Loading data/nginx/server.conf +1 −1 Original line number Diff line number Diff line Loading @@ -11,7 +11,7 @@ map $http_x_forwarded_proto $forwarded_https { server { listen 80; server_name _; root /app/static; root /app/static/wp; # Consider all private IP addresses safe sources for X-Forwarded-For set_real_ip_from 10.0.0.0/8; Loading doc/configuration.md +9 −0 Original line number Diff line number Diff line Loading @@ -182,6 +182,15 @@ The secret paired with the access key given in [**S3_MEDIA_KEY**](#s3_media_key) A base URL for viewers to access uploaded media. This allows caching proxies, such as CDNs, to be used for accessing files. ### SANDBOX_MODE **Type**: flag\ **Required**: no\ If set, [sandbox mode](sandbox-mode.md) is enabled. **Do not set on production sites** ### SITE_ADMIN **Type**: string\ Loading doc/sandbox-mode.md 0 → 100644 +39 −0 Original line number Diff line number Diff line Sandbox Mode ============ Sandbox mode allows administrator users to experiment with plugins and themes, by allowing write access to the relevant directories. It is enabled by setting [SANDBOX_MODE][]. > **Warning:** > Use at your own risk; sandbox mode is experimental and there are a number of gotchas, both > known and unknown. Gotchas ------- ### Ephemeral Extensions *Anything installed through the admin interface is not retained across restarts, even if the volumes used are.* You should take note of the packages installed and add them to site settings as soon as you have determined they are *probably* suitable. ### Untidy and Possibly Insecure *Potentially everything is available to anyone who can access a site* Sandbox mode works by moving the installable extensions directories (plugins, themes, language-packs) to the volume shared with the Nginx frontend. This is necessary to make any static content that is installed after startup available to the frontend. This approach puts *all* the extension content where it can be served by the frontend, effectively bypassing the filtering of [STATIC_PATTERNS][]) for the plugin, theme and language-pack directories. Unexpected content may be served and it may also present a heightened security risk. [SANDBOX_MODE]: configuration.md#sandbox_mode [STATIC_PATTERNS]: configuration.md#static_patterns plugins/docker-integration.php +5 −1 Original line number Diff line number Diff line <?php /** * Copyright 2019-2021, 2024 Dominik Sekotill <dom.sekotill@kodo.org.uk> * Copyright 2019-2021, 2023-2024 Dominik Sekotill <dom.sekotill@kodo.org.uk> * * Plugin Name: Docker Image Integration * Plugin URI: https://code.kodo.org.uk/singing-chimes.co.uk/wordpress/tree/master/plugins Loading @@ -12,6 +12,8 @@ */ if ( !defined( 'SANDBOX_MODE' ) ): // Block File Modification add_filter( Loading Loading @@ -51,6 +53,8 @@ add_filter( 10, 3 ); endif; // S3-Uploads Integration Loading scripts/entrypoint.sh +25 −1 Original line number Diff line number Diff line Loading @@ -189,6 +189,29 @@ setup_media() chown -R ${WORKER_USER}:${WORKER_USER} "${MEDIA}" } setup_sandbox() { [[ -v SANDBOX_MODE ]] || return 0 wp config set SANDBOX_MODE true --raw wp config set FS_METHOD direct wp config set WP_CONTENT_DIR /app/static/wp-content wp config set WPMU_PLUGIN_DIR /app/wp-content/mu-plugins rm -r static/wp/wp-content ln -s ../wp-content static/wp/wp-content rsync \ --archive \ --exclude=/wp-content/mu-plugins/ \ wp-content static/ mkdir -p \ static/wp-content/plugins \ static/wp-content/upgrade chown -R www-data:www-data \ static/wp-content/languages \ static/wp-content/plugins \ static/wp-content/themes \ static/wp-content/upgrade } collect_static() { get_media_dir Loading @@ -211,7 +234,7 @@ collect_static() --recursive \ --relative \ --times \ . static/ . static/wp/ } generate_static() Loading Loading @@ -297,6 +320,7 @@ case "$1" in setup_media collect_static generate_static setup_sandbox timestamp "Completed Wordpress preparation" run_background_cron exec "$@" "${extra_args[@]}" Loading Loading
data/nginx/server.conf +1 −1 Original line number Diff line number Diff line Loading @@ -11,7 +11,7 @@ map $http_x_forwarded_proto $forwarded_https { server { listen 80; server_name _; root /app/static; root /app/static/wp; # Consider all private IP addresses safe sources for X-Forwarded-For set_real_ip_from 10.0.0.0/8; Loading
doc/configuration.md +9 −0 Original line number Diff line number Diff line Loading @@ -182,6 +182,15 @@ The secret paired with the access key given in [**S3_MEDIA_KEY**](#s3_media_key) A base URL for viewers to access uploaded media. This allows caching proxies, such as CDNs, to be used for accessing files. ### SANDBOX_MODE **Type**: flag\ **Required**: no\ If set, [sandbox mode](sandbox-mode.md) is enabled. **Do not set on production sites** ### SITE_ADMIN **Type**: string\ Loading
doc/sandbox-mode.md 0 → 100644 +39 −0 Original line number Diff line number Diff line Sandbox Mode ============ Sandbox mode allows administrator users to experiment with plugins and themes, by allowing write access to the relevant directories. It is enabled by setting [SANDBOX_MODE][]. > **Warning:** > Use at your own risk; sandbox mode is experimental and there are a number of gotchas, both > known and unknown. Gotchas ------- ### Ephemeral Extensions *Anything installed through the admin interface is not retained across restarts, even if the volumes used are.* You should take note of the packages installed and add them to site settings as soon as you have determined they are *probably* suitable. ### Untidy and Possibly Insecure *Potentially everything is available to anyone who can access a site* Sandbox mode works by moving the installable extensions directories (plugins, themes, language-packs) to the volume shared with the Nginx frontend. This is necessary to make any static content that is installed after startup available to the frontend. This approach puts *all* the extension content where it can be served by the frontend, effectively bypassing the filtering of [STATIC_PATTERNS][]) for the plugin, theme and language-pack directories. Unexpected content may be served and it may also present a heightened security risk. [SANDBOX_MODE]: configuration.md#sandbox_mode [STATIC_PATTERNS]: configuration.md#static_patterns
plugins/docker-integration.php +5 −1 Original line number Diff line number Diff line <?php /** * Copyright 2019-2021, 2024 Dominik Sekotill <dom.sekotill@kodo.org.uk> * Copyright 2019-2021, 2023-2024 Dominik Sekotill <dom.sekotill@kodo.org.uk> * * Plugin Name: Docker Image Integration * Plugin URI: https://code.kodo.org.uk/singing-chimes.co.uk/wordpress/tree/master/plugins Loading @@ -12,6 +12,8 @@ */ if ( !defined( 'SANDBOX_MODE' ) ): // Block File Modification add_filter( Loading Loading @@ -51,6 +53,8 @@ add_filter( 10, 3 ); endif; // S3-Uploads Integration Loading
scripts/entrypoint.sh +25 −1 Original line number Diff line number Diff line Loading @@ -189,6 +189,29 @@ setup_media() chown -R ${WORKER_USER}:${WORKER_USER} "${MEDIA}" } setup_sandbox() { [[ -v SANDBOX_MODE ]] || return 0 wp config set SANDBOX_MODE true --raw wp config set FS_METHOD direct wp config set WP_CONTENT_DIR /app/static/wp-content wp config set WPMU_PLUGIN_DIR /app/wp-content/mu-plugins rm -r static/wp/wp-content ln -s ../wp-content static/wp/wp-content rsync \ --archive \ --exclude=/wp-content/mu-plugins/ \ wp-content static/ mkdir -p \ static/wp-content/plugins \ static/wp-content/upgrade chown -R www-data:www-data \ static/wp-content/languages \ static/wp-content/plugins \ static/wp-content/themes \ static/wp-content/upgrade } collect_static() { get_media_dir Loading @@ -211,7 +234,7 @@ collect_static() --recursive \ --relative \ --times \ . static/ . static/wp/ } generate_static() Loading Loading @@ -297,6 +320,7 @@ case "$1" in setup_media collect_static generate_static setup_sandbox timestamp "Completed Wordpress preparation" run_background_cron exec "$@" "${extra_args[@]}" Loading
