PERMANENTLY MOVED TO https://github.com/spacetab-io/static-server-php
A specific static server with support for the corporate configuration standard and more. This server is a simple wrapper for nginx or any other web server.
The server was created for JavaScript SPA apps such as Vue, React, Angular, etc.
- Specially created for modern web apps.
- Secure headers by default.
- If the backend app gets hacked, the hacker may write a letter to us, because an email address is injected into the head section of the index (console message) :)
- The corporate config standard is supported by default and injected too.
- Brotli compression (Gzip is used as a fallback for outdated browsers). Enabled by default.
- Deny all `robots.txt` by default.
- Hot reload
```Dockerfile
FROM microparts/static-server-php:2.0.3

ARG VCS_SHA1
ARG STAGE

# dist & frontend yaml configuration
COPY dist/ /app
COPY ./configuration /app/configuration
```

A full example can be found here. And with local use here.
CLI usage implies 2 commands:
- Start server:

```bash
server run
```

Result:

```
[2019-12-18 17:38:30] Server.INFO: State: STAGE=local SHA1= VERSION=2.0.3 CONFIG_PATH=/Users/roquie/google_drive/projects/microparts/static-server-php/configuration
[2019-12-18 17:38:30] Server.INFO: Files modification enabled. Have fun!.
[2019-12-18 17:38:30] Server.INFO: Nginx Brotli module not installed. Turning off this compression method.
[2019-12-18 17:38:30] Server.INFO: Check if platform supports async io...
[2019-12-18 17:38:30] Server.INFO: Platform does not supports async io, turning it off.
[2019-12-18 17:38:30] Server.INFO: Prerender is not enabled, skip check.
[2019-12-18 17:38:30] Server.INFO: Nginx PID location: /tmp/spa_nginx.pid
[2019-12-18 17:38:30] Server.INFO: nginx: the configuration file /tmp/generated_nginx.conf syntax is ok
[2019-12-18 17:38:30] Server.INFO: nginx: configuration file /tmp/generated_nginx.conf test is successful
[2019-12-18 17:38:30] Server.INFO: Server started at: 0.0.0.0:8080
```

- Reload
After editing files or configuration, you can reload the server without restarting the master process.
```bash
server reload
```

Reload command result:

```
[2019-12-18 17:41:44] Server.INFO: Reload configuration
[2019-12-18 17:41:44] Server.INFO: State: STAGE=local SHA1= VERSION=2.0.3 CONFIG_PATH=/Users/roquie/google_drive/projects/microparts/static-server-php/configuration
[2019-12-18 17:41:44] Server.INFO: Files modification enabled. Have fun!.
[2019-12-18 17:41:44] Server.INFO: Nginx Brotli module not installed. Turning off this compression method.
[2019-12-18 17:41:44] Server.INFO: Check if platform supports async io...
[2019-12-18 17:41:44] Server.INFO: Platform does not supports async io, turning it off.
[2019-12-18 17:41:44] Server.INFO: Prerender is not enabled, skip check.
[2019-12-18 17:41:44] Server.INFO: Nginx PID location: /tmp/spa_nginx.pid
[2019-12-18 17:41:44] Server.INFO: nginx: the configuration file /tmp/generated_nginx.conf syntax is ok
[2019-12-18 17:41:44] Server.INFO: nginx: configuration file /tmp/generated_nginx.conf test is successful
[2019-12-18 17:41:44] Server.INFO: Configuration reloaded
```

- Dump loaded configuration:
```bash
server dump
```

Result:

```yaml
CONFIG_PATH = /app/configuration
STAGE = dev

server:
  host: 0.0.0.0
  port: 8080
  root: ./dist
  index: index.html
  modify:
    enabled: true
    root: ./dist/modified
    inject: before_script
  handler:
    name: nginx
    options:
      pid: /tmp/spa_nginx.pid
      config: /tmp/generated_nginx.conf
  prerender:
    enabled: false
    url: null
    resolver: "8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1"
    headers: []
  service_worker:
    enabled: false
  log_info: '%%cSTAGE=%s SHA1=%s; %%cSecurity bugs: security@spacetab.io, Job/partnership: work@spacetab.io'
  logger:
    enabled: true
    level: info
  security_txt:
    contact: security@spacetab.io
    preferred_lang: 'en, ru'
  headers:
    csp:
      - 'default-src ''self'''
      - 'script-src ''self'' ''unsafe-inline'' cdnjs.cloudflare.com'
      - 'img-src ''self'' data:'
      - 'style-src ''self'' ''unsafe-inline'' fonts.googleapis.com cdnjs.cloudflare.com'
      - 'font-src ''self'' data: fonts.gstatic.com cdnjs.cloudflare.com'
      - 'form-action ''self'''
    feature_policy:
      - 'geolocation ''none'''
      - 'payment ''none'''
      - 'microphone ''none'''
      - 'camera ''none'''
      - 'autoplay ''none'''
    referer_policy: no-referrer
    pragma: public
    xss_protection: '1; mode=block'
    x_content_type: nosniff
    x_content_type_options: nosniff
    x_ua_compatible: IE=edge
    sts: 'max-age=86400; includeSubDomains; preload'
```

Comments about server configuration can be found here.
The server reads files from dist, then modifies index.html on the fly and inserts the configuration before the first <script> tag it finds. The config can also be inserted before the first tag in the <head> section (but this blocks page painting).
The injected config file (__config.js) has the following content:
```js
window.__stage = 'local';
window.__config = JSON.parse('{}' /* frontend config from yaml here */);
window.__vcs = '%s';
console.log('%%cSTAGE=dev SHA1=55b5293; %%cSecurity bugs: security@spacetab.io, Job/partnership: work@spacetab.io','color:#F44336','color:#009688');
```

A <link> tag with rel=preload is also injected.
Then it starts the nginx server.
By default, the following headers are added to the response:
```
Pragma: public
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type: nosniff
X-Content-Type-Options: nosniff
X-Ua-Compatible: IE=edge
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; payment 'none'; microphone 'none'; camera 'none'; autoplay 'none'
Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; font-src 'self' data: fonts.gstatic.com cdnjs.cloudflare.com; form-action 'self'
Strict-Transport-Security: max-age=604800; includeSubDomains; preload
```

These headers earn an A+ rating from https://securityheaders.com.
Frontend developers should use Content Security Policy protection, i.e. configure the server themselves.
To do so, create a server.yaml config file and add it to the stage directory dev/prod/local (or only to the defaults folder) with the following contents:
```yaml
dev:
  server:
    headers:
      csp:
        - default-src 'self' *.teamcsrv.com *.teamc.io
        - script-src 'self'
        - "img-src 'self' data:"
        - style-src 'self' 'unsafe-inline' fonts.googleapis.com
        - "font-src 'self' data: fonts.gstatic.com"
        - form-action 'self'
```

Then edit it in accordance with the business logic of the application.
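As an added example (not part of the project's code), the following Python script audits a CSP written in the list form used by server.yaml, comparing the policy from the `server dump` output with the dev override above. It assumes the list items are joined with "; " into one header value; the names `build_csp`, `parse_csp` and `audit_csp` are hypothetical.

```python
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")  # never inherit default-src


def build_csp(items):
    """Join list items into one header value (assumption: the server joins with '; ')."""
    return "; ".join(item.strip() for item in items if item.strip())


def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header):
    """Return a sorted list of findings for one policy string."""
    policy, findings = parse_csp(header), []
    # script-src falls back to default-src when it is absent.
    effective = policy.get("script-src", policy.get("default-src"))
    if effective is None:
        findings.append("script-src: no script-src or default-src, scripts unrestricted")
    for src in effective or []:
        if src.lower() in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src: risky source {src}")
    for name in NO_FALLBACK:
        if name not in policy:
            findings.append(f"{name}: not set and not covered by default-src")
    return sorted(findings)


DUMPED = [  # CSP list copied from the `server dump` output on this page
    "default-src 'self'", "script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com",
    "img-src 'self' data:",
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com",
    "font-src 'self' data: fonts.gstatic.com cdnjs.cloudflare.com", "form-action 'self'",
]
DEV = [  # dev override copied from the server.yaml example on this page
    "default-src 'self' *.teamcsrv.com *.teamc.io", "script-src 'self'", "img-src 'self' data:",
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com",
    "font-src 'self' data: fonts.gstatic.com", "form-action 'self'",
]

if __name__ == "__main__":
    print(audit_csp(build_csp(DUMPED)), audit_csp(build_csp(DEV)), sep="\n")
```

The `frame-ancestors` finding is partly offset by the `X-Frame-Options: SAMEORIGIN` header that the server sends by default.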
Since version 1.1.4, you can set the Link header in the server configuration.
- How it is used for `<link rel=preload>` requirements (Lighthouse): https://w3c.github.io/preload/#example-3, https://w3c.github.io/preload/#example-6
- Specification: https://tools.ietf.org/html/rfc5988#section-5
Example:
```yaml
dev:
  server:
    headers:
      link:
        - value: </app/style.css>; rel=preload; as=style; nopush
        - value:
            - <https://example.com/app/script.js>
            - rel=preload
            - as=script
```

By default, the server uses the Brotli compression algorithm developed by Google Inc.
It is a more effective (up to 21%) lossless compression algorithm than gzip and deflate.
At present, it is supported by all modern browsers: https://caniuse.com/#search=Brotli
The server reads the following environment variables:

- CONFIG_PATH – server and frontend configuration.
- STAGE – server and frontend mode to start: prod/dev/local
- VCS_SHA1 – build commit sha1 for debug

By default, the root directory is /app. This is intended for container-based usage.
Out of the box, the root directory contains the following files:

```
.
├── favicon.ico
├── index.html
└── robots.txt
```

- favicon.ico – a transparent .ico file (to prevent error logs).
- index.html – a simple index file with a hello message.
- robots.txt – the file which blocks all robots by default.
- /.well-known/security.txt – https://securitytxt.org/
Each file can be replaced.
Install the development packages using composer and run the following command:

```bash
vendor/bin/phpunit
PHPUnit 8.5.0 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.4.0 with Xdebug 2.9.0
Configuration: /Users/roquie/google_drive/projects/microparts/static-server-php/phpunit.xml

......................                                            22 / 22 (100%)

Time: 403 ms, Memory: 10.00 MB

OK (22 tests, 40 assertions)
```

GNU GPL v3
