Merge branch '29-optimize-pipeline' into 'master'

Resolve "optimize pipeline"

Closes #29

See merge request !28

.dockerignore

+.composer
+.npm
+.gitlab
+.vscode
+node_modules
+vendor
+.editorconfig
+.git
+.gitattributes
+.gitignore
+.gitlab-ci.yaml
+.gitlab
+.gitlab-ci.yaml
\ No newline at end of file

.env.example

+APP_ENV=local
+APP_KEY=
+APP_DEBUG=true
+APP_LOG_LEVEL=debug
+LOG_CHANNEL=stderr
+APP_URL=https://localhost:8080
+
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=homestead
+DB_USERNAME=homestead
+DB_PASSWORD=secret
+
+BROADCAST_DRIVER=log
+CACHE_DRIVER=redis
+SESSION_DRIVER=array
+QUEUE_DRIVER=sync
+
+CENTRAL_REDIS_HOST=redis
+CENTRAL_REDIS_PASSWORD=null
+CENTRAL_REDIS_PORT=6379
+
+REDIS_HOST=redis
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_DRIVER=smtp
+MAIL_HOST=mailtrap.io
+MAIL_PORT=2525
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+
+PUSHER_APP_ID=
+PUSHER_APP_KEY=
+PUSHER_APP_SECRET=
+
+PROXY_PASSWORD_OLD=secure_password
+PROXY_PASSWORD=very_secure_password
+PROXY_TIMEOUT=3600
+PROXY_URL=https://localhost:8080
+PROXY_LOG_LOCATION=/var/log/proxy/proxy.log
+
+PROXY_MEMORY_CACHE=5242880
+PROXY_FREE_DOWNLOAD_LIMIT=104857600
+
+CACHE_ENABLED=true
\ No newline at end of file

.gitignore

@@ -4,6 +4,7 @@
 /storage/*.key
 /vendor
 .npm
+.composer
 .env
 .env.backup
 .phpunit.result.cache

.gitlab-ci.yml

@@ -14,6 +14,7 @@ variables:
     SAST_DISABLED: "true"
     TEST_DISABLED: "true"
     CACHE_FALLBACK_KEY: proxy-master
+    AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES: "AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,S3_HOST,S3_BUCKETNAME"
 
 include:
   - template: Jobs/Build.gitlab-ci.yml
@@ -23,7 +24,6 @@ include:
   image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:v2.12.0"
 
 stages:
-  - prepare
   - build
   - test
   - deploy  # dummy stage to follow the template guidelines
@@ -38,30 +38,6 @@ stages:
   - incremental rollout 100%
   - performance
   - cleanup
-
-prepare_node:
-  stage: prepare
-  image: node:16
-  before_script:
-    - npm i --cache .npm --prefer-offline --no-audit --progress=false
-  script:
-    - npm run prod
-  artifacts:
-    paths:
-      - public/js/
-      - public/css/
-      - public/mix-manifest.json
-  cache:
-    # Reuse existing cache or create new one if package-lock changed
-    key:
-      files:
-        - package-lock.json
-    paths:
-      - .npm
-      - node_modules
-  only:
-    - branches
-    - tags
     
 build:
   services:

.gitlab/auto-deploy-values.yaml

@@ -4,7 +4,7 @@ podDisruptionBudget:
   maxUnavailable:
 service:
   externalPort: 80
-  internalPort: 80
+  internalPort: 8080
   commonName:
 ingress:
   tls:

.gitlab/production-values.yaml

@@ -4,7 +4,7 @@ podDisruptionBudget:
   maxUnavailable:
 service:
   externalPort: 80
-  internalPort: 80
+  internalPort: 8080
   commonName:
 ingress:
   tls:

.gitlab/review-values.yaml

 service:
   enabled: true
   externalPort: 80
-  internalPort: 80
+  internalPort: 8080
   commonName: ""
 ingress:
   tls:

Dockerfile

-FROM debian:10
+# syntax = docker/dockerfile:experimental
+FROM debian:10 AS dependencies
+
+WORKDIR /html
+EXPOSE 8080
 
 # Install System Components
 RUN apt update \
     && apt install -y \
     nginx \
     tzdata \
-    cron \
     lsb-release \
     apt-transport-https \
-    zip \
-    curl 
+    curl \
+    zip
 
 RUN curl -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
     && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
@@ -30,15 +33,34 @@ RUN apt update \
     php7.4-dom \
     php7.4-fileinfo \
     php7.4-redis \
+    php7.4-xdebug \
     php7.4-zip
 
-WORKDIR /html
+# Install Composer
+COPY ./helpers/installComposer.sh /usr/bin/installComposer
+RUN chmod +x /usr/bin/installComposer && \
+    /usr/bin/installComposer && \
+    rm /usr/bin/installComposer
 
-RUN sed -i 's/error_log = \/var\/log\/php7.4-fpm.log/error_log = \/dev\/stderr/g' /etc/php/7.4/fpm/php-fpm.conf && \
+# Install Nodejs
+COPY ./helpers/installNodejs.sh /usr/bin/installNodejs
+RUN chmod +x /usr/bin/installNodejs && \
+    /usr/bin/installNodejs && \
+    rm /usr/bin/installNodejs
+ENV PATH /usr/local/lib/nodejs/bin:$PATH
+
+# Install Minio Client
+RUN curl -o /usr/bin/mc "https://dl.min.io/client/mc/release/linux-amd64/mc" &&\
+    chmod +x /usr/bin/mc
+
+FROM dependencies AS development
+
+RUN sed -i 's/pid = \/run\/php\/php7.4-fpm.pid/;pid = \/run\/php\/php7.4-fpm.pid/g' /etc/php/7.4/fpm/php-fpm.conf && \
+    sed -i 's/error_log = \/var\/log\/php7.4-fpm.log/error_log = \/dev\/stderr/g' /etc/php/7.4/fpm/php-fpm.conf && \
     sed -i 's/;daemonize = yes/daemonize = no/g' /etc/php/7.4/fpm/php-fpm.conf && \
-    mkdir -p /run/php && \
     sed -i 's/listen = \/run\/php\/php7.4-fpm.sock/listen = 9000/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/decorate_workers_output = no/decorate_workers_output = no/g' /etc/php/7.4/fpm/pool.d/www.conf && \
+    sed -i 's/;catch_workers_output = yes/catch_workers_output = yes/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/user = nobody/user = www-data/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/group = nobody/group = www-data/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/pm.max_children = 5/pm.max_children = 1024/g' /etc/php/7.4/fpm/pool.d/www.conf && \
@@ -46,33 +68,54 @@ RUN sed -i 's/error_log = \/var\/log\/php7.4-fpm.log/error_log = \/dev\/stderr/g
     sed -i 's/pm.min_spare_servers = 1/pm.min_spare_servers = 5/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/pm.max_spare_servers = 3/pm.max_spare_servers = 50/g' /etc/php/7.4/fpm/pool.d/www.conf && \
     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.4/fpm/php.ini && \
-    sed -i 's/expose_php = On/expose_php = Off/g' /etc/php/7.4/fpm/php.ini && \
-    # Opcache configuration
+    sed -i 's/;zend_extension=xdebug.so/zend_extension=xdebug.so/g' /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
+    echo "xdebug.mode = debug" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
+    echo "xdebug.start_with_request = yes" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
+    echo "xdebug.discover_client_host = true" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
+    echo "xdebug.idekey=VSCODE" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
+    cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
+    echo "Europe/Berlin" > /etc/timezone
+
+# Using image as non-root
+RUN groupadd -g 1000 metager-proxy && \
+    useradd -b /home/metager-proxy -g 1000 -u 1000 -M -s /bin/bash metager-proxy
+RUN chown -R 1000:1000 /var/lib/nginx /var/log/nginx
+RUN mkdir -p /home/metager-proxy &&\
+    chown 1000:1000 /home/metager-proxy
+RUN touch /run/nginx.pid && \
+    chown 1000:1000 /run/nginx.pid
+USER 1000:1000
+
+CMD /entrypoint.sh
+
+# Just the changes we need for production use (i.e. enable opcache, disable xdebug, etc.)
+FROM development AS production
+
+USER 0:0
+# Opcache configuration
+RUN apt purge -y php7.4-xdebug
+RUN sed -i 's/expose_php = On/expose_php = Off/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.enable=1/opcache.enable=1/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.memory_consumption=128/opcache.memory_consumption=128/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=8/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=10000/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.max_wasted_percentage=5/opcache.max_wasted_percentage=5/g' /etc/php/7.4/fpm/php.ini && \
     sed -i 's/;opcache.validate_timestamps=1/opcache.validate_timestamps=1/g' /etc/php/7.4/fpm/php.ini && \
-    sed -i 's/;opcache.revalidate_freq=2/opcache.revalidate_freq=300/g' /etc/php/7.4/fpm/php.ini && \
-    cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
-    echo "Europe/Berlin" > /etc/timezone && \
-    (crontab -l ; echo "* * * * * php /html/artisan schedule:run >> /dev/null 2>&1") | crontab -
-
+    sed -i 's/;opcache.revalidate_freq=2/opcache.revalidate_freq=300/g' /etc/php/7.4/fpm/php.ini
 
 COPY config/nginx.conf /etc/nginx/nginx.conf
 COPY config/nginx-default.conf /etc/nginx/sites-available/default
 RUN sed -i 's/fastcgi_pass phpfpm:9000;/fastcgi_pass localhost:9000;/g' /etc/nginx/sites-available/default
-COPY --chown=root:www-data . /html
 
-COPY ./helpers/installComposer.sh /usr/bin/installComposer
-RUN chmod +x /usr/bin/installComposer && \
-    /usr/bin/installComposer && \
-    rm /usr/bin/installComposer && \
-    composer install --no-dev
+# Install Entrypoint
+COPY ./helpers/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 
-WORKDIR /html
-EXPOSE 80
+COPY --chown=1000:1000 . /html
+
+# Install packages
+RUN --mount=type=secret,id=auto-devops-build-secrets . /run/secrets/auto-devops-build-secrets && \
+    chmod +x ./helpers/installPackages.sh && \
+    /bin/sh -c ./helpers/installPackages.sh
 
-CMD cron -L /dev/stdout && \
-    php-fpm7.4 -F -R
+USER 1000:1000

DockerfileDev

-FROM debian:10
-
-# Install System Components
-RUN apt update \
-    && apt install -y \
-        nginx \
-        tzdata \
-        cron \
-        lsb-release \
-        apt-transport-https \
-        curl \
-        zip
-
-RUN curl -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
-    && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
-
-# Install PHP Components
-RUN apt update \
-    && apt install -y \
-        php7.4 \
-        php7.4-fpm \
-        php7.4-json \
-        php7.4-bcmath \
-        php7.4-ctype \
-        php7.4-mbstring \
-        php7.4-pdo \
-        php7.4-tokenizer \
-        php7.4-xml \
-        php7.4-curl \
-        php7.4-dom \
-        php7.4-fileinfo \
-        php7.4-redis \
-        php7.4-xdebug \
-        php7.4-zip
-
-WORKDIR /html
-
-RUN sed -i 's/error_log = \/var\/log\/php7.4-fpm.log/error_log = \/dev\/stderr/g' /etc/php/7.4/fpm/php-fpm.conf && \
-    sed -i 's/;daemonize = yes/daemonize = no/g' /etc/php/7.4/fpm/php-fpm.conf && \
-    mkdir -p /run/php && \
-    sed -i 's/listen = \/run\/php\/php7.4-fpm.sock/listen = 9000/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/decorate_workers_output = no/decorate_workers_output = no/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/user = nobody/user = www-data/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/group = nobody/group = www-data/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/pm.max_children = 5/pm.max_children = 100/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/pm.start_servers = 2/pm.start_servers = 5/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/pm.min_spare_servers = 1/pm.min_spare_servers = 5/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/pm.max_spare_servers = 3/pm.max_spare_servers = 25/g' /etc/php/7.4/fpm/pool.d/www.conf && \
-    sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.4/fpm/php.ini && \
-    sed -i 's/expose_php = On/expose_php = Off/g' /etc/php/7.4/fpm/php.ini && \
-    sed -i 's/;zend_extension=xdebug.so/zend_extension=xdebug.so/g' /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
-    echo "xdebug.mode = debug" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
-    echo "xdebug.start_with_request = yes" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
-    echo "xdebug.discover_client_host = true" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
-    echo "xdebug.idekey=VSCODE" >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini && \
-    cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
-    echo "Europe/Berlin" > /etc/timezone && \
-    (crontab -l ; echo "* * * * * php /html/artisan schedule:run >> /dev/null 2>&1") | crontab -
-
-COPY ./helpers/installComposer.sh /usr/bin/installComposer
-RUN chmod +x /usr/bin/installComposer && \
-    /usr/bin/installComposer && \
-    rm /usr/bin/installComposer
-
-WORKDIR /html
-EXPOSE 80
-
-CMD cron -L /dev/stdout && \
-    composer install && \
-    php-fpm7.4 -F -R

app/Console/Commands/RequestFetcher.php

@@ -41,10 +41,10 @@ class RequestFetcher extends Command
     {
         parent::__construct();
         $this->multicurl = curl_multi_init();
-        $this->proxyhost = env("PROXY_HOST", "");
-        $this->proxyport = env("PROXY_PORT", "");
-        $this->proxyuser = env("PROXY_USER", "");
-        $this->proxypassword = env("PROXY_PASSWORD", "");
+        $this->proxyhost = config("requestfetcher.proxy.host");
+        $this->proxyport = config("requestfetcher.proxy.port");
+        $this->proxyuser = config("requestfetcher.proxy.user");
+        $this->proxypassword = config("requestfetcher.proxy.password");
     }
 
     /**
@@ -67,7 +67,8 @@ class RequestFetcher extends Command
             } catch (\Exception $e) {
                 if ($count >= 9) {
                     // If its not available after 10 seconds we will exit
-                    return;
+                    echo "Redis Connection was not possible within 10 seconds." . PHP_EOL;
+                    return 1;
                 }
                 sleep(1);
             }

app/Http/Controllers/DownloadController.php

@@ -133,7 +133,7 @@ class DownloadController extends Controller
         if (!is_string($data) || strlen($data) === 0) {
             return null;
         }
-        return hash_hmac("sha256", $data, env("PROXY_PASSWORD", "unsecure_password"));
+        return hash_hmac("sha256", $data, config("proxy.password"));
     }
 
     private static function checkPassword($url, $validUntil, $password)
@@ -142,7 +142,7 @@ class DownloadController extends Controller
         if (!is_string($data) || strlen($data) === 0) {
             return false;
         }
-        $excpectedHash = hash_hmac("sha256", $data, env("PROXY_PASSWORD", "unsecure_password"));
+        $excpectedHash = hash_hmac("sha256", $data, config("proxy.password"));
         return hash_equals($excpectedHash, $password);
     }
 }

app/Http/Controllers/ProxyController.php

@@ -20,7 +20,7 @@ class ProxyController extends Controller
     public function proxyPage(Request $request)
     {
         if(!$request->filled("url") || !$request->filled("password")){
-            if (env("APP_ENV", "") !== "production") {
+            if (\App::environment() !== "production") {
                 return view("development");
             } else {
                 return redirect("https://metager.de");
@@ -63,7 +63,7 @@ class ProxyController extends Controller
 
             $redirProxyUrl = rtrim($redirProxyUrl, "&");
 
-            $pw = md5(env('PROXY_PASSWORD') . $redirProxyUrl);
+            $pw = md5(config("proxy.password") . $redirProxyUrl);
 
             $redirProxyUrl = base64_encode(str_rot13($redirProxyUrl));
             $redirProxyUrl = urlencode(str_replace("/", "<<SLASH>>", $redirProxyUrl));
@@ -322,7 +322,7 @@ class ProxyController extends Controller
     private function fetchUrl($targetUrl){
         $hash = md5($targetUrl);
 
-        if (!Cache::has($hash) || env("CACHE_ENABLED") === false) {
+        if (!Cache::has($hash) || config("proxy.cache.enabled") === false) {
             $useragent = $_SERVER['HTTP_USER_AGENT'];
             if (preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i', $useragent) || preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i', substr($useragent, 0, 4))) {
                 // Mobile Browser Dummy Mobile Useragent
@@ -528,7 +528,7 @@ class ProxyController extends Controller
         if (!is_string($data) || strlen($data) === 0) {
             return null;
         }
-        return hash_hmac("sha256", $data, env("PROXY_PASSWORD", "unsecure_password"));
+        return hash_hmac("sha256", $data, config("proxy.password"));
     }
 
     private static function checkPassword($url, $validUntil, $password)
@@ -542,13 +542,13 @@ class ProxyController extends Controller
         if (!is_string($data) || strlen($data) === 0) {
             return false;
         }
-        $excpectedHash = hash_hmac("sha256", $data, env("PROXY_PASSWORD", "unsecure_password"));
+        $excpectedHash = hash_hmac("sha256", $data, config("proxy.password"));
         return hash_equals($excpectedHash, $password);
     }
 
     private function writeLog($targetUrl, $ip)
     {
-        $logFile = env('PROXY_LOG_LOCATION');
+        $logFile = config("proxy.log.location");
 
         $dateString = date('D M d H:i:s Y');
 

app/Http/Middleware/CheckPassword.php

@@ -18,7 +18,7 @@ class CheckPassword
 
         $password = $request->route('password');
         if ($timed === "true") {
-            $checkPw = md5(env('PROXY_PASSWORD') . date('dmy'));
+            $checkPw = md5(config('proxy.password') . date('dmy'));
             if ($checkPw === $password) {
                 return $next($request);
             }
@@ -32,7 +32,7 @@ class CheckPassword
             }
             
             // Check Password:
-            $checkPw  = md5(env('PROXY_PASSWORD_OLD') . $targetUrl);
+            $checkPw  = md5(config('proxy.password_old') . $targetUrl);
             $password = $request->route('password');
             if ($checkPw === $password) {
                 return $next($request);

app/Providers/AppServiceProvider.php

@@ -25,9 +25,9 @@ class AppServiceProvider extends ServiceProvider
     {
         \Prometheus\Storage\Redis::setDefaultOptions(
             [
-                'host' => env("REDIS_HOST", '127.0.0.1'),
-                'port' => intval(env("REDIS_PORT", 6379)),
-                'password' => env("REDIS_PASSWORD", null),
+                'host' => config("database.redis.default.host"),
+                'port' => intval(config("database.redis.default.port")),
+                'password' => config("database.redis.default.password"),
                 'timeout' => 0.1, // in seconds
                 'read_timeout' => '10', // in seconds
                 'persistent_connections' => false

chart/templates/deployment.yaml

@@ -57,6 +57,10 @@ spec:
       - name: env-files
         secret:
           secretName: {{ .Values.application.secretName }}
+      securityContext:
+        fsGroup: 1000
+        runAsUser: 1000
+        runAsGroup: 1000
       containers:
       - name: {{ .Chart.Name }}-phpfpm
         image: {{ template "imagename" . }}
@@ -133,8 +137,7 @@ spec:
       # WORKER
       - name: {{ .Chart.Name }}-worker
         image: {{ template "imagename" . }}
-        command: ["su"]
-        args: ["-s", "/bin/sh", "-c", "php artisan requests:fetcher", "www-data"]
+        command: ["/bin/sh", "-c", "php artisan requests:fetcher"]
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.application.secretName }}
         envFrom:
@@ -190,4 +193,8 @@ spec:
           requests:
             cpu: 100m
             memory: 500M
+        securityContext:
+          runAsUser: 100
+          runAsGroup: 101
+          allowPrivilegeEscalation: false
 {{- end -}}

config/nginx-default-dev.conf

 server {
-    listen       80;
+    listen       8080;
     server_name  localhost;
     root   /html/public;
     index  index.php index.html index.htm;

config/nginx-default.conf

 server {
-    listen       80;
+    listen       8080;
     server_name  localhost;
     root   /html/public;
     index  index.php index.html index.htm;

config/nginx.conf

-user  www-data;
+# user  www-data;
 worker_processes  auto;
 
 error_log  /dev/stdout warn;
-pid        /run/nginx.pid;
+# pid        /run/nginx.pid;
 
 daemon off;
 

config/proxy.php

+<?php
+
+return [
+    'password_old' => env("PROXY_PASSWORD_OLD", "old_secret"),
+    'password' => env("PROXY_PASSWORD", "secret"),
+    'cache' => [
+        "enabled" => env("CACHE_ENABLED", true),
+    ],
+    'log' => [
+        'location' => env("PROXY_LOG_LOCATION", "/dev/null"),
+    ],
+];
\ No newline at end of file