.env

+CONTAINER_NAME="test"
+NGINX_PORT=81
+APP_BASE_DIR="./public"
\ No newline at end of file

.gitignore

+.idea/
+public/vendor
\ No newline at end of file

.idea/.gitignore

-# Default ignored files
-/shelf/
-/workspace.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml

.idea/modules.xml

-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/stud-symfa.iml" filepath="$PROJECT_DIR$/.idea/stud-symfa.iml" />
-    </modules>
-  </component>
-</project>
\ No newline at end of file

.idea/php.xml

-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="MessDetectorOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PHPCSFixerOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PHPCodeSnifferOptionsConfiguration">
-    <option name="highlightLevel" value="WARNING" />
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PhpStanOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PsalmOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-</project>
\ No newline at end of file

.idea/stud-symfa.iml

-<?xml version="1.0" encoding="UTF-8"?>
-<module type="WEB_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$" />
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-</module>
\ No newline at end of file

.idea/vcs.xml

-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="" vcs="Git" />
-  </component>
-</project>
\ No newline at end of file

app/Dockerfile

-FROM php:fpm
-
-WORKDIR ./app
-
-COPY . .
-
-RUN php index.php

compose.yml

+services:
+  app:
+    container_name: ${CONTAINER_NAME}_app
+    build:
+      context: ./docker/php
+      target: app-dev
+      args:
+        COMPOSER_AUTH: "{}"
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
+    restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - ${APP_BASE_DIR-.}:/app
+
+  web:
+    container_name: ${CONTAINER_NAME}_web
+    build:
+      context: ./docker/nginx
+      target: web-dev
+      args:
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
+    restart: unless-stopped
+    ports:
+      - ${NGINX_PORT}:80
+    environment:
+      PHP_FPM_HOST: app
+    volumes:
+      - ${APP_BASE_DIR-.}:/app/public
+    depends_on:
+      - app

docker-compose.yml

-version: '3.1'
-
-services:
-  php:
-    build:
-      context: app
-      dockerfile: Dockerfile
-    networks:
-      - app
-    volumes:
-      - ./app/:/app
-
-  nginx:
-    build:
-      context: ../stud-symfa/nginx
-      dockerfile: Dockerfile
-    ports:
-      - '80:80'
-    networks:
-      - app
-    volumes:
-      - ./app/:/app
-
-networks:
-  app:
-    driver: bridge
-

docker/nginx/Dockerfile

+# ---------------------------------------------- Build Time Arguments --------------------------------------------------
+ARG NGINX_VERSION="1.21"
+
+# ======================================================================================================================
+# ======================================================================================================================
+#                                                  --- NGINX ---
+# ======================================================================================================================
+# ======================================================================================================================
+FROM nginx:${NGINX_VERSION}-alpine AS nginx
+
+RUN rm -rf /var/www/* /etc/nginx/conf.d/* && adduser -u 1000 -D -S -G www-data www-data
+COPY nginx/nginx-*   /usr/local/bin/
+COPY nginx/          /etc/nginx/
+RUN chown -R www-data /etc/nginx/ && chmod +x /usr/local/bin/nginx-*
+
+# The PHP-FPM Host
+## Localhost is the sensible default assuming image run on a k8S Pod
+ENV PHP_FPM_HOST "localhost"
+ENV PHP_FPM_PORT "9000"
+ENV NGINX_LOG_FORMAT "json"
+
+# For Documentation
+EXPOSE 80
+
+# Switch User
+USER www-data
+
+# Add Healthcheck
+HEALTHCHECK CMD ["nginx-healthcheck"]
+
+# Add Entrypoint
+ENTRYPOINT ["nginx-entrypoint"]
+
+# ======================================================================================================================
+#                                                 --- NGINX PROD ---
+# ======================================================================================================================
+
+FROM nginx AS web
+
+USER root
+
+RUN SECURITY_UPGRADES="curl"; \
+    apk add --no-cache --upgrade ${SECURITY_UPGRADES}
+
+USER www-data
+
+# Copy Public folder + Assets that's going to be served from Nginx
+COPY --chown=www-data:www-data --from=app /app/public /app/public
+
+# ======================================================================================================================
+#                                                 --- NGINX DEV ---
+# ======================================================================================================================
+FROM nginx AS web-dev
+
+ENV NGINX_LOG_FORMAT "combined"
+
+COPY --chown=www-data:www-data nginx/dev/*.conf   /etc/nginx/conf.d/
+COPY --chown=www-data:www-data nginx/dev/certs/   /etc/nginx/certs/

docker/nginx/nginx/conf.d/app.conf

+upstream backend {
+    # The number of idle keepalive connections to an upstream server that remain open for each worker process
+    server ${PHP_FPM_HOST}:${PHP_FPM_PORT};
+    keepalive 40;
+    keepalive_requests 250; # Must be less than php-fpm.conf:pm.max_requests
+    keepalive_timeout 10;
+}
+
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name localhost;
+	set $base /app;
+	root $base/public;
+
+  # deny all dot files except .well-known
+  location ~ /\.(?!well-known) {
+      deny all;
+  }
+
+	# index.php
+	index index.php;
+
+
+
+  # index.php fallback
+  location / {
+  # try to serve file directly, fallback to index.php
+    try_files $uri /index.php$is_args$args;
+  }
+
+  # Disable falling back to PHP script for the asset directories;
+  location ~ ^/(public|bundles)/ {
+    try_files $uri =404;
+  }
+
+	# handle non-files
+	location ~ ^/index\.php(/|$) {
+		# default fastcgi_params
+        include fastcgi_params;
+
+        # fastcgi settings
+        fastcgi_pass			backend;
+        fastcgi_index			index.php;
+        fastcgi_buffers			8 16k;
+        fastcgi_buffer_size		32k;
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+
+        # fastcgi params
+        fastcgi_param DOCUMENT_ROOT		$realpath_root;
+        fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
+        fastcgi_param PHP_ADMIN_VALUE	"open_basedir=none";
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/index.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+	}
+
+	# return 404 for all other php files not matching the front controller
+	# this prevents access to other php files you don't want to be accessible.
+	location ~ \.php$ {
+		return 404;
+	}
+
+	# favicon.ico
+	location = /favicon.ico {
+		log_not_found off;
+		access_log off;
+	}
+
+	# robots.txt
+	location = /robots.txt {
+		log_not_found off;
+		access_log off;
+	}
+
+	# assets, media
+	location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+		expires 7d;
+		access_log off;
+	}
+
+	# svg, fonts
+	location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+		add_header Access-Control-Allow-Origin "*";
+		expires 7d;
+		access_log off;
+	}
+}
\ No newline at end of file

docker/nginx/nginx/conf.d/compression.conf

+# Compression
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 32 16k;
+gzip_http_version 1.1;
+gzip_min_length 250;
+gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
\ No newline at end of file

docker/nginx/nginx/conf.d/json-logs.conf

+# logging
+log_format json escape=json '{"@timestamp":"$time_iso8601","status":"$status","method":"$request_method","path":"$request_uri","request_query":"$args","request_time":"$request_time","vhost":"$host","bytes_sent":"$bytes_sent","request_length":"$request_length","request_proto":"$server_protocol","remote_user":"$remote_user","remote_addr":"$remote_addr","http_referrer":"$http_referer","http_user_agent":"$http_user_agent"}';
+access_log /dev/stdout ${NGINX_LOG_FORMAT};
+error_log /dev/stderr warn;
\ No newline at end of file

docker/nginx/nginx/conf.d/monitor.conf

+# Healthcheck & Metrics endpoint on port 8090
+server {
+	listen 8090;
+	listen [::]:8090;
+	location /stub_status {
+		stub_status;
+		access_log off;
+		allow 127.0.0.1;
+		deny all;
+	}
+}
\ No newline at end of file

docker/nginx/nginx/conf.d/non-root.conf

+# Non Root Temp Paths
+client_body_temp_path /tmp/client_temp;
+proxy_temp_path       /tmp/proxy_temp_path;
+fastcgi_temp_path     /tmp/fastcgi_temp;
+uwsgi_temp_path       /tmp/uwsgi_temp;
+scgi_temp_path        /tmp/scgi_temp;
\ No newline at end of file

docker/nginx/nginx/dev/certs/dev-selfsigned.crt

+-----BEGIN CERTIFICATE-----
+MIICxDCCAawCCQCUYv2tOO4zGDANBgkqhkiG9w0BAQsFADAkMRAwDgYDVQQKDAdr
+dWJlcGhwMRAwDgYDVQQDDAdrdWJlcGhwMB4XDTIyMDIyNTE0MzEwNloXDTMyMDIy
+MzE0MzEwNlowJDEQMA4GA1UECgwHa3ViZXBocDEQMA4GA1UEAwwHa3ViZXBocDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLdT4dDwxjNfc1POHfy/pTf
+JBGonmisS1i0NlN/sSz+QrktsyNtH3dvAJp/kHnOoTGgY3QyDCBNtr8/mULLig7B
+aAfGNDDuWJm7ayahxLoCfk2DZTcSf3NoOIPpvimwLfKxFOtuyOF742Lz3E3gVQ5+
+aDsePRp8NPSc1dBzGkrxGkPLvv4GGa8+MzeznKSamDOQ4fdqGdJyCOvTcYl2Pu4E
+ON6F5Z9cFOVu44l6VL7SzGpI86X6XGJY34PJ+KXg47Hs6/kGDt2UocgI0K3PfhDj
+6FlAf6ZeQ2GG//JRCPmWt4/womawo9nVHKtIkNMq20Ja3ITXrQ//Gism6HHZFEMC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAH3jtGiuTaga9O+83MJNW4XursYhR0VHs
+BXDmWr87uXuKemAhBiN+YvWVkLu/Egr1lSWiQoO3besPQnQu75fEwTNpkBZliS3+
+Rm5rtf+7stAC9vTKKaljksGj9ipnTktvwM2WjqrfnpYPokGIHsNOZRf9GXNXfAOw
+YBKEz0sd8D3C26EgJjX9thoEW+pt2HkFYqp40jp8x3mGWXHTX2jpcXoyD1F2oB1i
+4G4GHR5pSz79OGrO7YdR8g/8mV5lMmcVwzbX/lIVmBVAdXeC/CDQFW8I9B0eCHHJ
+vCWTwoIb6aDWsDVKCqmot7CXczze5tvYomxZiEddq2vtSvfpduFlmw==
+-----END CERTIFICATE-----

docker/nginx/nginx/dev/certs/dev-selfsigned.key

+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCy3U+HQ8MYzX3N
+Tzh38v6U3yQRqJ5orEtYtDZTf7Es/kK5LbMjbR93bwCaf5B5zqExoGN0MgwgTba/
+P5lCy4oOwWgHxjQw7liZu2smocS6An5Ng2U3En9zaDiD6b4psC3ysRTrbsjhe+Ni
+89xN4FUOfmg7Hj0afDT0nNXQcxpK8RpDy77+BhmvPjM3s5ykmpgzkOH3ahnScgjr
+03GJdj7uBDjeheWfXBTlbuOJelS+0sxqSPOl+lxiWN+Dyfil4OOx7Ov5Bg7dlKHI
+CNCtz34Q4+hZQH+mXkNhhv/yUQj5lreP8KJmsKPZ1RyrSJDTKttCWtyE160P/xor
+Juhx2RRDAgMBAAECggEBALLPVksGbgrkm6hdUzlu3h0b+mYA6OQBoo16E3lkBU7S
+nQec7SI0XCm8+aB6eIedDz6adfJaeg7tQg1tWh0Rd+IKbaKf/dsQ29hMKfGD9TRz
+e6qn+c6Vmn5YKW+OhEIO09B0QVKf/QiWHpr06T+dTcrgifjX4QQSOap1A7eQ6i8R
+ryXdALrfG70RTYHSKu9B2mjn4vOXl0YNBhNlNAN5GBRh6iaqmSxRMWfURNK2P9Tc
+lcHJFMW7duue38q6U5hPrVK/euXUtEoEDFXRzBXAZ2jcOzKxfJ6ZHXgP1wmWC6hS
+fLWpnc2f7uc5A5EAS2cOOZBLbTZFkiGB1FSfmB+Bf6ECgYEA3kVeBE6Xv/E7PgPJ
+AHQnMoISREASNxxS7Foly4VelzsL9qXO8Xb6hK/y/Cx6X5LFX108LvKLCn2d09qG
+HPseA/A54uw2uUPztFNpHOnLgBCMo0qu4Rsp/FsermcUvTy8XL4NeUMM85vAJ4dQ
+BjwDs7iDjZ7lVR0my5PJVEcXVZMCgYEAzgG30pdUuTrsL/Am5+ilR7qC/S7zOF/W
+aQvvcX2EjzqtViCcalk80sJmsCLrkx2p8Qx54z3jW9pie6z6A90bVrAZ7QprjhMZ
+mw+kEy+Me/htCp1Oh0Bj/X/GBGYVdJyEz3BkmUe4oUTQikYGNTN3INrTVBiiUpte
+2r1QeHKZdJECgYAO6MBBsbPkIB5FLqPQ7/mhHbBz+4g9Qh0d1X4rhKqvojpPNRgI
+gl6Tf+ngmGss9f9fQjXDQGmrLnnjuAi+8Ok2gmqfmhChpLk4I1AtrFEGKhYE7gGE
+//l0//ey4x81AlnwLp9gvuqjfJMLE7x+bpAhAgNxAHOJngb4KNWcXZhnGQKBgBwe
+Den3b7/sc+pDG/xRO6XjphdKfjX2lrw1vdO+rwYhmyEDSHYXgf6+O+fUjFTDGrvk
+2QoUG2EhGIoK3QED/8RAOvmoj2+P2dHZO6rGtaUCDlgBioNZXYxvESbujAUji9kI
+XSKysFeKnfARiK1gPeVFGM0Eo7skq7itWDtoYNuRAoGBAMpxteZlaIFY4Z0AIJ/Y
+MkkIWIq0OujGD2ApXFXw6Dh3KHyF5z4YMUVIKYKW/dMDYd2WRPYFD6AZiWBFQadA
+YUg0ks7ayF1FSPn2kldyr3AIysJjs6EGaj3svDN3rmIlLkS7vyYp0xfP7JG8l8Vm
+Dq7DO0YZ9hJs1M/np0HU8z7f
+-----END PRIVATE KEY-----

docker/nginx/nginx/dev/dev-https.conf

+server {
+    listen 443 ssl;
+    server_name localhost;
+
+    ssl_certificate      /etc/nginx/certs/dev-selfsigned.crt;
+    ssl_certificate_key  /etc/nginx/certs/dev-selfsigned.key;
+
+    location / {
+        access_log off;
+        proxy_pass http://127.0.0.1:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+    }
+}
\ No newline at end of file

docker/nginx/nginx/nginx-entrypoint

+#!/bin/sh
+set -eu
+
+# Envsubset all files and only replace exported envs.
+for f in $(find /etc/nginx/ -name "*.conf"); do cat $f | envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" > "$f.tmp"; mv "$f.tmp" "$f"; done
+
+# Give FPM some time to warmup
+sleep 1
+
+# Validate & Test nginx config (retry to wait if fpm host hasn't started yet)
+timeout 30 sh -c "until nginx -t -q; do echo 'Runtime Test Failed, Retrying...'; sleep 5; done"
+
+echo "► Started Nginx"
+
+exec nginx -g 'daemon off;'