application env (dev / prod) & 3rd party integration correction

Author: codeyourweb

.env

@@ -1,4 +1,5 @@
 COMPOSE_PROFILES=sftp,phpmyadmin,kibana,internal-monitoring
+APP_ENV=prod
 ELASTICSEARCH_CLUSTER_MODE=single-node
 SENTINELKIT_FRONTEND_HOSTNAME=sentinel-kit.local
 SENTINELKIT_BACKEND_HOSTNAME=backend.sentinel-kit.local

.gitignore

@@ -2,14 +2,14 @@
 /.env.local.php
 /.env.*.local
 /config/caddy_server/certificates/*
-/config/yara_ruleset/*
-/config/sigma_ruleset/*
 /config/elastalert_ruleset/*
 /config/backend/*
 /data/caddy_logs/*
 /data/ftp_data/*
 /data/grafana/*
 /data/kibana/*
+/data/rulesets/yara_ruleset/*
+/data/rulesets/sigma_ruleset/*
 /data/fluentbit_db/*
 /data/log_ingest_data/evtx/*
 /data/log_ingest_data/auditd/*
@@ -19,6 +19,7 @@
 /data/yara_triage_data/*
 /docs/graphs/*.bkp
 /sentinel-kit_server_frontend/node_modules/*
+/sentinel-kit_server_frontend/dist/*
 /sentinel-kit_server_frontend/package-lock.json
 /sentinel-kit_server_backend/composer.lock
 /sentinel-kit_server_backend/.initial_setup_done

config/docker-config/Dockerfile.backend

@@ -1,7 +1,7 @@
-FROM php:8.2-fpm-alpine
+FROM php:8.5-fpm-alpine
 
 RUN apk update && \
-    apk add --no-cache icu-dev zip libzip-dev bash && \
+    apk add --no-cache icu-dev zip libzip-dev bash nginx curl && \
     docker-php-ext-install intl pdo pdo_mysql zip
 
 RUN apk add --no-cache libpng-dev libjpeg-turbo-dev libwebp-dev libxpm-dev freetype-dev python3 pipx && \
@@ -22,8 +22,16 @@ RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.alpine.sh'
 
 RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
 
+COPY config/docker-config/nginx-backend.conf /etc/nginx/nginx.conf
+COPY config/docker-config/backend-php-fpm.conf /usr/local/etc/php-fpm.d/www.conf
+RUN mkdir -p /run/nginx /var/log/nginx && \
+    chown -R nginx:nginx /var/log/nginx /run/nginx
+
 RUN chown -R www-data:www-data /var/www/html && chown -R www-data:www-data /detection-rules
-# Note: We start as root to fix permissions of mounted volumes, then switch to www-data in entrypoint
+
+COPY config/docker-config/backend-entrypoint.sh /opt/server-backend/backend-entrypoint.sh
+RUN chmod +x /opt/server-backend/backend-entrypoint.sh
+
 WORKDIR /var/www/html
 
 ENTRYPOINT ["/bin/sh", "-c", "/opt/server-backend/backend-entrypoint.sh"]

config/docker-config/Dockerfile.frontend

@@ -0,0 +1,15 @@
+FROM node:24-alpine
+
+RUN apk add --no-cache nginx curl && npm install -g npm
+
+RUN mkdir -p /run/nginx /var/log/nginx && \
+    chown -R nginx:nginx /var/log/nginx /run/nginx
+
+COPY config/docker-config/frontend-nginx.conf /etc/nginx/nginx.conf
+
+COPY config/docker-config/frontend-entrypoint.sh /usr/local/bin/frontend-entrypoint.sh
+RUN chmod +x /usr/local/bin/frontend-entrypoint.sh
+
+WORKDIR /app
+
+ENTRYPOINT ["/usr/local/bin/frontend-entrypoint.sh"]

config/docker-config/Dockerfile.scanner

@@ -8,6 +8,7 @@ RUN apk update \
        build-base \
        mysql-client \
        mysql-dev \
+       curl \
     && rm -rf /var/cache/apk/*
 
 WORKDIR /app

config/docker-config/backend-entrypoint.sh

@@ -1,24 +1,62 @@
 #!/bin/sh
+
+echo "=== Sentinel Kit Backend Entrypoint ==="
+echo "Environment: $APP_ENV"
+
 chown -R www-data:www-data /var/www/html
 chown -R www-data:www-data /detection-rules
 
+setup_symfony() {
+    MARKER_FILE="/var/www/html/.initial_setup_done"
+    rm -rf /var/www/html/var/cache
+    rm -rf /var/www/html/public/bundles
+    rm -rf /detection-rules/elastalert/*
+    
+    echo "Installing Composer dependencies..."
+    composer install
+    
+    if [ ! -f "$MARKER_FILE" ]; then
+        echo "Running initial setup..."
+        sleep 10
+        rm -rf /var/www/html/migrations/*.php
+        php /var/www/html/bin/console doctrine:schema:drop --force --full-database
+        php /var/www/html/bin/console make:migration -n
+        php /var/www/html/bin/console doctrine:migrations:migrate -n
+        php /var/www/html/bin/console lexik:jwt:generate-keypair
+        php /var/www/html/bin/console lexik:jwt:check-config
+        touch "$MARKER_FILE"
+        echo "Initial setup completed."
+    fi
+    
+    if [ "$APP_ENV" = "prod" ]; then
+        echo "Warming up production cache..."
+        php /var/www/html/bin/console cache:clear --env=prod --no-debug
+        php /var/www/html/bin/console cache:warmup --env=prod --no-debug
+    else
+        echo "Clearing development cache..."
+        php /var/www/html/bin/console cache:clear
+    fi
+}
+
 su -s /bin/sh www-data << 'EOF'
-MARKER_FILE="/var/www/html/.initial_setup_done"
-rm -rf /var/www/html/var/cache
-rm -rf /var/www/html/public/bundles
-rm -rf /detection-rules/elastalert/*
-composer install
-if [ ! -f "$MARKER_FILE" ]; then
-echo "Running initial setup..."
-sleep 10
-rm -rf /var/www/html/migrations/*.php
-php /var/www/html/bin/console doctrine:schema:drop --force --full-database
-php /var/www/html/bin/console make:migration -n
-php /var/www/html/bin/console doctrine:migrations:migrate -n
-php /var/www/html/bin/console lexik:jwt:generate-keypair
-php /var/www/html/bin/console lexik:jwt:check-config
-touch "$MARKER_FILE"
-fi
-echo "Starting Symfony server..."
+$(declare -f setup_symfony)
+setup_symfony
+EOF
+
+if [ "$APP_ENV" = "prod" ]; then
+    echo "Starting PRODUCTION mode with Nginx + PHP-FPM..."
+    
+    echo "Starting PHP-FPM..."
+    php-fpm -D
+    
+    echo "Starting Nginx on port 8000..."
+    nginx -g 'daemon off;'
+    
+else
+    echo "Starting DEVELOPMENT mode with Symfony server..."
+    
+    su -s /bin/sh www-data << 'EOF'
+echo "Starting Symfony development server on port 8000..."
 symfony server:start --allow-http --port=8000 --listen-ip='0.0.0.0'
-EOF
+EOF
+fi

config/docker-config/backend-php-fpm.conf

@@ -0,0 +1,36 @@
+; Performance optimizations for production
+[global]
+daemonize = no
+error_log = /proc/self/fd/2
+
+[www]
+user = www-data
+group = www-data
+listen = 127.0.0.1:8000
+listen.owner = www-data
+listen.group = www-data
+
+; Process management
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 1000
+
+; Logging
+access.log = /proc/self/fd/2
+catch_workers_output = yes
+
+; Security
+security.limit_extensions = .php
+
+; Performance
+request_slowlog_timeout = 10s
+slowlog = /proc/self/fd/2
+
+; Environment variables
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp

config/docker-config/frontend-entrypoint.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+echo "=== Sentinel Kit Frontend Entrypoint ==="
+echo "Environment: $APP_ENV"
+
+echo "Installing npm dependencies..."
+npm install
+
+if [ "$APP_ENV" = "prod" ]; then
+    echo "Starting frontend in PRODUCTION mode"
+
+    if [ ! -d "/app/dist" ]; then
+        echo "Building application for production..."
+        npm run build
+    fi
+    
+    if [ ! -d "/app/dist" ]; then
+        echo "ERROR: Build failed - dist directory not found!"
+        exit 1
+    fi
+    
+    echo "Starting nginx on port 3000..."
+    nginx -g 'daemon off;'
+    
+else
+    echo "Starting in DEVELOPMENT mode"
+    echo "Starting Vite dev server on port 3000..."
+    npm run dev -- --host '0.0.0.0' --port 3000
+fi

config/docker-config/frontend-nginx.conf

@@ -0,0 +1,64 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Performance
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/javascript
+        application/xml+rss
+        application/json;
+
+    server {
+        listen 3000;
+        server_name localhost;
+        root /app/dist;
+        index index.html;
+
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+        # Handle client-side routing
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        # Cache static assets
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # Security: deny access to sensitive files
+        location ~ /\. {
+            deny all;
+        }
+    }
+}