From 0635eb368b4cb872fa5648e827edd8b5d191a78c Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 15 Nov 2020 20:49:43 +0100
Subject: [PATCH] various bug fixes

---
 confs/site/php.conf | 2 +-
 confs/site/reverse-proxy.conf | 2 +-
 entrypoint/defaults.sh | 4 +-
 entrypoint/global-config.sh | 2 +-
 entrypoint/site-config.sh | 48 ++++++++++---------
 examples/behind-traefik/docker-compose.yml | 19 --------
 examples/multisite-basic/docker-compose.yml | 12 ++---
 .../docker-compose.yml | 6 ++-
 .../wp.website.com/wordpress.conf | 1 +
 9 files changed, 43 insertions(+), 53 deletions(-)
 create mode 100644 examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf

diff --git a/confs/site/php.conf b/confs/site/php.conf
index 90fb918..4b356a5 100644
--- a/confs/site/php.conf
+++ b/confs/site/php.conf
@@ -1,5 +1,5 @@
 location ~ \.php$ {
 fastcgi_pass %REMOTE_PHP%:9000;
 fastcgi_index index.php;
- include /etc/nginx/fastcgi.conf;
+ include %FASTCGI_PATH%fastcgi.conf;
 }
diff --git a/confs/site/reverse-proxy.conf b/confs/site/reverse-proxy.conf
index 0bc8aff..bc12a78 100644
--- a/confs/site/reverse-proxy.conf
+++ b/confs/site/reverse-proxy.conf
@@ -1,3 +1,3 @@
 location %REVERSE_PROXY_URL% {
- proxy_pass %REVERSE_PROXY_LOCATION%;
+ proxy_pass %REVERSE_PROXY_HOST%;
 }
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 4d09b76..6e589d2 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -21,8 +21,8 @@ PROXY_CACHE_METHODS="${PROXY_CACHE_METHODS-GET HEAD}"
 PROXY_CACHE_MIN_USES="${PROXY_CACHE_MIN_USES-2}"
 PROXY_CACHE_KEY="${PROXY_CACHE_KEY-\$scheme\$host\$request_uri}"
 PROXY_CACHE_VALID="${PROXY_CACHE_VALID-200=10m 301=10m 301=1h any=1m}"
-PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_pragma \$http_authorization}"
-PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_pragma \$http_authorization}"
+PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_authorization}"
+PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_authorization}"
 USE_GZIP="${USE_GZIP-no}"
 GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-5}"
 GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-1000}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index d1aa13d..ddfb440 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -32,7 +32,7 @@ else
 fi
 
 # proxy_cache zone
-if [ "$(has_value USE_PROXY_CACHE yes)" = "yes" ] ; then
+if [ "$(has_value USE_PROXY_CACHE yes)" != "" ] ; then
 replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" "proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:${PROXY_CACHE_PATH_ZONE_SIZE} ${PROXY_CACHE_PATH_PARAMS};"
 else
 replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" ""
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 7269260..cf4e312 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
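Review bot: After the two `+` lines, the default `proxy_no_cache`/`proxy_cache_bypass` conditions depend only on the `Authorization` header, while the `PROXY_CACHE_KEY` context line still defaults to `$scheme$host$request_uri` and `PROXY_CACHE_VALID` forces `200=10m`; a response to a cookie-authenticated request that carries neither `Set-Cookie` nor `Cache-Control: private` would presumably be stored and served to other clients of the same URL. Dropping `$http_pragma` is defensible on its own (it let any client force a cache bypass with a request header), but nothing in the commit says why, so a comment on the `PROXY_NO_CACHE` line such as `# $http_pragma deliberately not honoured: it let clients bypass the cache at will` would keep it from being re-added. If cookie-based sessions are expected behind the cache, the README or this file should tell operators to set `PROXY_NO_CACHE`/`PROXY_CACHE_BYPASS` to include `$http_cookie` or a specific `$cookie_<name>`.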
@@ -37,27 +37,29 @@ else
 fi
 
 # max body size
-replace_in_file "{NGINX_PREFIX}server.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
+replace_in_file "${NGINX_PREFIX}server.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
 
 # server tokens
-replace_in_file "{NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
+replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 
 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
 i=1
 for var in $(env) ; do
- check=$(echo "$var" | grep "^REVERSE_PROXY_URL")
- if [ "$check" != "" ] ; then
+ check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
+ check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
+ if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
 name=$(echo "$var" | cut -d '=' -f 1)
- value=$(echo "$var" | sed "s/${name}//")
- host=$(echo "$name" | sed "s/URL/HOST//")
+ value=$(echo "$var" | sed "s/${name}=//")
+ host=$(echo "$name" | sed "s/URL/HOST/")
+ host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
 cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
 replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
- replace_in_file "${NGINX_PREFIX}reverse-proxy.${i}conf" "%REVERSE_PROXY_HOST%" "${!host}"
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
 i=$(($i + 1))
 fi
 done
- replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf"
+ replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
 else
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" ""
 fi
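Review bot: `host_value` on the new `host_value=$(env | grep "^${host}=" ...)` line is never checked, so when the matching `*_REVERSE_PROXY_HOST` variable is missing or empty the `%REVERSE_PROXY_HOST%` placeholder is replaced by nothing and the generated `reverse-proxy-${i}.conf` carries a bare `proxy_pass ;`, which nginx rejects for the whole configuration rather than for the one site that is misconfigured. A guard before the `cp`, in the file's own style, such as `if [ "$host_value" = "" ] ; then echo "missing ${host} for ${name}" >&2 ; continue ; fi`, keeps the remaining locations usable and names the culprit. Note also that `for var in $(env)` iterates on whitespace-split tokens, so an environment value containing a space (the example `SERVER_NAME` in this same commit holds two names) is seen as several `var` entries; that happens to be harmless for the `^REVERSE_PROXY_URL` match, but `value` would be truncated for any URL containing a space, which deserves a comment above the loop.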
@@ -127,6 +129,10 @@ fi
 if [ "$REMOTE_PHP" != "" ] ; then
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
 replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
+ replace_in_file "${NGINX_PREFIX}php.conf" "%FASTCGI_PATH%" "$NGINX_PREFIX"
+ if [ "$MULTISITE" = "yes" ] ; then
+ cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf
+ fi
 replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
 else
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" ""
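Review bot: The added `cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf` leaves `${NGINX_PREFIX}` unquoted while every neighbouring `replace_in_file` call quotes it; write `cp /etc/nginx/fastcgi.conf "${NGINX_PREFIX}fastcgi.conf"` for consistency, and unless the script runs under `set -e` (not visible here) consider `|| exit 1`, since the following `replace_in_file` would otherwise operate on a missing copy. In the non-multisite case no copy is made, so the `"\$document_root"` substitution edits `${NGINX_PREFIX}fastcgi.conf` in place and presumably relies on `NGINX_PREFIX` already pointing at the directory holding the stock `fastcgi.conf`; a one-line comment above the new `if` stating that assumption would help. The enclosing `if [ "$REMOTE_PHP" != "" ]` block closes outside the hunk.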
@@ -321,26 +327,24 @@ fi
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
+ modsec_custom=""
 if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
- if [ "$MULTISITE" = "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/${1}/*.conf"
- else
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
- fi
- else
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
+ modsec_custom="include /modsec-confs/*.conf\n"
 fi
+ if [ "$MULTISITE" = "yes" ] && ls /modsec-confs/${1}/*.conf > /dev/null 2>&1 ; then
+ modsec_custom="${modsec_custom}include /modsec-confs/${1}/*.conf\n"
+ fi
+ replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
 if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
+ modsec_crs_custom=""
 if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
- if [ "$MULTISITE" = "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/${1}/*.conf"
- else
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
- fi
- else
- replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
+ modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
 fi
+ if [ "$MULTISITE" = "yes" ] && ls /modsec-crs-confs/${1}/*.conf > /dev/null 2>&1 ; then
+ modsec_crs_custom="${modsec_custom}include /modsec-crs-confs/${1}/*.conf\n"
+ fi
+ replace_in_file 
"${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf" else replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" diff --git a/examples/behind-traefik/docker-compose.yml b/examples/behind-traefik/docker-compose.yml index 042e4a8..8f594e4 100644 --- a/examples/behind-traefik/docker-compose.yml +++ b/examples/behind-traefik/docker-compose.yml @@ -12,9 +12,6 @@ services: - /var/run/docker.sock:/var/run/docker.sock - ./traefik/traefik.toml:/traefik.toml - ./traefik/acme.json:/acme.json - networks: - - netwww1 - - netwww2 mywww1: image: bunkerity/bunkerized-nginx @@ -33,9 +30,6 @@ services: - 'traefik.enable=true' - 'traefik.port=8080' - 'traefik.frontend.rule=Host:app1.website.com' # replace with your domain - networks: - - netwww1 - - netphp1 mywww2: image: bunkerity/bunkerized-nginx @@ -54,28 +48,15 @@ services: - 'traefik.enable=true' - 'traefik.port=8080' - 'traefik.frontend.rule=Host:app2.website.com' # replace with your domain - networks: - - netwww2 - - netphp2 myphp1: image: php:fpm restart: always volumes: - ./web1:/app - networks: - - netphp1 myphp2: image: php:fpm restart: always volumes: - ./web2:/app - networks: - - netphp2 - - networks: - netwww1: - netwww2: - netphp1: - netphp2: diff --git a/examples/multisite-basic/docker-compose.yml b/examples/multisite-basic/docker-compose.yml index 6296c0d..dae433a 100644 --- a/examples/multisite-basic/docker-compose.yml +++ b/examples/multisite-basic/docker-compose.yml @@ -39,7 +39,7 @@ services: image: php:fpm restart: always volumes: - - ./web-files/app1:/app + - ./web-files/app1.website.com:/app networks: - net1 @@ -47,7 +47,7 @@ services: image: php:fpm restart: always volumes: - - ./web-files/app2:/app + - ./web-files/app2.website.com:/app networks: - net2 
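Review bot: `modsec_crs_custom="${modsec_custom}include /modsec-crs-confs/${1}/*.conf\n"` in the multisite CRS branch expands the wrong variable: it prepends the non-CRS `modsec_custom` includes and discards the `include /modsec-crs-confs/*.conf` line assigned to `modsec_crs_custom` just above, so a multisite deployment with a per-site `/modsec-crs-confs/<site>` directory silently loses its global CRS customisations and gets the `/modsec-confs` includes a second time in the CRS slot. It should read `modsec_crs_custom="${modsec_crs_custom}include /modsec-crs-confs/${1}/*.conf\n"`. Separately, `\n` inside double quotes is a literal backslash-n in sh, so both accumulators rely on `replace_in_file` (defined outside the hunk) turning it into a newline; a comment on the first `modsec_custom=""` line saying so would save the next reader a detour. The hunk begins on the preceding physical line and the enclosing `if [ "$USE_MODSECURITY" = "yes" ]` block closes outside it.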
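Review bot: Removing every `networks:` entry and the top-level `networks` definition in examples/behind-traefik/docker-compose.yml places traefik, both `mywww` services and both `myphp` services on one shared default network, so `myphp1` becomes reachable from `mywww2` (and `myphp2` from `mywww1`); the removed per-pair networks were what kept each app's nginx/php-fpm pair in its own segment. If the flatter layout was needed to make the example work, a comment next to the service definitions, e.g. `# all services share the default network; give each nginx/php-fpm pair its own network in production`, would stop readers from copying the example as-is. The three hunks of that file make the same change and are covered by this note.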
@@ -63,7 +63,7 @@ services: networks: - net3 - networks: - net1: - net2: - net3: +networks: + net1: + net2: + net3: diff --git a/examples/multisite-custom-server-confs/docker-compose.yml b/examples/multisite-custom-server-confs/docker-compose.yml index 027bbff..267a09b 100644 --- a/examples/multisite-custom-server-confs/docker-compose.yml +++ b/examples/multisite-custom-server-confs/docker-compose.yml @@ -13,7 +13,7 @@ services: - ./letsencrypt:/etc/letsencrypt - ./server-confs:/server-confs:ro - ./modsec-confs:/modsec-confs:ro - - ./modsec-crs-confs:/modsec-crs-conf:ro + - ./modsec-crs-confs:/modsec-crs-confs:ro environment: - SERVER_NAME=wp.website.com nc.website.com # replace with your domains - MULTISITE=yes @@ -88,3 +88,7 @@ services: - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) networks: - net2 + +networks: + net1: + net2: diff --git a/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf new file mode 100644 index 0000000..654b883 --- /dev/null +++ b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf @@ -0,0 +1 @@ +SecRuleRemoveById 953120
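Review bot: The new examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf disables one rule for the entire `wp.website.com` site with no explanation, so readers of the example cannot tell which WordPress request false-positived or whether a narrower exclusion (limited to the affected path) would do; a line above it such as `# 953120: false positive on <WordPress path> — TODO confirm and narrow the scope` makes the exclusion reviewable. A 953xxx id falls in the CRS range and `SecRuleRemoveById` only affects rules already loaded, so this file needs to be included after the CRS rules; the commit puts it under `/modsec-confs` (the `%MODSECURITY_INCLUDE_CUSTOM_RULES%` slot) while `/modsec-crs-confs` (the `%MODSECURITY_INCLUDE_CUSTOM_CRS%` slot) looks like the intended place for CRS tweaks — worth confirming against the modsecurity-rules.conf template, which is not in this diff, that the exclusion is not silently ignored.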