diff --git a/Dockerfile b/Dockerfile
index daca783..3e264c4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
-COPY crowdsec/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh && \
- /tmp/install.sh && \
- rm -rf /tmp/*
-
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 50fed53..fdd611d 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
-COPY crowdsec/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh && \
- /tmp/install.sh && \
- rm -rf /tmp/*
-
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 4f8ffc9..d985889 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -13,18 +13,12 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
-COPY crowdsec/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh && \
- /tmp/install.sh && \
- rm -rf /tmp/*
-
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 6f85a36..ec933cb 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -13,18 +13,12 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
-COPY crowdsec/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh && \
- /tmp/install.sh && \
- rm -rf /tmp/*
-
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 664d57a..bffd43e 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
-COPY crowdsec/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh && \
- /tmp/install.sh && \
- rm -rf /tmp/*
-
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
diff --git a/compile.sh b/compile.sh
index 808dabf..147591b 100644
--- a/compile.sh
+++ b/compile.sh
@@ -30,7 +30,7 @@ function git_secure_clone() {
 NTASK=$(nproc)
 # install build dependencies
-apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev
+apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev
 # compile and install ModSecurity library
 cd /tmp
@@ -111,6 +111,36 @@ git_secure_clone https://github.com/ledgetech/lua-resty-http.git 984fdc260543763
 cd lua-resty-http
 make install
 cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+cd /tmp
+git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
+cd luasocket
+make -j $NTASK
+mkdir /usr/local/lib/lua/socket
+cp src/*.lua /usr/local/lib/lua/socket
+cp src/*.so /usr/local/lib/lua/5.1/
+mv /usr/local/lib/lua/5.1/socket*.so /usr/local/lib/5.1/socket.so
+mv /usr/local/lib/lua/5.1/mime*.so /usr/local/lib/5.1/mime.so
+cd /tmp
+git_secure_clone https://github.com/brunoos/luasec.git c6704919bdc85f3324340bdb35c2795a02f7d625
+cd luasec
+make linux -j $NTASK
+cp src/ssl.so /usr/local/lib/lua/5.1
+mkdir /usr/local/lib/lua/ssl
+cp src/*.lua /usr/local/lib/lua
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 71c4247d6b66234e3f3426b2ea721ad50c741579
+cd lua-cs-bouncer
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/:' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/:' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+cd /tmp
 git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1
diff --git a/crowdsec/install.sh b/crowdsec/install.sh
deleted file mode 100644
index 6de9886..0000000
--- a/crowdsec/install.sh
+++ /dev/null
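Review bot: Both `sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/:'` and `sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/:'` close the `s` command with `/:` instead of `/`, which sed rejects as an unknown option to `s`, so crowdsec.conf is never templated; the lines should read `sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf` and `sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf`. Even once that is fixed, the tokens written here carry a trailing `%` while entrypoint/global-config.sh in this same diff replaces `%CROWDSEC_HOST` and `%CROWDSEC_KEY` without it, which would leave `API_URL=<host>%` in the rendered file, so the two sides need to agree on the same placeholder. The `mv ... /usr/local/lib/5.1/socket.so` and `mv ... /usr/local/lib/5.1/mime.so` destinations look like a typo for `/usr/local/lib/lua/5.1/`, the directory the preceding `cp src/*.so` (and the later `cp src/ssl.so`) uses for compiled modules; if `/usr/local/lib/5.1` does not exist the `mv` fails outright. Unless compile.sh enables `set -e` above this hunk, none of these failures would stop the image build, so they would only surface as a runtime error in the bouncer.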
@@ -1,63 +0,0 @@
-#!/bin/sh
-
-function git_secure_clone() {
- repo="$1"
- commit="$2"
- folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
- git clone "$repo"
- cd "$folder"
- git checkout "${commit}^{commit}"
- if [ $? -ne 0 ] ; then
- echo "[!] Commit hash $commit is absent from repository $repo !"
- exit 1
- fi
- cd ..
-}
- NTASK=$(nproc)
- # install build dependencies
-apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
- # build and install crowdsec
-cd /tmp
-git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
-cd crowdsec
-make -j $NTASK build
-./wizard.sh --bininstall
-sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
-sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
- # install nginx collection
-cscli update
-cscli install collection crowdsecurity/nginx
-sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
-sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
- # build and install luasql
-cd /tmp
-git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
-cd luasql
-make -j $NTASK sqlite3 mysql
-mkdir /usr/local/lib/lua/5.1/luasql
-cp src/*.so /usr/local/lib/lua/5.1/luasql
- # install lualogging
-cd /tmp
-git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
-cd lualogging
-cp -r src/* /usr/local/lib/lua
- # install cs-lua-lib
-cd /tmp
-git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
-cd cs-lua-lib
-mkdir /usr/local/lib/lua/crowdsec
-cp lib/*.lua /usr/local/lib/lua/crowdsec
-cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
-rm /usr/local/lib/lua/crowdsec/lrucache.lua
-sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
-sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
-
-# remove build dependencies
-apk del build
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index b08da6f..7de2728 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 MULTISITE="${MULTISITE-no}"
-LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
+LOG_FORMAT="${LOG_FORMAT-\$host \$remote_addr - \$remote_user [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 6c3430d..bc950d1 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -100,12 +100,6 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 LOGS="$LOGS /var/log/fail2ban.log"
 fi
-# start crowdsec
-if [ "$USE_CROWDSEC" = "yes" ] ; then
- echo "[*] Running crowdsec ..."
- crowdsec
-fi
-
 # autotest
 if [ "$1" == "test" ] ; then
 sleep 10
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index be1f99c..3a33521 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
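Review bot: The new default `LOG_FORMAT` in entrypoint/defaults.sh moves `$host` in front of `$remote_addr`, so the first field of every access-log line is no longer the client IP; anything that parses these logs positionally has to follow. The fail2ban filters shipped under fail2ban/ and the CrowdSec nginx parser the example relies on are not touched by this diff, so it is worth confirming they match the new layout — the deleted crowdsec/install.sh had to patch the parser's `filter` and `apply_on` for the old one, which suggests the format is load-bearing. A comment above the assignment would save the next person the surprise, e.g. `# $host comes first: this layout is parsed by CrowdSec/fail2ban, keep their filters in sync when changing it`.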
@@ -291,10 +291,8 @@ fi
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
- cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
- cscli api register >> /etc/crowdsec/config/api.yaml
- cscli api pull
- echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
+ replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST" "$CROWDSEC_HOST"
+ replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY" "$CROWDSEC_KEY"
 else
 replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
 fi
diff --git a/crowdsec/acquis.yaml b/examples/crowdsec/acquis.yaml
similarity index 100%
rename from crowdsec/acquis.yaml
rename to examples/crowdsec/acquis.yaml
diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml
new file mode 100644
index 0000000..862e1ad
--- /dev/null
+++ b/examples/crowdsec/docker-compose.yml
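Review bot: Nothing checks that `CROWDSEC_HOST` and `CROWDSEC_KEY` are non-empty before they are substituted into crowdsec.conf, so with `USE_CROWDSEC=yes` and an unset key (the shipped example leaves `CROWDSEC_KEY=` blank) the file ends up with `API_KEY=` and the bouncer fails to authenticate with no hint at startup. A guard before the two `replace_in_file` calls, `if [ -z "$CROWDSEC_HOST" ] || [ -z "$CROWDSEC_KEY" ] ; then echo "[!] USE_CROWDSEC=yes requires CROWDSEC_HOST and CROWDSEC_KEY" ; fi`, would make the misconfiguration visible in the container log. `replace_in_file` is not visible in this diff; if it is sed-based, a key or URL containing characters special to the replacement side (`/`, `&`, `\`) would corrupt the file, so it is worth confirming it escapes its third argument. The rendered file now holds the bouncer API key at `/usr/local/lib/lua/crowdsec/crowdsec.conf`; its permissions should allow reads only by the user the nginx workers run as, which is worth verifying in the image.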
@@ -0,0 +1,70 @@
+version: '3'
+
+services:
+
+ mywww:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./web-files:/www:ro
+ - ./letsencrypt:/etc/letsencrypt
+ - nginx_logs:/var/log
+ environment:
+ - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
+ - MULTISITE=yes
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - USE_CROWDSEC=yes
+ - CROWDSEC_HOST=mycrowdsec
+ - CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
+ - app1.website.com_REMOTE_PHP=myapp1
+ - app1.website.com_REMOTE_PHP_PATH=/app
+ - app2.website.com_REMOTE_PHP=myapp2
+ - app2.website.com_REMOTE_PHP_PATH=/app
+ networks:
+ - net0
+ - net1
+ - net2
+
+ mycrowdsec:
+ image: crowdsecurity/crowdsec:v1.0.2
+ restart: always
+ volumes:
+ - ./acquis.yaml:/etc/crowdsec/acquis.yaml
+ - nginx_logs:/var/log:ro
+ environment:
+ - COLLECTIONS=crowdsecurity/nginx
+ - REGISTER_TO_ONLINE_API=true
+ networks:
+ - net0
+
+ myapp1:
+ image: php:fpm
+ restart: always
+ volumes:
+ - ./web-files/app1.website.com:/app
+ networks:
+ - net1
+
+ myapp2:
+ image: php:fpm
+ restart: always
+ volumes:
+ - ./web-files/app2.website.com:/app
+ networks:
+ - net2
+
+networks:
+ net0:
+ net1:
+ net2:
+
+volumes:
+ nginx_logs:
diff --git a/examples/crowdsec/web-files/app1.website.com/index.php b/examples/crowdsec/web-files/app1.website.com/index.php
new file mode 100644
index 0000000..e5e25c9
--- /dev/null
+++ b/examples/crowdsec/web-files/app1.website.com/index.php
@@ -0,0 +1,5 @@
+
diff --git a/examples/crowdsec/web-files/app2.website.com/index.php b/examples/crowdsec/web-files/app2.website.com/index.php
new file mode 100644
index 0000000..69971d5
--- /dev/null
+++ b/examples/crowdsec/web-files/app2.website.com/index.php
@@ -0,0 +1,5 @@
+
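Review bot: The comment on `CROWDSEC_KEY=` points the reader to `bouncer_key.sh`, but no such file is part of this diff, so the example cannot be followed as written. Either add the script or state the procedure inline, e.g. `# generate with: docker-compose exec mycrowdsec cscli bouncers add mywww` (the bouncer-registration command of the crowdsec 1.x image), and say that the value must be set before starting `mywww`. Leaving the key empty means the bouncer in `mywww` cannot authenticate against `mycrowdsec`, and nothing in the entrypoint changes visible here reports that, so the comment is currently the only place a user would learn it.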