From 09e6b50e5809421b62393053cee2a5c07789baba Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 3 Jan 2020 10:21:37 +0000
Subject: [PATCH] custom conf
---
 Dockerfile | 5 ++---
 README.md | 2 --
 confs/serve-files.conf | 5 +++++
 confs/server.conf | 9 +++------
 entrypoint.sh | 9 +++++++++
 5 files changed, 19 insertions(+), 11 deletions(-)
 create mode 100644 confs/serve-files.conf
diff --git a/Dockerfile b/Dockerfile
index 641979c..7e3cd5e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,9 +15,8 @@ RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoi
 mkdir /www && \
 adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
-VOLUME /www
+VOLUME /www /confs
-EXPOSE 80
-EXPOSE 443
+EXPOSE 80/tcp 443/tcp
 ENTRYPOINT ["/opt/entrypoint.sh"]
diff --git a/README.md b/README.md
index 815bc5f..abc9ca7 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,5 @@ Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_m
 ## TODO
 - File permissions hardening
-- Custom nginx configuration
 - Custom TLS certificates
 - Documentation
-- Reverse proxy mode
diff --git a/confs/serve-files.conf b/confs/serve-files.conf
new file mode 100644
index 0000000..fe621a3
--- /dev/null
+++ b/confs/serve-files.conf
@@ -0,0 +1,5 @@
+root /www;
+index index.html index.php;
+location / {
+ try_files $uri $uri/ =404;
+}
diff --git a/confs/server.conf b/confs/server.conf
index 14766b1..b895843 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -2,12 +2,7 @@ server {
 %LISTEN_HTTP%
 %AUTO_LETS_ENCRYPT%
 server_name %SERVER_NAME%;
- root /www;
- index index.html index.php;
- location / {
- try_files $uri $uri/ =404;
- %BLOCK_TOR_EXIT_NODE%
- }
+ %SERVE_FILES%
 if ($request_method !~ ^(%ALLOWED_METHODS%)$) {
 return 405;
@@ -22,6 +17,8 @@ server {
 %FEATURE_POLICY%
 %BLOCK_COUNTRY%
 %BLOCK_USER_AGENT%
+ %BLOCK_TOR_EXIT_NODE%
 %COOKIE_FLAGS%
 %ERRORS%
+ include /confs/*.conf;
 }
diff --git a/entrypoint.sh b/entrypoint.sh
index 2ce6c0d..f26d474 100644
--- a/entrypoint.sh
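Review bot: `VOLUME /www /confs` makes /confs a writable mount whose contents the server block now loads verbatim (`include /confs/*.conf;` in confs/server.conf), so anyone who can write to that volume controls the nginx configuration of the container; the Dockerfile should state that, e.g. `# /confs: operator nginx snippets, included into the server block -- mount read-only (:ro)`. This hunk also shows no COPY of the new confs/serve-files.conf to /etc/nginx/serve-files.conf, which is the path entrypoint.sh includes; presumably an existing COPY of confs/ earlier in the file covers it, but that is worth confirming. The RUN instruction whose tail (`mkdir /www`, `adduser`) appears as context starts before this hunk.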
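Review bot: The new file carries no comment saying when it is loaded, which matters because entrypoint.sh splices it into the server block through the %SERVE_FILES% placeholder only when SERVE_FILES is "yes"; a header such as `# Static file serving from /www; included via %SERVE_FILES% only when SERVE_FILES=yes` would make that explicit. Because the include lands directly inside `server { }`, `root /www;` and `index` here apply to the whole server, not just `location /`, and the old `location /` lost the %BLOCK_TOR_EXIT_NODE% line that now lives at server level in confs/server.conf.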
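Review bot: When %SERVE_FILES% expands to the empty string (SERVE_FILES set to anything but "yes", see the entrypoint.sh hunk at `@@ -229,6 +232,11 @@`), the server block is left with no `root` and no `location /`, so requests fall through to nginx's compiled-in default document root instead of being refused; I cannot see that default from here, but serving it is unlikely to be the intended behaviour for a hardened image. Either the `else` branch in entrypoint.sh should substitute an explicit fallback such as `location / { return 404; }`, or the README should state that a /confs snippet must define the root and locations whenever file serving is disabled. The `server {` block this hunk edits starts before line 2 and continues past the hunk.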
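Review bot: `include /confs/*.conf;` is the last directive of the server block, so an operator snippet can redefine anything the placeholders above it set; in particular an `add_header` inside a `location` in a snippet replaces the inherited security headers wholesale, which is nginx's normal inheritance rule and nothing in this config guards against it. A comment on the line should record the intent and the caveat, e.g. `# operator snippets from the /confs volume; loaded last, so they can override the hardening above`. Since the glob makes load order alphabetical, the same comment is the place to say so if snippets may depend on one another.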
+++ b/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
+echo "[*] Starting bunkerized-nginx ..."
+
 # replace pattern in file
 function replace_in_file() {
 # escape slashes
@@ -56,6 +58,7 @@ PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passth
 USE_MODSECURITY="${USE_MODSECURITY:-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
 COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
+SERVE_FILES="${SERVE_FILES:-yes}"
 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@@ -229,6 +232,11 @@ if [ "$COOKIE_FLAGS" != "" ] ; then
 else
 replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
 fi
+if [ "$SERVE_FILES" = "yes" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;"
+else
+ replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
+fi
 # start PHP
@@ -241,4 +249,5 @@ crond
 # start nginx in foreground
 # when nginx is killed, container get killed too
+echo "[*] Running nginx ..."
 exec /usr/sbin/nginx
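Review bot: `SERVE_FILES="${SERVE_FILES:-yes}"` adds a new knob without saying which values it accepts; the later test at `@@ -229,6 +232,11 @@` is an exact `= "yes"`, so any other spelling (`YES`, `true`, `1`) silently disables file serving and strips `root`/`location /` from the server block. A comment above the assignment, `# SERVE_FILES: "yes" (default) serves /www via /etc/nginx/serve-files.conf; any other value drops the default root and location`, would spare operators that surprise, and the README hunk in this patch does not document the variable or the /confs volume either.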