From 0d3da03534fccf9a624f93d83c1ce5e10409f79d Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 14 Mar 2021 12:33:59 +0100
Subject: [PATCH] prepare /www directory, fix log socket path and whitelist acme challenges path
---
 confs/global/nginx.conf | 4 ++--
 confs/site/main-lua.conf | 6 ++++++
 entrypoint/global-config.sh | 5 -----
 entrypoint/site-config.sh | 4 ++++
 prepare.sh | 4 ++++
 5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 81f35bb..d414109 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -49,8 +49,8 @@ http {
 # write logs to local syslog
 log_format logf '%LOG_FORMAT%';
- access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
- error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+ access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
+ error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 warn;
 # temp paths
 proxy_temp_path /tmp/proxy_temp;
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index adc974b..6b1af89 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -3,6 +3,7 @@ set $session_check_addr on;
 access_by_lua_block {
+local use_lets_encrypt = %USE_LETS_ENCRYPT%
 local use_whitelist_ip = %USE_WHITELIST_IP%
 local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
 local use_user_agent = %USE_USER_AGENT%
@@ -31,6 +32,11 @@ local recaptcha = require "recaptcha"
 local antibot_uri = "%ANTIBOT_URI%"
 local whitelist_useragent_list = {%WHITELIST_USERAGENT_LIST%}
+-- check if it's let's encrypt bot
+if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
+ ngx.exit(ngx.OK)
+end
+
 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
 ngx.exit(ngx.OK)
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index bcbd142..728cf50 100644
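Review bot: The new syslog target `unix:/tmp/log` on the access_log and error_log lines points into a world-writable directory, and nothing in this patch shows the log daemon being reconfigured to bind that path. nginx's syslog output is send-only, so if the daemon does not own `/tmp/log` the logs are silently dropped, and any local process that creates that socket first receives the access and error stream instead. If the socket really has to move off `/dev/log`, put it under a directory owned by root or nginx and not world-writable (for example `/var/run/nginx/log`, a sample path) and have the entrypoint create that directory before the logger and nginx start. A short comment above the two directives, `# must match the socket the syslog daemon binds in the entrypoint`, would document the coupling.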
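Review bot: The new `string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/")` never matches a real challenge URI: in a Lua pattern `-` is the lazy-repetition operator, so `l-k` and `e-c` cannot match the literal hyphens in `well-known` and `acme-challenge`, the anchored match fails, and ACME requests still go through every whitelist, user-agent and antibot check below. The unescaped `.` is likewise a wildcard rather than the literal dot. Escape the magic characters and match on the normalized `ngx.var.uri` rather than the raw request line, since nginx selects the location on `$uri` and dot-segments placed after the prefix in `$request_uri` would otherwise skip these checks while being routed elsewhere: `if use_lets_encrypt and string.match(ngx.var.uri, "^/%.well%-known/acme%-challenge/") then`. The exemption should also only be reachable where the lets-encrypt-webroot location is actually included; whether the plain-HTTP server block has it is not visible in this hunk.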
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -9,11 +9,6 @@
 # copy stub confs
 cp /opt/confs/global/* /etc/nginx/
-# install additional modules if needed
-if [ "$ADDITIONAL_MODULES" != "" ] ; then
- apk add $ADDITIONAL_MODULES
-fi
-
 # include server block(s)
 if [ "$MULTISITE" = "yes" ] ; then
 includes=""
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index af024e1..a0f078c 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -336,6 +336,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
 fi
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
 if [ "$MULTISITE" = "no" ] ; then
 FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 else
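Review bot: The `%USE_LETS_ENCRYPT%` substitution for main-lua.conf is repeated in four branches (one here, three in the hunk at `@@ -347,15 +348,18 @@`), and any path through this if-chain that misses one leaves the raw placeholder inside the Lua block, which is a syntax error at nginx startup rather than a safe default; the visible arms look complete, but the outer condition is truncated at `"$GE` so a further arm cannot be ruled out from here. Deriving the value once and substituting it once, outside the chain, removes that risk: `use_lets_encrypt="false"`, `if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then use_lets_encrypt="true" ; fi`, `replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "$use_lets_encrypt"`. The enclosing if/else chain starts before this hunk.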
@@ -347,15 +348,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
 replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
 elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
 replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
 replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
 replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
 replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 fi
 else
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
 fi
diff --git a/prepare.sh b/prepare.sh
index 8a1a42f..883b4d2 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -6,6 +6,10 @@ apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clama
 # custom entrypoint
 mkdir /opt/entrypoint.d
+# prepare /www
+chown -R root:nginx /www
+chmod -R 770 /www
+
 # prepare /opt
 chown -R root:nginx /opt
 find /opt -type f -exec chmod 0740 {} \;
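Review bot: `chmod -R 770 /www` gives the nginx group write access to the whole web root and sets the execute bit on every file, which is more than a worker needs to serve static content or ACME challenge files, and it means a compromised worker could alter what is served. The `/opt` block right below already separates directories from files (`find /opt -type f -exec chmod 0740 {} \;`); mirroring that with `find /www -type d -exec chmod 0750 {} \;` and `find /www -type f -exec chmod 0640 {} \;` keeps nginx read-only unless something running as the nginx group genuinely has to write there, which this patch does not show. Nothing in this hunk creates `/www`, so if the Dockerfile does not either, the `chown -R` fails at build time.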