From 119e963612020105a969f7d93f5133645082fc26 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 16 Dec 2020 11:43:41 +0100
Subject: [PATCH] JOBS - be more verbose about jobs failure/success
---
 Dockerfile | 2 +-
 Dockerfile-amd64 | 2 +-
 Dockerfile-arm32v7 | 2 +-
 Dockerfile-arm64v8 | 2 +-
 Dockerfile-i386 | 2 +-
 entrypoint/entrypoint.sh | 2 +-
 scripts/abusers.sh | 24 +++++++++++++++++++++---
 scripts/certbot-new.sh | 4 ++++
 scripts/certbot-renew-hook.sh | 20 ++++++++++++++++++++
 scripts/certbot-renew.sh | 10 +++++++++-
 scripts/exit-nodes.sh | 24 +++++++++++++++++++++---
 scripts/geoip.sh | 21 +++++++++++++++++----
 scripts/logrotate.sh | 7 ++++++-
 scripts/proxies.sh | 24 +++++++++++++++++++++---
 scripts/referrers.sh | 19 +++++++++++++++++--
 scripts/user-agents.sh | 18 ++++++++++++++++--
 scripts/utils.sh | 8 ++++++++
 17 files changed, 166 insertions(+), 25 deletions(-)
 create mode 100644 scripts/certbot-renew-hook.sh
 create mode 100644 scripts/utils.sh
diff --git a/Dockerfile b/Dockerfile
index 9e7f38b..292f03b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,7 +25,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 rm -f /var/log/nginx/* && \
 chown root:nginx /var/log/nginx && \
 chmod 750 /var/log/nginx && \
- touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
+ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log && \
 chown nginx:nginx /var/log/nginx/*.log && \
 mkdir /acme-challenge && \
 chown root:nginx /acme-challenge && \
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index e3ddead..435858c 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -25,7 +25,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 rm -f /var/log/nginx/* && \
 chown root:nginx /var/log/nginx && \
 chmod 750 /var/log/nginx && \
- touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
+ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log && \
 chown nginx:nginx /var/log/nginx/*.log && \
 mkdir /acme-challenge && \
 chown root:nginx /acme-challenge && \
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index bac8d69..ea057d8 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -32,7 +32,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 rm -f /var/log/nginx/* && \
 chown root:nginx /var/log/nginx && \
 chmod 750 /var/log/nginx && \
- touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
+ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log && \
 chown nginx:nginx /var/log/nginx/*.log && \
 mkdir /acme-challenge && \
 chown root:nginx /acme-challenge && \
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 0a58886..cb0d8dc 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -32,7 +32,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 rm -f /var/log/nginx/* && \
 chown root:nginx /var/log/nginx && \
 chmod 750 /var/log/nginx && \
- touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
+ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log && \
 chown nginx:nginx /var/log/nginx/*.log && \
 mkdir /acme-challenge && \
 chown root:nginx /acme-challenge && \
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 4734a9d..d638bf7 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -25,7 +25,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 rm -f /var/log/nginx/* && \
 chown root:nginx /var/log/nginx && \
 chmod 750 /var/log/nginx && \
- touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
+ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log && \
 chown nginx:nginx /var/log/nginx/*.log && \
 mkdir /acme-challenge && \
 chown root:nginx /acme-challenge && \
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 65dd6ba..d28dd89 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -85,7 +85,7 @@ echo "[*] Running nginx ..."
 su -s "/usr/sbin/nginx" nginx
 # list of log files to display
-LOGS="/var/log/access.log /var/log/error.log"
+LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log"
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
diff --git a/scripts/abusers.sh b/scripts/abusers.sh
index bcf3895..e7d0011 100755
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@@ -1,14 +1,32 @@
 #!/bin/sh
-echo "" > /etc/nginx/block-abusers.conf
+. /opt/scripts/utils.sh
+
+if [ ! -f /etc/nginx/block-abusers.conf ] ; then
+ echo "" > /etc/nginx/block-abusers.conf
+fi
+echo "" > /cache/block-abusers.conf
 curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v "^\#.*" | while read entry ; do
 check=$(echo $entry | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$")
 if [ "$check" != "" ] ; then
- echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
+ echo "deny ${entry};" >> /cache/block-abusers.conf
 fi
 done
-cp /etc/nginx/block-abusers.conf /cache
+
+cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
+lines="$(wc -l /etc/nginx/block-abusers.conf | cut -d ' ' - f1)"
+if [ "$lines" -gt 1 ] ; then
+ job_log "[BLACKLIST] abusers list updated ($lines entries)"
+else
+ job_log "[BLACKLIST] can't update abusers list"
+fi
+
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after abusers list update"
+ else
+ job_log "[NGINX] failed nginx reload after abusers list update"
+ fi
 fi
diff --git a/scripts/certbot-new.sh b/scripts/certbot-new.sh
index 2f8d658..f0e69a9 100644
--- a/scripts/certbot-new.sh
+++ b/scripts/certbot-new.sh
@@ -2,8 +2,12 @@
 # generate certificate
 certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos
+if [ "$?" -ne 0 ] ; then
+ exit 1
+fi
 # fix rights
 chown -R root:nginx /etc/letsencrypt
 chmod -R 740 /etc/letsencrypt
 find /etc/letsencrypt -type d -exec chmod 750 {} \;
+exit 0
diff --git a/scripts/certbot-renew-hook.sh b/scripts/certbot-renew-hook.sh
new file mode 100644
index 0000000..c16ff04
--- /dev/null
+++ b/scripts/certbot-renew-hook.sh
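Review bot: `cut -d ' ' - f1` on the new `lines=` line is not a field selection: `-` and `f1` are taken as file operands and cut exits with an error, so `$lines` is empty, `[ "$lines" -gt 1 ]` fails its integer comparison and the script logs "can't update abusers list" even after a successful download; it should read `lines="$(wc -l /etc/nginx/block-abusers.conf | cut -d ' ' -f 1)"`, as referrers.sh already does. The same typo is in scripts/exit-nodes.sh and scripts/proxies.sh. Separately, `cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf` runs before the count is checked, so a failed or empty fetch replaces the live deny list with the blank file and nginx is then reloaded without it; computing `lines` from the /cache copy and moving the `cp` inside the `-gt 1` branch keeps the last good list in place when the download fails.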
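Review bot: The new `if [ "$?" -ne 0 ] ; then exit 1` after `certbot certonly` exits without recording the failure, while the rest of this commit routes job outcomes through `job_log`; unless the caller reports it, adding `. /opt/scripts/utils.sh` at the top and `job_log "[CERTBOT] certificate generation failed for $1"` before the `exit 1` keeps this script consistent with the others. As a point of style, the separate `$?` test can be written `certbot certonly … || exit 1` (or `if ! certbot certonly … ; then`), which ties the status to the command and cannot be broken by a line inserted between the two.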
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /opt/scripts/utils.sh
+
+job_log "[CERTBOT] certificates have been renewed"
+
+# fix rights
+chown -R root:nginx /etc/letsencrypt
+chmod -R 740 /etc/letsencrypt
+find /etc/letsencrypt -type d -exec chmod 750 {} \;
+
+# reload nginx
+if [ -f /tmp/nginx.pid ] ; then
+ /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after certbot renew"
+ else
+ job_log "[NGINX] failed nginx reload after certbot renew"
+ fi
+fi
diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh
index dc596c7..a63fd76 100644
--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@@ -1,7 +1,15 @@
 #!/bin/sh
+. /opt/scripts/utils.sh
+
 # ask new certificates if needed
-certbot renew
+certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
+
+if [ "$?" -eq 0 ] ; then
+ job_log "[CERTBOT] renew operation done"
+else
+ job_log "[CERTBOT] renew operation failed"
+fi
 # fix rights
 chown -R root:nginx /etc/letsencrypt
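Review bot: The hook is committed with mode 100644, and certbot-renew.sh passes this path to `--deploy-hook` for certbot to execute; unless the image build marks /opt/scripts executable (several existing scripts here are also 100644, so it may), a renewal would succeed but the hook would fail with permission denied and nginx would keep serving the old certificate — `chmod +x` it in git or confirm the build step. The message `job_log "[CERTBOT] certificates have been renewed"` is written once per renewed certificate but does not say which one; certbot sets `RENEWED_DOMAINS` in the deploy hook's environment, so `job_log "[CERTBOT] certificates have been renewed for $RENEWED_DOMAINS"` makes the log line actionable.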
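Review bot: With the deploy hook now doing the `chown`/`chmod`/`find` on /etc/letsencrypt and the nginx reload, the `# fix rights` block that follows in certbot-renew.sh (the script continues past the end of this hunk) repeats the same permission fixes on every run; keep them in one place, or add a comment such as `# hook handles renewed certs; this covers the no-renewal case` so the duplication is deliberate. The `$?` test is separated from `certbot renew` by a blank line, which is harmless but fragile; `if certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh ; then` binds the status to the command directly.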
@@ -1,14 +1,32 @@
 #!/bin/sh
-echo "" > /etc/nginx/block-tor-exit-node.conf
+. /opt/scripts/utils.sh
+
+if [ ! -f /etc/nginx/block-tor-exit-node.conf ] ; then
+ echo "" > /etc/nginx/block-tor-exit-node.conf
+fi
+echo "" > /cache/block-tor-exit-node.conf
 curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" | while read entry ; do
 check=$(echo $entry | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$")
 if [ "$check" != "" ] ; then
- echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
+ echo "deny ${entry};" >> /cache/block-tor-exit-node.conf
 fi
 done
-cp /etc/nginx/block-tor-exit-node.conf /cache
+
+cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
+lines="$(wc -l /etc/nginx/block-tor-exit-node.conf | cut -d ' ' - f1)"
+if [ "$lines" -gt 1 ] ; then
+ job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
+else
+ job_log "[BLACKLIST] can't update TOR exit node list"
+fi
+
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after TOR exit node list update"
+ else
+ job_log "[NGINX] failed nginx reload after TOR exit node list update"
+ fi
 fi
diff --git a/scripts/geoip.sh b/scripts/geoip.sh
index 1000680..c7a72ff 100644
--- a/scripts/geoip.sh
+++ b/scripts/geoip.sh
@@ -1,12 +1,25 @@
 #!/bin/sh
+. /opt/scripts/utils.sh
+
 # MMDB from https://db-ip.com/db/download/ip-to-country-lite
 URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
-wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1
-if [ -f /etc/nginx/geoip.mmdb.gz ] ; then
- gunzip -f /etc/nginx/geoip.mmdb.gz
- cp /etc/nginx/geoip.mmdb /cache
+wget -O /cache/geoip.mmdb.gz "$URL" > /dev/null 2>&1
+if [ -f /cache/geoip.mmdb.gz ] ; then
+ gunzip -f /cache/geoip.mmdb.gz > /dev/null 2>&1
+ if [ "$?" -ne 0 ] ; then
+ job_log "[GEOIP] can't extract DB from $URL"
+ exit 1
+ fi
+ cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after GeoIP DB update"
+ else
+ job_log "[NGINX] failed nginx reload after GeoIP DB update"
+ fi
 fi
+else
+ job_log "[GEOIP] can't download DB from $URL"
 fi
diff --git a/scripts/logrotate.sh b/scripts/logrotate.sh
index 0a6eb84..cb6c230 100644
--- a/scripts/logrotate.sh
+++ b/scripts/logrotate.sh
@@ -7,5 +7,10 @@ pkill -HUP rsyslogd
 fail2ban-client flushlogs
 if [ -f /tmp/nginx.pid ] ; then
- /usr/sbin/nginx -s reload > /dev/null 2>&1
+ /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after logrotate"
+ else
+ job_log "[NGINX] failed nginx reload after logrotate"
+ fi
 fi
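Review bot: `if [ -f /cache/geoip.mmdb.gz ]` does not test whether the download worked: `wget -O` opens the output file before the transfer starts, so after a failed request (unreachable host, HTTP error, or the `$(date +%Y-%m)` file not yet being published) an empty or partial /cache/geoip.mmdb.gz still exists, the new `else` branch logging "can't download DB" is effectively unreachable, and the failure surfaces as the misleading "can't extract DB". Testing wget's own status, `if wget -O /cache/geoip.mmdb.gz "$URL" > /dev/null 2>&1 ; then`, puts the two messages back on their real causes. The download-failure branch should also `exit 1` like the extraction branch does, so the two failures report the same way to whatever schedules the job.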
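Review bot: The new `job_log` calls in logrotate.sh have no definition in scope: this hunk starts at line 7 and nothing in the commit adds `. /opt/scripts/utils.sh` to this file (the diffstat shows only these six additions), so both branches fail with "job_log: not found" at runtime. Add `. /opt/scripts/utils.sh` near the top of the script, as abusers.sh and the other jobs do. scripts/user-agents.sh has the same gap: both of its hunks call `job_log` and neither sources utils.sh.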
@@ -1,14 +1,32 @@
 #!/bin/sh
-echo "" > /etc/nginx/block-proxies.conf
+. /opt/scripts/utils.sh
+
+if [ ! -f /etc/nginx/block-proxies.conf ] ; then
+ echo "" > /etc/nginx/block-proxies.conf
+fi
+echo "" > /cache/block-proxies.conf
 curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\#.*" | while read entry ; do
 check=$(echo $entry | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$")
 if [ "$check" != "" ] ; then
- echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
+ echo "deny ${entry};" >> /cache/block-proxies.conf
 fi
 done
-cp /etc/nginx/block-proxies.conf /cache
+
+cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
+lines="$(wc -l /etc/nginx/block-proxies.conf | cut -d ' ' - f1)"
+if [ "$lines" -gt 1 ] ; then
+ job_log "[BLACKLIST] proxies list updated ($lines entries)"
+else
+ job_log "[BLACKLIST] can't update proxies list"
+fi
+
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after proxies list update"
+ else
+ job_log "[NGINX] failed nginx reload after proxies list update"
+ fi
 fi
diff --git a/scripts/referrers.sh b/scripts/referrers.sh
index 6f4359f..40d72d0 100755
--- a/scripts/referrers.sh
+++ b/scripts/referrers.sh
@@ -1,15 +1,30 @@
 #!/bin/sh
+. /opt/scripts/utils.sh
+
+echo "map \$http_referer \$bad_referrer { hostnames; default no; }" > /etc/nginx/map-referrer.conf
+echo "map \$http_referer \$bad_referrer { hostnames; default no; }" > /cache/map-referrer.conf
+
 BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list)"
+if [ "$?" -ne 0 ] ; then
+ job_log "[BLACKLIST] can't update referrers list"
+fi
 DATA=""
 IFS=$'\n'
 for ref in $BLACKLIST ; do
 DATA="${DATA}\"~${ref}\" yes;\n"
 done
-echo -e "map \$http_referer \$bad_referrer { hostnames; default no; $DATA }" > /etc/nginx/map-referrer.conf
-cp /etc/nginx/map-referrer.conf /cache
+echo -e "map \$http_referer \$bad_referrer { hostnames; default no; $DATA }" > /cache/map-referrer.conf
+cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
+lines="$(wc -l /etc/nginx/map-referrer.conf | cut -d ' ' -f 1)"
+job_log "[BLACKLIST] referrers list updated ($lines entries)"
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after referrers list update"
+ else
+ job_log "[NGINX] failed nginx reload after referrers list update"
+ fi
 fi
diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh
index 097c648..4de7c90 100755
--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
@@ -1,7 +1,14 @@
 #!/bin/sh
+echo "map \$http_user_agent \$bad_user_agent { default no; }" > /etc/nginx/map-user-agent.conf
+echo "map \$http_user_agent \$bad_user_agent { default no; }" > /cache/map-user-agent.conf
+
+
 BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) $(curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt)"
+if [ "$?" -ne 0 ] ; then
+ job_log "[BLACKLIST] can't update user-agent list"
+fi
 DATA=""
 IFS=$'\n'
 for ua in $BLACKLIST ; do
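Review bot: The new `if [ "$?" -ne 0 ]` after `BLACKLIST="$(curl -s …)"` only catches transport failures: `curl -s` without `-f`/`--fail` exits 0 on an HTTP 404 or 5xx, so an error-page body is turned into `"~…" yes;` referrer patterns, and even when the check does fire the script logs "can't update" and then goes on to build, install and reload the now-empty map. Use `curl -sf` and follow the log line with `exit 1` (or skip the `cp`) so a failed fetch never reaches nginx. The two `echo` lines added at the top also reset /etc/nginx/map-referrer.conf to `default no` before the download, so a failed run ends with nginx reloaded on an empty map; writing only the /cache copy up front and copying to /etc/nginx after a successful fetch avoids that. The same applies to scripts/user-agents.sh.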
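Review bot: `$?` on the line after `BLACKLIST="$(curl …) $(curl …)"` is the status of the last command substitution only, so a failure of the first fetch (bad-user-agents.list) is never detected. Fetch the two lists into separate variables with their own checks, or at minimum test `[ -z "$BLACKLIST" ]` as well. This hunk ends mid-script; the `for ua` loop body continues in the next hunk.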
@@ -9,9 +16,16 @@ for ua in $BLACKLIST ; do
 done
 DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | sed 's:\\\\\\ :\\\\ :g')
-echo -e "map \$http_user_agent \$bad_user_agent { default no; $DATA_ESCAPED }" > /etc/nginx/map-user-agent.conf
-cp /etc/nginx/map-user-agent.conf /cache
+echo -e "map \$http_user_agent \$bad_user_agent { default no; $DATA_ESCAPED }" > /cache/map-user-agent.conf
+cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
+lines="$(wc -l /etc/nginx/map-user-agent.conf | cut -d ' ' -f 1)"
+job_log "[BLACKLIST] user-agent list updated ($lines entries)"
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload > /dev/null 2>&1
+ if [ "$?" -eq 0 ] ; then
+ job_log "[NGINX] successfull nginx reload after user-agent list update"
+ else
+ job_log "[NGINX] failed nginx reload after user-agent list update"
+ fi
 fi
diff --git a/scripts/utils.sh b/scripts/utils.sh
new file mode 100644
index 0000000..db2543a
--- /dev/null
+++ b/scripts/utils.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+function job_log() {
+ when="$(date +[%d/%m/%Y %H:%M:%S])
+ what="$1"
+ echo "$when $what" >> /var/log/jobs.log
+}
+
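Review bot: `job_log "[BLACKLIST] user-agent list updated ($lines entries)"` runs unconditionally, so after a failed fetch the log carries both "can't update user-agent list" and "updated (1 entries)" for the same run; the success line should be guarded by the fetch result, or by `[ "$lines" -gt 1 ]` as abusers.sh does. `$lines` is also the file's line count, and the `echo -e` output puts the `map … {` header on the first pattern's line and the closing `}` on its own line, so it reports one more than the number of patterns; `$((lines - 1))` gives the count the message claims.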
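Review bot: `when="$(date +[%d/%m/%Y %H:%M:%S])` is broken twice: the format is unquoted, so the space splits it into two arguments and date rejects the second, leaving `$when` empty; and, as shown in the hunk, the opening `"` is never closed, so the string swallows the following lines and the file does not parse — every job script would then abort at `. /opt/scripts/utils.sh` (worth checking that the missing quote is not a rendering artifact). The line should read `when="$(date '+[%d/%m/%Y %H:%M:%S]')"`. Under `#!/bin/sh` prefer the POSIX form `job_log() {` over the `function` keyword, and `printf '%s %s\n' "$when" "$what" >> /var/log/jobs.log` over `echo`, so a message that happens to start with `-n` or `-e` is not consumed as an option.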