From 1aa1dcf50d6cabe5b8164a9d3306dc8c96f087f9 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 30 Aug 2020 21:40:13 +0200
Subject: [PATCH] logrotate support

---
 Dockerfile | 1 +
 README.md | 26 +++++++++++++++++++++-----
 compile.sh | 7 +++++--
 confs/error.conf | 2 +-
 entrypoint.sh | 15 +++++++++++----
 logs/logrotate.conf | 19 +++++++++++++++++++
 {confs => logs}/syslog.conf | 0
 7 files changed, 58 insertions(+), 12 deletions(-)
 create mode 100644 logs/logrotate.conf
 rename {confs => logs}/syslog.conf (100%)

diff --git a/Dockerfile b/Dockerfile
index 0eb423a..9fc52c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY misc/*.mmdb /etc/nginx/geoip.mmdb
 COPY fail2ban/ /opt/fail2ban
+COPY logs/ /opt/logs
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
diff --git a/README.md b/README.md
index 9b7a309..8d98dcd 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ A use case to not serving files is when you setup bunkerized-nginx as a reverse
 `ROOT_FOLDER`
 Values : *\
 Default value : */www*
-The default folder where nginx will search for web files. Don't change it unless you want to make your own image (TODO).
+The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
 
 `MAX_CLIENT_SIZE`
 Values : *0* | *Xm*
@@ -164,6 +164,12 @@ Values : *\*
 Default value : *Restricted area*
 The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
 
+`ERROR_XXX`
+Values : *\*
+Default value :
+Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
+For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
+
 ## HTTPS
 `AUTO_LETS_ENCRYPT`
 Values : *yes* | *no*
@@ -383,6 +389,16 @@ Default value :
 You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.
 A use case is to use this to install PHP extensions (e.g. : php7-json php7-xml php7-curl ...).
 
+`LOGROTATE_MINSIZE`
+Values : *x* | *xk* | *xM* | *xG*
+Default value : 10M
+The minimum size of a log file before being rotated (no letter = bytes, k = kilobytes, M = megabytes, G = gigabytes).
+
+`LOGROTATE_MAXAGE`
+Values : *\*
+Default value : 7
+The number of days before rotated files are deleted.
+
 # Create your own image
 
 You can use bunkerity/bunkerized-nginx as a base image for your web application.
@@ -408,6 +424,8 @@ ENV WRITE_ACCESS yes
 ENV ADDITIONAL_MODULES php7-mysqli php7-json php7-session
 ```
 
+You can have a look at (bunkerized-phpmyadmin)[https://github.com/bunkerity/bunkerized-phpmyadmin] which is a secure phpMyAdmin Docker image based on bunkerized-nginx.
+
 # Include custom configurations
 Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
 - /http-confs : http context
@@ -419,11 +437,9 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
 ```
 
 # TODO
-- logrotate
-- readme : custom errors
-- remove nginx on default error pages
-- nginx compile flags
+- search for hardcoded /www in configs
 - Antibot with recaptcha v3
 - HSTS preload, HPKP
 - Web UI
 - Full documentation
+- nginx compile flags ?
diff --git a/compile.sh b/compile.sh
index 3696fca..d57acc8 100644
--- a/compile.sh
+++ b/compile.sh
@@ -29,11 +29,14 @@ git clone https://github.com/AirisX/nginx_cookie_flag_module.git
 
 # compile and install nginx
 cd /tmp
-git clone https://github.com/nginx/nginx.git
-cd nginx
+VERSION="1.18.0"
+wget https://nginx.org/download/nginx-${VERSION}.tar.gz
+tar -xvzf nginx-${VERSION}.tar.gz
+cd nginx-${VERSION}
 ./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
 make -j $NTASK
 make install
+strip /usr/sbin/nginx
 
 # remove build dependencies
 apk del build
diff --git a/confs/error.conf b/confs/error.conf
index 534ec3a..af44ffe 100644
--- a/confs/error.conf
+++ b/confs/error.conf
@@ -1,7 +1,7 @@
 error_page %CODE% %PAGE%;
 
 location = %PAGE% {
- root /www;
+ root %ROOT_FOLDER%;
 modsecurity off;
 internal;
 }
diff --git a/entrypoint.sh b/entrypoint.sh
index 745a993..d21ba0d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -38,7 +38,8 @@ function replace_in_file() {
 cp /opt/confs/*.conf /etc/nginx
 cp -r /opt/confs/owasp-crs /etc/nginx
 cp /opt/confs/php.ini /etc/php7/php.ini
-cp /opt/confs/syslog.conf /etc/syslog.conf
+cp /opt/logs/syslog.conf /etc/syslog.conf
+cp /opt/logs/logrotate.conf /etc/logrotate.conf
 
 # remove cron jobs
 echo "" > /etc/crontabs/root
@@ -105,8 +106,8 @@ AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
-SYSLOG_MAXSIZE="${SYSLOG_MAXSIZE-1000}"
-SYSLOG_KEEP="${SYSLOG_KEEP-10}"
+LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
+LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
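Review bot: The nginx tarball fetched by the new `wget` line is used without any integrity check — no detached signature and no pinned digest — so the build trusts whatever answers for nginx.org at build time, and `tar` and `cd` run on the result even if the download failed, unless compile.sh runs under `set -e`, which this hunk does not show. Pin the release next to `VERSION` with the digest nginx.org publishes for that tarball, `NGINX_SHA256="<sha256 published for nginx-${VERSION}.tar.gz>"`, and check it right after the download: `echo "${NGINX_SHA256}  nginx-${VERSION}.tar.gz" | sha256sum -c - || exit 1` (verifying the `.asc` against the nginx signing key is the stronger alternative). The `git clone` of the add-on modules visible in the hunk header context looks equally unpinned, so the same supply-chain concern presumably applies there, though those lines are outside this hunk.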
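Review bot: `LOGROTATE_MINSIZE` and `LOGROTATE_MAXAGE` are taken straight from the environment and later pasted into /etc/logrotate.conf, but nothing checks their shape; a value such as `10MB` or a non-numeric age makes logrotate reject its config every night, and since the cron job this commit adds discards its output, rotation then stops silently. A cheap guard next to the defaults is `case "$LOGROTATE_MINSIZE" in ''|*[!0-9kMG]*) echo "invalid LOGROTATE_MINSIZE" >&2; exit 1;; esac` and `case "$LOGROTATE_MAXAGE" in ''|*[!0-9]*) echo "invalid LOGROTATE_MAXAGE" >&2; exit 1;; esac`. That also keeps sed metacharacters out of the replace_in_file substitution, whose implementation is outside this hunk.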
@@ -317,6 +318,7 @@ for var in $(env) ; do
 cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
 replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
 replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
+ replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
 ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
 fi
 done
@@ -394,7 +396,7 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
 fi
 
 # start syslogd
-syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"
+syslogd -S
 
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
@@ -421,6 +423,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 fail2ban-server > /dev/null
 fi
 
+# setup logrotate
+replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
+replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
+echo "0 0 * * * logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
+
 # display logs
 if [ "$USE_PHP" = "yes" ] ; then
 tail -f /var/log/nginx.log /var/log/php.log &
diff --git a/logs/logrotate.conf b/logs/logrotate.conf
new file mode 100644
index 0000000..cf5f28f
--- /dev/null
+++ b/logs/logrotate.conf
@@ -0,0 +1,19 @@
+/var/log/messages /var/log/*.log /var/log/clamav/*.log /var/log/php7/*.log {
+ # compress old files using gzip
+ compress
+
+ # rotate everyday
+ daily
+
+ # remove old logs after X days
+ maxage %LOGROTATE_MAXAGE%
+
+ # no errors if a file is missing
+ missingok
+
+ # disable mailing
+ nomail
+
+ # mininum size of a logfile before rotating
+ minsize %LOGROTATE_MINSIZE%
+}
diff --git a/confs/syslog.conf b/logs/syslog.conf
similarity index 100%
rename from confs/syslog.conf
rename to logs/syslog.conf
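Review bot: Dropping `-s`/`-b` from the `syslogd -S` line does not hand rotation of /var/log/messages over to logrotate — BusyBox syslogd keeps its own built-in rotation at its defaults (as far as I recall 200 KB with a single old copy), so syslogd will normally rename messages to messages.0 long before the 10M `minsize` in the new logrotate stanza is reached, and the `compress`/`maxage` policy never applies to that file. If logrotate is meant to own it, disable the built-in rotation explicitly with `syslogd -S -s 0`. Either way a short comment on that line saying which component rotates /var/log/messages would save the next reader the same investigation.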
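Review bot: The cron line added at the end of this hunk sends logrotate's stdout and stderr to /dev/null, so a config logrotate refuses to parse (for instance a malformed LOGROTATE_MINSIZE) or a failed rotation is never seen, and `-f` forces a rotation every midnight, overriding the `daily` bookkeeping (and, depending on the logrotate version, the `minsize` threshold as well), which makes those directives mostly decorative. I would drop the force flag and keep the diagnostics in the stream the container already collects: `echo "0 0 * * * logrotate /etc/logrotate.conf 2>&1 | logger -t logrotate" >> /etc/crontabs/root`. The hunk only appends to root's crontab; whether crond is started by this entrypoint is not visible here, and without it the job never fires.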
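Review bot: The new logrotate stanza has no `rotate` directive, and logrotate's default count is 0, which means each rotation removes the log instead of keeping a numbered copy — `compress` and `maxage` never see a rotated file and the container retains no log history at all, which defeats the purpose of an audit trail. Add `rotate %LOGROTATE_MAXAGE%` (with `daily` the count lines up with the age cap, and `maxage` still prunes by date). Separately, none of the writers (syslogd, php-fpm, clamav, and nginx if it logs to a file) are told to reopen their files — there is no `postrotate` and no `copytruncate` — so after the rename they keep writing into the inode that is about to be gzipped and the fresh file stays empty; `copytruncate` is the simplest fix for a container with several writers, at the cost of a small window of lost lines. While here, the comment `# mininum size of a logfile before rotating` should read `# minimum size of a logfile before rotating`.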