From 1e02368e8a908f5d94ebd02ac106a68b30983e39 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Mon, 21 Jun 2021 14:56:48 +0200
Subject: [PATCH] linux/docker - common /opt/bunkerized-nginx folder
---
.github/workflows/linux-bunkerized-nginx.yml | 20 +++++
Dockerfile | 16 ++--
confs/global/nginx.conf | 2 +-
confs/site/modsecurity-rules.conf | 16 ++--
confs/site/server.conf | 8 +-
entrypoint/certbot.sh | 6 +-
entrypoint/entrypoint.sh | 18 ++---
entrypoint/nginx-temp.sh | 6 +-
entrypoint/post-jobs.sh | 22 +++---
entrypoint/pre-jobs.sh | 10 +--
helpers/install.sh | 77 ++++++++++++++++++--
misc/cron | 14 ++--
prepare.sh | 23 ++++--
scripts/abusers.sh | 6 +-
scripts/certbot-new.sh | 2 +-
scripts/certbot-renew-hook.sh | 2 +-
scripts/certbot-renew.sh | 4 +-
scripts/exit-nodes.sh | 6 +-
scripts/geoip.sh | 10 +--
scripts/proxies.sh | 6 +-
scripts/referrers.sh | 6 +-
scripts/user-agents.sh | 6 +-
settings.json | 2 +-
tests/linux.sh | 45 ++++++++++++
24 files changed, 236 insertions(+), 97 deletions(-)
create mode 100644 .github/workflows/linux-bunkerized-nginx.yml
create mode 100644 tests/linux.sh
diff --git a/.github/workflows/linux-bunkerized-nginx.yml b/.github/workflows/linux-bunkerized-nginx.yml
new file mode 100644
index 0000000..89d8c36
--- /dev/null
+++ b/.github/workflows/linux-bunkerized-nginx.yml
@@ -0,0 +1,20 @@
+name: Automatic test for Linux
+
+on:
+ push:
+ branches: [dev, master]
+ pull_request:
+ branches: [dev, master]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v2
+ - name: Debian test
+ run: ./tests/linux.sh debian:buster-slim
+ - name: Ubuntu test
+ run: ./tests/linux.sh ubuntu:focal
+ - name: CentOS test
+ run: ./tests/linux.sh centos.sh
diff --git a/Dockerfile b/Dockerfile
index c162b93..4395fc0 100644
--- a/Dockerfile
+++ b/Dockerfile
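Review bot: The CentOS step passes `centos.sh` where the Debian and Ubuntu steps pass an image reference, so the `docker run -d -it "$image"` in tests/linux.sh will try to pull an image literally named `centos.sh` and that job fails before anything is installed; it should read `run: ./tests/linux.sh centos:7` (or whichever CentOS tag helpers/dependencies.sh actually supports). The checkout action is pinned only to the moving `v2` tag; pinning to a full commit SHA, `uses: actions/checkout@<commit-sha>`, keeps a tag move from silently changing what runs in CI. Nothing here removes the containers that linux.sh starts, which is harmless on an ephemeral runner but leaves stray containers behind on a developer machine.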
@@ -9,14 +9,14 @@ RUN apk add --no-cache bash && \ RUN apk add --no-cache certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip && \ pip3 install jinja2 -COPY gen/ /opt/gen -COPY entrypoint/ /opt/entrypoint -COPY confs/ /opt/confs -COPY scripts/ /opt/scripts +COPY gen/ /opt/bunkerized-nginx/gen +COPY entrypoint/ /opt/bunkerized-nginx/entrypoint +COPY confs/ /opt/bunkerized-nginx/confs +COPY scripts/ /opt/bunkerized-nginx/scripts COPY lua/ /usr/local/lib/lua -COPY antibot/ /antibot -COPY defaults/ /defaults -COPY settings.json /opt +COPY antibot/ /opt/bunkerized-nginx/antibot +COPY defaults/ /opt/bunkerized-nginx/defaults +COPY settings.json /opt/bunkerized-nginx COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh @@ -35,4 +35,4 @@ USER nginx:nginx HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1 -ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] +ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"] diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index 41b199c..5a6c2f7 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf @@ -108,7 +108,7 @@ http { {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %} # custom http confs - include /http-confs/*.conf; + include /opt/bunkerized-nginx/http-confs/*.conf; # LUA init block include /etc/nginx/init-lua.conf; diff --git a/confs/site/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf index 8f5fa4e..aba560d 100644 --- a/confs/site/modsecurity-rules.conf +++ b/confs/site/modsecurity-rules.conf 
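Review bot: The seven moved `COPY` lines still land as root:root and are re-owned later by prepare.sh's `chown -R root:nginx /opt/bunkerized-nginx`, which rewrites every copied file into a second layer; `COPY --chown=root:nginx gen/ /opt/bunkerized-nginx/gen` (and the same flag on the other six lines) sets the ownership in the copy itself. The mode changes prepare.sh applies would still need their own `RUN`, so the saving is the duplicated ownership pass only. If the chown is kept in prepare.sh for the other directories it touches, a one-line comment there saying the `/opt/bunkerized-nginx` tree is already owned correctly would stop the next reader from re-adding it.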
@@ -58,11 +58,11 @@ SecAuditLog /var/log/nginx/modsec_audit.log include /opt/bunkerized-nginx/crs-setup.conf # custom CRS configurations before loading rules (exclusions) -{% if is_custom_conf("/modsec-crs-confs") %} -include /modsec-crs-confs/*.conf +{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") %} +include /opt/bunkerized-nginx/modsec-crs-confs/*.conf {% endif %} -{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %} -include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf +{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) %} +include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf {% endif %} # include OWASP CRS rules @@ -70,9 +70,9 @@ include /opt/bunkerized-nginx/crs/*.conf {% endif %} # custom rules after loading the CRS -{% if is_custom_conf("/modsec-confs") %} -include /modsec-confs/*.conf +{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") %} +include /opt/bunkerized-nginx/modsec-confs/*.conf {% endif %} -{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %} -include /modsec-confs/{{ FIRST_SERVER }}/*.conf +{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) %} +include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf {% endif %} diff --git a/confs/site/server.conf b/confs/site/server.conf index b352121..90dc577 100644 --- a/confs/site/server.conf +++ b/confs/site/server.conf @@ -1,7 +1,7 @@ # custom config before server block -include /pre-server-confs/*.conf; +include /opt/bunkerized-nginx/pre-server-confs/*.conf; {% if MULTISITE == "yes" %} -include /pre-server-confs/{{ FIRST_SERVER }}/*.conf; +include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf; {% endif %} server { 
@@ -12,9 +12,9 @@ server { {% endif %} # custom config - include /server-confs/*.conf; + include /opt/bunkerized-nginx/server-confs/*.conf; {% if MULTISITE == "yes" %} - include /server-confs/{{ FIRST_SERVER }}/*.conf; + include /opt/bunkerized-nginx/server-confs/{{ FIRST_SERVER }}/*.conf; {% endif %} # proxy real IP diff --git a/entrypoint/certbot.sh b/entrypoint/certbot.sh index c6778cf..7892959 100644 --- a/entrypoint/certbot.sh +++ b/entrypoint/certbot.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1) @@ -9,7 +9,7 @@ if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}" if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..." - /opt/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT" + /opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT" fi elif [ "$MULTISITE" = "yes" ] ; then servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4) @@ -22,7 +22,7 @@ elif [ "$MULTISITE" = "yes" ] ; then if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then EMAIL_LETS_ENCRYPT="contact@${server}" fi - /opt/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT" + /opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT" fi done fi diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index ed7e7bb..3921cf0 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh 
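Review bot: The rewritten call in certbot.sh's multisite branch still passes the literal string `"EMAIL_LETS_ENCRYPT"` as the second argument, so certbot-new.sh receives the text EMAIL_LETS_ENCRYPT as the account email instead of the value set in the `if` just above (or inherited from the environment); it should be `/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "$EMAIL_LETS_ENCRYPT"`. The single-site branch in this file's earlier hunk quotes the variable correctly, which is why this reads as a typo the path move carried forward rather than intent. Whether certbot rejects the bogus address or registers an account under it depends on the certbot version, which isn't visible here; the enclosing `for server` loop starts outside the hunk.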
@@ -16,14 +16,14 @@ trap "trap_exit" TERM INT QUIT function trap_reload() { echo "[*] Catched reload operation" if [ "$SWARM_MODE" != "yes" ] ; then - /opt/entrypoint/pre-jobs.sh + /opt/bunkerized-nginx/entrypoint/pre-jobs.sh fi if [ -f /tmp/nginx.pid ] ; then echo "[*] Reloading nginx ..." nginx -s reload if [ $? -eq 0 ] ; then echo "[*] Reload successfull" - /opt/entrypoint/post-jobs.sh + /opt/bunkerized-nginx/entrypoint/post-jobs.sh else echo "[!] Reload failed" fi @@ -40,16 +40,16 @@ if [ ! -f "/etc/nginx/global.env" ] ; then # check permissions if [ "$SWARM_MODE" != "yes" ] ; then - /opt/entrypoint/permissions.sh + /opt/bunkerized-nginx/entrypoint/permissions.sh else - /opt/entrypoint/permissions-swarm.sh + /opt/bunkerized-nginx/entrypoint/permissions-swarm.sh fi if [ "$?" -ne 0 ] ; then exit 1 fi # start temp nginx to solve Let's Encrypt challenges if needed - /opt/entrypoint/nginx-temp.sh + /opt/bunkerized-nginx/entrypoint/nginx-temp.sh # only do config if we are not in swarm mode if [ "$SWARM_MODE" != "yes" ] ; then @@ -57,10 +57,10 @@ if [ ! -f "/etc/nginx/global.env" ] ; then env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env" # call the generator - /opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env + /opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env # pre-jobs - /opt/entrypoint/pre-jobs.sh + /opt/bunkerized-nginx/entrypoint/pre-jobs.sh fi else echo "[*] Skipping configuration process" @@ -90,7 +90,7 @@ pid="$!" # autotest if [ "$1" == "test" ] ; then sleep 10 - echo -n "autotest" > /www/index.html + echo -n "autotest" > /opt/bunkerized-nginx/www/index.html check=$(curl -H "User-Agent: legit" "http://localhost:8080") if [ "$check" == "autotest" ] ; then exit 0 
@@ -99,7 +99,7 @@ if [ "$1" == "test" ] ; then fi # post jobs -/opt/entrypoint/post-jobs.sh +/opt/bunkerized-nginx/entrypoint/post-jobs.sh # wait for nginx wait "$pid" diff --git a/entrypoint/nginx-temp.sh b/entrypoint/nginx-temp.sh index 694a1d9..f6565de 100644 --- a/entrypoint/nginx-temp.sh +++ b/entrypoint/nginx-temp.sh @@ -1,12 +1,12 @@ #!/bin/bash # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh # start nginx with temp conf for let's encrypt challenges and API if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] || [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then - cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf - cp /opt/confs/global/api-temp.conf /tmp/api.conf + cp /opt/bunkerized-nginx/confs/global/nginx-temp.conf /tmp/nginx-temp.conf + cp /opt/bunkerized-nginx/confs/global/api-temp.conf /tmp/api.conf if [ "$SWARM_MODE" = "yes" ] ; then replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;" replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI" diff --git a/entrypoint/post-jobs.sh b/entrypoint/post-jobs.sh index 91f78b9..85d6309 100644 --- a/entrypoint/post-jobs.sh +++ b/entrypoint/post-jobs.sh @@ -1,16 +1,16 @@ #!/bin/bash # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh # User-Agents if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached user-agents.list ..." - cp /cache/user-agents.list /etc/nginx/user-agents.list + cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then echo "[*] Downloading bad user-agent list (in background) ..." - /opt/scripts/user-agents.sh > /dev/null 2>&1 & + /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 & fi fi 
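Review bot: In post-jobs.sh the `cp` now reads `/opt/bunkerized-nginx/cache/user-agents.list`, but the `-f` test and the `wc -l` on the line above it still look at `/cache/user-agents.list`, so on a Linux install — where install.sh creates a real `/opt/bunkerized-nginx/cache` directory and nothing visible creates `/cache` — the cached branch is never taken and every reload falls through to a fresh background download. The same half-updated pattern is in the referrers, tor-exit-nodes, proxies and abusers blocks (hunks @@ -18, @@ -29, @@ -40 and @@ -51 of this file), whereas the GeoIP block in pre-jobs.sh updated the test and the copy together. Each block should test and count the path it copies, e.g. `if [ -f "/opt/bunkerized-nginx/cache/user-agents.list" ] && [ "$(wc -l /opt/bunkerized-nginx/cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then`. In the Docker image the mismatch is masked by the `/opt/bunkerized-nginx/cache -> /cache` symlink that prepare.sh adds.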
@@ -18,10 +18,10 @@ fi if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached referrers.list ..." - cp /cache/referrers.list /etc/nginx/referrers.list + cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then echo "[*] Downloading bad referrer list (in background) ..." - /opt/scripts/referrers.sh > /dev/null 2>&1 & + /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 & fi fi @@ -29,10 +29,10 @@ fi if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached tor-exit-nodes.list ..." - cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list + cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then echo "[*] Downloading tor exit nodes list (in background) ..." - /opt/scripts/exit-nodes.sh > /dev/null 2>&1 & + /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 & fi fi @@ -40,10 +40,10 @@ fi if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached proxies.list ..." - cp /cache/proxies.list /etc/nginx/proxies.list + cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then echo "[*] Downloading proxies list (in background) ..." - /opt/scripts/proxies.sh > /dev/null 2>&1 & + /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 & fi fi 
@@ -51,9 +51,9 @@ fi if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached abusers.list ..." - cp /cache/abusers.list /etc/nginx/abusers.list + cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then echo "[*] Downloading abusers list (in background) ..." - /opt/scripts/abusers.sh > /dev/null 2>&1 & + /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 & fi fi diff --git a/entrypoint/pre-jobs.sh b/entrypoint/pre-jobs.sh index ccda706..2ddf05f 100644 --- a/entrypoint/pre-jobs.sh +++ b/entrypoint/pre-jobs.sh @@ -1,7 +1,7 @@ #!/bin/bash # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh # self signed certs for sites files=$(has_value GENERATE_SELF_SIGNED_SSL yes) @@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}" fi - certbot_output=$(/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1) + certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1) if [ $? -eq 0 ] ; then echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')" else 
@@ -70,11 +70,11 @@ fi # GeoIP if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then - if [ -f "/cache/geoip.mmdb" ] ; then + if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." - cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb + cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then echo "[*] Downloading GeoIP database ..." - /opt/scripts/geoip.sh > /dev/null 2>&1 + /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1 fi fi diff --git a/helpers/install.sh b/helpers/install.sh index 72fe3bd..4bc249a 100644 --- a/helpers/install.sh +++ b/helpers/install.sh @@ -115,7 +115,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua/* /usr/local/lib/lua echo "[*] Copy antibot" do_and_check_cmd cp -r /tmp/bunkerized-nginx/antibot /opt/bunkerized-nginx -# Copy antibot +# Copy defaults echo "[*] Copy defaults" do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx 
@@ -129,6 +129,69 @@ if [ "$(grep "nginx:" /etc/passwd)" = "" ] ; then do_and_check_cmd useradd -d /opt/bunkerized-nginx -s /usr/sbin/nologin nginx fi +# Create www folder +if [ ! -d "/opt/bunkerized-nginx/www" ] ; then + echo "[*] Create /opt/bunkerized-nginx/www folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/www +fi + +# Create http-confs folder +if [ ! -d "/opt/bunkerized-nginx/http-confs" ] ; then + echo "[*] Create /opt/bunkerized-nginx/http-confs folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/http-confs +fi + +# Create server-confs folder +if [ ! -d "/opt/bunkerized-nginx/server-confs" ] ; then + echo "[*] Create /opt/bunkerized-nginx/server-confs folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/server-confs +fi + +# Create modsec-confs folder +if [ ! -d "/opt/bunkerized-nginx/modsec-confs" ] ; then + echo "[*] Create /opt/bunkerized-nginx/modsec-confs folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-confs +fi + +# Create modsec-crs-confs folder +if [ ! -d "/opt/bunkerized-nginx/modsec-crs-confs" ] ; then + echo "[*] Create /opt/bunkerized-nginx/modsec-crs-confs folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-crs-confs +fi + +# Create cache folder +if [ ! -d "/opt/bunkerized-nginx/cache" ] ; then + echo "[*] Create /opt/bunkerized-nginx/cache folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/cache +fi + +# Create pre-server-confs folder +if [ ! -d "/opt/bunkerized-nginx/pre-server-confs" ] ; then + echo "[*] Create /opt/bunkerized-nginx/pre-server-confs folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/pre-server-confs +fi + +# Create acme-challenge folder +if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ] ; then + echo "[*] Create /opt/bunkerized-nginx/acme-challenge folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/acme-challenge +fi + +# Create plugins folder +if [ ! 
-d "/opt/bunkerized-nginx/plugins" ] ; then + echo "[*] Create /opt/bunkerized-nginx/plugins folder" + do_and_check_cmd mkdir /opt/bunkerized-nginx/plugins +fi + +# Set permissions for /opt/bunkerized-nginx +echo "[*] Set permissions for /opt/bunkerized-nginx files and folders" +do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx +do_and_check_cmd find /opt -type f -exec chmod 0740 {} \; +do_and_check_cmd find /opt -type d -exec chmod 0750 {} \; +do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache +do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge +do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/* + # Install cron echo "[*] Add jobs to crontab" if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then @@ -139,27 +202,27 @@ fi # Download abusers list echo "[*] Download abusers list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/abusers.sh # Download TOR exit nodes list echo "[*] Download TOR exit nodes list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/exit-nodes.sh # Download proxies list echo "[*] Download proxies list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/proxies.sh # Download referrers list echo "[*] Download referrers list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/referrers.sh # Download user agents list echo "[*] Download user agents list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/user-agents.sh # Download geoip database echo "[*] Download proxies list" -# TODO : call external script +do_and_check_cmd /opt/bunkerized-nginx/scripts/geoip.sh # We're done echo "[*] bunkerized-nginx successfully installed !" diff --git a/misc/cron b/misc/cron index f4167fd..99496ad 100644 --- a/misc/cron +++ b/misc/cron 
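Review bot: The two lines `find /opt -type f -exec chmod 0740 {} \;` and `find /opt -type d -exec chmod 0750 {} \;` walk all of `/opt`, not the `/opt/bunkerized-nginx` tree the `chown -R` just above them is scoped to, so on a real host they strip read and execute bits from every other application installed under /opt; both should start at `/opt/bunkerized-nginx`. After that pass only `chmod 750 /opt/bunkerized-nginx/scripts/*` restores execute bits, while `entrypoint/*` and `gen/main.py` stay 0740 — prepare.sh makes those executable in the Docker image, so if anything on a Linux install executes them directly (not visible from this hunk) it will fail with permission denied, and a comment stating the intended difference would help either way. The nine near-identical `if [ ! -d … ] ; then … mkdir …` blocks could be one loop over the folder names using `mkdir -p`, which also makes adding the next folder a one-word change.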
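Review bot: The log line before the GeoIP step still says `echo "[*] Download proxies list"` although the comment and the command on the next line are for the GeoIP database; it should read `echo "[*] Download geoip database"`. These six calls replace the TODO comments with network fetches that run as root during installation, and if `do_and_check_cmd` aborts on a non-zero exit as its name suggests, an unreachable mirror turns into a failed install — a comment such as `# network fetches; a failure here aborts the install` (or making the calls best-effort) would make that tradeoff explicit. Whether the scripts return non-zero on a failed download is not visible in this hunk.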
@@ -1,7 +1,7 @@ -15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1 -30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1 -45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1 -0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1 -0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1 -0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1 -0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1 +15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1 +30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 +45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 +0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 +0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 +0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 +0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1 diff --git a/prepare.sh b/prepare.sh index af31f21..b2e0b85 100644 --- a/prepare.sh +++ b/prepare.sh @@ -6,13 +6,13 @@ chown -R root:nginx /www chmod -R 770 /www # prepare /opt -chown -R root:nginx /opt +chown -R root:nginx /opt/bunkerized-nginx find /opt -type f -exec chmod 0740 {} \; find /opt -type d -exec chmod 0750 {} \; -chmod ugo+x /opt/entrypoint/* /opt/scripts/* -chmod ugo+x /opt/gen/main.py -chmod 770 /opt -chmod 440 /opt/settings.json +chmod ugo+x /opt/bunkerized-nginx/entrypoint/* /opt/bunkerized-nginx/scripts/* +chmod ugo+x /opt/bunkerized-nginx/gen/main.py +chmod 770 /opt/bunkerized-nginx +chmod 440 /opt/bunkerized-nginx/settings.json # prepare /etc/nginx for file in $(ls /etc/nginx) ; do 
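Review bot: In prepare.sh, `chmod 770 /opt/bunkerized-nginx` gives the nginx group write access to the top-level directory, which is enough to rename or remove entries such as `settings.json`, `scripts` and `entrypoint` even though those stay 0740/0750 and root-owned; the image runs as `USER nginx:nginx`, so this is the runtime user being allowed to alter its own configuration tree. install.sh leaves the same directory at 0750 and only opens `cache` and `acme-challenge`, and in the image the writable locations are the separate `/cache`, `/www` and `/acme-challenge` paths anyway, so `chmod 750 /opt/bunkerized-nginx` would match the Linux install without losing anything. The two `find /opt …` lines are context here, but they still walk all of `/opt` while the `chown` on the line above them was narrowed to `/opt/bunkerized-nginx`.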
@@ -69,4 +69,15 @@ chmod 440 /etc/crontabs/nginx # prepare /plugins mkdir /plugins chown root:nginx /plugins -chmod 770 /plugins \ No newline at end of file +chmod 770 /plugins + +# prepare symlinks +ln -s /www /opt/bunkerized-nginx/www +ln -s /http-confs /opt/bunkerized-nginx/http-confs +ln -s /server-confs /opt/bunkerized-nginx/server-confs +ln -s /modsec-confs /opt/bunkerized-nginx/modsec-confs +ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs +ln -s /cache /opt/bunkerized-nginx/cache +ln -s /pre-server-confs /opt/bunkerized-nginx/pre-server-confs +ln -s /acme-challenge /opt/bunkerized-nginx/acme-challenge +ln -s /plugins /opt/bunkerized-nginx/plugins diff --git a/scripts/abusers.sh b/scripts/abusers.sh index f67ca47..ec128a1 100755 --- a/scripts/abusers.sh +++ b/scripts/abusers.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /tmp/abusers.list /cache + cp /tmp/abusers.list /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after abusers list update" else job_log "[NGINX] failed nginx reload after abusers list update fallback to old list" @@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 fi else - cp /tmp/abusers.list /cache + cp /tmp/abusers.list /opt/bunkerized-nginx/cache fi else job_log "[BLACKLIST] can't update abusers list" diff --git a/scripts/certbot-new.sh b/scripts/certbot-new.sh index 6ef742d..4c18de5 100644 --- a/scripts/certbot-new.sh +++ b/scripts/certbot-new.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # generate certificate -certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos +certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos if [ "$?" -ne 0 ] ; then exit 1 fi diff --git a/scripts/certbot-renew-hook.sh b/scripts/certbot-renew-hook.sh index ac55a52..e382b11 100644 --- a/scripts/certbot-renew-hook.sh +++ b/scripts/certbot-renew-hook.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh job_log "[CERTBOT] certificates have been renewed" diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh index eab15be..4724342 100644 --- a/scripts/certbot-renew.sh +++ b/scripts/certbot-renew.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -12,7 +12,7 @@ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then fi # ask new certificates if needed -certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh +certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh if [ "$?" -eq 0 ] ; then job_log "[CERTBOT] renew operation done" diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh index 5b92aa4..95f8d8f 100644 --- a/scripts/exit-nodes.sh +++ b/scripts/exit-nodes.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 
@@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /tmp/tor-exit-nodes.list /cache + cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after TOR exit node list update" else job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list" @@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 fi else - cp /tmp/tor-exit-nodes.list /cache + cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache fi else job_log "[BLACKLIST] can't update TOR exit node list" diff --git a/scripts/geoip.sh b/scripts/geoip.sh index 302c6b8..5e5b89e 100644 --- a/scripts/geoip.sh +++ b/scripts/geoip.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -32,17 +32,17 @@ if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 if [ "$?" -eq 0 ] ; then - cp /etc/nginx/geoip.mmdb /cache + cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after GeoIP DB update" else job_log "[NGINX] failed nginx reload after GeoIP DB update" - if [ -f /cache/geoip.mmdb ] ; then - cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb + if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then + cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb $RELOAD > /dev/null 2>&1 fi fi else - cp /etc/nginx/geoip.mmdb /cache + cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache fi else job_log "[GEOIP] can't download DB from $URL" diff --git a/scripts/proxies.sh b/scripts/proxies.sh index 1718d27..9728b0f 100755 --- a/scripts/proxies.sh +++ b/scripts/proxies.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /tmp/proxies.list /cache + cp /tmp/proxies.list /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after proxies list update" else job_log "[NGINX] failed nginx reload after proxies list update fallback to old list" @@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 fi else - cp /tmp/proxies.list /cache + cp /tmp/proxies.list /opt/bunkerized-nginx/cache fi else job_log "[BLACKLIST] can't update proxies list" diff --git a/scripts/referrers.sh b/scripts/referrers.sh index 7e98723..088c5ad 100755 --- a/scripts/referrers.sh +++ b/scripts/referrers.sh @@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 if [ "$?" -eq 0 ] ; then - cp /tmp/referrers.list /cache + cp /tmp/referrers.list /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after referrers list update" else #cp /tmp/referrers.list.bak /etc/nginx @@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 fi else - cp /tmp/referrers.list /cache + cp /tmp/referrers.list /opt/bunkerized-nginx/cache fi else job_log "[BLACKLIST] can't update referrers list" diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh index be3a3dd..92bc92d 100755 --- a/scripts/user-agents.sh +++ b/scripts/user-agents.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # load some functions -. /opt/entrypoint/utils.sh +. /opt/bunkerized-nginx/entrypoint/utils.sh if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then exit 0 @@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 if [ "$?" -eq 0 ] ; then - cp /tmp/user-agents.list /cache + cp /tmp/user-agents.list /opt/bunkerized-nginx/cache job_log "[NGINX] successfull nginx reload after user-agent list update" else #cp /tmp/user-agents.list.bak /etc/nginx @@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then $RELOAD > /dev/null 2>&1 fi else - cp /tmp/user-agents.list /cache + cp /tmp/user-agents.list /opt/bunkerized-nginx/cache fi else job_log "[BLACKLIST] can't update user-agent list" diff --git a/settings.json b/settings.json index 2c64861..a376333 100644 --- a/settings.json +++ b/settings.json @@ -1190,7 +1190,7 @@ }, { "context": "global", - "default": "/www", + "default": "/opt/bunkerized-nginx/www", "env": "ROOT_FOLDER", "id": "root-folder", "label": "Root folder", diff --git a/tests/linux.sh b/tests/linux.sh new file mode 100644 index 0000000..4014668 --- /dev/null +++ b/tests/linux.sh 
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+image="$1"
+
+echo "[*] Run $image"
+id="$(docker run -d -it "$image")"
+if [ $? -ne 0 ] ; then
+ echo "[!] docker run failed"
+ exit 1
+fi
+
+echo "[*] Copy dependencies.sh"
+docker cp helpers/dependencies.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+ echo "[!] docker cp failed"
+ exit 2
+fi
+
+echo "[*] Exec dependencies.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/dependencies.sh && /tmp/dependencies.sh'
+if [ $? -ne 0 ] ; then
+ echo "[!] docker exec failed"
+ exit 3
+fi
+
+echo "[*] Copy install.sh"
+docker cp helpers/install.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+ echo "[!] docker cp failed"
+ exit 4
+fi
+
+echo "[*] Exec install.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
+if [ $? -ne 0 ] ; then
+ echo "[!] docker exec failed"
+ exit 4
+fi
+
+echo "[*] Exec nginx -V"
+docker exec "$id" nginx -V
+if [ $? -ne 0 ] ; then
+ echo "[!] docker exec failed"
+ exit 5
+fi
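Review bot: The container started by `docker run -d -it "$image"` is never stopped or removed on any exit path, and two different failures share exit code 4 (the `docker cp` of install.sh and the `docker exec` of it), so a caller cannot tell them apart. Adding `trap 'docker rm -f "$id" > /dev/null 2>&1' EXIT` right after the `id=` assignment and renumbering the last two codes to `exit 5` and `exit 6` fixes both. The script also uses `$1` without checking it is non-empty, so a missing argument surfaces as a generic `docker run` error rather than a usage message.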