From 2da51d92a625873f2b8f65ac38b99ada613a371f Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 11 Nov 2020 16:54:27 +0100
Subject: [PATCH] multisite - bug fixes

---
 Dockerfile | 2 +-
 Dockerfile-amd64 | 2 +-
 Dockerfile-arm32v7 | 2 +-
 Dockerfile-arm64v8 | 2 +-
 Dockerfile-i386 | 2 +-
 confs/site/modsecurity.conf | 2 +-
 confs/site/php.conf | 2 +-
 confs/site/server.conf | 4 ++--
 entrypoint/defaults.sh | 2 +-
 entrypoint/entrypoint.sh | 14 ++++++++------
 entrypoint/global-config.sh | 18 +++++++++++++++---
 entrypoint/site-config.sh | 33 +++++++++++++++++++++++----------
 entrypoint/utils.sh | 6 +++---
 scripts/user-agents.sh | 2 +-
 14 files changed, 60 insertions(+), 33 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2d9c982..5f68e35 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,7 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
 	chmod +x /opt/entrypoint/* /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 00b3999..6c330e9 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -19,7 +19,7 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
 	chmod +x /opt/entrypoint/* /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 3a3bc85..482f8e7 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -26,7 +26,7 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
 	chmod +x /opt/entrypoint/* /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 41d12e9..9f769af 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -26,7 +26,7 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
 	chmod +x /opt/entrypoint/* /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 6620ad4..8620238 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -19,7 +19,7 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
 	chmod +x /opt/entrypoint/* /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	rm -f /var/log/nginx/* && \
diff --git a/confs/site/modsecurity.conf b/confs/site/modsecurity.conf
index 4eee500..b30c0f8 100644
--- a/confs/site/modsecurity.conf
+++ b/confs/site/modsecurity.conf
@@ -1,2 +1,2 @@
 modsecurity on;
-modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
+modsecurity_rules_file %MODSEC_RULES_FILE%;
diff --git a/confs/site/php.conf b/confs/site/php.conf
index 7e81af3..90fb918 100644
--- a/confs/site/php.conf
+++ b/confs/site/php.conf
@@ -1,5 +1,5 @@
 location ~ \.php$ {
 	fastcgi_pass %REMOTE_PHP%:9000;
 	fastcgi_index index.php;
-	include fastcgi.conf;
+	include /etc/nginx/fastcgi.conf;
 }
diff --git a/confs/site/server.conf b/confs/site/server.conf
index 25bcb7c..67da2c5 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -1,6 +1,6 @@
 server {
-	include /server-confs/*.conf;
-	include /etc/nginx/main-lua.conf;
+	%SERVER_CONF%
+	%MAIN_LUA%
 	%PROXY_REAL_IP%
 	%USE_MODSECURITY%
 	%LISTEN_HTTP%
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index b545426..2a93b4c 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 0f59a23..1e0ac21 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # load default values
 . ./opt/entrypoint/defaults.sh
@@ -32,7 +32,7 @@ if [ ! -f "/opt/installed" ] ; then
 	echo "[*] Configuring bunkerized-nginx ..."
 	/opt/entrypoint/global-config.sh
 	if [ "$MULTISITE" = "yes" ] ; then
-		for server in "$SERVER_NAME" ; do
+		for server in $SERVER_NAME ; do
 			/opt/entrypoint/site-config.sh "$server"
 			echo "[*] Multi site - $server configuration done"
 		done
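Review bot: The unquoted `$SERVER_NAME` in the new `for server in $SERVER_NAME ; do` line is the intended word-splitting over a space-separated list, but the expansion is also subject to pathname globbing and ShellCheck flags it (SC2086); the same construct is introduced in global-config.sh's `%INCLUDE_SERVER%` hunk. Since the scripts now run under bash, either mark the intent with `# shellcheck disable=SC2086 -- SERVER_NAME is a space-separated list` above the loop, or split once into an array with `read -r -a servers <<< "$SERVER_NAME"` and iterate `for server in "${servers[@]}" ; do`. Each `$server` is then passed as `$1` to site-config.sh, where it is interpolated into `grep` and `sed` patterns, so the list should hold plain host names only.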
@@ -63,20 +63,22 @@ rsyslogd
 # start crond
 crond
 
+# start nginx
+echo "[*] Running nginx ..."
+su -s "/usr/sbin/nginx" nginx
+
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
+	echo "[*] Running fail2ban ..."
 	fail2ban-server > /dev/null
 fi
 
 # start crowdsec
 if [ "$USE_CROWDSEC" = "yes" ] ; then
+	echo "[*] Running crowdsec ..."
 	crowdsec
 fi
 
-# start nginx
-echo "[*] Running nginx ..."
-su -s "/usr/sbin/nginx" nginx
-
 # autotest
 if [ "$1" == "test" ] ; then
 	sleep 10
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index 443435e..b9208b6 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -1,4 +1,7 @@
-#!/bin/sh
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
 
 # load some functions
 . /opt/entrypoint/utils.sh
@@ -20,7 +23,7 @@ fi
 # include server block(s)
 if [ "$MULTISITE" = "yes" ] ; then
 	includes=""
-	for server in "$SERVER_NAME" ; do
+	for server in $SERVER_NAME ; do
 		includes="${includes}include /etc/nginx/${server}/server.conf;\n"
 	done
 	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
@@ -54,7 +57,7 @@ fi
 
 # self-signed certificate
 if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
-mkdir /etc/nginx/self-signed-ssl/
+	mkdir /etc/nginx/self-signed-ssl/
 	openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
 fi
 
@@ -148,6 +151,15 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 
+# DNSBL
+if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
+fi
+list=$(spaces_to_lua "$DNSBL_LIST")
+replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
+
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
 	rm -rf /etc/fail2ban/jail.d/*.conf
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 3c67389..34b6a09 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -1,4 +1,7 @@
-#!/bin/sh
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
 
 # load some functions
 . /opt/entrypoint/utils.sh
@@ -7,12 +10,13 @@ NGINX_PREFIX="/etc/nginx/"
 
 if [ "$MULTISITE" = "yes" ] ; then
 	NGINX_PREFIX="${NGINX_PREFIX}${1}/"
-	for var in env ; do
+	for var in $(env) ; do
 		name=$(echo "$var" | cut -d '=' -f 1)
-		check=$(echo "name" | grep "^$1_")
+		check=$(echo "$name" | grep "^$1_")
 		if [ "$check" != "" ] ; then
-			repl_name=$(echo "$name" | sed "s/${1}_//")
-			repl_value=$(echo "$var" | sed "s/${name}//")
+			repl_name=$(echo "$name" | sed "s~${1}_~~")
+			repl_value=$(echo "$var" | sed "s~${name}=~~")
+			echo "$SERVER_NAME (check ok) : $repl_name - $repl_value"
 			read -r "$repl_name" <<< $repl_value
 		fi
 	done
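Review bot: Both branches of the new `USE_DNSBL` block write the same value, so `%DNSBL_CACHE%` becomes `lua_shared_dict dnsbl_cache 10m;` whether DNSBL is enabled or not and the `if` is dead code. Every neighbouring block (the `%LIMIT_REQ_ZONE%` one at the top of this hunk, for instance) clears its placeholder in the `else` branch, so this one presumably should as well: `replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""`. The `%DNSBL_LIST%` substitution into dnsbl.lua runs unconditionally; if that is intended even when DNSBL is off, a one-line comment saying so would save the next reader the question.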
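Review bot: `for var in $(env)` splits the environment on whitespace, so any value containing a space (a `<server>_` variable holding a list, for example) is truncated at the first space and its remaining words are processed as bogus `NAME=VALUE` entries; `read -r "$repl_name" <<< $repl_value` then also trims leading and trailing whitespace from what is left. The `echo "$SERVER_NAME (check ok) : $repl_name - $repl_value"` line looks like leftover debugging: it prints every per-site variable value to stdout on each start and should be dropped or at least sent to stderr. Since the script now runs under bash, reading `env` line by line and using parameter expansion instead of `cut`/`sed` avoids both the splitting and the interpolation of `$1` and `$name` into regular expressions; values containing newlines are still not handled, which is worth stating in a comment above the loop. The enclosing `if [ "$MULTISITE" = "yes" ]` block continues past the end of the hunk.
```shell
	# one NAME=VALUE per line; values that contain a newline are not supported
	while IFS= read -r var ; do
		name=${var%%=*}
		if [[ "$name" == "${1}_"* ]] ; then
			repl_name=${name#"${1}_"}
			repl_value=${var#*=}
			printf -v "$repl_name" '%s' "$repl_value"
		fi
	done < <(env)
```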
@@ -25,6 +29,15 @@ if [ "$MULTISITE" = "yes" ] ; then
 fi
 cp /opt/confs/site/* "$NGINX_PREFIX"
 
+# replace paths
+replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
+replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
+if [ "$MULTISITE" = "yes" ] ; then
+	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/${1}/*.conf;"
+else
+	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
+fi
+
 # remote PHP
 if [ "$REMOTE_PHP" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
@@ -149,21 +162,21 @@ fi
 
 # block TOR exit nodes
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include ${NGINX_PREFIX}block-tor-exit-node.conf;"
+	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
 fi
 
 # block proxies
 if [ "$BLOCK_PROXIES" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include ${NGINX_PREFIX}block-proxies.conf;"
+	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
 fi
 
 # block abusers
 if [ "$BLOCK_ABUSERS" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include ${NGINX_PREFIX}block-abusers.conf;"
+	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
 fi
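Review bot: `"${NGINX_PREFIX}/modsecurity-rules.conf"` on the `%MODSEC_RULES_FILE%` line produces a double slash, because `NGINX_PREFIX` already ends in `/` (it is set to `/etc/nginx/` and, under `MULTISITE`, to `${NGINX_PREFIX}${1}/` in the earlier hunk of this file); the `%MAIN_LUA%` line directly above concatenates without the extra slash. nginx accepts `//` in a path, but the rendered `modsecurity_rules_file` will not match the path used for the same file elsewhere in this script, so write `"${NGINX_PREFIX}modsecurity-rules.conf"`. A comment above `# replace paths` noting which rendered files are per-site (under `NGINX_PREFIX`) and which stay shared under `/etc/nginx/` would explain the mixed paths in the later hunks of this file. The `# remote PHP` block at the end of the hunk continues outside it.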
@@ -228,13 +241,13 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
 	fi
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include ${NGINX_PREFIX}owasp-crs.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
 		if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 			replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
 		else
 			replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
 		fi
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include ${NGINX_PREFIX}owasp-crs/*.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
 	else
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh
index 497e735..87c436b 100644
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # replace pattern in file
 function replace_in_file() {
@@ -28,8 +28,8 @@ function has_value() {
 	fi
 	for var in $(env) ; do
 		domain=$(echo "$var" | cut -d '_' -f 1)
-		name=$(echo "$var" | cut -d '=' -f 1 | sed "s/${domain}_//")
-		value=$(echo "$var" | sed "s/${domain}_${name}=//")
+		name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
+		value=$(echo "$var" | sed "s~${domain}_${name}=~~")
 		if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
 			echo "ok"
 			return 0
diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh
index 1493003..7290b18 100755
--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
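Review bot: Switching the sed delimiter to `~` stops values containing `/` from breaking the substitution, but `${domain}` and `${name}` are still interpolated into the regex on the two changed lines of `has_value`, so a multisite prefix that contains a dot (a host name taken from the part before the first `_`) is matched with `.` as a wildcard rather than literally. The same extraction needs no sed or regex at all: `name=${var%%=*}`, `name=${name#"${domain}_"}` and `value=${var#*=}`. The surrounding `for var in $(env)` is unchanged context, but it splits values on whitespace, so a value with a space is compared word by word; `has_value` starts before this hunk.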
@@ -17,7 +17,7 @@ for ua in $BLACKLIST ; do
 done
 DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | sed 's:\\\\\\ :\\\\ :g')
 
-cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
+cp /opt/confs/global/map-user-agent.conf /etc/nginx/map-user-agent.conf
 replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
 
 if [ -f /tmp/nginx.pid ] ; then