multisite - bug fixes

This commit is contained in:
bunkerity 2020-11-11 16:54:27 +01:00
parent bd7997497b
commit 2da51d92a6
No known key found for this signature in database
GPG Key ID: 654FFF51CEF7CC47
14 changed files with 60 additions and 33 deletions


@ -19,7 +19,7 @@ COPY logs/ /opt/logs
COPY lua/ /opt/lua COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \ chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \ mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \ rm -f /var/log/nginx/* && \


@ -19,7 +19,7 @@ COPY logs/ /opt/logs
COPY lua/ /opt/lua COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \ chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \ mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \ rm -f /var/log/nginx/* && \


@ -26,7 +26,7 @@ COPY logs/ /opt/logs
COPY lua/ /opt/lua COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \ chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \ mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \ rm -f /var/log/nginx/* && \


@ -26,7 +26,7 @@ COPY logs/ /opt/logs
COPY lua/ /opt/lua COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \ chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \ mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \ rm -f /var/log/nginx/* && \


@ -19,7 +19,7 @@ COPY logs/ /opt/logs
COPY lua/ /opt/lua COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \ chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \ mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \ rm -f /var/log/nginx/* && \


@ -1,2 +1,2 @@
modsecurity on; modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity-rules.conf; modsecurity_rules_file %MODSEC_RULES_FILE%;
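Review bot: The `%MODSEC_RULES_FILE%` placeholder introduced here is filled in by site-config.sh in this same commit with `"${NGINX_PREFIX}/modsecurity-rules.conf"`, and NGINX_PREFIX already ends in a slash (`/etc/nginx/` or `/etc/nginx/<site>/`), so the rendered directive reads `modsecurity_rules_file /etc/nginx//modsecurity-rules.conf;`. nginx tolerates the doubled slash, but the sibling `%MAIN_LUA%` replacement builds its path as `${NGINX_PREFIX}main-lua.conf`, so the value should be written the same way: `"${NGINX_PREFIX}modsecurity-rules.conf"`.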


@ -1,5 +1,5 @@
location ~ \.php$ { location ~ \.php$ {
fastcgi_pass %REMOTE_PHP%:9000; fastcgi_pass %REMOTE_PHP%:9000;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi.conf; include /etc/nginx/fastcgi.conf;
} }


@ -1,6 +1,6 @@
server { server {
include /server-confs/*.conf; %SERVER_CONF%
include /etc/nginx/main-lua.conf; %MAIN_LUA%
%PROXY_REAL_IP% %PROXY_REAL_IP%
%USE_MODSECURITY% %USE_MODSECURITY%
%LISTEN_HTTP% %LISTEN_HTTP%


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
HTTP_PORT="${HTTP_PORT-8080}" HTTP_PORT="${HTTP_PORT-8080}"
HTTPS_PORT="${HTTPS_PORT-8443}" HTTPS_PORT="${HTTPS_PORT-8443}"


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
# load default values # load default values
. ./opt/entrypoint/defaults.sh . ./opt/entrypoint/defaults.sh
@ -32,7 +32,7 @@ if [ ! -f "/opt/installed" ] ; then
echo "[*] Configuring bunkerized-nginx ..." echo "[*] Configuring bunkerized-nginx ..."
/opt/entrypoint/global-config.sh /opt/entrypoint/global-config.sh
if [ "$MULTISITE" = "yes" ] ; then if [ "$MULTISITE" = "yes" ] ; then
for server in "$SERVER_NAME" ; do for server in $SERVER_NAME ; do
/opt/entrypoint/site-config.sh "$server" /opt/entrypoint/site-config.sh "$server"
echo "[*] Multi site - $server configuration done" echo "[*] Multi site - $server configuration done"
done done
@ -63,20 +63,22 @@ rsyslogd
# start crond # start crond
crond crond
# start nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
# start fail2ban # start fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then if [ "$USE_FAIL2BAN" = "yes" ] ; then
echo "[*] Running fail2ban ..."
fail2ban-server > /dev/null fail2ban-server > /dev/null
fi fi
# start crowdsec # start crowdsec
if [ "$USE_CROWDSEC" = "yes" ] ; then if [ "$USE_CROWDSEC" = "yes" ] ; then
echo "[*] Running crowdsec ..."
crowdsec crowdsec
fi fi
# start nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
# autotest # autotest
if [ "$1" == "test" ] ; then if [ "$1" == "test" ] ; then
sleep 10 sleep 10
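Review bot: `for server in $SERVER_NAME ; do` (the changed line in the `@ -32` hunk) splits SERVER_NAME on IFS, which is what multisite needs, but the unquoted expansion also glob-expands each word, so a name containing `*` or `?` would be matched against the current directory before being handed to site-config.sh. Now that the script runs under bash, the same split without globbing is `read -r -a servers <<< "$SERVER_NAME"` followed by `for server in "${servers[@]}" ; do`. The identical unquoted loop is introduced in global-config.sh in this commit and would take the same fix; the `@ -63` hunk below appears to be cut short on this page, so its tail was not reviewed.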


@ -1,4 +1,7 @@
#!/bin/sh #!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions # load some functions
. /opt/entrypoint/utils.sh . /opt/entrypoint/utils.sh
@ -20,7 +23,7 @@ fi
# include server block(s) # include server block(s)
if [ "$MULTISITE" = "yes" ] ; then if [ "$MULTISITE" = "yes" ] ; then
includes="" includes=""
for server in "$SERVER_NAME" ; do for server in $SERVER_NAME ; do
includes="${includes}include /etc/nginx/${server}/server.conf;\n" includes="${includes}include /etc/nginx/${server}/server.conf;\n"
done done
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes" replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
@ -148,6 +151,15 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "" replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
fi fi
# DNSBL
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
fi
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# fail2ban setup # fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
rm -rf /etc/fail2ban/jail.d/*.conf rm -rf /etc/fail2ban/jail.d/*.conf
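Review bot: Both branches of the new `USE_DNSBL` test in the `@ -148` hunk substitute the same `lua_shared_dict dnsbl_cache 10m;`, so `%DNSBL_CACHE%` is never cleared when DNSBL is disabled and the shared dict is allocated regardless. The else branch presumably should read `replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""`, matching the `%LIMIT_REQ_ZONE%` else branch just above it. `spaces_to_lua` and `DNSBL_LIST` come from outside the hunk; since the result is spliced into dnsbl.lua as Lua source, a one-line comment above that `replace_in_file` stating what DNSBL_LIST is expected to contain (space-separated hostnames, nothing else) would help the next reader.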


@ -1,4 +1,7 @@
#!/bin/sh #!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions # load some functions
. /opt/entrypoint/utils.sh . /opt/entrypoint/utils.sh
@ -7,12 +10,13 @@
NGINX_PREFIX="/etc/nginx/" NGINX_PREFIX="/etc/nginx/"
if [ "$MULTISITE" = "yes" ] ; then if [ "$MULTISITE" = "yes" ] ; then
NGINX_PREFIX="${NGINX_PREFIX}${1}/" NGINX_PREFIX="${NGINX_PREFIX}${1}/"
for var in env ; do for var in $(env) ; do
name=$(echo "$var" | cut -d '=' -f 1) name=$(echo "$var" | cut -d '=' -f 1)
check=$(echo "name" | grep "^$1_") check=$(echo "$name" | grep "^$1_")
if [ "$check" != "" ] ; then if [ "$check" != "" ] ; then
repl_name=$(echo "$name" | sed "s/${1}_//") repl_name=$(echo "$name" | sed "s~${1}_~~")
repl_value=$(echo "$var" | sed "s/${name}//") repl_value=$(echo "$var" | sed "s~${name}=~~")
echo "$SERVER_NAME (check ok) : $repl_name - $repl_value"
read -r "$repl_name" <<< $repl_value read -r "$repl_name" <<< $repl_value
fi fi
done done
@ -25,6 +29,15 @@ if [ "$MULTISITE" = "yes" ] ; then
fi fi
cp /opt/confs/site/* "$NGINX_PREFIX" cp /opt/confs/site/* "$NGINX_PREFIX"
# replace paths
replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
if [ "$MULTISITE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/${1}/*.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
fi
# remote PHP # remote PHP
if [ "$REMOTE_PHP" != "" ] ; then if [ "$REMOTE_PHP" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;" replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
@ -149,21 +162,21 @@ fi
# block TOR exit nodes # block TOR exit nodes
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include ${NGINX_PREFIX}block-tor-exit-node.conf;" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
else else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
fi fi
# block proxies # block proxies
if [ "$BLOCK_PROXIES" = "yes" ] ; then if [ "$BLOCK_PROXIES" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include ${NGINX_PREFIX}block-proxies.conf;" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
else else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
fi fi
# block abusers # block abusers
if [ "$BLOCK_ABUSERS" = "yes" ] ; then if [ "$BLOCK_ABUSERS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include ${NGINX_PREFIX}block-abusers.conf;" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
else else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "" replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
fi fi
@ -228,13 +241,13 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
fi fi
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include ${NGINX_PREFIX}owasp-crs.conf" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
else else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
fi fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include ${NGINX_PREFIX}owasp-crs/*.conf" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
else else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
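Review bot: `for var in $(env) ; do` in the `@ -7` hunk word-splits the entire `env` output, so any per-site value containing whitespace is cut at its first space and the remainder is processed as a bogus variable, and each word is also glob-expanded. Since the shebang is now bash, reading line by line avoids that: `while IFS= read -r var ; do` … `done < <(env)` (values containing newlines would still need NUL-delimited handling such as `env -0` where available). The new debug line `echo "$SERVER_NAME (check ok) : $repl_name - $repl_value"` writes every per-site value to stdout, most likely the container log, which matters if any of those variables carry credentials; print only `$repl_name` or drop the line. `read -r "$repl_name" <<< $repl_value` also strips leading and trailing IFS whitespace from the value, whereas `printf -v "$repl_name" '%s' "$repl_value"` assigns it verbatim. The same `$(env)` loop exists in has_value in utils.sh (context there, not changed by this commit).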


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
# replace pattern in file # replace pattern in file
function replace_in_file() { function replace_in_file() {
@ -28,8 +28,8 @@ function has_value() {
fi fi
for var in $(env) ; do for var in $(env) ; do
domain=$(echo "$var" | cut -d '_' -f 1) domain=$(echo "$var" | cut -d '_' -f 1)
name=$(echo "$var" | cut -d '=' -f 1 | sed "s/${domain}_//") name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
value=$(echo "$var" | sed "s/${domain}_${name}=//") value=$(echo "$var" | sed "s~${domain}_${name}=~~")
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
echo "ok" echo "ok"
return 0 return 0
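Review bot: The changed `sed` calls in has_value still splice `$domain` and `$name` into a regex unescaped, so a `.` in a variable name matches any character and the delimiter change to `~` only moves the problem (a `~` in either name now breaks the expression); each call also forks `echo | cut | sed` once per environment variable. Parameter expansion does the same job with no regex at all: `name=${var%%=*}`, `name=${name#"${domain}_"}`, `value=${var#*=}`. has_value starts above this hunk, so its remaining body was not reviewed.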


@ -17,7 +17,7 @@ for ua in $BLACKLIST ; do
done done
DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | sed 's:\\\\\\ :\\\\ :g') DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | sed 's:\\\\\\ :\\\\ :g')
cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf cp /opt/confs/global/map-user-agent.conf /etc/nginx/map-user-agent.conf
replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED" replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
if [ -f /tmp/nginx.pid ] ; then if [ -f /tmp/nginx.pid ] ; then