diff --git a/Dockerfile b/Dockerfile index 2641166..6106808 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr EXPOSE 8080/tcp 8443/tcp +USER nginx + ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index a201837..1e7501e 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr EXPOSE 8080/tcp 8443/tcp +USER nginx + ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index e8a1f2e..887f420 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr EXPOSE 8080/tcp 8443/tcp +USER nginx + ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 9ae7e23..87ade2a 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr EXPOSE 8080/tcp 8443/tcp +USER nginx + ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 2f80f70..ea94a1a 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr EXPOSE 8080/tcp 8443/tcp +USER nginx + ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/autoconf/AutoConf.py b/autoconf/AutoConf.py index 3cb9928..eb263c4 100644 --- a/autoconf/AutoConf.py +++ b/autoconf/AutoConf.py @@ -5,6 +5,7 @@ class AutoConf : def __init__(self, swarm, api) : self.__swarm = swarm + self.__servers = {} self.__instances = {} self.__sites = {} self.__config = Config(self.__swarm, api) 
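Review bot: With `USER nginx` in force, the entrypoint can no longer perform the `apk add $ADDITIONAL_MODULES` step that global-config.sh still carries out (it is unchanged context in this commit's global-config.sh hunk), so that feature either fails at start-up or has to move to build time, which would also remove an unpinned package install from the container's runtime path. The same line is added in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386, so the point applies to all five. `crond` and `rsyslogd` are also started under this uid from now on; rsyslogd was given a writable pid path, but whether BusyBox crond can read `/etc/crontabs/` and run the nginx crontab as a non-root process should be confirmed. A comment would help later readers: `# drop privileges: entrypoint, crond, rsyslogd and nginx all run as the nginx user from here on`.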
@@ -72,11 +73,11 @@ class AutoConf : def __process_server(self, instance, event, id, name, labels) : vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")} if event == "create" : - if self.__config.generate(instances, vars) : + if self.__config.generate(self.__instances, vars) : utils.log("[*] Generated config for " + vars["SERVER_NAME"]) - self.__servers[id] = obj + self.__servers[id] = instance if self.__swarm : - if self.__config.activate(instances, vars) : + if self.__config.activate(self.__instances, vars) : utils.log("[*] Activated config for " + vars["SERVER_NAME"]) else : utils.log("[!] Can't activate config for " + vars["SERVER_NAME"]) @@ -85,21 +86,21 @@ class AutoConf : elif event == "start" : if id in self.__servers : self.__servers[id].reload() - if self.__config.activate(instances, vars) : + if self.__config.activate(self.__instances, vars) : utils.log("[*] Activated config for " + vars["SERVER_NAME"]) else : utils.log("[!] Can't activate config for " + vars["SERVER_NAME"]) elif event == "die" : if id in self.__servers : self.__servers[id].reload() - if self.__config.deactivate(instances, vars) : + if self.__config.deactivate(self.__instances, vars) : utils.log("[*] Deactivated config for " + vars["SERVER_NAME"]) else : utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"]) elif event == "destroy" or event == "remove" : if id in self.__servers : if self.__swarm : - if self.__config.deactivate(instances, vars) : + if self.__config.deactivate(self.__instances, vars) : utils.log("[*] Deactivated config for " + vars["SERVER_NAME"]) else : utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"]) diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile index 0b479ee..7604a85 100644 --- a/autoconf/Dockerfile +++ b/autoconf/Dockerfile 
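Review bot: `vars["SERVER_NAME"]` is read in every branch without checking that the container actually carries a `bunkerized-nginx.SERVER_NAME` label, so a container with any other `bunkerized-nginx.*` label raises KeyError inside the event handler. A guard right after the dict is built keeps the handler alive: `if "SERVER_NAME" not in vars : utils.log("[!] Missing SERVER_NAME label for " + name) ; return`. The same applies to the second hunk of this file (the start/die/destroy branches). Label values are fed straight into config generation, and whether `Config.generate` validates SERVER_NAME is not visible here, so that is worth confirming; the local `vars` shadowing the builtin is a minor style point. `__process_server`'s body continues past the end of the second hunk.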
@@ -8,7 +8,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ pip3 install docker requests && \ mkdir /opt/entrypoint && \ mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global + mkdir -p /opt/confs/global && \ + addgroup -g 101 nginx && \ + adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx COPY confs/site/ /opt/confs/site COPY confs/global/ /opt/confs/global diff --git a/autoconf/Dockerfile-amd64 b/autoconf/Dockerfile-amd64 index 2e6a0cf..603fe1c 100644 --- a/autoconf/Dockerfile-amd64 +++ b/autoconf/Dockerfile-amd64 @@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ pip3 install docker requests && \ mkdir /opt/entrypoint && \ mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global + mkdir -p /opt/confs/global && \ + addgroup -g 101 nginx && \ + adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx COPY confs/site/ /opt/confs/site COPY entrypoint/* /opt/entrypoint/ diff --git a/autoconf/Dockerfile-arm32v7 b/autoconf/Dockerfile-arm32v7 index c272ad4..dcbe5e1 100644 --- a/autoconf/Dockerfile-arm32v7 +++ b/autoconf/Dockerfile-arm32v7 @@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ pip3 install docker requests && \ mkdir /opt/entrypoint && \ mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global + mkdir -p /opt/confs/global && \ + addgroup -g 101 nginx && \ + adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx COPY confs/site/ /opt/confs/site COPY entrypoint/* /opt/entrypoint/ diff --git a/autoconf/Dockerfile-arm64v8 b/autoconf/Dockerfile-arm64v8 index ff8b775..d7a4be4 100644 --- a/autoconf/Dockerfile-arm64v8 +++ b/autoconf/Dockerfile-arm64v8 
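Review bot: The hard-coded uid/gid 101 carries no comment on the constraint it satisfies; presumably it has to match the nginx user of the main image so that files on shared volumes keep the same ownership, and anyone changing either image needs to know that. Suggested comment above the `addgroup` line: `# uid/gid must match the nginx user of the main image so shared volumes keep consistent ownership`. The same lines are added in autoconf/Dockerfile-amd64, -arm32v7, -arm64v8 and -i386, so one comment per file. BusyBox `adduser` should fail the build if uid 101 is already taken in the base image, which is the right outcome for a `&&` chain, and that expectation belongs in the same comment.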
@@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ pip3 install docker requests && \ mkdir /opt/entrypoint && \ mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global + mkdir -p /opt/confs/global && \ + addgroup -g 101 nginx && \ + adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx COPY confs/site/ /opt/confs/site COPY entrypoint/* /opt/entrypoint/ diff --git a/autoconf/Dockerfile-i386 b/autoconf/Dockerfile-i386 index fa026d5..7c27bc3 100644 --- a/autoconf/Dockerfile-i386 +++ b/autoconf/Dockerfile-i386 @@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ pip3 install docker requests && \ mkdir /opt/entrypoint && \ mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global + mkdir -p /opt/confs/global && \ + addgroup -g 101 nginx && \ + adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx COPY confs/site/ /opt/confs/site COPY entrypoint/* /opt/entrypoint/ diff --git a/compile.sh b/compile.sh index 8b7a249..0030d0c 100644 --- a/compile.sh +++ b/compile.sh @@ -50,8 +50,9 @@ make install-strip cd /tmp git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc cd coreruleset -cp -r rules /etc/nginx/owasp-crs -cp crs-setup.conf.example /etc/nginx/owasp-crs.conf +mkdir /opt/owasp +cp -r rules /opt/owasp/crs +cp crs-setup.conf.example /opt/owasp/crs.conf # get nginx modules cd /tmp diff --git a/entrypoint/clamav.sh b/entrypoint/clamav.sh index 59effad..eb41a79 100644 --- a/entrypoint/clamav.sh +++ b/entrypoint/clamav.sh 
@@ -10,12 +10,12 @@ if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then echo "[*] Updating clamav (in background) ..." freshclam > /dev/null 2>&1 & - echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root + echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx fi if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx else - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx fi fi diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index 3c30e73..147b4e1 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -35,7 +35,7 @@ function trap_reload() { fi if [ -f /tmp/nginx.pid ] ; then echo "[*] Reloading nginx ..." - /usr/sbin/nginx -s reload + nginx -s reload if [ $? -eq 0 ] ; then echo "[*] Reload successfull" else @@ -91,13 +91,8 @@ else echo "[*] Skipping configuration process" fi -# fix nginx configs rights (and modules through the symlink) -chown -R root:nginx /etc/nginx/ -chmod -R 740 /etc/nginx/ -find /etc/nginx -type d -exec chmod 750 {} \; - # start rsyslogd -rsyslogd +rsyslogd -i /tmp/rsyslogd.pid # start crond crond @@ -117,7 +112,7 @@ fi # run nginx echo "[*] Running nginx ..." -su -s "/usr/sbin/nginx" nginx +nginx if [ "$?" -eq 0 ] ; then echo "[*] nginx successfully started !" else diff --git a/entrypoint/fail2ban.sh b/entrypoint/fail2ban.sh index 3e73c37..12382f2 100644 --- a/entrypoint/fail2ban.sh +++ b/entrypoint/fail2ban.sh 
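Review bot: The clamav jobs now run from the nginx crontab, but nothing in this commit prepares the paths they need for a non-root user: prepare.sh only fixes ownership of the `/var/log/*.log` files that exist at build time and does not touch `/var/lib/clamav`, so `freshclam` will most likely be unable to write its database and the `> /dev/null 2>&1` on both the background run and the cron line hides that. Consider logging freshclam to the prepared `/var/log/jobs.log` instead of `/dev/null`, and adding `/var/lib/clamav` and `/var/log/clamav.log` to prepare.sh. `clamscan -r --remove /` under the nginx uid can only remove files that user can write, which after prepare.sh is mainly the nginx configuration tree, so a false positive would now hit configuration rather than arbitrary files; if that is the accepted trade-off, a comment should say so.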
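Review bot: `rsyslogd -i /tmp/rsyslogd.pid` and the existing `/tmp/nginx.pid` check put pid files in a world-writable shared directory; now that the processes are unprivileged, any other process in the container able to write `/tmp` can pre-create or replace those names. A dedicated runtime directory owned by nginx, created in prepare.sh (for example a `/var/run/nginx` with mode 750), would be the usual fix for both pid files. `crond` is started unchanged and therefore runs as nginx too; that it can read `/etc/crontabs/` and execute the nginx crontab should be verified. `trap_reload` begins and ends outside the first hunk.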
@@ -8,7 +8,6 @@ # fail2ban setup if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then - rm -rf /etc/fail2ban/jail.d/*.conf cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index 9c8aab4..bcbd142 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh @@ -9,9 +9,6 @@ # copy stub confs cp /opt/confs/global/* /etc/nginx/ -# remove cron jobs -echo "" > /etc/crontabs/root - # install additional modules if needed if [ "$ADDITIONAL_MODULES" != "" ] ; then apk add $ADDITIONAL_MODULES @@ -53,7 +50,6 @@ if [ "$MULTISITE" = "yes" ] ; then replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "" fi openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" - chmod +r /etc/nginx/default-key.pem if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;" else 
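Review bot: Removing `echo "" > /etc/crontabs/root` drops the only step that emptied the crontab before the scripts append to it, and no equivalent is added for `/etc/crontabs/nginx`, which prepare.sh creates once at build time. Every later start of the same container (clamav.sh, logs.sh and the remaining global-config.sh hunks all use `>> /etc/crontabs/nginx`) appends the jobs again, so after N restarts each job runs N times. The file is `660 root:nginx`, so the nginx user can truncate it itself: `: > /etc/crontabs/nginx` where the removed line stood. The `chmod +r` removals in this file look intentional for keys that are now generated by the nginx user.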
@@ -92,14 +88,13 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then /opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT" fi fi - echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root + echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx fi # self-signed certificate if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then mkdir /etc/nginx/self-signed-ssl/ openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" - chmod +r /etc/nginx/self-signed-ssl/key.pem fi # country ban/whitelist @@ -112,7 +107,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes" replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;" fi - echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root + echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx if [ -f "/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb @@ -127,7 +122,7 @@ fi # block bad UA if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;" - echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root + echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx if [ -f "/cache/map-user-agent.conf" ] ; then echo "[*] Copying cached map-user-agent.conf ..." cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf 
@@ -142,7 +137,7 @@ fi # block bad refferer if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;" - echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root + echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx if [ -f "/cache/map-referrer.conf" ] ; then echo "[*] Copying cached map-referrer.conf ..." cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf @@ -156,7 +151,7 @@ fi # block TOR exit nodes if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then - echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root + echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx if [ -f "/cache/block-tor-exit-node.conf" ] ; then echo "[*] Copying cached block-tor-exit-node.conf ..." cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf @@ -168,7 +163,7 @@ fi # block proxies if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then - echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root + echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx if [ -f "/cache/block-proxies.conf" ] ; then echo "[*] Copying cached block-proxies.conf ..." cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf @@ -180,7 +175,7 @@ fi # block abusers if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then - echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root + echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx if [ -f "/cache/block-abusers.conf" ] ; then echo "[*] Copying cached block-abusers.conf ..." cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf diff --git a/entrypoint/logs.sh b/entrypoint/logs.sh index 8543fba..0aa5080 100644 --- a/entrypoint/logs.sh +++ b/entrypoint/logs.sh 
@@ -7,8 +7,8 @@ . /opt/entrypoint/utils.sh # copy stub confs -cp /opt/logs/rsyslog.conf /etc/rsyslog.conf -cp /opt/logs/logrotate.conf /etc/logrotate.conf +cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf +cat /opt/logs/logrotate.conf > /etc/logrotate.conf # create empty logs touch /var/log/access.log @@ -18,4 +18,4 @@ touch /var/log/jobs.log # setup logrotate replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE" replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE" -echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root +echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx diff --git a/entrypoint/multisite-config.sh b/entrypoint/multisite-config.sh index 7313c89..32de77f 100644 --- a/entrypoint/multisite-config.sh +++ b/entrypoint/multisite-config.sh @@ -6,11 +6,6 @@ # load some functions . /opt/entrypoint/utils.sh -# fix nginx configs rights (and modules through the symlink) -chown -R root:nginx /etc/nginx/ -chmod -R 740 /etc/nginx/ -find /etc/nginx -type d -exec chmod 750 {} \; - if [ "$MULTISITE" = "yes" ] ; then servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4) for server in $servers ; do @@ -30,7 +25,7 @@ if [ "$MULTISITE" = "yes" ] ; then modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n" fi replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom" - if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then + if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then modsec_crs_custom="" if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then modsec_crs_custom="include /modsec-crs-confs/*.conf\n" diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index f54d6de..af024e1 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh 
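Review bot: The reason for switching `cp` to `cat … >` is not stated and is not obvious: presumably it is to keep the destination's build-time `root:nginx 660` owner and mode now that the script runs unprivileged and cannot chown, but plain `cp` onto an existing file also rewrites it in place, so if a different behaviour was observed the comment should capture it. Suggested comment above the two lines: `# overwrite in place; we run as nginx and must keep the owner/mode set in prepare.sh`. If `/etc/rsyslog.conf` is ever absent, `cat >` creates it owned by nginx rather than failing, which is probably acceptable but worth knowing.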
@@ -385,7 +385,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom" fi if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf" + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf" if [ "$MULTISITE" != "yes" ] ; then modsec_crs_custom="" if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then @@ -393,7 +393,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then fi replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom" fi - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf" + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf" else replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh index c6823f5..3cb3f36 100644 --- a/entrypoint/utils.sh +++ b/entrypoint/utils.sh @@ -5,7 +5,9 @@ function replace_in_file() { # escape slashes pattern=$(echo "$2" | sed "s/\//\\\\\//g") replace=$(echo "$3" | sed "s/\//\\\\\//g") - sed -i "s/$pattern/$replace/g" "$1" + sed "s/$pattern/$replace/g" "$1" > /tmp/sed + cat /tmp/sed > "$1" + rm /tmp/sed } # convert space separated values to LUA diff --git a/logs/rsyslog.conf b/logs/rsyslog.conf index e760709..b529034 100644 --- a/logs/rsyslog.conf +++ b/logs/rsyslog.conf 
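Review bot: `/tmp/sed` is a fixed, predictable name in a world-writable directory shared by every caller of `replace_in_file`, so two concurrent invocations (the cron scripts scheduled in global-config.sh run independently of the start-up scripts) overwrite each other's temporary file and corrupt the target, and any process that can write `/tmp` can plant a symlink or content at that path before the redirect. Use a per-call temporary file: `tmp=$(mktemp) || return 1`, `sed "s/$pattern/$replace/g" "$1" > "$tmp" && cat "$tmp" > "$1"`, `rm -f "$tmp"`. The reason `sed -i` was dropped, presumably that it renames a new file into place and would change the target's owner and mode now that the caller is unprivileged, deserves a comment. Only `/` is escaped in the pattern and replacement; `&` and `\` are still interpreted by sed, which is pre-existing but worth a TODO.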
@@ -4,11 +4,11 @@ $WorkDirectory /var/lib/rsyslog # Sets default permissions for all log files. -$FileOwner root -$FileGroup root -$FileCreateMode 0600 -$DirCreateMode 0700 -$Umask 0077 +$FileOwner nginx +$FileGroup nginx +$FileCreateMode 0660 +$DirCreateMode 0770 +$Umask 0007 # Include all config files in /etc/rsyslog.d/. include(file="/etc/rsyslog.d/*.conf" mode="optional") @@ -16,10 +16,10 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional") #### Modules #### # Provides --MARK-- message capability. -module(load="immark") +#module(load="immark") # Provides support for local system logging (e.g. via logger command). -module(load="imuxsock") +module(load="imuxsock" SysSock.Name="/tmp/log") # Nginx $template rawFormat,"%msg:2:2048%\n" diff --git a/prepare.sh b/prepare.sh index 253631e..8a1a42f 100644 --- a/prepare.sh +++ b/prepare.sh 
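Review bot: `SysSock.Name="/tmp/log"` places the syslog input socket in a world-writable directory; with rsyslogd now unprivileged, any process in the container that can write `/tmp` can pre-create or replace that path and receive or drop the log traffic. A socket under a directory owned by nginx (for instance a runtime directory created in prepare.sh) avoids this, and the nginx side has to point at the same path; that configuration change is not in this diff, so confirm it exists. With `$FileOwner nginx` and `0660`, the log files are writable by the same identity that serves requests, so log integrity now depends on shipping them off the container; a comment next to these lines stating that trade-off would help. Commenting out `immark` silently drops the periodic MARK heartbeat; if intentional, say why.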
@@ -3,18 +3,65 @@ # install dependencies apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli -# make scripts executable -chmod +x /opt/entrypoint/* /opt/scripts/* +# custom entrypoint mkdir /opt/entrypoint.d -# log files/folders rights +# prepare /opt +chown -R root:nginx /opt +find /opt -type f -exec chmod 0740 {} \; +find /opt -type d -exec chmod 0750 {} \; +chmod ugo+x /opt/entrypoint/* /opt/scripts/* +chmod 770 /opt + +# prepare /etc/nginx +chown -R root:nginx /etc/nginx +chmod -R 770 /etc/nginx + +# prepare /var/log rm -f /var/log/nginx/* chown root:nginx /var/log/nginx -chmod 750 /var/log/nginx touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log -chown nginx:nginx /var/log/nginx/*.log +chown nginx:nginx /var/log/nginx/* +chmod -R 770 /var/log/nginx +touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log +chown nginx:nginx /var/log/*.log +chmod 770 /var/log/*.log -# let's encrypt webroot +# prepare /acme-challenge mkdir /acme-challenge chown root:nginx /acme-challenge -chmod 750 /acme-challenge +chmod 770 /acme-challenge + +# prepare /etc/letsencrypt +mkdir /etc/letsencrypt +chown root:nginx /etc/letsencrypt +chmod 770 /etc/letsencrypt + +# prepare /etc/fail2ban +rm -rf /etc/fail2ban/jail.d/*.conf +chown -R root:nginx /etc/fail2ban +find /etc/fail2ban -type f -exec chmod 0760 {} \; +find /etc/fail2ban -type d -exec chmod 0770 {} \; + +# prepare /var/run/fail2ban and /var/lib/fail2ban +chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban +chmod -R 770 /var/run/fail2ban /var/lib/fail2ban + +# prepare /usr/local/lib/lua +chown root:nginx /usr/local/lib/lua +chmod 770 /usr/local/lib/lua + +# prepare /cache +mkdir /cache +chown root:nginx /cache +chmod 770 /cache + +# prepare misc files +chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf +chmod 660 /etc/rsyslog.conf /etc/logrotate.conf +chown 
root:nginx /etc/rsyslog.conf + +# prepare /etc/crontabs/nginx +touch /etc/crontabs/nginx +chown root:nginx /etc/crontabs/nginx +chmod 660 /etc/crontabs/nginx
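Review bot: `chmod -R 770 /etc/nginx` and `chmod 770 /usr/local/lib/lua` make the whole configuration tree and the Lua modules loaded by nginx writable by the nginx group, the same identity the workers now run as, so a compromised worker could alter configuration or Lua code and have it picked up on the next reload; `chmod 770 /opt` additionally lets that user rename or replace `/opt/entrypoint`, `/opt/scripts` and `/opt/owasp` despite their 0740/0750 children. Consider 750 for `/opt` and `/usr/local/lib/lua` unless a runtime job is known to write there, and group-write inside `/etc/nginx` only on the files the entrypoint and cron scripts actually regenerate. Minor points: `chown root:nginx /etc/rsyslog.conf` is repeated two lines after it is already done, and `chmod 770 /var/log/*.log` / `chmod -R 770 /var/log/nginx` set execute bits on log files where 660 is enough. A header comment stating the model (`# everything runs as the nginx user; root:nginx with group-write marks what the runtime is allowed to modify`) would make later permission changes reviewable.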