init work on disabling root processes

entrypoint/clamav.sh

@@ -10,12 +10,12 @@
 if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
-	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
+	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
-        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
+        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
         else
-		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
+		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
         fi
 fi

entrypoint/entrypoint.sh

@@ -35,7 +35,7 @@ function trap_reload() {
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
-		/usr/sbin/nginx -s reload
+		nginx -s reload
 		if [ $? -eq 0 ] ; then
 			echo "[*] Reload successfull"
 		else
@@ -91,13 +91,8 @@ else
 	echo "[*] Skipping configuration process"
 fi
 
-# fix nginx configs rights (and modules through the symlink)
-chown -R root:nginx /etc/nginx/
-chmod -R 740 /etc/nginx/
-find /etc/nginx -type d -exec chmod 750 {} \;
-
 # start rsyslogd
-rsyslogd
+rsyslogd -i /tmp/rsyslogd.pid
 
 # start crond
 crond
@@ -117,7 +112,7 @@ fi
 
 # run nginx
 echo "[*] Running nginx ..."
-su -s "/usr/sbin/nginx" nginx
+nginx
 if [ "$?" -eq 0 ] ; then
 	echo "[*] nginx successfully started !"
 else

entrypoint/fail2ban.sh

@@ -8,7 +8,6 @@
 
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
-	rm -rf /etc/fail2ban/jail.d/*.conf
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local

entrypoint/global-config.sh

@@ -9,9 +9,6 @@
 # copy stub confs
 cp /opt/confs/global/* /etc/nginx/
 
-# remove cron jobs
-echo "" > /etc/crontabs/root
-
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
@@ -53,7 +50,6 @@ if [ "$MULTISITE" = "yes" ] ; then
 			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
 		fi
 		openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-		chmod +r /etc/nginx/default-key.pem
 		if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
 			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
 		else
@@ -92,14 +88,13 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 			/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
 		fi
 	fi
-	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
+	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 
 # self-signed certificate
 if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	mkdir /etc/nginx/self-signed-ssl/
         openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-	chmod +r /etc/nginx/self-signed-ssl/key.pem
 fi
 
 # country ban/whitelist
@@ -112,7 +107,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
 		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
 	fi
-	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root
+	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
@@ -127,7 +122,7 @@ fi
 # block bad UA
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
-	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root
+	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-user-agent.conf" ] ; then
 		echo "[*] Copying cached map-user-agent.conf ..."
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
@@ -142,7 +137,7 @@ fi
 # block bad refferer
 if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
-	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-referrer.conf" ] ; then
 		echo "[*] Copying cached map-referrer.conf ..."
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
@@ -156,7 +151,7 @@ fi
 
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
-	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
+	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
 		echo "[*] Copying cached block-tor-exit-node.conf ..."
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
@@ -168,7 +163,7 @@ fi
 
 # block proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
-	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root
+	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-proxies.conf" ] ; then
 		echo "[*] Copying cached block-proxies.conf ..."
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
@@ -180,7 +175,7 @@ fi
 
 # block abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
-	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-abusers.conf" ] ; then
 		echo "[*] Copying cached block-abusers.conf ..."
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf

entrypoint/logs.sh

@@ -7,8 +7,8 @@
 . /opt/entrypoint/utils.sh
 
 # copy stub confs
-cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
-cp /opt/logs/logrotate.conf /etc/logrotate.conf
+cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
+cat /opt/logs/logrotate.conf > /etc/logrotate.conf
 
 # create empty logs
 touch /var/log/access.log
@@ -18,4 +18,4 @@ touch /var/log/jobs.log
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
-echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
+echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx

entrypoint/multisite-config.sh

@@ -6,11 +6,6 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
-# fix nginx configs rights (and modules through the symlink)
-chown -R root:nginx /etc/nginx/
-chmod -R 740 /etc/nginx/
-find /etc/nginx -type d -exec chmod 750 {} \;
-
 if [ "$MULTISITE" = "yes" ] ; then
 	servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
 	for server in $servers ; do
@@ -30,7 +25,7 @@ if [ "$MULTISITE" = "yes" ] ; then
 				modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
 			fi
 			replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
-			if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
+			if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
 				modsec_crs_custom=""
 				if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 					modsec_crs_custom="include /modsec-crs-confs/*.conf\n"

entrypoint/site-config.sh

@@ -385,7 +385,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
 	fi
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
 		if [ "$MULTISITE" != "yes" ] ; then
 			modsec_crs_custom=""
 			if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
@@ -393,7 +393,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 			fi
 			replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
 		fi
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
 	else
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""

entrypoint/utils.sh

@@ -5,7 +5,9 @@ function replace_in_file() {
 	# escape slashes
 	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
 	replace=$(echo "$3" | sed "s/\//\\\\\//g")
-	sed -i "s/$pattern/$replace/g" "$1"
+	sed "s/$pattern/$replace/g" "$1" > /tmp/sed
+	cat /tmp/sed > "$1"
+	rm /tmp/sed
 }
 
 # convert space separated values to LUA