diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 028b3e5..bdcaa63 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -26,7 +26,7 @@ if [ "$MULTISITE" = "yes" ] ; then
 done
 for var in $(cut -d '=' -f 1 "${NGINX_PREFIX}nginx.env") ; do
 name=$(echo "$var")
- check=$(echo "$name" | grep "^$1_")
+ check=$(echo "$name" | grep "^${1}_")
 if [ "$check" != "" ] ; then
 repl_name=$(echo "$name" | sed "s~${1}_~~")
 repl_value=$(env | grep -E "^${name}=" | sed "s~^${name}=~~")
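Review bot: The rewritten `check=$(echo "$name" | grep "^${1}_")` still uses the site name `$1` as an unescaped regular expression, so a site such as `app1.website.com` matches any character where it has a `.`, and the unchanged `sed "s~${1}_~~"` two lines below strips the first occurrence of that pattern anywhere in the variable name rather than only the leading prefix. A plain string prefix test needs no regex at all: `case "$name" in "${1}_"*) check=yes ;; *) check= ;; esac` together with `repl_name=${name#"${1}_"}`. The `if [ "$MULTISITE" = "yes" ]` block that encloses this loop starts before the hunk, so I cannot see how `$1` is validated on entry.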
@@ -60,38 +60,34 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
 i=1
- for var in $(compgen -e) ; do
- check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
- check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
- if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
- name=$(echo "$var")
- value=$(echo "${!var}")
- host=$(echo "$name" | sed "s/URL/HOST/")
- host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
- custom_headers=$(echo "$name" | sed "s/URL/HEADERS/")
- custom_headers_value=$(env | grep "^${host}=" | sed "s/${host}=//")
- ws=$(echo "$name" | sed "s/URL/WS/")
- ws_value=$(env | grep "^${ws}=" | sed "s/${ws}=//")
- cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
- if [ "$custom_headers_value" != "" ] ; then
- IFS_=$IFS
- IFS=';'
- for header_value in $(echo "$custom_headers_value") ; do
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
- done
- IFS=$IFS_
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
- fi
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
- if [ "$ws_value" = "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
- else
- replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
- fi
- i=$(($i + 1))
+ for var in $(set | cut -d '=' -f 1 | grep "^REVERSE_PROXY_URL") ; do
+ url=$(echo "$var")
+ url_value=$(echo "${!var}")
+ host=$(echo "$var" | sed "s/URL/HOST/")
+ host_value=$(echo "${!host}")
+ custom_headers=$(echo "$var" | sed "s/URL/HEADERS/")
+ custom_headers_value=$(echo "${!custom_headers}")
+ ws=$(echo "$var" | sed "s/URL/WS/")
+ ws_value=$(echo "${!ws}")
+ cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value"
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
+ if [ "$custom_headers_value" != "" ] ; then
+ IFS_=$IFS
+ IFS=';'
+ for header_value in $(echo "$custom_headers_value") ; do
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
+ done
+ IFS=$IFS_
 fi
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
+ if [ "$ws_value" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
+ else
+ replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
+ fi
+ i=$(($i + 1))
 done
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
 else
diff --git a/examples/swarm/stack.yml b/examples/swarm/stack.yml
new file mode 100644
index 0000000..8167891
--- /dev/null
+++ b/examples/swarm/stack.yml
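Review bot: `$url_value`, `$host_value` and each `;`-separated `$header_value` are written verbatim into `reverse-proxy-${i}.conf` by the `replace_in_file` calls and the `more_set_headers $header_value;` template, and the Swarm example added in this same commit sources those variables from service labels, so a label value containing a newline, `;` or `#` can inject arbitrary directives into the generated nginx block; nothing in the new loop validates them. A minimal guard before the `cp` line would be `case "$url_value$host_value" in *[$';#\n']*) echo "invalid REVERSE_PROXY value in $var" >&2 ; continue ;; esac`, with a similar newline check on `$custom_headers_value` since `;` is its legitimate separator. Two smaller points: `url=$(echo "$var")` is assigned but never read in the new code, and `compgen -v | grep "^REVERSE_PROXY_URL"` lists only variable names whereas `set | cut -d '=' -f 1` also emits function definition lines that happen to be filtered out only by the grep. The `if [ "$USE_REVERSE_PROXY" = "yes" ]` branch continues past the hunk's trailing `else`.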
@@ -0,0 +1,97 @@ +version: '3.8' + +services: + + autoconf: + image: bunkerity/bunkerized-nginx-autoconf + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /shared/confs:/etc/nginx + - /shared/letsencrypt:/etc/letsencrypt + - /shared/acme-challenge:/acme-challenge + environment: + - SWARM_MODE=yes + - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx + networks: + - net_config + deploy: + replicas: 1 + placement: + constraints: + - "node.role==manager" + + nginx: + image: bunkerity/bunkerized-nginx + ports: + - published: 80 + target: 8080 + mode: host + protocol: tcp + - published: 443 + target: 8443 + mode: host + protocol: tcp + volumes: + - /shared/confs:/etc/nginx:ro + - /shared/letsencrypt:/etc/letsencrypt:ro + - /shared/acme-challenge:/acme-challenge:ro + - /shared/www:/www:ro + environment: + - SWARM_MODE=yes + - USE_API=yes + - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf + - MULTISITE=yes + - SERVER_NAME= + - AUTO_LETS_ENCRYPT=yes + - REDIRECT_HTTP_TO_HTTPS=yes + - DISABLE_DEFAULT_SERVER=yes + networks: + - net_config + - net_services + deploy: + mode: global + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.AUTOCONF" + + app1: + image: php:fpm-alpine + volumes: + - /shared/www/app1.website.com:/www + networks: + - net_services + deploy: + replicas: 1 + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.SERVER_NAME=app1.website.com" + - "bunkerized-nginx.REMOTE_PHP=php" + - "bunkerized-nginx.REMOTE_PHP_PATH=/www" + + app2: + image: phpmyadmin:apache + environment: + - PMA_ARBITRARY=1 + - PMA_ABSOLUTE_URI=https://app2.website.com + networks: + - net_services + deploy: + replicas: 1 + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.SERVER_NAME=app2.website.com" + - "bunkerized-nginx.USE_REVERSE_PROXY=yes" + - "bunkerized-nginx.REVERSE_PROXY_URL=/" + - 
"bunkerized-nginx.REVERSE_PROXY_HOST=http://app2" + +networks: + net_config: + driver: overlay + net_services: + driver: overlay diff --git a/ui/Dockerfile b/ui/Dockerfile index 537cc2b..8ad0c06 100644 --- a/ui/Dockerfile +++ b/ui/Dockerfile @@ -10,9 +10,6 @@ COPY entrypoint/* /opt/entrypoint/ COPY ui/ /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" - VOLUME /etc/nginx EXPOSE 5000 diff --git a/ui/Dockerfile-amd64 b/ui/Dockerfile-amd64 index 42d0890..aa06df5 100644 --- a/ui/Dockerfile-amd64 +++ b/ui/Dockerfile-amd64 @@ -10,9 +10,6 @@ COPY entrypoint/* /opt/entrypoint/ COPY ui/ /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" - VOLUME /etc/nginx EXPOSE 5000 diff --git a/ui/Dockerfile-arm32v7 b/ui/Dockerfile-arm32v7 index fcfe520..646e93c 100644 --- a/ui/Dockerfile-arm32v7 +++ b/ui/Dockerfile-arm32v7 @@ -17,9 +17,6 @@ COPY entrypoint/* /opt/entrypoint/ COPY ui/ /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" - VOLUME /etc/nginx EXPOSE 5000 diff --git a/ui/Dockerfile-arm64v8 b/ui/Dockerfile-arm64v8 index b094112..859f0d0 100644 --- a/ui/Dockerfile-arm64v8 +++ b/ui/Dockerfile-arm64v8 @@ -17,9 +17,6 @@ COPY entrypoint/* /opt/entrypoint/ COPY ui/ /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" - VOLUME /etc/nginx EXPOSE 5000 diff --git a/ui/Dockerfile-i386 b/ui/Dockerfile-i386 index ec60ddd..53471b4 100644 --- a/ui/Dockerfile-i386 +++ b/ui/Dockerfile-i386 
@@ -10,9 +10,6 @@ COPY entrypoint/* /opt/entrypoint/ COPY ui/ /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" - VOLUME /etc/nginx EXPOSE 5000