diff --git a/Dockerfile b/Dockerfile
index d6c69d4..80d6cb4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
 RUN apk add "curl>=7.77.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 67f0691..63bb194 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
 RUN apk add "curl>=7.77.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 44a3cae..78fa778 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
 RUN apk add "curl>=7.77.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 50cc64a..34dda35 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
 RUN apk add "curl>=7.77.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 7000610..b30d01b 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
 RUN apk add "curl>=7.77.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 EXPOSE 8080/tcp 8443/tcp
diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf
index ed95133..7fa9348 100644
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@@ -1,14 +1,15 @@
 init_by_lua_block {
-local dataloader = require "dataloader"
-local logger = require "logger"
+local dataloader = require "dataloader"
+local logger = require "logger"
+local cjson = require "cjson"
-local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
-local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
+local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
+local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
 local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
 local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
-local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
-local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
+local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
+local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
 if use_proxies then
 dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@@ -40,4 +41,32 @@ if use_crowdsec then
 logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
 end
+-- Load plugins
+ngx.shared.plugins_data:safe_set("plugins", nil, 0)
+local p = io.popen("find /plugins -maxdepth 1 -type d ! -path /plugins")
+for dir in p:lines() do
+ -- read JSON
+ local file = io.open(dir .. "/plugin.json")
+ if file then
+ -- store settings
+ local data = cjson.decode(file:read("*a"))
+ for k, v in pairs(data.settings) do
+ ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
+ end
+ file:close()
+ -- store plugin
+ local plugins, flags = ngx.shared.plugins_data:get("plugins")
+ if plugins == nil then
+ ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
+ else
+ ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+ end
+ logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
+ else
+ logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
+ end
+
+end
+p:close()
+
 }
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 554d104..41b199c 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -78,7 +78,7 @@ http {
 port_in_redirect off;
 # lua path and dicts
- lua_package_path "/usr/local/lib/lua/?.lua;;";
+ lua_package_path "/usr/local/lib/lua/?.lua;/plugins/?.lua;;";
 {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
 {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
 {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
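Review bot: `cjson.decode(file:read("*a"))` and the `pairs(data.settings)` / `data.id` accesses that follow it are unprotected, so one malformed or incomplete plugin.json raises inside init_by_lua_block and nginx fails to start instead of skipping that plugin. Wrap the decode in `pcall` and check that `data.id` and `data.settings` have the expected types before storing anything; `data.name` and `data.version` in the success log should go through `tostring()` for the same reason, and `io.popen` can return nil, so `p:lines()` deserves a guard too. `data.id` becomes both a shared-dict key prefix and, in main-lua.conf, a `require()` path recovered by tokenising the `plugins` string on `%w+`, so an id containing `-`, `.` or `/` is stored here but later split or resolved to a different path — reject ids that do not match `^%w+$` at load time. Shared-dict values are presumably limited to strings, numbers and booleans (confirm against the lua-nginx-module version in use), in which case a nested JSON `settings` entry would also abort startup at `safe_set`. The enclosing init_by_lua_block opens outside this hunk.
```lua
for dir in p:lines() do
	local file = io.open(dir .. "/plugin.json")
	if file then
		local raw = file:read("*a")
		file:close()
		local ok, data = pcall(cjson.decode, raw)
		-- the id is reused as a shared-dict key prefix and as a require() path, so it
		-- must survive the "%w+" tokenisation done in main-lua.conf unchanged
		if not ok then
			logger.log(ngx.ERR, "PLUGINS", "Can't parse " .. dir .. "/plugin.json: " .. tostring(data))
		elseif type(data) ~= "table" or type(data.id) ~= "string" or not data.id:match("^%w+$") or type(data.settings) ~= "table" then
			logger.log(ngx.ERR, "PLUGINS", "Invalid " .. dir .. "/plugin.json: missing or malformed id/settings")
		else
			-- … unchanged: store settings, append data.id to "plugins", log success …
		end
	else
		logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
	end
end
```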
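Review bot: The new `/plugins/?.lua` search-path entry is what ties the plugin directory layout to the per-request loader, but nothing on this line says what file a plugin must provide; main-lua.conf requires `<id>/<id>`, which this template resolves to `/plugins/<id>/<id>.lua`. Add a comment above `lua_package_path` so the layout is discoverable from the config: `# plugins are loaded as /plugins/<id>/<id>.lua (required as "<id>/<id>" from main-lua.conf)`.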
@@ -93,6 +93,7 @@ http {
 {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
 {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
 {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
+ lua_shared_dict plugins_data 10m;
 # shared memory zone for limit_req
 {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 2f54146..d30c183 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -291,6 +291,15 @@ if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
 end
 end
+-- plugins check
+local plugins, flags = ngx.shared.plugins_data:get("plugins")
+if plugins ~= nil then
+ for plugin_id in string.gmatch(plugins, "%w+") do
+ local plugin = require(plugin_id .. "/" .. plugin_id)
+ plugin.check()
+ end
+end
+
 ngx.exit(ngx.OK)
 }
diff --git a/prepare.sh b/prepare.sh
index 96fcc3a..af31f21 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -65,3 +65,8 @@ chmod 770 /cache
 # prepare /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
 chmod 440 /etc/crontabs/nginx
+
+# prepare /plugins
+mkdir /plugins
+chown root:nginx /plugins
+chmod 770 /plugins
\ No newline at end of file
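Review bot: `require(plugin_id .. "/" .. plugin_id)` and `plugin.check()` run unprotected on every request, so a plugin whose module is missing, fails to compile, or does not export `check` turns every request into a Lua error instead of a logged, skipped plugin. Guard the load with `pcall(require, …)` and verify `plugin.check` is a function before calling it; `check()` itself is left outside `pcall` here because the `ngx.exit(ngx.OK)` after the loop shows a plugin is expected to terminate the request from inside `check()` when it wants to block, and wrapping that in `pcall` is not a drop-in change (confirm against the lua-nginx-module docs). The `%w+` tokenisation also silently splits any id containing `-` or `_`, which only works if the loader in init-lua.conf rejects such ids (raised on that hunk), and `flags` is unused. Add a comment above the loop stating the contract, e.g. `-- each plugin module exports check(); it must call ngx.exit itself to block the request, otherwise processing falls through to ngx.exit(ngx.OK) below`. The enclosing Lua block begins outside this hunk.
```lua
for plugin_id in string.gmatch(plugins, "%w+") do
	local ok, plugin = pcall(require, plugin_id .. "/" .. plugin_id)
	if ok and type(plugin) == "table" and type(plugin.check) == "function" then
		plugin.check()
	else
		ngx.log(ngx.ERR, "[PLUGINS] can't load plugin " .. plugin_id .. ": " .. tostring(plugin))
	end
end
```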
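Review bot: `chmod 770 /plugins` makes the directory group-writable for nginx, yet its contents are Lua modules that the workers `require` on every request (main-lua.conf), so anything running as the nginx user could place code there that is then executed — unlike the data under /cache that the preceding lines treat the same way. If plugins are provisioned by the operator through the image or the new VOLUME rather than written by nginx at runtime, `chmod 750 /plugins` (traverse and read for the group, write for root only) is sufficient and matches the read-only treatment `/etc/crontabs/nginx` gets just above. `mkdir /plugins` also fails if the directory already exists; `mkdir -p /plugins` is the usual form for a prepare script that may be re-run.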