Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

plugins - started basic plugin system

Browse Source
This commit is contained in:
bunkerity 2021-06-04 17:42:34 +02:00
parent 62217a3210
commit 388fc1a0e8
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
9 changed files with 56 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0" RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp EXPOSE 8080/tcp 8443/tcp

2
Dockerfile-amd64
View File

@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0" RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp EXPOSE 8080/tcp 8443/tcp

2
Dockerfile-arm32v7
View File

@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0" RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp EXPOSE 8080/tcp 8443/tcp

2
Dockerfile-arm64v8
View File

@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0" RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp EXPOSE 8080/tcp 8443/tcp

2
Dockerfile-i386
View File

@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897 # Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0" RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp EXPOSE 8080/tcp 8443/tcp

41
confs/global/init-lua.conf
View File

@ -1,14 +1,15 @@
init_by_lua_block { init_by_lua_block {
local dataloader = require "dataloader" local dataloader = require "dataloader"
local logger = require "logger" local logger = require "logger"
local cjson = require "cjson"
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %} local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %} local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %} local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %} local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %} local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %} local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
if use_proxies then if use_proxies then
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@ -40,4 +41,32 @@ if use_crowdsec then
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done") logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
end end
-- Load plugins
ngx.shared.plugins_data:safe_set("plugins", nil, 0)
local p = io.popen("find /plugins -maxdepth 1 -type d ! -path /plugins")
for dir in p:lines() do
-- read JSON
local file = io.open(dir .. "/plugin.json")
if file then
-- store settings
local data = cjson.decode(file:read("*a"))
for k, v in pairs(data.settings) do
ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
end
file:close()
-- store plugin
local plugins, flags = ngx.shared.plugins_data:get("plugins")
if plugins == nil then
ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
else
ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
end
logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
else
logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
end
end
p:close()
} }

3
confs/global/nginx.conf
View File

@ -78,7 +78,7 @@ http {
port_in_redirect off; port_in_redirect off;
# lua path and dicts # lua path and dicts
lua_package_path "/usr/local/lib/lua/?.lua;;"; lua_package_path "/usr/local/lib/lua/?.lua;/plugins/?.lua;;";
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %} {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %} {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %} {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
@ -93,6 +93,7 @@ http {
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %} {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %} {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %} {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
lua_shared_dict plugins_data 10m;
# shared memory zone for limit_req # shared memory zone for limit_req
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %} {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}

9
confs/site/main-lua.conf
View File

@ -291,6 +291,15 @@ if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
end end
end end
-- plugins check
local plugins, flags = ngx.shared.plugins_data:get("plugins")
if plugins ~= nil then
for plugin_id in string.gmatch(plugins, "%w+") do
local plugin = require(plugin_id .. "/" .. plugin_id)
plugin.check()
end
end
ngx.exit(ngx.OK) ngx.exit(ngx.OK)
} }

5
prepare.sh
View File

@ -65,3 +65,8 @@ chmod 770 /cache
# prepare /etc/crontabs/nginx # prepare /etc/crontabs/nginx
chown root:nginx /etc/crontabs/nginx chown root:nginx /etc/crontabs/nginx
chmod 440 /etc/crontabs/nginx chmod 440 /etc/crontabs/nginx
# prepare /plugins
mkdir /plugins
chown root:nginx /plugins
chmod 770 /plugins