diff --git a/Dockerfile b/Dockerfile index 5402106..2d9c982 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \ /tmp/install.sh && \ rm -rf /tmp/* -COPY entrypoint.sh /opt/entrypoint.sh +COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY fail2ban/ /opt/fail2ban @@ -20,7 +20,7 @@ COPY lua/ /opt/lua COPY crowdsec/ /opt/crowdsec RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ - chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + chmod +x /opt/entrypoint/* /opt/scripts/* && \ mkdir /opt/entrypoint.d && \ rm -f /var/log/nginx/* && \ chown root:nginx /var/log/nginx && \ @@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs EXPOSE 8080/tcp 8443/tcp -ENTRYPOINT ["/opt/entrypoint.sh"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 988ef74..00b3999 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \ /tmp/install.sh && \ rm -rf /tmp/* -COPY entrypoint.sh /opt/entrypoint.sh +COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY fail2ban/ /opt/fail2ban @@ -20,7 +20,7 @@ COPY lua/ /opt/lua COPY crowdsec/ /opt/crowdsec RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ - chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + chmod +x /opt/entrypoint/* /opt/scripts/* && \ mkdir /opt/entrypoint.d && \ rm -f /var/log/nginx/* && \ chown root:nginx /var/log/nginx && \ @@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs EXPOSE 8080/tcp 8443/tcp -ENTRYPOINT ["/opt/entrypoint.sh"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index 0c4a531..3a3bc85 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -18,7 +18,7 @@ RUN chmod +x /tmp/install.sh && \ /tmp/install.sh && \ rm -rf /tmp/* -COPY entrypoint.sh /opt/entrypoint.sh +COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY fail2ban/ /opt/fail2ban @@ -27,7 +27,7 @@ COPY lua/ /opt/lua COPY crowdsec/ /opt/crowdsec RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ - chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + chmod +x /opt/entrypoint/* /opt/scripts/* && \ mkdir /opt/entrypoint.d && \ rm -f /var/log/nginx/* && \ chown root:nginx /var/log/nginx && \ @@ -39,4 +39,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs EXPOSE 8080/tcp 8443/tcp -ENTRYPOINT ["/opt/entrypoint.sh"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 0386ea4..41d12e9 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -18,7 +18,7 @@ RUN chmod +x /tmp/install.sh && \ /tmp/install.sh && \ rm -rf /tmp/* -COPY entrypoint.sh /opt/entrypoint.sh +COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY fail2ban/ /opt/fail2ban @@ -27,7 +27,7 @@ COPY lua/ /opt/lua COPY crowdsec/ /opt/crowdsec RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ - chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + chmod +x /opt/entrypoint/* /opt/scripts/* && \ mkdir /opt/entrypoint.d && \ rm -f /var/log/nginx/* && \ chown root:nginx /var/log/nginx && \ @@ -39,4 +39,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs EXPOSE 8080/tcp 8443/tcp -ENTRYPOINT ["/opt/entrypoint.sh"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/Dockerfile-i386 b/Dockerfile-i386 index c37c024..6620ad4 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \ /tmp/install.sh && \ rm -rf /tmp/* -COPY entrypoint.sh /opt/entrypoint.sh +COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY fail2ban/ /opt/fail2ban @@ -20,7 +20,7 @@ COPY lua/ /opt/lua COPY crowdsec/ /opt/crowdsec RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \ - chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + chmod +x /opt/entrypoint/* /opt/scripts/* && \ mkdir /opt/entrypoint.d && \ rm -f /var/log/nginx/* && \ chown root:nginx /var/log/nginx && \ @@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs EXPOSE 8080/tcp 8443/tcp -ENTRYPOINT ["/opt/entrypoint.sh"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/confs/cache.conf b/confs/global/cache.conf similarity index 100% rename from confs/cache.conf rename to confs/global/cache.conf diff --git a/confs/crowdsec.conf b/confs/global/crowdsec.conf similarity index 100% rename from confs/crowdsec.conf rename to confs/global/crowdsec.conf diff --git a/confs/dhparam b/confs/global/dhparam similarity index 100% rename from confs/dhparam rename to confs/global/dhparam diff --git a/confs/geoip.conf b/confs/global/geoip.conf similarity index 100% rename from confs/geoip.conf rename to confs/global/geoip.conf diff --git a/confs/gzip.conf b/confs/global/gzip.conf similarity index 100% rename from confs/gzip.conf rename to confs/global/gzip.conf diff --git a/confs/map-user-agent.conf b/confs/global/map-user-agent.conf similarity index 100% rename from confs/map-user-agent.conf rename to confs/global/map-user-agent.conf diff --git a/confs/nginx.conf b/confs/global/nginx.conf similarity index 93% rename from confs/nginx.conf rename to confs/global/nginx.conf index 4ad0e59..13e9a57 100644 --- a/confs/nginx.conf +++ b/confs/global/nginx.conf @@ -80,9 +80,6 @@ http { # resolvers to use resolver %DNS_RESOLVERS% ipv6=off; - # get real IP address if behind a reverse proxy - %PROXY_REAL_IP% - # lua path and dicts lua_package_path "/usr/local/lib/lua/?.lua;;"; %WHITELIST_IP_CACHE% @@ -97,18 +94,15 @@ http { # shared memory zone for limit_req %LIMIT_REQ_ZONE% - # server config - include /etc/nginx/server.conf; - # list of blocked country %BLOCK_COUNTRY% # list of blocker user agents %BLOCK_USER_AGENT% - # enable/disable ModSecurity - %USE_MODSECURITY% - # custom http confs include /http-confs/*.conf; + + # server config(s) + %INCLUDE_SERVER% } diff --git a/confs/antibot-captcha.conf b/confs/site/antibot-captcha.conf similarity index 100% rename from confs/antibot-captcha.conf rename to confs/site/antibot-captcha.conf diff --git a/confs/antibot-javascript.conf b/confs/site/antibot-javascript.conf similarity index 100% rename from confs/antibot-javascript.conf rename to confs/site/antibot-javascript.conf diff --git a/confs/antibot-recaptcha.conf b/confs/site/antibot-recaptcha.conf similarity index 100% rename from confs/antibot-recaptcha.conf rename to confs/site/antibot-recaptcha.conf diff --git a/confs/auth-basic-sitewide.conf b/confs/site/auth-basic-sitewide.conf similarity index 100% rename from confs/auth-basic-sitewide.conf rename to confs/site/auth-basic-sitewide.conf diff --git a/confs/auth-basic.conf b/confs/site/auth-basic.conf similarity index 100% rename from confs/auth-basic.conf rename to confs/site/auth-basic.conf diff --git a/confs/block-user-agent.conf b/confs/site/block-user-agent.conf similarity index 100% rename from confs/block-user-agent.conf rename to confs/site/block-user-agent.conf diff --git a/confs/content-security-policy.conf b/confs/site/content-security-policy.conf similarity index 100% rename from confs/content-security-policy.conf rename to confs/site/content-security-policy.conf diff --git a/confs/cookie-flags.conf b/confs/site/cookie-flags.conf similarity index 100% rename from confs/cookie-flags.conf rename to confs/site/cookie-flags.conf diff --git a/confs/custom-https.conf b/confs/site/custom-https.conf similarity index 100% rename from confs/custom-https.conf rename to confs/site/custom-https.conf diff --git a/confs/disable-default-server.conf b/confs/site/disable-default-server.conf similarity index 100% rename from confs/disable-default-server.conf rename to confs/site/disable-default-server.conf diff --git a/confs/error.conf b/confs/site/error.conf similarity index 100% rename from confs/error.conf rename to confs/site/error.conf diff --git a/confs/feature-policy.conf b/confs/site/feature-policy.conf similarity index 100% rename from confs/feature-policy.conf rename to confs/site/feature-policy.conf diff --git a/confs/geoip-server.conf b/confs/site/geoip-server.conf similarity index 100% rename from confs/geoip-server.conf rename to confs/site/geoip-server.conf diff --git a/confs/https.conf b/confs/site/https.conf similarity index 100% rename from confs/https.conf rename to confs/site/https.conf diff --git a/confs/limit-req.conf b/confs/site/limit-req.conf similarity index 100% rename from confs/limit-req.conf rename to confs/site/limit-req.conf diff --git a/confs/main-lua.conf b/confs/site/main-lua.conf similarity index 100% rename from confs/main-lua.conf rename to confs/site/main-lua.conf diff --git a/confs/modsecurity-clamav.conf b/confs/site/modsecurity-clamav.conf similarity index 100% rename from confs/modsecurity-clamav.conf rename to confs/site/modsecurity-clamav.conf diff --git a/confs/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf similarity index 100% rename from confs/modsecurity-rules.conf rename to confs/site/modsecurity-rules.conf diff --git a/confs/modsecurity.conf b/confs/site/modsecurity.conf similarity index 100% rename from confs/modsecurity.conf rename to confs/site/modsecurity.conf diff --git a/confs/php.conf b/confs/site/php.conf similarity index 100% rename from confs/php.conf rename to confs/site/php.conf diff --git a/confs/proxy-real-ip.conf b/confs/site/proxy-real-ip.conf similarity index 100% rename from confs/proxy-real-ip.conf rename to confs/site/proxy-real-ip.conf diff --git a/confs/redirect-http-to-https.conf b/confs/site/redirect-http-to-https.conf similarity index 100% rename from confs/redirect-http-to-https.conf rename to confs/site/redirect-http-to-https.conf diff --git a/confs/referrer-policy.conf b/confs/site/referrer-policy.conf similarity index 100% rename from confs/referrer-policy.conf rename to confs/site/referrer-policy.conf diff --git a/confs/serve-files.conf b/confs/site/serve-files.conf similarity index 100% rename from confs/serve-files.conf rename to confs/site/serve-files.conf diff --git a/confs/server.conf b/confs/site/server.conf similarity index 94% rename from confs/server.conf rename to confs/site/server.conf index 0569bfb..25bcb7c 100644 --- a/confs/server.conf +++ b/confs/site/server.conf @@ -1,6 +1,8 @@ server { include /server-confs/*.conf; include /etc/nginx/main-lua.conf; + %PROXY_REAL_IP% + %USE_MODSECURITY% %LISTEN_HTTP% %USE_HTTPS% %REDIRECT_HTTP_TO_HTTPS% diff --git a/confs/x-content-type-options.conf b/confs/site/x-content-type-options.conf similarity index 100% rename from confs/x-content-type-options.conf rename to confs/site/x-content-type-options.conf diff --git a/confs/x-frame-options.conf b/confs/site/x-frame-options.conf similarity index 100% rename from confs/x-frame-options.conf rename to confs/site/x-frame-options.conf diff --git a/confs/x-xss-protection.conf b/confs/site/x-xss-protection.conf similarity index 100% rename from confs/x-xss-protection.conf rename to confs/site/x-xss-protection.conf diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100644 index 4edaddc..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,644 +0,0 @@ -#!/bin/sh - -echo "[*] Starting bunkerized-nginx ..." - -# execute custom scripts if it's a customized image -for file in /entrypoint.d/* ; do - [ -f "$file" ] && [ -x "$file" ] && "$file" -done - -# trap SIGTERM and SIGINT -function trap_exit() { - echo "[*] Catched stop operation" - echo "[*] Stopping crond ..." - pkill -TERM crond - if [ "$USE_FAIL2BAN" = "yes" ] ; then - echo "[*] Stopping fail2ban" - fail2ban-client stop > /dev/null - fi - echo "[*] Stopping nginx ..." - /usr/sbin/nginx -s stop - echo "[*] Stopping rsyslogd ..." - pkill -TERM rsyslogd - pkill -TERM tail -} -trap "trap_exit" TERM INT - -# replace pattern in file -function replace_in_file() { - # escape slashes - pattern=$(echo "$2" | sed "s/\//\\\\\//g") - replace=$(echo "$3" | sed "s/\//\\\\\//g") - sed -i "s/$pattern/$replace/g" "$1" -} - -# convert space separated values to LUA -function spaces_to_lua() { - for element in $1 ; do - if [ "$result" = "" ] ; then - result="\"${element}\"" - else - result="${result}, \"${element}\"" - fi - done - echo "$result" -} - -# copy stub confs -cp /opt/confs/* /etc/nginx -cp /opt/logs/rsyslog.conf /etc/rsyslog.conf -cp /opt/logs/logrotate.conf /etc/logrotate.conf -cp -r /opt/lua/* /usr/local/lib/lua - -# remove cron jobs -echo "" > /etc/crontabs/root - -# set default values -HTTP_PORT="${HTTP_PORT-8080}" -HTTPS_PORT="${HTTPS_PORT-8443}" -MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}" -SERVER_TOKENS="${SERVER_TOKENS-off}" -CACHE="${CACHE-max=1000 inactive=60s}" -CACHE_ERRORS="${CACHE_ERRORS-on}" -CACHE_USES="${CACHE_USES-1}" -CACHE_VALID="${CACHE_VALID-60s}" -#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2" -#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}" -#CLIENT_CACHE_CONTROL= -USE_GZIP="${USE_GZIP-off}" -GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}" -GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}" -GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}" -REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}" -HEADER_SERVER="${HEADER_SERVER-no}" -X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}" -X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}" -X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}" -REFERRER_POLICY="${REFERRER_POLICY-no-referrer}" -FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}" -DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}" -SERVER_NAME="${SERVER_NAME-www.bunkerity.com}" -ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}" -BLOCK_COUNTRY="${BLOCK_COUNTRY-}" -BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}" -BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}" -BLOCK_PROXIES="${BLOCK_PROXIES-yes}" -BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}" -AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}" -HTTP2="${HTTP2-yes}" -HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}" -STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}" -USE_MODSECURITY="${USE_MODSECURITY-yes}" -USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}" -CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}" -COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}" -COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}" -SERVE_FILES="${SERVE_FILES-yes}" -WRITE_ACCESS="${WRITE_ACCESS-no}" -REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}" -LISTEN_HTTP="${LISTEN_HTTP-yes}" -USE_FAIL2BAN="${USE_FAIL2BAN-yes}" -FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}" -FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}" -FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}" -FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}" -USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}" -USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}" -CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}" -USE_AUTH_BASIC="${USE_AUTH_BASIC-no}" -AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}" -AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}" -AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}" -AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}" -USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}" -ROOT_FOLDER="${ROOT_FOLDER-/www}" -LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}" -LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}" -DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}" -USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}" -WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}" -USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}" -WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}" -USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}" -BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}" -USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}" -BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}" -USE_DNSBL="${USE_DNSBL-yes}" -DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}" -USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}" -LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}" -LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}" -LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" -PROXY_REAL_IP="${PROXY_REAL_IP-no}" -PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}" -PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}" -PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}" -GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}" -SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}" -SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}" -SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}" -SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}" -SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}" -SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}" -SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}" -ANTIBOT_URI="${ANTIBOT_URI-/challenge}" -USE_ANTIBOT="${USE_ANTIBOT-no}" -ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}" -ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}" -USE_CROWDSEC="${USE_CROWDSEC-no}" - -# install additional modules if needed -if [ "$ADDITIONAL_MODULES" != "" ] ; then - apk add $ADDITIONAL_MODULES -fi - -# replace values -replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE" -replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS" -replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE" -replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS" -replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES" -replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID" -replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP" -replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL" -replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH" -replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES" -if [ "$REMOTE_PHP" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;" - replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP" - replace_in_file "/etc/nginx/fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/" -else - replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "" -fi -if [ "$HEADER_SERVER" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "" -else - replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';" -fi -if [ "$X_FRAME_OPTIONS" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;" - replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS" -else - replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "" -fi -if [ "$X_XSS_PROTECTION" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;" - replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION" -else - replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "" -fi -if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;" - replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS" -else - replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "" -fi -if [ "$REFERRER_POLICY" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;" - replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY" -else - replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "" -fi -if [ "$FEATURE_POLICY" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;" - replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY" -else - replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "" -fi -if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;" - SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g") - replace_in_file "/etc/nginx/disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE" -else - replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "" -fi -replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME" -replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" -if [ "$BLOCK_COUNTRY" != "" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;" - replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;" - replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;" - echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root - if [ ! -f /etc/nginx/geoip.mmdb ] ; then - /opt/scripts/geoip.sh - fi -else - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "" - replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "" -fi -if [ "$BLOCK_USER_AGENT" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;" - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;" - /opt/scripts/user-agents.sh & - echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root -else - replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "" - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "" -fi -if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;" - /opt/scripts/exit-nodes.sh & - echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root -else - replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "" -fi -if [ "$BLOCK_PROXIES" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;" - /opt/scripts/proxies.sh & - echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root -else - replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "" -fi -if [ "$BLOCK_ABUSERS" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;" - /opt/scripts/abusers.sh & - echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root -else - replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "" -fi - -# HTTPS config -if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_PORT%" "$HTTPS_PORT" - if [ "$HTTP2" = "yes" ] ; then - replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2" - else - replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "" - fi - replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS" - if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then - replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;" - replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;" - else - replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "" - replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "" - fi - if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then - replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';" - else - replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "" - fi - if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then - FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) - DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g") - EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem" - if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then - /opt/scripts/certbot-renew.sh - else - certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT - fi - echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root - elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then - replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY" - elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - mkdir /etc/nginx/self-signed-ssl/ - openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" - replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem" - fi -else - replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "" -fi - -if [ "$LISTEN_HTTP" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};" -else - replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "" -fi - -if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;" -else - replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "" -fi - -if [ "$USE_MODSECURITY" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;" - if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf" - else - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "" - fi - if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf" - if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf" - else - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" - fi - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf" - else - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "" - fi -else - replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "" -fi -if [ "$PROXY_REAL_IP" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;" - froms="" - for from in $PROXY_REAL_IP_FROM ; do - froms="${froms}set_real_ip_from ${from};\n" - done - replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms" - replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER" - replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE" -else - replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "" -fi - - -ERRORS="" -for var in $(env) ; do - var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1) - if [ "z${var_name}" = "zERROR" ] ; then - err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2) - err_page=$(echo "$var" | cut -d '=' -f 2) - cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf - replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code" - replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page" - replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" - ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n" - fi -done -if [ "$ERRORS" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS" -else - replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "" -fi -if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;" - replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY" -else - replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "" -fi -if [ "$COOKIE_FLAGS" != "" ] ; then - replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;" - if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then - if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - COOKIE_FLAGS="${COOKIE_FLAGS} Secure" - fi - fi - replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS" -else - replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "" -fi -if [ "$SERVE_FILES" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;" - replace_in_file "/etc/nginx/serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" -else - replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "" -fi -if [ "$USE_AUTH_BASIC" = "yes" ] ; then - if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then - replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;" - replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"; - else - replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;" - replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION"; - replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"; - fi - htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD" -else - replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "" -fi - -# DNS resolvers -resolvers=$(spaces_to_lua "$DNS_RESOLVERS") -replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers" -replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS" - -# whitelist IP -if [ "$USE_WHITELIST_IP" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "true" -else - replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "false" -fi -list=$(spaces_to_lua "$WHITELIST_IP_LIST") -replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list" - -# whitelist rDNS -if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "true" -else - replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "false" -fi -list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") -replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list" - -# blacklist IP -if [ "$USE_BLACKLIST_IP" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "true" -else - replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "false" -fi -list=$(spaces_to_lua "$BLACKLIST_IP_LIST") -replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list" - -# blacklist rDNS -if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true" -else - replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false" -fi -list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") -replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list" - -# DNSBL -if [ "$USE_DNSBL" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "true" -else - replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "false" -fi -list=$(spaces_to_lua "$DNSBL_LIST") -replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list" - -# antibot uri and session secret -replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then - ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) -fi -replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET" - -# antibot via cookie -if [ "$USE_ANTIBOT" = "cookie" ] ; then - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" -# antibot via javascript -elif [ "$USE_ANTIBOT" = "javascript" ] ; then - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" - replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -# antibot via captcha -elif [ "$USE_ANTIBOT" = "captcha" ] ; then - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include /etc/nginx/antibot-captcha.conf;" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" - replace_in_file "/etc/nginx/antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -# antibot via recaptcha -elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include /etc/nginx/antibot-recaptcha.conf;" - replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" - replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY" - replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET" - replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE" -else - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" -fi - -if [ "$USE_LIMIT_REQ" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};" - replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;" - replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST" -else - replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "" - replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "" -fi - -# fail2ban setup -if [ "$USE_FAIL2BAN" = "yes" ] ; then - echo "" > /etc/nginx/fail2ban-ip.conf - rm -rf /etc/fail2ban/jail.d/*.conf - replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;" - cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local - cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local - cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME" - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME" - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY" - replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES" -else - replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "" -fi - -# clamav setup -if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - echo "[*] Updating clamav (in background) ..." - freshclam > /dev/null 2>&1 & - echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root -fi -if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include /etc/nginx/modsecurity-clamav.conf" -else - replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "" -fi -if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then - echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root - else - echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root - fi -fi - -# CrowdSec setup -if [ "$USE_CROWDSEC" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true" - cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml - cscli api register >> /etc/crowdsec/config/api.yaml - cscli api pull - echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root -else - replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "" - replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false" -fi - -# edit access if needed -if [ "$WRITE_ACCESS" = "yes" ] ; then - chown -R root:nginx /www - chmod g+w -R /www -fi - -# start rsyslogd -rsyslogd - -# start crond -crond - -# create empty logs -touch /var/log/access.log -touch /var/log/error.log - -# fix nginx configs rights (and modules through the symlink) -chown -R root:nginx /etc/nginx/ -chmod -R 740 /etc/nginx/ -find /etc/nginx -type d -exec chmod 750 {} \; - -# fix let's encrypt rights -if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then - chown -R root:nginx /etc/letsencrypt - chmod -R 740 /etc/letsencrypt - find /etc/letsencrypt -type d -exec chmod 750 {} \; -fi - -# start nginx -echo "[*] Running nginx ..." -su -s "/usr/sbin/nginx" nginx - -# start fail2ban -if [ "$USE_FAIL2BAN" = "yes" ] ; then - fail2ban-server > /dev/null -fi - -# start crowdsec -if [ "$USE_CROWDSEC" = "yes" ] ; then - crowdsec -fi - -# setup logrotate -replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE" -replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE" -echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root - -# display logs -LOGS="/var/log/access.log /var/log/error.log" -if [ "$USE_FAIL2BAN" = "yes" ] ; then - LOGS="$LOGS /var/log/fail2ban.log" -fi -tail -F $LOGS & -wait $! - -# sigterm trapped -echo "[*] bunkerized-nginx stopped" -exit 0 diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh new file mode 100644 index 0000000..b545426 --- /dev/null +++ b/entrypoint/defaults.sh @@ -0,0 +1,94 @@ +#!/bin/sh + +HTTP_PORT="${HTTP_PORT-8080}" +HTTPS_PORT="${HTTPS_PORT-8443}" +MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}" +SERVER_TOKENS="${SERVER_TOKENS-off}" +CACHE="${CACHE-max=1000 inactive=60s}" +CACHE_ERRORS="${CACHE_ERRORS-on}" +CACHE_USES="${CACHE_USES-1}" +CACHE_VALID="${CACHE_VALID-60s}" +#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2" +#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}" +#CLIENT_CACHE_CONTROL= +USE_GZIP="${USE_GZIP-off}" +GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}" +GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}" +GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}" +REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}" +HEADER_SERVER="${HEADER_SERVER-no}" +X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}" +X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}" +X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}" +REFERRER_POLICY="${REFERRER_POLICY-no-referrer}" +FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}" +DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}" +SERVER_NAME="${SERVER_NAME-www.bunkerity.com}" +ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}" +BLOCK_COUNTRY="${BLOCK_COUNTRY-}" +BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}" +BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}" +BLOCK_PROXIES="${BLOCK_PROXIES-yes}" +BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}" +AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}" +HTTP2="${HTTP2-yes}" +HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}" +STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}" +USE_MODSECURITY="${USE_MODSECURITY-yes}" +USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}" +CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}" +COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}" +COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}" +SERVE_FILES="${SERVE_FILES-yes}" +WRITE_ACCESS="${WRITE_ACCESS-no}" +REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}" +LISTEN_HTTP="${LISTEN_HTTP-yes}" +USE_FAIL2BAN="${USE_FAIL2BAN-yes}" +FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}" +FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}" +FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}" +FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}" +USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}" +USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}" +CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}" +USE_AUTH_BASIC="${USE_AUTH_BASIC-no}" +AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}" +AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}" +AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}" +AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}" +USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}" +ROOT_FOLDER="${ROOT_FOLDER-/www}" +LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}" +LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}" +DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}" +USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}" +WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}" +USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}" +WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}" +USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}" +BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}" +USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}" +BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}" +USE_DNSBL="${USE_DNSBL-yes}" +DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}" +USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}" +LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}" +LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}" +LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" +PROXY_REAL_IP="${PROXY_REAL_IP-no}" +PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}" +PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}" +PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}" +GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}" +SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}" +SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}" +SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}" +SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}" +SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}" +SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}" +SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}" +ANTIBOT_URI="${ANTIBOT_URI-/challenge}" +USE_ANTIBOT="${USE_ANTIBOT-no}" +ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}" +ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}" +USE_CROWDSEC="${USE_CROWDSEC-no}" diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh new file mode 100644 index 0000000..e85aca4 --- /dev/null +++ b/entrypoint/entrypoint.sh @@ -0,0 +1,90 @@ +#!/bin/sh + +# load default values +. ./opt/entrypoint/defaults.sh + +echo "[*] Starting bunkerized-nginx ..." + +# execute custom scripts if it's a customized image +for file in /entrypoint.d/* ; do + [ -f "$file" ] && [ -x "$file" ] && "$file" +done + +# trap SIGTERM and SIGINT +function trap_exit() { + echo "[*] Catched stop operation" + echo "[*] Stopping crond ..." + pkill -TERM crond + if [ "$USE_FAIL2BAN" = "yes" ] ; then + echo "[*] Stopping fail2ban" + fail2ban-client stop > /dev/null + fi + echo "[*] Stopping nginx ..." + /usr/sbin/nginx -s stop + echo "[*] Stopping rsyslogd ..." + pkill -TERM rsyslogd + pkill -TERM tail +} +trap "trap_exit" TERM INT + +# do the configuration magic if needed +if [ ! -f "/opt/installed" ] ; then + echo "[*] Configuring bunkerized-nginx ..." + /opt/entrypoint/global-config.sh + if [ "$MULTISITE" = "yes" ] ; then + for server in "$SERVER_NAME" ; do + /opt/entrypoint/site-config.sh "$server" + echo "[*] Multi site - $server configuration done" + done + else + /opt/entrypoint/site-config.sh + echo "[*] Single site - $SERVER_NAME configuration done" + fi + touch /opt/installed +else + echo "[*] Skipping configuration process" +fi + +# fix nginx configs rights (and modules through the symlink) +chown -R root:nginx /etc/nginx/ +chmod -R 740 /etc/nginx/ +find /etc/nginx -type d -exec chmod 750 {} \; + +# fix let's encrypt rights +if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then + chown -R root:nginx /etc/letsencrypt + chmod -R 740 /etc/letsencrypt + find /etc/letsencrypt -type d -exec chmod 750 {} \; +fi + +# start rsyslogd +rsyslogd + +# start crond +crond + +# start fail2ban +if [ "$USE_FAIL2BAN" = "yes" ] ; then + fail2ban-server > /dev/null +fi + +# start crowdsec +if [ "$USE_CROWDSEC" = "yes" ] ; then + crowdsec +fi + +# start nginx +echo "[*] Running nginx ..." +su -s "/usr/sbin/nginx" nginx + +# display logs +LOGS="/var/log/access.log /var/log/error.log" +if [ "$USE_FAIL2BAN" = "yes" ] ; then + LOGS="$LOGS /var/log/fail2ban.log" +fi +tail -F $LOGS & +wait $! + +# sigterm trapped +echo "[*] bunkerized-nginx stopped" +exit 0 diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh new file mode 100644 index 0000000..443435e --- /dev/null +++ b/entrypoint/global-config.sh @@ -0,0 +1,195 @@ +#!/bin/sh + +# load some functions +. /opt/entrypoint/utils.sh + +# copy stub confs +cp /opt/logs/rsyslog.conf /etc/rsyslog.conf +cp /opt/logs/logrotate.conf /etc/logrotate.conf +cp -r /opt/lua/* /usr/local/lib/lua +cp /opt/confs/global/* /etc/nginx/ + +# remove cron jobs +echo "" > /etc/crontabs/root + +# install additional modules if needed +if [ "$ADDITIONAL_MODULES" != "" ] ; then + apk add $ADDITIONAL_MODULES +fi + +# include server block(s) +if [ "$MULTISITE" = "yes" ] ; then + includes="" + for server in "$SERVER_NAME" ; do + includes="${includes}include /etc/nginx/${server}/server.conf;\n" + done + replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes" +else + replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;" +fi + +# global values +replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE" +replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS" +replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE" +replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS" +replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES" +replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID" +replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP" +replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL" +replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH" +replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES" + +# let's encrypt setup +if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then + FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) + DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g") + EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}" + if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then + echo "[*] Performing Let's Encrypt challenge ..." + certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT + fi + echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root +fi + +# self-signed certificate +if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then + mkdir /etc/nginx/self-signed-ssl/ + openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" +fi + +# country ban +if [ "$BLOCK_COUNTRY" != "" ] ; then + echo "[*] Updating GeoIP database (in background) ..." + replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;" + replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;" + echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root + /opt/scripts/geoip.sh & +else + replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "" +fi + +# block bad UA +if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then + echo "[*] Downloading bad user-agent list (in background) ..." + replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;" + /opt/scripts/user-agents.sh & + echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root +else + replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "" +fi + +# block TOR exit nodes +if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then + echo "[*] Downloading tor exit nodes list (in background) ..." + /opt/scripts/exit-nodes.sh & + echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root +fi + +# block proxies +if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then + echo "[*] Downloading proxies list (in background) ..." + /opt/scripts/proxies.sh & + echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root +fi + +# block abusers +if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then + echo "[*] Downloading abusers list (in background) ..." + /opt/scripts/abusers.sh & + echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root +fi + +# DNS resolvers +resolvers=$(spaces_to_lua "$DNS_RESOLVERS") +replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers" +replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS" + +# whitelist IP +if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;" +else + replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "" +fi +list=$(spaces_to_lua "$WHITELIST_IP_LIST") +replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list" + +# whitelist rDNS +if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;" +else + replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "" +fi +list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") +replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list" + +# blacklist IP +if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;" +else + replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "" +fi +list=$(spaces_to_lua "$BLACKLIST_IP_LIST") +replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list" + +# blacklist rDNS +if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;" +else + replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "" +fi +list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") +replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list" + +# request limiting +if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};" +else + replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "" +fi + +# fail2ban setup +if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then + rm -rf /etc/fail2ban/jail.d/*.conf + cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local + cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local + cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME" + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME" + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY" + replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES" +fi + +# clamav setup +if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then + echo "[*] Updating clamav (in background) ..." + freshclam > /dev/null 2>&1 & + echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root +fi +if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then + if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then + echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + else + echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + fi +fi + +# CrowdSec setup +if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;" + cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml + cscli api register >> /etc/crowdsec/config/api.yaml + cscli api pull + echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root +else + replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "" +fi + +# create empty logs +touch /var/log/access.log +touch /var/log/error.log + +# setup logrotate +replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE" +replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE" +echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh new file mode 100644 index 0000000..3c67389 --- /dev/null +++ b/entrypoint/site-config.sh @@ -0,0 +1,414 @@ +#!/bin/sh + +# load some functions +. /opt/entrypoint/utils.sh + +# get nginx path and override multisite variables +NGINX_PREFIX="/etc/nginx/" +if [ "$MULTISITE" = "yes" ] ; then + NGINX_PREFIX="${NGINX_PREFIX}${1}/" + for var in env ; do + name=$(echo "$var" | cut -d '=' -f 1) + check=$(echo "name" | grep "^$1_") + if [ "$check" != "" ] ; then + repl_name=$(echo "$name" | sed "s/${1}_//") + repl_value=$(echo "$var" | sed "s/${name}//") + read -r "$repl_name" <<< $repl_value + fi + done + ROOT_FOLDER="${ROOT_FOLDER}/$1" +fi + +# copy stub confs +if [ "$MULTISITE" = "yes" ] ; then + mkdir "$NGINX_PREFIX" +fi +cp /opt/confs/site/* "$NGINX_PREFIX" + +# remote PHP +if [ "$REMOTE_PHP" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;" + replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP" + replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "" +fi + +# serve files +if [ "$SERVE_FILES" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "include ${NGINX_PREFIX}serve-files.conf;" + replace_in_file "${NGINX_PREFIX}serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "" +fi + +# remove server header +if [ "$HEADER_SERVER" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%HEADER_SERVER%" "" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';" +fi + +# X-Frame-Options header +if [ "$X_FRAME_OPTIONS" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "include ${NGINX_PREFIX}x-frame-options.conf;" + replace_in_file "${NGINX_PREFIX}x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "" +fi + +# X-XSS-Protection header +if [ "$X_XSS_PROTECTION" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "include ${NGINX_PREFIX}x-xss-protection.conf;" + replace_in_file "${NGINX_PREFIX}x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "" +fi + +# X-Content-Type-Options header +if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include ${NGINX_PREFIX}x-content-type-options.conf;" + replace_in_file "${NGINX_PREFIX}x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "" +fi + +# Referrer-Policy header +if [ "$REFERRER_POLICY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "include ${NGINX_PREFIX}referrer-policy.conf;" + replace_in_file "${NGINX_PREFIX}referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "" +fi + +# Feature-Policy header +if [ "$FEATURE_POLICY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "include ${NGINX_PREFIX}feature-policy.conf;" + replace_in_file "${NGINX_PREFIX}feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "" +fi + +# Content-Security-Policy header +if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;" + replace_in_file "${NGINX_PREFIX}content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "" +fi + +# cookie flags +if [ "$COOKIE_FLAGS" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "include ${NGINX_PREFIX}cookie-flags.conf;" + if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then + if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then + COOKIE_FLAGS="${COOKIE_FLAGS} Secure" + fi + fi + replace_in_file "${NGINX_PREFIX}cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "" +fi + +# disable default server +if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;" + if [ "$MULTISITE" == "yes" ] ; then + replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$1" + else + SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g") + replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE" + fi +else + replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "" +fi + +# set the server host name +if [ "$MULTISITE" == "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$1" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$SERVER_NAME" +fi + +# allowed HTTP methods +replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" + +# country ban +if [ "$BLOCK_COUNTRY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "" +fi + +# block bad UA +if [ "$BLOCK_USER_AGENT" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" "include ${NGINX_PREFIX}block-user-agent.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" "" +fi + +# block TOR exit nodes +if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include ${NGINX_PREFIX}block-tor-exit-node.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "" +fi + +# block proxies +if [ "$BLOCK_PROXIES" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include ${NGINX_PREFIX}block-proxies.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "" +fi + +# block abusers +if [ "$BLOCK_ABUSERS" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include ${NGINX_PREFIX}block-abusers.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "" +fi + +# HTTPS config +if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "include ${NGINX_PREFIX}https.conf;" + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PORT%" "$HTTPS_PORT" + if [ "$HTTP2" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "http2" + else + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "" + fi + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS" + if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then + replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;" + replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;" + else + replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "" + replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "" + fi + if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';" + else + replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "" + fi + if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then + FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem" + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem" + elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT" + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY" + elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" + replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem" + fi +else + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "" +fi + +# listen on HTTP_PORT +if [ "$LISTEN_HTTP" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "" +fi + +# HTTP to HTTPS redirect +if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include ${NGINX_PREFIX}redirect-http-to-https.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "" +fi + +# ModSecurity config +if [ "$USE_MODSECURITY" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;" + if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf" + else + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "" + fi + if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include ${NGINX_PREFIX}owasp-crs.conf" + if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf" + else + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" + fi + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include ${NGINX_PREFIX}owasp-crs/*.conf" + else + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "" + fi +else + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "" +fi + +# real IP behind reverse proxy +if [ "$PROXY_REAL_IP" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "include ${NGINX_PREFIX}proxy-real-ip.conf;" + froms="" + for from in $PROXY_REAL_IP_FROM ; do + froms="${froms}set_real_ip_from ${from};\n" + done + replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms" + replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER" + replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "" +fi + +# custom errors +ERRORS="" +for var in $(env) ; do + var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1) + if [ "z${var_name}" = "zERROR" ] ; then + err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2) + err_page=$(echo "$var" | cut -d '=' -f 2) + cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf + replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code" + replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page" + replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" + ERRORS="${ERRORS}include ${NGINX_PREFIX}error-${err_code}.conf;\n" + fi +done +replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS" + +# auth basic +if [ "$USE_AUTH_BASIC" = "yes" ] ; then + if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;" + replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"; + else + replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;" + replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION"; + replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"; + fi + htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "" +fi + +# whitelist IP +if [ "$USE_WHITELIST_IP" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false" +fi + +# whitelist rDNS +if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false" +fi + +# blacklist IP +if [ "$USE_BLACKLIST_IP" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false" +fi + +# blacklist rDNS +if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false" +fi + +# DNSBL +if [ "$USE_DNSBL" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false" +fi + +# antibot uri and session secret +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" +if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then + ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) +fi +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET" + +# antibot via cookie +if [ "$USE_ANTIBOT" = "cookie" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" +# antibot via javascript +elif [ "$USE_ANTIBOT" = "javascript" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include ${NGINX_PREFIX}antibot-javascript.conf;" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" +# antibot via captcha +elif [ "$USE_ANTIBOT" = "captcha" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include ${NGINX_PREFIX}antibot-captcha.conf;" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" +# antibot via recaptcha +elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include ${NGINX_PREFIX}antibot-recaptcha.conf;" + replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" + replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY" + replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET" + replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" +fi + +# request limiting +if [ "$USE_LIMIT_REQ" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "include ${NGINX_PREFIX}limit-req.conf;" + replace_in_file "${NGINX_PREFIX}limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "" +fi + +# fail2ban +if [ "$USE_FAIL2BAN" = "yes" ] ; then + echo "" > ${NGINX_PREFIX}fail2ban-ip.conf + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include ${NGINX_PREFIX}fail2ban-ip.conf;" +else + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "" +fi + +# clamav scan uploaded files +if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include ${NGINX_PREFIX}modsecurity-clamav.conf" +else + replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "" +fi + +# CrowdSec +if [ "$USE_CROWDSEC" = "yes" ] ; then + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "true" +else + replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false" +fi diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh new file mode 100644 index 0000000..497e735 --- /dev/null +++ b/entrypoint/utils.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +# replace pattern in file +function replace_in_file() { + # escape slashes + pattern=$(echo "$2" | sed "s/\//\\\\\//g") + replace=$(echo "$3" | sed "s/\//\\\\\//g") + sed -i "s/$pattern/$replace/g" "$1" +} + +# convert space separated values to LUA +function spaces_to_lua() { + for element in $1 ; do + if [ "$result" = "" ] ; then + result="\"${element}\"" + else + result="${result}, \"${element}\"" + fi + done + echo "$result" +} + +# check if at least one env var (global or multisite) has a specific value +function has_value() { + if [ "${!1}" == "$2" ] ; then + echo "ok" + return 0 + fi + for var in $(env) ; do + domain=$(echo "$var" | cut -d '_' -f 1) + name=$(echo "$var" | cut -d '=' -f 1 | sed "s/${domain}_//") + value=$(echo "$var" | sed "s/${domain}_${name}=//") + if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then + echo "ok" + return 0 + fi + done +}