diff --git a/Dockerfile b/Dockerfile index 8d9ef20..6632230 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.20.0-alpine +FROM nginx:1.20.1-alpine COPY nginx-keys/ /tmp/nginx-keys COPY compile.sh /tmp/compile.sh @@ -25,9 +25,6 @@ RUN chmod +x /tmp/prepare.sh && \ /tmp/prepare.sh && \ rm -f /tmp/prepare.sh -# fix CVE-2021-20205 -RUN apk add "libjpeg-turbo>=2.1.0-r0" - VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 22b1230..6c3b177 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -1,4 +1,4 @@ -FROM amd64/nginx:1.20.0-alpine +FROM amd64/nginx:1.20.1-alpine COPY nginx-keys/ /tmp/nginx-keys COPY compile.sh /tmp/compile.sh @@ -25,9 +25,6 @@ RUN chmod +x /tmp/prepare.sh && \ /tmp/prepare.sh && \ rm -f /tmp/prepare.sh -# fix CVE-2021-20205 -RUN apk add "libjpeg-turbo>=2.1.0-r0" - VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index 48a979a..755c404 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -3,7 +3,7 @@ FROM alpine AS builder ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 -FROM arm32v7/nginx:1.20.0-alpine +FROM arm32v7/nginx:1.20.1-alpine COPY --from=builder qemu-arm-static /usr/bin @@ -32,9 +32,6 @@ RUN chmod +x /tmp/prepare.sh && \ /tmp/prepare.sh && \ rm -f /tmp/prepare.sh -# fix CVE-2021-20205 -RUN apk add "libjpeg-turbo>=2.1.0-r0" - VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 6a75d9d..d9bc6f0 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 
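Review bot: Dropping `# fix CVE-2021-20205` / `RUN apk add "libjpeg-turbo>=2.1.0-r0"` in the same commit that bumps the base to `nginx:1.20.1-alpine` assumes the new base already carries a fixed libjpeg-turbo, but nothing in the diff shows the base's Alpine release or package set, so a later rebuild of that tag on an older Alpine branch would silently reintroduce the issue. Either record the verification in the commit message, or keep the constrained `apk add` as a cheap build-time guard: it is a no-op when the base already satisfies `>=2.1.0-r0` and fails the build otherwise. The same removal appears in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386.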
@@ -3,7 +3,7 @@ FROM alpine AS builder ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 -FROM arm64v8/nginx:1.20.0-alpine +FROM arm64v8/nginx:1.20.1-alpine COPY --from=builder qemu-aarch64-static /usr/bin @@ -32,9 +32,6 @@ RUN chmod +x /tmp/prepare.sh && \ /tmp/prepare.sh && \ rm -f /tmp/prepare.sh -# fix CVE-2021-20205 -RUN apk add "libjpeg-turbo>=2.1.0-r0" - VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 0682123..b945099 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -1,4 +1,4 @@ -FROM i386/nginx:1.20.0-alpine +FROM i386/nginx:1.20.1-alpine COPY nginx-keys/ /tmp/nginx-keys COPY compile.sh /tmp/compile.sh @@ -25,9 +25,6 @@ RUN chmod +x /tmp/prepare.sh && \ /tmp/prepare.sh && \ rm -f /tmp/prepare.sh -# fix CVE-2021-20205 -RUN apk add "libjpeg-turbo>=2.1.0-r0" - VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile index 2af601f..cbec6f9 100644 --- a/autoconf/Dockerfile +++ b/autoconf/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.20.0-alpine AS builder +FROM nginx:1.20.1-alpine AS builder FROM alpine diff --git a/autoconf/Dockerfile-amd64 b/autoconf/Dockerfile-amd64 index 67700ce..7f6a385 100644 --- a/autoconf/Dockerfile-amd64 +++ b/autoconf/Dockerfile-amd64 
@@ -1,44 +1,26 @@ -FROM nginx:stable-alpine AS builder +FROM nginx:1.20.1-alpine AS builder FROM amd64/alpine COPY --from=builder /etc/nginx/ /opt/confs/nginx -RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ - pip3 install docker requests && \ - mkdir /opt/entrypoint && \ - mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global && \ - mkdir /opt/scripts && \ - addgroup -g 101 nginx && \ - adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \ - mkdir /etc/letsencrypt && \ - chown root:nginx /etc/letsencrypt && \ - chmod 770 /etc/letsencrypt && \ - mkdir /var/log/letsencrypt && \ - chown root:nginx /var/log/letsencrypt && \ - chmod 770 /var/log/letsencrypt && \ - mkdir /var/lib/letsencrypt && \ - chown root:nginx /var/lib/letsencrypt && \ - chmod 770 /var/lib/letsencrypt && \ - mkdir /cache && \ - chown root:nginx /cache && \ - chmod 770 /cache && \ - touch /var/log/jobs.log && \ - chown root:nginx /var/log/jobs.log && \ - chmod 770 /var/log/jobs.log && \ - chown -R root:nginx /opt/confs/nginx && \ - chmod -R 770 /opt/confs/nginx && \ - mkdir /acme-challenge && \ - chown root:nginx /acme-challenge && \ - chmod 770 /acme-challenge +COPY autoconf/dependencies.sh /tmp +RUN chmod +x /tmp/dependencies.sh && \ + /tmp/dependencies.sh && \ + rm -f /tmp/dependencies.sh -COPY autoconf/misc/logrotate.conf /etc/logrotate.conf -COPY scripts/* /opt/scripts/ +COPY gen/ /opt/gen +COPY entrypoint/ /opt/entrypoint COPY confs/global/ /opt/confs/global COPY confs/site/ /opt/confs/site -COPY entrypoint/* /opt/entrypoint/ +COPY scripts/ /opt/scripts +COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY autoconf/* /opt/entrypoint/ -RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh + +COPY autoconf/prepare.sh /tmp +RUN chmod +x /tmp/prepare.sh && \ + /tmp/prepare.sh && \ + rm -f /tmp/prepare.sh ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] 
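Review bot: `COPY autoconf/* /opt/entrypoint/` now also ships the build-only helpers that this hunk places under `autoconf/` (`autoconf/dependencies.sh`, `autoconf/prepare.sh`) and, being a glob, the `autoconf/Dockerfile*` files themselves into the runtime image's entrypoint directory, even though the `RUN … && rm -f /tmp/dependencies.sh` steps go out of their way to remove them from `/tmp`. Copy the entrypoint files by name, or keep build scripts outside the globbed directory, so the final layer holds only what `entrypoint.sh` needs. The builder stage is now pinned to `nginx:1.20.1-alpine`, but the runtime `FROM amd64/alpine` is still untagged, so the image is still not reproducible; pin it too, e.g. `FROM amd64/alpine:<PINNED_TAG>`. The user creation and `chmod 770` setup that was visible inline has moved into `dependencies.sh`, which is not in this diff and therefore cannot be reviewed here. The same points apply to the autoconf/Dockerfile-arm32v7, autoconf/Dockerfile-arm64v8 and autoconf/Dockerfile-i386 hunks.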
diff --git a/autoconf/Dockerfile-arm32v7 b/autoconf/Dockerfile-arm32v7 index 3fff90e..7dfcd5b 100644 --- a/autoconf/Dockerfile-arm32v7 +++ b/autoconf/Dockerfile-arm32v7 
@@ -3,48 +3,30 @@ FROM alpine AS builder ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 -FROM nginx:stable-alpine AS builder2 +FROM nginx:1.20.1-alpine AS builder2 FROM arm32v7/alpine COPY --from=builder qemu-arm-static /usr/bin COPY --from=builder2 /etc/nginx/ /opt/confs/nginx -RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ - pip3 install docker requests && \ - mkdir /opt/entrypoint && \ - mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global && \ - mkdir /opt/scripts && \ - addgroup -g 101 nginx && \ - adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \ - mkdir /etc/letsencrypt && \ - chown root:nginx /etc/letsencrypt && \ - chmod 770 /etc/letsencrypt && \ - mkdir /var/log/letsencrypt && \ - chown root:nginx /var/log/letsencrypt && \ - chmod 770 /var/log/letsencrypt && \ - mkdir /var/lib/letsencrypt && \ - chown root:nginx /var/lib/letsencrypt && \ - chmod 770 /var/lib/letsencrypt && \ - mkdir /cache && \ - chown root:nginx /cache && \ - chmod 770 /cache && \ - touch /var/log/jobs.log && \ - chown root:nginx /var/log/jobs.log && \ - chmod 770 /var/log/jobs.log && \ - chown -R root:nginx /opt/confs/nginx && \ - chmod -R 770 /opt/confs/nginx && \ - mkdir /acme-challenge && \ - chown root:nginx /acme-challenge && \ - chmod 770 /acme-challenge +COPY autoconf/dependencies.sh /tmp +RUN chmod +x /tmp/dependencies.sh && \ + /tmp/dependencies.sh && \ + rm -f /tmp/dependencies.sh -COPY autoconf/misc/logrotate.conf /etc/logrotate.conf -COPY scripts/* /opt/scripts/ +COPY gen/ /opt/gen +COPY entrypoint/ /opt/entrypoint COPY confs/global/ /opt/confs/global COPY confs/site/ /opt/confs/site -COPY entrypoint/* /opt/entrypoint/ +COPY scripts/ /opt/scripts +COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY autoconf/* /opt/entrypoint/ -RUN chmod +x 
/opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh + +COPY autoconf/prepare.sh /tmp +RUN chmod +x /tmp/prepare.sh && \ + /tmp/prepare.sh && \ + rm -f /tmp/prepare.sh ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/autoconf/Dockerfile-arm64v8 b/autoconf/Dockerfile-arm64v8 index cd83bb6..cf19146 100644 --- a/autoconf/Dockerfile-arm64v8 +++ b/autoconf/Dockerfile-arm64v8 
@@ -3,48 +3,30 @@ FROM alpine AS builder ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 -FROM nginx:stable-alpine AS builder2 +FROM nginx:1.20.1-alpine AS builder2 FROM arm64v8/alpine COPY --from=builder qemu-aarch64-static /usr/bin COPY --from=builder2 /etc/nginx/ /opt/confs/nginx -RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ - pip3 install docker requests && \ - mkdir /opt/entrypoint && \ - mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global && \ - mkdir /opt/scripts && \ - addgroup -g 101 nginx && \ - adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \ - mkdir /etc/letsencrypt && \ - chown root:nginx /etc/letsencrypt && \ - chmod 770 /etc/letsencrypt && \ - mkdir /var/log/letsencrypt && \ - chown root:nginx /var/log/letsencrypt && \ - chmod 770 /var/log/letsencrypt && \ - mkdir /var/lib/letsencrypt && \ - chown root:nginx /var/lib/letsencrypt && \ - chmod 770 /var/lib/letsencrypt && \ - mkdir /cache && \ - chown root:nginx /cache && \ - chmod 770 /cache && \ - touch /var/log/jobs.log && \ - chown root:nginx /var/log/jobs.log && \ - chmod 770 /var/log/jobs.log && \ - chown -R root:nginx /opt/confs/nginx && \ - chmod -R 770 /opt/confs/nginx && \ - mkdir /acme-challenge && \ - chown root:nginx /acme-challenge && \ - chmod 770 /acme-challenge +COPY autoconf/dependencies.sh /tmp +RUN chmod +x /tmp/dependencies.sh && \ + /tmp/dependencies.sh && \ + rm -f /tmp/dependencies.sh -COPY autoconf/misc/logrotate.conf /etc/logrotate.conf -COPY scripts/* /opt/scripts/ +COPY gen/ /opt/gen +COPY entrypoint/ /opt/entrypoint COPY confs/global/ /opt/confs/global COPY confs/site/ /opt/confs/site -COPY entrypoint/* /opt/entrypoint/ +COPY scripts/ /opt/scripts +COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY autoconf/* /opt/entrypoint/ -RUN chmod +x 
/opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh + +COPY autoconf/prepare.sh /tmp +RUN chmod +x /tmp/prepare.sh && \ + /tmp/prepare.sh && \ + rm -f /tmp/prepare.sh ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/autoconf/Dockerfile-i386 b/autoconf/Dockerfile-i386 index 9c239ba..0c7b578 100644 --- a/autoconf/Dockerfile-i386 +++ b/autoconf/Dockerfile-i386 
@@ -1,44 +1,26 @@ -FROM nginx:stable-alpine AS builder +FROM nginx:1.20.1-alpine AS builder FROM i386/alpine COPY --from=builder /etc/nginx/ /opt/confs/nginx -RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \ - pip3 install docker requests && \ - mkdir /opt/entrypoint && \ - mkdir -p /opt/confs/site && \ - mkdir -p /opt/confs/global && \ - mkdir /opt/scripts && \ - addgroup -g 101 nginx && \ - adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \ - mkdir /etc/letsencrypt && \ - chown root:nginx /etc/letsencrypt && \ - chmod 770 /etc/letsencrypt && \ - mkdir /var/log/letsencrypt && \ - chown root:nginx /var/log/letsencrypt && \ - chmod 770 /var/log/letsencrypt && \ - mkdir /var/lib/letsencrypt && \ - chown root:nginx /var/lib/letsencrypt && \ - chmod 770 /var/lib/letsencrypt && \ - mkdir /cache && \ - chown root:nginx /cache && \ - chmod 770 /cache && \ - touch /var/log/jobs.log && \ - chown root:nginx /var/log/jobs.log && \ - chmod 770 /var/log/jobs.log && \ - chown -R root:nginx /opt/confs/nginx && \ - chmod -R 770 /opt/confs/nginx && \ - mkdir /acme-challenge && \ - chown root:nginx /acme-challenge && \ - chmod 770 /acme-challenge +COPY autoconf/dependencies.sh /tmp +RUN chmod +x /tmp/dependencies.sh && \ + /tmp/dependencies.sh && \ + rm -f /tmp/dependencies.sh -COPY autoconf/misc/logrotate.conf /etc/logrotate.conf -COPY scripts/* /opt/scripts/ +COPY gen/ /opt/gen +COPY entrypoint/ /opt/entrypoint COPY confs/global/ /opt/confs/global COPY confs/site/ /opt/confs/site -COPY entrypoint/* /opt/entrypoint/ +COPY scripts/ /opt/scripts +COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY autoconf/* /opt/entrypoint/ -RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh + +COPY autoconf/prepare.sh /tmp +RUN chmod +x /tmp/prepare.sh && \ + /tmp/prepare.sh && \ + rm -f /tmp/prepare.sh ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] 
diff --git a/confs/global/api-temp.conf b/confs/global/api-temp.conf index a368bcc..42b4d76 100644 --- a/confs/global/api-temp.conf +++ b/confs/global/api-temp.conf @@ -1,15 +1,14 @@ -# todo : if api_uri == "random" -location ~ ^{{ API_URI }}/ping { +location ~ ^%API_URI%/ping { return 444; } -location ~ {{ API_URI }} { +location ~ %API_URI% { rewrite_by_lua_block { local api = require "api" - local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} - local api_uri = "{{ API_URI }}" + local api_whitelist_ip = { %API_WHITELIST_IP% } + local api_uri = "%API_URI%" local logger = require "logger" if api.is_api_call(api_uri, api_whitelist_ip) then diff --git a/confs/global/api.conf b/confs/global/api.conf index 1e70b0b..55beb1f 100644 --- a/confs/global/api.conf +++ b/confs/global/api.conf @@ -2,7 +2,7 @@ rewrite_by_lua_block { local api = require "api" - local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} + local api_whitelist_ip = {% raw %}{{% endraw %}{% if API_WHITELIST_IP != ""%}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} local api_uri = "{{ API_URI }}" local logger = require "logger" diff --git a/confs/global/geoip.conf b/confs/global/geoip.conf index 0e7994a..22fc9cb 100644 --- a/confs/global/geoip.conf +++ b/confs/global/geoip.conf 
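Review bot: In api-temp.conf `location ~ ^%API_URI%/ping`, `location ~ %API_URI%` and `local api_uri = "%API_URI%"` now receive the raw value through a plain text replacement (the `replace_in_file … "%API_URI%" "$API_URI"` call in nginx-temp.sh), so a value containing regex metacharacters widens or breaks the location match and a `"` breaks the generated Lua, with no template layer to catch it. Validate the value against a conservative pattern before substitution, e.g. `case "$API_URI" in */* ) ;; * ) … ;; esac` plus a character-class check such as `^/[A-Za-z0-9_/.-]+$`, or anchor the regex with `$` as well as `^`. `local api_whitelist_ip = { %API_WHITELIST_IP% }` relies entirely on `spaces_to_lua` quoting every element and producing nothing for an empty list; the sibling api.conf hunk on this line adds an `{% if API_WHITELIST_IP != "" %}` guard for the Jinja path, and the temp path should have an equivalent guarantee, which I could not confirm from the diff.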
@@ -6,10 +6,14 @@ geoip2 /etc/nginx/geoip.mmdb { map $geoip2_data_country_code $allowed_country { default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %}; - {% for country in WHITELIST_COUNTRY.split(" ") %} - {{ country }} yes; - {% endfor %} - {% for country in BLACKLIST_COUNTRY.split(" ") %} - {{ country }} no; - {% endfor %} + {% if WHITELIST_COUNTRY != "" %} + {% for country in WHITELIST_COUNTRY.split(" ") %} + {{ country }} yes; + {% endfor %} + {% endif %} + {% if BLACKLIST_COUNTRY != "" %} + {% for country in BLACKLIST_COUNTRY.split(" ") %} + {{ country }} no; + {% endfor %} + {% endif %} } diff --git a/confs/site/log-lua.conf b/confs/site/log-lua.conf index e45620f..377ac9c 100644 --- a/confs/site/log-lua.conf +++ b/confs/site/log-lua.conf @@ -3,7 +3,7 @@ log_by_lua_block { -- bad behavior local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} local behavior = require "behavior" -local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local bad_behavior_status_codes = {% raw %}{{% endraw %}{% if BAD_BEHAVIOR_STATUS_CODES != "" %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }} local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }} local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }} diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index a6310d9..2f54146 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf 
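Review bot: The `{% raw %}{{% endraw %}{% if X != "" %}{% set elements = X.split(" ") %}…{% endif %}{% raw %}}{% endraw %}` list-literal expression in log-lua.conf is the same one repeated, with the same fix, in the api.conf hunk and across the main-lua.conf hunks (dns_resolvers, whitelist/blacklist ip and reverse lists, dnsbl_list, whitelist_user_agent, whitelist_uri); defining it once as a Jinja macro, e.g. `{% macro lua_list(value) %}…{% endmacro %}`, would have made this a single-site change and keeps future guards consistent. Each element is also written into a Lua string literal as `"{{ elements[i] }}"` with no escaping visible, so an entry containing `"` or `\` would break the generated block; presumably these variables are operator-controlled, but the macro is the natural place to add that escaping. The geoip.conf hunk is fine as written.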
@@ -30,23 +30,23 @@ local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %} -- resolvers -local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local dns_resolvers = {% raw %}{{% endraw %}{% if DNS_RESOLVERS != "" %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -- whitelist local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %} local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %} -local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_ip_list = {% raw %}{{% endraw %}{% if WHITELIST_IP_LIST != "" %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local whitelist_reverse_list = {% raw %}{{% endraw %}{% if WHITELIST_REVERSE_LIST != "" %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -- blacklist local use_blacklist_ip = {% if 
USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %} local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %} -local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local blacklist_ip_list = {% raw %}{{% endraw %}{% if BLACKLIST_IP_LIST != "" %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local blacklist_reverse_list = {% raw %}{{% endraw %}{% if BLACKLIST_REVERSE_LIST != "" %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -- dnsbl local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %} -local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local dnsbl_list = {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -- bad behavior local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} 
@@ -65,8 +65,8 @@ local logger = require "logger" -- user variables local antibot_uri = "{{ ANTIBOT_URI }}" -local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_user_agent = {% raw %}{{% endraw %}{% if WHITELIST_USER_AGENT != "" %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local whitelist_uri = {% raw %}{{% endraw %}{% if WHITELIST_URI != "" %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then diff --git a/confs/site/serve-files.conf b/confs/site/serve-files.conf index 4cf51be..ea83f00 100644 --- a/confs/site/serve-files.conf +++ b/confs/site/serve-files.conf @@ -1,3 +1,3 @@ -root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }}; +root {{ ROOT_FOLDER }}; index index.html index.php; try_files $uri $uri/ =404; diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index b2a1df5..934443f 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -94,7 +94,7 @@ pid="$!" if [ "$1" == "test" ] ; then sleep 10 echo -n "autotest" > /www/index.html - check=$(curl "http://localhost:8080") + check=$(curl -H "User-Agent: legit" "http://localhost:8080") if [ "$check" == "autotest" ] ; then exit 0 fi 
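Review bot: `check=$(curl -H "User-Agent: legit" "http://localhost:8080")` in the entrypoint.sh self-test needs a why-comment, since a reader will not see why a fake User-Agent is required; presumably curl's default UA is rejected by the bad-UA rules, so add `# curl's default User-Agent is blocked by the UA rules; send a neutral one for the self-test`. The call also has no timeout or silent flag, so a wedged listener blocks the test indefinitely and progress output lands in `$check`; `check=$(curl -s --max-time 5 -H "User-Agent: legit" "http://localhost:8080")` keeps the comparison with `autotest` exact. The `if [ "$1" == "test" ]` block starts outside the hunk.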
diff --git a/entrypoint/nginx-temp.sh b/entrypoint/nginx-temp.sh
index dae7594..eb86e94 100644
--- a/entrypoint/nginx-temp.sh
+++ b/entrypoint/nginx-temp.sh
@@ -10,11 +10,13 @@ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ;
 if [ "$SWARM_MODE" = "yes" ] ; then
 replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
 replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
+ API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 list=$(spaces_to_lua "$API_WHITELIST_IP")
 replace_in_file "/tmp/api.conf" "%API_WHITELIST_IP%" "$list"
 else
 replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" ""
 fi
+ HTTP_PORT="${HTTP_PORT-8080}"
 replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
 nginx -c /tmp/nginx-temp.conf
 if [ "$?" -eq 0 ] ; then
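Review bot: `HTTP_PORT="${HTTP_PORT-8080}"` uses the unset-only form, so a variable that is exported but empty keeps its empty value and `%HTTP_PORT%` is replaced with nothing, yielding an invalid listen directive in nginx-temp.conf; since an empty port is never valid, this should be `HTTP_PORT="${HTTP_PORT:-8080}"`. For `API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"` the unset-only form may be deliberate, letting an operator pass an empty list to disable the private-range default, but then what `api.is_api_call` does with an empty table decides whether that fails open or closed, and that function is not in the diff; a comment stating the intended semantics, e.g. `# unset -> RFC1918 default; explicitly empty -> no whitelist`, would settle it. The enclosing `if … AUTO_LETS_ENCRYPT … SWARM_MODE` block starts outside the hunk.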