diff --git a/autoconf/prepare.sh b/autoconf/prepare.sh
index 3ded0c1..b314afe 100644
--- a/autoconf/prepare.sh
+++ b/autoconf/prepare.sh
@@ -52,9 +52,9 @@ chmod 770 /cache
 
 # prepare /acme-challenge
 ln -s /acme-challenge /opt/bunkerized-nginx/acme-challenge
-mkdir /acme-challenge
-chown root:nginx /acme-challenge
-chmod 770 /acme-challenge
+mkdir -p /acme-challenge/.well-known/acme-challenge
+chown -R root:nginx /acme-challenge
+chmod -R 770 /acme-challenge
 
 # prepare /http-confs
 ln -s /http-confs /opt/bunkerized-nginx/http-confs
diff --git a/autoconf/src/Config.py b/autoconf/src/Config.py
index 01ed19d..f134954 100644
--- a/autoconf/src/Config.py
+++ b/autoconf/src/Config.py
@@ -12,7 +12,8 @@ CONFIGS = {
 "http": "/http-confs",
 "server": "/server-confs",
 "modsec": "/modsec-confs",
- "modsec-crs": "/modsec-crs-confs"
+ "modsec-crs": "/modsec-crs-confs",
+ "acme": "/acme-challenge"
 }
 
 class Config :
diff --git a/autoconf/src/ReloadServer.py b/autoconf/src/ReloadServer.py
index 98c78a3..94d1411 100644
--- a/autoconf/src/ReloadServer.py
+++ b/autoconf/src/ReloadServer.py
@@ -2,7 +2,7 @@
 import socketserver, threading, os, stat
 from logger import log
 
-class ReloadServerHandler(socketserver.StreamRequestHandler):
+class ReloadServerHandler(socketserver.BaseRequestHandler):
 
 def handle(self) :
 locked = False
@@ -10,7 +10,8 @@ class ReloadServerHandler(socketserver.StreamRequestHandler):
 while True :
 data = self.request.recv(512)
- if not data or not data in [b"lock", b"reload", b"unlock"] :
+ print(data, flush=True)
+ if not data or not data in [b"lock", b"reload", b"unlock", b"acme"] :
 break
 if data == b"lock" :
 self.server.controller.lock.acquire()
diff --git a/helpers/docker.sh b/helpers/docker.sh
index a1fb9fd..b6d54f3 100755
--- a/helpers/docker.sh
+++ b/helpers/docker.sh
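Review bot: `chmod -R 770 /acme-challenge` on the last added line also applies mode 770 to any regular files under the tree, which gives challenge token files an execute bit they have no use for; the same recursive chmod is added to helpers/install.sh in the `@@ -840` hunk, where existing installs may already hold files. If /acme-challenge is a pre-populated volume (not visible here) this also rewrites modes of files that were already there. Restricting the recursion to directories keeps the intent, e.g. `find /acme-challenge -type d -exec chmod 770 {} +`, which matches how the install.sh hunk already uses `find ... -type d -exec chmod 0750` for the rest of the tree.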
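Review bot: The new `"acme": "/acme-challenge"` entry maps a config type onto the directory that the other hunks of this commit lay out as `/acme-challenge/.well-known/acme-challenge`, which by its name is presumably the HTTP-01 webroot nginx serves to unauthenticated clients, yet nothing on the entry says so and the writer that consumes CONFIGS is outside this hunk. Whatever is written through this mapping therefore ends up publicly readable, so a comment on the entry is worthwhile: `"acme": "/acme-challenge"  # presumably served unauthenticated by nginx (ACME HTTP-01 webroot); only challenge tokens belong here`. It would also be worth confirming that the consumer confines writes to the `.well-known/acme-challenge` subpath and rejects names containing path separators, since that cannot be checked from this hunk.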
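Review bot: `print(data, flush=True)` on the first added line of the `@@ -10,7` hunk echoes every raw command to stdout and reads like leftover debugging; the file already imports `log`, so route the message through it or drop the line. The second added line admits `b"acme"` but no branch handling it is visible in the hunk (handle()'s body starts and ends outside the hunk), so it is worth checking that an `acme` command does not fall through as a silent no-op; while there, `if not data or data not in [b"lock", b"reload", b"unlock", b"acme"] :` is the idiomatic form of `not data in [...]`. The base-class switch in the `@@ -2,7` hunk above is unexplained, and since `recv(512)` with no framing means two commands arriving in one segment (say `b"lockreload"`) fail the membership test and end the loop, a comment such as `# each command is expected as its own send(); no framing on the socket` would record the assumption — inferred from the loop, not verified against the client.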
@@ -1,33 +1,19 @@
 #!/bin/sh
 
-# prepare /www
-mkdir /www
-chown -R root:nginx /www
-chmod -R 770 /www
-
-# prepare /acme-challenge
-mkdir /acme-challenge
-chown root:nginx /acme-challenge
-chmod 770 /acme-challenge
-
-# prepare /cache
-mkdir /cache
-chown root:nginx /cache
-chmod 770 /cache
-
-# prepare /plugins
-mkdir /plugins
-chown root:nginx /plugins
-chmod 770 /plugins
-
-# prepare symlinks
+# prepare folders
 folders="www http-confs server-confs modsec-confs modsec-crs-confs cache pre-server-confs acme-challenge plugins"
 for folder in $folders ; do
- if [ -e "/opt/bunkerized-nginx/$folder" ] ; then
- rm -rf "/opt/bunkerized-nginx/$folder"
+ if [ -e "/opt/bunkerized-nginx/${folder}" ] ; then
+ rm -rf "/opt/bunkerized-nginx/${folder}"
 fi
+ mkdir "/${folder}"
+ chown root:nginx "/${folder}"
+ chmod 770 "/${folder}"
 ln -s "/$folder" "/opt/bunkerized-nginx/$folder"
 done
+mkdir -p /acme-challenge/.well-known/acme-challenge
+chown -R root:nginx /acme-challenge
+chmod 770 /acme-challenge
 
 # prepare /var/log
 rm -f /var/log/nginx/*
diff --git a/helpers/install.sh b/helpers/install.sh
index adc8aa0..3167d1e 100755
--- a/helpers/install.sh
+++ b/helpers/install.sh
@@ -348,7 +348,7 @@ module_hotfixes=true"
 elif [ "$OS" = "fedora" ] ; then
 echo "[*] Install nginx"
 do_and_check_cmd dnf install -y nginx
-elif [ "$OS" = "archlinux" ; then
+elif [ "$OS" = "archlinux" ] ; then
 echo "[*] Update pacman DB"
 do_and_check_cmd pacman -Sy
 echo "[*] Install nginx"
@@ -825,7 +825,7 @@ fi
 # Create acme-challenge folder
 if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ] ; then
 echo "[*] Create /opt/bunkerized-nginx/acme-challenge folder"
- do_and_check_cmd mkdir /opt/bunkerized-nginx/acme-challenge
+ do_and_check_cmd mkdir -p /opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge
 fi
 
 # Create plugins folder
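Review bot: `chmod 770 /acme-challenge` on the last added line is not recursive, unlike the `chmod -R 770` this same commit adds to autoconf/prepare.sh and helpers/install.sh, so the `.well-known` and `.well-known/acme-challenge` directories created by `mkdir -p` keep whatever mode the umask produced (typically 755 under the default 022) and group nginx cannot write challenge files into the leaf directory. The top-level directory already received 770 from the loop's `chmod 770 "/${folder}"` since `acme-challenge` is in `$folders`, so only the two nested directories need fixing: `chmod 770 /acme-challenge/.well-known /acme-challenge/.well-known/acme-challenge`.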
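Review bot: The `if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ]` guard above the changed line in the `@@ -825,7` hunk means an existing installation, where that directory is already present from an earlier version, never gets `.well-known/acme-challenge` created, so the new layout is applied on fresh installs only. Since `mkdir -p` is idempotent, the guard can test the leaf instead: `if [ ! -d "/opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge" ] ; then`, leaving the echo and mkdir lines as they are.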
@@ -840,7 +840,7 @@ do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx
 do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;
 do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;
 do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
-do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
+do_and_check_cmd chmod -R 770 /opt/bunkerized-nginx/acme-challenge
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py
diff --git a/misc/cron-autoconf b/misc/cron-autoconf
index 4a4a61e..a5c8370 100644
--- a/misc/cron-autoconf
+++ b/misc/cron-autoconf
@@ -3,6 +3,6 @@
 45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
 0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
 0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
-30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name remote-api-database --server $(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2) --version $(cat /opt/bunkerized-nginx/VERSION) --id $(cat /opt/bunkerized-nginx/cache/machine.id)" nginx >> /var/log/nginx/jobs.log 2>&1
+30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name remote-api-database --server $(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2) --version $(cat /opt/bunkerized-nginx/VERSION) --id $(cat /opt/bunkerized-nginx/cache/machine.id)" nginx >> /var/log/nginx/jobs.log 2>&1
 0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
 0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1
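Review bot: The changed `30 */1` line pastes `$(grep ... global.env | cut ...)`, `$(cat .../VERSION)` and `$(cat .../cache/machine.id)` unquoted into the `su -c` string, so a value containing whitespace or shell metacharacters changes the argument list the nginx-side shell builds; per the install.sh hunk `/opt/bunkerized-nginx/cache` is `770 root:nginx`, so machine.id is writable by group nginx, which gains nothing (the job already runs as nginx) but makes the line fragile. Wrapping each substitution in single quotes inside the double-quoted string, e.g. `--id '$(cat /opt/bunkerized-nginx/cache/machine.id)'`, keeps each value a single argument for the inner shell. Separately, the `0 3 2 * *` geoip line in context uses `[ [ ... ] || [ ... ] ]`, which does not look like valid `test` syntax (`[` is a command, not a grouping bracket); it is pre-existing and untouched by this commit but worth a follow-up.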