integrations - fix missing acme folder when using Swarm or Kubernetes

autoconf/prepare.sh

@@ -52,9 +52,9 @@ chmod 770 /cache
 
 # prepare /acme-challenge
 ln -s /acme-challenge /opt/bunkerized-nginx/acme-challenge
-mkdir /acme-challenge
+mkdir -p /acme-challenge/.well-known/acme-challenge
-chown root:nginx /acme-challenge
+chown -R root:nginx /acme-challenge
-chmod 770 /acme-challenge
+chmod -R 770 /acme-challenge
 
 # prepare /http-confs
 ln -s /http-confs /opt/bunkerized-nginx/http-confs

autoconf/src/Config.py

@@ -12,7 +12,8 @@ CONFIGS = {
 	"http": "/http-confs",
 	"server": "/server-confs",
 	"modsec": "/modsec-confs",
-	"modsec-crs": "/modsec-crs-confs"
+	"modsec-crs": "/modsec-crs-confs",
+	"acme": "/acme-challenge"
 }
 
 class Config :

autoconf/src/ReloadServer.py

@@ -2,7 +2,7 @@ import socketserver, threading, os, stat
 
 from logger import log
 
-class ReloadServerHandler(socketserver.StreamRequestHandler):
+class ReloadServerHandler(socketserver.BaseRequestHandler):
 
 	def handle(self) :
 		locked = False
@@ -10,7 +10,8 @@ class ReloadServerHandler(socketserver.StreamRequestHandler):
 
 			while True :
 				data = self.request.recv(512)
-				if not data or not data in [b"lock", b"reload", b"unlock"] :
+				print(data, flush=True)
+				if not data or not data in [b"lock", b"reload", b"unlock", b"acme"] :
 					break
 				if data == b"lock" :
 					self.server.controller.lock.acquire()

helpers/docker.sh

@@ -1,33 +1,19 @@
 #!/bin/sh
 
-# prepare /www
+# prepare folders
-mkdir /www
-chown -R root:nginx /www
-chmod -R 770 /www
-
-# prepare /acme-challenge
-mkdir /acme-challenge
-chown root:nginx /acme-challenge
-chmod 770 /acme-challenge
-
-# prepare /cache
-mkdir /cache
-chown root:nginx /cache
-chmod 770 /cache
-
-# prepare /plugins
-mkdir /plugins
-chown root:nginx /plugins
-chmod 770 /plugins
-
-# prepare symlinks
 folders="www http-confs server-confs modsec-confs modsec-crs-confs cache pre-server-confs acme-challenge plugins"
 for folder in $folders ; do
-	if [ -e "/opt/bunkerized-nginx/$folder" ] ; then
+	if [ -e "/opt/bunkerized-nginx/${folder}" ] ; then
-		rm -rf "/opt/bunkerized-nginx/$folder"
+		rm -rf "/opt/bunkerized-nginx/${folder}"
 	fi
+	mkdir "/${folder}"
+	chown root:nginx "/${folder}"
+	chmod 770 "/${folder}"
 	ln -s "/$folder" "/opt/bunkerized-nginx/$folder"
 done
+mkdir -p /acme-challenge/.well-known/acme-challenge
+chown -R root:nginx /acme-challenge
+chmod 770 /acme-challenge
 
 # prepare /var/log
 rm -f /var/log/nginx/*

helpers/install.sh

@@ -348,7 +348,7 @@ module_hotfixes=true"
 	elif [ "$OS" = "fedora" ] ; then
 		echo "[*] Install nginx"
 		do_and_check_cmd dnf install -y nginx
-	elif [ "$OS" = "archlinux" ; then
+	elif [ "$OS" = "archlinux" ] ; then
 		echo "[*] Update pacman DB"
 		do_and_check_cmd pacman -Sy
 		echo "[*] Install nginx"
@@ -825,7 +825,7 @@ fi
 # Create acme-challenge folder
 if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ] ; then
 	echo "[*] Create /opt/bunkerized-nginx/acme-challenge folder"
-	do_and_check_cmd mkdir /opt/bunkerized-nginx/acme-challenge
+	do_and_check_cmd mkdir -p /opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge
 fi
 
 # Create plugins folder
@@ -840,7 +840,7 @@ do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx
 do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;
 do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;
 do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
-do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
+do_and_check_cmd chmod -R 770 /opt/bunkerized-nginx/acme-challenge
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py

misc/cron-autoconf

@@ -3,6 +3,6 @@
 45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
 0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
 0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
-30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name remote-api-database --server $(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2) --version $(cat /opt/bunkerized-nginx/VERSION) --id $(cat /opt/bunkerized-nginx/cache/machine.id)" nginx >> /var/log/nginx/jobs.log 2>&1
+30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name remote-api-database --server $(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2) --version $(cat /opt/bunkerized-nginx/VERSION) --id $(cat /opt/bunkerized-nginx/cache/machine.id)" nginx >> /var/log/nginx/jobs.log 2>&1
 0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
 0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1