Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

integrated ajarmoszuk work

Browse Source
This commit is contained in:
bunkerity 2020-10-06 21:52:49 +02:00
parent 919b418d58
commit 6e3c2ddcc2
6 changed files with 108 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -178,7 +178,22 @@ For example : `ERROR_404=/404.html` means the /404.html page will be displayed w
`PROXY_REAL_IP` `PROXY_REAL_IP`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly. Set this environment variable to *yes* if you're using bunkerized-nginx behind a reverse proxy. This means you will see the real client address instead of the proxy one inside your logs. Modsecurity, fail2ban and others security tools will also then work correctly.
`PROXY_REAL_IP_FROM`
Values : *\<list of trusted IP addresses and/or networks separated with spaces\>*
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
When `PROXY_REAL_IP` is set to *yes*, lets you define the trusted IPs/networks allowed to send the correct client address.
`PROXY_REAL_IP_HEADER`
Values : *X-Forwarded-For* | *X-Real-IP* | *custom header*
Default value : *X-Forwarded-For*
When `PROXY_REAL_IP` is set to *yes*, lets you define the header that contains the real client IP address.
`PROXY_REAL_IP_RECURSIVE`
Values : *on* | *off*
Default value : *on*
When `PROXY_REAL_IP` is set to *yes*, setting this to *on* avoid spoofing attacks using the header defined in `PROXY_REAL_IP_HEADER`.
## HTTPS ## HTTPS
`AUTO_LETS_ENCRYPT` `AUTO_LETS_ENCRYPT`
@ -221,48 +236,48 @@ Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
`GENERATE_SELF_SIGNED_SSL` `GENERATE_SELF_SIGNED_SSL`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
If set to yes, HTTPS will be enabled with a container generated self signed SSL. If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
`SELF_SIGNED_SSL_EXPIRY` `SELF_SIGNED_SSL_EXPIRY`
Values : *integer* Values : *integer*
Default value : *365* (1 year) Default value : *365* (1 year)
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the expiry date for the self generated certificate. Sets the expiry date for the self generated certificate.
`SELF_SIGNED_SSL_COUNTRY` `SELF_SIGNED_SSL_COUNTRY`
Values : *text* Values : *text*
Default value : *Switzerland* Default value : *Switzerland*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the country for the self generated certificate. Sets the country for the self generated certificate.
`SELF_SIGNED_SSL_STATE` `SELF_SIGNED_SSL_STATE`
Values : *text* Values : *text*
Default value : *Switzerland* Default value : *Switzerland*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the state for the self generated certificate. Sets the state for the self generated certificate.
`SELF_SIGNED_SSL_CITY` `SELF_SIGNED_SSL_CITY`
Values : *text* Values : *text*
Default value : *Bern* Default value : *Bern*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the city for the self generated certificate. Sets the city for the self generated certificate.
`SELF_SIGNED_SSL_ORG` `SELF_SIGNED_SSL_ORG`
Values : *text* Values : *text*
Default value : *AcmeInc* Default value : *AcmeInc*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisation name for the self generated certificate. Sets the organisation name for the self generated certificate.
`SELF_SIGNED_SSL_OU` `SELF_SIGNED_SSL_OU`
Values : *text* Values : *text*
Default value : *IT* Default value : *IT*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisitional unit for the self generated certificate. Sets the organisitional unit for the self generated certificate.
`SELF_SIGNED_SSL_CN` `SELF_SIGNED_SSL_CN`
Values : *text* Values : *text*
Default value : *bunkerity-nginx* Default value : *bunkerity-nginx*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the CN server name for the self generated certificate. Sets the CN server name for the self generated certificate.
## ModSecurity ## ModSecurity

7
confs/https.conf Normal file
View File

@ -0,0 +1,7 @@
listen 0.0.0.0:443 ssl %HTTP2%;
ssl_certificate %HTTPS_CERT%;
ssl_certificate_key %HTTPS_KEY%;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
%STRICT_TRANSPORT_SECURITY%

6
confs/nginx.conf
View File

@ -61,9 +61,11 @@ http {
# enable/disable sending nginx version # enable/disable sending nginx version
server_tokens %SERVER_TOKENS%; server_tokens %SERVER_TOKENS%;
# write logs to local syslogd # get real IP address if behind a reverse proxy
%PROXY_REAL_IP% %PROXY_REAL_IP%
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;
# write logs to local syslogd
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn; error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
# lua path # lua path

7
confs/proxy-real-ip.conf
View File

@ -1,3 +1,4 @@
log_format proxy '$http_x_real_ip - $remote_user [$time_local] ' %PROXY_REAL_IP_FROM%
'"$request" $status $body_bytes_sent ' real_ip_header %PROXY_REAL_IP_HEADER%;
'"$http_referer" "$http_user_agent"'; real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;

3
confs/server.conf
View File

@ -1,8 +1,7 @@
server { server {
include /server-confs/*.conf; include /server-confs/*.conf;
%LISTEN_HTTP% %LISTEN_HTTP%
%AUTO_LETS_ENCRYPT% %USE_HTTPS%
%CUSTOM_HTTPS%
%REDIRECT_HTTP_TO_HTTPS% %REDIRECT_HTTP_TO_HTTPS%
server_name %SERVER_NAME%; server_name %SERVER_NAME%;
%DISABLE_DEFAULT_SERVER% %DISABLE_DEFAULT_SERVER%

76
entrypoint.sh
View File

@ -132,6 +132,9 @@ LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}" LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}" PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}" GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}" SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}" SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
@ -283,59 +286,45 @@ if [ "$BLOCK_ABUSERS" = "yes" ] ; then
else else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "" replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
fi fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] && [ "$USE_CUSTOM_HTTPS" = "no" ]; then
# HTTPS config
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
fi
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g") DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}" EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "include /etc/nginx/auto-lets-encrypt.conf;" replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" ""
fi
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%FIRST_SERVER_NAME%" "$FIRST_SERVER_NAME"
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
/opt/scripts/certbot-renew.sh /opt/scripts/certbot-renew.sh
else else
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
fi fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
else elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "" replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
fi replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
if [ "$USE_CUSTOM_HTTPS" = "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "no" ]; then elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" ""
fi
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
mkdir /etc/nginx/self-signed-ssl/ mkdir /etc/nginx/self-signed-ssl/
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "/etc/nginx/self-signed-ssl/key.pem" replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
else
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
fi fi
else else
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "" replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
fi fi
if [ "$LISTEN_HTTP" = "yes" ] ; then if [ "$LISTEN_HTTP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;" replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
else else
@ -373,10 +362,15 @@ else
fi fi
if [ "$PROXY_REAL_IP" = "yes" ] ; then if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;" replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy" froms=""
for from in $PROXY_REAL_IP_FROM ; do
froms="${froms}set_real_ip_from ${from};\n"
done
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
else else
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "" replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
fi fi