integrated ajarmoszuk work

bunkerity 2020-10-06 21:52:49 +02:00
parent 919b418d58
commit 6e3c2ddcc2
6 changed files with 108 additions and 90 deletions


@ -175,10 +175,25 @@ Default value :
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code. Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder. For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
`PROXY_REAL_IP` `PROXY_REAL_IP`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly. Set this environment variable to *yes* if you're using bunkerized-nginx behind a reverse proxy. This means you will see the real client address instead of the proxy one inside your logs. Modsecurity, fail2ban and others security tools will also then work correctly.
`PROXY_REAL_IP_FROM`
Values : *\<list of trusted IP addresses and/or networks separated with spaces\>*
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
When `PROXY_REAL_IP` is set to *yes*, lets you define the trusted IPs/networks allowed to send the correct client address.
`PROXY_REAL_IP_HEADER`
Values : *X-Forwarded-For* | *X-Real-IP* | *custom header*
Default value : *X-Forwarded-For*
When `PROXY_REAL_IP` is set to *yes*, lets you define the header that contains the real client IP address.
`PROXY_REAL_IP_RECURSIVE`
Values : *on* | *off*
Default value : *on*
When `PROXY_REAL_IP` is set to *yes*, setting this to *on* avoid spoofing attacks using the header defined in `PROXY_REAL_IP_HEADER`.
## HTTPS ## HTTPS
`AUTO_LETS_ENCRYPT` `AUTO_LETS_ENCRYPT`
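Review bot: the `PROXY_REAL_IP_RECURSIVE` description ("setting this to *on* avoid spoofing attacks") overstates what the flag does; `real_ip_recursive on` makes nginx read the header from the right and pick the last address that is not in `PROXY_REAL_IP_FROM`, whereas `off` takes the last address blindly, so the actual protection against a client injecting its own value is a tight `PROXY_REAL_IP_FROM` list. Suggest wording it as "when *on*, addresses listed in `PROXY_REAL_IP_FROM` are skipped when reading the header, so a client cannot put its own address in front of your proxy's", and adding that the default `192.168.0.0/16 172.16.0.0/12 10.0.0.0/8` trusts every RFC 1918 host; users whose containers share a network with untrusted workloads should narrow it to the proxy's address. Minor: "avoid" should be "avoids", and `PROXY_REAL_IP_RECURSIVE` takes *on* | *off* while every other flag in this file takes *yes* | *no*.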
@ -203,7 +218,7 @@ Values : *yes* | *no*
Default value : *yes* Default value : *yes*
If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled. If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
`USE_CUSTOM_HTTPS` `USE_CUSTOM_HTTPS`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
If set to yes, HTTPS will be enabled with certificate/key of your choice. If set to yes, HTTPS will be enabled with certificate/key of your choice.
@ -218,51 +233,51 @@ Values : *\<any valid path inside the container\>*
Default value : Default value :
Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes. Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
`GENERATE_SELF_SIGNED_SSL` `GENERATE_SELF_SIGNED_SSL`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
If set to yes, HTTPS will be enabled with a container generated self signed SSL. If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
`SELF_SIGNED_SSL_EXPIRY` `SELF_SIGNED_SSL_EXPIRY`
Values : *integer* Values : *integer*
Default value : *365* (1 year) Default value : *365* (1 year)
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the expiry date for the self generated certificate. Sets the expiry date for the self generated certificate.
`SELF_SIGNED_SSL_COUNTRY` `SELF_SIGNED_SSL_COUNTRY`
Values : *text* Values : *text*
Default value : *Switzerland* Default value : *Switzerland*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the country for the self generated certificate. Sets the country for the self generated certificate.
`SELF_SIGNED_SSL_STATE` `SELF_SIGNED_SSL_STATE`
Values : *text* Values : *text*
Default value : *Switzerland* Default value : *Switzerland*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the state for the self generated certificate. Sets the state for the self generated certificate.
`SELF_SIGNED_SSL_CITY` `SELF_SIGNED_SSL_CITY`
Values : *text* Values : *text*
Default value : *Bern* Default value : *Bern*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the city for the self generated certificate. Sets the city for the self generated certificate.
`SELF_SIGNED_SSL_ORG` `SELF_SIGNED_SSL_ORG`
Values : *text* Values : *text*
Default value : *AcmeInc* Default value : *AcmeInc*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisation name for the self generated certificate. Sets the organisation name for the self generated certificate.
`SELF_SIGNED_SSL_OU` `SELF_SIGNED_SSL_OU`
Values : *text* Values : *text*
Default value : *IT* Default value : *IT*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisitional unit for the self generated certificate. Sets the organisitional unit for the self generated certificate.
`SELF_SIGNED_SSL_CN` `SELF_SIGNED_SSL_CN`
Values : *text* Values : *text*
Default value : *bunkerity-nginx* Default value : *bunkerity-nginx*
Needs "GENERATE_SELF_SIGNED_SSL" to work. Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the CN server name for the self generated certificate. Sets the CN server name for the self generated certificate.
## ModSecurity ## ModSecurity
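Review bot: "organisitional" in the `SELF_SIGNED_SSL_OU` description is a typo on both sides and should read "organisational" while this block is being touched. The defaults give `SELF_SIGNED_SSL_STATE` the same value as the country (*Switzerland*) and `SELF_SIGNED_SSL_CN` the value *bunkerity-nginx*, which will never match the name a browser connects to; a sentence telling users to set `SELF_SIGNED_SSL_CN` to their `SERVER_NAME` would avoid a name-mismatch error on top of the expected untrusted-issuer warning.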

confs/https.conf Normal file (7 lines added)

@ -0,0 +1,7 @@
listen 0.0.0.0:443 ssl %HTTP2%;
ssl_certificate %HTTPS_CERT%;
ssl_certificate_key %HTTPS_KEY%;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
%STRICT_TRANSPORT_SECURITY%
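Review bot: `ssl_protocols TLSv1.3;` is hard-coded, so any client without TLS 1.3 support (older Android, some API clients, corporate middleboxes) gets a handshake failure with no way to opt into TLS 1.2 from the environment; if that is intentional it should be stated in the README's HTTPS section, otherwise consider `ssl_protocols TLSv1.2 TLSv1.3;` together with an explicit `ssl_ciphers` list for the 1.2 suites. `ssl_session_tickets off;` and `ssl_prefer_server_ciphers off;` are sensible with a 1.3-only policy. There is no `ssl_session_cache`, so every connection performs a full handshake, and no `ssl_stapling on;`, which matters once the Let's Encrypt path is in use.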


@ -61,9 +61,11 @@ http {
# enable/disable sending nginx version # enable/disable sending nginx version
server_tokens %SERVER_TOKENS%; server_tokens %SERVER_TOKENS%;
# write logs to local syslogd # get real IP address if behind a reverse proxy
%PROXY_REAL_IP% %PROXY_REAL_IP%
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;
# write logs to local syslogd
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn; error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
# lua path # lua path
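Review bot: this hunk keeps `%PROXY_REAL_IP%` inside the `http {` block of this file, but the script hunk in this commit replaces `%PROXY_REAL_IP%` only in `/etc/nginx/server.conf`; unless this file is server.conf, the placeholder survives into the generated config and nginx refuses to start on the unknown directive `%PROXY_REAL_IP%`. Please double-check the target path of that `replace_in_file`. Switching `access_log` to the fixed `combined` format is right: with the realip module active, `$remote_addr` already holds the client address for requests arriving from trusted proxies, so the old `proxy` format built on `$http_x_real_ip` is no longer needed.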


@ -1,3 +1,4 @@
log_format proxy '$http_x_real_ip - $remote_user [$time_local] ' %PROXY_REAL_IP_FROM%
'"$request" $status $body_bytes_sent ' real_ip_header %PROXY_REAL_IP_HEADER%;
'"$http_referer" "$http_user_agent"'; real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
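Review bot: `real_ip_recursive` has no effect when `PROXY_REAL_IP_HEADER` is `X-Real-IP`, because that header carries a single address rather than a chain; the README describes the recursive setting without that qualification. A comment above `%PROXY_REAL_IP_FROM%` noting that the placeholder expands to one `set_real_ip_from` directive per trusted network would also help the next reader, since the file is not valid nginx syntax until the script has filled it in.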


@ -1,8 +1,7 @@
server { server {
include /server-confs/*.conf; include /server-confs/*.conf;
%LISTEN_HTTP% %LISTEN_HTTP%
%AUTO_LETS_ENCRYPT% %USE_HTTPS%
%CUSTOM_HTTPS%
%REDIRECT_HTTP_TO_HTTPS% %REDIRECT_HTTP_TO_HTTPS%
server_name %SERVER_NAME%; server_name %SERVER_NAME%;
%DISABLE_DEFAULT_SERVER% %DISABLE_DEFAULT_SERVER%


@ -132,6 +132,9 @@ LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}" LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}" PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}" GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}" SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}" SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
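Review bot: `GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"` carries a stray `"` before the closing brace (unchanged context, but adjacent to the new lines); the default should be written `"${GENERATE_SELF_SIGNED_SSL-no}"` like the three new `PROXY_REAL_IP_*` lines, otherwise the fallback value is not a clean `no`. The new defaults themselves look right; `PROXY_REAL_IP_FROM` keeps a space-separated list, matching the `for from in $PROXY_REAL_IP_FROM` loop later in the script.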
@ -283,59 +286,45 @@ if [ "$BLOCK_ABUSERS" = "yes" ] ; then
else else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "" replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
fi fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] && [ "$USE_CUSTOM_HTTPS" = "no" ]; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "include /etc/nginx/auto-lets-encrypt.conf;"
# HTTPS config
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
if [ "$HTTP2" = "yes" ] ; then if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "http2" replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
else else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "" replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
fi
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%FIRST_SERVER_NAME%" "$FIRST_SERVER_NAME"
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
/opt/scripts/certbot-renew.sh
else
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
fi
if [ "$USE_CUSTOM_HTTPS" = "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "no" ]; then
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" ""
fi fi
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';" replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else else
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "" replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi fi
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT" if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY" FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
/opt/scripts/certbot-renew.sh
else
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
mkdir /etc/nginx/self-signed-ssl/ mkdir /etc/nginx/self-signed-ssl/
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "/etc/nginx/self-signed-ssl/key.pem" replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
else fi
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
fi
else else
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "" replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
fi fi
if [ "$LISTEN_HTTP" = "yes" ] ; then if [ "$LISTEN_HTTP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;" replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
else else
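Review bot: the custom-certificate branch now reads `$CUSTOM_HTTPS_CERT` / `$CUSTOM_HTTPS_KEY`, while the code being removed used `$HTTPS_CUSTOM_CERT` / `$HTTPS_CUSTOM_KEY`; nothing else in this diff renames those variables, so unless the defaults and README were updated in a hunk not shown, `USE_CUSTOM_HTTPS=yes` will substitute empty strings and nginx will fail to start with an empty `ssl_certificate`. The old code also enforced mutual exclusion (`AUTO_LETS_ENCRYPT=yes` required `USE_CUSTOM_HTTPS=no`); the new `if` / `elif` / `elif` chain silently lets Let's Encrypt win over custom and self-signed, so a log line when more than one option is set would save users confusion. In the self-signed branch, `openssl req` writes an unencrypted key with the default umask and no `subjectAltName`; a `chmod 600 /etc/nginx/self-signed-ssl/key.pem` after generation and `-addext "subjectAltName=DNS:$SELF_SIGNED_SSL_CN"` (OpenSSL 1.1.1 or later) would make the result usable by current browsers, which ignore the CN.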
@ -372,11 +361,16 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "" replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
fi fi
if [ "$PROXY_REAL_IP" = "yes" ] ; then if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;" replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy" froms=""
for from in $PROXY_REAL_IP_FROM ; do
froms="${froms}set_real_ip_from ${from};\n"
done
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
else else
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "" replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
fi fi
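Review bot: the `froms` string is built with a literal `\n` inside double quotes (`froms="${froms}set_real_ip_from ${from};\n"`), which POSIX sh does not turn into a newline; whether the result is one directive per line depends on `replace_in_file` (a sed replacement does expand `\n`, a plain string substitution does not, and the latter would leave nginx with an unknown directive `\nset_real_ip_from`). Worth checking with `nginx -t` at start-up, or building real newlines with `printf` so the behaviour does not depend on the helper's implementation.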