From 70f9f8417e7999bf03c64059e9ccc9d07b697f48 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Fri, 2 Jul 2021 09:48:57 +0200 Subject: [PATCH] templates - add missing new line when necessary --- confs/global/api.conf | 2 +- confs/global/geoip.conf | 6 +- confs/global/init-lua.conf | 18 +++--- .../multisite-default-server-https.conf | 4 +- confs/global/multisite-default-server.conf | 6 +- confs/global/nginx.conf | 44 ++++++------- confs/site/authelia-auth-request.conf | 2 +- confs/site/custom-https.conf | 2 +- confs/site/error.conf | 2 +- confs/site/https.conf | 6 +- confs/site/log-lua.conf | 4 +- confs/site/main-lua.conf | 64 +++++++++---------- confs/site/modsecurity-rules.conf | 8 +-- confs/site/proxy-cache.conf | 2 +- confs/site/proxy-real-ip.conf | 2 +- confs/site/reverse-proxy.conf | 10 +-- confs/site/server.conf | 62 +++++++++--------- 17 files changed, 122 insertions(+), 122 deletions(-) diff --git a/confs/global/api.conf b/confs/global/api.conf index cf62567..8780549 100644 --- a/confs/global/api.conf +++ b/confs/global/api.conf @@ -2,7 +2,7 @@ rewrite_by_lua_block { local api = require "api" - local api_whitelist_ip = {% raw %}{{% endraw %}{% if API_WHITELIST_IP != ""%}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} + local api_whitelist_ip = {% raw %}{{% endraw %}{% if API_WHITELIST_IP != ""%}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} local api_uri = "{{ API_URI }}" local logger = require "logger" diff --git a/confs/global/geoip.conf b/confs/global/geoip.conf index 22fc9cb..697f1d9 100644 --- a/confs/global/geoip.conf +++ b/confs/global/geoip.conf 
@@ -5,14 +5,14 @@ geoip2 /etc/nginx/geoip.mmdb { } map $geoip2_data_country_code $allowed_country { - default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %}; + default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif +%}; {% if WHITELIST_COUNTRY != "" %} - {% for country in WHITELIST_COUNTRY.split(" ") %} + {% for country in WHITELIST_COUNTRY.split(" ") +%} {{ country }} yes; {% endfor %} {% endif %} {% if BLACKLIST_COUNTRY != "" %} - {% for country in BLACKLIST_COUNTRY.split(" ") %} + {% for country in BLACKLIST_COUNTRY.split(" ") +%} {{ country }} no; {% endfor %} {% endif %} diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf index f674507..0cf33a3 100644 --- a/confs/global/init-lua.conf +++ b/confs/global/init-lua.conf 
@@ -1,15 +1,15 @@ init_by_lua_block { -local dataloader = require "dataloader" -local logger = require "logger" -local cjson = require "cjson" +local dataloader = require "dataloader" +local logger = require "logger" +local cjson = require "cjson" -local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %} -local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %} -local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %} -local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %} -local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %} -local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %} +local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%} +local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%} +local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%} +local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%} +local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%} +local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%} if use_proxies then dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) diff --git a/confs/global/multisite-default-server-https.conf b/confs/global/multisite-default-server-https.conf index 2f5e87d..fae416c 100644 --- a/confs/global/multisite-default-server-https.conf +++ b/confs/global/multisite-default-server-https.conf 
@@ -6,8 +6,8 @@ ssl_prefer_server_ciphers off; ssl_session_tickets off; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; -{% if "TLSv1.2" in HTTPS_PROTOCOLS %} +{% if "TLSv1.2" in HTTPS_PROTOCOLS +%} ssl_dhparam /etc/nginx/dhparam; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -{% endif %} +{% endif +%} include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf; diff --git a/confs/global/multisite-default-server.conf b/confs/global/multisite-default-server.conf index 888719c..22ece54 100644 --- a/confs/global/multisite-default-server.conf +++ b/confs/global/multisite-default-server.conf @@ -1,11 +1,11 @@ server { - {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}; + {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif +%}; server_name _; - {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %} + {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%} {% if USE_API == "yes" %} location ^~ {{ API_URI }} { include /etc/nginx/api.conf; } {% endif %} - {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %} + {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif +%} } diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index cf3df3b..02b2684 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf 
@@ -79,33 +79,33 @@ http { # lua path and dicts lua_package_path "/usr/local/lib/lua/?.lua;/opt/bunkerized-nginx/plugins/?.lua;;"; - {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %} - {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %} - {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %} - {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %} - {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %} - {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %} - {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %} - {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %} - {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %} - {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %} - {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %} - {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %} - {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %} - {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %} + {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif +%} + {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif +%} + {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif +%} + {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif +%} + {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif +%} + {% if 
has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif +%} + {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif +%} + {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif +%} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif +%} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif +%} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif +%} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif +%} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif +%} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif +%} lua_shared_dict plugins_data 10m; # shared memory zone for limit_req - {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %} + {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif +%} # shared memory zone for limit_conn - {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %} + {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif +%} # whitelist or blacklist country - {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %} + {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif +%} # zone for proxy_cache - {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %} + {% if has_value("USE_PROXY_CACHE", "yes") 
%}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif +%} # custom http confs include /opt/bunkerized-nginx/http-confs/*.conf; @@ -114,7 +114,7 @@ http { include /etc/nginx/init-lua.conf; # default server when MULTISITE=yes - {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %} + {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif +%} # server config(s) {% if MULTISITE == "yes" and SERVER_NAME != "" %} @@ -137,13 +137,13 @@ http { {% endif %} {% endif %} {% endfor %} - {% for first_server in map_servers %} + {% for first_server in map_servers +%} include /etc/nginx/{{ first_server }}/server.conf; {% endfor %} - {% elif MULTISITE == "no" %} + {% elif MULTISITE == "no" +%} include /etc/nginx/server.conf; {% endif %} # API - {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %} + {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif +%} } diff --git a/confs/site/authelia-auth-request.conf b/confs/site/authelia-auth-request.conf index 4236af2..ef2c268 100644 --- a/confs/site/authelia-auth-request.conf +++ b/confs/site/authelia-auth-request.conf @@ -21,6 +21,6 @@ proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; -{% if AUTHELIA_MODE == "portal" %} +{% if AUTHELIA_MODE == "portal" +%} error_page 401 =302 {{ AUTHELIA_BACKEND }}/?rd=$target_url; {% endif %} diff --git a/confs/site/custom-https.conf b/confs/site/custom-https.conf index 03721b5..9970f70 100644 --- a/confs/site/custom-https.conf +++ b/confs/site/custom-https.conf 
@@ -4,6 +4,6 @@ ssl_certificate_key {{ HTTPS_CUSTOM_KEY }}; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; ssl_session_tickets off; -{% if STRICT_TRANSPORT_SECURITY != "" %} +{% if STRICT_TRANSPORT_SECURITY != "" +%} more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}'; {% endif %} diff --git a/confs/site/error.conf b/confs/site/error.conf index 36ed521..7a17af8 100644 --- a/confs/site/error.conf +++ b/confs/site/error.conf @@ -14,7 +14,7 @@ location = {{ page }} { {% set default_errors = ["400", "401", "403", "404", "429", "500", "501", "502", "503", "504"] %} {% for default_error in default_errors %} - {% if not default_error + "=" in ERRORS %} + {% if not default_error + "=" in ERRORS +%} error_page {{ default_error }} /errors/{{ default_error }}.html; location = /errors/{{ default_error }}.html { diff --git a/confs/site/https.conf b/confs/site/https.conf index a3fab62..62bd9ea 100644 --- a/confs/site/https.conf +++ b/confs/site/https.conf @@ -22,13 +22,13 @@ ssl_prefer_server_ciphers on; ssl_session_tickets off; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; -{% if STRICT_TRANSPORT_SECURITY != "" %} +{% if STRICT_TRANSPORT_SECURITY != "" +%} more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}'; {% endif %} -{% if "TLSv1.2" in HTTPS_PROTOCOLS %} +{% if "TLSv1.2" in HTTPS_PROTOCOLS +%} ssl_dhparam /etc/nginx/dhparam; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; {% endif %} -{% if AUTO_LETS_ENCRYPT %} +{% if AUTO_LETS_ENCRYPT +%} include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf; {% endif %} diff --git a/confs/site/log-lua.conf b/confs/site/log-lua.conf index 377ac9c..33a5bc7 100644 --- a/confs/site/log-lua.conf +++ b/confs/site/log-lua.conf 
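Review bot: `{% if AUTO_LETS_ENCRYPT +%}` in the https.conf hunk tests the bare truthiness of the variable, while every other template on this page compares it as a string (`{% if AUTO_LETS_ENCRYPT == "yes" %}` in main-lua.conf and `{% if AUTO_LETS_ENCRYPT == "yes" or ... %}` in server.conf), so if the value arrives as a string, any non-empty setting including `no` emits the `include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;` line. The condition should read `{% if AUTO_LETS_ENCRYPT == "yes" +%}` to match the sibling templates. Whether the value is a string or a boolean at render time is not visible here, but the other comparisons suggest a string.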
@@ -1,9 +1,9 @@ log_by_lua_block { -- bad behavior -local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} +local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif +%} local behavior = require "behavior" -local bad_behavior_status_codes = {% raw %}{{% endraw %}{% if BAD_BEHAVIOR_STATUS_CODES != "" %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local bad_behavior_status_codes = {% raw %}{{% endraw %}{% if BAD_BEHAVIOR_STATUS_CODES != "" %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }} local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }} local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }} diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index f4f5a07..e3e0362 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf @@ -1,6 +1,6 @@ -{% if ANTIBOT_SESSION_SECRET == "random" %} -set $session_secret {{ random(32) }} ; -{% else %} +{% if ANTIBOT_SESSION_SECRET == "random" +%} +set $session_secret {{ random(32) }}; +{% else +%} set $session_secret {{ ANTIBOT_SESSION_SECRET }}; {% endif %} set $session_check_addr on; 
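Review bot: In the main-lua.conf hunk the `else` branch `set $session_secret {{ ANTIBOT_SESSION_SECRET }};` interpolates an operator-supplied value unquoted into an nginx directive, so a secret containing whitespace, `;`, `#` or `$` either fails `nginx -t` or changes what the directive means; the `random(32)` branch has the same exposure only if that helper can emit such characters, which is not visible here. Quoting the value, `set $session_secret "{{ ANTIBOT_SESSION_SECRET }}";`, covers whitespace, `;` and `#`, and validating the setting against a restricted alphabet before rendering covers `$` and `"`. If `random(32)` is evaluated at template render time, as its position suggests, a comment next to that branch stating that the secret is fixed when the config is generated and rotates on every regeneration would help operators reason about session invalidation.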
@@ -13,48 +13,48 @@ if ngx.req.is_internal() then end -- let's encrypt -local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %} +local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif +%} -- external blacklists -local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %} -local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %} -local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %} -local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %} -local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %} +local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif +%} +local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif +%} +local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif +%} +local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif +%} +local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif +%} -- countries -local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %} +local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%} -- crowdsec -local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %} +local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%} -- antibot -local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %} -local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %} -local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %} -local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %} +local use_antibot_cookie = {% if 
USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%} +local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%} +local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif +%} +local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif +%} -- resolvers -local dns_resolvers = {% raw %}{{% endraw %}{% if DNS_RESOLVERS != "" %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local dns_resolvers = {% raw %}{{% endraw %}{% if DNS_RESOLVERS != "" %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} -- whitelist -local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %} -local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %} -local whitelist_ip_list = {% raw %}{{% endraw %}{% if WHITELIST_IP_LIST != "" %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -local whitelist_reverse_list = {% raw %}{{% endraw %}{% if WHITELIST_REVERSE_LIST != "" %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif +%} +local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif +%} +local whitelist_ip_list = {% raw %}{{% endraw %}{% if WHITELIST_IP_LIST != "" %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for 
i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} +local whitelist_reverse_list = {% raw %}{{% endraw %}{% if WHITELIST_REVERSE_LIST != "" %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} -- blacklist -local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %} -local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %} -local blacklist_ip_list = {% raw %}{{% endraw %}{% if BLACKLIST_IP_LIST != "" %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -local blacklist_reverse_list = {% raw %}{{% endraw %}{% if BLACKLIST_REVERSE_LIST != "" %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif +%} +local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif +%} +local blacklist_ip_list = {% raw %}{{% endraw %}{% if BLACKLIST_IP_LIST != "" %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} +local blacklist_reverse_list = {% raw %}{{% endraw %}{% if BLACKLIST_REVERSE_LIST != "" %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} -- dnsbl -local use_dnsbl 
= {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %} -local dnsbl_list = {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif +%} +local dnsbl_list = {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} -- bad behavior -local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} +local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif +%} -- include LUA code local whitelist = require "whitelist" 
@@ -70,8 +70,8 @@ local logger = require "logger" -- user variables local antibot_uri = "{{ ANTIBOT_URI }}" -local whitelist_user_agent = {% raw %}{{% endraw %}{% if WHITELIST_USER_AGENT != "" %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} -local whitelist_uri = {% raw %}{{% endraw %}{% if WHITELIST_URI != "" %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %} +local whitelist_user_agent = {% raw %}{{% endraw %}{% if WHITELIST_USER_AGENT != "" %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} +local whitelist_uri = {% raw %}{{% endraw %}{% if WHITELIST_URI != "" %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%} -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then @@ -309,10 +309,10 @@ ngx.exit(ngx.OK) } -{% if USE_ANTIBOT == "javascript" %} +{% if USE_ANTIBOT == "javascript" +%} include {{ NGINX_PREFIX }}antibot-javascript.conf; -{% elif USE_ANTIBOT == "captcha" %} +{% elif USE_ANTIBOT == "captcha" +%} include {{ NGINX_PREFIX }}antibot-captcha.conf; -{% elif USE_ANTIBOT == "recaptcha" %} +{% elif USE_ANTIBOT == "recaptcha" +%} include {{ NGINX_PREFIX }}antibot-recaptcha.conf; {% endif %} diff --git a/confs/site/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf index aba560d..ada388b 100644 --- a/confs/site/modsecurity-rules.conf +++ b/confs/site/modsecurity-rules.conf 
@@ -58,10 +58,10 @@ SecAuditLog /var/log/nginx/modsec_audit.log include /opt/bunkerized-nginx/crs-setup.conf # custom CRS configurations before loading rules (exclusions) -{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") %} +{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") +%} include /opt/bunkerized-nginx/modsec-crs-confs/*.conf {% endif %} -{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) %} +{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) +%} include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf {% endif %} @@ -70,9 +70,9 @@ include /opt/bunkerized-nginx/crs/*.conf {% endif %} # custom rules after loading the CRS -{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") %} +{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") +%} include /opt/bunkerized-nginx/modsec-confs/*.conf {% endif %} -{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) %} +{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) +%} include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf {% endif %} diff --git a/confs/site/proxy-cache.conf b/confs/site/proxy-cache.conf index 0daf86d..dbc84d4 100644 --- a/confs/site/proxy-cache.conf +++ b/confs/site/proxy-cache.conf @@ -5,7 +5,7 @@ proxy_cache_key {{ PROXY_CACHE_KEY }}; proxy_no_cache {{ PROXY_NO_CACHE }}; proxy_cache_bypass {{ PROXY_CACHE_BYPASS }}; {% if PROXY_CACHE_VALID != "" %} -{% for element in PROXY_CACHE_VALID.split(" ") %} +{% for element in PROXY_CACHE_VALID.split(" ") +%} proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }}; {% endfor %} {% endif %} diff --git a/confs/site/proxy-real-ip.conf b/confs/site/proxy-real-ip.conf index 490576a..1f56ab5 100644 --- a/confs/site/proxy-real-ip.conf +++ b/confs/site/proxy-real-ip.conf 
@@ -1,5 +1,5 @@ {% if PROXY_REAL_IP_FROM != "" %} - {% for element in PROXY_REAL_IP_FROM.split(" ") %} + {% for element in PROXY_REAL_IP_FROM.split(" ") +%} set_real_ip_from {{ element }}; {% endfor %} {% endif %} diff --git a/confs/site/reverse-proxy.conf b/confs/site/reverse-proxy.conf index e1b55ae..f448bdf 100644 --- a/confs/site/reverse-proxy.conf +++ b/confs/site/reverse-proxy.conf @@ -1,24 +1,24 @@ {% if USE_REVERSE_PROXY == "yes" %} {% for k, v in all.items() %} - {% if k.startswith("REVERSE_PROXY_URL") and v != "" %} + {% if k.startswith("REVERSE_PROXY_URL") and v != "" +%} {% set url = v %} {% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %} {% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %} {% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %} -location {{ url }} {% raw %}{{% endraw %} +location {{ url }} {% raw %}{{% endraw +%} etag off; proxy_pass {{ host }}; - {% if USE_AUTHELIA == "yes" %} + {% if USE_AUTHELIA == "yes" +%} include {{ NGINX_PREFIX }}authelia-auth-request.conf; {% endif %} include {{ NGINX_PREFIX }}reverse-proxy-headers.conf; - {% if ws == "yes" %} + {% if ws == "yes" +%} proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; {% endif %} {% if headers != "" %} - {% for header in headers.split(";") %} + {% for header in headers.split(";") +%} proxy_set_header {{ header }}; {% endfor %} {% endif %} diff --git a/confs/site/server.conf b/confs/site/server.conf index 0e7411d..138d2f6 100644 --- a/confs/site/server.conf +++ b/confs/site/server.conf 
@@ -1,24 +1,24 @@ # custom config before server block include /opt/bunkerized-nginx/pre-server-confs/*.conf; -{% if MULTISITE == "yes" %} +{% if MULTISITE == "yes" +%} include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf; {% endif %} server { # FastCGI variables -{% if REMOTE_PHP != "" %} +{% if REMOTE_PHP != "" +%} include {{ NGINX_PREFIX }}fastcgi.conf; {% endif %} # custom config include /opt/bunkerized-nginx/server-confs/*.conf; -{% if MULTISITE == "yes" %} +{% if MULTISITE == "yes" +%} include /opt/bunkerized-nginx/server-confs/{{ FIRST_SERVER }}/*.conf; {% endif %} # proxy real IP -{% if PROXY_REAL_IP == "yes" %} +{% if PROXY_REAL_IP == "yes" +%} include {{ NGINX_PREFIX }}proxy-real-ip.conf; {% endif %} @@ -27,22 +27,22 @@ server { include {{ NGINX_PREFIX }}log-lua.conf; # ModSecurity -{% if USE_MODSECURITY == "yes" %} +{% if USE_MODSECURITY == "yes" +%} include {{ NGINX_PREFIX }}modsecurity.conf; {% endif %} # HTTP listen -{% if LISTEN_HTTP == "yes" %} +{% if LISTEN_HTTP == "yes" +%} listen 0.0.0.0:{{ HTTP_PORT }}; {% endif %} # HTTPS listen + config -{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %} +{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" +%} include {{ NGINX_PREFIX }}https.conf; {% endif %} # HTTP to HTTPS -{% if REDIRECT_HTTP_TO_HTTPS == "yes" %} +{% if REDIRECT_HTTP_TO_HTTPS == "yes" +%} include {{ NGINX_PREFIX }}redirect-http-to-https.conf; {% endif %} @@ -50,12 +50,12 @@ server { server_name {{ SERVER_NAME }}; # disable default server -{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %} +{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" +%} include {{ NGINX_PREFIX }}disable-default-server.conf; {% endif %} # serve local files -{% if SERVE_FILES == "yes" %} +{% if SERVE_FILES == "yes" +%} include {{ NGINX_PREFIX }}serve-files.conf; {% endif %} 
@@ -65,17 +65,17 @@ server { } # requests limiting -{% if USE_LIMIT_REQ == "yes" %} +{% if USE_LIMIT_REQ == "yes" +%} include {{ NGINX_PREFIX }}limit-req.conf; {% endif %} # connections limiting -{% if USE_LIMIT_CONN == "yes" %} +{% if USE_LIMIT_CONN == "yes" +%} include {{ NGINX_PREFIX }}limit-conn.conf; {% endif %} # auth basic -{% if USE_AUTH_BASIC == "yes" %} +{% if USE_AUTH_BASIC == "yes" +%} {% if AUTH_BASIC_LOCATION == "sitewide" %} include {{ NGINX_PREFIX }}auth-basic-sitewide.conf; {% else %} @@ -85,48 +85,48 @@ server { # remove headers {% if REMOVE_HEADERS != "" %} - {% for header in REMOVE_HEADERS.split(" ") %} + {% for header in REMOVE_HEADERS.split(" ") +%} more_clear_headers '{{ header }}'; {% endfor %} {% endif %} # X-Frame-Option header -{% if X_FRAME_OPTIONS != "" %} +{% if X_FRAME_OPTIONS != "" +%} include {{ NGINX_PREFIX }}x-frame-options.conf; {% endif %} # X-XSS-Protection header -{% if X_XSS_PROTECTION != "" %} +{% if X_XSS_PROTECTION != "" +%} include {{ NGINX_PREFIX }}x-xss-protection.conf; {% endif %} # X-Content-Type header -{% if X_CONTENT_TYPE_OPTIONS != "" %} +{% if X_CONTENT_TYPE_OPTIONS != "" +%} include {{ NGINX_PREFIX }}x-content-type-options.conf; {% endif %} # Content-Security-Policy header -{% if CONTENT_SECURITY_POLICY != "" %} +{% if CONTENT_SECURITY_POLICY != "" +%} include {{ NGINX_PREFIX }}content-security-policy.conf; {% endif %} # Referrer-Policy header -{% if REFERRER_POLICY != "" %} +{% if REFERRER_POLICY != "" +%} include {{ NGINX_PREFIX }}referrer-policy.conf; {% endif %} # Feature-Policy header -{% if FEATURE_POLICY != "" %} +{% if FEATURE_POLICY != "" +%} include {{ NGINX_PREFIX }}feature-policy.conf; {% endif %} # Permissions-Policy header -{% if PERMISSIONS_POLICY != "" %} +{% if PERMISSIONS_POLICY != "" +%} include {{ NGINX_PREFIX }}permissions-policy.conf; {% endif %} # cookie flags -{% if COOKIE_FLAGS != "" %} +{% if COOKIE_FLAGS != "" +%} include {{ NGINX_PREFIX }}cookie-flags.conf; {% endif %} 
@@ -134,17 +134,17 @@ server { include {{ NGINX_PREFIX }}error.conf; # client caching -{% if USE_CLIENT_CACHE == "yes" %} +{% if USE_CLIENT_CACHE == "yes" +%} include {{ NGINX_PREFIX }}client-cache.conf; {% endif %} # gzip compression -{% if USE_GZIP == "yes" %} +{% if USE_GZIP == "yes" +%} include {{ NGINX_PREFIX }}gzip.conf; {% endif %} # brotli compression -{% if USE_BROTLI == "yes" %} +{% if USE_BROTLI == "yes" +%} include {{ NGINX_PREFIX }}brotli.conf; {% endif %} @@ -155,33 +155,33 @@ server { server_tokens {{ SERVER_TOKENS }}; # open file caching -{% if USE_OPEN_FILE_CACHE == "yes" %} +{% if USE_OPEN_FILE_CACHE == "yes" +%} include {{ NGINX_PREFIX }}open-file-cache.conf; {% endif %} # proxy caching -{% if USE_PROXY_CACHE == "yes" %} +{% if USE_PROXY_CACHE == "yes" +%} include {{ NGINX_PREFIX }}proxy-cache.conf; {% endif %} # authelia -{% if USE_AUTHELIA == "yes" %} +{% if USE_AUTHELIA == "yes" +%} include {{ NGINX_PREFIX }}authelia-upstream.conf; include {{ NGINX_PREFIX }}authelia-auth-request.conf; {% endif %} # inject into body -{% if INJECT_BODY != "" %} +{% if INJECT_BODY != "" +%} include {{ NGINX_PREFIX}}inject-body.conf; {% endif %} # reverse proxy -{% if USE_REVERSE_PROXY == "yes" %} +{% if USE_REVERSE_PROXY == "yes" +%} include {{ NGINX_PREFIX }}reverse-proxy.conf; {% endif %} # remote PHP -{% if REMOTE_PHP != "" %} +{% if REMOTE_PHP != "" +%} include {{ NGINX_PREFIX }}php.conf; {% endif %}