fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode

2021-04-16 16:56:45 +02:00 · 2021-04-16 16:56:45 +02:00 · 74417abc9c
commit 74417abc9c
parent ba7524a419
10 changed files with 48 additions and 15 deletions
--- a/2
+++ b/2
@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 EXPOSE 8080/tcp 8443/tcp
-USER nginx
+USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/2
+++ b/2
@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 EXPOSE 8080/tcp 8443/tcp
-USER nginx
+USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/2
+++ b/2
@ -27,6 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 EXPOSE 8080/tcp 8443/tcp
-USER nginx
+USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/2
+++ b/2
@ -27,6 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 EXPOSE 8080/tcp 8443/tcp
-USER nginx
+USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/2
+++ b/2
@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 EXPOSE 8080/tcp 8443/tcp
-USER nginx
+USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-bla<p align="center">
+<p align="center">
 	<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
 </p>
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@ -53,7 +53,11 @@ if [ ! -f "/opt/installed" ] ; then
 	echo "[*] Configuring bunkerized-nginx ..."
 	# check permissions
-	/opt/entrypoint/permissions.sh
+	if [ "$SWARM_MODE" = "no" ] ; then
 		/opt/entrypoint/permissions.sh
 	else
 		/opt/entrypoint/permissions-swarm.sh
 	fi
 	if [ "$?" -ne 0 ] ; then
 		exit 1
 	fi
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -10,14 +10,18 @@
 cp /opt/confs/global/* /etc/nginx/
 # include server block(s)
-if [ "$MULTISITE" = "yes" ] ; then
+if [ "$SWARM_MODE" = "no" ] ; then
-	includes=""
+	if [ "$MULTISITE" = "yes" ] ; then
-	for server in $SERVER_NAME ; do
+		includes=""
-		includes="${includes}include /etc/nginx/${server}/server.conf;\n"
+		for server in $SERVER_NAME ; do
-	done
+			includes="${includes}include /etc/nginx/${server}/server.conf;\n"
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
+		done
 		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
 	else
 		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
 	fi
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
+	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
 fi
 # setup default server block if multisite
--- a/entrypoint/permissions-swarm.sh
+++ b/entrypoint/permissions-swarm.sh
@ -0,0 +1,25 @@
 #!/bin/bash
 # /etc/letsencrypt
 if [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
 	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
 	exit 1
 fi
 # /www
 if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
 	echo "[!] ERROR - wrong permissions on /www"
 	exit 2
 fi
 # /etc/nginx
 if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
 	echo "[!] ERROR - wrong permissions on /etc/nginx"
 	exit 3
 fi
 # /acme-challenge
 if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
 	echo "[!] ERROR - wrong permissions on /acme-challenge"
 	exit 4
 fi
--- a/entrypoint/permissions.sh
+++ b/entrypoint/permissions.sh
@ -2,7 +2,7 @@
 # /etc/letsencrypt
 if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
-	echo "[!] ERROR - wrong permissions on /etc/letsencrypt"
+	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
 	exit 1
 fi