diff --git a/README.md b/README.md index b81fa6d..843173b 100644 --- a/README.md +++ b/README.md @@ -178,7 +178,22 @@ If set to yes, nginx will redirect all HTTP requests to HTTPS. `HTTP2` Values : *yes* | *no* Default value : *yes* -If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled. +If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled. + +`USE_CUSTOM_HTTPS` +Values : *yes* | *no* +Default value : *no* +If set to yes, HTTPS will be enabled with certificate/key of your choice. + +`CUSTOM_HTTPS_CERT` +Values : *\* +Default value : +Full path of the certificate file to use when `USE_CUSTOM_HTTPS` is set to yes. + +`CUSTOM_HTTPS_KEY` +Values : *\* +Default value : +Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes. ## ModSecurity `USE_MODSECURITY` @@ -296,7 +311,7 @@ Default value : *yes* If set to yes, allows clients to upload files. `PHP_UPLOAD_MAX_FILESIZE` -Values : ** | *XM* +Values : *\* | *XM* Default value : *10M* Sets the maximum file size allowed when uploading files. @@ -330,7 +345,7 @@ The time interval, in seconds, to search for "strange" HTTP status codes. `FAIL2BAN_MAXRETRY` Values : *\* -Default : value : *10* +Default : value : *20* The number of "strange" HTTP status codes to find between the time interval. ## ClamAV @@ -370,13 +385,11 @@ ENV WRITE_ACCESS yes ``` # TODO -- nginx compile flags -- x86 and ARM versions - README improve - docker tags - Tutorials - Full documentation +- nginx compile flags - Antibot with recaptcha v3 -- Custom TLS certificates - HSTS preload, HPKP - Web UI diff --git a/compile.sh b/compile.sh index 21aec59..3696fca 100644 --- a/compile.sh +++ b/compile.sh @@ -1,4 +1,4 @@ -#/bin/sh +#!/bin/sh NTASK=$(($(nproc)*2)) diff --git a/confs/custom-https.conf b/confs/custom-https.conf new file mode 100644 index 0000000..88289a8 --- /dev/null +++ b/confs/custom-https.conf 
@@ -0,0 +1,7 @@
+listen 0.0.0.0:443 ssl %HTTP2%;
+ssl_certificate %HTTPS_CUSTOM_CERT%;
+ssl_certificate_key %HTTPS_CUSTOM_KEY%;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+%STRICT_TRANSPORT_SECURITY%
diff --git a/confs/php.ini b/confs/php.ini
index 45cf105..296e6de 100644
--- a/confs/php.ini
+++ b/confs/php.ini
@@ -691,7 +691,7 @@ auto_globals_jit = On
 ; Its value may be 0 to disable the limit. It is ignored if POST data reading
 ; is disabled through enable_post_data_reading.
 ; http://php.net/post-max-size
-post_max_size = 8M
+post_max_size = %PHP_POST_MAX_SIZE%
 
 ; Automatically add files before PHP document.
 ; http://php.net/auto-prepend-file
diff --git a/confs/server.conf b/confs/server.conf
index f2307c0..8adb5ae 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -1,6 +1,7 @@
 server {
 	%LISTEN_HTTP%
 	%AUTO_LETS_ENCRYPT%
+	%CUSTOM_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
 	server_name %SERVER_NAME%;
 	%DISABLE_DEFAULT_SERVER%
diff --git a/entrypoint.sh b/entrypoint.sh
index 0b5a7e7..e83b2aa 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -77,6 +77,7 @@ PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN-no}"
 PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE-no}"
 PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS-yes}"
 PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE-10M}"
+PHP_POST_MAX_SIZE="${PHP_POST_MAX_SIZE-10M}"
 PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
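Review bot: `ssl_certificate %HTTPS_CUSTOM_CERT%;` and `ssl_certificate_key %HTTPS_CUSTOM_KEY%;` receive whatever the entrypoint substitutes, verbatim and unquoted, so an unset variable leaves `ssl_certificate ;` and nginx refuses the configuration, while a path containing a space or `;` silently changes the directive; if replace_in_file is sed-based (its body is not in this diff) a path containing the sed delimiter breaks the substitution as well. The file has no comment saying which entrypoint variables feed which placeholder or what shapes they must have; a header such as `# filled in by entrypoint.sh: %HTTPS_CUSTOM_CERT% / %HTTPS_CUSTOM_KEY% are absolute file paths, %HTTP2% is "http2" or empty, %STRICT_TRANSPORT_SECURITY% is a more_set_headers line or empty` would make the contract visible to anyone editing either side. Separately, `ssl_session_tickets off;` with no `ssl_session_cache` in this block means no session resumption at all on the custom listener, so each reconnect pays a full TLS 1.3 handshake; adding a `ssl_session_cache shared:...` line is the usual companion to disabling tickets.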
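Review bot: `PHP_POST_MAX_SIZE="${PHP_POST_MAX_SIZE-10M}"` introduces a new user-facing variable without a README entry, although the README hunk of this same commit documents the new HTTPS variables. Add a block next to `PHP_UPLOAD_MAX_FILESIZE` with `Values : *\* | *XM*`, `Default value : *10M*`, and a sentence stating that PHP rejects a request whose body exceeds post_max_size, so it must be at least `PHP_UPLOAD_MAX_FILESIZE` plus the other form fields or uploads at the documented maximum fail. The two defaults are equal here, which is the edge case that sentence warns about.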
@@ -99,6 +100,7 @@ AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
 AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
+USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -146,6 +148,7 @@ if [ "$USE_PHP" = "yes" ] ; then
 	fi
 	replace_in_file "/etc/php7/php.ini" "%PHP_UPLOAD_MAX_FILESIZE%" "$PHP_UPLOAD_MAX_FILESIZE"
 	replace_in_file "/etc/php7/php.ini" "%PHP_DISABLE_FUNCTIONS%" "$PHP_DISABLE_FUNCTIONS"
+	replace_in_file "/etc/php7/php.ini" "%PHP_POST_MAX_SIZE%" "$PHP_POST_MAX_SIZE"
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
 fi
@@ -245,7 +248,23 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 else
 	replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
 fi
-
+if [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
+	if [ "$HTTP2" = "yes" ] ; then
+		replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" "http2"
+	else
+		replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" ""
+	fi
+	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
+		replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
+	else
+		replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
+	fi
+	replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
+	replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
+else
+	replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" ""
+fi
 if [ "$LISTEN_HTTP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
 else
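Review bot: `USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"` gives a default to a variable nothing reads: the third hunk of this file tests `"$USE_CUSTOM_HTTPS"`, and the README hunk documents `USE_CUSTOM_HTTPS`, `CUSTOM_HTTPS_CERT` and `CUSTOM_HTTPS_KEY`, whereas the substitutions read `$HTTPS_CUSTOM_CERT` and `$HTTPS_CUSTOM_KEY`. A user who follows the README gets the feature enabled with both paths empty, so custom-https.conf ends up with `ssl_certificate ;` and nginx does not start. Align the script on the documented names by replacing this line with `USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"`, `CUSTOM_HTTPS_CERT="${CUSTOM_HTTPS_CERT-}"`, `CUSTOM_HTTPS_KEY="${CUSTOM_HTTPS_KEY-}"` and renaming the reads in the third hunk (and the two placeholders in custom-https.conf) accordingly, so the defaults block is again the single list of every variable the script honours.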
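Review bot: The new `if [ "$USE_CUSTOM_HTTPS" = "yes" ]` branch substitutes `$HTTPS_CUSTOM_CERT` and `$HTTPS_CUSTOM_KEY` into custom-https.conf without checking that either names an existing file, so a typo or a missing volume mount is only discovered when nginx fails to load the configuration, with no message pointing at the variable. It also runs independently of the `AUTO_LETS_ENCRYPT` branch just above it; if the Let's Encrypt include emits its own `listen 443 ssl` and certificate directives (that file is not in this diff), enabling both yields duplicate directives in the same server block. Validating both inputs up front, before any substitution, gives an actionable error and keeps the two HTTPS modes mutually exclusive.
```shell
if [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
	if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
		echo "USE_CUSTOM_HTTPS and AUTO_LETS_ENCRYPT cannot both be set to yes" >&2
		exit 1
	fi
	if [ ! -f "$HTTPS_CUSTOM_CERT" ] || [ ! -f "$HTTPS_CUSTOM_KEY" ] ; then
		echo "USE_CUSTOM_HTTPS is yes but HTTPS_CUSTOM_CERT or HTTPS_CUSTOM_KEY is not an existing file" >&2
		exit 1
	fi
	replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
	# … unchanged: HTTP2, STRICT_TRANSPORT_SECURITY, certificate and key substitutions …
```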