templating - road to full jinja2 templates

confs2/global/api-temp.conf

@@ -0,0 +1,32 @@
+
+location ~ ^%API_URI%/ping {
+	return 444;
+}
+
+location ~ ^%API_URI% {
+
+rewrite_by_lua_block {
+	
+	local api		= require "api"
+	local api_whitelist_ip  = {{ API_WHITELIST_IP }}
+	local api_uri		= "%API_URI%"
+	local logger		= require "logger"
+
+	if api.is_api_call(api_uri, api_whitelist_ip) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}
+
+}

confs2/global/api.conf

@@ -0,0 +1,31 @@
+{{ API_URI }}
+{% set API_WHITELIST_IP_value = "" %}
+{% for element in API_WHITELIST_IP.split(" ") %}
+	{{ element + "toto" }}
+	{% set API_WHITELIST_IP_value = API_WHITELIST_IP_value + '"' + element + '",' %}
+{% endfor %}
+{% set API_WHITELIST_IP_value = API_WHITELIST_IP_value[:-1] %}
+
+rewrite_by_lua_block {
+	
+	local api		= require "api"
+	local api_whitelist_ip	= {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+	local api_uri		= "%API_URI%"
+	local logger		= require "logger"
+
+	if api.is_api_call(api_uri, api_whitelist_ip) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}

confs2/global/cache.conf

@@ -0,0 +1,4 @@
+open_file_cache %CACHE%;
+open_file_cache_errors %CACHE_ERRORS%;
+open_file_cache_min_uses %CACHE_USES%;
+open_file_cache_valid %CACHE_VALID%;

confs2/global/dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

confs2/global/geoip.conf

@@ -0,0 +1,10 @@
+geoip2 /etc/nginx/geoip.mmdb {
+	auto_reload 5m;
+	$geoip2_metadata_country_build metadata build_epoch;
+	$geoip2_data_country_code country iso_code;
+}
+
+map $geoip2_data_country_code $allowed_country {
+	default %DEFAULT%;
+	%COUNTRY%
+}

confs2/global/init-lua.conf

@@ -0,0 +1,43 @@
+init_by_lua_block {
+
+local dataloader		= require "dataloader"
+local logger			= require "logger"
+
+local use_proxies		= %USE_PROXIES%
+local use_abusers		= %USE_ABUSERS%
+local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
+local use_user_agents		= %USE_USER_AGENTS%
+local use_referrers		= %USE_REFERRERS%
+local use_crowdsec		= %USE_CROWDSEC%
+
+if use_proxies then
+	dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
+end
+
+if use_abusers then
+	dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
+end
+
+if use_tor_exit_nodes then
+	dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
+end
+
+if use_user_agents then
+	dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
+end
+
+if use_referrers then
+	dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
+end
+
+if use_crowdsec then
+	local cs = require "crowdsec.CrowdSec"
+	local ok, err = cs.init("/etc/nginx/crowdsec.conf")
+	if ok == nil then
+		logger.log(ngx.ERR, "CROWDSEC", err)
+		error()
+	end
+	logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
+end
+
+}

confs2/global/multisite-default-server-https.conf

@@ -0,0 +1,11 @@
+listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+ssl_certificate /etc/nginx/default-cert.pem;
+ssl_certificate_key /etc/nginx/default-key.pem;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%SSL_DHPARAM%
+%SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs2/global/multisite-default-server-lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs2/global/multisite-default-server.conf

@@ -0,0 +1,6 @@
+server {
+	%LISTEN_HTTP%
+	server_name _;
+	%USE_HTTPS%
+	%MULTISITE_DISABLE_DEFAULT_SERVER%
+}

confs2/global/multisite-disable-default-server.conf

@@ -0,0 +1,3 @@
+location / {
+	return 444;
+}

confs2/global/nginx-temp.conf

@@ -0,0 +1,30 @@
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
+daemon on;
+
+pid /tmp/nginx-temp.pid;
+
+events {
+        worker_connections 1024;
+        use epoll;
+}
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	server {
+		listen 0.0.0.0:%HTTP_PORT% default_server;
+		server_name _;
+		location ~ ^/.well-known/acme-challenge/ {
+			root /acme-challenge;
+		}
+		%USE_API%
+		location / {
+			return 444;
+		}
+	}
+}

confs2/global/nginx.conf

@@ -0,0 +1,120 @@
+# /etc/nginx/nginx.conf
+
+# load dynamic modules
+load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
+
+# run in foreground
+daemon off;
+
+# PID file
+pid /tmp/nginx.pid;
+
+# worker number = CPU core(s)
+worker_processes auto;
+
+# faster regexp
+pcre_jit on;
+
+# config files for dynamic modules
+include /etc/nginx/modules/*.conf;
+
+# max open files for each worker
+worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
+
+events {
+	# max connections per worker
+	worker_connections %WORKER_CONNECTIONS%;
+
+	# epoll seems to be the best on Linux
+	use epoll;
+}
+
+http {
+	# zero copy within the kernel
+	sendfile on;
+
+	# send packets only if filled
+	tcp_nopush on;
+
+	# remove 200ms delay
+	tcp_nodelay on;
+
+	# load mime types and set default one
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	# write logs to local syslog
+	log_format logf '%LOG_FORMAT%';
+	access_log /var/log/access.log logf;
+	error_log /var/log/error.log %LOG_LEVEL%;
+
+	# temp paths
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	# close connections in FIN_WAIT1 state
+	reset_timedout_connection on;
+
+	# timeouts
+	client_body_timeout 10;
+	client_header_timeout 10;
+	keepalive_timeout 15;
+	send_timeout 10;
+
+	# resolvers to use
+	resolver %DNS_RESOLVERS% ipv6=off;
+
+	# remove ports when sending redirects
+	port_in_redirect off;
+
+	# lua path and dicts
+	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	%WHITELIST_IP_CACHE%
+	%WHITELIST_REVERSE_CACHE%
+	%BLACKLIST_IP_CACHE%
+	%BLACKLIST_REVERSE_CACHE%
+	%DNSBL_CACHE%
+	%BLOCK_PROXIES%
+	%BLOCK_ABUSERS%
+	%BLOCK_TOR_EXIT_NODES%
+	%BLOCK_USER_AGENTS%
+	%BLOCK_REFERRERS%
+	%BAD_BEHAVIOR%
+
+	# shared memory zone for limit_req
+	%LIMIT_REQ_ZONE%
+
+	# shared memory zone for limit_conn
+	%LIMIT_CONN_ZONE%
+
+	# whitelist or blacklist country
+	%USE_COUNTRY%
+
+	# zone for proxy_cache
+	%PROXY_CACHE_PATH%
+
+	# custom http confs
+	include /http-confs/*.conf;
+
+	# LUA init block
+	include /etc/nginx/init-lua.conf;
+
+	# default server when MULTISITE=yes
+	%MULTISITE_DEFAULT_SERVER%
+
+	# server config(s)
+	%INCLUDE_SERVER%
+
+	# API
+	%USE_API%
+}