From 8e3dbf1c70439e42568d262fafa8a156cfac6079 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Mon, 12 Jul 2021 22:21:13 +0200
Subject: [PATCH] fixed some fedora bugs, support LOCAL_PHP and LOCAL_PHP_PATH and sample variables.env

---
 confs/global/nginx.conf |   2 +-
 confs/site/fastcgi.conf |   6 ++
 confs/site/php.conf     |   8 +-
 confs/site/server.conf  |   4 +-
 helpers/install.sh      |  11 ++-
 misc/set2conf.py        |  19 +++++
 misc/variables.env      | 185 ++++++++++++++++++++++++++++++++++++++++
 settings.json           |   2 +-
 8 files changed, 229 insertions(+), 8 deletions(-)
 create mode 100755 misc/set2conf.py
 create mode 100644 misc/variables.env

diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 85d6ef9..65aee58 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -6,7 +6,7 @@ load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
-load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
+#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 
diff --git a/confs/site/fastcgi.conf b/confs/site/fastcgi.conf
index 8708187..973fcbc 100644
--- a/confs/site/fastcgi.conf
+++ b/confs/site/fastcgi.conf
@@ -1,4 +1,10 @@
+{% if REMOTE_PHP != "" +%}
 fastcgi_param SCRIPT_FILENAME {{ REMOTE_PHP_PATH }}/$fastcgi_script_name;
+{% elif LOCAL_PHP != "" +%}
+fastcgi_param SCRIPT_FILENAME {{ LOCAL_PHP_PATH }}/$fastcgi_script_name;
+{% else +%}
+fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
+{% endif %}
 fastcgi_param QUERY_STRING $query_string;
 fastcgi_param REQUEST_METHOD $request_method;
 fastcgi_param CONTENT_TYPE $content_type;
diff --git a/confs/site/php.conf b/confs/site/php.conf
index 0d746e8..7514b7c 100644
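Review bot: The `load_module` for ngx_stream_geoip2 is commented out with no reason recorded, so the next person touching module loading on another distribution is likely to re-enable it and re-hit whatever failed on Fedora; the commit message only says "fixed some fedora bugs", and the install.sh hunk in this same commit pulling in `nginx-mod-stream` suggests a missing stream core module, but that is inferred. Keep the line but annotate it, e.g. `#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so; # disabled: fails to load on some targets (Fedora), see helpers/install.sh`. If no template still relies on the stream geoip2 module, deleting the line is cleaner than leaving dead configuration behind.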
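Review bot: The new `{% else +%}` branch sets `SCRIPT_FILENAME` to a bare `$fastcgi_script_name`, a URI-derived path with no document root, so PHP-FPM would resolve it relative to its own working directory; the branch is also unreachable, because server.conf in this same commit only includes fastcgi.conf when `REMOTE_PHP` or `LOCAL_PHP` is non-empty. Either drop the `else` branch or give it a sane default, `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`. Separately, `LOCAL_PHP_PATH` is referenced here but appears neither in the settings.json hunk of this commit nor in the generated sample variables.env, whose `# PHP` section lists only `REMOTE_PHP` and `REMOTE_PHP_PATH`; if the template engine renders an undefined name as empty, a deployment with `LOCAL_PHP` set and `LOCAL_PHP_PATH` unset would produce `SCRIPT_FILENAME /$fastcgi_script_name`, i.e. scripts resolved from the filesystem root — verify that both settings are declared with defaults.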
--- a/confs/site/php.conf
+++ b/confs/site/php.conf
@@ -1,4 +1,8 @@
 location ~ \.php$ {
-	fastcgi_pass {{ REMOTE_PHP }}:9000;
-	fastcgi_index index.php;
+{% if REMOTE_PHP != "" +%}
+	fastcgi_pass {{ REMOTE_PHP }}:9000;
+{% elif LOCAL_PHP != "" +%}
+	fastcgi_pass unix:{{ LOCAL_PHP }};
+{% endif %}
+	fastcgi_index index.php;
 }
diff --git a/confs/site/server.conf b/confs/site/server.conf
index 138d2f6..c620a5a 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -7,7 +7,7 @@ include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf;
 server {
 
 	# FastCGI variables
-{% if REMOTE_PHP != "" +%}
+{% if REMOTE_PHP != "" or LOCAL_PHP != "" +%}
 	include {{ NGINX_PREFIX }}fastcgi.conf;
 {% endif %}
 
@@ -181,7 +181,7 @@ server {
 {% endif %}
 
 	# remote PHP
-{% if REMOTE_PHP != "" +%}
+{% if REMOTE_PHP != "" or LOCAL_PHP != "" +%}
 	include {{ NGINX_PREFIX }}php.conf;
 {% endif %}
 
diff --git a/helpers/install.sh b/helpers/install.sh
index e3cf863..75fb225 100755
--- a/helpers/install.sh
+++ b/helpers/install.sh
@@ -373,7 +373,7 @@ elif [ "$OS" = "centos" ] ; then
 	CENTOS_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg"
 	do_and_check_cmd yum install -y $CENTOS_DEPS
 elif [ "$OS" = "fedora" ] ; then
-	FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg libxslt-devel"
+	FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg libxslt-devel perl-ExtUtils-Embed gperftools-devel"
 	do_and_check_cmd dnf install -y $FEDORA_DEPS
 elif [ "$OS" = "alpine" ] ; then
 	ALPINE_DEPS="git build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev"
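Review bot: `LOCAL_PHP` is used both as the enable flag and as the socket path, yet neither `LOCAL_PHP` nor `LOCAL_PHP_PATH` is added to settings.json in this commit (its only change is the `SERVER_NAME` default) and the generated sample variables.env knows only `REMOTE_PHP`/`REMOTE_PHP_PATH`; if the templating context is built from settings.json, the new `{% elif LOCAL_PHP != "" +%}` is evaluated against an undefined name and its outcome depends on which Jinja undefined class the generator uses — verify, and register both settings with an empty default so the branch is deterministic. The `unix:{{ LOCAL_PHP }}` form also silently produces an invalid directive if the value is a relative path, which a settings-level check could catch early. A short comment on the branch would help readers: `# local PHP-FPM: LOCAL_PHP is the absolute path of the FPM unix socket`.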
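Review bot: The `# remote PHP` comment above the second guard is now misleading, since the include fires for `LOCAL_PHP` as well; change it to `# PHP (remote FastCGI host or local unix socket)` so it matches the condition beneath it. The same guard is repeated verbatim in both hunks, so if a third PHP mode is ever added both copies must change together — a comment noting that the two conditions are meant to stay identical would be cheap insurance. The `server {}` block itself begins before the first hunk and ends after the second.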
@@ -574,6 +574,7 @@ echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerized-nginx/ModSecuri
 do_and_check_cmd chmod +x "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" LUAJIT_LIB="/opt/bunkerized-nginx/deps/lib -Wl,-rpath,/opt/bunkerized-nginx/deps/lib" LUAJIT_INC="/opt/bunkerized-nginx/deps/include/luajit-2.1" MODSECURITY_LIB="/opt/bunkerized-nginx/deps/lib" MODSECURITY_INC="/opt/bunkerized-nginx/deps/include" do_and_check_cmd ./configure-fix.sh
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd make -j $NTASK modules
+# TODO : move modules to /opt/bunkerized-nginx/modules
 if [ ! -d "/usr/lib/nginx/modules" ] ; then
 	do_and_check_cmd mkdir -p /usr/lib/nginx/modules
 fi
@@ -603,8 +604,10 @@ elif [ "$OS" = "centos" ] ; then
 	CENTOS_DEPS="git crontabs curl python3 python3-pip procps"
 	do_and_check_cmd yum install -y $CENTOS_DEPS
 elif [ "$OS" = "fedora" ] ; then
-	FEDORA_DEPS="git crontabs curl python3 python3-pip procps"
+	FEDORA_DEPS="git crontabs curl python3 python3-pip procps nginx-mod-stream"
 	do_and_check_cmd dnf install -y $FEDORA_DEPS
+	# Temp fix
+	do_and_check_cmd cp /usr/lib64/nginx/modules/ngx_stream_module.so /usr/lib/nginx/modules/ngx_stream_module.so
 elif [ "$OS" = "alpine" ] ; then
 	ALPINE_DEPS="certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip git"
 	do_and_check_cmd apk add --no-cache $ALPINE_DEPS
@@ -658,6 +661,10 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx
 echo "[*] Copy settings"
 do_and_check_cmd cp /tmp/bunkerized-nginx/settings.json /opt/bunkerized-nginx
 
+# Copy sample variables.env
+echo "[*] Copy sample variables.env"
+do_and_check_cmd cp /tmp/bunkerized-nginx/misc/variables.env /opt/bunkerized-nginx
+
 # Copy UI
 if [ "$OS" != "alpine" ] ; then
 	echo "[*] Copy UI"
diff --git a/misc/set2conf.py b/misc/set2conf.py
new file mode 100755
index 0000000..1ba7221
--- /dev/null
+++ b/misc/set2conf.py
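Review bot: The `# Temp fix` copies Fedora's packaged `ngx_stream_module.so` into `/usr/lib/nginx/modules` next to modules that the earlier hunk builds from source against this repo's own `./configure` arguments; nginx accepts a dynamic module only when its build signature matches the running binary, so a distro-built module loaded into this locally built nginx may be refused at `nginx -t` — confirm it really loads on Fedora rather than assuming the copy is enough. The copy is also a second, package-manager-unaware file: `dnf update nginx-mod-stream` refreshes `/usr/lib64/...` but never the loaded copy, so security fixes to that module would silently not apply; a symlink, `ln -sf /usr/lib64/nginx/modules/ngx_stream_module.so /usr/lib/nginx/modules/ngx_stream_module.so`, or a `load_module` pointing at the lib64 path avoids that. The comment should say what is temporary and what the intended fix is, e.g. `# Temp fix: Fedora ships the stream module in /usr/lib64; until nginx.conf loads it from there, mirror it here`.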
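Review bot: The new `cp` of the sample variables.env into `/opt/bunkerized-nginx` is unconditional, so re-running the installer for an upgrade overwrites an operator's edited `variables.env` — the file that will hold `AUTH_BASIC_PASSWORD`, `CROWDSEC_KEY` and the reCAPTCHA secret once uncommented — with the commented-out template, assuming that path is where the service reads it from. Either install it under a non-colliding name such as `variables.env.example`, or guard the copy: `if [ ! -f /opt/bunkerized-nginx/variables.env ] ; then do_and_check_cmd cp /tmp/bunkerized-nginx/misc/variables.env /opt/bunkerized-nginx ; fi`. Since the file is meant to be edited in place with secrets, also consider `chmod 600` on it at install time rather than inheriting the umask.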
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import json
+
+with open("settings.json") as f :
+	data = json.loads(f.read())
+
+output = ""
+for cat in data :
+	output += "# " + cat + "\n"
+	for param in data[cat]["params"] :
+		if param["type"] == "multiple" :
+			params = param["params"]
+		else :
+			params = [param]
+		for true_param in params :
+			output += "#" + true_param["env"] + "=" + true_param["default"] + "\n"
+	output += "\n"
+print(output)
diff --git a/misc/variables.env b/misc/variables.env
new file mode 100644
index 0000000..545bd70
--- /dev/null
+++ b/misc/variables.env
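Review bot: `"#" + true_param["env"] + "=" + true_param["default"]` raises TypeError as soon as a setting's `default` is not a JSON string, and the settings path is hard-coded to the working directory, so the script only runs from the repository root; `print(output)` also appends a newline to a string that already ends with the per-category blank line, which is presumably why the committed variables.env (185 lines, exactly the content lines) had its trailing blank lines trimmed by hand. `json.loads(f.read())` is `json.load(f)`, and the `+=` accumulation is a `"\n".join`. The rewrite below accepts an optional path argument, stringifies defaults explicitly (keep `str()` only if non-string defaults are actually expected), and writes the output once with no extra trailing newline; a module docstring stating that this regenerates `misc/variables.env` from `settings.json` and must be re-run whenever a default changes would prevent the sample drifting from the schema.

```python
#!/usr/bin/python3
"""Regenerate the commented sample variables.env from settings.json.

Usage: set2conf.py [path/to/settings.json] > misc/variables.env
"""

import json
import sys

settings_path = sys.argv[1] if len(sys.argv) > 1 else "settings.json"
with open(settings_path) as f:
    data = json.load(f)

lines = []
for cat, category in data.items():
    lines.append("# " + cat)
    for param in category["params"]:
        # "multiple" settings wrap a list of concrete settings
        params = param["params"] if param["type"] == "multiple" else [param]
        for true_param in params:
            lines.append("#" + true_param["env"] + "=" + str(true_param["default"]))
    lines.append("")
sys.stdout.write("\n".join(lines))
```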
@@ -0,0 +1,185 @@
+# List of environment variables for bunkerized-nginx.
+# Manual : https://bunkerized-nginx.readthedocs.io/en/latest/
+
+# Antibot
+#USE_ANTIBOT=no
+#ANTIBOT_URI=/challenge
+#ANTIBOT_SESSION_SECRET=random
+#ANTIBOT_RECAPTCHA_SITEKEY=
+#ANTIBOT_RECAPTCHA_SECRET=
+#ANTIBOT_RECAPTCHA_SCORE=0.7
+
+# Authelia
+#USE_AUTHELIA=no
+#AUTHELIA_BACKEND=
+#AUTHELIA_UPSTREAM=
+#AUTHELIA_MODE=portal
+
+# Basic auth
+#USE_AUTH_BASIC=no
+#AUTH_BASIC_LOCATION=sitewide
+#AUTH_BASIC_USER=changeme
+#AUTH_BASIC_PASSWORD=changeme
+#AUTH_BASIC_TEXT=Restricted area
+
+# Blacklist
+#USE_BLACKLIST_IP=yes
+#BLACKLIST_IP_LIST=
+#USE_BLACKLIST_REVERSE=yes
+#BLACKLIST_REVERSE_LIST=.shodan.io
+#BLACKLIST_COUNTRY=
+
+# Block
+#BLOCK_USER_AGENT=yes
+#BLOCK_TOR_EXIT_NODE=yes
+#BLOCK_PROXIES=yes
+#BLOCK_ABUSERS=yes
+#BLOCK_REFERRER=yes
+
+# Cache
+#USE_CLIENT_CACHE=no
+#CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
+#CLIENT_CACHE_CONTROL=public, max-age=15552000
+#CLIENT_CACHE_ETAG=on
+#USE_OPEN_FILE_CACHE=no
+#OPEN_FILE_CACHE=max=1000 inactive=20s
+#OPEN_FILE_CACHE_ERRORS=on
+#OPEN_FILE_CACHE_MIN_USES=2
+#OPEN_FILE_CACHE_VALID=30s
+#USE_PROXY_CACHE=no
+#PROXY_CACHE_PATH_ZONE_SIZE=10m
+#PROXY_CACHE_PATH_PARAMS=max_size=100m
+#PROXY_CACHE_METHODS=GET HEAD
+#PROXY_CACHE_MIN_USES=2
+#PROXY_CACHE_KEY=\$scheme\$host\$request_uri
+#PROXY_CACHE_VALID=200=10m 301=10m 302=1h
+#PROXY_NO_CACHE=\$http_authorization
+#PROXY_CACHE_BYPASS=\$http_authorization
+
+# Compression
+#USE_GZIP=no
+#GZIP_COMP_LEVEL=5
+#GZIP_MIN_LENGTH=1000
+#GZIP_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
+#USE_BROTLI=no
+#BROTLI_COMP_LEVEL=6
+#BROTLI_MIN_LENGTH=1000
+#BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
+
+# CrowdSec
+#USE_CROWDSEC=no
+#CROWDSEC_HOST=
+#CROWDSEC_KEY=
+
+# DNSBL
+#USE_DNSBL=yes
+#DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
+
+# HTTPS
+#AUTO_LETS_ENCRYPT=no
+#EMAIL_LETS_ENCRYPT=
+#REDIRECT_HTTP_TO_HTTPS=no
+#HTTP2=yes
+#HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
+#LISTEN_HTTP=yes
+#USE_CUSTOM_HTTPS=no
+#CUSTOM_HTTPS_CERT=
+#CUSTOM_HTTPS_KEY=
+#GENERATE_SELF_SIGNED_SSL=no
+#SELF_SIGNED_SSL_EXPIRY=365
+#SELF_SIGNED_SSL_COUNTRY=CH
+#SELF_SIGNED_SSL_STATE=Switzerland
+#SELF_SIGNED_SSL_CITY=Bern
+#SELF_SIGNED_SSL_OU=IT
+#SELF_SIGNED_SSL_ORG=Acme Inc
+#SELF_SIGNED_SSL_CN=bunkerized
+
+# Headers
+#X_FRAME_OPTIONS=DENY
+#X_XSS_PROTECTION=1; mode=block
+#X_CONTENT_TYPE_OPTIONS=nosniff
+#REFERRER_POLICY=no-referrer
+#FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
+#PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()
+#COOKIE_FLAGS=* HttpOnly SameSite=Lax
+#COOKIE_AUTO_SECURE_FLAG=yes
+#STRICT_TRANSPORT_SECURITY=max-age=31536000
+#CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
+
+# Info leak
+#REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version
+#DISABLE_DEFAULT_SERVER=no
+#ERRORS=
+
+# Limit conn
+#USE_LIMIT_CONN=yes
+#LIMIT_CONN_MAX=50
+#LIMIT_CONN_CACHE=10m
+
+# Limit req
+#USE_LIMIT_REQ=yes
+#LIMIT_REQ_RATE=1r/s
+#LIMIT_REQ_BURST=2
+#LIMIT_REQ_CACHE=10m
+
+# Misc
+#SERVER_NAME=www.bunkerity.com
+#MAX_CLIENT_SIZE=10m
+#ALLOWED_METHODS=GET|POST|HEAD
+#SERVE_FILES=yes
+#INJECT_BODY=
+
+# ModSecurity
+#USE_MODSECURITY=yes
+#USE_MODSECURITY_CRS=yes
+#MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly
+
+# PHP
+#REMOTE_PHP=
+#REMOTE_PHP_PATH=/app
+
+# Reverse proxy
+#USE_REVERSE_PROXY=no
+#REVERSE_PROXY_URL=
+#REVERSE_PROXY_HOST=
+#REVERSE_PROXY_WS=no
+#REVERSE_PROXY_HEADERS=
+#PROXY_REAL_IP=no
+#PROXY_REAL_IP_FROM=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+#PROXY_REAL_IP_HEADER=X-Forwarded-For
+#PROXY_REAL_IP_RECURSIVE=on
+
+# Bad behavior
+#USE_BAD_BEHAVIOR=yes
+#BAD_BEHAVIOR_BAN_TIME=86400
+#BAD_BEHAVIOR_COUNT_TIME=60
+#BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
+#BAD_BEHAVIOR_THRESHOLD=10
+
+# API
+#USE_API=no
+#API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+#API_URI=random
+#SWARM_MODE=no
+
+# nginx
+#MULTISITE=no
+#DNS_RESOLVERS=127.0.0.11
+#LOG_FORMAT=$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
+#LOG_LEVEL=info
+#ROOT_FOLDER=/opt/bunkerized-nginx/www
+#ROOT_SITE_SUBFOLDER=
+#SERVER_TOKENS=off
+#HTTP_PORT=8080
+#HTTPS_PORT=8443
+#WORKER_RLIMIT_NOFILE=2048
+#WORKER_CONNECTIONS=1024
+
+# Whitelist
+#USE_WHITELIST_IP=yes
+#WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
+#USE_WHITELIST_REVERSE=yes
+#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
+#WHITELIST_COUNTRY=
+#WHITELIST_USER_AGENT=
+#WHITELIST_URI=
diff --git a/settings.json b/settings.json
index 592c5a9..a6874d8 100644
--- a/settings.json
+++ b/settings.json
@@ -911,7 +911,7 @@
             "params": [
                 {
                     "context": "multisite",
-                    "default": "www.bunkerity.com",
+                    "default": "www.example.com",
                     "env": "SERVER_NAME",
                     "id": "server-name",
                     "label": "Server name",
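Review bot: `#SERVER_NAME=www.bunkerity.com` in the sample disagrees with the settings.json hunk of this same commit, which changes that default to `www.example.com`; since `misc/set2conf.py` generates this file from settings.json, the sample was evidently produced before the default changed and should be regenerated so the two do not drift apart on the very commit that introduces them. Two other defaults deserve a check against settings.json: `.crawl.yahoot.net` in `WHITELIST_REVERSE_LIST` reads like a typo for `.crawl.yahoo.net`, and `$` is escaped as `\$` in `PROXY_CACHE_KEY`, `PROXY_NO_CACHE` and `PROXY_CACHE_BYPASS` but left bare in `LOG_FORMAT`, so any loader that performs `$` expansion on env files will treat the two groups differently — one convention should be chosen and documented in the header. Because `ANTIBOT_RECAPTCHA_SECRET`, `AUTH_BASIC_PASSWORD` and `CROWDSEC_KEY` live here once uncommented, a header line such as `# This file will contain secrets once edited: keep it mode 600 and out of version control.` is worth adding. Whether the reverse-DNS whitelist is forward-confirmed is not visible in this diff, but a PTR-only match is trivially spoofable by anyone who controls their own reverse zone, so the `WHITELIST_REVERSE_LIST` comment could warn that it must not be relied on as authentication.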