diff --git a/README.md b/README.md index db1e3ae..d4f7505 100644 --- a/README.md +++ b/README.md @@ -700,6 +700,12 @@ Context : *global*, *multisite* If set to yes, automatic certificate generation and renewal will be setup through Let's Encrypt. This will enable HTTPS on your website for free. You will need to redirect the 80 port to 8080 port inside container and also set the `SERVER_NAME` environment variable. +`AUTO_LETS_ENCRYPT_CRON` +Values : *\* +Default value : 0 2 * * * +Context : *global* +Cron expression of how often lets encrypt is asking for being renewed. + `EMAIL_LETS_ENCRYPT` Values : *contact@yourdomain.com* Default value : *contact@yourdomain.com* @@ -947,11 +953,17 @@ The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*. `BLOCK_USER_AGENT` Values : *yes* | *no* -Default value : *yes* +Default value : *yes* Context : *global*, *multisite* If set to yes, block clients with "bad" user agent. Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt). +`BLOCK_USER_AGENT_CRON` +Values : *\* +Default value : 5 0 * * * * +Context : *global* +Cron expression of how often blocklist user agent is updated. + `BLOCK_TOR_EXIT_NODE` Values : *yes* | *no* Default value : *yes* @@ -959,6 +971,12 @@ Context : *global*, *multisite* Is set to yes, will block known TOR exit nodes. Blacklist can be found [here](https://iplists.firehol.org/?ipset=tor_exits). +`BLOCK_TOR_EXIT_NODE_CRON` +Values : *\* +Default value : 15 0 * * * * +Context : *global* +Cron expression of how often blocklist tor exit node is updated. + `BLOCK_PROXIES` Values : *yes* | *no* Default value : *yes* 
@@ -966,6 +984,12 @@ Context : *global*, *multisite* Is set to yes, will block known proxies. Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_proxies). +`BLOCK_PROXIES_CRON` +Values : *\* +Default value : 20 0 * * * * +Context : *global* +Cron expression of how often blocklist proxies is updated. + `BLOCK_ABUSERS` Values : *yes* | *no* Default value : *yes* @@ -973,6 +997,12 @@ Context : *global*, *multisite* Is set to yes, will block known abusers. Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_abusers_30d). +`BLOCK_ABUSERS_CRON` +Values : *\* +Default value : 30 0 * * * * +Context : *global* +Cron expression of how often blocklist abusers is updated. + `BLOCK_REFERRER` Values : *yes* | *no* Default value : *yes* @@ -980,6 +1010,12 @@ Context : *global*, *multisite* Is set to yes, will block known bad referrer header. Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list). +`BLOCK_REFERRER_CRON` +Values : *\* +Default value : 10 0 * * * * +Context : *global* +Cron expression of how often blocklist referrer is updated. + ### DNSBL `USE_DNSBL` @@ -1107,6 +1143,12 @@ Default value : Context : *global*, *multisite* Only allow specific countries accessing your website. Use 2 letters country code separated with space. +`GEOIP_CRON` +Values : *\* +Default value : 30 2 2 * * +Context : *global* +Cron expression of how often geoip will update its database. + ## PHP `REMOTE_PHP` @@ -1167,7 +1209,7 @@ IPs or subnet which should never be ban by fail2ban. Values : *yes* | *no* Default value : *yes* Context : *global*, *multisite* -If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected. +If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected. `USE_CLAMAV_SCAN` Values : *yes* | *no* 
@@ -1175,12 +1217,24 @@ Default value : *yes* Context : *global* If set to yes, ClamAV will scan all the files inside the container every day. +`USE_CLAMAV_SCAN_CRON` +Values : *\* +Default value : 40 */1 * * * +Context : *global* +Cron expression of how often ClamAV will scan all the files inside the container. + `CLAMAV_SCAN_REMOVE` Values : *yes* | *no* Default value : *yes* Context : *global* If set to yes, ClamAV will automatically remove the detected files. +`CLAMAV_UPDATE_CRON` +Values : *\* +Default value : 0 3 * * * +Context : *global* +Cron expression of how often ClamAV will update its database. + ## Misc `ADDITIONAL_MODULES` @@ -1201,6 +1255,12 @@ Default value : 7 Context : *global* The number of days before rotated files are deleted. +`LOGROTATE_CRON` +Values : *\* +Default value : 0 4 * * * +Context : *global* +Cron expression of how often Logrotate will rotate files. + # Include custom configurations Custom configurations files (ending with .conf suffix) can be added in some directory inside the container : - /http-confs : http context diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh index 141a9a8..f076d6c 100644 --- a/entrypoint/defaults.sh +++ b/entrypoint/defaults.sh 
@@ -45,11 +45,17 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}" SERVER_NAME="${SERVER_NAME-www.bunkerity.com}" ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}" BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}" +BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-5 0 * * *}" BLOCK_REFERRER="${BLOCK_REFERRER-yes}" +BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-10 0 * * *}" BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}" +BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-15 * * * *}" BLOCK_PROXIES="${BLOCK_PROXIES-yes}" +BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-20 0 * * *}" BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}" +BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-30 0 * * *}" AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}" +AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-0 2 * * *}" HTTP2="${HTTP2-yes}" HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}" STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}" @@ -70,6 +76,8 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}" FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}" USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}" USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}" +USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-40 */1 * * *}" +CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 3 * * *}" CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}" USE_AUTH_BASIC="${USE_AUTH_BASIC-no}" AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}" @@ -80,6 +88,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}" ROOT_FOLDER="${ROOT_FOLDER-/www}" LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}" LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}" +LOGROTATE_CRON="${LOGROTATE_CRON-0 4 * * *}" DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}" USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}" WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}" 
@@ -99,6 +108,7 @@ PROXY_REAL_IP="${PROXY_REAL_IP-no}" PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}" PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}" PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}" +GEOIP_CRON="${GEOIP_CRON-30 2 2 * *}" GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}" SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}" SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}" diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index f103252..cdc0e56 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh @@ -100,7 +100,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then /opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT" fi fi - echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root + echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root fi # self-signed certificate @@ -119,7 +119,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes" replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;" fi - echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root + echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root if [ -f "/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb 
@@ -134,7 +134,7 @@ fi # block bad UA if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;" - echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root + echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root if [ -f "/cache/map-user-agent.conf" ] ; then echo "[*] Copying cached map-user-agent.conf ..." cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf @@ -149,7 +149,7 @@ fi # block bad refferer if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;" - echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root + echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root if [ -f "/cache/map-referrer.conf" ] ; then echo "[*] Copying cached map-referrer.conf ..." cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf @@ -163,7 +163,7 @@ fi # block TOR exit nodes if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then - echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root + echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root if [ -f "/cache/block-tor-exit-node.conf" ] ; then echo "[*] Copying cached block-tor-exit-node.conf ..." cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf @@ -175,7 +175,7 @@ fi # block proxies if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then - echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root + echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root if [ -f "/cache/block-proxies.conf" ] ; then echo "[*] Copying cached block-proxies.conf ..." cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf 
@@ -187,7 +187,7 @@ fi # block abusers if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then - echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root + echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root if [ -f "/cache/block-abusers.conf" ] ; then echo "[*] Copying cached block-abusers.conf ..." cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf @@ -279,13 +279,13 @@ fi if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then echo "[*] Updating clamav (in background) ..." freshclam > /dev/null 2>&1 & - echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root + echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root fi if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then - echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root else - echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root fi fi @@ -305,4 +305,4 @@ touch /var/log/error.log # setup logrotate replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE" replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE" -echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root +echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
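Review bot: in the README hunk at @@ -700 (`AUTO_LETS_ENCRYPT_CRON`), `Values : *\*` renders as a literal backslash followed by an asterisk rather than describing the accepted input; every new `*_CRON` entry in this patch copies the same line. Use something like `Values : *<cron expression>*` (five fields, busybox crond syntax, since the value is appended to `/etc/crontabs/root`) so readers know what they are allowed to put there. The description "Cron expression of how often lets encrypt is asking for being renewed." would read better as "Cron expression controlling how often `certbot-renew.sh` is run."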
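Review bot: the documented default in the README hunk at @@ -947 (`BLOCK_USER_AGENT_CRON`, `Default value : 5 0 * * * *`) has six fields, while `entrypoint/defaults.sh` sets `BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-5 0 * * *}"` with five. A user who copies the README value into their environment gets a crontab line crond will not accept. Change the README to `5 0 * * *`. The same six-field typo appears in the `BLOCK_PROXIES_CRON` (@@ -966), `BLOCK_ABUSERS_CRON` (@@ -973) and `BLOCK_REFERRER_CRON` (@@ -980) hunks; all three five-field values in `defaults.sh` are the correct ones. The trailing-whitespace fix on the `Default value : *yes*` line in this same hunk is unrelated to the feature and would be cleaner as its own commit.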
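Review bot: the README hunk at @@ -959 (`BLOCK_TOR_EXIT_NODE_CRON`) documents `15 0 * * * *`, i.e. a six-field expression that, read as five fields, would mean once a day, but `defaults.sh` sets `BLOCK_TOR_EXIT_NODE_CRON-15 * * * *`, which is hourly. The code keeps the previous hourly cadence of `0 * * * * /opt/scripts/exit-nodes.sh` from `global-config.sh`, which is the right choice for an exit-node list that changes often; the README should say `15 * * * *` so the two agree and so nobody "fixes" the code to match the doc.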
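Review bot: the README hunk at @@ -1175 (`USE_CLAMAV_SCAN_CRON`) sits two lines below the sentence "ClamAV will scan all the files inside the container every day", yet its default `40 */1 * * *` (matching `defaults.sh`) runs every hour. One of the two statements is wrong; either reword the `USE_CLAMAV_SCAN` description to "every hour by default" or change the default to a daily expression. Separately, the name `USE_CLAMAV_SCAN_CRON` carries a `USE_` prefix that none of the other new variables (`CLAMAV_UPDATE_CRON`, `GEOIP_CRON`, `LOGROTATE_CRON`, `BLOCK_*_CRON`) use; `CLAMAV_SCAN_CRON` would be consistent, and renaming now avoids a breaking change later.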
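Review bot: the `global-config.sh` hunk at @@ -100 writes `"$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1"` into `/etc/crontabs/root` without checking the value, and the same pattern is repeated for every `*_CRON` variable in the hunks that follow. A malformed expression (the six-field defaults currently in the README are a ready-made example) produces a crontab line crond rejects, and because renewal output goes to `/dev/null` the certificate simply stops renewing with nothing in the logs. Since the value is appended verbatim, an embedded newline would also add an arbitrary extra line to root's crontab; the variables come from the operator's environment, so this is not a trust-boundary crossing, but it is a silent failure mode worth closing. Suggest a small helper in `defaults.sh` or at the top of `global-config.sh`, e.g.

```
check_cron() { echo "$2" | grep -Eq '^([^[:space:]]+[[:space:]]+){4}[^[:space:]]+$' || { echo "[!] $1 is not a valid 5-field cron expression: $2" ; exit 1 ; } ; }
check_cron AUTO_LETS_ENCRYPT_CRON "$AUTO_LETS_ENCRYPT_CRON"
```

and call it once per variable before the `echo ... >> /etc/crontabs/root` lines so a typo fails the container start rather than disabling a scheduled security job.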
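Review bot: the `global-config.sh` hunk at @@ -279 tests `"$USE_CLAMAV_SCAN_REMOVE" = "yes"`, but `defaults.sh` defines `CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"` and the README documents `CLAMAV_SCAN_REMOVE`, so the `--remove` branch is only ever taken if a caller sets the undocumented name. The condition predates this patch, but both `echo` lines under it are rewritten here, so it is the moment to fix it to `"$CLAMAV_SCAN_REMOVE"`. Also, with the default `40 */1 * * *` a recursive `clamscan -r ... /` is launched hourly with no guard against overlap; a scan of the whole filesystem that takes longer than an hour will stack up scans (and, with `--remove`, have several of them deleting files concurrently). If `flock` is available in the image, wrapping the command as `flock -n /var/lock/clamscan.lock /usr/bin/clamscan ...` makes a late run skip instead of pile up.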
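Review bot: the README hunk at @@ -1167 (the `USE_CLAMAV_UPLOAD` description) is a whitespace-only change with no relation to the cron variables the patch introduces; it belongs in a separate cleanup commit so the feature diff stays reviewable.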