diff --git a/autoconf/AutoConf.py b/autoconf/AutoConf.py
index d4bda1a..02d05fa 100644
--- a/autoconf/AutoConf.py
+++ b/autoconf/AutoConf.py
@@ -58,7 +58,7 @@ class AutoConf :
 	def __process_instance(self, instance, event, id, name, labels) :
 		if event == "create" :
 			self.__instances[id] = instance
-			if self.__swarm and len(self.__instances) == 0 :
+			if self.__swarm and len(self.__instances) == 1 :
 				if self.__config.initconf(self.__instances) :
 					utils.log("[*] initial config succeeded")
 				else :
diff --git a/autoconf/Config.py b/autoconf/Config.py
index 3ce2e32..ba8fc06 100644
--- a/autoconf/Config.py
+++ b/autoconf/Config.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 import utils
-import subprocess, shutil, os, traceback, requests
+import subprocess, shutil, os, traceback, requests, time
 class Config :
@@ -24,13 +24,18 @@ class Config :
 				i = 0
 				started = False
 				while i < 5 :
-					if self.__status(instances) :
+					if self.__ping(instances) :
 						started = True
+						break
 					i = i + 1
 					time.sleep(i)
 				if started :
 					proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
 					return proc.returncode == 0
+				else :
+					utils.log("[!] bunkerized-nginx instances are not started")
+			else :
+				utils.log("[!] Can't generate global conf")
 		except Exception as e :
 			traceback.print_exc()
 			utils.log("[!] Error while initializing config : " + str(e))
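Review bot: With `len(self.__instances) == 1` the initial configuration is attempted exactly once, on the first create event; if that attempt fails (the `else :` branch is cut off at the end of the hunk), no later create event retries it, because the instance count is then above 1. Tracking the outcome explicitly would allow a retry on the next instance: `if self.__swarm and not self.__initialized :` and `self.__initialized = True` once `initconf` succeeds (the attribute would need a default in `__init__`, which is outside this hunk). __process_instance's body continues past the hunk.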
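Review bot: The two new `else :` branches in `initconf` only log and then fall off the end of the method, so the caller receives `None` rather than an explicit `False`; the truthiness test in AutoConf still works, but a `return False` after each `utils.log` makes the contract explicit. The retry loop also sleeps once more after the fifth failed ping before giving up; `for i in range(1, 6) :` with the `time.sleep(i)` only on a failed ping, or an `if i < 5 :` guard before the sleep, avoids the idle wait. Note that `__ping` counts only a 200 response as success while the api-temp.conf hunk answers `/ping` with `return 444` (connection closed), so "not started" is detected through an exception swallowed by the bare `except :` in `__api_call`; a comment such as `# the temporary API config closes /ping with 444 until the real config is loaded` would make that dependency visible. The enclosing method starts before the hunk.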
@@ -74,8 +79,8 @@ class Config :
 			vars_defaults.update(vars)
 			# Call site-config.sh to generate the config
 			proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " " + vars["SERVER_NAME"], "nginx"], env=vars_defaults, capture_output=True)
-			if proc.returncode == 0 :
-				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], capture_output=True)
+			if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" :
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
 			return proc.returncode == 0
 		except Exception as e :
 			traceback.print_exc()
@@ -132,8 +137,8 @@ class Config :
 	def reload(self, instances) :
 		return self.__api_call(instances, "/reload")
-	def __status(self, instances) :
-		return self.__api_call(instances, "/status")
+	def __ping(self, instances) :
+		return self.__api_call(instances, "/ping")
 	def __api_call(self, instances, path) :
 		ret = True
@@ -154,9 +159,9 @@ class Config :
 				except :
 					pass
 				if req and req.status_code == 200 :
-					utils.log("[*] Sent reload order to instance " + fqdn + " (service.node.task)")
+					utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
 				else :
-					utils.log("[!] Can't reload : API error for instance " + fqdn + " (service.node.task)")
+					utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
 					ret = False
 			# Send SIGHUP to running instance
 			elif instance.status == "running" :
diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile
index 7604a85..dd90486 100644
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
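Review bot: `vars_defaults["MULTISITE"]` in the new condition raises `KeyError` when the key is absent, which the `except Exception` below turns into a printed traceback and an implicit `None` return; if the defaults merged above the hunk do not guarantee the key, `vars_defaults.get("MULTISITE") == "yes"` keeps the site-config result in that case. While this call is being touched, the `-c` string still splices `vars["SERVER_NAME"]` into a shell command line; if that value can originate from container labels or environment, passing it as a separate argv element (or validating it against a hostname pattern before use) keeps the shell out of the data path. The enclosing method starts and ends outside the hunk.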
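Review bot: The `else :` branch now logs `[!] Can't send API order /ping to instance ...` for every pre-start probe, since `__ping` goes through the same path; during `initconf`'s retry loop that is up to five error-style lines for an expected condition. Logging ping failures differently, e.g. `if path != "/ping" : utils.log(...)` or a quiet flag passed into `__api_call`, would keep the error log meaningful. The bare `except :` / `pass` above the changed lines also discards why the request failed; `except requests.exceptions.RequestException as e :` with `str(e)` appended to the failure message would preserve the reason (requests is already imported in this file). `__api_call` starts and ends outside the hunk.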
@@ -9,13 +9,21 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
+COPY scripts/* /opt/scripts/
 COPY confs/site/ /opt/confs/site
 COPY confs/global/ /opt/confs/global
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
diff --git a/autoconf/Dockerfile-amd64 b/autoconf/Dockerfile-amd64
index 603fe1c..c729597 100644
--- a/autoconf/Dockerfile-amd64
+++ b/autoconf/Dockerfile-amd64
@@ -6,7 +6,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
diff --git a/autoconf/Dockerfile-arm32v7 b/autoconf/Dockerfile-arm32v7
index dcbe5e1..1d69c0c 100644
--- a/autoconf/Dockerfile-arm32v7
+++ b/autoconf/Dockerfile-arm32v7
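Review bot: The ownership given to `/var/log/letsencrypt` differs within this commit: the Dockerfile hunks use `chown root:nginx` (here and in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386) while the prepare.sh hunk uses `chown nginx:nginx`; whichever account runs certbot needs the same access in every image, so one of the two should be aligned with the other. The new `mkdir /opt/scripts` and the letsencrypt `mkdir`s omit `-p` while the neighbouring `mkdir -p /opt/confs/...` lines use it; `mkdir -p` is consistent and does not break a rebuild if the directory already exists in the base layer. The same six letsencrypt lines are repeated verbatim in five Dockerfiles, which is where the ownership divergence is likely to recur.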
@@ -13,7 +13,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
diff --git a/autoconf/Dockerfile-arm64v8 b/autoconf/Dockerfile-arm64v8
index d7a4be4..aa1a704 100644
--- a/autoconf/Dockerfile-arm64v8
+++ b/autoconf/Dockerfile-arm64v8
@@ -13,7 +13,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
diff --git a/autoconf/Dockerfile-i386 b/autoconf/Dockerfile-i386
index 7c27bc3..7a4df44 100644
--- a/autoconf/Dockerfile-i386
+++ b/autoconf/Dockerfile-i386
@@ -6,7 +6,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
diff --git a/confs/global/api-temp.conf b/confs/global/api-temp.conf
index 53f6072..67819d7 100644
--- a/confs/global/api-temp.conf
+++ b/confs/global/api-temp.conf
@@ -1,5 +1,9 @@
-location ~ ^/%API_URI% {
+location ~ ^%API_URI%/ping {
+	return 444;
+}
+
+location ~ ^%API_URI% {
 	rewrite_by_lua_block {
diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh
index b3a9512..2a34b3f 100644
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
@@ -13,7 +13,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	else
 		echo "[*] Downloading GeoIP database (in background) ..."
-		/opt/scripts/geoip.sh &
+		/opt/scripts/geoip.sh > /dev/null 2>&1 &
 	fi
 fi
@@ -24,7 +24,7 @@ if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
 	else
 		echo "[*] Downloading bad user-agent list (in background) ..."
-		/opt/scripts/user-agents.sh &
+		/opt/scripts/user-agents.sh > /dev/null 2>&1 &
 	fi
 fi
@@ -35,7 +35,7 @@ if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
 	else
 		echo "[*] Downloading bad referrer list (in background) ..."
-		/opt/scripts/referrers.sh &
+		/opt/scripts/referrers.sh > /dev/null 2>&1 &
 	fi
 fi
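Review bot: Sending the background download scripts to `> /dev/null 2>&1` hides any failure of the GeoIP, user-agent and referrer fetches here (and of the tor exit-node, proxies and abusers fetches in the following hunks), so a blocklist that never arrives leaves no trace for an operator to act on. The prepare.sh hunk in this same commit already creates `/var/log/jobs.log`, so `>> /var/log/jobs.log 2>&1 &` keeps the scripts detached while preserving their output. If the goal was only to keep the scripts' output out of the caller's captured stdout (jobs.sh is run via `subprocess.run(..., capture_output=True)` from `Config.initconf`), redirecting to the log file achieves that as well.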
@@ -46,7 +46,7 @@ if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
 	else
 		echo "[*] Downloading tor exit nodes list (in background) ..."
-		/opt/scripts/exit-nodes.sh &
+		/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
 	fi
 fi
@@ -57,7 +57,7 @@ if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
 	else
 		echo "[*] Downloading proxies list (in background) ..."
-		/opt/scripts/proxies.sh &
+		/opt/scripts/proxies.sh > /dev/null 2>&1 &
 	fi
 fi
@@ -68,6 +68,6 @@ if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
 	else
 		echo "[*] Downloading abusers list (in background) ..."
-		/opt/scripts/abusers.sh &
+		/opt/scripts/abusers.sh > /dev/null 2>&1 &
 	fi
 fi
diff --git a/prepare.sh b/prepare.sh
index b8a6911..0f82ea9 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -31,6 +31,9 @@ chmod -R 770 /var/log/nginx
 touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
 chown nginx:nginx /var/log/*.log
 chmod 770 /var/log/*.log
+mkdir /var/log/letsencrypt
+chown nginx:nginx /var/log/letsencrypt
+chmod 770 /var/log/letsencrypt
 # prepare /acme-challenge
 mkdir /acme-challenge
@@ -42,6 +45,11 @@ mkdir /etc/letsencrypt
 chown root:nginx /etc/letsencrypt
 chmod 770 /etc/letsencrypt
+# prepare /var/lib/letsencrypt
+mkdir /var/lib/letsencrypt
+chown root:nginx /var/lib/letsencrypt
+chmod 770 /var/lib/letsencrypt
+
 # prepare /etc/fail2ban
 rm -rf /etc/fail2ban/jail.d/*.conf
 chown -R root:nginx /etc/fail2ban