road to swarm - let's encrypt fix

autoconf/AutoConf.py

@@ -58,7 +58,7 @@ class AutoConf :
 	def __process_instance(self, instance, event, id, name, labels) :
 		if event == "create" :
 			self.__instances[id] = instance
-			if self.__swarm and len(self.__instances) == 0 :
+			if self.__swarm and len(self.__instances) == 1 :
 				if self.__config.initconf(self.__instances) :
 					utils.log("[*] initial config succeeded")
 				else :

autoconf/Config.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 
 import utils
-import subprocess, shutil, os, traceback, requests
+import subprocess, shutil, os, traceback, requests, time
 
 class Config :
 
@@ -24,13 +24,18 @@ class Config :
 				i = 0
 				started = False
 				while i < 5 :
-					if self.__status(instances) :
+					if self.__ping(instances) :
 						started = True
+						break
 					i = i + 1
 					time.sleep(i)
 				if started :
 					proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
 					return proc.returncode == 0
+				else :
+					utils.log("[!] bunkerized-nginx instances are not started")
+			else :
+				utils.log("[!] Can't generate global conf")
 		except Exception as e :
 			traceback.print_exc()
 			utils.log("[!] Error while initializing config : " + str(e))
@@ -74,8 +79,8 @@ class Config :
 			vars_defaults.update(vars)
 			# Call site-config.sh to generate the config
 			proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " " + vars["SERVER_NAME"], "nginx"], env=vars_defaults, capture_output=True)
-			if proc.returncode == 0 :
+			if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" :
-				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], capture_output=True)
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
 				return proc.returncode == 0
 		except Exception as e :
 			traceback.print_exc()
@@ -132,8 +137,8 @@ class Config :
 	def reload(self, instances) :
 		return self.__api_call(instances, "/reload")
 
-	def __status(self, instances) :
+	def __ping(self, instances) :
-		return self.__api_call(instances, "/status")
+		return self.__api_call(instances, "/ping")
 
 	def __api_call(self, instances, path) :
 		ret = True
@@ -154,9 +159,9 @@ class Config :
 					except :
 						pass
 					if req and req.status_code == 200 :
-						utils.log("[*] Sent reload order to instance " + fqdn + " (service.node.task)")
+						utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
 					else :
-						utils.log("[!] Can't reload : API error for instance " + fqdn + " (service.node.task)")
+						utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
 						ret = False
 			# Send SIGHUP to running instance
 			elif instance.status == "running" :

autoconf/Dockerfile

@@ -9,13 +9,21 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 
+COPY scripts/* /opt/scripts/
 COPY confs/site/ /opt/confs/site
 COPY confs/global/ /opt/confs/global
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-amd64

@@ -6,7 +6,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site  && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-arm32v7

@@ -13,7 +13,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-arm64v8

@@ -13,7 +13,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-i386

@@ -6,7 +6,13 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     mkdir -p /opt/confs/site && \
     mkdir -p /opt/confs/global && \
     addgroup -g 101 nginx && \
-    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

confs/global/api-temp.conf

@@ -1,5 +1,9 @@
 
-location ~ ^/%API_URI% {
+location ~ ^%API_URI%/ping {
+	return 444;
+}
+
+location ~ ^%API_URI% {
 
 rewrite_by_lua_block {
 	

entrypoint/jobs.sh

@@ -13,7 +13,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	else
 		echo "[*] Downloading GeoIP database (in background) ..."
-		/opt/scripts/geoip.sh &
+		/opt/scripts/geoip.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -24,7 +24,7 @@ if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
 	else
 		echo "[*] Downloading bad user-agent list (in background) ..."
-		/opt/scripts/user-agents.sh &
+		/opt/scripts/user-agents.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -35,7 +35,7 @@ if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
 	else
 		echo "[*] Downloading bad referrer list (in background) ..."
-		/opt/scripts/referrers.sh &
+		/opt/scripts/referrers.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -46,7 +46,7 @@ if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
 	else
 		echo "[*] Downloading tor exit nodes list (in background) ..."
-		/opt/scripts/exit-nodes.sh &
+		/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -57,7 +57,7 @@ if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
 	else
 		echo "[*] Downloading proxies list (in background) ..."
-		/opt/scripts/proxies.sh &
+		/opt/scripts/proxies.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -68,6 +68,6 @@ if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
 	else
 		echo "[*] Downloading abusers list (in background) ..."
-		/opt/scripts/abusers.sh &
+		/opt/scripts/abusers.sh > /dev/null 2>&1 &
 	fi
 fi

prepare.sh

@@ -31,6 +31,9 @@ chmod -R 770 /var/log/nginx
 touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
 chown nginx:nginx /var/log/*.log
 chmod 770 /var/log/*.log
+mkdir /var/log/letsencrypt
+chown nginx:nginx /var/log/letsencrypt
+chmod 770 /var/log/letsencrypt
 
 # prepare /acme-challenge
 mkdir /acme-challenge
@@ -42,6 +45,11 @@ mkdir /etc/letsencrypt
 chown root:nginx /etc/letsencrypt
 chmod 770 /etc/letsencrypt
 
+# prepare /var/lib/letsencrypt
+mkdir /var/lib/letsencrypt
+chown root:nginx /var/lib/letsencrypt
+chmod 770 /var/lib/letsencrypt
+
 # prepare /etc/fail2ban
 rm -rf /etc/fail2ban/jail.d/*.conf
 chown -R root:nginx /etc/fail2ban