From 95f7ca5b2d2c2723b742c60c57d6ecd359d2c86e Mon Sep 17 00:00:00 2001 From: bunkerity Date: Fri, 12 Mar 2021 15:17:45 +0100 Subject: [PATCH] road to swarm support - needs a lot of testing --- Dockerfile | 2 +- Dockerfile-amd64 | 2 +- Dockerfile-arm32v7 | 2 +- Dockerfile-arm64v8 | 2 +- Dockerfile-i386 | 2 +- autoconf/AutoConf.py | 10 +++++-- autoconf/Config.py | 32 ++++++++++++++++++---- autoconf/Dockerfile | 13 ++++----- autoconf/{entrypoint.py => app.py} | 8 +++--- autoconf/entrypoint.sh | 33 ++++++++++++++++++++++ confs/site/main-lua.conf | 7 +++-- entrypoint/clamav.sh | 21 ++++++++++++++ entrypoint/entrypoint.sh | 18 +++++++++++- entrypoint/fail2ban.sh | 20 ++++++++++++++ entrypoint/global-config.sh | 44 ------------------------------ entrypoint/lua.sh | 40 +++++++++++++++++++++++++++ entrypoint/nginx-temp.sh | 19 +++++++++++++ entrypoint/site-config.sh | 2 -- lua/dns.lua | 2 +- 19 files changed, 204 insertions(+), 75 deletions(-) rename autoconf/{entrypoint.py => app.py} (95%) create mode 100644 autoconf/entrypoint.sh create mode 100644 entrypoint/clamav.sh create mode 100644 entrypoint/fail2ban.sh create mode 100644 entrypoint/lua.sh create mode 100644 entrypoint/nginx-temp.sh diff --git a/Dockerfile b/Dockerfile index f3f13ef..2641166 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh -VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs +VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 5acc7fe..a201837 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -16,7 +16,7 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh -VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs +VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index afe3538..e8a1f2e 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -23,7 +23,7 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh -VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs +VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index ea11acc..9ae7e23 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -23,7 +23,7 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh -VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs +VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 5f579c5..2f80f70 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -16,7 +16,7 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh -VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs +VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/autoconf/AutoConf.py b/autoconf/AutoConf.py index 8564eb2..206c426 100644 --- a/autoconf/AutoConf.py +++ b/autoconf/AutoConf.py @@ -2,11 +2,11 @@ from Config import Config class AutoConf : - def __init__(self, swarm) : + def __init__(self, swarm, api) : self.__swarm = swarm self.__instances = {} self.__sites = {} - self.__config = Config(self.__swarm) + self.__config = Config(self.__swarm, api) def pre_process(self, objs) : for instance in objs : @@ -52,6 +52,12 @@ class AutoConf : def __process_instance(self, instance, event, id, name, labels) : if event == "create" : self.__instances[id] = obj + if self.__swarm : + if self.__config.global(self.__instances) : + utils.log("[*] global config generated") + self.__config.reload(self.__instances) + else : + utils.log("[!] can't generate global config") utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id) elif event == "start" : self.__instances[id].reload() diff --git a/autoconf/Config.py b/autoconf/Config.py index 252814b..2ee2865 100644 --- a/autoconf/Config.py +++ b/autoconf/Config.py @@ -5,8 +5,26 @@ import subprocess, shutil, os, traceback class Config : - def __init__(self, swarm) : + def __init__(self, swarm, api) : self.__swarm = swarm + self.__api = api + + def global(self, instances) : + try : + for instance_id, instance in instances.items() : + env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"] + break + vars + for var_value in env : + var = var_value.split("=")[0] + value = var_value.replace(var + "=", "", 1) + vars[var] = value + proc = subprocess.run(["/opt/entrypoint/global-config"], vars["SERVER_NAME"]], env=vars, capture_output=True) + return proc.returncode == 0 + except Exception as e : + traceback.print_exc() + utils.log("[!] Error while generating config : " + str(e)) + return False def generate(self, instances, vars) : try : @@ -27,7 +45,8 @@ class Config : # Call site-config.sh to generate the config proc = subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults, capture_output=True) if proc.returncode == 0 : - return True + proc = subprocess.run(["/opt/entrypoint/multisite-config.sh"], capture_output=True) + return proc.returncode == 0 except Exception as e : traceback.print_exc() utils.log("[!] Error while generating config : " + str(e)) @@ -43,7 +62,7 @@ class Config : # Include the server conf utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}") - return self.__reload(instances) + return self.reload(instances) except Exception as e : utils.log("[!] Error while activating config : " + str(e)) return False @@ -58,7 +77,7 @@ class Config : # Remove the include utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "") - return self.__reload(instances) + return self.reload(instances) except Exception as e : utils.log("[!] Error while deactivating config : " + str(e)) @@ -78,7 +97,7 @@ class Config : utils.log("[!] Error while deactivating config : " + str(e)) return False - def __reload(self, instances) : + def reload(self, instances) : ret = True for instance_id, instance in instances.items() : # Reload the instance object just in case @@ -91,11 +110,12 @@ class Config : nodeID = task["NodeID"] taskID = task["ID"] fqdn = name + "." + nodeID + "." + taskID - req = requests.post("http://" + fqdn + ":8000/reload") + req = requests.post("http://" + fqdn + ":8080" + api + "/reload") if req and req.status_code == 200 : utils.log("[*] Sent reload order to instance " + fqdn + " (service.node.task)") else : utils.log("[!] Can't reload : API error for instance " + fqdn + " (service.node.task)") + ret = False # Send SIGHUP to running instance elif instance.status == "running" : try : diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile index 2de9053..f624ddc 100644 --- a/autoconf/Dockerfile +++ b/autoconf/Dockerfile @@ -1,18 +1,17 @@ FROM alpine -RUN apk add py3-pip apache2-utils bash && \ +RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ pip3 install docker && \ mkdir /opt/entrypoint && \ - mkdir -p /opt/confs/site + mkdir -p /opt/confs/site && \ + mkdir -p /opt/confs/global COPY confs/site/ /opt/confs/site +COPY confs/global/ /opt/confs/global COPY entrypoint/* /opt/entrypoint/ COPY autoconf/* /opt/entrypoint/ RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh -# Fix CVE-2020-1971 -RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0" +VOLUME /etc/nginx /etc/letsencrypt -VOLUME /etc/nginx - -ENTRYPOINT ["/opt/entrypoint/entrypoint.py"] +ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"] diff --git a/autoconf/entrypoint.py b/autoconf/app.py similarity index 95% rename from autoconf/entrypoint.py rename to autoconf/app.py index 33f5645..809deb6 100644 --- a/autoconf/entrypoint.py +++ b/autoconf/app.py @@ -18,11 +18,11 @@ except Exception as e : # Check if we are in Swarm mode swarm = os.getenv("SWARM_MODE") == "yes" -# Setup cron tasks if we are in Swarm mode -# TODO - # Our object to process events -autoconf = AutoConf(swarm) +api = "" +if swarm : + api = os.getenv("API_URI") +autoconf = AutoConf(swarm, api) # Get all bunkerized-nginx instances and web services created before try : diff --git a/autoconf/entrypoint.sh b/autoconf/entrypoint.sh new file mode 100644 index 0000000..605ac6e --- /dev/null +++ b/autoconf/entrypoint.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +echo "[*] Starting autoconf ..." + +# trap SIGTERM and SIGINT +function trap_exit() { + echo "[*] Catched stop operation" + echo "[*] Stopping crond ..." + pkill -TERM crond + echo "[*] Stopping python3 ..." + pkill -TERM python3 + pkill -TERM tail +} +trap "trap_exit" TERM INT QUIT + +# remove old crontabs +echo "" > /etc/crontabs/root + +# setup logrotate +touch /var/log/jobs.log +echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root + +# run autoconf app +/opt/entrypoint/app.py & + +# display logs +tail -F /var/log/jobs.log & +pid="$!" +wait "$pid" + +# stop +echo "[*] autoconf stopped" +exit 0 diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index edcf82d..adc974b 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf @@ -6,7 +6,6 @@ access_by_lua_block { local use_whitelist_ip = %USE_WHITELIST_IP% local use_whitelist_reverse = %USE_WHITELIST_REVERSE% local use_user_agent = %USE_USER_AGENT% -local whitelist_useragent_list = { %WHITELIST_USERAGENT_LIST% } local use_referrer = %USE_REFERRER% local use_country = %USE_COUNTRY% local use_blacklist_ip = %USE_BLACKLIST_IP% @@ -19,6 +18,7 @@ local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA% local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA% -- include LUA code + local whitelist = require "whitelist" local blacklist = require "blacklist" local dnsbl = require "dnsbl" @@ -27,8 +27,9 @@ local javascript = require "javascript" local captcha = require "captcha" local recaptcha = require "recaptcha" --- antibot -local antibot_uri = "%ANTIBOT_URI%" +-- user variables +local antibot_uri = "%ANTIBOT_URI%" +local whitelist_useragent_list = {%WHITELIST_USERAGENT_LIST%} -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then diff --git a/entrypoint/clamav.sh b/entrypoint/clamav.sh new file mode 100644 index 0000000..59effad --- /dev/null +++ b/entrypoint/clamav.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +# load default values +. /opt/entrypoint/defaults.sh + +# load some functions +. /opt/entrypoint/utils.sh + +# clamav setup +if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then + echo "[*] Updating clamav (in background) ..." + freshclam > /dev/null 2>&1 & + echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root +fi +if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then + if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + else + echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root + fi +fi diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index 0798caa..562ab9e 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -12,7 +12,6 @@ done # trap SIGTERM and SIGINT function trap_exit() { - rm -f "/opt/running" 2> /dev/null echo "[*] Catched stop operation" echo "[*] Stopping crond ..." pkill -TERM crond @@ -56,6 +55,19 @@ if [ ! -f "/opt/installed" ] ; then # logs config /opt/entrypoint/logs.sh + # lua config + # TODO : move variables from /usr/local/lib/lua + multisite support ? + /opt/entrypoint/lua.sh + + # fail2ban config + /opt/entrypoint/fail2ban.sh + + # clamav config + /opt/entrypoint/clamav.sh + + # start temp nginx to solve Let's Encrypt challenges if needed + /opt/entrypoint/nginx-temp.sh + # only do config if we are not in swarm mode if [ "$SWARM_MODE" = "no" ] ; then # global config @@ -73,6 +85,7 @@ if [ ! -f "/opt/installed" ] ; then echo "[*] Single site - $SERVER_NAME configuration done" fi fi + touch /opt/installed else echo "[*] Skipping configuration process" @@ -97,9 +110,12 @@ if [ "$SWARM_MODE" != "yes" ] ; then done fi +# stop temp config if needed if [ -f "/tmp/nginx-temp.pid" ] ; then nginx -c /etc/nginx/nginx-temp.conf -s quit fi + +# run nginx echo "[*] Running nginx ..." su -s "/usr/sbin/nginx" nginx if [ "$?" -eq 0 ] ; then diff --git a/entrypoint/fail2ban.sh b/entrypoint/fail2ban.sh new file mode 100644 index 0000000..3e73c37 --- /dev/null +++ b/entrypoint/fail2ban.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# load default values +. /opt/entrypoint/defaults.sh + +# load some functions +. /opt/entrypoint/utils.sh + +# fail2ban setup +if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then + rm -rf /etc/fail2ban/jail.d/*.conf + cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local + cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local + cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME" + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME" + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY" + replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP" + replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES" +fi diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index 22996e7..7cb42db 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh @@ -7,7 +7,6 @@ . /opt/entrypoint/utils.sh # copy stub confs -cp -r /opt/lua/* /usr/local/lib/lua cp /opt/confs/global/* /etc/nginx/ # remove cron jobs @@ -18,12 +17,6 @@ if [ "$ADDITIONAL_MODULES" != "" ] ; then apk add $ADDITIONAL_MODULES fi -# start nginx with temp conf for let's encrypt challenges -if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then - replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT" - nginx -c /etc/nginx/nginx-temp.conf -fi - # include server block(s) if [ "$MULTISITE" = "yes" ] ; then includes="" @@ -196,8 +189,6 @@ if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then fi # DNS resolvers -resolvers=$(spaces_to_lua "$DNS_RESOLVERS") -replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers" replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS" # whitelist IP @@ -206,8 +197,6 @@ if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then else replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "" fi -list=$(spaces_to_lua "$WHITELIST_IP_LIST") -replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list" # whitelist rDNS if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then @@ -215,8 +204,6 @@ if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then else replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "" fi -list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") -replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list" # blacklist IP if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then @@ -224,8 +211,6 @@ if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then else replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "" fi -list=$(spaces_to_lua "$BLACKLIST_IP_LIST") -replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list" # blacklist rDNS if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then @@ -233,8 +218,6 @@ if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then else replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "" fi -list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") -replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list" # request limiting if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then @@ -256,8 +239,6 @@ if [ "$(has_value USE_DNSBL yes)" != "" ] ; then else replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;" fi -list=$(spaces_to_lua "$DNSBL_LIST") -replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list" # disable default site if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then @@ -269,36 +250,11 @@ fi # fail2ban setup if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then echo "" > /etc/nginx/fail2ban-ip.conf - rm -rf /etc/fail2ban/jail.d/*.conf - cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local - cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local - cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME" - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME" - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY" - replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP" - replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES" -fi - -# clamav setup -if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - echo "[*] Updating clamav (in background) ..." - freshclam > /dev/null 2>&1 & - echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root -fi -if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root - else - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root - fi fi # CrowdSec setup if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;" - replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST" - replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY" else replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "" fi diff --git a/entrypoint/lua.sh b/entrypoint/lua.sh new file mode 100644 index 0000000..182b788 --- /dev/null +++ b/entrypoint/lua.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +# load default values +. /opt/entrypoint/defaults.sh + +# load some functions +. /opt/entrypoint/utils.sh + +# copy stub LUA scripts +cp -r /opt/lua/* /usr/local/lib/lua + +# DNS resolvers +resolvers=$(spaces_to_lua "$DNS_RESOLVERS") +replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers" + +# whitelist IP +list=$(spaces_to_lua "$WHITELIST_IP_LIST") +replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list" + +# whitelist rDNS +list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") +replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list" + +# blacklist IP +list=$(spaces_to_lua "$BLACKLIST_IP_LIST") +replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list" + +# blacklist rDNS +list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") +replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list" + +# DNSBL +list=$(spaces_to_lua "$DNSBL_LIST") +replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list" + +# CrowdSec setup +if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then + replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST" + replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY" +fi diff --git a/entrypoint/nginx-temp.sh b/entrypoint/nginx-temp.sh new file mode 100644 index 0000000..057ec4c --- /dev/null +++ b/entrypoint/nginx-temp.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# load default values +. /opt/entrypoint/defaults.sh + +# load some functions +. /opt/entrypoint/utils.sh + +# start nginx with temp conf for let's encrypt challenges +if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then + cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf + replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT" + nginx -c /tmp/nginx-temp.conf + if [ "$?" -eq 0 ] ; then + echo "[*] Successfully started temp nginx to solve Let's Encrypt challenges" + else + echo "[!] Can't start temp nginx to solve Let's Encrypt challenges" + fi +fi diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index 0528c7d..f54d6de 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh @@ -1,9 +1,7 @@ #!/bin/bash # load default values -set -a . /opt/entrypoint/defaults.sh -set +a # load some functions . /opt/entrypoint/utils.sh diff --git a/lua/dns.lua b/lua/dns.lua index 0287de5..a462757 100644 --- a/lua/dns.lua +++ b/lua/dns.lua @@ -1,6 +1,6 @@ local M = {} local resolver = require "resty.dns.resolver" -local resolvers = {%DNS_RESOLVERS%} +local resolvers = {%DNS_RESOLVERS%} local ip = ngx.var.remote_addr function M.get_reverse()