diff --git a/confs2/global/api-temp.conf b/confs2/global/api-temp.conf index 5a5146b..a368bcc 100644 --- a/confs2/global/api-temp.conf +++ b/confs2/global/api-temp.conf @@ -1,15 +1,15 @@ - -location ~ ^%API_URI%/ping { +# todo : if api_uri == "random" +location ~ ^{{ API_URI }}/ping { return 444; } -location ~ ^%API_URI% { +location ~ {{ API_URI }} { rewrite_by_lua_block { local api = require "api" - local api_whitelist_ip = {{ API_WHITELIST_IP }} - local api_uri = "%API_URI%" + local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} + local api_uri = "{{ API_URI }}" local logger = require "logger" if api.is_api_call(api_uri, api_whitelist_ip) then diff --git a/confs2/global/api.conf b/confs2/global/api.conf index e74a272..1e70b0b 100644 --- a/confs2/global/api.conf +++ b/confs2/global/api.conf @@ -1,16 +1,9 @@ -{{ API_URI }} -{% set API_WHITELIST_IP_value = "" %} -{% for element in API_WHITELIST_IP.split(" ") %} - {{ element + "toto" }} - {% set API_WHITELIST_IP_value = API_WHITELIST_IP_value + '"' + element + '",' %} -{% endfor %} -{% set API_WHITELIST_IP_value = API_WHITELIST_IP_value[:-1] %} - +# todo : if api_uri == "random" rewrite_by_lua_block { local api = require "api" local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} - local api_uri = "%API_URI%" + local api_uri = "{{ API_URI }}" local logger = require "logger" if api.is_api_call(api_uri, api_whitelist_ip) then diff --git a/confs2/global/cache.conf b/confs2/global/cache.conf deleted file mode 100644 index 2b12cfd..0000000 --- a/confs2/global/cache.conf +++ /dev/null 
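Review bot: The rewritten `location ~ {{ API_URI }} {` has lost the `^` anchor that the removed line and the `/ping` location above it still carry, so as an unanchored regex location it now matches any request URI that merely contains the API_URI string rather than requests under that prefix; restore it as `location ~ ^{{ API_URI }} {`. API_URI is also spliced into the regex verbatim, so any regex metacharacter in the value (a `.` for instance) changes what matches — worth a comment if the setting's regex does not already exclude them. The whitelist table built from `API_WHITELIST_IP.split(" ")` contains an empty string whenever the setting is empty or has repeated spaces (`"".split(" ")` is `[""]`); whether `api.is_api_call` treats `""` as a wildcard cannot be seen here, so `{% set elements = API_WHITELIST_IP.split() %}`, which drops empty fields, is the safer form. The same table construction appears in the api.conf hunk that follows.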
@@ -1,4 +0,0 @@ -open_file_cache %CACHE%; -open_file_cache_errors %CACHE_ERRORS%; -open_file_cache_min_uses %CACHE_USES%; -open_file_cache_valid %CACHE_VALID%; diff --git a/confs2/global/geoip.conf b/confs2/global/geoip.conf index 77399f0..0e7994a 100644 --- a/confs2/global/geoip.conf +++ b/confs2/global/geoip.conf @@ -5,6 +5,11 @@ geoip2 /etc/nginx/geoip.mmdb { } map $geoip2_data_country_code $allowed_country { - default %DEFAULT%; - %COUNTRY% + default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %}; + {% for country in WHITELIST_COUNTRY.split(" ") %} + {{ country }} yes; + {% endfor %} + {% for country in BLACKLIST_COUNTRY.split(" ") %} + {{ country }} no; + {% endfor %} } diff --git a/confs2/global/init-lua.conf b/confs2/global/init-lua.conf index f947cc6..99dbc3f 100644 --- a/confs2/global/init-lua.conf +++ b/confs2/global/init-lua.conf @@ -3,12 +3,12 @@ init_by_lua_block { local dataloader = require "dataloader" local logger = require "logger" -local use_proxies = %USE_PROXIES% -local use_abusers = %USE_ABUSERS% -local use_tor_exit_nodes = %USE_TOR_EXIT_NODES% -local use_user_agents = %USE_USER_AGENTS% -local use_referrers = %USE_REFERRERS% -local use_crowdsec = %USE_CROWDSEC% +local use_proxies = {% if USE_PROXIES == "yes" %}true{% else %}false{% endif %} +local use_abusers = {% if USE_ABUSERS == "yes" %}true{% else %}false{% endif %} +local use_tor_exit_nodes = {% if USE_TOR_EXIT_NODES == "yes" %}true{% else %}false{% endif %} +local use_user_agents = {% if USE_USER_AGENTS == "yes" %}true{% else %}false{% endif %} +local use_referrers = {% if USE_REFERRERS == "yes" %}true{% else %}false{% endif %} +local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %} if use_proxies then dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) diff --git a/confs2/global/multisite-default-server-https.conf b/confs2/global/multisite-default-server-https.conf index 7f78bb9..2f5e87d 100644 
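Review bot: Each of the two new loops in the `map` block emits a one-token entry (`yes;` or `no;`) when its list is empty, because `"".split(" ")` yields `[""]`, and the nginx.conf hunk later in this diff includes geoip.conf as soon as either list is set, so a configuration with only WHITELIST_COUNTRY or only BLACKLIST_COUNTRY produces a map entry nginx rejects at startup. Using `{% for country in WHITELIST_COUNTRY.split() %}` and `{% for country in BLACKLIST_COUNTRY.split() %}` skips empty fields and also tolerates repeated spaces. A code listed in both variables renders as a duplicate map key, which nginx likewise refuses; if that case is meant to be allowed, give one loop precedence and say so in a comment above the block.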
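Review bot: The loader flags in the new init-lua.conf lines are gated on `USE_PROXIES`, `USE_TOR_EXIT_NODES`, `USE_USER_AGENTS` and `USE_REFERRERS`, while the nginx.conf hunk later in this diff declares the matching `lua_shared_dict`s (`proxies_data`, `tor_exit_nodes_data`, `user_agents_data`, `referrers_data`) under `has_value("BLOCK_PROXIES", "yes")`, `BLOCK_TOR_EXIT_NODE`, `BLOCK_USER_AGENT` and `BLOCK_REFERRER`. Unless the generator derives one family of names from the other, a setting enabled on one side only leaves `dataloader.load_ip` (the `if use_proxies then` branch continues past the end of the hunk) writing into an `ngx.shared` dict that was never declared. Gating both places on the same helper, e.g. `local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}`, would also let the multisite-suffixed keys that `has_value` was added for count here.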
--- a/confs2/global/multisite-default-server-https.conf
+++ b/confs2/global/multisite-default-server-https.conf
@@ -1,11 +1,13 @@
-listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
 ssl_certificate /etc/nginx/default-cert.pem;
 ssl_certificate_key /etc/nginx/default-key.pem;
-ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_protocols {{ HTTPS_PROTOCOLS }};
 ssl_prefer_server_ciphers off;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
-%SSL_DHPARAM%
-%SSL_CIPHERS%
-%LETS_ENCRYPT_WEBROOT%
+{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
diff --git a/confs2/global/multisite-default-server.conf b/confs2/global/multisite-default-server.conf
index fc48b42..74d4029 100644
--- a/confs2/global/multisite-default-server.conf
+++ b/confs2/global/multisite-default-server.conf
@@ -1,6 +1,7 @@
+toto
 server {
- %LISTEN_HTTP%
+ {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
 server_name _;
- %USE_HTTPS%
- %MULTISITE_DISABLE_DEFAULT_SERVER%
+ {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
+ {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
 }
diff --git a/confs2/global/nginx.conf b/confs2/global/nginx.conf
index d8e59a0..aa24be7 100644
--- a/confs2/global/nginx.conf
+++ b/confs2/global/nginx.conf
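Review bot: The new `ssl_dhparam` and `ssl_ciphers` lines are emitted only when `"TLSv1.2"` occurs in HTTPS_PROTOCOLS, but both directives govern every pre-1.3 protocol, so a value that enables TLSv1.1 or TLSv1.0 without TLSv1.2 (whether the setting's regex permits that is not visible here) would run on nginx's built-in cipher defaults with no DH parameters. A guard such as `{% if HTTPS_PROTOCOLS != "TLSv1.3" %}` covers every case where a cipher list matters, and a comment above the block saying why the list is skipped for TLSv1.3-only would help the next reader.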
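Review bot: The added first line `toto` in multisite-default-server.conf is rendered verbatim into the generated server block, where nginx rejects it as an unknown directive, and the api.conf hunk earlier in this diff removes a `"toto"` debugging line of the same kind, so this looks like leftover debugging that should be dropped before merge. The three conditional includes also mix two gating styles in one file: `has_value("AUTO_LETS_ENCRYPT", "yes")` sees multisite-suffixed keys while `LISTEN_HTTP == "yes"` and `DISABLE_DEFAULT_SERVER == "yes"` only see the global value; if that asymmetry is intended (the default server listens only when the global says so), a one-line comment stating it would stop the next reader from "fixing" it.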
@@ -26,11 +26,11 @@ pcre_jit on; include /etc/nginx/modules/*.conf; # max open files for each worker -worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%; +worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }}; events { # max connections per worker - worker_connections %WORKER_CONNECTIONS%; + worker_connections {{ WORKER_CONNECTIONS }}; # epoll seems to be the best on Linux use epoll; @@ -51,9 +51,9 @@ http { default_type application/octet-stream; # write logs to local syslog - log_format logf '%LOG_FORMAT%'; + log_format logf '{{ LOG_FORMAT }}'; access_log /var/log/access.log logf; - error_log /var/log/error.log %LOG_LEVEL%; + error_log /var/log/error.log {{ LOG_LEVEL }}; # temp paths proxy_temp_path /tmp/proxy_temp; 
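Review bot: `log_format logf '{{ LOG_FORMAT }}';` drops the setting inside single quotes with no escaping, so a value containing `'` breaks the directive, and `error_log /var/log/error.log {{ LOG_LEVEL }};` likewise relies entirely on the settings regex for a well-formed value. The Configurator hunk in this diff shows that check is `re.search`, which only constrains the whole value when the pattern is anchored; if the patterns for these two settings are not, a comment on these lines naming that assumption (or an anchored pattern) is the cheap guard.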
@@ -72,36 +72,39 @@ http { send_timeout 10; # resolvers to use - resolver %DNS_RESOLVERS% ipv6=off; + resolver {{ DNS_RESOLVERS }} ipv6=off; # remove ports when sending redirects port_in_redirect off; # lua path and dicts lua_package_path "/usr/local/lib/lua/?.lua;;"; - %WHITELIST_IP_CACHE% - %WHITELIST_REVERSE_CACHE% - %BLACKLIST_IP_CACHE% - %BLACKLIST_REVERSE_CACHE% - %DNSBL_CACHE% - %BLOCK_PROXIES% - %BLOCK_ABUSERS% - %BLOCK_TOR_EXIT_NODES% - %BLOCK_USER_AGENTS% - %BLOCK_REFERRERS% - %BAD_BEHAVIOR% + {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %} + {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %} + {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %} + {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %} + {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %} + {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %} + {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %} + {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %} # shared memory zone for limit_req - %LIMIT_REQ_ZONE% + {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ 
LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %} # shared memory zone for limit_conn - %LIMIT_CONN_ZONE% + {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %} # whitelist or blacklist country - %USE_COUNTRY% + {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %} # zone for proxy_cache - %PROXY_CACHE_PATH% + {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %} # custom http confs include /http-confs/*.conf; @@ -110,11 +113,19 @@ http { include /etc/nginx/init-lua.conf; # default server when MULTISITE=yes - %MULTISITE_DEFAULT_SERVER% + {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %} # server config(s) - %INCLUDE_SERVER% + {% if SWARM_MODE == "no" %} + {% if MULTISITE == "yes" %} + {% for server_name in SERVER_NAME.split(" ") %} + include /etc/nginx/{{ server_name }}/server.conf; + {% endfor %} + {% else %} + include /etc/nginx/server.conf; + {% endif %} + {% endif %} # API - %USE_API% + {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %} } diff --git a/gen/Configurator.py b/gen/Configurator.py index 03b8fa4..ae9d6c1 100644 --- a/gen/Configurator.py +++ b/gen/Configurator.py @@ -40,4 +40,6 @@ class Configurator : real_var = var elif var[len(var.split("_")[0])+1:] in self.__settings : real_var = var[len(var.split("_")[0])+1:] + print(real_var) + print(var[len(var.split("_")[0])+1:]) return real_var != "" and re.search(self.__settings[real_var]["regex"], value) and (not multisite_only or self.__settings[real_var]["context"] == "multisite") diff --git a/gen/Templator.py b/gen/Templator.py index 3daff02..f2a3613 100644 --- a/gen/Templator.py +++ b/gen/Templator.py 
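Review bot: The country-filter include `{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}` tests the global variables directly while every `lua_shared_dict` line above it goes through `has_value`, so a country list set only on a multisite-suffixed key would never pull in geoip.conf (and geoip.conf itself reads only the globals), assuming those settings are meant to be per-site at all. If they are global-only, a comment on the line documenting that exception would help; if not, the check needs a suffix-aware helper, since `has_value` compares for equality and cannot express "non-empty". The hunk's enclosing `http {` block opens and closes outside the hunk.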
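Review bot: `{% for server_name in SERVER_NAME.split(" ") %}` with an empty SERVER_NAME iterates once over `""` and emits `include /etc/nginx//server.conf;`, which silently pulls in the single-site server.conf path under MULTISITE=yes; `SERVER_NAME.split()` yields nothing for an empty or multi-space value. Each name is also used as a path component, so the setting's regex (not visible here) must exclude `/` and `..`; a comment on the loop stating that assumption would make it reviewable.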
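Review bot: The two added `print(...)` calls in Configurator.py write every validated setting name to stdout on each check and play no part in the result, so they read as leftover debugging and should be removed (the enclosing method starts above the hunk). While here, the unchanged return line validates with `re.search`, which accepts a value as soon as the pattern matches anywhere inside it; because these values are later spliced into nginx directives, regex locations and include paths, each settings regex has to be anchored (`^…$`) or the call changed to `re.fullmatch` — an observation about the existing line, not about this change.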
@@ -21,9 +21,17 @@ class Templator :
 if os.path.isfile(filename) :
 relative_filename = filename.replace(self.__input_path, "").replace(type + "/", "")
 template = self.__template_env.get_template(type + "/" + relative_filename)
- output = template.render(real_config)
+ template.globals["has_value"] = Templator.has_value
+ output = template.render(real_config, all=real_config)
 if "/" in relative_filename :
 directory = relative_filename.replace(relative_filename.split("/")[-1], "")
 pathlib.Path(output_path + "/" + directory).mkdir(parents=True, exist_ok=True)
 with open(output_path + "/" + relative_filename, "w") as f :
 f.write(output)
+
+ @jinja2.contextfunction
+ def has_value(context, name, value) :
+ for k, v in context.items() :
+ if (k == name or k.endswith("_" + name)) and v == value :
+ return True
+ return False
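Review bot: `template.globals["has_value"] = Templator.has_value` is re-applied to every template inside the per-file loop; registering it once on the environment (`self.__template_env.globals["has_value"] = Templator.has_value` in `__init__`, which is outside this hunk) gives the same result without touching each template's globals. `jinja2.contextfunction` was deprecated in Jinja2 3.0 and removed in 3.1, so the new helper should use `@jinja2.pass_context`, and since it is only ever called as a plain function it should also be marked `@staticmethod` (outermost). The suffix test `k.endswith("_" + name)` matches any key ending in `_<name>`, not only site-prefixed ones, so a setting whose name is a suffix of another setting's name would be conflated; a docstring stating the intended key shape (presumably `<site>_<SETTING>` — confirm against the generator) would pin that down. `render(real_config, all=real_config)` also exposes the whole config dict as a context value named `all`, which nothing in this hunk reads and which `has_value` will iterate over like any other key; if it exists only for the helper it is unnecessary, because the decorated helper already receives the context.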