From a2543384cd1e649862db0cac38a78655eba7003d Mon Sep 17 00:00:00 2001 From: bunkerity Date: Sat, 13 Mar 2021 15:28:15 +0100 Subject: [PATCH] road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights --- autoconf/Dockerfile | 2 +- autoconf/Dockerfile-amd64 | 2 +- autoconf/Dockerfile-arm32v7 | 2 +- autoconf/Dockerfile-arm64v8 | 2 +- autoconf/Dockerfile-i386 | 2 +- autoconf/entrypoint.sh | 5 ++++- confs/global/api.conf | 7 +++---- entrypoint/global-config.sh | 2 ++ lua/api.lua | 5 ++--- 9 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile
index e888a6b..0b479ee 100644
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
@@ -4,7 +4,7 @@ FROM alpine
 COPY --from=builder /etc/nginx/ /opt/confs/nginx
-RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
 pip3 install docker requests && \
 mkdir /opt/entrypoint && \
 mkdir -p /opt/confs/site && \
diff --git a/autoconf/Dockerfile-amd64 b/autoconf/Dockerfile-amd64
index 682a680..2e6a0cf 100644
--- a/autoconf/Dockerfile-amd64
+++ b/autoconf/Dockerfile-amd64
@@ -1,6 +1,6 @@
 FROM amd64/alpine
-RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
 pip3 install docker requests && \
 mkdir /opt/entrypoint && \
 mkdir -p /opt/confs/site && \
diff --git a/autoconf/Dockerfile-arm32v7 b/autoconf/Dockerfile-arm32v7
index f604d60..c272ad4 100644
--- a/autoconf/Dockerfile-arm32v7
+++ b/autoconf/Dockerfile-arm32v7
@@ -7,7 +7,7 @@ FROM arm32v7/alpine
 COPY --from=builder qemu-arm-static /usr/bin
-RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
 pip3 install docker requests && \
 mkdir /opt/entrypoint && \
 mkdir -p /opt/confs/site && \
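Review bot: The `openssl` package joins an `apk add` list that, like the `pip3 install docker requests` on the context line below it, pins no versions and passes no `--no-cache`, so each rebuild installs whatever the current index serves and leaves the apk index cached in the layer; for a container that (presumably, given the `openssl req` calls elsewhere in this commit) now generates TLS private keys, that is worth tightening to `apk add --no-cache ... openssl=VERSION` and `pip3 install docker==X requests==Y`. The same line is edited by hand in all five Dockerfiles touched by this commit, which is how they will drift apart; a single shared package list (an `ARG` or a copied file) would keep the variants in step.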
diff --git a/autoconf/Dockerfile-arm64v8 b/autoconf/Dockerfile-arm64v8
index 6c6ea4f..ff8b775 100644
--- a/autoconf/Dockerfile-arm64v8
+++ b/autoconf/Dockerfile-arm64v8
@@ -7,7 +7,7 @@ FROM arm64v8/alpine
 COPY --from=builder qemu-aarch64-static /usr/bin
-RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
 pip3 install docker requests && \
 mkdir /opt/entrypoint && \
 mkdir -p /opt/confs/site && \
diff --git a/autoconf/Dockerfile-i386 b/autoconf/Dockerfile-i386
index d080b47..fa026d5 100644
--- a/autoconf/Dockerfile-i386
+++ b/autoconf/Dockerfile-i386
@@ -1,6 +1,6 @@
 FROM i386/alpine
-RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
 pip3 install docker requests && \
 mkdir /opt/entrypoint && \
 mkdir -p /opt/confs/site && \
diff --git a/autoconf/entrypoint.sh b/autoconf/entrypoint.sh
index 50dd4e9..5fb1ec1 100644
--- a/autoconf/entrypoint.sh
+++ b/autoconf/entrypoint.sh
@@ -2,7 +2,7 @@
 echo "[*] Starting autoconf ..."
-cp /opt/confs/nginx/* /etc/nginx
+cp -r /opt/confs/nginx/* /etc/nginx
 # trap SIGTERM and SIGINT
 function trap_exit() {
@@ -22,6 +22,9 @@ echo "" > /etc/crontabs/root
 touch /var/log/jobs.log
 echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
+# start cron
+crond
+
 # run autoconf app
 /opt/entrypoint/app.py &
diff --git a/confs/global/api.conf b/confs/global/api.conf
index e49d562..2bc1773 100644
--- a/confs/global/api.conf
+++ b/confs/global/api.conf
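Review bot: `crond` is launched in the second entrypoint.sh hunk without any check that it started, and the busybox crond that Alpine ships daemonizes silently and logs to syslog by default, so a cron that fails to start or dies later (and with it the nightly logrotate job written on the line above) goes unnoticed in this container. Suggest `crond -L /var/log/jobs.log || echo "[!] failed to start crond"`, which reuses the log file the script already creates with `touch /var/log/jobs.log`; the `-L` flag assumes busybox crond, so confirm that is the binary in the image before relying on it. A one-line comment stating that crond is intentionally left to daemonize itself while `app.py` runs in the background would also help the next reader.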
@@ -1,12 +1,11 @@
 rewrite_by_lua_block {
 local api = require "api"
+ local api_uri = "%API_URI%"
- ngx.var.api_uri = "%API_URI%
-
- if api.is_api_call() then
+ if api.is_api_call(api_uri) then
 ngx.header.content_type = 'text/plain'
- if api.do_api_call() then
+ if api.do_api_call(api_uri) then
 ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
 ngx.say("ok")
 else
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index 7cb42db..9c8aab4 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -53,6 +53,7 @@ if [ "$MULTISITE" = "yes" ] ; then
 replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
 fi
 openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+ chmod +r /etc/nginx/default-key.pem
 if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
 replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
 else
@@ -98,6 +99,7 @@ fi
 if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 mkdir /etc/nginx/self-signed-ssl/
 openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+ chmod +r /etc/nginx/self-signed-ssl/key.pem
 fi
 # country ban/whitelist
diff --git a/lua/api.lua b/lua/api.lua
index 0bcdae9..a5d256f 100644
--- a/lua/api.lua
+++ b/lua/api.lua
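Review bot: The new `local api_uri = "%API_URI%"` is filled in by plain text substitution into a Lua string literal and nothing in this block validates the result: an empty `API_URI` makes `api.is_api_call("")` accept every request (in the Lua module `request_uri:sub(1, 0) .. "/"` equals `"" .. "/"`), so a GET to `/reload` at the site root would trigger the nginx reload, and a value containing `"` breaks out of the literal. Unless the config generator is already known to reject empty or quote-bearing values (not visible in this commit), guard here with `if api_uri ~= "" and api.is_api_call(api_uri) then` and have the substitution step check the value against a plain-path pattern before writing it. Separately, nothing in this hunk restricts who may reach the API; if an `allow`/`deny` list or equivalent lives elsewhere in the server block that is fine, otherwise a remote reload endpoint protected only by an unguessable path deserves a comment saying so. The `rewrite_by_lua_block` continues past the end of the hunk.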
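Review bot: `chmod +r /etc/nginx/default-key.pem` makes the just-generated private key readable by every account on the system (with a typical 022 umask it ends up 0644), undoing the owner-only mode that `openssl req -keyout` on the line above creates; the second hunk does the same to `/etc/nginx/self-signed-ssl/key.pem`. If the goal is to let a non-root nginx process read the key, grant that principal rather than the world: `chown root:nginx /etc/nginx/default-key.pem && chmod 640 /etc/nginx/default-key.pem`, substituting whichever account nginx actually runs as (not visible in this commit). It is also worth confirming the loosening is needed at all, since nginx normally reads certificates and keys in the master process before dropping privileges; if it is needed, a comment naming the reader (`# nginx runs as USER and must read the key`) should accompany the chmod.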
@@ -1,12 +1,11 @@
 local M = {}
-local api_uri = ngx.var.api_uri
 local api_list = {}
 api_list["^/reload$"] = function ()
 return os.execute("/usr/sbin/nginx -s reload") == 0
 end
-function M.is_api_call ()
+function M.is_api_call (api_uri)
 if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
 for uri, code in pairs(api_list) do
 if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
@@ -17,7 +16,7 @@ function M.is_api_call ()
 return false
 end
-function M.do_api_call ()
+function M.do_api_call (api_uri)
 for uri, code in pairs(api_list) do
 if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 return code()
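Review bot: The prefix test `ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/"` appends the same suffix to both sides, so it is only a bare prefix comparison: `/apiXYZ/reload` passes it exactly like `/api/reload`, and it is solely the anchored `^/reload$` key in `api_list` that rejects the remainder. `if ngx.var.request_uri:sub(1, #api_uri + 1) == api_uri .. "/" then` says what was evidently meant and leaves the remainder `sub(#api_uri + 1)` still starting at the slash. Now that `api_uri` is caller-supplied, `#api_uri` raises on `nil`, so the function should state or enforce that requirement, e.g. `assert(type(api_uri) == "string", "api_uri must be a string")` as the first line. The `/reload` handler is unchanged, but a comment above `os.execute("/usr/sbin/nginx -s reload")` should record that it blocks the worker until the command returns and that `== 0` relies on the Lua 5.1/LuaJIT exit-status return used by OpenResty. The body of `is_api_call` continues past the end of the hunk.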