Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights

Browse Source
This commit is contained in:
bunkerity 2021-03-13 15:28:15 +01:00
parent 3591715f21
commit a2543384cd
9 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
autoconf/Dockerfile
View File

@ -4,7 +4,7 @@ FROM alpine
COPY --from=builder /etc/nginx/ /opt/confs/nginx COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \ pip3 install docker requests && \
mkdir /opt/entrypoint && \ mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \ mkdir -p /opt/confs/site && \

2
autoconf/Dockerfile-amd64
View File

@ -1,6 +1,6 @@
FROM amd64/alpine FROM amd64/alpine
RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \ pip3 install docker requests && \
mkdir /opt/entrypoint && \ mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \ mkdir -p /opt/confs/site && \

2
autoconf/Dockerfile-arm32v7
View File

@ -7,7 +7,7 @@ FROM arm32v7/alpine
COPY --from=builder qemu-arm-static /usr/bin COPY --from=builder qemu-arm-static /usr/bin
RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \ pip3 install docker requests && \
mkdir /opt/entrypoint && \ mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \ mkdir -p /opt/confs/site && \

2
autoconf/Dockerfile-arm64v8
View File

@ -7,7 +7,7 @@ FROM arm64v8/alpine
COPY --from=builder qemu-aarch64-static /usr/bin COPY --from=builder qemu-aarch64-static /usr/bin
RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \ pip3 install docker requests && \
mkdir /opt/entrypoint && \ mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \ mkdir -p /opt/confs/site && \

2
autoconf/Dockerfile-i386
View File

@ -1,6 +1,6 @@
FROM i386/alpine FROM i386/alpine
RUN apk add py3-pip apache2-utils bash certbot curl logrotate && \ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \ pip3 install docker requests && \
mkdir /opt/entrypoint && \ mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \ mkdir -p /opt/confs/site && \

5
autoconf/entrypoint.sh
View File

@ -2,7 +2,7 @@
echo "[*] Starting autoconf ..." echo "[*] Starting autoconf ..."
cp /opt/confs/nginx/* /etc/nginx cp -r /opt/confs/nginx/* /etc/nginx
# trap SIGTERM and SIGINT # trap SIGTERM and SIGINT
function trap_exit() { function trap_exit() {
@ -22,6 +22,9 @@ echo "" > /etc/crontabs/root
touch /var/log/jobs.log touch /var/log/jobs.log
echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
# start cron
crond
# run autoconf app # run autoconf app
/opt/entrypoint/app.py & /opt/entrypoint/app.py &

7
confs/global/api.conf
View File

@ -1,12 +1,11 @@
rewrite_by_lua_block { rewrite_by_lua_block {
local api = require "api" local api = require "api"
local api_uri = "%API_URI%"
ngx.var.api_uri = "%API_URI% if api.is_api_call(api_uri) then
if api.is_api_call() then
ngx.header.content_type = 'text/plain' ngx.header.content_type = 'text/plain'
if api.do_api_call() then if api.do_api_call(api_uri) then
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr) ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok") ngx.say("ok")
else else

2
entrypoint/global-config.sh
View File

@ -53,6 +53,7 @@ if [ "$MULTISITE" = "yes" ] ; then
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "" replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
fi fi
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
chmod +r /etc/nginx/default-key.pem
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;" replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
else else
@ -98,6 +99,7 @@ fi
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
mkdir /etc/nginx/self-signed-ssl/ mkdir /etc/nginx/self-signed-ssl/
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
chmod +r /etc/nginx/self-signed-ssl/key.pem
fi fi
# country ban/whitelist # country ban/whitelist

5
lua/api.lua
View File

@ -1,12 +1,11 @@
local M = {} local M = {}
local api_uri = ngx.var.api_uri
local api_list = {} local api_list = {}
api_list["^/reload$"] = function () api_list["^/reload$"] = function ()
return os.execute("/usr/sbin/nginx -s reload") == 0 return os.execute("/usr/sbin/nginx -s reload") == 0
end end
function M.is_api_call () function M.is_api_call (api_uri)
if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
for uri, code in pairs(api_list) do for uri, code in pairs(api_list) do
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
@ -17,7 +16,7 @@ function M.is_api_call ()
return false return false
end end
function M.do_api_call () function M.do_api_call (api_uri)
for uri, code in pairs(api_list) do for uri, code in pairs(api_list) do
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
return code() return code()