From a8bc17e836ae69179d6378d679c94c79e9bddb7c Mon Sep 17 00:00:00 2001 
From: bunkerity Date: Wed, 26 May 2021 14:50:50 +0200 Subject: [PATCH] templating - started integration into docker image --- Dockerfile | 2 + Dockerfile-amd64 | 2 + Dockerfile-arm32v7 | 2 + Dockerfile-arm64v8 | 2 + Dockerfile-i386 | 2 + confs/global/api-temp.conf | 10 +- confs/global/api.conf | 5 +- confs/global/cache.conf | 4 - confs/global/geoip.conf | 9 +- confs/global/init-lua.conf | 12 +- .../multisite-default-server-https.conf | 12 +- confs/global/multisite-default-server.conf | 7 +- confs/global/nginx.conf | 57 +- confs/site/antibot-captcha.conf | 6 +- confs/site/antibot-javascript.conf | 4 +- confs/site/antibot-recaptcha.conf | 8 +- confs/site/auth-basic-sitewide.conf | 4 +- confs/site/auth-basic.conf | 6 +- confs/site/brotli.conf | 6 +- confs/site/client-cache.conf | 6 +- confs/site/content-security-policy.conf | 2 +- confs/site/cookie-flags.conf | 2 +- confs/site/custom-https.conf | 10 +- confs/site/disable-default-server.conf | 2 +- confs/site/error.conf | 12 +- confs/site/fastcgi.conf | 2 +- confs/site/feature-policy.conf | 2 +- confs/site/gzip.conf | 6 +- {confs2 => confs}/site/htpasswd | 0 confs/site/https.conf | 22 +- confs/site/limit-conn.conf | 2 +- confs/site/limit-req.conf | 2 +- confs/site/log-lua.conf | 10 +- confs/site/main-lua.conf | 72 +- confs/site/modsecurity-rules.conf | 32 +- confs/site/modsecurity.conf | 2 +- confs/site/open-file-cache.conf | 8 +- confs/site/permissions-policy.conf | 2 +- confs/site/php.conf | 2 +- confs/site/proxy-cache.conf | 16 +- confs/site/proxy-real-ip.conf | 10 +- confs/site/referrer-policy.conf | 2 +- confs/site/reverse-proxy.conf | 30 +- confs/site/serve-files.conf | 2 +- confs/site/server.conf | 208 +++++- confs/site/x-content-type-options.conf | 2 +- confs/site/x-frame-options.conf | 2 +- confs/site/x-xss-protection.conf | 2 +- confs2/global/abusers.list | 0 confs2/global/api-temp.conf | 32 - confs2/global/api.conf | 24 - confs2/global/dhparam | 8 - confs2/global/geoip.conf | 15 - confs2/global/init-lua.conf 
| 43 -- .../multisite-default-server-https.conf | 13 - ...e-default-server-lets-encrypt-webroot.conf | 3 - confs2/global/multisite-default-server.conf | 7 - .../multisite-disable-default-server.conf | 3 - confs2/global/nginx-temp.conf | 30 - confs2/global/nginx.conf | 131 ---- confs2/global/proxies.list | 0 confs2/global/referrers.list | 0 confs2/global/tor-exit-nodes.list | 0 confs2/global/user-agents.list | 0 confs2/site/antibot-captcha.conf | 46 -- confs2/site/antibot-javascript.conf | 45 -- confs2/site/antibot-recaptcha.conf | 44 -- confs2/site/auth-basic-sitewide.conf | 2 - confs2/site/auth-basic.conf | 4 - confs2/site/brotli.conf | 4 - confs2/site/client-cache.conf | 6 - confs2/site/content-security-policy.conf | 1 - confs2/site/cookie-flags.conf | 1 - confs2/site/custom-https.conf | 9 - confs2/site/disable-default-server.conf | 3 - confs2/site/error.conf | 13 - confs2/site/fastcgi.conf | 25 - confs2/site/feature-policy.conf | 1 - confs2/site/gzip.conf | 4 - confs2/site/https.conf | 18 - confs2/site/lets-encrypt-webroot.conf | 3 - confs2/site/limit-conn.conf | 1 - confs2/site/limit-req.conf | 3 - confs2/site/log-lua.conf | 15 - confs2/site/main-lua.conf | 304 --------- confs2/site/modsecurity-clamav.conf | 4 - confs2/site/modsecurity-rules.conf | 83 --- confs2/site/modsecurity.conf | 2 - confs2/site/open-file-cache.conf | 4 - confs2/site/permissions-policy.conf | 1 - confs2/site/php.conf | 4 - confs2/site/proxy-cache.conf | 11 - confs2/site/proxy-real-ip.conf | 8 - confs2/site/redirect-http-to-https.conf | 3 - confs2/site/referrer-policy.conf | 1 - confs2/site/reverse-proxy-headers.conf | 6 - confs2/site/reverse-proxy.conf | 25 - confs2/site/serve-files.conf | 3 - confs2/site/server.conf | 177 ----- confs2/site/x-content-type-options.conf | 1 - confs2/site/x-frame-options.conf | 1 - confs2/site/x-xss-protection.conf | 1 - dependencies.sh | 3 +- entrypoint/certbot.sh | 28 + entrypoint/clamav.sh | 3 - entrypoint/defaults.sh | 133 ---- entrypoint/entrypoint.sh | 
32 +- entrypoint/global-config.sh | 257 -------- entrypoint/jobs.sh | 3 - entrypoint/multisite-config.sh | 41 -- entrypoint/nginx-temp.sh | 3 - entrypoint/site-config.sh | 621 ------------------ entrypoint/utils.sh | 20 +- prepare.sh | 2 + settings.json | 27 + 115 files changed, 511 insertions(+), 2490 deletions(-) delete mode 100644 confs/global/cache.conf rename {confs2 => confs}/site/htpasswd (100%) delete mode 100644 confs2/global/abusers.list delete mode 100644 confs2/global/api-temp.conf delete mode 100644 confs2/global/api.conf delete mode 100644 confs2/global/dhparam delete mode 100644 confs2/global/geoip.conf delete mode 100644 confs2/global/init-lua.conf delete mode 100644 confs2/global/multisite-default-server-https.conf delete mode 100644 confs2/global/multisite-default-server-lets-encrypt-webroot.conf delete mode 100644 confs2/global/multisite-default-server.conf delete mode 100644 confs2/global/multisite-disable-default-server.conf delete mode 100644 confs2/global/nginx-temp.conf delete mode 100644 confs2/global/nginx.conf delete mode 100644 confs2/global/proxies.list delete mode 100644 confs2/global/referrers.list delete mode 100644 confs2/global/tor-exit-nodes.list delete mode 100644 confs2/global/user-agents.list delete mode 100644 confs2/site/antibot-captcha.conf delete mode 100644 confs2/site/antibot-javascript.conf delete mode 100644 confs2/site/antibot-recaptcha.conf delete mode 100644 confs2/site/auth-basic-sitewide.conf delete mode 100644 confs2/site/auth-basic.conf delete mode 100644 confs2/site/brotli.conf delete mode 100644 confs2/site/client-cache.conf delete mode 100644 confs2/site/content-security-policy.conf delete mode 100644 confs2/site/cookie-flags.conf delete mode 100644 confs2/site/custom-https.conf delete mode 100644 confs2/site/disable-default-server.conf delete mode 100644 confs2/site/error.conf delete mode 100644 confs2/site/fastcgi.conf delete mode 100644 confs2/site/feature-policy.conf delete mode 100644 
confs2/site/gzip.conf delete mode 100644 confs2/site/https.conf delete mode 100644 confs2/site/lets-encrypt-webroot.conf delete mode 100644 confs2/site/limit-conn.conf delete mode 100644 confs2/site/limit-req.conf delete mode 100644 confs2/site/log-lua.conf delete mode 100644 confs2/site/main-lua.conf delete mode 100644 confs2/site/modsecurity-clamav.conf delete mode 100644 confs2/site/modsecurity-rules.conf delete mode 100644 confs2/site/modsecurity.conf delete mode 100644 confs2/site/open-file-cache.conf delete mode 100644 confs2/site/permissions-policy.conf delete mode 100644 confs2/site/php.conf delete mode 100644 confs2/site/proxy-cache.conf delete mode 100644 confs2/site/proxy-real-ip.conf delete mode 100644 confs2/site/redirect-http-to-https.conf delete mode 100644 confs2/site/referrer-policy.conf delete mode 100644 confs2/site/reverse-proxy-headers.conf delete mode 100644 confs2/site/reverse-proxy.conf delete mode 100644 confs2/site/serve-files.conf delete mode 100644 confs2/site/server.conf delete mode 100644 confs2/site/x-content-type-options.conf delete mode 100644 confs2/site/x-frame-options.conf delete mode 100644 confs2/site/x-xss-protection.conf create mode 100644 entrypoint/certbot.sh delete mode 100644 entrypoint/defaults.sh delete mode 100644 entrypoint/global-config.sh delete mode 100644 entrypoint/multisite-config.sh delete mode 100644 entrypoint/site-config.sh diff --git a/Dockerfile b/Dockerfile index 434a82b..2116134 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \ /tmp/dependencies.sh && \ rm -rf /tmp/dependencies.sh +COPY gen/ /opt/gen COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot +COPY settings.json /opt COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index fc0735c..456a189 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 
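Review bot: `COPY gen/ /opt/gen` copies a directory that appears nowhere in this commit's diffstat (no file under gen/ is added), so unless gen/ is already present in the build context the image build fails at this step; the same line is added to Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386 in the following hunks. Nothing in this patch says what gen/ contains or how it relates to the `COPY settings.json /opt` line added just below, so a one-line comment above the COPY naming its purpose would help the next reader, and the five Dockerfiles should keep that comment identical.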
@@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \ /tmp/dependencies.sh && \ rm -rf /tmp/dependencies.sh +COPY gen/ /opt/gen COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot +COPY settings.json /opt COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index a3cc5e3..9a54b02 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \ /tmp/dependencies.sh && \ rm -rf /tmp/dependencies.sh +COPY gen/ /opt/gen COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot +COPY settings.json /opt COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 927917c..9b4e077 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \ /tmp/dependencies.sh && \ rm -rf /tmp/dependencies.sh +COPY gen/ /opt/gen COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot +COPY settings.json /opt COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 67d706a..2b97984 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \ /tmp/dependencies.sh && \ rm -rf /tmp/dependencies.sh +COPY gen/ /opt/gen COPY entrypoint/ /opt/entrypoint COPY confs/ /opt/confs COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot +COPY settings.json /opt COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/confs/global/api-temp.conf b/confs/global/api-temp.conf index 1dd21aa..a368bcc 100644 --- a/confs/global/api-temp.conf +++ b/confs/global/api-temp.conf 
@@ -1,15 +1,15 @@
-
-location ~ ^%API_URI%/ping {
+# todo : if api_uri == "random"
+location ~ ^{{ API_URI }}/ping {
 return 444;
 }
-location ~ ^%API_URI% {
+location ~ {{ API_URI }} {
 rewrite_by_lua_block {
 local api = require "api"
- local api_whitelist_ip = {%API_WHITELIST_IP%}
- local api_uri = "%API_URI%"
+ local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+ local api_uri = "{{ API_URI }}"
 local logger = require "logger"
 if api.is_api_call(api_uri, api_whitelist_ip) then
diff --git a/confs/global/api.conf b/confs/global/api.conf
index 90e348c..1e70b0b 100644
--- a/confs/global/api.conf
+++ b/confs/global/api.conf
@@ -1,8 +1,9 @@
+# todo : if api_uri == "random"
 rewrite_by_lua_block {
 local api = require "api"
- local api_whitelist_ip = {%API_WHITELIST_IP%}
- local api_uri = "%API_URI%"
+ local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+ local api_uri = "{{ API_URI }}"
 local logger = require "logger"
 if api.is_api_call(api_uri, api_whitelist_ip) then
diff --git a/confs/global/cache.conf b/confs/global/cache.conf deleted file mode 100644
index 2b12cfd..0000000
--- a/confs/global/cache.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-open_file_cache %CACHE%;
-open_file_cache_errors %CACHE_ERRORS%;
-open_file_cache_min_uses %CACHE_USES%;
-open_file_cache_valid %CACHE_VALID%;
diff --git a/confs/global/geoip.conf b/confs/global/geoip.conf
index 77399f0..0e7994a 100644
--- a/confs/global/geoip.conf
+++ b/confs/global/geoip.conf
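Review bot: The rewritten API location `location ~ {{ API_URI }} {` drops the `^` anchor that the old `^%API_URI%` had and that the `/ping` location right above it keeps, so the regex now matches the API prefix anywhere in the request path instead of only at its start; restore it with `location ~ ^{{ API_URI }} {`. The whitelist table built from `API_WHITELIST_IP.split(" ")` (here and in the api.conf hunk that follows) renders as `{""}` when the setting is empty, because `"".split(" ")` is `[""]` with Python string semantics, and whether `api.is_api_call` treats an empty entry as "no match" or as a wildcard depends on the api module, which is not in this diff; guarding the table with `{% if API_WHITELIST_IP != "" %}` avoids having to know. The `# todo : if api_uri == "random"` comment in both files would be clearer if it said what currently happens, e.g. `# TODO: API_URI == "random" is not handled yet; the literal value is substituted as-is`.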
@@ -5,6 +5,11 @@ geoip2 /etc/nginx/geoip.mmdb {
 }
 map $geoip2_data_country_code $allowed_country {
- default %DEFAULT%;
- %COUNTRY%
+ default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
+ {% for country in WHITELIST_COUNTRY.split(" ") %}
+ {{ country }} yes;
+ {% endfor %}
+ {% for country in BLACKLIST_COUNTRY.split(" ") %}
+ {{ country }} no;
+ {% endfor %}
 }
diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf
index f947cc6..ed95133 100644
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@@ -3,12 +3,12 @@ init_by_lua_block {
 local dataloader = require "dataloader"
 local logger = require "logger"
-local use_proxies = %USE_PROXIES%
-local use_abusers = %USE_ABUSERS%
-local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
-local use_user_agents = %USE_USER_AGENTS%
-local use_referrers = %USE_REFERRERS%
-local use_crowdsec = %USE_CROWDSEC%
+local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
+local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
+local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
+local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
+local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
+local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
 if use_proxies then
 dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
diff --git a/confs/global/multisite-default-server-https.conf b/confs/global/multisite-default-server-https.conf
index 7f78bb9..2f5e87d 100644
--- a/confs/global/multisite-default-server-https.conf
+++ b/confs/global/multisite-default-server-https.conf
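Review bot: Both `{% for country in ... .split(" ") %}` loops in the `map` emit an entry with an empty key when their setting is empty, because `"".split(" ")` yields `[""]` with Python string semantics (the `{% raw %}` syntax elsewhere in this patch suggests a Jinja2 renderer), so a deployment with only a blacklist renders a bare ` yes;` line inside the map, which nginx rejects. Guard each loop with the same test the `default` line already uses: `{% if WHITELIST_COUNTRY != "" %}{% for country in WHITELIST_COUNTRY.split(" ") %}` … `{% endfor %}{% endif %}`, and the mirror image for BLACKLIST_COUNTRY. The case where both lists are empty is already handled in nginx.conf, which only includes geoip.conf when at least one of them is non-empty. A country present in both lists ends up with two map entries; nginx's behaviour on duplicate map keys is worth a comment, or the overlap should be rejected where settings are validated.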
@@ -1,11 +1,13 @@
-listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
 ssl_certificate /etc/nginx/default-cert.pem;
 ssl_certificate_key /etc/nginx/default-key.pem;
-ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_protocols {{ HTTPS_PROTOCOLS }};
 ssl_prefer_server_ciphers off;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
-%SSL_DHPARAM%
-%SSL_CIPHERS%
-%LETS_ENCRYPT_WEBROOT%
+{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
diff --git a/confs/global/multisite-default-server.conf b/confs/global/multisite-default-server.conf
index fc48b42..74d4029 100644
--- a/confs/global/multisite-default-server.conf
+++ b/confs/global/multisite-default-server.conf
@@ -1,6 +1,7 @@
+toto
 server {
- %LISTEN_HTTP%
+ {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
 server_name _;
- %USE_HTTPS%
- %MULTISITE_DISABLE_DEFAULT_SERVER%
+ {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
+ {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
 }
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index d8e59a0..aa24be7 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
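Review bot: The `listen` line tests `USE_HTTP2 == "yes"` while the equivalent lines in confs/site/https.conf and confs/site/custom-https.conf later in this patch test `HTTP2 == "yes"`; settings.json is not in this chunk so I cannot tell which name is declared, but with Jinja's default undefined the unknown one simply compares unequal to "yes" and silently disables HTTP/2 for that server rather than failing the render. Pick one name and use it in all three templates. The `include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;` line is now unconditional where the old `%LETS_ENCRYPT_WEBROOT%` placeholder presumably was not; since this file is only pulled in when `has_value("AUTO_LETS_ENCRYPT", "yes")` (next hunk), that is consistent, but a comment such as `# always included: this file is only reached when AUTO_LETS_ENCRYPT is on for some site` would save the next reader the cross-check.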
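Review bot: The added first line `toto` is stray text, not an nginx directive, and nginx will refuse the rendered config with an unknown-directive error; delete it. The templated listen directive also lacks its terminating semicolon, unlike the two `include` lines below it, so it should read `{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server;{% endif %}`. Note that this default server only gets a TLS listener when some site has `AUTO_LETS_ENCRYPT` set to "yes"; if deployments that use only custom certificates are meant to have no default HTTPS server, a comment saying so on the include line would make the intent explicit.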
@@ -26,11 +26,11 @@ pcre_jit on; include /etc/nginx/modules/*.conf; # max open files for each worker -worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%; +worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }}; events { # max connections per worker - worker_connections %WORKER_CONNECTIONS%; + worker_connections {{ WORKER_CONNECTIONS }}; # epoll seems to be the best on Linux use epoll; @@ -51,9 +51,9 @@ http { default_type application/octet-stream; # write logs to local syslog - log_format logf '%LOG_FORMAT%'; + log_format logf '{{ LOG_FORMAT }}'; access_log /var/log/access.log logf; - error_log /var/log/error.log %LOG_LEVEL%; + error_log /var/log/error.log {{ LOG_LEVEL }}; # temp paths proxy_temp_path /tmp/proxy_temp; 
@@ -72,36 +72,39 @@ http { send_timeout 10; # resolvers to use - resolver %DNS_RESOLVERS% ipv6=off; + resolver {{ DNS_RESOLVERS }} ipv6=off; # remove ports when sending redirects port_in_redirect off; # lua path and dicts lua_package_path "/usr/local/lib/lua/?.lua;;"; - %WHITELIST_IP_CACHE% - %WHITELIST_REVERSE_CACHE% - %BLACKLIST_IP_CACHE% - %BLACKLIST_REVERSE_CACHE% - %DNSBL_CACHE% - %BLOCK_PROXIES% - %BLOCK_ABUSERS% - %BLOCK_TOR_EXIT_NODES% - %BLOCK_USER_AGENTS% - %BLOCK_REFERRERS% - %BAD_BEHAVIOR% + {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %} + {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %} + {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %} + {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %} + {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %} + {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %} + {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %} + {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %} + {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %} + {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %} + {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %} # shared memory zone for limit_req - %LIMIT_REQ_ZONE% + {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ 
LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %} # shared memory zone for limit_conn - %LIMIT_CONN_ZONE% + {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %} # whitelist or blacklist country - %USE_COUNTRY% + {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %} # zone for proxy_cache - %PROXY_CACHE_PATH% + {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %} # custom http confs include /http-confs/*.conf; @@ -110,11 +113,19 @@ http { include /etc/nginx/init-lua.conf; # default server when MULTISITE=yes - %MULTISITE_DEFAULT_SERVER% + {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %} # server config(s) - %INCLUDE_SERVER% + {% if SWARM_MODE == "no" %} + {% if MULTISITE == "yes" %} + {% for server_name in SERVER_NAME.split(" ") %} + include /etc/nginx/{{ server_name }}/server.conf; + {% endfor %} + {% else %} + include /etc/nginx/server.conf; + {% endif %} + {% endif %} # API - %USE_API% + {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %} } diff --git a/confs/site/antibot-captcha.conf b/confs/site/antibot-captcha.conf index 85d24bf..90905df 100644 --- a/confs/site/antibot-captcha.conf +++ b/confs/site/antibot-captcha.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; @@ -13,7 +13,7 @@ location = %ANTIBOT_URI% { end local img, res = captcha.get_challenge() cookie.set({captchares = res}) - local code = captcha.get_code(img, "%ANTIBOT_URI%") + local code = captcha.get_code(img, "{{ ANTIBOT_URI }}") ngx.say(code) } } 
@@ -37,7 +37,7 @@ location = %ANTIBOT_URI% { local check = captcha.check(captcha_user, cookie.get("captchares")) if not check then logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr) - return ngx.redirect("%ANTIBOT_URI%") + return ngx.redirect("{{ ANTIBOT_URI }}") end cookie.set({captcha = "ok"}) return ngx.redirect(cookie.get("uri")) diff --git a/confs/site/antibot-javascript.conf b/confs/site/antibot-javascript.conf index 2052b9d..32488af 100644 --- a/confs/site/antibot-javascript.conf +++ b/confs/site/antibot-javascript.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; @@ -12,7 +12,7 @@ location = %ANTIBOT_URI% { return ngx.exit(ngx.HTTP_FORBIDDEN) end local challenge = cookie.get("challenge") - local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri")) + local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri")) ngx.say(code) } } diff --git a/confs/site/antibot-recaptcha.conf b/confs/site/antibot-recaptcha.conf index d901f36..d7c46ca 100644 --- a/confs/site/antibot-recaptcha.conf +++ b/confs/site/antibot-recaptcha.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; @@ -11,7 +11,7 @@ location = %ANTIBOT_URI% { logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr) return ngx.exit(ngx.HTTP_FORBIDDEN) end - local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%") + local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}") ngx.say(code) } } 
@@ -32,8 +32,8 @@ location = %ANTIBOT_URI% { return ngx.exit(ngx.HTTP_FORBIDDEN) end local token = args["token"] - local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%") - if check < %ANTIBOT_RECAPTCHA_SCORE% then + local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}") + if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")") return ngx.exit(ngx.HTTP_FORBIDDEN) end diff --git a/confs/site/auth-basic-sitewide.conf b/confs/site/auth-basic-sitewide.conf index 6fce64b..cae4c96 100644 --- a/confs/site/auth-basic-sitewide.conf +++ b/confs/site/auth-basic-sitewide.conf @@ -1,2 +1,2 @@ -auth_basic "%AUTH_BASIC_TEXT%"; -auth_basic_user_file %NGINX_PREFIX%.htpasswd; +auth_basic "{{ AUTH_BASIC_TEXT }}"; +auth_basic_user_file {{ NGINX_PREFIX }}htpasswd; diff --git a/confs/site/auth-basic.conf b/confs/site/auth-basic.conf index f2668ed..4007d11 100644 --- a/confs/site/auth-basic.conf +++ b/confs/site/auth-basic.conf @@ -1,4 +1,4 @@ -location %AUTH_BASIC_LOCATION% { - auth_basic "%AUTH_BASIC_TEXT%"; - auth_basic_user_file %NGINX_PREFIX%.htpasswd; +location {{ AUTH_BASIC_LOCATION }} { + auth_basic "{{ AUTH_BASIC_TEXT }}"; + auth_basic_user_file {{ NGINX_PREFIX }}htpasswd; } diff --git a/confs/site/brotli.conf b/confs/site/brotli.conf index 734513a..f2660e0 100644 --- a/confs/site/brotli.conf +++ b/confs/site/brotli.conf @@ -1,4 +1,4 @@ brotli on; -brotli_types %BROTLI_TYPES%; -brotli_comp_level %BROTLI_COMP_LEVEL%; -brotli_min_length %BROTLI_MIN_LENGTH%; +brotli_types {{ BROTLI_TYPES }}; +brotli_comp_level {{ BROTLI_COMP_LEVEL }}; +brotli_min_length {{ BROTLI_MIN_LENGTH }}; diff --git a/confs/site/client-cache.conf b/confs/site/client-cache.conf index 21271f7..b23717f 100644 --- a/confs/site/client-cache.conf +++ b/confs/site/client-cache.conf 
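Review bot: `auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;` changes the user-file name from `.htpasswd` to `htpasswd` (also in the auth-basic.conf hunk that follows), which matches the `confs2/site/htpasswd -> confs/site/htpasswd` rename in this patch, but an existing deployment that mounts a `.htpasswd` into the prefix will no longer be read and nginx reports a missing user file only when a request hits the protected location, not at config test time. If the rename is intended, the CHANGELOG or settings description should say so. Both lines also concatenate `NGINX_PREFIX` and the file name without a separator, as does `include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;` in https.conf, so the prefix must end in `/`; a comment `# NGINX_PREFIX is expected to end with a trailing slash` at the top of the file, or a `{{ NGINX_PREFIX }}/htpasswd` form that tolerates both, would remove the trap.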
@@ -1,6 +1,6 @@ -etag %CLIENT_CACHE_ETAG%; +etag {{ CLIENT_CACHE_ETAG }}; set $cache ""; -if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) { - set $cache "%CLIENT_CACHE_CONTROL%"; +if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) { + set $cache "{{ CLIENT_CACHE_CONTROL }}"; } add_header Cache-Control $cache; diff --git a/confs/site/content-security-policy.conf b/confs/site/content-security-policy.conf index 11e3338..8b8a61a 100644 --- a/confs/site/content-security-policy.conf +++ b/confs/site/content-security-policy.conf @@ -1 +1 @@ -more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%"; +more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}"; diff --git a/confs/site/cookie-flags.conf b/confs/site/cookie-flags.conf index e81ec79..675feb3 100644 --- a/confs/site/cookie-flags.conf +++ b/confs/site/cookie-flags.conf @@ -1 +1 @@ -set_cookie_flag %COOKIE_FLAGS%; +set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %}; diff --git a/confs/site/custom-https.conf b/confs/site/custom-https.conf index 88289a8..03721b5 100644 --- a/confs/site/custom-https.conf +++ b/confs/site/custom-https.conf @@ -1,7 +1,9 @@ -listen 0.0.0.0:443 ssl %HTTP2%; -ssl_certificate %HTTPS_CUSTOM_CERT%; -ssl_certificate_key %HTTPS_CUSTOM_KEY%; +listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %}; +ssl_certificate {{ HTTPS_CUSTOM_CERT }}; +ssl_certificate_key {{ HTTPS_CUSTOM_KEY }}; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; ssl_session_tickets off; -%STRICT_TRANSPORT_SECURITY% +{% if STRICT_TRANSPORT_SECURITY != "" %} +more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}'; +{% endif %} diff --git a/confs/site/disable-default-server.conf b/confs/site/disable-default-server.conf index 104794d..900e58d 100644 --- a/confs/site/disable-default-server.conf +++ b/confs/site/disable-default-server.conf 
@@ -1,3 +1,3 @@
-if ($host !~ ^(%SERVER_NAME%)$) {
+if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
 return 444;
 }
diff --git a/confs/site/error.conf b/confs/site/error.conf
index af44ffe..1636d1a 100644
--- a/confs/site/error.conf
+++ b/confs/site/error.conf
@@ -1,7 +1,13 @@
-error_page %CODE% %PAGE%;
+{% if ERRORS != "" %}
+ {% for element in ERRORS.split(" ") %}
+ {% set code = element.split("=")[0] %}
+ {% set page = element.split("=")[1] %}
+error_page {{ code }} {{ page }};
-location = %PAGE% {
- root %ROOT_FOLDER%;
+location = {{ page }} {
+ root {{ ROOT_FOLDER }};
 modsecurity off;
 internal;
 }
+ {% endfor %}
+{% endif %}
diff --git a/confs/site/fastcgi.conf b/confs/site/fastcgi.conf
index acd0b38..c4712cc 100644
--- a/confs/site/fastcgi.conf
+++ b/confs/site/fastcgi.conf
@@ -13,7 +13,7 @@ fastcgi_param REQUEST_SCHEME $scheme;
 fastcgi_param HTTPS $https if_not_empty;
 fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param SERVER_SOFTWARE nginx;
 fastcgi_param REMOTE_ADDR $remote_addr;
 fastcgi_param REMOTE_PORT $remote_port;
diff --git a/confs/site/feature-policy.conf b/confs/site/feature-policy.conf
index 64c6e8e..009a63e 100644
--- a/confs/site/feature-policy.conf
+++ b/confs/site/feature-policy.conf
@@ -1 +1 @@
-more_set_headers "Feature-Policy: %FEATURE_POLICY%";
+more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
diff --git a/confs/site/gzip.conf b/confs/site/gzip.conf
index f0f77fc..3eb755d 100644
--- a/confs/site/gzip.conf
+++ b/confs/site/gzip.conf
@@ -1,4 +1,4 @@
 gzip on;
-gzip_comp_level %GZIP_COMP_LEVEL%;
-gzip_min_length %GZIP_MIN_LENGTH%;
-gzip_types %GZIP_TYPES%;
+gzip_comp_level {{ GZIP_COMP_LEVEL }};
+gzip_min_length {{ GZIP_MIN_LENGTH }};
+gzip_types {{ GZIP_TYPES }};
diff --git a/confs2/site/htpasswd b/confs/site/htpasswd similarity index 100% rename from confs2/site/htpasswd rename to confs/site/htpasswd
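Review bot: The `$host` regex built from `SERVER_NAME.replace(" ", "|")` inserts the host names unescaped, so every `.` is a regex wildcard and `^(example.com)$` also accepts a host such as `exampleXcom` (constructed example); the old `%SERVER_NAME%` expansion had the same property, but since this `if` is the check that decides which Host values get a `444`, the template is the right place to tighten it: `if ($host !~ ^({{ SERVER_NAME.replace(".", "\\.").replace(" ", "|") }})$) {`. The whole file is three lines, so a leading comment `# close the connection for any Host not listed in SERVER_NAME` would also document why 444 rather than a normal error page is returned.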
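Review bot: `{% set page = element.split("=")[1] %}` raises at render time for any ERRORS entry that has no `=`, and with Python string semantics a trailing space in the setting is enough to trigger it, since `"404=/404.html ".split(" ")` keeps a final empty element; that aborts generation of the whole site config instead of skipping one bad entry. Either validate the `code=page` format where settings are loaded or guard the body of the loop with `{% if "=" in element %}` … `{% endif %}`. The `error_page {{ code }} {{ page }};` and `location = {{ page }} {` lines trust `page` to be a plain path; a comment at the top of the file stating that ERRORS is operator-supplied and is not validated here would make that assumption visible.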
diff --git a/confs/site/https.conf b/confs/site/https.conf
index 5a50735..9b13dbd 100644
--- a/confs/site/https.conf
+++ b/confs/site/https.conf
@@ -1,12 +1,18 @@
-listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
-ssl_certificate %HTTPS_CERT%;
-ssl_certificate_key %HTTPS_KEY%;
-ssl_protocols %HTTPS_PROTOCOLS%;
+listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
+ssl_certificate {{ HTTPS_CERT }};
+ssl_certificate_key {{ HTTPS_KEY }};
+ssl_protocols {{ HTTPS_PROTOCOLS }};
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
-%STRICT_TRANSPORT_SECURITY%
-%SSL_DHPARAM%
-%SSL_CIPHERS%
-%LETS_ENCRYPT_WEBROOT%
+{% if STRICT_TRANSPORT_SECURITY != "" %}
+more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
+{% endif %}
+{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+{% if AUTO_LETS_ENCRYPT %}
+include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
+{% endif %}
diff --git a/confs/site/limit-conn.conf b/confs/site/limit-conn.conf
index 6482ad5..27c9738 100644
--- a/confs/site/limit-conn.conf
+++ b/confs/site/limit-conn.conf
@@ -1 +1 @@
-limit_conn ddos %LIMIT_CONN_MAX%;
+limit_conn ddos {{ LIMIT_CONN_MAX }};
diff --git a/confs/site/limit-req.conf b/confs/site/limit-req.conf
index 395d838..35b88fc 100644
--- a/confs/site/limit-req.conf
+++ b/confs/site/limit-req.conf
@@ -1,3 +1,3 @@
 limit_req_status 429;
-limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
+limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;
diff --git a/confs/site/log-lua.conf b/confs/site/log-lua.conf
index 4ed4a7d..e45620f 100644
--- a/confs/site/log-lua.conf
+++ b/confs/site/log-lua.conf
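Review bot: `{% if AUTO_LETS_ENCRYPT %}` tests truthiness rather than the value, so the setting `"no"` (a non-empty string) still includes `lets-encrypt-webroot.conf`; every other use in this patch compares the value, `AUTO_LETS_ENCRYPT == "yes"` in main-lua.conf and `has_value("AUTO_LETS_ENCRYPT", "yes")` in multisite-default-server.conf, so this line should be `{% if AUTO_LETS_ENCRYPT == "yes" %}`. The `listen` line uses `HTTP2` where multisite-default-server-https.conf uses `USE_HTTP2`; one of the two names is undefined for the renderer and silently yields no `http2` flag. This site template also keeps `ssl_prefer_server_ciphers on;` while the default server in this patch sets it to `off`; that difference predates the commit, but a one-line comment stating whether it is deliberate would stop it being "fixed" in either direction by accident.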
@@ -1,12 +1,12 @@
 log_by_lua_block {
 -- bad behavior
-local use_bad_behavior = %USE_BAD_BEHAVIOR%
+local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
 local behavior = require "behavior"
-local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%}
-local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
-local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
-local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
+local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
+local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
+local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
 if use_bad_behavior then
 behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 58b6a57..a6310d9 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
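Review bot: The status-code table is now rendered as quoted Lua strings — `{"400","444"}` for a constructed value of BAD_BEHAVIOR_STATUS_CODES — and what the old `%BAD_BEHAVIOR_STATUS_CODES%` placeholder expanded to is not visible here; if `behavior.count` compares the entries against `ngx.status`, which is a Lua number, a string never equals it and the bad-behavior counter would silently never fire. Confirm against the behavior module (not in this diff) and either drop the quotes in the template or convert with `tonumber` on the Lua side. The same `{% raw %}{{% endraw %}…{% raw %}}{% endraw %}` construction is copied verbatim in api.conf and api-temp.conf; a shared macro would keep the three copies from drifting.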
@@ -1,51 +1,55 @@ -set $session_secret %ANTIBOT_SESSION_SECRET%; +{% if ANTIBOT_SESSION_SECRET == "random" %} +set $session_secret {{ random(32) }} ; +{% else %} +set $session_secret {{ ANTIBOT_SESSION_SECRET }}; +{% endif %} set $session_check_addr on; access_by_lua_block { -- let's encrypt -local use_lets_encrypt = %USE_LETS_ENCRYPT% +local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %} -- external blacklists -local use_user_agents = %USE_USER_AGENTS% -local use_proxies = %USE_PROXIES% -local use_abusers = %USE_ABUSERS% -local use_tor_exit_nodes = %USE_TOR_EXIT_NODES% -local use_referrers = %USE_REFERRERS% +local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %} +local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %} +local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %} +local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %} +local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %} -- countries -local use_country = %USE_COUNTRY% +local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %} -- crowdsec -local use_crowdsec = %USE_CROWDSEC% +local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %} -- antibot -local use_antibot_cookie = %USE_ANTIBOT_COOKIE% -local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT% -local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA% -local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA% +local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %} +local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %} +local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %} +local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %} -- resolvers 
-local dns_resolvers = {%DNS_RESOLVERS%} +local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- whitelist -local use_whitelist_ip = %USE_WHITELIST_IP% -local use_whitelist_reverse = %USE_WHITELIST_REVERSE% -local whitelist_ip_list = {%WHITELIST_IP_LIST%} -local whitelist_reverse_list = {%WHITELIST_REVERSE_LIST%} +local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %} +local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %} +local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- blacklist -local use_blacklist_ip = %USE_BLACKLIST_IP% -local use_blacklist_reverse = %USE_BLACKLIST_REVERSE% -local blacklist_ip_list = {%BLACKLIST_IP_LIST%} -local blacklist_reverse_list = {%BLACKLIST_REVERSE_LIST%} +local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %} +local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %} +local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 
%},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- dnsbl -local use_dnsbl = %USE_DNSBL% -local dnsbl_list = {%DNSBL_LIST%} +local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %} +local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- bad behavior -local use_bad_behavior = %USE_BAD_BEHAVIOR% +local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} -- include LUA code local whitelist = require "whitelist" @@ -60,9 +64,9 @@ local behavior = require "behavior" local logger = require "logger" -- user variables -local antibot_uri = "%ANTIBOT_URI%" -local whitelist_user_agent = {%WHITELIST_USER_AGENT%} -local whitelist_uri = {%WHITELIST_URI%} +local antibot_uri = "{{ ANTIBOT_URI }}" +local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then @@ -291,8 +295,10 @@ ngx.exit(ngx.OK) } -%INCLUDE_ANTIBOT_JAVASCRIPT% - -%INCLUDE_ANTIBOT_CAPTCHA% - -%INCLUDE_ANTIBOT_RECAPTCHA% +{% if USE_ANTIBOT == "javascript" %} +include {{ NGINX_PREFIX }}antibot-javascript.conf; +{% elif USE_ANTIBOT == "captcha" %} +include {{ NGINX_PREFIX }}antibot-captcha.conf; +{% elif USE_ANTIBOT == "recaptcha" %} +include {{ NGINX_PREFIX }}antibot-recaptcha.conf; +{% endif %} diff --git a/confs/site/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf index 9efdcf5..37f0a7d 100644 
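Review bot: `set $session_secret {{ ANTIBOT_SESSION_SECRET }};` interpolates the secret unquoted into an nginx directive, so a value containing whitespace, `;`, `#` or `$` either breaks `nginx -t` or changes the directive's meaning; quote it as `set $session_secret "{{ ANTIBOT_SESSION_SECRET }}";` and note in a comment that `$` still expands as an nginx variable inside the quotes. `{{ random(32) }}` is presumably a project-supplied Jinja global; apart from the stray space before the `;`, a comment should state that the value is produced at render time, so each render (and each server block rendered separately) gets a fresh secret and outstanding antibot sessions are invalidated — worth confirming that is intended. `access_by_lua_block` continues beyond this hunk.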
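Review bot: `WHITELIST_USER_AGENT.split(" ")` and `WHITELIST_URI.split(" ")` yield `[""]` for an empty setting, so the rendered Lua is `{""}` rather than `{}`; unlike the IP lists these two are not gated by a `use_*` flag, and if the whitelist helper matches with `string.find` or a pattern, an empty pattern matches every user agent or URI and the entire access pipeline is bypassed. Use `.split()` with no argument, which drops empty fields and collapses repeated spaces, in every list expansion of this commit: `{% set elements = WHITELIST_USER_AGENT.split() %}`. Whether the empty entry really matches depends on whitelist.lua, which is not in this diff — please confirm there.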
--- a/confs/site/modsecurity-rules.conf +++ b/confs/site/modsecurity-rules.conf @@ -49,17 +49,35 @@ SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial # log usefull stuff -SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE% +SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }} SecAuditLogType Serial SecAuditLog /var/log/nginx/modsec_audit.log # scan uploaded files with clamv -%USE_CLAMAV_UPLOAD% +{% if USE_CLAMAV_UPLOAD == "yes" %} +include {{ NGINX_PREFIX }}modsecurity-clamav.conf +{% endif %} + +# include OWASP CRS configuration +{% if USE_MODSECURITY_CRS == "yes" %} +include /opt/owasp/crs.conf + +# custom CRS configurations before loading rules (exclusions) +{% if is_custom_conf("/modsec-crs-confs") %} +include /modsec-crs-confs/*.conf +{% endif %} +{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %} +include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf +{% endif %} # include OWASP CRS rules -%MODSECURITY_INCLUDE_CRS% -%MODSECURITY_INCLUDE_CUSTOM_CRS% -%MODSECURITY_INCLUDE_CRS_RULES% +include /opt/owasp/crs/*.conf +{% endif %} -# include custom rules -%MODSECURITY_INCLUDE_CUSTOM_RULES% +# custom rules after loading the CRS +{% if is_custom_conf("/modsec-confs") %} +include /modsec-confs/*.conf +{% endif %} +{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %} +include /modsec-confs/{{ FIRST_SERVER }}/*.conf +{% endif %} diff --git a/confs/site/modsecurity.conf b/confs/site/modsecurity.conf index b30c0f8..380aa21 100644 --- a/confs/site/modsecurity.conf +++ b/confs/site/modsecurity.conf @@ -1,2 +1,2 @@ modsecurity on; -modsecurity_rules_file %MODSEC_RULES_FILE%; +modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf; diff --git a/confs/site/open-file-cache.conf b/confs/site/open-file-cache.conf index 8324dcd..0c2fb01 100644 --- a/confs/site/open-file-cache.conf +++ b/confs/site/open-file-cache.conf 
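Review bot: The comment `# custom CRS configurations before loading rules (exclusions)` invites users to put `SecRuleRemoveById` / `SecRuleUpdateTargetById` into `/modsec-crs-confs`, but those directives must appear after the rule they reference has been loaded and fail or are ignored when placed before `/opt/owasp/crs/*.conf`; only runtime exclusions (`SecRule ... "ctl:ruleRemoveById=..."`) and `tx.*` tuning belong before the rules. Suggest rewording the two comments to `# custom CRS configuration loaded BEFORE the rules: runtime exclusions (SecRule ... "ctl:ruleRemoveById=...") and tx.* tuning` and `# custom rules loaded AFTER the CRS: your own SecRules and configure-time exclusions (SecRuleRemoveById, SecRuleUpdateTargetById)`. `is_custom_conf` is a project helper not visible here; if it only tests that the directory exists, a directory with no `*.conf` still yields an `Include` glob that matches nothing, which libmodsecurity may reject — verify.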
@@ -1,4 +1,4 @@ -open_file_cache %OPEN_FILE_CACHE%; -open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%; -open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%; -open_file_cache_valid %OPEN_FILE_CACHE_VALID%; +open_file_cache {{ OPEN_FILE_CACHE }}; +open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }}; +open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }}; +open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }}; diff --git a/confs/site/permissions-policy.conf b/confs/site/permissions-policy.conf index 3877b8d..6bafbe0 100644 --- a/confs/site/permissions-policy.conf +++ b/confs/site/permissions-policy.conf @@ -1 +1 @@ -more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%"; +more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}"; diff --git a/confs/site/php.conf b/confs/site/php.conf index 950b986..0d746e8 100644 --- a/confs/site/php.conf +++ b/confs/site/php.conf @@ -1,4 +1,4 @@ location ~ \.php$ { - fastcgi_pass %REMOTE_PHP%:9000; + fastcgi_pass {{ REMOTE_PHP }}:9000; fastcgi_index index.php; } diff --git a/confs/site/proxy-cache.conf b/confs/site/proxy-cache.conf index 37b4a17..0daf86d 100644 --- a/confs/site/proxy-cache.conf +++ b/confs/site/proxy-cache.conf @@ -1,7 +1,11 @@ proxy_cache proxycache; -proxy_cache_methods %PROXY_CACHE_METHODS%; -proxy_cache_min_uses %PROXY_CACHE_MIN_USES%; -proxy_cache_key %PROXY_CACHE_KEY%; -proxy_no_cache %PROXY_NO_CACHE%; -proxy_cache_bypass %PROXY_CACHE_BYPASS%; -%PROXY_CACHE_VALID% +proxy_cache_methods {{ PROXY_CACHE_METHODS }}; +proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }}; +proxy_cache_key {{ PROXY_CACHE_KEY }}; +proxy_no_cache {{ PROXY_NO_CACHE }}; +proxy_cache_bypass {{ PROXY_CACHE_BYPASS }}; +{% if PROXY_CACHE_VALID != "" %} +{% for element in PROXY_CACHE_VALID.split(" ") %} +proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }}; +{% endfor %} +{% endif %} diff --git a/confs/site/proxy-real-ip.conf b/confs/site/proxy-real-ip.conf index 4d972c4..490576a 100644 
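Review bot: In proxy-cache.conf each `PROXY_CACHE_VALID` element is split on `=` and both halves are indexed unconditionally, so an entry without `=` (or a double space, which `split(" ")` turns into an empty element) raises an IndexError at render time and the whole configuration fails to generate. Use `.split()` and skip malformed entries, e.g. `{% for element in PROXY_CACHE_VALID.split() if "=" in element %}`, and add a comment documenting the expected form (`# PROXY_CACHE_VALID: space-separated CODE=TIME pairs, e.g. "200=1h 404=1m"`).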
--- a/confs/site/proxy-real-ip.conf +++ b/confs/site/proxy-real-ip.conf @@ -1,4 +1,8 @@ -%PROXY_REAL_IP_FROM% -real_ip_header %PROXY_REAL_IP_HEADER%; -real_ip_recursive %PROXY_REAL_IP_RECURSIVE%; +{% if PROXY_REAL_IP_FROM != "" %} + {% for element in PROXY_REAL_IP_FROM.split(" ") %} +set_real_ip_from {{ element }}; + {% endfor %} +{% endif %} +real_ip_header {{ PROXY_REAL_IP_HEADER }}; +real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }}; diff --git a/confs/site/referrer-policy.conf b/confs/site/referrer-policy.conf index e0dea36..b163485 100644 --- a/confs/site/referrer-policy.conf +++ b/confs/site/referrer-policy.conf @@ -1 +1 @@ -more_set_headers "Referrer-Policy: %REFERRER_POLICY%"; +more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}"; diff --git a/confs/site/reverse-proxy.conf b/confs/site/reverse-proxy.conf index 2db7d08..284df6e 100644 --- a/confs/site/reverse-proxy.conf +++ b/confs/site/reverse-proxy.conf @@ -1,7 +1,25 @@ -location %REVERSE_PROXY_URL% { +{% if USE_REVERSE_PROXY == "yes" %} + {% for k, v in all.items() %} + {% if k.startswith("REVERSE_PROXY_URL") %} + {% set url = v %} + {% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %} + {% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %} + {% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %} +location {{ url }} {% raw %}{{% endraw %} etag off; - proxy_pass %REVERSE_PROXY_HOST%; - %REVERSE_PROXY_HEADERS% - %REVERSE_PROXY_WS% - %REVERSE_PROXY_CUSTOM_HEADERS% -} + proxy_pass {{ host }}; + include {{ NGINX_PREFIX }}reverse-proxy-headers.conf; + {% if ws == "yes" %} + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + {% endif %} + {% if headers != "" %} + {% for header in headers.split(";") %} + proxy_set_header {{ header }}; + {% endfor %} + {% endif %} +{% raw %}}{% endraw %} + {% endif %} + {% endfor %} +{% endif %} 
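Review bot: `set_real_ip_from {{ element }};` is emitted for every token of `PROXY_REAL_IP_FROM.split(" ")`, so two consecutive spaces produce `set_real_ip_from ;` and break the configuration; use `.split()` instead. More importantly, a comment should warn that whatever is listed here is trusted to assert the client address via `{{ PROXY_REAL_IP_HEADER }}`, and that an over-broad range such as `0.0.0.0/0` lets any client forge the header and thereby bypass the IP whitelist/blacklist, DNSBL, country, bad-behavior and `limit_req`/`limit_conn` controls that key on `$remote_addr` / `$binary_remote_addr` elsewhere in this commit. Suggested comment: `# only list proxies you control: these addresses may rewrite $remote_addr through the header below, which drives every IP-based control`.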
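Review bot: In reverse-proxy.conf, when a `REVERSE_PROXY_URL*` key has no matching `REVERSE_PROXY_HOST*`, `host` is `""` and the template renders `proxy_pass ;`, which nginx rejects and which takes every site in the same configuration down; skip such entries by wrapping the location in `{% if host != "" %}` … `{% endif %}`. The websocket branch hard-codes `proxy_set_header Connection "Upgrade";`, which sends `Connection: Upgrade` on every request to the backend rather than only on those carrying an `Upgrade` header; the usual pattern is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` and `proxy_set_header Connection $connection_upgrade;` here. Custom headers from `headers.split(";")` are interpolated verbatim into `proxy_set_header`, so document the expected `Name value` form in a comment.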
diff --git a/confs/site/serve-files.conf b/confs/site/serve-files.conf index d920e93..4cf51be 100644 --- a/confs/site/serve-files.conf +++ b/confs/site/serve-files.conf @@ -1,3 +1,3 @@ -root %ROOT_FOLDER%; +root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }}; index index.html index.php; try_files $uri $uri/ =404; diff --git a/confs/site/server.conf b/confs/site/server.conf index 9c619b3..f171e4d 100644 --- a/confs/site/server.conf +++ b/confs/site/server.conf 
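Review bot: `root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};` appends the server name unconditionally, yet server.conf in this commit includes serve-files.conf whenever `SERVE_FILES == "yes"` regardless of `MULTISITE`, so a single-site deployment that previously served `ROOT_FOLDER` now serves `ROOT_FOLDER/<first server name>`. If that is not intended, make it `root {{ ROOT_FOLDER }}{% if MULTISITE == "yes" %}/{{ FIRST_SERVER }}{% endif %};` and add a one-line comment on the layout (`# multisite: one document root per site under ROOT_FOLDER`).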
@@ -1,41 +1,177 @@ -%PRE_SERVER_CONF% +# custom config before server block +include /pre-server-confs/*.conf; +{% if MULTISITE == "yes" %} +include /pre-server-confs/{{ FIRST_SERVER }}/*.conf; +{% endif %} server { - %FASTCGI_PATH% - %SERVER_CONF% - %PROXY_REAL_IP% - %INCLUDE_LUA% - %USE_MODSECURITY% - %LISTEN_HTTP% - %USE_HTTPS% - %REDIRECT_HTTP_TO_HTTPS% - server_name %SERVER_NAME%; - %DISABLE_DEFAULT_SERVER% - %SERVE_FILES% - if ($request_method !~ ^(%ALLOWED_METHODS%)$) - { + + # FastCGI variables +{% if REMOTE_PHP != "" %} + include {{ NGINX_PREFIX }}fastcgi.conf; +{% endif %} + + # custom config + include /server-confs/*.conf; +{% if MULTISITE == "yes" %} + include /server-confs/{{ FIRST_SERVER }}/*.conf; +{% endif %} + + # proxy real IP +{% if PROXY_REAL_IP == "yes" %} + include {{ NGINX_PREFIX }}proxy-real-ip.conf; +{% endif %} + + # include LUA files + include {{ NGINX_PREFIX }}main-lua.conf; + include {{ NGINX_PREFIX }}log-lua.conf; + + # ModSecurity +{% if USE_MODSECURITY == "yes" %} + include {{ NGINX_PREFIX }}modsecurity.conf; +{% endif %} + + # HTTP listen +{% if LISTEN_HTTP == "yes" %} + listen 0.0.0.0:{{ HTTP_PORT }}; +{% endif %} + + # HTTPS listen + config +{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %} + include {{ NGINX_PREFIX }}https.conf; +{% endif %} + + # HTTP to HTTPS +{% if REDIRECT_HTTP_TO_HTTPS == "yes" %} + include {{ NGINX_PREFIX }}redirect-http-to-https.conf; +{% endif %} + + # server name (vhost) + server_name {{ SERVER_NAME }}; + + # disable default server +{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %} + include {{ NGINX_PREFIX }}disable-default-server.conf; +{% endif %} + + # serve local files +{% if SERVE_FILES == "yes" %} + include {{ NGINX_PREFIX}}serve-files.conf; +{% endif %} + + # allowed HTTP methods + if ($request_method !~ ^({{ ALLOWED_METHODS }})$) { return 405; } - %LIMIT_REQ% - %LIMIT_CONN% - %AUTH_BASIC% - %REMOVE_HEADERS% - %X_FRAME_OPTIONS% - 
%X_XSS_PROTECTION% - %X_CONTENT_TYPE_OPTIONS% - %CONTENT_SECURITY_POLICY% - %REFERRER_POLICY% - %FEATURE_POLICY% - %PERMISSIONS_POLICY% - %COOKIE_FLAGS% - %ERRORS% - %USE_CLIENT_CACHE% - %USE_GZIP% - %USE_BROTLI% - client_max_body_size %MAX_CLIENT_SIZE%; - server_tokens %SERVER_TOKENS%; - %USE_OPEN_FILE_CACHE% - %USE_PROXY_CACHE% - %USE_REVERSE_PROXY% - %USE_PHP% + + # requests limiting +{% if USE_LIMIT_REQ == "yes" %} + include {{ NGINX_PREFIX }}limit-req.conf; +{% endif %} + + # connections limiting +{% if USE_LIMIT_CONN == "yes" %} + include {{ NGINX_PREFIX }}limit-conn.conf; +{% endif %} + + # auth basic +{% if USE_AUTH_BASIC == "yes" %} + {% if AUTH_BASIC_LOCATION == "sitewide" %} + include {{ NGINX_PREFIX }}auth-basic-sitewide.conf; + {% else %} + include {{ NGINX_PREFIX }}auth-basic.conf; + {% endif %} +{% endif %} + + # remove headers +{% if REMOVE_HEADERS != "" %} + {% for header in REMOVE_HEADERS.split(" ") %} + more_clear_headers '{{ header }}'; + {% endfor %} +{% endif %} + + # X-Frame-Option header +{% if X_FRAME_OPTIONS != "" %} + include {{ NGINX_PREFIX }}x-frame-options.conf; +{% endif %} + + # X-XSS-Protection header +{% if X_XSS_PROTECTION != "" %} + include {{ NGINX_PREFIX }}x-xss-protection.conf; +{% endif %} + + # X-Content-Type header +{% if X_CONTENT_TYPE_OPTIONS != "" %} + include {{ NGINX_PREFIX }}x-content-type-options.conf; +{% endif %} + + # Content-Security-Policy header +{% if CONTENT_SECURITY_POLICY != "" %} + include {{ NGINX_PREFIX }}content-security-policy.conf; +{% endif %} + + # Referrer-Policy header +{% if REFERRER_POLICY != "" %} + include {{ NGINX_PREFIX }}referrer-policy.conf; +{% endif %} + + # Feature-Policy header +{% if FEATURE_POLICY != "" %} + include {{ NGINX_PREFIX }}feature-policy.conf; +{% endif %} + + # Permissions-Policy header +{% if PERMISSIONS_POLICY != "" %} + include {{ NGINX_PREFIX }}permissions-policy.conf; +{% endif %} + + # cookie flags +{% if COOKIE_FLAGS != "" %} + include {{ NGINX_PREFIX 
}}cookie-flags.conf; +{% endif %} + + # custom errors + include {{ NGINX_PREFIX }}error.conf; + + # client caching +{% if USE_CLIENT_CACHE == "yes" %} + include {{ NGINX_PREFIX }}client-cache.conf; +{% endif %} + + # gzip compression +{% if USE_GZIP == "yes" %} + include {{ NGINX_PREFIX }}gzip.conf; +{% endif %} + + # brotli compression +{% if USE_GZIP == "yes" %} + include {{ NGINX_PREFIX }}gzip.conf; +{% endif %} + + # maximum body size + client_max_body_size {{ MAX_CLIENT_SIZE }}; + + # enable/disable showing version + server_tokens {{ SERVER_TOKENS }}; + + # open file caching +{% if USE_OPEN_FILE_CACHE == "yes" %} + include {{ NGINX_PREFIX }}open-file-cache.conf; +{% endif %} + + # proxy caching +{% if USE_PROXY_CACHE == "yes" %} + include {{ NGINX_PREFIX }}proxy-cache.conf; +{% endif %} + + # reverse proxy +{% if USE_REVERSE_PROXY == "yes" %} + include {{ NGINX_PREFIX }}reverse-proxy.conf; +{% endif %} + + # remote PHP +{% if REMOTE_PHP != "" %} + include {{ NGINX_PREFIX }}php.conf; +{% endif %} + } diff --git a/confs/site/x-content-type-options.conf b/confs/site/x-content-type-options.conf index 7bd59ef..9a6e6f3 100644 --- a/confs/site/x-content-type-options.conf +++ b/confs/site/x-content-type-options.conf @@ -1 +1 @@ -more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%"; +more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}"; diff --git a/confs/site/x-frame-options.conf b/confs/site/x-frame-options.conf index 52be218..fb928d1 100644 --- a/confs/site/x-frame-options.conf +++ b/confs/site/x-frame-options.conf @@ -1 +1 @@ -more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%"; +more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}"; diff --git a/confs/site/x-xss-protection.conf b/confs/site/x-xss-protection.conf index 1394cb4..b48d0f3 100644 --- a/confs/site/x-xss-protection.conf +++ b/confs/site/x-xss-protection.conf 
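Review bot: The block commented `# brotli compression` is a copy of the gzip one — it tests `USE_GZIP == "yes"` and includes `gzip.conf` a second time — so brotli can never be enabled and, with `USE_GZIP=yes`, gzip.conf is included twice, which makes `nginx -t` fail on duplicate directives such as `gzip on` (assuming gzip.conf contains them, as its name suggests). It should read `{% if USE_BROTLI == "yes" %}` / `include {{ NGINX_PREFIX }}brotli.conf;`. Minor: `{{ NGINX_PREFIX}}` in the serve-files include is missing its space, harmless to Jinja but inconsistent with the rest of the file; the `server { ... }` block opens and closes within this hunk, so the whole template is visible.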
@@ -1 +1 @@ -more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%"; +more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}"; diff --git a/confs2/global/abusers.list b/confs2/global/abusers.list deleted file mode 100644 index e69de29..0000000 diff --git a/confs2/global/api-temp.conf b/confs2/global/api-temp.conf deleted file mode 100644 index a368bcc..0000000 --- a/confs2/global/api-temp.conf +++ /dev/null @@ -1,32 +0,0 @@ -# todo : if api_uri == "random" -location ~ ^{{ API_URI }}/ping { - return 444; -} - -location ~ {{ API_URI }} { - -rewrite_by_lua_block { - - local api = require "api" - local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} - local api_uri = "{{ API_URI }}" - local logger = require "logger" - - if api.is_api_call(api_uri, api_whitelist_ip) then - ngx.header.content_type = 'text/plain' - if api.do_api_call(api_uri) then - logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr) - ngx.say("ok") - else - logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr) - ngx.say("ko") - end - - ngx.exit(ngx.HTTP_OK) - - end - - ngx.exit(ngx.OK) -} - -} diff --git a/confs2/global/api.conf b/confs2/global/api.conf deleted file mode 100644 index 1e70b0b..0000000 --- a/confs2/global/api.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# todo : if api_uri == "random" -rewrite_by_lua_block { - - local api = require "api" - local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} - local api_uri = "{{ API_URI }}" - local logger = require "logger" - - if api.is_api_call(api_uri, api_whitelist_ip) then - ngx.header.content_type = 'text/plain' - if api.do_api_call(api_uri) then - logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr) - ngx.say("ok") - else - logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr) - ngx.say("ko") - end - - ngx.exit(ngx.HTTP_OK) - - end - - ngx.exit(ngx.OK) -} diff --git a/confs2/global/dhparam b/confs2/global/dhparam deleted file mode 100644 index 088f967..0000000 --- a/confs2/global/dhparam +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- \ No newline at end of file diff --git a/confs2/global/geoip.conf b/confs2/global/geoip.conf deleted file mode 100644 index 0e7994a..0000000 --- a/confs2/global/geoip.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -geoip2 /etc/nginx/geoip.mmdb { - auto_reload 5m; - $geoip2_metadata_country_build metadata build_epoch; - $geoip2_data_country_code country iso_code; -} - -map $geoip2_data_country_code $allowed_country { - default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %}; - {% for country in WHITELIST_COUNTRY.split(" ") %} - {{ country }} yes; - {% endfor %} - {% for country in BLACKLIST_COUNTRY.split(" ") %} - {{ country }} no; - {% endfor %} -} diff --git a/confs2/global/init-lua.conf b/confs2/global/init-lua.conf deleted file mode 100644 index 99dbc3f..0000000 --- a/confs2/global/init-lua.conf +++ /dev/null 
@@ -1,43 +0,0 @@ -init_by_lua_block { - -local dataloader = require "dataloader" -local logger = require "logger" - -local use_proxies = {% if USE_PROXIES == "yes" %}true{% else %}false{% endif %} -local use_abusers = {% if USE_ABUSERS == "yes" %}true{% else %}false{% endif %} -local use_tor_exit_nodes = {% if USE_TOR_EXIT_NODES == "yes" %}true{% else %}false{% endif %} -local use_user_agents = {% if USE_USER_AGENTS == "yes" %}true{% else %}false{% endif %} -local use_referrers = {% if USE_REFERRERS == "yes" %}true{% else %}false{% endif %} -local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %} - -if use_proxies then - dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) -end - -if use_abusers then - dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data) -end - -if use_tor_exit_nodes then - dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data) -end - -if use_user_agents then - dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data) -end - -if use_referrers then - dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data) -end - -if use_crowdsec then - local cs = require "crowdsec.CrowdSec" - local ok, err = cs.init("/etc/nginx/crowdsec.conf") - if ok == nil then - logger.log(ngx.ERR, "CROWDSEC", err) - error() - end - logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done") -end - -} diff --git a/confs2/global/multisite-default-server-https.conf b/confs2/global/multisite-default-server-https.conf deleted file mode 100644 index 2f5e87d..0000000 --- a/confs2/global/multisite-default-server-https.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %}; -ssl_certificate /etc/nginx/default-cert.pem; -ssl_certificate_key /etc/nginx/default-key.pem; -ssl_protocols {{ HTTPS_PROTOCOLS }}; -ssl_prefer_server_ciphers off; -ssl_session_tickets off; -ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; -{% if "TLSv1.2" in HTTPS_PROTOCOLS %} -ssl_dhparam /etc/nginx/dhparam; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -{% endif %} -include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf; diff --git a/confs2/global/multisite-default-server-lets-encrypt-webroot.conf b/confs2/global/multisite-default-server-lets-encrypt-webroot.conf deleted file mode 100644 index 5b8e707..0000000 --- a/confs2/global/multisite-default-server-lets-encrypt-webroot.conf +++ /dev/null @@ -1,3 +0,0 @@ -location ~ ^/.well-known/acme-challenge/ { - root /acme-challenge; -} diff --git a/confs2/global/multisite-default-server.conf b/confs2/global/multisite-default-server.conf deleted file mode 100644 index 74d4029..0000000 --- a/confs2/global/multisite-default-server.conf +++ /dev/null @@ -1,7 +0,0 @@ -toto -server { - {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %} - server_name _; - {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %} - {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %} -} diff --git a/confs2/global/multisite-disable-default-server.conf b/confs2/global/multisite-disable-default-server.conf deleted file mode 100644 index 9c2ea8a..0000000 --- a/confs2/global/multisite-disable-default-server.conf +++ /dev/null @@ -1,3 +0,0 @@ -location / { - return 444; -} 
diff --git a/confs2/global/nginx-temp.conf b/confs2/global/nginx-temp.conf deleted file mode 100644 index 50c50cd..0000000 --- a/confs2/global/nginx-temp.conf +++ /dev/null @@ -1,30 +0,0 @@ -load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; - -daemon on; - -pid /tmp/nginx-temp.pid; - -events { - worker_connections 1024; - use epoll; -} - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - lua_package_path "/usr/local/lib/lua/?.lua;;"; - server { - listen 0.0.0.0:%HTTP_PORT% default_server; - server_name _; - location ~ ^/.well-known/acme-challenge/ { - root /acme-challenge; - } - %USE_API% - location / { - return 444; - } - } -} diff --git a/confs2/global/nginx.conf b/confs2/global/nginx.conf deleted file mode 100644 index aa24be7..0000000 --- a/confs2/global/nginx.conf +++ /dev/null 
@@ -1,131 +0,0 @@ -# /etc/nginx/nginx.conf - -# load dynamic modules -load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so; -load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so; -load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; -load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; -load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; -load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so; -load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; -load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; - -# run in foreground -daemon off; - -# PID file -pid /tmp/nginx.pid; - -# worker number = CPU core(s) -worker_processes auto; - -# faster regexp -pcre_jit on; - -# config files for dynamic modules -include /etc/nginx/modules/*.conf; - -# max open files for each worker -worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }}; - -events { - # max connections per worker - worker_connections {{ WORKER_CONNECTIONS }}; - - # epoll seems to be the best on Linux - use epoll; -} - -http { - # zero copy within the kernel - sendfile on; - - # send packets only if filled - tcp_nopush on; - - # remove 200ms delay - tcp_nodelay on; - - # load mime types and set default one - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # write logs to local syslog - log_format logf '{{ LOG_FORMAT }}'; - access_log /var/log/access.log logf; - error_log /var/log/error.log {{ LOG_LEVEL }}; - - # temp paths - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - # close connections in FIN_WAIT1 state - reset_timedout_connection on; - - # timeouts - client_body_timeout 10; - client_header_timeout 10; - keepalive_timeout 15; - send_timeout 10; - - # resolvers to use - resolver {{ DNS_RESOLVERS }} ipv6=off; - - # remove ports when sending 
redirects - port_in_redirect off; - - # lua path and dicts - lua_package_path "/usr/local/lib/lua/?.lua;;"; - {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %} - {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %} - {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %} - {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %} - {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %} - {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %} - {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %} - {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %} - {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %} - {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %} - {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %} - {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %} - {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %} - {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %} - - # shared memory zone for limit_req - {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %} - - # shared memory zone for limit_conn - {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %} - - # whitelist or blacklist country - {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %} - - # zone for proxy_cache - {% if 
has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %} - - # custom http confs - include /http-confs/*.conf; - - # LUA init block - include /etc/nginx/init-lua.conf; - - # default server when MULTISITE=yes - {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %} - - # server config(s) - {% if SWARM_MODE == "no" %} - {% if MULTISITE == "yes" %} - {% for server_name in SERVER_NAME.split(" ") %} - include /etc/nginx/{{ server_name }}/server.conf; - {% endfor %} - {% else %} - include /etc/nginx/server.conf; - {% endif %} - {% endif %} - - # API - {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %} -} diff --git a/confs2/global/proxies.list b/confs2/global/proxies.list deleted file mode 100644 index e69de29..0000000 diff --git a/confs2/global/referrers.list b/confs2/global/referrers.list deleted file mode 100644 index e69de29..0000000 diff --git a/confs2/global/tor-exit-nodes.list b/confs2/global/tor-exit-nodes.list deleted file mode 100644 index e69de29..0000000 diff --git a/confs2/global/user-agents.list b/confs2/global/user-agents.list deleted file mode 100644 index e69de29..0000000 diff --git a/confs2/site/antibot-captcha.conf b/confs2/site/antibot-captcha.conf deleted file mode 100644 index 90905df..0000000 --- a/confs2/site/antibot-captcha.conf +++ /dev/null 
@@ -1,46 +0,0 @@
-location = {{ ANTIBOT_URI }} {
-
- default_type 'text/html';
-
- if ($request_method = GET) {
- content_by_lua_block {
- local cookie = require "cookie"
- local captcha = require "captcha"
- local logger = require "logger"
- if not cookie.is_set("uri") then
- logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local img, res = captcha.get_challenge()
- cookie.set({captchares = res})
- local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
- ngx.say(code)
- }
- }
-
- if ($request_method = POST) {
- access_by_lua_block {
- local cookie = require "cookie"
- local captcha = require "captcha"
- local logger = require "logger"
- if not cookie.is_set("captchares") then
- logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- ngx.req.read_body()
- local args, err = ngx.req.get_post_args(1)
- if err == "truncated" or not args or not args["captcha"] then
- logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local captcha_user = args["captcha"]
- local check = captcha.check(captcha_user, cookie.get("captchares"))
- if not check then
- logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
- return ngx.redirect("{{ ANTIBOT_URI }}")
- end
- cookie.set({captcha = "ok"})
- return ngx.redirect(cookie.get("uri"))
- }
- }
-}
diff --git a/confs2/site/antibot-javascript.conf b/confs2/site/antibot-javascript.conf
deleted file mode 100644
index 32488af..0000000
--- a/confs2/site/antibot-javascript.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-location = {{ ANTIBOT_URI }} {
-
- default_type 'text/html';
-
- if ($request_method = GET) {
- content_by_lua_block {
- local cookie = require "cookie"
- local javascript = require "javascript"
- local logger = require "logger"
- if not cookie.is_set("challenge") then
- logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local challenge = cookie.get("challenge")
- local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
- ngx.say(code)
- }
- }
-
- if ($request_method = POST) {
- content_by_lua_block {
- local cookie = require "cookie"
- local javascript = require "javascript"
- local logger = require "logger"
- if not cookie.is_set("challenge") then
- logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- ngx.req.read_body()
- local args, err = ngx.req.get_post_args(1)
- if err == "truncated" or not args or not args["challenge"] then
- logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local challenge = args["challenge"]
- local check = javascript.check(cookie.get("challenge"), challenge)
- if not check then
- logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- cookie.set({javascript = "ok"})
- return ngx.exit(ngx.OK)
- }
- }
-}
diff --git a/confs2/site/antibot-recaptcha.conf b/confs2/site/antibot-recaptcha.conf
deleted file mode 100644
index d7c46ca..0000000
--- a/confs2/site/antibot-recaptcha.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-location = {{ ANTIBOT_URI }} {
-
- default_type 'text/html';
-
- if ($request_method = GET) {
- content_by_lua_block {
- local cookie = require "cookie"
- local recaptcha = require "recaptcha"
- local loggger = require "logger"
- if not cookie.is_set("uri") then
- logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
- ngx.say(code)
- }
- }
-
- if ($request_method = POST) {
- access_by_lua_block {
- local cookie = require "cookie"
- local recaptcha = require "recaptcha"
- local logger = require "logger"
- if not cookie.is_set("uri") then
- logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- ngx.req.read_body()
- local args, err = ngx.req.get_post_args(1)
- if err == "truncated" or not args or not args["token"] then
- logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- local token = args["token"]
- local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
- if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
- logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- cookie.set({recaptcha = "ok"})
- return ngx.redirect(cookie.get("uri"))
- }
- }
-}
diff --git a/confs2/site/auth-basic-sitewide.conf b/confs2/site/auth-basic-sitewide.conf
deleted file mode 100644
index cae4c96..0000000
--- a/confs2/site/auth-basic-sitewide.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-auth_basic "{{ AUTH_BASIC_TEXT }}";
-auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
diff --git a/confs2/site/auth-basic.conf b/confs2/site/auth-basic.conf
deleted file mode 100644
index 4007d11..0000000
--- a/confs2/site/auth-basic.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-location {{ AUTH_BASIC_LOCATION }} {
- auth_basic "{{ AUTH_BASIC_TEXT }}";
- auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
-}
diff --git a/confs2/site/brotli.conf b/confs2/site/brotli.conf
deleted file mode 100644
index f2660e0..0000000
--- a/confs2/site/brotli.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-brotli on;
-brotli_types {{ BROTLI_TYPES }};
-brotli_comp_level {{ BROTLI_COMP_LEVEL }};
-brotli_min_length {{ BROTLI_MIN_LENGTH }};
diff --git a/confs2/site/client-cache.conf b/confs2/site/client-cache.conf
deleted file mode 100644
index b23717f..0000000
--- a/confs2/site/client-cache.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-etag {{ CLIENT_CACHE_ETAG }};
-set $cache "";
-if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
- set $cache "{{ CLIENT_CACHE_CONTROL }}";
-}
-add_header Cache-Control $cache;
diff --git a/confs2/site/content-security-policy.conf b/confs2/site/content-security-policy.conf
deleted file mode 100644
index 8b8a61a..0000000
--- a/confs2/site/content-security-policy.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
diff --git a/confs2/site/cookie-flags.conf b/confs2/site/cookie-flags.conf
deleted file mode 100644
index 675feb3..0000000
--- a/confs2/site/cookie-flags.conf
+++ /dev/null
@@ -1 +0,0 @@
-set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
diff --git a/confs2/site/custom-https.conf b/confs2/site/custom-https.conf
deleted file mode 100644
index 03721b5..0000000
--- a/confs2/site/custom-https.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
-ssl_certificate {{ HTTPS_CUSTOM_CERT }};
-ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
-ssl_protocols TLSv1.3;
-ssl_prefer_server_ciphers off;
-ssl_session_tickets off;
-{% if STRICT_TRANSPORT_SECURITY != "" %}
-more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
-{% endif %}
diff --git a/confs2/site/disable-default-server.conf b/confs2/site/disable-default-server.conf
deleted file mode 100644
index 900e58d..0000000
--- a/confs2/site/disable-default-server.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
- return 444;
-}
diff --git a/confs2/site/error.conf b/confs2/site/error.conf
deleted file mode 100644
index 1636d1a..0000000
--- a/confs2/site/error.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-{% if ERRORS != "" %}
- {% for element in ERRORS.split(" ") %}
- {% set code = element.split("=")[0] %}
- {% set page = element.split("=")[1] %}
-error_page {{ code }} {{ page }};
-
-location = {{ page }} {
- root {{ ROOT_FOLDER }};
- modsecurity off;
- internal;
-}
- {% endfor %}
-{% endif %}
diff --git a/confs2/site/fastcgi.conf b/confs2/site/fastcgi.conf
deleted file mode 100644
index c4712cc..0000000
--- a/confs2/site/fastcgi.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
diff --git a/confs2/site/feature-policy.conf b/confs2/site/feature-policy.conf
deleted file mode 100644
index 009a63e..0000000
--- a/confs2/site/feature-policy.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
diff --git a/confs2/site/gzip.conf b/confs2/site/gzip.conf
deleted file mode 100644
index 3eb755d..0000000
--- a/confs2/site/gzip.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-gzip on;
-gzip_comp_level {{ GZIP_COMP_LEVEL }};
-gzip_min_length {{ GZIP_MIN_LENGTH }};
-gzip_types {{ GZIP_TYPES }};
diff --git a/confs2/site/https.conf b/confs2/site/https.conf
deleted file mode 100644
index 9b13dbd..0000000
--- a/confs2/site/https.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
-ssl_certificate {{ HTTPS_CERT }};
-ssl_certificate_key {{ HTTPS_KEY }};
-ssl_protocols {{ HTTPS_PROTOCOLS }};
-ssl_prefer_server_ciphers on;
-ssl_session_tickets off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-{% if STRICT_TRANSPORT_SECURITY != "" %}
-more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
-{% endif %}
-{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
-ssl_dhparam /etc/nginx/dhparam;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-{% endif %}
-{% if AUTO_LETS_ENCRYPT %}
-include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
-{% endif %}
diff --git a/confs2/site/lets-encrypt-webroot.conf b/confs2/site/lets-encrypt-webroot.conf
deleted file mode 100644
index 5b8e707..0000000
--- a/confs2/site/lets-encrypt-webroot.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-location ~ ^/.well-known/acme-challenge/ {
- root /acme-challenge;
-}
diff --git a/confs2/site/limit-conn.conf b/confs2/site/limit-conn.conf
deleted file mode 100644
index 27c9738..0000000
--- a/confs2/site/limit-conn.conf
+++ /dev/null
@@ -1 +0,0 @@
-limit_conn ddos {{ LIMIT_CONN_MAX }};
diff --git a/confs2/site/limit-req.conf b/confs2/site/limit-req.conf
deleted file mode 100644
index 35b88fc..0000000
--- a/confs2/site/limit-req.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-limit_req_status 429;
-limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;
-
diff --git a/confs2/site/log-lua.conf b/confs2/site/log-lua.conf
deleted file mode 100644
index e45620f..0000000
--- a/confs2/site/log-lua.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-log_by_lua_block {
-
--- bad behavior
-local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
-local behavior = require "behavior"
-local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
-local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
-local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
-
-if use_bad_behavior then
- behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
-end
-
-}
diff --git a/confs2/site/main-lua.conf b/confs2/site/main-lua.conf
deleted file mode 100644
index a6310d9..0000000
--- a/confs2/site/main-lua.conf
+++ /dev/null
@@ -1,304 +0,0 @@
-{% if ANTIBOT_SESSION_SECRET == "random" %}
-set $session_secret {{ random(32) }} ;
-{% else %}
-set $session_secret {{ ANTIBOT_SESSION_SECRET }};
-{% endif %}
-set $session_check_addr on;
-
-access_by_lua_block {
-
--- let's encrypt
-local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
-
--- external blacklists
-local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
-local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
-local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
-local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
-local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
-
--- countries
-local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
-
--- crowdsec
-local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
-
--- antibot
-local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
-local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
-local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
-local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
-
--- resolvers
-local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-
--- whitelist
-local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
-local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
-local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-
--- blacklist
-local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
-local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
-local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-
--- dnsbl
-local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
-local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-
--- bad behavior
-local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
-
--- include LUA code
-local whitelist = require "whitelist"
-local blacklist = require "blacklist"
-local dnsbl = require "dnsbl"
-local cookie = require "cookie"
-local javascript = require "javascript"
-local captcha = require "captcha"
-local recaptcha = require "recaptcha"
-local iputils = require "resty.iputils"
-local behavior = require "behavior"
-local logger = require "logger"
-
--- user variables
-local antibot_uri = "{{ ANTIBOT_URI }}"
-local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-
--- check if already in whitelist cache
-if use_whitelist_ip and whitelist.ip_cached_ok() then
- ngx.exit(ngx.OK)
-end
-if use_whitelist_reverse and whitelist.reverse_cached_ok() then
- ngx.exit(ngx.OK)
-end
-
--- check if already in blacklist cache
-if use_blacklist_ip and blacklist.ip_cached_ko() then
- ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-if use_blacklist_reverse and blacklist.reverse_cached_ko() then
- ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if already in dnsbl cache
-if use_dnsbl and dnsbl.cached_ko() then
- ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if IP is whitelisted (only if not in cache)
-if use_whitelist_ip and not whitelist.ip_cached() then
- if whitelist.check_ip(whitelist_ip_list) then
- ngx.exit(ngx.OK)
- end
-end
-
--- check if reverse is whitelisted (only if not in cache)
-if use_whitelist_reverse and not whitelist.reverse_cached() then
- if whitelist.check_reverse(whitelist_reverse_list) then
- ngx.exit(ngx.OK)
- end
-end
-
--- check if URI is whitelisted
-for k, v in pairs(whitelist_uri) do
- if ngx.var.request_uri == v then
- logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
- ngx.exit(ngx.OK)
- end
-end
-
--- check if it's certbot
-if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
- logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
- ngx.exit(ngx.OK)
-end
-
--- check if IP is blacklisted (only if not in cache)
-if use_blacklist_ip and not blacklist.ip_cached() then
- if blacklist.check_ip(blacklist_ip_list) then
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if reverse is blacklisted (only if not in cache)
-if use_blacklist_reverse and not blacklist.reverse_cached() then
- if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if IP is banned because of "bad behavior"
-if use_bad_behavior and behavior.is_banned() then
- logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
- ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if IP is in proxies list
-if use_proxies then
- local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
- if value ~= nil then
- logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if IP is in abusers list
-if use_abusers then
- local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
- if value ~= nil then
- logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if IP is in TOR exit nodes list
-if use_tor_exit_nodes then
- local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
- if value ~= nil then
- logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if user-agent is allowed
-if use_user_agents and ngx.var.http_user_agent ~= nil then
- local whitelisted = false
- for k, v in pairs(whitelist_user_agent) do
- if string.match(ngx.var.http_user_agent, v) then
- logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
- whitelisted = true
- break
- end
- end
- if not whitelisted then
- local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
- if value == nil then
- local patterns = ngx.shared.user_agents_data:get_keys(0)
- for i, pattern in ipairs(patterns) do
- if string.match(ngx.var.http_user_agent, pattern) then
- value = "ko"
- ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
- break
- end
- end
- if value == nil then
- value = "ok"
- ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
- end
- end
- if value == "ko" then
- logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
- end
-end
-
--- check if referrer is allowed
-if use_referrer and ngx.var.http_referer ~= nil then
- local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
- if value == nil then
- local patterns = ngx.shared.referrers_data:get_keys(0)
- for i, pattern in ipairs(patterns) do
- if string.match(ngx.var.http_referer, pattern) then
- value = "ko"
- ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
- break
- end
- end
- if value == nil then
- value = "ok"
- ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
- end
- end
- if value == "ko" then
- logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if country is allowed
-if use_country and ngx.var.allowed_country == "no" then
- logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
- ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if IP is in DNSBLs (only if not in cache)
-if use_dnsbl and not dnsbl.cached() then
- if dnsbl.check(dnsbl_list, dns_resolvers) then
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- check if IP is in CrowdSec DB
-if use_crowdsec then
- local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
- if ok == nil then
- logger.log(ngx.ERR, "CROWDSEC", err)
- end
- if not ok then
- logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
--- cookie check
-if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
- if not cookie.is_set("uri") then
- if ngx.var.request_uri ~= antibot_uri then
- cookie.set({uri = ngx.var.request_uri})
- return ngx.redirect(antibot_uri)
- end
- logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
- return ngx.exit(ngx.HTTP_FORBIDDEN)
- else
- if ngx.var.request_uri == antibot_uri then
- return ngx.redirect(cookie.get("uri"))
- end
- end
-end
-
--- javascript check
-if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
- if not cookie.is_set("javascript") then
- if ngx.var.request_uri ~= antibot_uri then
- cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
- return ngx.redirect(antibot_uri)
- end
- end
-end
-
--- captcha check
-if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
- if not cookie.is_set("captcha") then
- if ngx.var.request_uri ~= antibot_uri then
- cookie.set({uri = ngx.var.request_uri})
- return ngx.redirect(antibot_uri)
- end
- end
-end
-
--- recaptcha check
-if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
- if not cookie.is_set("recaptcha") then
- if ngx.var.request_uri ~= antibot_uri then
- cookie.set({uri = ngx.var.request_uri})
- return ngx.redirect(antibot_uri)
- end
- end
-end
-
-ngx.exit(ngx.OK)
-
-}
-
-{% if USE_ANTIBOT == "javascript" %}
-include {{ NGINX_PREFIX }}antibot-javascript.conf;
-{% elif USE_ANTIBOT == "captcha" %}
-include {{ NGINX_PREFIX }}antibot-captcha.conf;
-{% elif USE_ANTIBOT == "recaptcha" %}
-include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
-{% endif %}
diff --git a/confs2/site/modsecurity-clamav.conf b/confs2/site/modsecurity-clamav.conf
deleted file mode 100644
index af96b0f..0000000
--- a/confs2/site/modsecurity-clamav.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-SecUploadDir /tmp
-SecUploadKeepFiles On
-SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
-"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"
diff --git a/confs2/site/modsecurity-rules.conf b/confs2/site/modsecurity-rules.conf
deleted file mode 100644
index 37f0a7d..0000000
--- a/confs2/site/modsecurity-rules.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-# process rules with disruptive actions
-SecRuleEngine On
-
-# allow body checks
-SecRequestBodyAccess On
-
-# enable XML parsing
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
- "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
-# enable JSON parsing
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
- "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-
-# maximum data size
-SecRequestBodyLimit 13107200
-SecRequestBodyNoFilesLimit 131072
-
-# reject requests if bigger than max data size
-SecRequestBodyLimitAction Reject
-
-# reject if we can't process the body
-SecRule REQBODY_ERROR "!@eq 0" \
-"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
-
-# be strict with multipart/form-data body
-SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
- "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# enable response body checks
-SecResponseBodyAccess On
-SecResponseBodyMimeType text/plain text/html text/xml application/json
-SecResponseBodyLimit 524288
-SecResponseBodyLimitAction ProcessPartial
-
-# log usefull stuff
-SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
-SecAuditLogType Serial
-SecAuditLog /var/log/nginx/modsec_audit.log
-
-# scan uploaded files with clamv
-{% if USE_CLAMAV_UPLOAD == "yes" %}
-include {{ NGINX_PREFIX }}modsecurity-clamav.conf
-{% endif %}
-
-# include OWASP CRS configuration
-{% if USE_MODSECURITY_CRS == "yes" %}
-include /opt/owasp/crs.conf
-
-# custom CRS configurations before loading rules (exclusions)
-{% if is_custom_conf("/modsec-crs-confs") %}
-include /modsec-crs-confs/*.conf
-{% endif %}
-{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
-include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
-{% endif %}
-
-# include OWASP CRS rules
-include /opt/owasp/crs/*.conf
-{% endif %}
-
-# custom rules after loading the CRS
-{% if is_custom_conf("/modsec-confs") %}
-include /modsec-confs/*.conf
-{% endif %}
-{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
-include /modsec-confs/{{ FIRST_SERVER }}/*.conf
-{% endif %}
diff --git a/confs2/site/modsecurity.conf b/confs2/site/modsecurity.conf
deleted file mode 100644
index 380aa21..0000000
--- a/confs2/site/modsecurity.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-modsecurity on;
-modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;
diff --git a/confs2/site/open-file-cache.conf b/confs2/site/open-file-cache.conf
deleted file mode 100644
index 0c2fb01..0000000
--- a/confs2/site/open-file-cache.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-open_file_cache {{ OPEN_FILE_CACHE }};
-open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
-open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
-open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
diff --git a/confs2/site/permissions-policy.conf b/confs2/site/permissions-policy.conf
deleted file mode 100644
index 6bafbe0..0000000
--- a/confs2/site/permissions-policy.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
diff --git a/confs2/site/php.conf b/confs2/site/php.conf
deleted file mode 100644
index 0d746e8..0000000
--- a/confs2/site/php.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-location ~ \.php$ {
- fastcgi_pass {{ REMOTE_PHP }}:9000;
- fastcgi_index index.php;
-}
diff --git a/confs2/site/proxy-cache.conf b/confs2/site/proxy-cache.conf
deleted file mode 100644
index 0daf86d..0000000
--- a/confs2/site/proxy-cache.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-proxy_cache proxycache;
-proxy_cache_methods {{ PROXY_CACHE_METHODS }};
-proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
-proxy_cache_key {{ PROXY_CACHE_KEY }};
-proxy_no_cache {{ PROXY_NO_CACHE }};
-proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
-{% if PROXY_CACHE_VALID != "" %}
-{% for element in PROXY_CACHE_VALID.split(" ") %}
-proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
-{% endfor %}
-{% endif %}
diff --git a/confs2/site/proxy-real-ip.conf b/confs2/site/proxy-real-ip.conf
deleted file mode 100644
index 490576a..0000000
--- a/confs2/site/proxy-real-ip.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-{% if PROXY_REAL_IP_FROM != "" %}
- {% for element in PROXY_REAL_IP_FROM.split(" ") %}
-set_real_ip_from {{ element }};
- {% endfor %}
-{% endif %}
-real_ip_header {{ PROXY_REAL_IP_HEADER }};
-real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};
-
diff --git a/confs2/site/redirect-http-to-https.conf b/confs2/site/redirect-http-to-https.conf
deleted file mode 100644
index 7a9c74d..0000000
--- a/confs2/site/redirect-http-to-https.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-if ($scheme = http) {
- return 301 https://$host$request_uri;
-}
diff --git a/confs2/site/referrer-policy.conf b/confs2/site/referrer-policy.conf
deleted file mode 100644
index b163485..0000000
--- a/confs2/site/referrer-policy.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
diff --git a/confs2/site/reverse-proxy-headers.conf b/confs2/site/reverse-proxy-headers.conf
deleted file mode 100644
index 056d7b6..0000000
--- a/confs2/site/reverse-proxy-headers.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Forwarded-Protocol $scheme;
-proxy_set_header X-Forwarded-Host $http_host;
diff --git a/confs2/site/reverse-proxy.conf b/confs2/site/reverse-proxy.conf
deleted file mode 100644
index 284df6e..0000000
--- a/confs2/site/reverse-proxy.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{% if USE_REVERSE_PROXY == "yes" %}
- {% for k, v in all.items() %}
- {% if k.startswith("REVERSE_PROXY_URL") %}
- {% set url = v %}
- {% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
- {% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
- {% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
-location {{ url }} {% raw %}{{% endraw %}
- etag off;
- proxy_pass {{ host }};
- include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
- {% if ws == "yes" %}
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- {% endif %}
- {% if headers != "" %}
- {% for header in headers.split(";") %}
- proxy_set_header {{ header }};
- {% endfor %}
- {% endif %}
-{% raw %}}{% endraw %}
- {% endif %}
- {% endfor %}
-{% endif %}
diff --git a/confs2/site/serve-files.conf b/confs2/site/serve-files.conf
deleted file mode 100644
index 4cf51be..0000000
--- a/confs2/site/serve-files.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
-index index.html index.php;
-try_files $uri $uri/ =404;
diff --git a/confs2/site/server.conf b/confs2/site/server.conf
deleted file mode 100644
index 99ba927..0000000
--- a/confs2/site/server.conf
+++ /dev/null
@@ -1,177 +0,0 @@
-# custom config before server block
-include /pre-server-confs/*.conf;
-{% if MULTISITE == "yes" %}
-include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
-{% endif %}
-
-server {
-
- # FastCGI variables
-{% if REMOTE_PHP != "" %}
- include {{ NGINX_PREFIX }}fastcgi.conf;
-{% endif %}
-
- # custom config
- include /server-confs/*.conf;
-{% if MULTISITE == "yes" %}
- include /server-confs/{{ FIRST_SERVER }}/*.conf;
-{% endif %}
-
- # proxy real IP
-{% if PROXY_REAL_IP == "yes" %}
- include {{ NGINX_PREFIX }}proxy-real-ip.conf;
-{% endif %}
-
- # include LUA files
- include {{ NGINX_PREFIX }}main-lua.conf;
- include {{ NGINX_PREFIX }}log-lua.conf;
-
- # ModSecurity
-{% if USE_MODSECURITY == "yes" %}
- include {{ NGINX_PREFIX }}modsecurity.conf;
-{% endif %}
-
- # HTTP listen
-{% if LISTEN_HTTP == "yes" %}
- listen 0.0.0.0:{{ HTTP_PORT }};
-{% endif %}
-
- # HTTPS listen + config
-{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
- include {{ NGINX_PREFIX }}https.conf;
-{% endif %}
-
- # HTTP to HTTPS
-{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
- include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
-{% endif %}
-
- # server name (vhost)
- server_name {{ SERVER_NAME }};
-
- # disable default server
-{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
- include {{ NGINX_PREFIX }}disable-default-server.conf;
-{% endif %}
-
- # serve local files
-{% if SERVE_FILES == "yes" %}
- include {{ NGINX_PREFIX}}serve-files.conf;
-{% endif %}
-
- # allowed HTTP methods
- if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
- return 405;
- }
-
- # requests limiting
-{% if USE_LIMIT_REQ == "yes" %}
- include {{ NGINX_PREFIX }}limit-req.conf;
-{% endif %}
-
- # connections limiting
-{% if USE_LIMIT_CONN == "yes" %}
- include {{ NGINX_PREFIX }}limit-conn.conf;
-{% endif %}
-
- # auth basic
-{% if USE_AUTH_BASIC == "yes" %}
- {% if AUTH_BASIC_LOCATION == "sitewide" %}
- include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
- {% else %}
- include {{ NGINX_PREFIX }}auth-basic.conf;
- {% endif %}
-{% endif %}
-
- # remove headers
-{% if REMOVE_HEADERS != "" %}
- {% for header in REMOVE_HEADERS.split(" ") %}
- more_clear_headers '{{ header }}';
- {% endfor %}
-{% endif %}
-
- # X-Frame-Option header
-{% if X_FRAME_OPTIONS != "" %}
- include {{ NGINX_PREFIX }}x-frame-options.conf;
-{% endif %}
-
- # X-XSS-Protection header
-{% if X_XSS_PROTECTION != "" %}
- include {{ NGINX_PREFIX }}x-xss-protection.conf;
-{% endif %}
-
- # X-Content-Type header
-{% if X_CONTENT_TYPE != "" %}
- include {{ NGINX_PREFIX }}x-content-type.conf;
-{% endif %}
-
- # Content-Security-Policy header
-{% if CONTENT_SECURITY_POLICY != "" %}
- include {{ NGINX_PREFIX }}content-security-policy.conf;
-{% endif %}
-
- # Referrer-Policy header
-{% if REFERRER_POLICY != "" %}
- include {{ NGINX_PREFIX }}referrer-policy.conf;
-{% endif %}
-
- # Feature-Policy header
-{% if FEATURE_POLICY != "" %}
- include {{ NGINX_PREFIX }}feature-policy.conf;
-{% endif %}
-
- # Permissions-Policy header
-{% if PERMISSIONS_POLICY != "" %}
- include {{ NGINX_PREFIX }}permissions-policy.conf;
-{% endif %}
-
- # cookie flags
-{% if COOKIE_FLAGS != "" %}
- include {{ NGINX_PREFIX }}cookie-flags.conf;
-{% endif %}
-
- # custom errors
- include {{ NGINX_PREFIX }}error.conf;
-
- # client caching
-{% if USE_CLIENT_CACHE == "yes" %}
- include {{ NGINX_PREFIX }}client-cache.conf;
-{% endif %}
-
- # gzip compression
-{% if USE_GZIP == "yes" %}
- include {{ NGINX_PREFIX }}gzip.conf;
-{% endif %}
-
- # brotli compression
-{% if USE_GZIP == "yes" %}
- include {{ NGINX_PREFIX }}gzip.conf;
-{% endif %}
-
- # maximum body size
- client_max_body_size {{ MAX_CLIENT_SIZE }};
-
- # enable/disable showing version
- server_tokens {{ SERVER_TOKENS }};
-
- # open file caching
-{% if USE_OPEN_FILE_CACHE == "yes" %}
- include {{ NGINX_PREFIX }}open-file-cache.conf;
-{% endif %}
-
- # proxy caching
-{% if USE_PROXY_CACHE == "yes" %}
- include {{ NGINX_PREFIX }}proxy-cache.conf;
-{% endif %}
-
- # reverse proxy
-{% if USE_REVERSE_PROXY == "yes" %}
- include {{ NGINX_PREFIX }}reverse-proxy.conf;
-{% endif %}
-
- # remote PHP
-{% if REMOTE_PHP != "" %}
- include {{ NGINX_PREFIX }}php.conf;
-{% endif %}
-
-}
diff --git a/confs2/site/x-content-type-options.conf b/confs2/site/x-content-type-options.conf
deleted file mode 100644
index 9a6e6f3..0000000
--- a/confs2/site/x-content-type-options.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
diff --git a/confs2/site/x-frame-options.conf b/confs2/site/x-frame-options.conf
deleted file mode 100644
index fb928d1..0000000
--- a/confs2/site/x-frame-options.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
diff --git a/confs2/site/x-xss-protection.conf b/confs2/site/x-xss-protection.conf
deleted file mode 100644
index b48d0f3..0000000
--- a/confs2/site/x-xss-protection.conf
+++ /dev/null
@@ -1 +0,0 @@
-more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
diff --git a/dependencies.sh b/dependencies.sh
index 965901b..58b56f7 100644
--- a/dependencies.sh
+++ b/dependencies.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
 # install dependencies
-apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils
+apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
+pip3 install jinja2
diff --git a/entrypoint/certbot.sh b/entrypoint/certbot.sh
new file mode 100644
index 0000000..c6778cf
--- /dev/null
+++ b/entrypoint/certbot.sh
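Review bot: The new `pip3 install jinja2` line in dependencies.sh installs whatever version PyPI serves at build time, so two builds of the same Dockerfile can ship different template engines and a broken or tampered release would be picked up without anyone changing the repo. Pin it, e.g. `pip3 install jinja2==<PINNED_VERSION>` (placeholder), or use the distribution package if the Alpine release in the base image ships one so the version is tracked with the rest of the `apk add` set. A short comment naming why pip is needed here (`# jinja2 is used by /opt/gen/main.py to render the nginx templates`) would also help the next reader, since nothing else in this file uses Python.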
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
+ first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1)
+ domains_lets_encrypt=$(echo "$SERVER_NAME" | sed "s/ /,/g")
+ EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}"
+ if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then
+ echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..."
+ /opt/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
+ fi
+elif [ "$MULTISITE" = "yes" ] ; then
+ servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
+ for server in $servers ; do
+ lets_encrypt=$(grep "^AUTO_LETS_ENCRYPT=yes$" /etc/nginx/${server}/site.env)
+ if [ "$lets_encrypt" != "" ] && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
+ server_name=$(grep "^SERVER_NAME=.*$" /etc/nginx/${server}/site.env | sed "s/SERVER_NAME=//" | sed "s/ /,/g")
+ echo "[*] Performing Let's Encrypt challenge for $server_name ..."
+ EMAIL_LETS_ENCRYPT=$(grep "^EMAIL_LETS_ENCRYPT=.*$" /etc/nginx/${server}/site.env | sed "s/EMAIL_LETS_ENCRYPT=//")
+ if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
+ EMAIL_LETS_ENCRYPT="contact@${server}"
+ fi
+ /opt/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
+ fi
+ done
+fi
diff --git a/entrypoint/clamav.sh b/entrypoint/clamav.sh
index eb41a79..df3222f 100644
--- a/entrypoint/clamav.sh
+++ b/entrypoint/clamav.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-# load default values
-. /opt/entrypoint/defaults.sh
-
 # load some functions
 . /opt/entrypoint/utils.sh
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
deleted file mode 100644
index 8ca5e19..0000000
--- a/entrypoint/defaults.sh
+++ /dev/null
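Review bot: The multisite branch of certbot.sh issues `/opt/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"`, but `$domains` is never assigned in this script (the comma-joined list is stored in `server_name` a few lines earlier) and the second argument is the literal string `EMAIL_LETS_ENCRYPT` rather than the variable, so every multisite certificate request goes out with an empty domain list and a bogus contact address. It should read `/opt/scripts/certbot-new.sh "$server_name" "$EMAIL_LETS_ENCRYPT"`. Separately, `servers` is built from `cut -d '/' -f 4` on the find output and the deleted multisite-config.sh skipped a top-level match with `if [ "$server" = "server.conf" ] ; then continue`; the new loop has no equivalent guard, so if a `/etc/nginx/site.env` can exist the loop would look for `/etc/nginx/site.env/site.env`, which seems worth a check or a comment stating that it cannot.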
@@ -1,133 +0,0 @@
-#!/bin/bash
-
-MULTISITE="${MULTISITE-no}"
-LOG_FORMAT="${LOG_FORMAT-\$host \$remote_addr - \$remote_user [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
-LOG_LEVEL="${LOG_LEVEL-info}"
-HTTP_PORT="${HTTP_PORT-8080}"
-HTTPS_PORT="${HTTPS_PORT-8443}"
-MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
-SERVER_TOKENS="${SERVER_TOKENS-off}"
-WORKER_CONNECTIONS="${WORKER_CONNECTIONS-1024}"
-WORKER_RLIMIT_NOFILE="${WORKER_RLIMIT_NOFILE-2048}"
-USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
-CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
-CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
-CLIENT_CACHE_ETAG="${CLIENT_CACHE_ETAG-on}"
-USE_OPEN_FILE_CACHE="${USE_OPEN_FILE_CACHE-no}"
-OPEN_FILE_CACHE="${OPEN_FILE_CACHE-max=1000 inactive=20s}"
-OPEN_FILE_CACHE_ERRORS="${OPEN_FILE_CACHE_ERRORS-on}"
-OPEN_FILE_CACHE_MIN_USES="${OPEN_FILE_CACHE_MIN_USES-2}"
-OPEN_FILE_CACHE_VALID="${OPEN_FILE_CACHE_VALID-30s}"
-USE_PROXY_CACHE="${USE_PROXY_CACHE-no}"
-PROXY_CACHE_PATH_ZONE_SIZE="${PROXY_CACHE_PATH_ZONE_SIZE-10m}"
-PROXY_CACHE_PATH_PARAMS="${PROXY_CACHE_PATH_PARAMS-max_size=100m}"
-PROXY_CACHE_METHODS="${PROXY_CACHE_METHODS-GET HEAD}"
-PROXY_CACHE_MIN_USES="${PROXY_CACHE_MIN_USES-2}"
-PROXY_CACHE_KEY="${PROXY_CACHE_KEY-\$scheme\$host\$request_uri}"
-PROXY_CACHE_VALID="${PROXY_CACHE_VALID-200=10m 301=10m 302=1h}"
-PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_authorization}"
-PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_authorization}"
-USE_GZIP="${USE_GZIP-no}"
-GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-5}"
-GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-1000}"
-GZIP_TYPES="${GZIP_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
-USE_BROTLI="${USE_BROTLI-no}"
-BROTLI_COMP_LEVEL="${BROTLI_COMP_LEVEL-6}"
-BROTLI_MIN_LENGTH="${BROTLI_MIN_LENGTH-1000}"
-BROTLI_TYPES="${BROTLI_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
-REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
-USE_REVERSE_PROXY="${USE_REVERSE_PROXY-no}"
-REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version}"
-X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
-X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
-X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
-REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
-PERMISSIONS_POLICY="${PERMISSIONS_POLICY-accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()}"
-FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
-DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
-SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
-ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
-BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
-WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
-BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-30 0 * * *}"
-BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
-BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-45 0 * * *}"
-BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
-BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-0 */1 * * *}"
-BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
-BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-0 3 * * *}"
-BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
-BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-0 2 * * *}"
-AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
-AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-15 0 * * *}"
-HTTP2="${HTTP2-yes}"
-HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
-STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
-USE_MODSECURITY="${USE_MODSECURITY-yes}"
-USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
-MODSECURITY_SEC_AUDIT_ENGINE="${MODSECURITY_SEC_AUDIT_ENGINE-RelevantOnly}"
-CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';}"
-COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
-COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
-SERVE_FILES="${SERVE_FILES-yes}"
-REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
-LISTEN_HTTP="${LISTEN_HTTP-yes}"
-USE_BAD_BEHAVIOR="${USE_BAD_BEHAVIOR-yes}"
-BAD_BEHAVIOR_STATUS_CODES="${BAD_BEHAVIOR_STATUS_CODES-400 401 403 404 405 429 444}"
-BAD_BEHAVIOR_THRESHOLD="${BAD_BEHAVIOR_THRESHOLD-10}"
-BAD_BEHAVIOR_BAN_TIME="${BAD_BEHAVIOR_BAN_TIME-86400}"
-BAD_BEHAVIOR_COUNT_TIME="${BAD_BEHAVIOR_COUNT_TIME-60}"
-USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
-USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
-USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-30 1 * * *}"
-CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 1 * * *}"
-CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
-USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
-AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
-AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
-AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
-AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
-USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
-ROOT_FOLDER="${ROOT_FOLDER-/www}"
-ROOT_SITE_SUBFOLDER="${ROOT_SITE_SUBFOLDER-}"
-DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
-USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
-WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
-USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
-WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
-USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
-BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
-USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
-BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
-USE_DNSBL="${USE_DNSBL-yes}"
-DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
-USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
-LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
-LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
-LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
-USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
-LIMIT_CONN_MAX="${LIMIT_CONN_MAX-50}"
-LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
-PROXY_REAL_IP="${PROXY_REAL_IP-no}"
-PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
-PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
-PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
-GEOIP_CRON="${GEOIP_CRON-0 4 2 * *}"
-GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
-SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
-SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
-SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
-SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
-SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
-SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
-SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
-ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
-USE_ANTIBOT="${USE_ANTIBOT-no}"
-ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
-ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
-USE_CROWDSEC="${USE_CROWDSEC-no}"
-USE_API="${USE_API-no}"
-API_URI="${API_URI-random}"
-API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
-SWARM_MODE="${SWARM_MODE-no}"
-
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 7fe9a78..7e07ed8 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-# load default values
-. ./opt/entrypoint/defaults.sh
-
 echo "[*] Starting bunkerized-nginx ..."
 # trap SIGTERM and SIGINT
@@ -19,7 +16,7 @@ trap "trap_exit" TERM INT QUIT
 function trap_reload() {
 echo "[*] Catched reload operation"
 if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
- /opt/entrypoint/multisite-config.sh
+ /opt/entrypoint/certbot.sh
 fi
 if [ -f /tmp/nginx.pid ] ; then
 echo "[*] Reloading nginx ..."
@@ -41,7 +38,7 @@ if [ ! -f "/opt/installed" ] ; then
 echo "[*] Configuring bunkerized-nginx ..."
 # check permissions
- if [ "$SWARM_MODE" = "no" ] ; then
+ if [ "$SWARM_MODE" != "yes" ] ; then
 /opt/entrypoint/permissions.sh
 else
 /opt/entrypoint/permissions-swarm.sh
@@ -57,23 +54,18 @@ if [ ! -f "/opt/installed" ] ; then
 /opt/entrypoint/nginx-temp.sh
 # only do config if we are not in swarm mode
- if [ "$SWARM_MODE" = "no" ] ; then
- # global config
- /opt/entrypoint/global-config.sh
+ if [ "$SWARM_MODE" != "yes" ] ; then
+ # export the variables
+ env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
+
+ # call the generator
+ /opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
+
 # background jobs
 /opt/entrypoint/jobs.sh
- # multisite configs
- if [ "$MULTISITE" = "yes" ] ; then
- for server in $SERVER_NAME ; do
- /opt/entrypoint/site-config.sh "$server"
- echo "[*] Multi site - $server configuration done"
- done
- /opt/entrypoint/multisite-config.sh
- # singlesite config
- else
- /opt/entrypoint/site-config.sh
- echo "[*] Single site - $SERVER_NAME configuration done"
- fi
+
+ # certbot
+ /opt/entrypoint/certbot.sh
 fi
 touch /opt/installed
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
deleted file mode 100644
index 89a1b90..0000000
--- a/entrypoint/global-config.sh
+++ /dev/null
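Review bot: The exit status of `/opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env` is ignored, so a failed or partial render still falls through to `touch /opt/installed` and the container is then treated as configured on every later start; guard it with `|| { echo "[!] Config generation failed" ; exit 1 ; }` so the failure is visible and not persisted. The `env | grep -E -v ... > "/tmp/variables.env"` line just above also writes every remaining environment variable to a file under /tmp with the default umask, and the variables this image accepts include credentials (the deleted defaults.sh and global-config.sh name AUTH_BASIC_PASSWORD, ANTIBOT_SESSION_SECRET and CROWDSEC_KEY); creating the file with a restrictive mode (for example a `umask 077` before the redirect) and removing it once the generator has returned would keep those values out of a shared, world-readable path. A variable whose value contains a newline will also produce lines that presumably do not parse as KEY=VALUE on the generator side, which is worth a comment if that format is assumed. The enclosing `if [ ! -f "/opt/installed" ]` block starts before this hunk.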
@@ -1,257 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# copy stub confs
-cp /opt/confs/global/* /etc/nginx/
-
-# include server block(s)
-if [ "$SWARM_MODE" = "no" ] ; then
- if [ "$MULTISITE" = "yes" ] ; then
- includes=""
- for server in $SERVER_NAME ; do
- includes="${includes}include /etc/nginx/${server}/server.conf;\n"
- done
- replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
- else
- replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
- fi
-else
- replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
-fi
-
-# setup default server block if multisite
-if [ "$MULTISITE" = "yes" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;"
- if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
- else
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" ""
- fi
- if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;"
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
- if [ "$(has_value HTTP2 yes)" != "" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2"
- else
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" ""
- fi
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
- if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
- else
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" ""
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
- fi
- openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
- if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
- else
- replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
- fi
- else
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" ""
- fi
- if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
- else
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
- fi
-else
- replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" ""
-fi
-
-# logging
-replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT"
-replace_in_file "/etc/nginx/nginx.conf" "%LOG_LEVEL%" "$LOG_LEVEL"
-
-# proxy_cache zone
-if [ "$(has_value USE_PROXY_CACHE yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" "proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:${PROXY_CACHE_PATH_ZONE_SIZE} ${PROXY_CACHE_PATH_PARAMS};"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" ""
-fi
-
-# let's encrypt setup
-if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
- if [ "$MULTISITE" = "no" ] ; then
- FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
- DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
- EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
- if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
- echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..."
- /opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
- fi
- fi
- echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
-fi
-
-# self-signed certificate
-if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
- mkdir /etc/nginx/self-signed-ssl/
- openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-fi
-
-# country ban/whitelist
-if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;"
- if [ "$WHITELIST_COUNTRY" != "" ] ; then
- replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no"
- replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;"
- else
- replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
- replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
- fi
- echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
-else
- replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
-fi
-
-# block bad UA
-if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
- echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENTS%" "lua_shared_dict user_agents_data 1m; lua_shared_dict user_agents_cache 10m;"
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_USER_AGENTS%" "true"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENTS%" ""
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_USER_AGENTS%" "false"
-fi
-
-# block bad refferer
-if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
- echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRERS%" "lua_shared_dict referrers_data 1m; lua_shared_dict referrers_cache 10m;"
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_REFERRERS%" "true"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRERS%" ""
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_REFERRERS%" "false"
-fi
-
-# block TOR exit nodes
-if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
- echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_TOR_EXIT_NODES%" "lua_shared_dict tor_exit_nodes_data 1m;"
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_TOR_EXIT_NODES%" "true"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_TOR_EXIT_NODES%" ""
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_TOR_EXIT_NODES%" "false"
-fi
-
-# block proxies
-if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
- echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_PROXIES%" "lua_shared_dict proxies_data 250m;"
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_PROXIES%" "true"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_PROXIES%" ""
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_PROXIES%" "false"
-fi
-
-# block abusers
-if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
- echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_ABUSERS%" "lua_shared_dict abusers_data 50m;"
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_ABUSERS%" "true"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_ABUSERS%" ""
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_ABUSERS%" "false"
-fi
-
-# DNS resolvers
-replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
-
-# whitelist IP
-if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
-fi
-
-# whitelist rDNS
-if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
-fi
-
-# blacklist IP
-if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
-fi
-
-# blacklist rDNS
-if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
-fi
-
-# request limiting
-if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
-fi
-
-# connection limiting
-if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
-fi
-
-# DNSBL
-if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
-fi
-
-# disable default site
-if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
-else
- replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
-fi
-
-# bad behavior
-if [ "$(has_value USE_BAD_BEHAVIOR yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%BAD_BEHAVIOR%" "lua_shared_dict behavior_ban 10m;\nlua_shared_dict behavior_count 10m;"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%BAD_BEHAVIOR%" ""
-fi
-
-# CrowdSec setup
-if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "true"
- cp /opt/crowdsec/crowdsec.conf /etc/nginx
- replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
- replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
-else
- replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "false"
-fi
-
-# API
-if [ "$USE_API" = "yes" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "include /etc/nginx/api.conf;"
- if [ "$API_URI" = "random" ] ; then
- API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
- echo "[*] Generated API URI : $API_URI"
- fi
- replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
- list=$(spaces_to_lua "$API_WHITELIST_IP")
- replace_in_file "/etc/nginx/api.conf" "%API_WHITELIST_IP%" "$list"
-else
- replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
-fi
-
-# performance tuning
-replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
-replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"
diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh
index 576f945..30eb7f8 100644
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-# load default values
-. ./opt/entrypoint/defaults.sh
-
 # load some functions
 . /opt/entrypoint/utils.sh
diff --git a/entrypoint/multisite-config.sh b/entrypoint/multisite-config.sh
deleted file mode 100644
index 1b679aa..0000000
--- a/entrypoint/multisite-config.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-if [ "$MULTISITE" = "yes" ] ; then
- servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
- for server in $servers ; do
- if [ "$server" = "server.conf" ] ; then
- continue
- fi
- SERVER_PREFIX="/etc/nginx/${server}/"
- if grep "/etc/letsencrypt/live" ${SERVER_PREFIX}https.conf > /dev/null && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
- domains=$(cat ${SERVER_PREFIX}server.conf | sed -nE 's/^.*server_name (.*);$/\1/p' | sed "s/ /,/g")
- /opt/scripts/certbot-new.sh "$domains" "$(cat ${SERVER_PREFIX}email-lets-encrypt.txt)"
- fi
- if grep "modsecurity.conf" ${SERVER_PREFIX}server.conf > /dev/null ; then
- modsec_custom=""
- if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
- modsec_custom="include /modsec-confs/*.conf\n"
- fi
- if ls /modsec-confs/${server}/*.conf > /dev/null 2>&1 ; then
- modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
- fi
- replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
- if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
- modsec_crs_custom=""
- if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
- modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
- fi
- if ls /modsec-crs-confs/${server}/*.conf > /dev/null 2>&1 ; then
- modsec_crs_custom="${modsec_crs_custom}include /modsec-crs-confs/${server}/*.conf\n"
- fi
- fi
- replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
- fi
- done
-fi
diff --git a/entrypoint/nginx-temp.sh b/entrypoint/nginx-temp.sh
index c254481..dae7594 100644
--- a/entrypoint/nginx-temp.sh
+++ b/entrypoint/nginx-temp.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-# load default values
-. /opt/entrypoint/defaults.sh
-
 # load some functions
 . /opt/entrypoint/utils.sh
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
deleted file mode 100644
index 09953a0..0000000
--- a/entrypoint/site-config.sh
+++ /dev/null
@@ -1,621 +0,0 @@ -#!/bin/bash - -# load default values -. /opt/entrypoint/defaults.sh - -# load some functions -. /opt/entrypoint/utils.sh - -# get nginx path and override multisite variables -NGINX_PREFIX="/etc/nginx/" -if [ "$MULTISITE" = "yes" ] ; then - first_server=$(echo "$1" | cut -d ' ' -f 1) - NGINX_PREFIX="${NGINX_PREFIX}${first_server}/" - if [ ! -d "$NGINX_PREFIX" ] ; then - mkdir "$NGINX_PREFIX" - fi - ROOT_FOLDER="${ROOT_FOLDER}/$first_server" - for var in $(env | cut -d '=' -f 1 | grep -E "^${first_server}_") ; do - repl_name=$(echo "$var" | sed "s~${first_server}_~~") - repl_value=$(env | grep -E "^${var}=" | sed "s~^${var}=~~") - read -r "$repl_name" <<< $repl_value - done -fi - -if [ "$ROOT_SITE_SUBFOLDER" != "" ] ; then - ROOT_FOLDER="${ROOT_FOLDER}/${ROOT_SITE_SUBFOLDER}" -fi - -set | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "${NGINX_PREFIX}nginx.env" -if [ "$MULTISITE" = "yes" ] ; then - for server in $SERVER_NAME ; do - sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env" - done - sed -i "s~^SERVER_NAME=.*~SERVER_NAME=${1}~" "${NGINX_PREFIX}nginx.env" -fi - -# copy stub confs -cp /opt/confs/site/* "$NGINX_PREFIX" - -# replace paths -replace_in_file "${NGINX_PREFIX}server.conf" "%INCLUDE_LUA%" "include ${NGINX_PREFIX}main-lua.conf;\ninclude ${NGINX_PREFIX}log-lua.conf;" -if [ "$MULTISITE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${first_server}/*.conf;" - replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;\ninclude /pre-server-confs/${first_server}/*.conf;" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;" - replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;" -fi - -# max body size -replace_in_file "${NGINX_PREFIX}server.conf" "%MAX_CLIENT_SIZE%" 
"$MAX_CLIENT_SIZE" - -# server tokens -replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS" - -# reverse proxy -if [ "$USE_REVERSE_PROXY" = "yes" ] ; then - i=1 - for var in $(set | cut -d '=' -f 1 | grep "^REVERSE_PROXY_URL") ; do - url=$(echo "$var") - url_value=$(echo "${!var}") - host=$(echo "$var" | sed "s/URL/HOST/") - host_value=$(echo "${!host}") - custom_headers=$(echo "$var" | sed "s/URL/HEADERS/") - custom_headers_value=$(echo "${!custom_headers}") - ws=$(echo "$var" | sed "s/URL/WS/") - ws_value=$(echo "${!ws}") - cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf" - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value" - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value" - if [ "$custom_headers_value" != "" ] ; then - IFS_=$IFS - IFS=';' - for header_value in $(echo $custom_headers_value) ; do - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "proxy_set_header $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%" - done - IFS=$IFS_ - fi - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "" - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;" - if [ "$ws_value" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n" - else - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "" - fi - i=$(($i + 1)) - done - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "" -fi - -# proxy caching -if [ "$USE_PROXY_CACHE" = "yes" ] ; then - replace_in_file 
"${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" "include ${NGINX_PREFIX}proxy-cache.conf;" - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_METHODS%" "$PROXY_CACHE_METHODS" - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_MIN_USES%" "$PROXY_CACHE_MIN_USES" - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_KEY%" "$PROXY_CACHE_KEY" - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_NO_CACHE%" "$PROXY_NO_CACHE" - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_BYPASS%" "$PROXY_CACHE_BYPASS" - valids="" - for valid in $PROXY_CACHE_VALID ; do - code="$(echo $valid | cut -d '=' -f 1)" - timing="$(echo $valid | cut -d '=' -f 2)" - valids="${valids}\nproxy_cache_valid ${code} ${timing};" - done - replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_VALID%" "$valids" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" "" -fi - -# file metadata caching -if [ "$USE_OPEN_FILE_CACHE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" "include ${NGINX_PREFIX}open-file-cache.conf;" - replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE%" "$OPEN_FILE_CACHE" - replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_ERRORS%" "$OPEN_FILE_CACHE_ERRORS" - replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_MIN_USES%" "$OPEN_FILE_CACHE_MIN_USES" - replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_VALID%" "$OPEN_FILE_CACHE_VALID" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" "" -fi - -# client caching -if [ "$USE_CLIENT_CACHE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" "include ${NGINX_PREFIX}client-cache.conf;" - replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_EXTENSIONS%" "$CLIENT_CACHE_EXTENSIONS" - replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_ETAG%" 
"$CLIENT_CACHE_ETAG" - replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_CONTROL%" "$CLIENT_CACHE_CONTROL" - -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" "" -fi - -# gzip compression -if [ "$USE_GZIP" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" "include ${NGINX_PREFIX}gzip.conf;" - replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL" - replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH" - replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" "" -fi - -# brotli compression -if [ "$USE_BROTLI" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" "include ${NGINX_PREFIX}brotli.conf;" - replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_COMP_LEVEL%" "$BROTLI_COMP_LEVEL" - replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_MIN_LENGTH%" "$BROTLI_MIN_LENGTH" - replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_TYPES%" "$BROTLI_TYPES" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" "" -fi - -# remote PHP -if [ "$REMOTE_PHP" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;" - replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;" - replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP" - replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "" - replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "" -fi - -# serve files -if [ "$SERVE_FILES" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "include ${NGINX_PREFIX}serve-files.conf;" - replace_in_file "${NGINX_PREFIX}serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" -else - replace_in_file 
"${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "" -fi - -# remove headers -if [ "$REMOVE_HEADERS" != "" ] ; then - remove="" - for header in $REMOVE_HEADERS ; do - remove="${remove}more_clear_headers '$header';\n" - done - replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" "$remove" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" "" -fi - -# X-Frame-Options header -if [ "$X_FRAME_OPTIONS" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "include ${NGINX_PREFIX}x-frame-options.conf;" - replace_in_file "${NGINX_PREFIX}x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "" -fi - -# X-XSS-Protection header -if [ "$X_XSS_PROTECTION" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "include ${NGINX_PREFIX}x-xss-protection.conf;" - replace_in_file "${NGINX_PREFIX}x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "" -fi - -# X-Content-Type-Options header -if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include ${NGINX_PREFIX}x-content-type-options.conf;" - replace_in_file "${NGINX_PREFIX}x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "" -fi - -# Referrer-Policy header -if [ "$REFERRER_POLICY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "include ${NGINX_PREFIX}referrer-policy.conf;" - replace_in_file "${NGINX_PREFIX}referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "" -fi - -# Feature-Policy header -if [ "$FEATURE_POLICY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" 
"include ${NGINX_PREFIX}feature-policy.conf;" - replace_in_file "${NGINX_PREFIX}feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "" -fi - -# Permissions-Policy header -if [ "$PERMISSIONS_POLICY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" "include ${NGINX_PREFIX}permissions-policy.conf;" - replace_in_file "${NGINX_PREFIX}permissions-policy.conf" "%PERMISSIONS_POLICY%" "$PERMISSIONS_POLICY" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" "" -fi - -# Content-Security-Policy header -if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;" - replace_in_file "${NGINX_PREFIX}content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "" -fi - -# cookie flags -if [ "$COOKIE_FLAGS" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "include ${NGINX_PREFIX}cookie-flags.conf;" - if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then - if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - COOKIE_FLAGS="${COOKIE_FLAGS} Secure" - fi - fi - replace_in_file "${NGINX_PREFIX}cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "" -fi - -# disable default server -if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" != "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;" - SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g") - replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE" -else - replace_in_file 
"${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "" -fi - -# set the server host name -if [ "$MULTISITE" == "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$1" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$SERVER_NAME" -fi - -# allowed HTTP methods -replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" - -# country ban -if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "false" -fi - -# block bad UA -if [ "$BLOCK_USER_AGENT" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENTS%" "true" - if [ "$WHITELIST_USER_AGENT" != "" ] ; then - list=$(spaces_to_lua "$WHITELIST_USER_AGENT") - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list" - else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "" - fi -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENTS%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "" -fi - -# whitelist URI -if [ "$WHITELIST_URI" != "" ] ; then - list=$(spaces_to_lua "$WHITELIST_URI") - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "$list" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "" -fi - -# block bad referrer -if [ "$BLOCK_REFERRER" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRERS%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "false" -fi - -# block TOR exit nodes -if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_TOR_EXIT_NODES%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_TOR_EXIT_NODES%" "false" -fi - -# block proxies -if [ "$BLOCK_PROXIES" = "yes" ] ; then - 
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_PROXIES%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_PROXIES%" "false" -fi - -# block abusers -if [ "$BLOCK_ABUSERS" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ABUSERS%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ABUSERS%" "false" -fi - -# HTTPS config -if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "include ${NGINX_PREFIX}https.conf;" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PORT%" "$HTTPS_PORT" - if [ "$HTTP2" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "http2" - else - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "" - fi - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS" - if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then - replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;" - replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;" - else - replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "" - replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "" - fi - if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';" - else - replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "" - fi - if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true" - if [ "$MULTISITE" = "no" ] ; then - 
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) - else - FIRST_SERVER_NAME="$first_server" - EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}" - echo -n "$EMAIL_LETS_ENCRYPT" > ${NGINX_PREFIX}email-lets-encrypt.txt - fi - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem" - replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;" - elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY" - replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "" - elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" - replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem" - replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "" - fi -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false" - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "" -fi - -# listen on HTTP_PORT -if [ "$LISTEN_HTTP" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "" -fi - -# HTTP to HTTPS redirect -if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include ${NGINX_PREFIX}redirect-http-to-https.conf;" -else - replace_in_file 
"${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "" -fi - -# ModSecurity config -if [ "$USE_MODSECURITY" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf" - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;" - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE" - if [ "$MULTISITE" != "yes" ] ; then - modsec_custom="" - if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then - modsec_custom="include /modsec-confs/*.conf\n" - fi - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom" - fi - if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf" - if [ "$MULTISITE" != "yes" ] ; then - modsec_crs_custom="" - if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then - modsec_crs_custom="include /modsec-crs-confs/*.conf\n" - fi - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom" - fi - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf" - else - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "" - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "" - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "" - fi -else - replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "" -fi - -# real IP behind reverse proxy -if [ "$PROXY_REAL_IP" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "include ${NGINX_PREFIX}proxy-real-ip.conf;" - froms="" - for from in $PROXY_REAL_IP_FROM ; do - froms="${froms}set_real_ip_from ${from};\n" - 
done - replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms" - replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER" - replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "" -fi - -# custom errors -ERRORS="" -for var in $(compgen -e) ; do - var_name=$(echo "$var" | cut -d '_' -f 1) - if [ "z${var_name}" = "zERROR" ] ; then - err_code=$(echo "$var" | cut -d '_' -f 2) - err_page=$(echo "${!var}") - cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf - replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code" - replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page" - replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER" - ERRORS="${ERRORS}include ${NGINX_PREFIX}error-${err_code}.conf;\n" - fi -done -replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS" - -# auth basic -if [ "$USE_AUTH_BASIC" = "yes" ] ; then - if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;" - replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT" - replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%NGINX_PREFIX%" "$NGINX_PREFIX" - else - replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;" - replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION" - replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT" - replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%NGINX_PREFIX%" "$NGINX_PREFIX" - fi - htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD" -else - replace_in_file 
"${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "" -fi - -# whitelist IP -if [ "$USE_WHITELIST_IP" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false" -fi -list=$(spaces_to_lua "$WHITELIST_IP_LIST") -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_IP_LIST%" "$list" - -# whitelist rDNS -if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false" -fi -list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_REVERSE_LIST%" "$list" - -# blacklist IP -if [ "$USE_BLACKLIST_IP" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false" -fi -list=$(spaces_to_lua "$BLACKLIST_IP_LIST") -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_IP_LIST%" "$list" - -# blacklist rDNS -if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false" -fi -list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_REVERSE_LIST%" "$list" - -# DNSBL -if [ "$USE_DNSBL" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false" -fi -list=$(spaces_to_lua "$DNSBL_LIST") -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNSBL_LIST%" "$list" - -# antibot uri and session secret -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then - 
ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) -fi -replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET" - -# antibot via cookie -if [ "$USE_ANTIBOT" = "cookie" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" -# antibot via javascript -elif [ "$USE_ANTIBOT" = "javascript" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include ${NGINX_PREFIX}antibot-javascript.conf;" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" - replace_in_file "${NGINX_PREFIX}antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -# antibot via captcha -elif [ "$USE_ANTIBOT" = "captcha" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - 
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include ${NGINX_PREFIX}antibot-captcha.conf;" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" - replace_in_file "${NGINX_PREFIX}antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" -# antibot via recaptcha -elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include ${NGINX_PREFIX}antibot-recaptcha.conf;" - replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" - replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY" - replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET" - replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "" - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "" - 
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "" -fi - -# bad behavior -if [ "$USE_BAD_BEHAVIOR" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BAD_BEHAVIOR%" "true" - replace_in_file "${NGINX_PREFIX}log-lua.conf" "%USE_BAD_BEHAVIOR%" "true" -else - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BAD_BEHAVIOR%" "false" - replace_in_file "${NGINX_PREFIX}log-lua.conf" "%USE_BAD_BEHAVIOR%" "false" -fi -list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES") -replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_STATUS_CODES%" "$list" -replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD" -replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME" -replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME" - -# request limiting -if [ "$USE_LIMIT_REQ" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "include ${NGINX_PREFIX}limit-req.conf;" - replace_in_file "${NGINX_PREFIX}limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "" -fi - -# connection limiting -if [ "$USE_LIMIT_CONN" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;" - replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX" -else - replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "" -fi - -# clamav scan uploaded files -if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include ${NGINX_PREFIX}modsecurity-clamav.conf" -else - replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "" -fi - -# CrowdSec -if [ "$USE_CROWDSEC" = "yes" ] ; then - replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "true" -else - 
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
-fi
-
-# DNS resolvers
-resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
-replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNS_RESOLVERS%" "$resolvers"
diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh
index be83ccc..56d53b4 100644
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@@ -24,18 +24,20 @@ function spaces_to_lua() {
 # check if at least one env var (global or multisite) has a specific value
 function has_value() {
- if [ "${!1}" == "$2" ] ; then
- echo "ok"
- return 0
- fi
- for var in $(env | grep -E "^.*_${1}=") ; do
- domain=$(echo "$var" | cut -d '_' -f 1)
- value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
- if [ "$value" == "$2" ] ; then
+ if [ -f "/etc/nginx/site.env" ] ; then
+ if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ] ; then
 echo "ok"
 return 0
 fi
- done
+ else
+ servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
+ for server in $servers ; do
+ if [ $(grep "^${1}=${2}$" /etc/nginx/$server/site.env) != "" ] ; then
+ echo "ok"
+ return 0
+ fi
+ done
+ fi
 }
 # log to jobs.log
diff --git a/prepare.sh b/prepare.sh
index f3e960c..748d79e 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -10,7 +10,9 @@ chown -R root:nginx /opt
 find /opt -type f -exec chmod 0740 {} \;
 find /opt -type d -exec chmod 0750 {} \;
 chmod ugo+x /opt/entrypoint/* /opt/scripts/*
+chmod ugo+x /opt/gen/main.py
 chmod 770 /opt
+chmod 440 /opt/settings.json
 # prepare /etc/nginx
 chown -R root:nginx /etc/nginx
diff --git a/settings.json b/settings.json
index 31d3a77..ed8d843 100644
--- a/settings.json
+++ b/settings.json
@@ -895,6 +895,15 @@
 "label": "Use modsecurity crs",
 "regex": "^(yes|no)$",
 "type": "checkbox"
+ },
+ {
+ "context": "multisite",
+ "default": "RelevantOnly",
+ "env": "MODSECURITY_SEC_AUDIT_ENGINE",
+ "id": "modsecurity-sec-audit-engine",
+ "label": "SecAuditEngine directive",
+ "regex": "^(On|Off|RelevantOnly)$",
+ "type": "text"
 }
 ]
 },
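Review bot: The new `if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ]` in has_value leaves the command substitution unquoted, so on no match `[` receives `!= ""` with no left operand and prints "unary operator expected" on stderr, and a matching line that contains whitespace splits into several words, fails the test and makes has_value report no match for a setting that is set; the identical line inside the per-server loop below has the same two problems. Both also pass `$1` and `$2` to grep as a regular expression, so a value containing `.` or `*` matches more than its literal text. Let grep do the comparison instead: `if grep -qxF -- "${1}=${2}" /etc/nginx/site.env ; then` and, in the loop, `if grep -qxF -- "${1}=${2}" "/etc/nginx/$server/site.env" ; then`. Callers compare has_value's stdout with `""`, so the no-match path today is mostly stderr noise, but the false negative on values with spaces is a real behaviour change introduced by this rewrite.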
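Review bot: `chmod ugo+x /opt/gen/main.py` runs after the `find /opt -type f -exec chmod 0740` three lines up, so the script ends at 0751, with execute for "others" on a file they cannot read; for a script the interpreter has to open, that bit grants nothing and only reads as wider than intended. `chmod 0750 /opt/gen/main.py` states the mode actually granted and matches the directory rule in the same block (this mirrors the existing `chmod ugo+x /opt/entrypoint/*` line, so the same remark applies there). The added `chmod 440 /opt/settings.json` is fine where it is; just note it must stay below the find, which would otherwise reset it to 0740.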
@@ -1278,6 +1287,24 @@
 "label": "HTTPS port",
 "regex": "^[0-9]+$",
 "type": "text"
+ },
+ {
+ "context": "global",
+ "default": "2048",
+ "env": "WORKER_RLIMIT_NOFILE",
+ "id": "worker-rlimit-nofile",
+ "label": "worker_rlimit_nofile directive",
+ "regex": "^[0-9]+$",
+ "type": "text"
+ },
+ {
+ "context": "global",
+ "default": "1024",
+ "env": "WORKER_CONNECTIONS",
+ "id": "worker-connections",
+ "label": "worker_connections directive",
+ "regex": "^[0-9]+$",
+ "type": "text"
 }
 ]
 },
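Review bot: The `"regex": "^[0-9]+$"` on both new entries accepts `0`, which is not a usable value for either worker_connections or worker_rlimit_nofile, and leading-zero forms such as `0010`; `"regex": "^[1-9][0-9]*$"` rejects both while still matching the defaults, and is worth applying to the WORKER_RLIMIT_NOFILE entry as well as the WORKER_CONNECTIONS one. The defaults are coherent with each other (2048 is twice 1024, and a proxied request can hold two descriptors per connection), so if the settings format has a help-text field, a one-line note that worker_rlimit_nofile should stay at or above twice worker_connections would save users from raising one without the other.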