templating - started integration into docker image
This commit is contained in:
bunkerity
@@ -1,15 +1,15 @@
|
||||
|
||||
location ~ ^%API_URI%/ping {
|
||||
# todo : if api_uri == "random"
|
||||
location ~ ^{{ API_URI }}/ping {
|
||||
return 444;
|
||||
}
|
||||
|
||||
location ~ ^%API_URI% {
|
||||
location ~ {{ API_URI }} {
|
||||
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {%API_WHITELIST_IP%}
|
||||
local api_uri = "%API_URI%"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
# todo : if api_uri == "random"
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {%API_WHITELIST_IP%}
|
||||
local api_uri = "%API_URI%"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
open_file_cache %CACHE%;
|
||||
open_file_cache_errors %CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %CACHE_USES%;
|
||||
open_file_cache_valid %CACHE_VALID%;
|
||||
@@ -5,6 +5,11 @@ geoip2 /etc/nginx/geoip.mmdb {
|
||||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default %DEFAULT%;
|
||||
%COUNTRY%
|
||||
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
|
||||
{% for country in WHITELIST_COUNTRY.split(" ") %}
|
||||
{{ country }} yes;
|
||||
{% endfor %}
|
||||
{% for country in BLACKLIST_COUNTRY.split(" ") %}
|
||||
{{ country }} no;
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
@@ -3,12 +3,12 @@ init_by_lua_block {
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
|
||||
listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate /etc/nginx/default-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/default-key.pem;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
toto
|
||||
server {
|
||||
%LISTEN_HTTP%
|
||||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
|
||||
server_name _;
|
||||
%USE_HTTPS%
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
|
||||
}
|
||||
|
||||
@@ -26,11 +26,11 @@ pcre_jit on;
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
|
||||
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections %WORKER_CONNECTIONS%;
|
||||
worker_connections {{ WORKER_CONNECTIONS }};
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
@@ -51,9 +51,9 @@ http {
|
||||
default_type application/octet-stream;
|
||||
|
||||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
log_format logf '{{ LOG_FORMAT }}';
|
||||
access_log /var/log/access.log logf;
|
||||
error_log /var/log/error.log %LOG_LEVEL%;
|
||||
error_log /var/log/error.log {{ LOG_LEVEL }};
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
@@ -72,36 +72,39 @@ http {
|
||||
send_timeout 10;
|
||||
|
||||
# resolvers to use
|
||||
resolver %DNS_RESOLVERS% ipv6=off;
|
||||
resolver {{ DNS_RESOLVERS }} ipv6=off;
|
||||
|
||||
# remove ports when sending redirects
|
||||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%WHITELIST_IP_CACHE%
|
||||
%WHITELIST_REVERSE_CACHE%
|
||||
%BLACKLIST_IP_CACHE%
|
||||
%BLACKLIST_REVERSE_CACHE%
|
||||
%DNSBL_CACHE%
|
||||
%BLOCK_PROXIES%
|
||||
%BLOCK_ABUSERS%
|
||||
%BLOCK_TOR_EXIT_NODES%
|
||||
%BLOCK_USER_AGENTS%
|
||||
%BLOCK_REFERRERS%
|
||||
%BAD_BEHAVIOR%
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
|
||||
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
|
||||
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
%LIMIT_CONN_ZONE%
|
||||
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
|
||||
|
||||
# whitelist or blacklist country
|
||||
%USE_COUNTRY%
|
||||
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
|
||||
|
||||
# zone for proxy_cache
|
||||
%PROXY_CACHE_PATH%
|
||||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
@@ -110,11 +113,19 @@ http {
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
%MULTISITE_DEFAULT_SERVER%
|
||||
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
|
||||
|
||||
# server config(s)
|
||||
%INCLUDE_SERVER%
|
||||
{% if SWARM_MODE == "no" %}
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% for server_name in SERVER_NAME.split(" ") %}
|
||||
include /etc/nginx/{{ server_name }}/server.conf;
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
include /etc/nginx/server.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# API
|
||||
%USE_API%
|
||||
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user