From a991b262efdf192c38296c594b85a1579d0e7f5e Mon Sep 17 00:00:00 2001 From: bunkerity Date: Wed, 26 May 2021 17:18:49 +0200 Subject: [PATCH] remove ClamAV because of GPL and started work on read-only filesystem --- Dockerfile | 1 + Dockerfile-amd64 | 1 + Dockerfile-arm32v7 | 1 + Dockerfile-arm64v8 | 1 + Dockerfile-i386 | 1 + confs/site/modsecurity-clamav.conf | 4 ---- confs/site/modsecurity-rules.conf | 5 ----- confs/site/server.conf | 4 ++-- dependencies.sh | 2 +- entrypoint/clamav.sh | 18 ------------------ entrypoint/entrypoint.sh | 10 +++------- entrypoint/jobs.sh | 2 +- entrypoint/utils.sh | 15 ++++----------- examples/hardened/docker-compose.yml | 6 ++++++ misc/cron | 7 +++++++ prepare.sh | 17 ++++++----------- scripts/abusers.sh | 8 ++++++++ scripts/certbot-renew.sh | 8 ++++++++ scripts/clamav.sh | 9 --------- scripts/exit-nodes.sh | 8 ++++++++ scripts/geoip.sh | 8 ++++++++ scripts/proxies.sh | 8 ++++++++ scripts/referrers.sh | 8 ++++++++ scripts/user-agents.sh | 8 ++++++++ 24 files changed, 91 insertions(+), 69 deletions(-) delete mode 100644 confs/site/modsecurity-clamav.conf delete mode 100644 entrypoint/clamav.sh create mode 100644 misc/cron delete mode 100644 scripts/clamav.sh diff --git a/Dockerfile b/Dockerfile index 2116134..8d9ef20 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 456a189..22b1230 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index 9a54b02..48a979a 100644 --- a/Dockerfile-arm32v7 
+++ b/Dockerfile-arm32v7 @@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 9b4e077..6a75d9d 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 2b97984..0682123 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts COPY lua/ /usr/local/lib/lua COPY antibot/ /antibot COPY settings.json /opt +COPY misc/cron /etc/crontabs/nginx COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && \ diff --git a/confs/site/modsecurity-clamav.conf b/confs/site/modsecurity-clamav.conf deleted file mode 100644 index af96b0f..0000000 --- a/confs/site/modsecurity-clamav.conf +++ /dev/null @@ -1,4 +0,0 @@ -SecUploadDir /tmp -SecUploadKeepFiles On -SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \ -"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'" diff --git a/confs/site/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf index 37f0a7d..b3b8354 100644 --- a/confs/site/modsecurity-rules.conf +++ b/confs/site/modsecurity-rules.conf @@ -53,11 +53,6 @@ SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }} SecAuditLogType Serial SecAuditLog /var/log/nginx/modsec_audit.log -# scan uploaded files with clamv -{% if USE_CLAMAV_UPLOAD == "yes" %} -include {{ NGINX_PREFIX }}modsecurity-clamav.conf -{% endif %} - # include OWASP CRS configuration {% if USE_MODSECURITY_CRS == "yes" %} include /opt/owasp/crs.conf diff --git a/confs/site/server.conf b/confs/site/server.conf index f171e4d..c532358 100644 
--- a/confs/site/server.conf +++ b/confs/site/server.conf @@ -144,8 +144,8 @@ server { {% endif %} # brotli compression -{% if USE_GZIP == "yes" %} - include {{ NGINX_PREFIX }}gzip.conf; +{% if USE_BROTLI == "yes" %} + include {{ NGINX_PREFIX }}brotli.conf; {% endif %} # maximum body size diff --git a/dependencies.sh b/dependencies.sh index 58b56f7..23aa9e8 100644 --- a/dependencies.sh +++ b/dependencies.sh @@ -1,5 +1,5 @@ #!/bin/sh # install dependencies -apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip +apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip pip3 install jinja2 diff --git a/entrypoint/clamav.sh b/entrypoint/clamav.sh deleted file mode 100644 index df3222f..0000000 --- a/entrypoint/clamav.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/entrypoint/utils.sh - -# clamav setup -if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - echo "[*] Updating clamav (in background) ..." - freshclam > /dev/null 2>&1 & - echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx -fi -if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then - if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx - else - echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx - fi -fi diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index 7e07ed8..b2a1df5 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -17,6 +17,7 @@ function trap_reload() { echo "[*] Catched reload operation" if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then /opt/entrypoint/certbot.sh + /opt/entrypoint/jobs.sh fi if [ -f /tmp/nginx.pid ] ; then echo "[*] Reloading nginx ..." 
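Review bot: After this hunk nothing in the visible block includes `gzip.conf` under `USE_GZIP` any more — the two lines are rewritten to brotli rather than a brotli block being added next to the gzip one. If the `# brotli compression` comment was simply mislabelling the only gzip include, this change silently turns `USE_GZIP` into a no-op; if a separate gzip block exists earlier in server.conf, outside the hunk, this is fine and only the comment was wrong. Worth confirming one way or the other before merging.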
@@ -33,7 +34,7 @@ function trap_reload() { trap "trap_reload" HUP # do the configuration magic if needed -if [ ! -f "/opt/installed" ] ; then +if [ ! -f "/etc/nginx/global.env" ] ; then echo "[*] Configuring bunkerized-nginx ..." @@ -47,9 +48,6 @@ if [ ! -f "/opt/installed" ] ; then exit 1 fi - # clamav config - /opt/entrypoint/clamav.sh - # start temp nginx to solve Let's Encrypt challenges if needed /opt/entrypoint/nginx-temp.sh @@ -67,8 +65,6 @@ if [ ! -f "/opt/installed" ] ; then # certbot /opt/entrypoint/certbot.sh fi - - touch /opt/installed else echo "[*] Skipping configuration process" fi @@ -98,7 +94,7 @@ pid="$!" if [ "$1" == "test" ] ; then sleep 10 echo -n "autotest" > /www/index.html - check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null) + check=$(curl "http://localhost:8080") if [ "$check" == "autotest" ] ; then exit 0 fi diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh index 30eb7f8..bcbebf6 100644 --- a/entrypoint/jobs.sh +++ b/entrypoint/jobs.sh @@ -4,7 +4,7 @@ . /opt/entrypoint/utils.sh # GeoIP -if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then +if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COUNTRY .+)" != "" ] ; then if [ -f "/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh index 56d53b4..4567d5f 100644 --- a/entrypoint/utils.sh +++ b/entrypoint/utils.sh 
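Review bot: In the last hunk the autotest request hardcodes port 8080 and drops the `2> /dev/null` that kept curl's progress and error output out of the test's stdout; if 8080 is always the container-side listen port (the hardened compose example maps `80:8080`), say so in a comment and keep the call quiet with `check=$(curl -s "http://localhost:8080")`. The `if [ "$1" == "test" ]` block continues outside the hunk. In the first hunk the "already configured" sentinel moves from `/opt/installed` to `/etc/nginx/global.env`, which suits a read-only root filesystem, but I cannot see where global.env is written; confirm the configuration step creates it, otherwise the container reconfigures on every start.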
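Review bot: `has_value BLACKLIST_COUNTRY .+` relies on `+` meaning "one or more", but has_value passes its second argument to plain grep, where the default POSIX basic regex treats `+` as a literal character; `^BLACKLIST_COUNTRY=.+$` therefore matches only a value consisting of one character followed by a literal `+`, and the GeoIP job will be skipped for ordinary country lists. The same pattern is used in scripts/geoip.sh in this commit. Either write it in BRE form, `if [ "$(has_value BLACKLIST_COUNTRY ..*)" != "" ] || [ "$(has_value WHITELIST_COUNTRY ..*)" != "" ] ; then`, or make has_value call `grep -E`. I believe busybox grep on Alpine behaves the same as GNU grep here, so this is not masked by the base image.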
@@ -24,20 +24,13 @@ function spaces_to_lua() { # check if at least one env var (global or multisite) has a specific value function has_value() { - if [ -f "/etc/nginx/site.env" ] ; then - if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ] ; then + envs=$(find /etc/nginx -name "*.env") + for file in $envs ; do + if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then echo "ok" return 0 fi - else - servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4) - for server in $servers ; do - if [ $(grep "^${1}=${2}$" /etc/nginx/$server/site.env) != "" ] ; then - echo "ok" - return 0 - fi - done - fi + done } # log to jobs.log diff --git a/examples/hardened/docker-compose.yml b/examples/hardened/docker-compose.yml index 1daeaf2..2a52406 100644 --- a/examples/hardened/docker-compose.yml +++ b/examples/hardened/docker-compose.yml @@ -10,6 +10,10 @@ services: # disable setuid/setgid security_opt: - no-new-privileges + # read-only file system + read_only: true + tmpfs: + - /tmp restart: always ports: - 80:8080 @@ -17,6 +21,7 @@ services: # bunkerized-nginx runs as an unprivileged user with UID/GID 101 # don't forget to edit the permissions of the files and folders accordingly volumes: + - cache:/cache - nginx_conf:/etc/nginx - ./web-files:/www:ro - ./letsencrypt:/etc/letsencrypt @@ -38,3 +43,4 @@ services: volumes: nginx_conf: + cache: diff --git a/misc/cron b/misc/cron new file mode 100644 index 0000000..f4167fd --- /dev/null +++ b/misc/cron @@ -0,0 +1,7 @@ +15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1 +30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1 +45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1 +0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1 +0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1 +0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1 +0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1 diff --git a/prepare.sh b/prepare.sh index 748d79e..96fcc3a 100644 --- a/prepare.sh +++ b/prepare.sh 
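Review bot: In the new loop `$file` is unquoted and the match is made by comparing grep's output with the empty string, so a path containing whitespace breaks both the `for` over `$envs` and the `$(...)`, and the function never returns a non-zero status when nothing matches (it falls through with the status of `done`). Use grep's exit status, quote the path, read find's output line by line and finish with an explicit `return 1`, as below. Note also that `${2}` is interpolated into the regular expression rather than compared literally — callers in this commit pass `.+` relying on that — which deserves a comment on the function. The rewrite assumes utils.sh is sourced by bash, as the `function` keyword suggests, for the `< <(...)` process substitution; if some caller depends on the exit status rather than the echoed "ok", the `return 1` is the only behavioural change.
```shell
# check if at least one env var (global or multisite) has a specific value
# $1 is the variable name, $2 is a grep regular expression matched against the value
function has_value() {
  while IFS= read -r file ; do
    if grep -q -- "^${1}=${2}$" "$file" ; then
      echo "ok"
      return 0
    fi
  done < <(find /etc/nginx -name "*.env")
  return 1
}
```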
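Review bot: With `read_only: true` the only tmpfs is `/tmp`, yet the image's prepare.sh still creates `/var/log/letsencrypt` as a writable directory for certbot and the entrypoint writes `/tmp/nginx.pid`; any other path the container writes at runtime (certbot's log directory, nginx client-body or proxy temp paths if they are not under /tmp or a volume) will now fail with a read-only filesystem error. Worth listing the writable paths the image needs in a comment next to `read_only: true` and giving each a tmpfs or volume, e.g. `- /var/log/letsencrypt` under `tmpfs:` if that is where certbot logs. I cannot see the nginx temp-path configuration from here, so treat the list as something to verify against the image.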
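Review bot: Every job discards stdout and stderr to /dev/null, so a failing certificate renewal or blocklist refresh (the scripts scheduled here write to /cache and reload nginx) leaves no trace. prepare.sh links `/var/log/jobs.log` to the container's stdout and utils.sh already has a jobs.log logging helper, so redirecting there instead — `15 0 * * * /opt/scripts/certbot-renew.sh >> /var/log/jobs.log 2>&1`, and likewise for the other six entries — keeps failures visible in the container logs. Minor: `0 */1 * * *` is just `0 * * * *`.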
@@ -15,6 +15,11 @@ chmod 770 /opt chmod 440 /opt/settings.json # prepare /etc/nginx +for file in $(ls /etc/nginx) ; do + if [ -f /etc/nginx/$file ] && [ ! -f /opt/confs/global/$file ] ; then + cp /etc/nginx/$file /opt/confs/global + fi +done chown -R root:nginx /etc/nginx chmod -R 770 /etc/nginx @@ -27,14 +32,9 @@ ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log ln -s /proc/1/fd/1 /var/log/access.log ln -s /proc/1/fd/2 /var/log/error.log ln -s /proc/1/fd/1 /var/log/jobs.log -ln -s /proc/1/fd/1 /var/log/clamav.log mkdir /var/log/letsencrypt chown nginx:nginx /var/log/letsencrypt chmod 770 /var/log/letsencrypt -rm -rf /var/log/clamav/* -chown root:nginx /var/log/clamav -chmod 770 /var/log/clamav -ln -s /proc/1/fd/1 /var/log/freshclam.log # prepare /acme-challenge mkdir /acme-challenge @@ -63,10 +63,5 @@ chown root:nginx /cache chmod 770 /cache # prepare /etc/crontabs/nginx -touch /etc/crontabs/nginx chown root:nginx /etc/crontabs/nginx -chmod 660 /etc/crontabs/nginx - -# prepare /var/lib/clamav -chown root:nginx /var/lib/clamav -chmod 770 /var/lib/clamav +chmod 440 /etc/crontabs/nginx diff --git a/scripts/abusers.sh b/scripts/abusers.sh index 3b430e1..f80d3b8 100755 --- a/scripts/abusers.sh +++ b/scripts/abusers.sh @@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then + exit 0 +fi + # copy old conf to cache cp /etc/nginx/abusers.list /cache diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh index c567c23..c52f66e 100644 --- a/scripts/certbot-renew.sh +++ b/scripts/certbot-renew.sh 
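Review bot: The new loop in the first hunk parses `ls` output and leaves `$file` unquoted, so a name with whitespace or glob characters is split or expanded; a glob does the same job without the subprocess: `for path in /etc/nginx/* ; do`, `if [ -f "$path" ] && [ ! -f "/opt/confs/global/${path##*/}" ] ; then`, `cp "$path" /opt/confs/global`. This runs at image build time over files shipped with the image, so the exposure is small, but it is the first thing ShellCheck flags. A one-line comment on why the defaults are copied into /opt/confs/global (presumably as templates now that /etc/nginx is a volume) would help the next reader.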
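Review bot: The new guard `[ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ]` leaves the substitution unquoted: when grep matches nothing the test collapses to `[ != "" ]`, a test syntax error that `if` treats as false, so the script continues only by accident and prints an error that the cron redirection hides; a missing global.env fails the same way. Use the exit status instead: `if grep -q "^SWARM_MODE=yes$" /etc/nginx/global.env 2> /dev/null && [ -f /usr/sbin/nginx ] ; then`. The identical guard is added in scripts/certbot-renew.sh, exit-nodes.sh, geoip.sh, proxies.sh, referrers.sh and user-agents.sh in this commit. The purpose of the `-f /usr/sbin/nginx` half (skip on the nginx node when running in swarm mode?) deserves a comment above the guard.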
@@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then + exit 0 +fi + # ask new certificates if needed certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh diff --git a/scripts/clamav.sh b/scripts/clamav.sh deleted file mode 100644 index 145cc7a..0000000 --- a/scripts/clamav.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -output=$(clamscan -i --no-summary $1 2> /dev/null) -rm -f $1 -if echo "$output" | grep -q ".* FOUND$" ; then - echo "0 clamscan: $output" -else - echo "1 clamscan: ok" -fi diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh index fc51e56..fd096fe 100644 --- a/scripts/exit-nodes.sh +++ b/scripts/exit-nodes.sh @@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then + exit 0 +fi + # copy old conf to cache cp /etc/nginx/tor-exit-nodes.list /cache diff --git a/scripts/geoip.sh b/scripts/geoip.sh index 94ff06c..bdf8cbf 100644 --- a/scripts/geoip.sh +++ b/scripts/geoip.sh @@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLACKLIST_COUNTRY .+)" = "" ] && [ "$(has_value WHITELIST_COUNTRY .+)" = "" ] ; then + exit 0 +fi + # if we are running nginx if [ -f /tmp/nginx.pid ] ; then RELOAD="/usr/sbin/nginx -s reload" diff --git a/scripts/proxies.sh b/scripts/proxies.sh index 7e2084d..32f98f6 100755 --- a/scripts/proxies.sh +++ b/scripts/proxies.sh 
@@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then + exit 0 +fi + # copy old conf to cache cp /etc/nginx/proxies.list /cache diff --git a/scripts/referrers.sh b/scripts/referrers.sh index d1cc065..d2c4cec 100755 --- a/scripts/referrers.sh +++ b/scripts/referrers.sh @@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then + exit 0 +fi + # save old conf cp /etc/nginx/referrers.list /cache diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh index 9baff2b..2e5dfd9 100755 --- a/scripts/user-agents.sh +++ b/scripts/user-agents.sh @@ -3,6 +3,14 @@ # load some functions . /opt/entrypoint/utils.sh +if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then + exit 0 +fi + +if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then + exit 0 +fi + # save old conf cp /etc/nginx/user-agents.list /cache