remove ClamAV because of GPL and started work on read-only filesystem

Dockerfile

@@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-amd64

@@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-arm32v7

@@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-arm64v8

@@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-i386

@@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

confs/site/modsecurity-clamav.conf

@@ -1,4 +0,0 @@
-SecUploadDir /tmp
-SecUploadKeepFiles On
-SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
-"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"

confs/site/modsecurity-rules.conf

@@ -53,11 +53,6 @@ SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log
 
-# scan uploaded files with clamv
-{% if USE_CLAMAV_UPLOAD == "yes" %}
-include {{ NGINX_PREFIX }}modsecurity-clamav.conf
-{% endif %}
-
 # include OWASP CRS configuration
 {% if USE_MODSECURITY_CRS == "yes" %}
 include /opt/owasp/crs.conf

confs/site/server.conf

@@ -144,8 +144,8 @@ server {
 {% endif %}
 
 	# brotli compression
-{% if USE_GZIP == "yes" %}
+{% if USE_BROTLI == "yes" %}
-	include {{ NGINX_PREFIX }}gzip.conf;
+	include {{ NGINX_PREFIX }}brotli.conf;
 {% endif %}
 
 	# maximum body size

dependencies.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
 
 # install dependencies
-apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
+apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
 pip3 install jinja2

entrypoint/clamav.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# clamav setup
-if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	echo "[*] Updating clamav (in background) ..."
-	freshclam > /dev/null 2>&1 &
-	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
-fi
-if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
-        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
-        else
-		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
-        fi
-fi

entrypoint/entrypoint.sh

@@ -17,6 +17,7 @@ function trap_reload() {
 	echo "[*] Catched reload operation"
 	if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
 		/opt/entrypoint/certbot.sh
+		/opt/entrypoint/jobs.sh
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
@@ -33,7 +34,7 @@ function trap_reload() {
 trap "trap_reload" HUP
 
 # do the configuration magic if needed
-if [ ! -f "/opt/installed" ] ; then
+if [ ! -f "/etc/nginx/global.env" ] ; then
 
 	echo "[*] Configuring bunkerized-nginx ..."
 
@@ -47,9 +48,6 @@ if [ ! -f "/opt/installed" ] ; then
 		exit 1
 	fi
 
-	# clamav config
-	/opt/entrypoint/clamav.sh
-
 	# start temp nginx to solve Let's Encrypt challenges if needed
 	/opt/entrypoint/nginx-temp.sh
 
@@ -67,8 +65,6 @@ if [ ! -f "/opt/installed" ] ; then
 		# certbot
 		/opt/entrypoint/certbot.sh
 	fi
-
-	touch /opt/installed
 else
 	echo "[*] Skipping configuration process"
 fi
@@ -98,7 +94,7 @@ pid="$!"
 if [ "$1" == "test" ] ; then
 	sleep 10
 	echo -n "autotest" > /www/index.html
-	check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
+	check=$(curl "http://localhost:8080")
 	if [ "$check" == "autotest" ] ; then
 		exit 0
 	fi

entrypoint/jobs.sh

@@ -4,7 +4,7 @@
 . /opt/entrypoint/utils.sh
 
 # GeoIP
-if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COUNTRY .+)" != "" ] ; then
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb

entrypoint/utils.sh

@@ -24,20 +24,13 @@ function spaces_to_lua() {
 
 # check if at least one env var (global or multisite) has a specific value
 function has_value() {
-	if [ -f "/etc/nginx/site.env" ] ; then
+	envs=$(find /etc/nginx -name "*.env")
-		if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ] ; then
+	for file in $envs ; do
+		if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
 			echo "ok"
 			return 0
 		fi
-	else
+	done
-		servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
-		for server in $servers ; do
-			if [ $(grep "^${1}=${2}$" /etc/nginx/$server/site.env) != "" ] ; then
-				echo "ok"
-				return 0
-			fi
-		done
-	fi
 }
 
 # log to jobs.log

examples/hardened/docker-compose.yml

@@ -10,6 +10,10 @@ services:
     # disable setuid/setgid
     security_opt:
       - no-new-privileges
+    # read-only file system
+    read_only: true
+    tmpfs:
+      - /tmp
     restart: always
     ports:
       - 80:8080
@@ -17,6 +21,7 @@ services:
     # bunkerized-nginx runs as an unprivileged user with UID/GID 101
     # don't forget to edit the permissions of the files and folders accordingly
     volumes:
+      - cache:/cache
       - nginx_conf:/etc/nginx
       - ./web-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
@@ -38,3 +43,4 @@ services:
 
 volumes:
   nginx_conf:
+  cache:

misc/cron

@@ -0,0 +1,7 @@
+15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1
+30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1
+45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1
+0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1
+0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1
+0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1
+0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1

prepare.sh

@@ -15,6 +15,11 @@ chmod 770 /opt
 chmod 440 /opt/settings.json
 
 # prepare /etc/nginx
+for file in $(ls /etc/nginx) ; do
+	if [ -f /etc/nginx/$file ] && [ ! -f /opt/confs/global/$file ] ; then
+		cp /etc/nginx/$file /opt/confs/global
+	fi
+done
 chown -R root:nginx /etc/nginx
 chmod -R 770 /etc/nginx
 
@@ -27,14 +32,9 @@ ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
 ln -s /proc/1/fd/1 /var/log/access.log
 ln -s /proc/1/fd/2 /var/log/error.log
 ln -s /proc/1/fd/1 /var/log/jobs.log
-ln -s /proc/1/fd/1 /var/log/clamav.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
-rm -rf /var/log/clamav/*
-chown root:nginx /var/log/clamav
-chmod 770 /var/log/clamav
-ln -s /proc/1/fd/1 /var/log/freshclam.log
 
 # prepare /acme-challenge
 mkdir /acme-challenge
@@ -63,10 +63,5 @@ chown root:nginx /cache
 chmod 770 /cache
 
 # prepare /etc/crontabs/nginx
-touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
-chmod 660 /etc/crontabs/nginx
+chmod 440 /etc/crontabs/nginx
-
-# prepare /var/lib/clamav
-chown root:nginx /var/lib/clamav
-chmod 770 /var/lib/clamav

scripts/abusers.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/abusers.list /cache
 

scripts/certbot-renew.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
+	exit 0
+fi
+
 # ask new certificates if needed
 certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
 

scripts/clamav.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-output=$(clamscan -i --no-summary $1 2> /dev/null)
-rm -f $1
-if echo "$output" | grep -q ".* FOUND$" ; then
-	echo "0 clamscan: $output"
-else
-	echo "1 clamscan: ok"
-fi

scripts/exit-nodes.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/tor-exit-nodes.list /cache
 

scripts/geoip.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLACKLIST_COUNTRY .+)" = "" ] && [ "$(has_value WHITELIST_COUNTRY .+)" = "" ] ; then
+	exit 0
+fi
+
 # if we are running nginx
 if [ -f /tmp/nginx.pid ] ; then
 	RELOAD="/usr/sbin/nginx -s reload"

scripts/proxies.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/proxies.list /cache
 

scripts/referrers.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
+	exit 0
+fi
+
 # save old conf
 cp /etc/nginx/referrers.list /cache
 

scripts/user-agents.sh

@@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
+	exit 0
+fi
+
 # save old conf
 cp /etc/nginx/user-agents.list /cache