From bc01427def792f1125e8e2f3a921dc6d747d0f4a Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Mon, 2 Aug 2021 10:41:46 +0200
Subject: [PATCH] ignore CVE-2021-36159 and redirect job logs as root when using autoconf
---
 .github/workflows/build-bunkerized-nginx.yml | 9 +++++++++
 Dockerfile | 5 +++--
 autoconf/Dockerfile | 2 +-
 autoconf/entrypoint.sh | 5 -----
 autoconf/prepare.sh | 4 ----
 misc/cron-autoconf | 7 +++++++
 6 files changed, 20 insertions(+), 12 deletions(-)
 create mode 100644 misc/cron-autoconf
diff --git a/.github/workflows/build-bunkerized-nginx.yml b/.github/workflows/build-bunkerized-nginx.yml
index 6e62222..75e8094 100644
--- a/.github/workflows/build-bunkerized-nginx.yml
+++ b/.github/workflows/build-bunkerized-nginx.yml
@@ -16,6 +16,11 @@ jobs:
 # so we need to build the image the traditional way
 - name: Temp build to check security issues
 run: docker build -t bunkerized-nginx .
+
+ # Temp ignore CVE-2021-36159
+ - name: Temp add .trivyignore
+ run: |
+ echo "CVE-2021-36159" > .trivyignore
 - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@master
@@ -26,6 +31,10 @@ jobs:
 ignore-unfixed: true
 severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+ - name: Temp remove .trivyignore
+ run: |
+ rm -f .trivyignore
+
 - name: Run autotest
 run: docker run bunkerized-nginx test
diff --git a/Dockerfile b/Dockerfile
index c004785..695e8d9 100644
--- a/Dockerfile
+++ b/Dockerfile
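Review bot: The `.trivyignore` written in the first hunk suppresses CVE-2021-36159 for the whole image scan with a comment that only says "Temp", so nothing in the workflow records why it is ignored or when the suppression should be lifted; that reason lives only in the Dockerfile comment. I would put the reason and the exit condition next to the step, e.g. `# Temp ignore CVE-2021-36159: apk-tools fix not yet available on alpine arm/v7; drop this step once "apk-tools>=2.12.6-r0" installs again`. The clean-up step in the second hunk only runs when the Trivy step succeeds; in an ephemeral runner workspace that is harmless, but `if: always()` on that step would make the intent explicit. Since the scan runs on the image built by `docker build` on the runner (presumably amd64), the ignore also hides a finding that could still be fixed on that platform if the Dockerfile kept the apk-tools upgrade conditional on architecture rather than commenting it out.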
@@ -12,9 +12,10 @@ RUN chmod +x /tmp/docker.sh && \
 /tmp/docker.sh && \
 rm -f /tmp/docker.sh
-# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159
+# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897 and CVE-2021-33560
 RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0"
-RUN apk add "apk-tools>=2.12.6-r0"
+# Temp : can't fix CVE-2021-36159 because fixed version is not available on alpine arm/v7
+# RUN apk add "apk-tools>=2.12.6-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile
index a1f4f0c..0b42501 100644
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
@@ -6,7 +6,7 @@ COPY confs/global/ /opt/bunkerized-nginx/confs/global
 COPY confs/site/ /opt/bunkerized-nginx/confs/site
 COPY jobs/ /opt/bunkerized-nginx/jobs
 COPY settings.json /opt/bunkerized-nginx/
-COPY misc/cron /etc/crontabs/nginx
+COPY misc/cron-autoconf /etc/crontabs/root
 COPY autoconf/entrypoint.sh /opt/bunkerized-nginx/entrypoint/
 COPY autoconf/requirements.txt /opt/bunkerized-nginx/entrypoint/
 COPY autoconf/src/* /opt/bunkerized-nginx/entrypoint/
diff --git a/autoconf/entrypoint.sh b/autoconf/entrypoint.sh
index 66fe64c..3809129 100644
--- a/autoconf/entrypoint.sh
+++ b/autoconf/entrypoint.sh
@@ -8,11 +8,6 @@ if [ "$?" -ne 0 ] ; then
 exit 1
 fi
-#if [ "$SWARM_MODE" = "yes" ] ; then
-# chown -R root:nginx /etc/nginx
-# chmod -R 770 /etc/nginx
-#fi
-
 # trap SIGTERM and SIGINT
 function trap_exit() {
 echo "[*] Catched stop operation"
diff --git a/autoconf/prepare.sh b/autoconf/prepare.sh
index 4288b67..d1e7e5b 100644
--- a/autoconf/prepare.sh
+++ b/autoconf/prepare.sh
@@ -61,7 +61,3 @@ ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs
 mkdir /modsec-crs-confs
 chown root:nginx /modsec-crs-confs
 chmod 770 /modsec-crs-confs
-
-# prepare /etc/crontabs/nginx
-chown root:nginx /etc/crontabs/nginx
-chmod 440 /etc/crontabs/nginx
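Review bot: Commenting out `RUN apk add "apk-tools>=2.12.6-r0"` drops the CVE-2021-36159 fix on every architecture, although the comment above it says only alpine arm/v7 lacks the fixed package. If the multi-arch image is built with buildx, the automatic `TARGETVARIANT` build arg lets the upgrade stay in place where it is available: `ARG TARGETVARIANT` followed by `RUN if [ "$TARGETVARIANT" != "v7" ]; then apk add "apk-tools>=2.12.6-r0"; fi`. On a plain `docker build` the arg is empty and the upgrade still runs, which is the case the CI Trivy scan covers, so the `.trivyignore` added in this commit would no longer be needed there. I would also name the package and version to wait for in the comment, e.g. `# Temp: CVE-2021-36159 needs apk-tools>=2.12.6-r0, which alpine does not yet ship for arm/v7; re-enable the line below once it does`, so the line can be restored without re-reading history.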
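Review bot: `COPY misc/cron-autoconf /etc/crontabs/root` installs a root crontab with whatever mode the file has in the build context (COPY makes it root-owned but keeps the source permission bits) and no tightening step follows, while the prepare.sh hunk in this same commit removes the `chown root:nginx` / `chmod 440` that the previous nginx crontab received. A root crontab that is group- or world-writable lets any other account in the container schedule commands as root, so I would add `RUN chmod 600 /etc/crontabs/root` right after the COPY, or the equivalent line in prepare.sh. Whether crond in the autoconf image actually runs as root and reads /etc/crontabs/root is not visible in this diff; if it does not, nothing in the new crontab ever executes, which is worth a sentence in the entrypoint or README.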
diff --git a/misc/cron-autoconf b/misc/cron-autoconf
new file mode 100644
index 0000000..01843ca
--- /dev/null
+++ b/misc/cron-autoconf
@@ -0,0 +1,7 @@
+15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1
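Review bot: Every entry opens /var/log/nginx/jobs.log with root privileges (the `>>` sits outside the `su -c` command) while the job itself runs as nginx; if /var/log/nginx is writable by the nginx user, which this diff does not show, a privileged append into a path that a less-privileged account can replace is the usual way a log redirect turns into a write somewhere else. If nginx is meant to be able to write the log, move the redirection inside the quoted command so the file is opened as nginx, e.g. `15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1" nginx`; if only root should write it, pre-create the file root-owned in a directory nginx cannot modify and document that in prepare.sh. `su -c` without `-s /bin/sh` runs the command under the nginx account's login shell, which for a system account is often nologin and would make every job fail quietly into this same log; confirm against the image's passwd entry. The seven entries differ only in schedule and job name, so a small root-owned wrapper script taking the job name would remove the repeated quoting and keep the redirection policy in one place.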