diff --git a/Dockerfile b/Dockerfile
index 6632230..5e0bf2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
 /tmp/prepare.sh && \
 rm -f /tmp/prepare.sh
 
+# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
+RUN apk add "curl>=7.77.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 6c3b177..99e5617 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
 /tmp/prepare.sh && \
 rm -f /tmp/prepare.sh
 
+# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
+RUN apk add "curl>=7.77.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 755c404..8907bf3 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -32,6 +32,9 @@ RUN chmod +x /tmp/prepare.sh && \
 /tmp/prepare.sh && \
 rm -f /tmp/prepare.sh
 
+# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
+RUN apk add "curl>=7.77.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index d9bc6f0..bfa2d2f 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -32,6 +32,9 @@ RUN chmod +x /tmp/prepare.sh && \
 /tmp/prepare.sh && \
 rm -f /tmp/prepare.sh
 
+# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
+RUN apk add "curl>=7.77.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index b945099..942dc5c 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
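Review bot: `RUN apk add "curl>=7.77.0-r0"` only resolves if the base image's package index actually carries 7.77.0-r0, so a base-image bump or a distro backport shipped under a lower version string turns this line into a build failure rather than a no-op, and it leaves every other pending security fix in the base untouched. `RUN apk upgrade --no-cache` (or `apk add --no-cache --upgrade curl` if only curl is wanted) pulls the patched build from the live index and, unless prepare.sh already cleans `/var/cache/apk`, avoids keeping the fetched APKINDEX in the layer. The identical line is duplicated in Dockerfile-amd64, -arm32v7, -arm64v8 and -i386; since all five already run /tmp/prepare.sh, the upgrade belongs in that script so the fix cannot drift between architectures. Keep the CVE list in the comment next to whichever form is adopted.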
@@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
 /tmp/prepare.sh && \
 rm -f /tmp/prepare.sh
 
+# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
+RUN apk add "curl>=7.77.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
diff --git a/autoconf/Config.py b/autoconf/Config.py
index e12416b..61efb80 100644
--- a/autoconf/Config.py
+++ b/autoconf/Config.py
@@ -27,9 +27,11 @@ class Config :
 stdout = proc.stdout.decode("ascii")
 stderr = proc.stderr.decode("ascii")
 if stdout != "" :
- utils.log("[*] Jobs output : " + stdout)
+ for line in stdout.split("\n") :
+ utils.log("[*] Jobs output : " + stdout)
 if stderr != "" :
- utils.log("[!] Jobs error : " + stderr)
+ for line in stderr.split("\n") :
+ utils.log("[!] Jobs error : " + stderr)
 return proc.returncode == 0
 else :
 utils.log("[!] bunkerized-nginx tasks are not started")
@@ -51,14 +53,16 @@ class Config :
 stdout = proc.stdout.decode("ascii")
 stderr = proc.stderr.decode("ascii")
 if stdout != "":
- utils.log("[*] Generator output : " + stdout)
+ for line in stdout.split("\n") :
+ utils.log("[*] Generator output : " + stdout)
 if stderr != "" :
- utils.log("[*] Generator error : " + stderr)
+ for line in stderr.split("\n") :
+ utils.log("[*] Generator error : " + stderr)
 
 # We're done
 if proc.returncode == 0 :
 return True
- utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + " : return code = " + str(proc.returncode))
+ utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode))
 
 except Exception as e :
 utils.log("[!] Exception while generating site config : " + str(e))
diff --git a/autoconf/dependencies.sh b/autoconf/dependencies.sh
index 58f519e..565c2ea 100644
--- a/autoconf/dependencies.sh
+++ b/autoconf/dependencies.sh
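Review bot: The new loops bind `line` but still log the whole buffer — `utils.log("[*] Jobs output : " + stdout)` and `utils.log("[!] Jobs error : " + stderr)` sit inside `for line in ...` — so a job that prints N lines has its entire output written N times, which is worse than the single call being replaced; both calls should concatenate `line`. `str.split("\n")` also yields a trailing empty element whenever the output ends with a newline, so `for line in stdout.splitlines():` avoids logging an empty entry. The method this hunk belongs to starts before the hunk, so it cannot be confirmed whether `proc.stdout.decode("ascii")` is guarded against non-ASCII job output raising UnicodeDecodeError; `decode("utf-8", "replace")` is the safer choice on a logging path.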
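Review bot: The same defect as in the jobs path: `for line in stdout.split("\n")` logs `stdout` (and the stderr loop logs `stderr`) instead of `line`, repeating the full generator output once per line; change both calls to `+ line`. The `vars` → `env["SERVER_NAME"]` fix is right, but a missing key now raises KeyError, which the visible `except Exception as e` turns into a generic "Exception while generating site config" message that no longer names the site or the return code — `env.get("SERVER_NAME", "<unknown>")` keeps the original error reachable. Generator stderr is still logged with the `[*]` prefix while the jobs path uses `[!]`; aligning them lets operators grep for errors consistently. The enclosing method begins before this hunk.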
@@ -1,5 +1,5 @@
 #!/bin/sh
 
 # install dependencies
-apk add py3-pip bash certbot curl logrotate openssl
+apk add py3-pip bash certbot curl openssl
 pip3 install docker requests jinja2
diff --git a/confs/site/https.conf b/confs/site/https.conf
index 9b13dbd..0ed523f 100644
--- a/confs/site/https.conf
+++ b/confs/site/https.conf
@@ -1,6 +1,22 @@
 listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
-ssl_certificate {{ HTTPS_CERT }};
-ssl_certificate_key {{ HTTPS_KEY }};
+{% set paths = {"cert": "", "key": ""} %}
+{% if AUTO_LETS_ENCRYPT == "yes" %}
+ {% set x = paths.update({"cert": "/etc/letsencrypt/live/" + FIRST_SERVER + "/fullchain.pem"}) %}
+ {% set x = paths.update({"key": "/etc/letsencrypt/live/" + FIRST_SERVER + "/privkey.pem"}) %}
+{% elif USE_CUSTOM_HTTPS == "yes" %}
+ {% set x = paths.update({"cert": CUSTOM_HTTPS_CERT}) %}
+ {% set x = paths.update({"key": CUSTOM_HTTPS_KEY}) %}
+{% elif GENERATE_SELF_SIGNED_HTTPS == "yes" %}
+ {% if MULTISITE == "yes" %}
+ {% set x = paths.update({"cert": "/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"}) %}
+ {% set x = paths.update({"key": "/etc/nginx/" + FIRST_SERVER + "/self-key.pem"}) %}
+ {% else %}
+ {% set x = paths.update({"cert": "/etc/nginx/self-cert.pem"}) %}
+ {% set x = paths.update({"key": "/etc/nginx/self-key.pem"}) %}
+ {% endif %}
+{% endif %}
+ssl_certificate {{ paths["cert"] }};
+ssl_certificate_key {{ paths["key"] }};
 ssl_protocols {{ HTTPS_PROTOCOLS }};
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
diff --git a/dependencies.sh b/dependencies.sh
index 23aa9e8..24216f0 100644
--- a/dependencies.sh
+++ b/dependencies.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 
 # install dependencies
-apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
+apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip
 pip3 install jinja2
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 934443f..1d7b64a 100644
--- a/entrypoint/entrypoint.sh
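Review bot: The new `apk add py3-pip bash certbot curl openssl` line and the `pip3 install docker requests jinja2` line it feeds are both unpinned, so each image build installs whatever the index serves that day — a supply-chain exposure for a container that ships the Docker client library and an ACME client. Prefer `apk add --no-cache` with versions pinned to what the base image provides, and move the Python packages to a requirements file installed with `pip3 install --require-hashes -r requirements.txt`. Dropping logrotate is fine if nothing in autoconf rotated logs; that cannot be confirmed from this hunk.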
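Review bot: The self-signed branch tests `GENERATE_SELF_SIGNED_HTTPS == "yes"`, while the script that actually creates `self-cert.pem`/`self-key.pem` (entrypoint/jobs.sh in this same commit) is keyed on `GENERATE_SELF_SIGNED_SSL`; unless the generator maps one name onto the other, either the certificates are generated and never referenced or this branch points nginx at files that do not exist. When none of the three settings is `yes` the template now emits `ssl_certificate ;` with an empty path, which nginx rejects at config load — failing with an explicit marker such as `{% if paths["cert"] == "" %}# ERROR: no HTTPS certificate source configured{% endif %}`, or falling back to the `/etc/nginx/default-cert.pem` pair that jobs.sh creates, would make the misconfiguration obvious. The multisite path `"/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"` also assumes the per-site directory is named after the first server name, whereas jobs.sh derives the directory from the .env file path; worth confirming the two agree.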
+++ b/entrypoint/entrypoint.sh
@@ -15,8 +15,7 @@ trap "trap_exit" TERM INT QUIT
 # trap SIGHUP
 function trap_reload() {
 echo "[*] Catched reload operation"
- if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
- /opt/entrypoint/certbot.sh
+ if [ "$SWARM_MODE" != "yes" ] ; then
 /opt/entrypoint/jobs.sh
 fi
 if [ -f /tmp/nginx.pid ] ; then
@@ -59,11 +58,8 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
 # call the generator
 /opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
 
- # background jobs
+ # external jobs
 /opt/entrypoint/jobs.sh
-
- # certbot
- /opt/entrypoint/certbot.sh
 fi
 else
 echo "[*] Skipping configuration process"
diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh
index bcbebf6..fd0732f 100644
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
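Review bot: `trap_reload` now runs `/opt/entrypoint/jobs.sh` on every SIGHUP (previously only when MULTISITE=yes), and the jobs.sh added in this commit unconditionally calls `/opt/scripts/certbot-new.sh` for each AUTO_LETS_ENCRYPT site with no check for an existing certificate; if that script requests issuance rather than running `certbot renew`, repeated reloads will exhaust Let's Encrypt's duplicate-certificate rate limit and leave the site without a renewable cert. Guard the ACME step on the absence of `/etc/letsencrypt/live/$FIRST_SERVER/fullchain.pem`, or route reloads to `certbot renew`. The call is also synchronous inside the signal handler, so a slow ACME exchange delays the nginx reload that follows; the remainder of `trap_reload` continues outside this hunk.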
@@ -68,3 +68,50 @@ if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 /opt/scripts/abusers.sh > /dev/null 2>&1 &
 fi
 fi
+
+# self signed certs for sites
+files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
+if [ "$files" != " " ] ; then
+ for file in $files ; do
+ site=$(echo $file | cut -f 4 -d '/')
+ dest="/etc/nginx/"
+ if [ "$site" != "site.env" ] ; then
+ dest="${dest}/${site}/"
+ fi
+ SELF_SIGNED_SSL_EXPIRY="$(sed -nE 's/^SELF_SIGNED_SSL_EXPIRY=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_COUNTRY="$(sed -nE 's/^SELF_SIGNED_SSL_COUNTRY=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_STATE="$(sed -nE 's/^SELF_SIGNED_SSL_STATE=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_CITY="$(sed -nE 's/^SELF_SIGNED_SSL_CITY=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
+ SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
+ openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+ done
+fi
+
+# self signed cert for default server
+if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] ; then
+ SELF_SIGNED_SSL_EXPIRY="999"
+ SELF_SIGNED_SSL_COUNTRY="US"
+ SELF_SIGNED_SSL_STATE="Utah"
+ SELF_SIGNED_SSL_CITY="Lehi"
+ SELF_SIGNED_SSL_ORG="Your Company, Inc."
+ SELF_SIGNED_SSL_OU="IT"
+ SELF_SIGNED_SSL_CN="www.yourdomain.com"
+ openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+fi
+
+# certbot
+files=$(has_value AUTO_LETS_ENCRYPT yes)
+if [ "$files" != " " ] ; then
+ for file in $files ; do
+ SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
+ FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
+ EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
+ if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
+ EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
+ fi
+ /opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT"
+
+ done
+fi
\ No newline at end of file
diff --git a/entrypoint/utils.sh b/entrypoint/utils.sh
index 4567d5f..2823af9 100644
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@@ -27,7 +27,7 @@ function has_value() {
 envs=$(find /etc/nginx -name "*.env")
 for file in $envs ; do
 if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
- echo "ok"
+ echo "$file"
 return 0
 fi
 done
@@ -38,4 +38,4 @@ function job_log() {
 when="$(date '+[%Y-%m-%d %H:%M:%S]')"
 what="$1"
 echo "$when $what" >> /var/log/jobs.log
-}
+}
\ No newline at end of file
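Review bot: Both `openssl req -nodes` calls write the private key (`${dest}self-key.pem`, `/etc/nginx/default-key.pem`) under the process's default umask, so the key files are typically world-readable inside the container; put `umask 077` at the top of this block (the nginx master reads the key as root, so 0600 is enough). The `-subj` argument is assembled from values that sed pulls out of the .env files, so a field containing `/` injects extra DN components and an empty SELF_SIGNED_SSL_EXPIRY makes `-days` swallow `-subj` as its value — use `-days "$SELF_SIGNED_SSL_EXPIRY"` and reject `/` in the subject fields before calling openssl. `has_value` (changed in this same commit) still returns after its first hit, so `$files` is always a single path and in multisite only the first site carrying the setting gets a certificate or an ACME request; the `[ "$files" != " " ]` guard also compares against one space while the default-server block compares the same helper's output with `""`. Nothing here checks whether a certificate already exists, and entrypoint.sh now runs jobs.sh from the SIGHUP handler, so every reload regenerates every key and re-contacts the ACME server — an `[ -f "${dest}self-cert.pem" ] ||` guard would make the block idempotent. If /etc/nginx/global.env (referenced in entrypoint.sh) can carry the same key, `cut -f 4 -d '/'` yields `global.env` and the key is written into the non-existent `/etc/nginx//global.env/`.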
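Review bot: `echo "$file"` is still followed by `return 0`, so the function exits on the first match and callers that treat its output as a list (`for file in $files` in the new jobs.sh) only ever see one .env path even when several sites set the same value. Replace `return 0` with `found=0`, initialise `found=1` before the loop and end the function with `return $found` after `done`, so every matching path is printed while the exit status still says whether anything matched; the function's closing lines are outside this hunk. The test `"$(grep "^${1}=${2}$" $file)" != ""` also treats the caller's value as a regex and leaves `$file` unquoted — `if grep -qxF -- "${1}=${2}" "$file" ; then` is stricter and avoids the subshell.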