From d12369c90004f30be596c55b9ba9ed91cf4232ac Mon Sep 17 00:00:00 2001 
From: bunkerity Date: Wed, 21 Jul 2021 11:55:14 +0200 Subject: [PATCH] jobs - various bugs fixed and old files removed --- confs/global/init-lua.conf | 32 +++++++----- confs/global/nginx.conf | 4 -- confs/site/main-lua.conf | 16 ++++++ entrypoint/certbot.sh | 28 ---------- entrypoint/entrypoint.sh | 7 +-- entrypoint/jobs.sh | 35 ++++++++++--- entrypoint/post-jobs.sh | 59 --------------------- entrypoint/pre-jobs.sh | 80 ----------------------------- examples/swarm-redis/1-config.yml | 38 ++++++++++++++ examples/swarm-redis/2-nginx.yml | 51 ++++++++++++++++++ examples/swarm-redis/3-services.yml | 42 +++++++++++++++ helpers/install.sh | 22 +++++--- jobs/CertbotNew.py | 2 +- jobs/GeoIP.py | 2 +- jobs/Job.py | 10 ++-- jobs/Proxies.py | 2 +- jobs/main.py | 25 +++++++-- jobs/reload.py | 34 ++++++++---- jobs/requirements.txt | 1 + misc/cron | 14 ++--- scripts/abusers.sh | 55 -------------------- scripts/certbot-new.sh | 9 ---- scripts/certbot-renew-hook.sh | 24 --------- scripts/certbot-renew.sh | 21 -------- scripts/exit-nodes.sh | 54 ------------------- scripts/geoip.sh | 51 ------------------ scripts/proxies.sh | 55 -------------------- scripts/referrers.sh | 57 -------------------- scripts/user-agents.sh | 57 -------------------- settings.json | 22 +++++++- tests/linux.sh | 22 +++++--- 31 files changed, 303 insertions(+), 628 deletions(-) delete mode 100644 entrypoint/certbot.sh delete mode 100644 entrypoint/post-jobs.sh delete mode 100644 entrypoint/pre-jobs.sh create mode 100644 examples/swarm-redis/1-config.yml create mode 100644 examples/swarm-redis/2-nginx.yml create mode 100644 examples/swarm-redis/3-services.yml delete mode 100755 scripts/abusers.sh delete mode 100644 scripts/certbot-new.sh delete mode 100644 scripts/certbot-renew-hook.sh delete mode 100644 scripts/certbot-renew.sh delete mode 100644 scripts/exit-nodes.sh delete mode 100644 scripts/geoip.sh delete mode 100755 scripts/proxies.sh delete mode 100755 scripts/referrers.sh delete mode 100755 
scripts/user-agents.sh diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf index 18e9449..d765985 100644 --- a/confs/global/init-lua.conf +++ b/confs/global/init-lua.conf 
@@ -4,30 +4,34 @@ local dataloader = require "dataloader" local logger = require "logger" local cjson = require "cjson" +local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%} + local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%} local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%} local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%} local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%} local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%} -if use_proxies then - dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) -end +if not use_redis then + if use_proxies then + dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data) + end -if use_abusers then - dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data) -end + if use_abusers then + dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data) + end -if use_tor_exit_nodes then - dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data) -end + if use_tor_exit_nodes then + dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data) + end -if use_user_agents then - dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data) -end + if use_user_agents then + dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data) + end -if use_referrers then - dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data) + if use_referrers then + dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data) + end end -- Load plugins diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index 65aee58..9e22c2a 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf 
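Review bot: With `use_redis` true the new guard skips every `dataloader.load_*` call, so the `ngx.shared.*_data` dicts stay empty, while the request-phase code in main-lua.conf in this same commit still reads `ngx.shared.proxies_data:get(...)` right after creating the Redis client; unless a Redis lookup replaces those reads somewhere outside this diff, setting USE_REDIS=yes silently turns the proxies/abusers/Tor/user-agent/referrer checks into no-ops (fail-open). The guard deserves a comment naming the Redis-mode data source, e.g. `-- Redis mode: jobs/main.py writes the lists to Redis, nothing is loaded into the shared dicts here`, and the per-request checks should be confirmed to query Redis in that mode. The enclosing init block continues past the hunk.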
@@ -6,13 +6,9 @@ load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so; load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; -#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; -# run in foreground -# daemon off; - # PID file pid /tmp/nginx.pid; diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index 08cf91a..87efd8e 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf @@ -15,6 +15,10 @@ end -- let's encrypt local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif +%} +-- redis +local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%} +local redis_host = "{{ REDIS_HOST }}" + -- external blacklists local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif +%} local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif +%} @@ -64,6 +68,7 @@ local recaptcha = require "recaptcha" local iputils = require "resty.iputils" local behavior = require "behavior" local logger = require "logger" +local redis = require "resty.redis" -- user variables local antibot_uri = "{{ ANTIBOT_URI }}" @@ -139,6 +144,17 @@ if use_bad_behavior and behavior.is_banned() then ngx.exit(ngx.HTTP_FORBIDDEN) end +-- our redis client +local redis_client = nil +if use_redis then + redis_client = redis:new() + local ok, err = redis_client:connect(redis_host, 6379) + if not ok then + redis_client = nil + logger.log(ngx.ERR, "REDIS", "Can't connect to the Redis service " .. redis_host) + end +end + -- check if IP is in proxies list if use_proxies then local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr)) 
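Review bot: In the third main-lua.conf hunk the new client calls `redis_client:connect(redis_host, 6379)` with no socket timeout, so an unreachable Redis host stalls every request for the cosocket default connect timeout instead of failing fast, and the connection is neither authenticated nor handed back with `set_keepalive`, so each request opens a fresh TCP connection. The connect error is captured in `err` but never logged. Add `redis_client:set_timeout(1000)` before the connect (value to tune) and log the cause with `logger.log(ngx.ERR, "REDIS", "Can't connect to the Redis service " .. redis_host .. " : " .. tostring(err))`; the port is hard-coded while the host is templated from REDIS_HOST, so a matching port setting would be consistent. Whether a nil `redis_client` later fails open or closed is decided by code after the hunk.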
diff --git a/entrypoint/certbot.sh b/entrypoint/certbot.sh deleted file mode 100644 index cc8fad6..0000000 --- a/entrypoint/certbot.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then - first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1) - domains_lets_encrypt=$(echo "$SERVER_NAME" | sed "s/ /,/g") - EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}" - if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then - echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..." - /opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT" - fi -elif [ "$MULTISITE" = "yes" ] ; then - servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4) - for server in $servers ; do - lets_encrypt=$(grep "^AUTO_LETS_ENCRYPT=yes$" /etc/nginx/${server}/site.env) - if [ "$lets_encrypt" != "" ] && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then - server_name=$(grep "^SERVER_NAME=.*$" /etc/nginx/${server}/site.env | sed "s/SERVER_NAME=//" | sed "s/ /,/g") - echo "[*] Performing Let's Encrypt challenge for $server_name ..." - EMAIL_LETS_ENCRYPT=$(grep "^EMAIL_LETS_ENCRYPT=.*$" /etc/nginx/${server}/site.env | sed "s/EMAIL_LETS_ENCRYPT=//") - if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then - EMAIL_LETS_ENCRYPT="contact@${server}" - fi - /opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT" - fi - done -fi diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index ad0ea75..62df632 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh 
@@ -16,16 +16,13 @@ trap "trap_exit" TERM INT QUIT function trap_reload() { echo "[*] Catched reload operation" if [ "$SWARM_MODE" != "yes" ] ; then - /opt/bunkerized-nginx/entrypoint/pre-jobs.sh + /opt/bunkerized-nginx/entrypoint/jobs.sh fi if [ -f /tmp/nginx.pid ] ; then echo "[*] Reloading nginx ..." nginx -s reload if [ $? -eq 0 ] ; then echo "[*] Reload successfull" - if [ "$SWARM_MODE" != "yes" ] ; then - /opt/bunkerized-nginx/entrypoint/post-jobs.sh - fi else echo "[!] Reload failed" fi @@ -61,7 +58,7 @@ if [ ! -f "/etc/nginx/global.env" ] ; then # call the generator /opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env - # jobs + # call jobs /opt/bunkerized-nginx/entrypoint/jobs.sh fi else diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh index f255bf6..4459f8f 100644 --- a/entrypoint/jobs.sh +++ b/entrypoint/jobs.sh @@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}" fi - certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1) + /opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT" if [ $? -eq 0 ] ; then echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')" else 
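Review bot: `trap_reload` now runs jobs.sh synchronously and then `nginx -s reload`, but every job started through jobs/main.py already ends with its own reload (`do_reload = True` in the jobs/main.py hunk of this commit), so a single reload signal can trigger up to seven nginx reloads before the final one; the trap also ignores the exit status of the jobs.sh call. Consider a way for main.py to skip its reload when driven from the entrypoint, and at least log a failure after the call, e.g. `/opt/bunkerized-nginx/entrypoint/jobs.sh || echo "[!] Jobs failed"`.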
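Review bot: The replaced certbot-new line in jobs.sh no longer captures `certbot_output`, yet the `else` branch that follows the hunk printed `$certbot_output` in the identical block of the deleted pre-jobs.sh; if jobs.sh's branch is unchanged it now reports an empty error and certbot's stderr goes straight to the entrypoint's stdout. Either restore the capture, `certbot_output=$(/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT" 2>&1)`, or drop the variable from the message. `$SERVER_NAME` is also unquoted inside `echo -n`, so a glob character in a server name would be expanded against the working directory.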
@@ -70,11 +70,30 @@ fi # GeoIP if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then - if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then - echo "[*] Copying cached geoip.mmdb ..." - cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb - elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then - echo "[*] Downloading GeoIP database ..." - /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1 - fi + /opt/bunkerized-nginx/jobs/main.py --name geoip +fi + +# User-Agents +if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then + /opt/bunkerized-nginx/jobs/main.py --name user-agents +fi + +# Referrers +if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then + /opt/bunkerized-nginx/jobs/main.py --name referrers +fi + +# exit nodes +if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then + /opt/bunkerized-nginx/jobs/main.py --name exit-nodes +fi + +# proxies +if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then + /opt/bunkerized-nginx/jobs/main.py --name proxies +fi + +# abusers +if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then + /opt/bunkerized-nginx/jobs/main.py --name abusers fi diff --git a/entrypoint/post-jobs.sh b/entrypoint/post-jobs.sh deleted file mode 100644 index 85d6309..0000000 --- a/entrypoint/post-jobs.sh +++ /dev/null 
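Review bot: None of the six new `jobs/main.py --name …` calls checks its exit status, unlike the certbot-new block just above which tests `$?`, so a failed download or reload at startup is silent and a blocking feature can come up with an empty or stale list in /etc/nginx. The calls also pass no Redis host although main.py accepts one (`redis_host=args.redis`), so in the new USE_REDIS deployments these jobs would write files rather than Redis unless main.py reads REDIS_HOST from the environment outside this diff. Wrap each call as `/opt/bunkerized-nginx/jobs/main.py --name geoip || echo "[!] Job geoip failed"` (and likewise for the others), and decide where the Redis host gets injected. The old post-jobs.sh ran these downloads in the background; running them in the foreground here delays nginx start by the sum of all downloads, which may be intended but deserves a comment.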
@@ -1,59 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -# User-Agents -if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then - if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then - echo "[*] Copying cached user-agents.list ..." - cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list - elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then - echo "[*] Downloading bad user-agent list (in background) ..." - /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 & - fi -fi - -# Referrers -if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then - if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then - echo "[*] Copying cached referrers.list ..." - cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list - elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then - echo "[*] Downloading bad referrer list (in background) ..." - /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 & - fi -fi - -# exit nodes -if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then - if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then - echo "[*] Copying cached tor-exit-nodes.list ..." - cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list - elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then - echo "[*] Downloading tor exit nodes list (in background) ..." - /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 & - fi -fi - -# proxies -if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then - if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then - echo "[*] Copying cached proxies.list ..." 
- cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list - elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then - echo "[*] Downloading proxies list (in background) ..." - /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 & - fi -fi - -# abusers -if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then - if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then - echo "[*] Copying cached abusers.list ..." - cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list - elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then - echo "[*] Downloading abusers list (in background) ..." - /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 & - fi -fi diff --git a/entrypoint/pre-jobs.sh b/entrypoint/pre-jobs.sh deleted file mode 100644 index 2ddf05f..0000000 --- a/entrypoint/pre-jobs.sh +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -# self signed certs for sites -files=$(has_value GENERATE_SELF_SIGNED_SSL yes) -if [ "$files" != "" ] ; then - for file in $files ; do - site=$(echo $file | cut -f 4 -d '/') - dest="/etc/nginx/" - if [ "$site" != "site.env" ] ; then - dest="${dest}/${site}/" - fi - SELF_SIGNED_SSL_EXPIRY="$(sed -nE 's/^SELF_SIGNED_SSL_EXPIRY=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_COUNTRY="$(sed -nE 's/^SELF_SIGNED_SSL_COUNTRY=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_STATE="$(sed -nE 's/^SELF_SIGNED_SSL_STATE=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_CITY="$(sed -nE 's/^SELF_SIGNED_SSL_CITY=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)" - SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)" - openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days "$SELF_SIGNED_SSL_EXPIRY" -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1) - if [ $? -eq 0 ] ; then - echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem" - else - echo "[!] Error while generating self-signed certificate : $openssl_output" - fi - done -fi - -# self signed cert for default server -if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] ; then - SELF_SIGNED_SSL_EXPIRY="999" - SELF_SIGNED_SSL_COUNTRY="US" - SELF_SIGNED_SSL_STATE="Utah" - SELF_SIGNED_SSL_CITY="Lehi" - SELF_SIGNED_SSL_ORG="Your Company, Inc." 
- SELF_SIGNED_SSL_OU="IT" - SELF_SIGNED_SSL_CN="www.yourdomain.com" - openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1) - if [ $? -eq 0 ] ; then - echo "[*] Generated self-signed certificate for default server" - else - echo "[!] Error while generating self-signed certificate for default server : $openssl_output" - fi -fi - -# certbot -files=$(has_value AUTO_LETS_ENCRYPT yes) -if [ "$files" != "" ] ; then - for file in $files ; do - if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then - continue - fi - SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)" - FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)" - EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)" - if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then - EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}" - fi - certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1) - if [ $? -eq 0 ] ; then - echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')" - else - echo "[*] Error while executing certbot new : $certbot_output" - fi - done -fi - - -# GeoIP -if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then - if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then - echo "[*] Copying cached geoip.mmdb ..." - cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb - elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then - echo "[*] Downloading GeoIP database ..." - /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1 - fi -fi diff --git a/examples/swarm-redis/1-config.yml b/examples/swarm-redis/1-config.yml new file mode 100644 index 0000000..ef92aca 
--- /dev/null +++ b/examples/swarm-redis/1-config.yml @@ -0,0 +1,38 @@ +version: '3.8' + +services: + + autoconf: + image: bunkerity/bunkerized-nginx-autoconf + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /shared/confs:/etc/nginx + - /shared/letsencrypt:/etc/letsencrypt + - /shared/acme-challenge:/acme-challenge + - /shared/cache:/cache + environment: + - SWARM_MODE=yes + - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx + networks: + - net_config + deploy: + replicas: 1 + placement: + constraints: + - "node.role==manager" + + redis: + image: redis:alpine + networks: + - net_config + deploy: + replicas: 1 + placement: + constraints: + - "node.role==worker" + +networks: + net_config: + external: true diff --git a/examples/swarm-redis/2-nginx.yml b/examples/swarm-redis/2-nginx.yml new file mode 100644 index 0000000..fa68ab9 --- /dev/null +++ b/examples/swarm-redis/2-nginx.yml 
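Review bot: The `redis` service runs the stock `redis:alpine` image with no `command` setting a password (`requirepass`) or ACL, and it sits on the shared `net_config` overlay together with autoconf and, per 2-nginx.yml, every nginx replica, so any container attached to that network can read or rewrite the blocklist keys the Lua side will trust. Add at least `command: ["redis-server", "--requirepass", "<CHANGE_ME>"]` with a matching auth step on the clients, or move Redis to a dedicated network; failing that, a comment such as `# Redis is unauthenticated in this example: keep net_config private` is the minimum for an example people copy. Redis also has no volume here, so the lists are lost on every restart until the next job run.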
@@ -0,0 +1,51 @@ +version: '3.8' + +services: + + nginx: + image: bunkerity/bunkerized-nginx + ports: + - published: 80 + target: 8080 + mode: host + protocol: tcp + - published: 443 + target: 8443 + mode: host + protocol: tcp + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly + volumes: + - /shared/confs:/etc/nginx:ro + - /shared/letsencrypt:/etc/letsencrypt:ro + - /shared/acme-challenge:/acme-challenge:ro + - /shared/www:/www:ro + - /shared/cache:/cache:ro + environment: + - SWARM_MODE=yes + - USE_API=yes + - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf + - MULTISITE=yes + - SERVER_NAME= + - AUTO_LETS_ENCRYPT=yes + - REDIRECT_HTTP_TO_HTTPS=yes + - DISABLE_DEFAULT_SERVER=yes + - USE_CLIENT_CACHE=yes + - USE_REDIS=yes + - REDIS_HOST=redis + networks: + - net_config + - net_services + deploy: + mode: global + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.AUTOCONF" + +networks: + net_config: + external: true + net_services: + external: true diff --git a/examples/swarm-redis/3-services.yml b/examples/swarm-redis/3-services.yml new file mode 100644 index 0000000..f985a35 --- /dev/null +++ b/examples/swarm-redis/3-services.yml 
@@ -0,0 +1,42 @@ +version: '3.8' + +services: + + app1: + image: php:fpm-alpine + volumes: + - /shared/www/app1.example.com:/www + networks: + - net_services + deploy: + replicas: 1 + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.SERVER_NAME=app1.example.com" + - "bunkerized-nginx.REMOTE_PHP=app1" + - "bunkerized-nginx.REMOTE_PHP_PATH=/www" + + app2: + image: phpmyadmin:apache + environment: + - PMA_ARBITRARY=1 + - PMA_ABSOLUTE_URI=https://app2.example.com + networks: + - net_services + deploy: + replicas: 1 + placement: + constraints: + - "node.role==worker" + labels: + - "bunkerized-nginx.SERVER_NAME=app2.example.com" + - "bunkerized-nginx.USE_PROXY_CACHE=yes" + - "bunkerized-nginx.USE_REVERSE_PROXY=yes" + - "bunkerized-nginx.REVERSE_PROXY_URL=/" + - "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2" + +networks: + net_services: + external: true diff --git a/helpers/install.sh b/helpers/install.sh index 00dd34e..8ce9edf 100755 --- a/helpers/install.sh +++ b/helpers/install.sh @@ -592,6 +592,12 @@ git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485 echo "[*] Install lua-resty-iputils" CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-iputils" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install +# Download and install lua-resty-redis +echo "[*] Clone openresty/lua-resty-redis" +git_secure_clone https://github.com/openresty/lua-resty-redis.git 91585affcd9a8da65cb664a5b1e926dde428095a +echo "[*] Install lua-resty-redis" +CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-redis" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install + # Download nginx and decompress sources echo "[*] Download nginx-${NGINX_VERSION}.tar.gz" do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" 
@@ -659,21 +665,25 @@ elif [ "$OS" = "alpine" ] ; then fi # Clone the repo -if [ "$OS" != "alpine" ] ; then +if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then echo "[*] Clone bunkerity/bunkerized-nginx" #CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 09a2a4f9e531b93684b0916a5146091a818501d3 # TODO : do a secure clone CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev # Docker build case : simply rename the sources -else +elif [ "$OS" == "alpine" ] ; then do_and_check_cmd mv /tmp/bunkerized-nginx-docker /tmp/bunkerized-nginx +# Tests case +else + do_and_check_cmd mv /tmp/bunkerized-nginx-test /tmp/bunkerized-nginx fi # Install Python dependencies echo "[*] Install python dependencies" do_and_check_cmd pip3 install --upgrade pip do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/gen/requirements.txt +do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/jobs/requirements.txt if [ "$OS" != "alpine" ] ; then do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/ui/requirements.txt fi @@ -691,11 +701,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/entrypoint /opt/bunkerized-nginx echo "[*] Copy configs" do_and_check_cmd cp -r /tmp/bunkerized-nginx/confs /opt/bunkerized-nginx -# Copy scripts -echo "[*] Copy scripts" -do_and_check_cmd cp -r /tmp/bunkerized-nginx/scripts /opt/bunkerized-nginx - -# Copy scripts +# Copy jobs echo "[*] Copy jobs" do_and_check_cmd cp -r /tmp/bunkerized-nginx/jobs /opt/bunkerized-nginx 
@@ -797,10 +803,10 @@ do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \; do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \; do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge -do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/* do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/* do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py +do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/reload.py # Set permissions for /usr/local/bin/bunkerized-nginx do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx diff --git a/jobs/CertbotNew.py b/jobs/CertbotNew.py index 55e22ad..bc2505f 100644 --- a/jobs/CertbotNew.py +++ b/jobs/CertbotNew.py @@ -1,6 +1,6 @@ from Job import Job -class CertbotRenew(Job) : +class CertbotNew(Job) : def __init__(self, redis_host=None, copy_cache=False, domain="", email="") : name = "certbot-new" diff --git a/jobs/GeoIP.py b/jobs/GeoIP.py index c163f79..dc1257f 100644 --- a/jobs/GeoIP.py +++ b/jobs/GeoIP.py @@ -15,7 +15,7 @@ class GeoIP(Job) : super().run() count = 0 with gzip.open("/etc/nginx/geoip.mmdb.gz", "rb") as f : - with open("/tmp/geoip.mmdb", "w") as f2 + with open("/tmp/geoip.mmdb", "w") as f2 : while True : chunk = f.read(8192) if not chunk : diff --git a/jobs/Job.py b/jobs/Job.py index f60c330..f9afc29 100644 --- a/jobs/Job.py +++ b/jobs/Job.py @@ -1,4 +1,4 @@ -import abc, requests, redis, os, datetime, traceback +import abc, requests, redis, os, datetime, traceback, re, shutil class Job(abc.ABC) : 
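Review bot: The repaired line in GeoIP.py still opens `/tmp/geoip.mmdb` in text mode (`"w"`) while `f` is a `gzip.open(..., "rb")` handle yielding `bytes` chunks, so the write that follows outside the hunk should fail on the first chunk with `TypeError: write() argument must be str, not bytes`; use `with open("/tmp/geoip.mmdb", "wb") as f2 :`. The missing colon is fixed, so the module now imports, but the job would still abort at run time if that write is unchanged.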
@@ -41,7 +41,7 @@ class Job(abc.ABC) : if self.__redis == None : if os.path.isfile("/tmp/" + self.__filename) : os.remove("/tmp/" + self.__filename) - file = open("/tmp/" + self.__filename, "a") + file = open("/tmp/" + self.__filename, "ab") elif self.__redis != None : pipe = self.__redis.pipeline() @@ -50,7 +50,7 @@ class Job(abc.ABC) : for url in self.__data : data = self.__download_data(url) for chunk in data : - if self.__type == "line" and not re.match(self.__regex, chunk) : + if self.__type == "line" and not re.match(self.__regex, chunk.decode("utf-8")) : continue count += 1 if self.__redis == None : @@ -67,7 +67,7 @@ class Job(abc.ABC) : os.remove("/tmp/" + self.__filename) elif self.__redis != None and count > 0 : - self.__redis.del(self.__redis.keys(self.__name + "_*")) + self.__redis.delete(self.__redis.keys(self.__name + "_*")) pipe.execute() def __download_data(self, url) : @@ -95,7 +95,7 @@ class Job(abc.ABC) : if self.__redis == None or self.__type == "file" : shutil.copyfile("/opt/bunkerized-nginx/cache/" + self.__filename, "/etc/nginx/" + self.__filename) elif self.__redis != None and self.__type == "line" : - self.__redis.del(self.__redis.keys(self.__name + "_*")) + self.__redis.delete(self.__redis.keys(self.__name + "_*")) with open("/opt/bunkerized-nginx/cache/" + self.__filename) as f : pipe = self.__redis.pipeline() while True : diff --git a/jobs/Proxies.py b/jobs/Proxies.py index 3295e94..e30793a 100644 --- a/jobs/Proxies.py +++ b/jobs/Proxies.py @@ -8,4 +8,4 @@ class Proxies(Job) : filename = "proxies.list" type = "line" regex = r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" - super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex; copy_cache=copy_cache) + super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex, copy_cache=copy_cache) diff --git a/jobs/main.py b/jobs/main.py index 00f33c6..b3ba08d 100644 --- a/jobs/main.py +++ b/jobs/main.py 
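Review bot: Both corrected calls `self.__redis.delete(self.__redis.keys(self.__name + "_*"))` (the `@@ -67` and `@@ -95` hunks of Job.py) pass the list returned by `keys()` as one positional argument; redis-py's `delete(*names)` expects the names unpacked, so this sends a single list-typed key and should raise a DataError, and an unpacked empty list would make `delete()` fail when nothing matches. Use `keys = self.__redis.keys(self.__name + "_*")` followed by `if keys : self.__redis.delete(*keys)` at both sites; `scan_iter` is the non-blocking alternative to `KEYS` if the instance is shared. The `chunk.decode("utf-8")` added in the `@@ -50` hunk raises on any non-UTF-8 byte from a remote list, so one bad line aborts the whole download; `chunk.decode("utf-8", errors="replace")` keeps the job going while the regex still rejects the garbled line.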
@@ -1,9 +1,13 @@ +#!/usr/bin/python3 + import argparse, sys sys.path.append("/opt/bunkerized-nginx/jobs") import Abusers, CertbotNew, CertbotRenew, ExitNodes, GeoIP, Proxies, Referrers, SelfSignedCert, UserAgents +from reload import reload + JOBS = { "abusers": Abusers.Abusers, "certbot-new": CertbotNew.CertbotNew, @@ -33,10 +37,12 @@ if __name__ == "__main__" : # Check job name if not args.name in JOBS : - print("[!] unknown job " + args.job) + print("[!] unknown job " + args.name) sys.exit(1) + job = args.name # Run job + print("[*] Executing job " + job) ret = 0 if job == "certbot-new" : instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, domain=args.domain, email=args.email) @@ -45,9 +51,18 @@ if __name__ == "__main__" : else : instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache) if not instance.run() : - print("[!] error while running job " + job) + print("[!] Error while running job " + job) sys.exit(1) - print("[*] job " + job + " successfully executed") - sys.exit(0) + print("[*] Job " + job + " successfully executed") - # TODO : reload + # Reload + # TODO : only reload if needed + do_reload = True + if do_reload : + if not reload() : + print("[!] Error while doing reload operation") + sys.exit(1) + print("[*] Reload operation successfully executed") + + # Done + sys.exit(0) diff --git a/jobs/reload.py b/jobs/reload.py index 3ba4fca..7661c90 100644 --- a/jobs/reload.py +++ b/jobs/reload.py 
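Review bot: The new reload block runs unconditionally (`do_reload = True`, as the TODO admits) and turns a successful job into `sys.exit(1)` when the reload fails, so a caller such as jobs.sh will report certbot-new as failed even though the certificate was issued. `Job.run()` already counts the entries it writes (`count` in Job.py), so returning that count and reloading only when it is non-zero would close the TODO, and a reload failure after a successful job is better signalled with a distinct code, e.g. `sys.exit(2)`, so the two cases can be told apart in jobs.log. A reload is also redundant on the entrypoint path, where trap_reload in entrypoint.sh reloads nginx itself right after jobs.sh returns.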
@@ -1,27 +1,41 @@ -import docker, subprocess, os, stat, sys +import docker, subprocess, os, stat, sys, traceback -if __name__ == "__main__" : +def reload() : # Linux or single Docker use case - if os.path.isfile("/usr/sbin/nginx") : + if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") : proc = subprocess.run(["/usr/sbin/nginx", "-s", "reload"], capture_output=True) if proc.returncode != 0 : - print("[!] can't reload nginx (status code = " + str(proc.returncode) + ")" + print("[!] Can't reload nginx (status code = " + str(proc.returncode) + ")") if len(proc.stdout.decode("ascii")) > 1 : print(proc.stdout.decode("ascii")) if len(proc.stderr.decode("ascii")) > 1 : print(proc.stderr.decode("ascii")) - sys.exit(1) + return False + return True # Autoconf case (Docker, Swarm and Ingress) - mode = os.stat("/tmp/autoconf.sock") - elif stat.S_ISSOCK(mode) : + if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock")) : client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect("/tmp/autoconf.sock") client.send("reload".encode("utf-8")) data = client.recv(512) client.close() - if not data or data.decode("utf-8") != "ok" : - sys.exit(2) + if not data or data.decode("utf-8") != "ok" : + print("[!] Can't reload nginx (data not ok)") + return False + return True - sys.exit(0) + return False + +if __name__ == "__main__" : + try : + print("[*] Starting reload operation ...") + if not reload() : + sys.exit(1) + print("[*] Reload operation successfully executed") + sys.exit(0) + except : + print("[!] Can't reload nginx (exception)") + print(traceback.format_exc()) + sys.exit(2) diff --git a/jobs/requirements.txt b/jobs/requirements.txt index 28bd01f..fea52b9 100644 --- a/jobs/requirements.txt +++ b/jobs/requirements.txt @@ -1,2 +1,3 @@ requests redis +docker diff --git a/misc/cron b/misc/cron index 99496ad..c064030 100644 --- a/misc/cron +++ b/misc/cron 
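Review bot: The autoconf branch of `reload()` calls `socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)`, but the rewritten import line `import docker, subprocess, os, stat, sys, traceback` does not import `socket`, so every Docker/Swarm/Ingress reload raises NameError, which the new bare `except :` in `__main__` reports only as "(exception)" and which main.py, calling `reload()` directly, does not catch at all. Change the import to `import subprocess, os, stat, sys, traceback, socket`; `docker` is not referenced anywhere in the rewritten file, so it can probably be dropped here. The socket client has no `settimeout`, so a hung autoconf blocks the job indefinitely, and `except :` should be `except Exception :` so SystemExit and KeyboardInterrupt are not swallowed.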
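Review bot: `docker` is added to jobs/requirements.txt without a version pin, like `requests` and `redis` before it, and helpers/install.sh in this commit installs the file at build time, so each image build pulls whatever is latest; pinning versions (ideally with `--require-hashes`) keeps builds reproducible and auditable. The rewritten reload.py in this commit does not reference the `docker` module, so the new line may not be needed at all.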
@@ -1,7 +1,7 @@
-15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1
-30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1
-45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1
-0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1
-0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1
-0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1
-0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
+15 0 * * * /opt/bunkerized-nginx/jobs/main.py --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * /opt/bunkerized-nginx/jobs/main.py --name user-agents >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * /opt/bunkerized-nginx/jobs/main.py --name referrers >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * /opt/bunkerized-nginx/jobs/main.py --name abusers >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * /opt/bunkerized-nginx/jobs/main.py --name proxies >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * /opt/bunkerized-nginx/jobs/main.py --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * /opt/bunkerized-nginx/jobs/main.py --name geoip >> /var/log/nginx/jobs.log 2>&1
diff --git a/scripts/abusers.sh b/scripts/abusers.sh
deleted file mode 100755
index 1ada947..0000000
--- a/scripts/abusers.sh
+++ /dev/null
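Review bot: The new cron entries invoke `jobs/main.py` for every list unconditionally, whereas the scripts they replace exited early when the feature was off (`has_value BLOCK_ABUSERS yes` in the deleted abusers.sh) or when SWARM_MODE=yes was set on an nginx node; unless main.py re-implements those guards outside this diff, every instance now downloads all five lists on schedule and reloads nginx for features it does not use, and on the swarm example's nginx nodes, where /etc/nginx and /cache are mounted read-only, the copy step would simply fail. The entries also pass no Redis host, the same gap as the jobs.sh calls. Output is appended to `/var/log/nginx/jobs.log` with no rotation, so in a long-running container that file grows without bound; a logrotate entry or a size cap is worth adding.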
@@ -1,55 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then - exit 0 -fi - -# copy old conf to cache -cp /etc/nginx/abusers.list /tmp/abusers.list.bak - -# generate the new conf -curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \ - grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/abusers.list - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# check if we have at least 1 line -lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)" -if [ "$lines" -gt 1 ] ; then - job_log "[BLACKLIST] abusers list updated ($lines entries)" - # reload nginx with the new config - cp /tmp/abusers.list /etc/nginx/abusers.list - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - # new config is ok : save it in the cache - if [ "$?" -eq 0 ] ; then - cp /tmp/abusers.list /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after abusers list update" - else - job_log "[NGINX] failed nginx reload after abusers list update fallback to old list" - #cp /tmp/abusers.list.bak /etc/nginx - $RELOAD > /dev/null 2>&1 - fi - else - cp /tmp/abusers.list /opt/bunkerized-nginx/cache - fi -else - job_log "[BLACKLIST] can't update abusers list" -fi - -rm -f /tmp/abusers.list 2> /dev/null -rm -f /tmp/abusers.list.bak 2> /dev/null - diff --git a/scripts/certbot-new.sh b/scripts/certbot-new.sh deleted file mode 100644 index eafd9a4..0000000 --- a/scripts/certbot-new.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/bin/bash - -# generate certificate -certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos -if [ "$?" -ne 0 ] ; then - exit 1 -fi - -exit 0 diff --git a/scripts/certbot-renew-hook.sh b/scripts/certbot-renew-hook.sh deleted file mode 100644 index 0b16d3d..0000000 --- a/scripts/certbot-renew-hook.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -job_log "[CERTBOT] certificates have been renewed" - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# reload nginx -if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - if [ "$?" -eq 0 ] ; then - job_log "[NGINX] successfull nginx reload after certbot renew" - else - job_log "[NGINX] failed nginx reload after certbot renew" - fi -fi diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh deleted file mode 100644 index 84faae4..0000000 --- a/scripts/certbot-renew.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then - exit 0 -fi - -# ask new certificates if needed -certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh - -if [ "$?" -eq 0 ] ; then - job_log "[CERTBOT] renew operation done" -else - job_log "[CERTBOT] renew operation failed" -fi diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh deleted file mode 100644 index 6f7cbe4..0000000 --- a/scripts/exit-nodes.sh +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then - exit 0 -fi - -# copy old conf to cache -cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak - -# generate the new conf -curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \ - grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/tor-exit-nodes.list - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# check if we have at least 1 line -lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)" -if [ "$lines" -gt 1 ] ; then - job_log "[BLACKLIST] TOR exit node list updated ($lines entries)" - # reload nginx with the new config - cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - # new config is ok : save it in the cache - if [ "$?" -eq 0 ] ; then - cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after TOR exit node list update" - else - job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list" - #cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list - $RELOAD > /dev/null 2>&1 - fi - else - cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache - fi -else - job_log "[BLACKLIST] can't update TOR exit node list" -fi - -rm -f /tmp/tor-exit-nodes.list 2> /dev/null -rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null diff --git a/scripts/geoip.sh b/scripts/geoip.sh deleted file mode 100644 index 78bb6ff..0000000 --- a/scripts/geoip.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLACKLIST_COUNTRY ".\+")" = "" ] && [ "$(has_value WHITELIST_COUNTRY ".\+")" = "" ] ; then - exit 0 -fi - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# MMDB from https://db-ip.com/db/download/ip-to-country-lite -URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz" -wget -O /tmp/geoip.mmdb.gz "$URL" > /dev/null 2>&1 -if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then - gunzip -f /tmp/geoip.mmdb.gz > /dev/null 2>&1 - if [ "$?" -ne 0 ] ; then - job_log "[GEOIP] can't extract DB from $URL" - exit 1 - fi - mv /tmp/geoip.mmdb /etc/nginx - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - if [ "$?" -eq 0 ] ; then - cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after GeoIP DB update" - else - job_log "[NGINX] failed nginx reload after GeoIP DB update" - if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then - cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb - $RELOAD > /dev/null 2>&1 - fi - fi - else - cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache - fi -else - job_log "[GEOIP] can't download DB from $URL" -fi - -rm -f /tmp/geoip* 2> /dev/null diff --git a/scripts/proxies.sh b/scripts/proxies.sh deleted file mode 100755 index c16f22d..0000000 --- a/scripts/proxies.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then - exit 0 -fi - -# copy old conf to cache -cp /etc/nginx/proxies.list /tmp/proxies.list.bak - -# generate the new conf -curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \ - grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/proxies.list - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# check if we have at least 1 line -lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)" -if [ "$lines" -gt 1 ] ; then - job_log "[BLACKLIST] proxies list updated ($lines entries)" - # reload nginx with the new config - cp /tmp/proxies.list /etc/nginx/proxies.list - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - # new config is ok : save it in the cache - if [ "$?" -eq 0 ] ; then - cp /tmp/proxies.list /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after proxies list update" - else - job_log "[NGINX] failed nginx reload after proxies list update fallback to old list" - #cp /tmp/proxies.list.bak /etc/nginx - $RELOAD > /dev/null 2>&1 - fi - else - cp /tmp/proxies.list /opt/bunkerized-nginx/cache - fi -else - job_log "[BLACKLIST] can't update proxies list" -fi - -rm -f /tmp/proxies.list 2> /dev/null -rm -f /tmp/proxies.list.bak 2> /dev/null - diff --git a/scripts/referrers.sh b/scripts/referrers.sh deleted file mode 100755 index c37d527..0000000 --- a/scripts/referrers.sh +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then - exit 0 -fi - -# save old conf -cp /etc/nginx/referrers.list /tmp/referrers.list.bak - -# generate new conf -BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')" -if [ "$?" -ne 0 ] ; then - job_log "[BLACKLIST] can't update referrers list" - echo -n "" > /tmp/referrers.list -else - echo -e "$BLACKLIST" > /tmp/referrers.list -fi - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# check number of lines -lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)" -if [ "$lines" -gt 1 ] ; then - cp /tmp/referrers.list /etc/nginx/referrers.list - job_log "[BLACKLIST] referrers list updated ($lines entries)" - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - if [ "$?" -eq 0 ] ; then - cp /tmp/referrers.list /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after referrers list update" - else - #cp /tmp/referrers.list.bak /etc/nginx - job_log "[NGINX] failed nginx reload after referrers list update fallback to old list" - $RELOAD > /dev/null 2>&1 - fi - else - cp /tmp/referrers.list /opt/bunkerized-nginx/cache - fi -else - job_log "[BLACKLIST] can't update referrers list" -fi - -rm -f /tmp/referrers.list 2> /dev/null -rm -f /tmp/referrers.list.bak 2> /dev/null diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh deleted file mode 100755 index cd8c2a4..0000000 --- a/scripts/user-agents.sh +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash - -# load some functions -. /opt/bunkerized-nginx/entrypoint/utils.sh - -if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then - exit 0 -fi - -if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then - exit 0 -fi - -# save old conf -cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak - -# generate new conf -BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')" -if [ "$?" -ne 0 ] ; then - job_log "[BLACKLIST] can't update user-agent list" - echo -n "" > /tmp/user-agents.list -else - echo -e "$BLACKLIST" > /tmp/user-agents.list -fi - -# if we are running nginx -if [ -f /tmp/nginx.pid ] ; then - RELOAD="/usr/sbin/nginx -s reload" -# if we are in autoconf -elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then - RELOAD="/opt/entrypoint/reload.py" -fi - -# check number of lines -lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)" -if [ "$lines" -gt 1 ] ; then - cp /tmp/user-agents.list /etc/nginx/user-agents.list - job_log "[BLACKLIST] user-agent list updated ($lines entries)" - if [ "$RELOAD" != "" ] ; then - $RELOAD > /dev/null 2>&1 - if [ "$?" -eq 0 ] ; then - cp /tmp/user-agents.list /opt/bunkerized-nginx/cache - job_log "[NGINX] successfull nginx reload after user-agent list update" - else - #cp /tmp/user-agents.list.bak /etc/nginx - job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list" - $RELOAD > /dev/null 2>&1 - fi - else - cp /tmp/user-agents.list /opt/bunkerized-nginx/cache - fi -else - job_log "[BLACKLIST] can't update user-agent list" -fi - -rm -f /tmp/user-agents.list 2> /dev/null -rm -f /tmp/user-agents.list.bak 2> /dev/null 
diff --git a/settings.json b/settings.json index 6a5023f..f7b35e2 100644 --- a/settings.json +++ b/settings.json @@ -1153,8 +1153,8 @@ } ] }, - "API": { - "id": "api", + "Internal": { + "id": "internal", "params": [ { "context": "global", @@ -1191,6 +1191,24 @@ "label": "Swarm mode", "regex": "^(yes|no)$", "type": "checkbox" + }, + { + "context": "global", + "default": "no", + "env": "USE_REDIS", + "id": "use-redis", + "label": "Use external redis when coupled with autoconf", + "regex": "^(yes|no)$", + "type": "checkbox" + }, + { + "context": "global", + "default": "", + "env": "REDIS_HOST", + "id": "redis-host", + "label": "Hostname/IP of the Redis service", + "regex": "^[A-Za-z0-9\\-\\.\\_]+$", + "type": "text" } ] }, diff --git a/tests/linux.sh b/tests/linux.sh index cc9d5a1..112e1cd 100755 --- a/tests/linux.sh +++ b/tests/linux.sh @@ -19,7 +19,15 @@ docker cp helpers/install.sh "$id:/tmp" if [ $? -ne 0 ] ; then echo "[!] docker cp failed" cleanup "$id" - exit 4 + exit 2 +fi + +echo "[*] Copy bunkerized-nginx" +docker cp . "$id:/tmp/bunkerized-nginx-test" +if [ $? -ne 0 ] ; then + echo "[!] docker cp failed" + cleanup "$id" + exit 3 fi echo "[*] Exec install.sh" @@ -27,7 +35,7 @@ docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh' if [ $? -ne 0 ] ; then echo "[!] docker exec failed" cleanup "$id" - exit 5 + exit 4 fi echo "[*] Exec nginx -V" @@ -35,7 +43,7 @@ docker exec "$id" nginx -V if [ $? -ne 0 ] ; then echo "[!] docker exec failed" cleanup "$id" - exit 6 + exit 5 fi echo "[*] Copy variables.env" @@ -43,7 +51,7 @@ docker cp "tests/variables.env" "$id:/opt/bunkerized-nginx" if [ $? -ne 0 ] ; then echo "[!] docker cp failed" cleanup "$id" - exit 7 + exit 6 fi echo "[*] Copy index.html" @@ -51,7 +59,7 @@ docker cp "tests/index.html" "$id:/opt/bunkerized-nginx/www" if [ $? -ne 0 ] ; then echo "[!] docker cp failed" cleanup "$id" - exit 8 + exit 7 fi echo "[*] Exec bunkerized-nginx" 
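Review bot: The `REDIS_HOST` regex `^[A-Za-z0-9\\-\\.\\_]+$` rejects IPv6 literals and any `host:port` form even though the label promises a "Hostname/IP", and the hunk adds no companion setting for a Redis port, password or TLS, so the link to the external Redis is presumably unauthenticated and in cleartext unless the job code handles that elsewhere — confirm before documenting swarm-redis as a supported deployment, because anything that can reach that Redis port can then rewrite the shared blocklist state. If only bare hostnames and IPv4 addresses are intended, make the label say so: `"label": "Hostname or IPv4 address of the Redis service (no port)"`. Otherwise widen the pattern to `"regex": "^[A-Za-z0-9\\-\\.\\_:]+$"` and add a credential setting next to it so operators are not left with an open Redis as the only working configuration.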
@@ -59,7 +67,7 @@ docker exec "$id" bunkerized-nginx if [ $? -ne 0 ] ; then echo "[!] docker exec failed" cleanup "$id" - exit 9 + exit 8 fi echo "[*] Exec curl" @@ -67,7 +75,7 @@ res="$(curl -s -H "User-Agent: LegitOne" http://localhost/)" if [ $? -ne 0 ] || [ "$res" != "ok" ] ; then echo "[!] curl failed" cleanup "$id" - exit 10 + exit 9 fi cleanup "$id"