From e19a7c693dbf969b8da0dec5b53da0cde5637a96 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Wed, 21 Oct 2020 23:28:48 +0200 Subject: [PATCH] run master nginx process as non-root user --- Dockerfile | 7 +++++-- Dockerfile-amd64 | 8 ++++++-- Dockerfile-arm32v7 | 7 +++++-- Dockerfile-arm64v8 | 7 +++++-- Dockerfile-i386 | 7 +++++-- compile.sh | 2 +- confs/auto-lets-encrypt.conf | 7 ------- confs/https.conf | 2 +- confs/nginx.conf | 31 +++++++++++++++++++------------ confs/server.conf | 1 - entrypoint.sh | 31 +++++++++++++++++++++++++++---- scripts/abusers.sh | 2 +- scripts/certbot-renew.sh | 16 ++++++++++------ scripts/exit-nodes.sh | 2 +- scripts/geoip.sh | 2 +- scripts/proxies.sh | 2 +- scripts/user-agents.sh | 2 +- 17 files changed, 89 insertions(+), 47 deletions(-) delete mode 100644 confs/auto-lets-encrypt.conf diff --git a/Dockerfile b/Dockerfile index 5f53f19..8123f1c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,10 +15,13 @@ COPY lua/ /opt/lua RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \ - mkdir /opt/entrypoint.d + mkdir /opt/entrypoint.d && \ + rm -f /var/log/nginx/* && \ + chown root:nginx /var/log/nginx && \ + chmod 770 /var/log/nginx VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp 8443/tcp ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 4734e71..729ae3c 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 
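Review bot: The new `EXPOSE 8080/tcp 8443/tcp` line carries no explanation of why the ports moved, and nothing in the patch tells an operator that host ports 80/443 now have to be published to 8080/8443 both for traffic and for the ACME HTTP-01 challenge that entrypoint.sh now answers on 8080; add `# the nginx master runs unprivileged and cannot bind ports below 1024: publish host 80->8080 and 443->8443` above it. The same hunk is repeated in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386, and Dockerfile-amd64 alone adds a stray blank line after `chmod 770 /var/log/nginx` (its hunk is +14 where the others are +13), so the five RUN blocks no longer stay byte-identical. `chmod 770 /var/log/nginx` is what an unprivileged master needs to create its log files, but because the workers now share the master's uid it also lets them remove or replace anything in that directory; if that trade-off is intended, a one-line comment saying so would save the next reader from "fixing" it.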
@@ -15,10 +15,14 @@ COPY lua/ /opt/lua RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \ - mkdir /opt/entrypoint.d + mkdir /opt/entrypoint.d && \ + rm -f /var/log/nginx/* && \ + chown root:nginx /var/log/nginx && \ + chmod 770 /var/log/nginx + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp 8443/tcp ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index 766a494..3618766 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -22,10 +22,13 @@ COPY lua/ /opt/lua RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \ - mkdir /opt/entrypoint.d + mkdir /opt/entrypoint.d && \ + rm -f /var/log/nginx/* && \ + chown root:nginx /var/log/nginx && \ + chmod 770 /var/log/nginx VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp 8443/tcp ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index b8ad12b..ea04c5a 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -22,10 +22,13 @@ COPY lua/ /opt/lua RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \ - mkdir /opt/entrypoint.d + mkdir /opt/entrypoint.d && \ + rm -f /var/log/nginx/* && \ + chown root:nginx /var/log/nginx && \ + chmod 770 /var/log/nginx VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp 8443/tcp ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/Dockerfile-i386 b/Dockerfile-i386 index 2bdd9e0..0c5a148 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 
@@ -15,10 +15,13 @@ COPY lua/ /opt/lua RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \ - mkdir /opt/entrypoint.d + mkdir /opt/entrypoint.d && \ + rm -f /var/log/nginx/* && \ + chown root:nginx /var/log/nginx && \ + chmod 770 /var/log/nginx VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp 8443/tcp ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/compile.sh b/compile.sh index cadc7cf..7bcea13 100644 --- a/compile.sh +++ b/compile.sh @@ -122,7 +122,7 @@ CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os} ./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module make -j $NTASK modules -cp ./objs/*.so /usr/local/nginx/modules/ +cp ./objs/*.so /usr/lib/nginx/modules # remove build dependencies apk del build diff --git a/confs/auto-lets-encrypt.conf b/confs/auto-lets-encrypt.conf deleted file mode 100644 index 9e6edf6..0000000 --- a/confs/auto-lets-encrypt.conf +++ /dev/null @@ -1,7 +0,0 @@ -listen 0.0.0.0:443 ssl %HTTP2%; -ssl_certificate /etc/letsencrypt/live/%FIRST_SERVER_NAME%/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/%FIRST_SERVER_NAME%/privkey.pem; -ssl_protocols TLSv1.3; -ssl_prefer_server_ciphers off; -ssl_session_tickets off; -%STRICT_TRANSPORT_SECURITY% diff --git a/confs/https.conf b/confs/https.conf index 6a094f7..412538a 100644 --- a/confs/https.conf +++ b/confs/https.conf @@ -1,4 +1,4 @@ -listen 0.0.0.0:443 ssl %HTTP2%; +listen 0.0.0.0:8443 ssl %HTTP2%; ssl_certificate %HTTPS_CERT%; ssl_certificate_key %HTTPS_KEY%; ssl_protocols TLSv1.3; 
diff --git a/confs/nginx.conf b/confs/nginx.conf index b931e46..e642d0b 100644 --- a/confs/nginx.conf +++ b/confs/nginx.conf @@ -1,18 +1,18 @@ # /etc/nginx/nginx.conf # load dynamic modules -load_module /usr/local/nginx/modules/ngx_http_cookie_flag_filter_module.so; -load_module /usr/local/nginx/modules/ngx_http_geoip2_module.so; -load_module /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so; -load_module /usr/local/nginx/modules/ngx_http_lua_module.so; -load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so; -load_module /usr/local/nginx/modules/ngx_stream_geoip2_module.so; +load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so; +load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so; +load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; +load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; +load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; +load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so; # run as daemon daemon on; -# do NOT run as root -user nginx; +# PID file +pid /tmp/nginx.pid; # worker number = CPU core(s) worker_processes auto; @@ -51,6 +51,17 @@ http { # maximum request body size client_max_body_size %MAX_CLIENT_SIZE%; + # write logs to local syslog + access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined; + error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn; + + # temp paths + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + # load caching custom config include /etc/nginx/cache.conf; 
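Review bot: `pid /tmp/nginx.pid;` and the five `*_temp_path /tmp/...` directives place the master's pid file and the request-body spool in the world-writable /tmp, and the root-run cron scripts in this patch later read that pid file to decide which process `nginx -s reload` signals. A directory owned by the nginx user and writable by nobody else (the pre-patch `/run/nginx` chowned to nginx in the entrypoint, or a dedicated `/var/lib/nginx/tmp`) keeps any other uid in the container from pre-creating or replacing those paths; nginx creates the temp directories itself at startup, so only the parent has to exist and belong to nginx. Since `user nginx;` is gone the workers now run under the master's uid, so master/worker privilege separation is lost — worth stating in the comment that replaces `# do NOT run as root`, e.g. `# master runs unprivileged (started via su in entrypoint.sh); workers share its uid`. The second nginx.conf hunk only moves the two syslog `access_log`/`error_log` lines up and needs nothing.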
@@ -72,10 +83,6 @@ http { # get real IP address if behind a reverse proxy %PROXY_REAL_IP% - # write logs to local syslog - access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined; - error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn; - # lua path and dicts lua_package_path "/usr/local/lib/lua/?.lua;;"; %WHITELIST_IP_CACHE% diff --git a/confs/server.conf b/confs/server.conf index 61012a6..0569bfb 100644 --- a/confs/server.conf +++ b/confs/server.conf @@ -1,6 +1,5 @@ server { include /server-confs/*.conf; - set $session_secret %ANTIBOT_SESSION_SECRET%; include /etc/nginx/main-lua.conf; %LISTEN_HTTP% %USE_HTTPS% diff --git a/entrypoint.sh b/entrypoint.sh index e6119c2..afece93 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -323,7 +323,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then /opt/scripts/certbot-renew.sh else - certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos + certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080 fi echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then @@ -340,7 +340,7 @@ else fi if [ "$LISTEN_HTTP" = "yes" ] ; then - replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;" + replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;" else replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "" fi @@ -621,8 +621,6 @@ fi crond # start nginx -echo "[*] Running nginx ..." -/usr/sbin/nginx if [ ! -f "/var/log/access.log" ] ; then touch /var/log/access.log fi 
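Review bot: Dropping `set $session_secret %ANTIBOT_SESSION_SECRET%;` from server.conf is not explained by the commit message (running the master as non-root) and nothing else in the patch replaces it. If the Lua code pulled in by the following `include /etc/nginx/main-lua.conf;` still derives its session key from that variable, antibot sessions now fall back to whatever default the session library uses, which would be a security regression rather than a cleanup; either restore the line or state in the commit why the secret is no longer needed. `main-lua.conf` and the Lua side are outside this patch, so this is inferred from the diff alone.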
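Review bot: `--http-01-port 8080` only changes the port certbot's standalone responder binds to inside the container; the CA still connects to port 80 of the public address, so issuance now silently depends on the host publishing 80->8080, and that requirement is stated nowhere. Add a comment above the certbot line: `# nginx is not up yet; certbot answers HTTP-01 on 8080 because the master is unprivileged - host port 80 must be mapped to it`. The enclosing if/elif chain starts and ends outside this hunk.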
@@ -633,6 +631,31 @@ if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then touch /var/log/php.log fi +# modsec logs +touch /var/log/modsec_audit.log +chown root:nginx /var/log/modsec_audit.log +chmod 760 /var/log/modsec_audit.log + +# nginx default error log +touch /var/log/nginx/error.log +chown root:nginx /var/log/nginx/error.log +chmod 760 /var/log/nginx/error.log + +# nginx configs (and modules through the symlink) +chown -R root:nginx /etc/nginx/ +chmod -R 740 /etc/nginx/ +find /etc/nginx -type d -exec chmod 750 {} \; + +# let's encrypt +if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then + chown -R root:nginx /etc/letsencrypt + chmod -R 740 /etc/letsencrypt + find /etc/letsencrypt -type d -exec chmod 750 {} \; +fi + +echo "[*] Running nginx ..." +su -s "/usr/sbin/nginx" nginx + # start fail2ban if [ "$USE_FAIL2BAN" = "yes" ] ; then fail2ban-server > /dev/null diff --git a/scripts/abusers.sh b/scripts/abusers.sh index 7c94084..f6ac8c9 100755 --- a/scripts/abusers.sh +++ b/scripts/abusers.sh @@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v while read entry ; do echo "deny ${entry};" >> /etc/nginx/block-abusers.conf done -if [ -f /run/nginx/nginx.pid ] ; then +if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh index 3c7d09d..9ae1444 100644 --- a/scripts/certbot-renew.sh +++ b/scripts/certbot-renew.sh @@ -9,9 +9,9 @@ function replace_in_file() { # check if HTTP enabled # and disable it temporarily if needed -if grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then - replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:80;" "#listen 0.0.0.0:80;" - if [ -f /run/nginx/nginx.pid ] ; then +if grep -q "listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then + replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:8080;" "#listen 0.0.0.0:8080;" + if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload sleep 10 fi 
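Review bot: The permission fix-up that precedes `su -s "/usr/sbin/nginx" nginx` covers `/etc/letsencrypt` only when `AUTO_LETS_ENCRYPT` is yes; the `USE_CUSTOM_HTTPS` branch earlier in this script points `%HTTPS_CERT%`/`%HTTPS_KEY%` at operator-supplied files whose mode is never adjusted, so a key that was readable only by root (the previous master's uid) would now make the unprivileged master fail during SSL setup — mirror the chown/chmod for those two paths in that branch. The comment `# nginx configs (and modules through the symlink)` is probably wrong: `chown -R` and `chmod -R` do not descend through the `/etc/nginx/modules` symlink by default, so `/usr/lib/nginx/modules` keeps its package permissions (harmless, but the comment should not claim otherwise). Nothing checks that nginx actually started: with `daemon on;` the exit status of `su` reflects a failed startup (unreadable key, unwritable log path), so the container would otherwise keep running without a web server; `su -s "/usr/sbin/nginx" nginx || exit 1` makes the failure visible.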
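Review bot: `[ -f /tmp/nginx.pid ]` followed by `/usr/sbin/nginx -s reload` runs from root's crontab, but the pid file now lives in world-writable /tmp and is written by the unprivileged nginx user, so root sends SIGHUP to whatever pid the nginx user (or a compromised worker, which now shares that uid) has placed in the file. Keeping the pid file in a directory only nginx can write limits that, and the reload itself can be done as the nginx user, which is the owner of the master anyway: `su -s /bin/sh nginx -c "/usr/sbin/nginx -s reload"`. The same pattern is repeated in scripts/certbot-renew.sh, scripts/exit-nodes.sh, scripts/geoip.sh, scripts/proxies.sh and scripts/user-agents.sh. Testing for the file also does not test that the master is alive; a stale pid file from an earlier run makes `-s reload` error out instead of skipping.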
@@ -21,11 +21,15 @@ fi certbot renew # enable HTTP again if needed -if grep -q "#listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then - replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:80;" "listen 0.0.0.0:80;" +if grep -q "#listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then + replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:8080;" "listen 0.0.0.0:8080;" fi +chown -R root:nginx /etc/letsencrypt +chmod -R 740 /etc/letsencrypt +find /etc/letsencrypt -type d -exec chmod 750 {} \; + # reload nginx -if [ -f /run/nginx/nginx.pid ] ; then +if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh index 256ef27..8f85047 100644 --- a/scripts/exit-nodes.sh +++ b/scripts/exit-nodes.sh @@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" | while read entry ; do echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf done -if [ -f /run/nginx/nginx.pid ] ; then +if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi diff --git a/scripts/geoip.sh b/scripts/geoip.sh index b6938df..46c50be 100644 --- a/scripts/geoip.sh +++ b/scripts/geoip.sh @@ -5,7 +5,7 @@ URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz" wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1 if [ -f /etc/nginx/geoip.mmdb.gz ] ; then gunzip -f /etc/nginx/geoip.mmdb.gz - if [ -f /run/nginx/nginx.pid ] ; then + if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi fi diff --git a/scripts/proxies.sh b/scripts/proxies.sh index 0dd1de0..7702b13 100755 --- a/scripts/proxies.sh +++ b/scripts/proxies.sh @@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\ while read entry ; do echo "deny ${entry};" >> /etc/nginx/block-proxies.conf done -if [ -f /run/nginx/nginx.pid ] ; then +if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi 
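Review bot: `certbot renew` here is not given `--http-01-port 8080`, unlike the issuance call in entrypoint.sh; renewal takes its parameters from the per-certificate file under `/etc/letsencrypt/renewal/`, so certificates issued before this change (recorded with port 80) would have the standalone responder bind port 80 while the host only publishes 8080, and the challenge fails. Passing the port on the renew line, `certbot renew --http-01-port 8080`, makes renewal independent of what was recorded at issuance (confirm the packaged certbot accepts the flag for `renew`). The three `chown`/`chmod`/`find` lines duplicate the block added to entrypoint.sh; a small `fix_letsencrypt_perms` helper used by both would keep them from drifting. The `replace_in_file` function this script relies on is defined above the first hunk.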
diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh index 5a8c4e1..1493003 100755 --- a/scripts/user-agents.sh +++ b/scripts/user-agents.sh @@ -20,6 +20,6 @@ DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | se cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED" -if [ -f /run/nginx/nginx.pid ] ; then +if [ -f /tmp/nginx.pid ] ; then /usr/sbin/nginx -s reload fi