run master nginx process as non-root user

Dockerfile

@@ -15,10 +15,13 @@ COPY lua/ /opt/lua
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
-    mkdir /opt/entrypoint.d
+    mkdir /opt/entrypoint.d && \
+    rm -f /var/log/nginx/* && \
+    chown root:nginx /var/log/nginx && \
+    chmod 770 /var/log/nginx
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp 8443/tcp
 
 ENTRYPOINT ["/opt/entrypoint.sh"]

Dockerfile-amd64

@@ -15,10 +15,14 @@ COPY lua/ /opt/lua
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
-    mkdir /opt/entrypoint.d
+    mkdir /opt/entrypoint.d && \
+    rm -f /var/log/nginx/* && \
+    chown root:nginx /var/log/nginx && \
+    chmod 770 /var/log/nginx
+
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp 8443/tcp
 
 ENTRYPOINT ["/opt/entrypoint.sh"]

Dockerfile-arm32v7

@@ -22,10 +22,13 @@ COPY lua/ /opt/lua
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
-    mkdir /opt/entrypoint.d
+    mkdir /opt/entrypoint.d && \
+    rm -f /var/log/nginx/* && \
+    chown root:nginx /var/log/nginx && \
+    chmod 770 /var/log/nginx
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp 8443/tcp
 
 ENTRYPOINT ["/opt/entrypoint.sh"]

Dockerfile-arm64v8

@@ -22,10 +22,13 @@ COPY lua/ /opt/lua
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
-    mkdir /opt/entrypoint.d
+    mkdir /opt/entrypoint.d && \
+    rm -f /var/log/nginx/* && \
+    chown root:nginx /var/log/nginx && \
+    chmod 770 /var/log/nginx
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp 8443/tcp
 
 ENTRYPOINT ["/opt/entrypoint.sh"]

Dockerfile-i386

@@ -15,10 +15,13 @@ COPY lua/ /opt/lua
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
-    mkdir /opt/entrypoint.d
+    mkdir /opt/entrypoint.d && \
+    rm -f /var/log/nginx/* && \
+    chown root:nginx /var/log/nginx && \
+    chmod 770 /var/log/nginx
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp 8443/tcp
 
 ENTRYPOINT ["/opt/entrypoint.sh"]

compile.sh

@@ -122,7 +122,7 @@ CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
 CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
 ./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
 make -j $NTASK modules
-cp ./objs/*.so /usr/local/nginx/modules/
+cp ./objs/*.so /usr/lib/nginx/modules
 
 # remove build dependencies
 apk del build

confs/auto-lets-encrypt.conf

@@ -1,7 +0,0 @@
-listen 0.0.0.0:443 ssl %HTTP2%;
-ssl_certificate /etc/letsencrypt/live/%FIRST_SERVER_NAME%/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/%FIRST_SERVER_NAME%/privkey.pem;
-ssl_protocols TLSv1.3;
-ssl_prefer_server_ciphers off;
-ssl_session_tickets off;
-%STRICT_TRANSPORT_SECURITY%

confs/https.conf

@@ -1,4 +1,4 @@
-listen 0.0.0.0:443 ssl %HTTP2%;
+listen 0.0.0.0:8443 ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols TLSv1.3;

confs/nginx.conf

@@ -1,18 +1,18 @@
 # /etc/nginx/nginx.conf
 
 # load dynamic modules
-load_module /usr/local/nginx/modules/ngx_http_cookie_flag_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
-load_module /usr/local/nginx/modules/ngx_http_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
-load_module /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
-load_module /usr/local/nginx/modules/ngx_http_lua_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
-load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
-load_module /usr/local/nginx/modules/ngx_stream_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 
 # run as daemon
 daemon on;
 
-# do NOT run as root
+# PID file
-user nginx;
+pid /tmp/nginx.pid;
 
 # worker number = CPU core(s)
 worker_processes auto;
@@ -51,6 +51,17 @@ http {
 	# maximum request body size
 	client_max_body_size %MAX_CLIENT_SIZE%;
 
+	# write logs to local syslog
+	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
+	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+
+	# temp paths
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
 	# load caching custom config
 	include /etc/nginx/cache.conf;
 
@@ -72,10 +83,6 @@ http {
 	# get real IP address if behind a reverse proxy
         %PROXY_REAL_IP%
 
-	# write logs to local syslog
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
-
 	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
 	%WHITELIST_IP_CACHE%

confs/server.conf

@@ -1,6 +1,5 @@
 server {
 	include /server-confs/*.conf;
-	set $session_secret %ANTIBOT_SESSION_SECRET%;
 	include /etc/nginx/main-lua.conf;
 	%LISTEN_HTTP%
 	%USE_HTTPS%

entrypoint.sh

@@ -323,7 +323,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 		if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
 			/opt/scripts/certbot-renew.sh
 		else
-			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
+			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080
 		fi
 		echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
@@ -340,7 +340,7 @@ else
 fi
 
 if [ "$LISTEN_HTTP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
+	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;"
 else
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
 fi
@@ -621,8 +621,6 @@ fi
 crond
 
 # start nginx
-echo "[*] Running nginx ..."
-/usr/sbin/nginx
 if [ ! -f "/var/log/access.log" ] ; then
 	touch /var/log/access.log
 fi
@@ -633,6 +631,31 @@ if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
 	touch /var/log/php.log
 fi
 
+# modsec logs
+touch /var/log/modsec_audit.log
+chown root:nginx /var/log/modsec_audit.log
+chmod 760 /var/log/modsec_audit.log
+
+# nginx default error log
+touch /var/log/nginx/error.log
+chown root:nginx /var/log/nginx/error.log
+chmod 760 /var/log/nginx/error.log
+
+# nginx configs (and modules through the symlink)
+chown -R root:nginx /etc/nginx/
+chmod -R 740 /etc/nginx/
+find /etc/nginx -type d -exec chmod 750 {} \;
+
+# let's encrypt
+if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
+	chown -R root:nginx /etc/letsencrypt
+	chmod -R 740 /etc/letsencrypt
+	find /etc/letsencrypt -type d -exec chmod 750 {} \;
+fi
+
+echo "[*] Running nginx ..."
+su -s "/usr/sbin/nginx" nginx
+
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	fail2ban-server > /dev/null

scripts/abusers.sh

@@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v
 while read entry ; do
 	echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
 done
-if [ -f /run/nginx/nginx.pid ] ; then
+if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi

scripts/certbot-renew.sh

@@ -9,9 +9,9 @@ function replace_in_file() {
 
 # check if HTTP enabled
 # and disable it temporarily if needed
-if grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
+if grep -q "listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:80;" "#listen 0.0.0.0:80;"
+	replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:8080;" "#listen 0.0.0.0:8080;"
-	if [ -f /run/nginx/nginx.pid ] ; then
+	if [ -f /tmp/nginx.pid ] ; then
 		/usr/sbin/nginx -s reload
 		sleep 10
 	fi
@@ -21,11 +21,15 @@ fi
 certbot renew
 
 # enable HTTP again if needed
-if grep -q "#listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
+if grep -q "#listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:80;" "listen 0.0.0.0:80;"
+	replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:8080;" "listen 0.0.0.0:8080;"
 fi
 
+chown -R root:nginx /etc/letsencrypt
+chmod -R 740 /etc/letsencrypt
+find /etc/letsencrypt -type d -exec chmod 750 {} \;
+
 # reload nginx
-if [ -f /run/nginx/nginx.pid ] ; then
+if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi

scripts/exit-nodes.sh

@@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" |
 while read entry ; do
 	echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
 done
-if [ -f /run/nginx/nginx.pid ] ; then
+if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi

scripts/geoip.sh

@@ -5,7 +5,7 @@ URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
 wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1
 if [ -f /etc/nginx/geoip.mmdb.gz ] ; then
 	gunzip -f /etc/nginx/geoip.mmdb.gz
-	if [ -f /run/nginx/nginx.pid ] ; then
+	if [ -f /tmp/nginx.pid ] ; then
 		/usr/sbin/nginx -s reload
 	fi
 fi

scripts/proxies.sh

@@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\
 while read entry ; do
 	echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
 done
-if [ -f /run/nginx/nginx.pid ] ; then
+if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi

scripts/user-agents.sh

@@ -20,6 +20,6 @@ DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | se
 cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
 replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
 
-if [ -f /run/nginx/nginx.pid ] ; then
+if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi