diff --git a/Dockerfile b/Dockerfile
index 75f3637..94490c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+ /tmp/dependencies.sh && \
+ rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+ /tmp/prepare.sh && \
+ rm -f /tmp/prepare.sh
 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index cdecc70..b94de2d 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+ /tmp/dependencies.sh && \
+ rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+ /tmp/prepare.sh && \
+ rm -f /tmp/prepare.sh
 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 4956e58..1620c69 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+ /tmp/dependencies.sh && \
+ rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
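Review bot: `rm -rf /tmp/dependencies.sh` removes a single regular file, so it should read `rm -f /tmp/dependencies.sh`, matching the `rm -f /tmp/prepare.sh` step in the next hunk of the same file; `-r` on a file path is a no-op today but is the kind of flag that travels along when the path later becomes a glob. The same five-line block is added verbatim to Dockerfile, Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386, so a reader has to diff five files to confirm they still agree. A one-line comment such as `# keep in sync with the other Dockerfile-* variants` above `COPY dependencies.sh /tmp/dependencies.sh`, or a shared build stage, would make that duplication explicit.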
@@ -21,7 +26,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+ /tmp/prepare.sh && \
+ rm -f /tmp/prepare.sh
 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 2dd06dd..73846cb 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+ /tmp/dependencies.sh && \
+ rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@@ -21,7 +26,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+ /tmp/prepare.sh && \
+ rm -f /tmp/prepare.sh
 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 9ef9e48..4937ed2 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+ /tmp/dependencies.sh && \
+ rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+ /tmp/prepare.sh && \
+ rm -f /tmp/prepare.sh
 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 95482ea..9b11537 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -10,8 +10,8 @@ load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
-# run as daemon
-daemon on;
+# run in foreground
+daemon off;
 # PID file
 pid /tmp/nginx.pid;
@@ -52,8 +52,8 @@ http {
 # write logs to local syslog
 log_format logf '%LOG_FORMAT%';
- access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
- error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;
+ access_log /var/log/access.log logf;
+ error_log /var/log/error.log info;
 # temp paths
 proxy_temp_path /tmp/proxy_temp;
diff --git a/dependencies.sh b/dependencies.sh
new file mode 100644
index 0000000..43d3f92
--- /dev/null
+++ b/dependencies.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# install dependencies
+apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl clamav apache2-utils openssl lua libgd go jq mariadb-connector-c bash brotli
diff --git a/docs/security_tuning.md b/docs/security_tuning.md
index 61245d5..5c81221 100644
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@@ -92,7 +92,7 @@ $ docker run -p 80:8080 \
 ## Bad behaviors detection
-TODO
+When attackers search for and/or exploit vulnerabilities they might generate some suspicious HTTP status codes that a "regular" user won't generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come with a new one.
 ## Antibot challenge
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 0d21f9a..385f33f 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
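Review bot: The new `access_log /var/log/access.log logf;` and `error_log /var/log/error.log info;` lines point at paths that, per the prepare.sh hunk in this same commit, are symlinks to `/proc/1/fd/1` and `/proc/1/fd/2` rather than regular files, while the context comment just above them still says `# write logs to local syslog`. Someone reading nginx.conf on its own will expect rotatable, tail-able files and may try to add logrotate back. Replace the stale comment with one that states the actual contract, e.g. `# /var/log/access.log and /var/log/error.log are symlinks to the container's stdout/stderr (created by prepare.sh); rotation is the container runtime's job`.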
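Review bot: `apk --no-cache add certbot libstdc++ … bash brotli` installs every runtime dependency unpinned, so each rebuild of the five Dockerfiles picks up whatever the Alpine mirror serves that day, and two images built from the same commit are not comparable; the Dockerfiles already show the cost of this by carrying a one-off `RUN apk add "libjpeg-turbo>=2.1.0-r0"` for CVE-2021-20205. Consider constraining at least the network-exposed components (`openssl`, `certbot`, `clamav`) with apk's `pkg>=version` syntax, or at minimum printing the resolved set (`apk info -v`) at the end of the script so the build log records what went into the image. A short header comment explaining why the list moved out of prepare.sh into its own layer would also help the next reader.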
@@ -91,9 +91,6 @@ AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 ROOT_SITE_SUBFOLDER="${ROOT_SITE_SUBFOLDER-}"
-LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
-LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
-LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 6c77409..67a2870 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -5,25 +5,13 @@ echo "[*] Starting bunkerized-nginx ..."
-# execute custom scripts if it's a customized image
-for file in /entrypoint.d/* ; do
- [ -f "$file" ] && [ -x "$file" ] && "$file"
-done
-
 # trap SIGTERM and SIGINT
 function trap_exit() {
 echo "[*] Catched stop operation"
 echo "[*] Stopping crond ..."
 pkill -TERM crond
- if [ "$USE_FAIL2BAN" = "yes" ] ; then
- echo "[*] Stopping fail2ban"
- fail2ban-client stop > /dev/null
- fi
 echo "[*] Stopping nginx ..."
 /usr/sbin/nginx -s stop
- echo "[*] Stopping rsyslogd ..."
- pkill -TERM rsyslogd
- pkill -TERM tail
 }
 trap "trap_exit" TERM INT QUIT
@@ -62,16 +50,10 @@ if [ ! -f "/opt/installed" ] ; then
 exit 1
 fi
- # logs config
- /opt/entrypoint/logs.sh
-
 # lua config
 # TODO : move variables from /usr/local/lib/lua + multisite support ?
 /opt/entrypoint/lua.sh
- # fail2ban config
- /opt/entrypoint/fail2ban.sh
-
 # clamav config
 /opt/entrypoint/clamav.sh
@@ -103,9 +85,6 @@ else
 echo "[*] Skipping configuration process"
 fi
-# start rsyslogd
-rsyslogd -i /tmp/rsyslogd.pid
-
 # start crond
 crond
@@ -124,22 +103,13 @@ fi
 # run nginx
 echo "[*] Running nginx ..."
-nginx
-if [ "$?" -eq 0 ] ; then
- echo "[*] nginx successfully started !"
-else
- echo "[!] nginx failed to start"
-fi
-
-# list of log files to display
-LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/error.log /var/log/nginx/modsec_audit.log"
-
-# start fail2ban
-if [ "$USE_FAIL2BAN" = "yes" ] ; then
- echo "[*] Running fail2ban ..."
- fail2ban-server > /dev/null
- LOGS="$LOGS /var/log/fail2ban.log"
-fi
+nginx &
+pid="$!"
+#if [ "$?" -eq 0 ] ; then
+# echo "[*] nginx successfully started !"
+#else
+# echo "[!] nginx failed to start"
+#fi
 # autotest
 if [ "$1" == "test" ] ; then
@@ -152,9 +122,8 @@ if [ "$1" == "test" ] ; then
 exit 1
 fi
-# display logs
-tail -F $LOGS &
-pid="$!"
+# wait for nginx
+wait "$pid"
 while [ -f "/tmp/nginx.pid" ] ; do
 wait "$pid"
 done
diff --git a/entrypoint/fail2ban.sh b/entrypoint/fail2ban.sh
deleted file mode 100644
index 12382f2..0000000
--- a/entrypoint/fail2ban.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# fail2ban setup
-if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
- cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
- cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
- cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
- replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
- replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
- replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
- replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
- replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
-fi
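Review bot: The commented-out status check kept under `nginx &` / `pid="$!"` is dead code that cannot be revived as written: after a command is backgrounded with `&`, `$?` is the status of the fork, which is always 0, so the "failed to start" branch could never fire. Delete the five `#…` lines and judge nginx's start-up from the status that `wait "$pid"` returns further down (next hunk), or poll `/tmp/nginx.pid` for a few seconds before the `# autotest` block. Because nginx now starts asynchronously, the autotest that follows may run before nginx has bound its listeners if it exercises the server over HTTP; its body lies outside this hunk, so that is an inference to confirm.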
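Review bot: `while [ -f "/tmp/nginx.pid" ] ; do wait "$pid"; done` turns into a busy loop once the first `wait "$pid"` has reaped nginx: a later `wait` on a pid that is no longer a child returns immediately, so if the master dies without removing its pid file (SIGKILL, OOM kill) the entrypoint spins at full CPU instead of exiting and letting the orchestrator restart the container. The re-wait itself is needed, because the `trap_exit` handler interrupts `wait` while nginx is still shutting down, but it should only continue while the process exists, and the script should exit with nginx's status so the container's exit code carries information; the lines after `done` are outside the hunk, so the final `exit` assumes nothing follows.
```shell
# wait for nginx; a trapped signal (trap_exit) interrupts wait, so re-wait while the master is still alive
wait "$pid"
rc=$?
while [ -f "/tmp/nginx.pid" ] && kill -0 "$pid" 2>/dev/null ; do
  wait "$pid"
  rc=$?
done
exit "$rc"
```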
diff --git a/entrypoint/logs.sh b/entrypoint/logs.sh
deleted file mode 100644
index 7bdd614..0000000
--- a/entrypoint/logs.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# copy stub confs
-cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
-cat /opt/logs/logrotate.conf > /etc/logrotate.conf
-
-# create empty logs
-touch /var/log/access.log
-touch /var/log/error.log
-touch /var/log/jobs.log
-
-# setup logrotate
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
-echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
-
-# setup rsyslog
-if [ "$REMOTE_SYSLOG" != "" ] ; then
- replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
-else
- replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
-fi
diff --git a/prepare.sh b/prepare.sh
index 29fc113..95c8b25 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -1,11 +1,5 @@
 #!/bin/sh
-# install dependencies
-apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
-
-# temp fix ?
-chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
-
 # custom entrypoint
 mkdir /opt/entrypoint.d
@@ -28,19 +22,21 @@ chmod -R 770 /etc/nginx
 # prepare /var/log
 rm -f /var/log/nginx/*
 chown root:nginx /var/log/nginx
-touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
-chown nginx:nginx /var/log/nginx/*
 chmod -R 770 /var/log/nginx
-touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
-chown nginx:nginx /var/log/*.log
-chmod 770 /var/log/*.log
+ln -s /proc/1/fd/2 /var/log/nginx/error.log
+ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
+ln -s /proc/1/fd/1 /var/log/access.log
+ln -s /proc/1/fd/2 /var/log/error.log
+ln -s /proc/1/fd/1 /var/log/jobs.log
+ln -s /proc/1/fd/1 /var/log/fail2ban.log
+ln -s /proc/1/fd/1 /var/log/clamav.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
-touch /var/log/clamav.log
-chown root:nginx /var/log/clamav.log
-chmod 770 /var/log/clamav.log
-find /var/log -type f -exec chmod 0774 {} \;
+rm -rf /var/log/clamav/*
+chown root:nginx /var/log/clamav
+chmod 770 /var/log/clamav
+ln -s /proc/1/fd/1 /var/log/freshclam.log
 # prepare /acme-challenge
 mkdir /acme-challenge
@@ -57,16 +53,6 @@ mkdir /var/lib/letsencrypt
 chown root:nginx /var/lib/letsencrypt
 chmod 770 /var/lib/letsencrypt
-# prepare /etc/fail2ban
-rm -rf /etc/fail2ban/jail.d/*.conf
-chown -R root:nginx /etc/fail2ban
-find /etc/fail2ban -type f -exec chmod 0760 {} \;
-find /etc/fail2ban -type d -exec chmod 0770 {} \;
-
-# prepare /var/run/fail2ban and /var/lib/fail2ban
-chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
-chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
-
 # prepare /usr/local/lib/lua
 chown -R root:nginx /usr/local/lib/lua
 chmod 770 /usr/local/lib/lua
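Review bot: The `ln -s /proc/1/fd/1 …` / `ln -s /proc/1/fd/2 …` targets can only be opened by a process allowed to traverse `/proc/1/fd`, which on Linux is normally just the owner of PID 1 (presumably root, the entrypoint); nginx is fine because its master opens `access.log` and `error.log` before forking workers, but `/var/log/jobs.log`, `/var/log/clamav.log` and `/var/log/freshclam.log` look like they are written by the jobs installed in `/etc/crontabs/nginx`, i.e. as user nginx, and those opens would fail with EACCES — worth verifying in a running container, since a silently unwritable job log is exactly what hides a failed certificate renewal or ClamAV update. `ln -s /proc/1/fd/1 /var/log/fail2ban.log` is a leftover: this commit removes fail2ban from dependencies.sh, entrypoint.sh and prepare.sh's own fail2ban blocks, so drop the line. Pointing `modsec_audit.log` at the same stderr stream as nginx's `error.log` means any collector reading the container's stderr must separate audit events from error lines by content; if the audit trail needs to stay individually reviewable, route it to stdout or state the merge in a comment above the `ln -s` block, e.g. `# all logs go to the container's stdout/stderr via PID 1; modsec audit entries share the stderr stream with nginx errors`.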
@@ -79,20 +65,11 @@ mkdir /cache
 chown root:nginx /cache
 chmod 770 /cache
-# prepare misc files
-chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
-chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
-chown root:nginx /etc/rsyslog.conf
-
 # prepare /etc/crontabs/nginx
 touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
 chmod 660 /etc/crontabs/nginx
-# prepare /var/log/clamav
-chown root:nginx /var/log/clamav
-chmod 770 /var/log/clamav
-
 # prepare /var/lib/clamav
 chown root:nginx /var/lib/clamav
 chmod 770 /var/lib/clamav