From f27d80e0d56aa7b395458cabef67a8763b916fa1 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sat, 10 Oct 2020 15:19:35 +0200
Subject: [PATCH] various fixes and lua logging

---
 Dockerfile          |  2 +-
 Dockerfile-amd64    |  2 +-
 Dockerfile-arm32v7  |  2 +-
 Dockerfile-arm64v8  |  2 +-
 Dockerfile-i386     |  2 +-
 confs/main-lua.conf |  2 +-
 entrypoint.sh       | 12 +++++++-----
 lua/blacklist.lua   | 17 +++++++++++------
 lua/dns.lua         |  9 ++++++---
 lua/dnsbl.lua       | 12 ++++++++----
 lua/whitelist.lua   | 17 +++++++++++------
 11 files changed, 49 insertions(+), 30 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 797ac56..2514293 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 79fde4b..e27fb3c 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 7305ce1..8225452 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
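Review bot: The apk package line is now maintained by hand in five near-identical Dockerfiles (this one plus Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386), and the hunk in each differs only by the added `openssl`; a shared install script copied into every image, or a common base stage, would keep the package list from drifting between architectures. The list is also unpinned, so each rebuild may pull different versions of fail2ban, clamav or openssl; that is pre-existing, but it means the image is not reproducible from the Dockerfile alone.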
@@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 2753a40..2117be4 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 6c49bfd..78381d7 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/confs/main-lua.conf b/confs/main-lua.conf
index d80fcdc..57823f5 100644
--- a/confs/main-lua.conf
+++ b/confs/main-lua.conf
@@ -4,7 +4,7 @@ local use_whitelist_ip = %USE_WHITELIST_IP%
 local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
 local use_blacklist_ip = %USE_BLACKLIST_IP%
 local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
-local use_dnsbl = %USE_DNS%
+local use_dnsbl = %USE_DNSBL%
 
 -- include LUA code
 local whitelist = require "whitelist"
diff --git a/entrypoint.sh b/entrypoint.sh
index eefd93a..f7bbe7f 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -22,6 +22,8 @@ function trap_exit() {
 	fi
 	echo "[*] Stopping nginx ..."
 	/usr/sbin/nginx -s stop
+	echo "[*] Stopping rsyslogd ..."
+	pkill -TERM rsyslogd
 	pkill -TERM tail
 }
 trap "trap_exit" TERM INT
@@ -111,7 +113,7 @@ USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
 FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
 FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
 FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
-FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-20}"
+FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
@@ -143,9 +145,9 @@ PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
 PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
-GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
+GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
 SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
-SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
+SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
 SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
 SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
 SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
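Review bot: The placeholder is renamed to `%USE_DNSBL%` here, but none of the entrypoint.sh hunks in this patch changes the matching replace_in_file call, so if the entrypoint still substitutes `%USE_DNS%` the new token survives and `local use_dnsbl = %USE_DNSBL%` is a Lua syntax error when nginx loads the config. Confirm the substitution side was renamed in the same commit (it may sit outside the shown hunks), and consider a startup check that greps the generated Lua for any leftover `%...%` token and aborts, so a missed placeholder fails with a clear message instead of an nginx parse error.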
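Review bot: rsyslogd is now signalled right after `/usr/sbin/nginx -s stop`, but that command only signals the nginx master and returns immediately, so workers still shutting down may emit log lines after rsyslogd has already been terminated and those lines are lost. Consider waiting for the master to exit before the kill, e.g. `while pgrep -x nginx >/dev/null 2>&1 ; do sleep 1 ; done` between the two, or at least stop rsyslogd after `tail`. `pkill -x rsyslogd` would also avoid matching any other process whose name merely contains the pattern. `trap_exit` begins outside the hunk.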
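Review bot: The SELF_SIGNED_SSL_* values are presumably interpolated into an openssl subject string (`/C=.../ST=.../L=...`) later in the file, outside this hunk; the switch of the default to the two-letter `CH` fits openssl's country field, but a user-supplied value containing `/` or `=` would still corrupt the subject. Validate these variables where the subject is built, or at least reject a country that is not exactly two letters, e.g. `case "$SELF_SIGNED_SSL_COUNTRY" in [A-Za-z][A-Za-z]) ;; *) echo "[!] SELF_SIGNED_SSL_COUNTRY must be a two-letter code" ; exit 1 ;; esac`. The same applies to the -111 hunk's FAIL2BAN_MAXRETRY default, which is only useful if a non-numeric override is also rejected somewhere.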
@@ -369,7 +371,7 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
 fi
 if [ "$PROXY_REAL_IP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
+	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
 	froms=""
 	for from in $PROXY_REAL_IP_FROM ; do
 		froms="${froms}set_real_ip_from ${from};\n"
@@ -378,7 +380,7 @@ if [ "$PROXY_REAL_IP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
 	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
 else
-	replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
+	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
 fi
 
 
diff --git a/lua/blacklist.lua b/lua/blacklist.lua
index 82f90bc..1bf55e0 100644
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@@ -1,28 +1,30 @@
+local M = {}
 local dns = require "dns"
 local ip_list = {%BLACKLIST_IP_LIST%}
 local reverse_list = {%BLACKLIST_REVERSE_LIST%}
 local ip = ngx.var.remote_addr
 
-function ip_cached_ko ()
+function M.ip_cached_ko ()
 	return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
 end
 
-function reverse_cached_ko ()
+function M.reverse_cached_ko ()
 	return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
 end
 
-function ip_cached ()
+function M.ip_cached ()
 	return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
 end
 
-function reverse_cached ()
+function M.reverse_cached ()
 	return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
 end
 
-function check_ip ()
+function M.check_ip ()
 	for k, v in ipairs(ip_list) do
 		if v == ip then
 			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
+			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
 			return true
 		end
 	end
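Review bot: Both branches of the PROXY_REAL_IP test (this hunk and the `else` branch in the -378 hunk) now call `replace_in_file` on `/etc/nginx/nginx.conf` with the same placeholder and differ only in the replacement value; the `server.conf` path this commit corrects had drifted in exactly that duplicated position. Compute the value first and replace once, e.g. `real_ip_include=""` before the `if`, `real_ip_include="include /etc/nginx/proxy-real-ip.conf;"` inside it, and a single `replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "$real_ip_include"` after the `fi`. The if/else block spans both hunks.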
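Review bot: `local ip = ngx.var.remote_addr` at module scope is evaluated only when the module body runs, and main-lua.conf loads these files with `require` (its hunk shows `local whitelist = require "whitelist"`), which caches the module per worker in package.loaded; if that is the load path, `ip` is the address of the first request each worker handled and every later request's cache lookups, list comparisons and the new log line use that stale address. Read the address inside each function instead, e.g. `local ip = ngx.var.remote_addr` as the first line of `M.check_ip`, `M.ip_cached_ko` and the other functions, or accept it as a parameter, and drop the module-level local. The same module-level `ip` appears in dns.lua, dnsbl.lua and whitelist.lua in this patch. `M.check_ip` continues outside the hunk.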
@@ -30,12 +32,13 @@ function check_ip ()
 	return false
 end
 
-function check_reverse ()
+function M.check_reverse ()
 	local rdns = dns.get_reverse()
 	if rdns ~= "" then
 		for k, v in ipairs(reverse_list) do
 			if rdns:sub(-#v) == v then
 				ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
+				ngx.log(ngx.WARN, "reverse " .. rdns .. " is in blacklist")
 				return true
 			end
 		end
@@ -43,3 +46,5 @@ function check_reverse ()
 	ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
 	return false
 end
+
+return M
diff --git a/lua/dns.lua b/lua/dns.lua
index cf67064..17eae9e 100644
--- a/lua/dns.lua
+++ b/lua/dns.lua
@@ -1,8 +1,9 @@
+local M = {}
 local resolver = require "resty.dns.resolver"
 local resolvers = {%DNS_RESOLVERS%}
 local ip = ngx.var.remote_addr
 
-function get_reverse()
+function M.get_reverse()
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
@@ -20,7 +21,7 @@ function get_reverse()
 	return rdns
 end
 
-function get_ips(fqdn)
+function M.get_ips(fqdn)
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
@@ -35,6 +36,8 @@ function get_ips(fqdn)
 	return ips
 end
 
-function ip_to_arpa()
+function M.ip_to_arpa()
 	return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
 end
+
+return M
diff --git a/lua/dnsbl.lua b/lua/dnsbl.lua
index a360c64..66bd348 100644
--- a/lua/dnsbl.lua
+++ b/lua/dnsbl.lua
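Review bot: `rdns:sub(-#v) == v` is a bare suffix comparison, so a reverse_list entry such as `example.com` also matches `notexample.com` unless entries are written with a leading dot, and the comparison is case-sensitive although DNS names are not. If entries are stored lower-case and without a leading dot, normalise and match on a label boundary instead: `local host = rdns:lower()` before the loop and `if host == v or host:sub(-#v - 1) == "." .. v then` in place of the current test. `M.check_reverse` continues outside the hunk.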
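Review bot: The `ok` result is cached for 86400 s even when `dns.get_reverse()` returned `""`, i.e. when the reverse lookup failed or timed out rather than when a name was checked and found clean, so a transient resolver failure exempts a client from the reverse blacklist for a day; the mirror case in whitelist.lua's -53 hunk caches `ko` on the same condition and locks a legitimate client out for a day. Cache only definitive answers, or give the empty-rdns case a short TTL, e.g. `ngx.shared.blacklist_reverse_cache:set(ip, "ok", rdns ~= "" and 86400 or 60)`. The `if rdns ~= ""` test is in the previous hunk; this hunk shows only the tail of `M.check_reverse`.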
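Review bot: When `resolver:new` fails, `err` is discarded and `M.get_reverse` silently returns `""`, which callers then treat as "client has no reverse name"; since this commit adds ngx.log calls elsewhere, log the failure here as well, `ngx.log(ngx.ERR, "failed to create resolver: ", err)`, so a misconfigured `%DNS_RESOLVERS%` list shows up in the error log instead of looking like a run of clients without rDNS. `M.get_reverse` continues outside the hunk.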
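Review bot: `M.get_ips` returns the string `""` when `resolver:new` fails, but its caller in dnsbl.lua iterates the result with `for k2, v2 in ipairs(ips) do`, and under LuaJIT `ipairs` on a string raises an error, which in the access phase surfaces as a 500 for the request instead of a skipped DNSBL check. Return an empty table instead, `return {}`, so the callers' loops simply do nothing, and log `err` as suggested for get_reverse. `M.get_ips` continues outside the hunk, so whether its other exit paths also return a non-table cannot be checked here.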
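Review bot: `string.gsub` returns two values, so `M.ip_to_arpa` returns the stripped name and the substitution count; dnsbl.lua assigns only the first (`local rip = dns.ip_to_arpa()`), but any caller that forwards the result directly, e.g. `f(dns.ip_to_arpa())`, would receive the count as a second argument. Truncate explicitly with parentheses, `return (resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", ""))`. Note that `resolver.arpa_str(ip)` uses the module-level `ip`, which is bound once when the module loads.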
@@ -1,24 +1,26 @@
+local M = {}
 local dns = require "dns"
 local dnsbls = {%DNSBL_LIST%}
 local ip = ngx.var.remote_addr
 
-function cached_ko ()
+function M.cached_ko ()
 	return ngx.shared.dnsbl_cache:get(ip) == "ko"
 end
 
-function cached ()
+function M.cached ()
 	return ngx.shared.dnsbl_cache:get(ip) ~= nil
 end
 
-function check ()
+function M.check ()
 	local rip = dns.ip_to_arpa()
 	for k, v in ipairs(dnsbls) do
 		local req = rip .. "." .. v
 		local ips = dns.get_ips(req)
 		for k2, v2 in ipairs(ips) do
-			a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
+			local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
 			if a == "127" then
 				ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
+				ngx.log(ngx.WARN, "ip " .. ip .. " is in DNSBL " .. v)
 				return true
 			end
 		end
@@ -26,3 +28,5 @@ function check ()
 	ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
 	return false
 end
+
+return M
diff --git a/lua/whitelist.lua b/lua/whitelist.lua
index 10ca852..403eeec 100644
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@@ -1,28 +1,30 @@
+local M = {}
 local dns = require "dns"
 local ip_list = {%WHITELIST_IP_LIST%}
 local reverse_list = {%WHITELIST_REVERSE_LIST%}
 local ip = ngx.var.remote_addr
 
-function ip_cached_ok ()
+function M.ip_cached_ok ()
 	return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
 end
 
-function reverse_cached_ok ()
+function M.reverse_cached_ok ()
 	return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
 end
 
-function ip_cached ()
+function M.ip_cached ()
 	return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
 end
 
-function reverse_cached ()
+function M.reverse_cached ()
 	return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
 end
 
-function check_ip ()
+function M.check_ip ()
 	for k, v in ipairs(ip_list) do
 		if v == ip then
 			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
+			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
 			return true
 		end
 	end
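Review bot: `if a == "127" then` treats every 127.x.x.x answer as a listing, but some DNSBLs document special 127.x.x.x answers that signal a query error or a blocked resolver rather than a listed address, so a lookup problem can block a client for 86400 s; check the return codes each configured list documents, or at least include `v2` in the new log line (`ngx.log(ngx.WARN, "ip ", ip, " is in DNSBL ", v, " (", v2, ")")`) so operators can see which code triggered the block. The pattern `"([%d]+).([%d]+).([%d]+).([%d]+)"` also leaves the dots unescaped, so `.` matches any character, and `b`, `c`, `d` are never read; `local a = v2:match("^(%d+)%.")` is enough for the first-octet test. `M.check` continues outside the hunk.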
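Review bot: The new `ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")` records a normal, expected outcome at WARN, the same level used for blacklist and DNSBL hits, so whitelist matches are indistinguishable from blocks for anyone alerting on warnings; `ngx.INFO` or `ngx.NOTICE` fits an allow decision better, and the same applies to the matching line added to `M.check_reverse` in the -45 hunk. Passing the pieces as separate arguments, `ngx.log(ngx.INFO, "ip ", ip, " is in whitelist")`, also avoids building the string when that level is disabled. `M.check_ip` continues outside the hunk.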
@@ -30,7 +32,7 @@ function check_ip ()
 	return false
 end
 
-function check_reverse ()
+function M.check_reverse ()
 	local rdns = dns.get_reverse()
 	if rdns ~= "" then
 		local whitelisted = false
@@ -45,6 +47,7 @@ function check_reverse ()
 			for k, v in ipairs(ips) do
 				if v == ip then
 					ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
+					ngx.log(ngx.WARN, "reverse " .. rdns .. " is in whitelist")
 					return true
 				end
 			end
@@ -53,3 +56,5 @@ function check_reverse ()
 	ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
 	return false
 end
+
+return M