From f30a06d9435358c03da9a6f97935c675bbd52ece Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 30 Aug 2020 17:33:59 +0200
Subject: [PATCH] syslog integration and fail2ban improvement
---
 README.md | 7 ++---
 confs/nginx.conf | 5 ++--
 confs/php.ini | 8 +++---
 confs/syslog.conf | 2 ++
 entrypoint.sh | 32 +++++++++++++++++------
 fail2ban/nginx-filter.local | 2 +-
 fail2ban/{jail.local => nginx-jail.local} | 6 ++---
 7 files changed, 40 insertions(+), 22 deletions(-)
 create mode 100644 confs/syslog.conf
 rename fail2ban/{jail.local => nginx-jail.local} (77%)
diff --git a/README.md b/README.md
index d346a25..9b7a309 100644
--- a/README.md
+++ b/README.md
@@ -419,10 +419,11 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
 ```
 # TODO
-- docker tags
-- Tutorials
-- Full documentation
+- logrotate
+- readme : custom errors
+- remove nginx on default error pages
 - nginx compile flags
 - Antibot with recaptcha v3
 - HSTS preload, HPKP
 - Web UI
+- Full documentation
diff --git a/confs/nginx.conf b/confs/nginx.conf
index 6b7183e..0c388f4 100644
--- a/confs/nginx.conf
+++ b/confs/nginx.conf
@@ -61,8 +61,9 @@ http {
 # enable/disable sending nginx version
 server_tokens %SERVER_TOKENS%;
- # where to write logs
- access_log /var/log/access.log;
+ # write logs to local syslogd
+ access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
+ error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
 # server config
 include /etc/nginx/server.conf;
diff --git a/confs/php.ini b/confs/php.ini
index f6ff499..e9ee9b1 100644
--- a/confs/php.ini
+++ b/confs/php.ini
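Review bot: On the new error_log line `severity=warn` does not set the logging level: in nginx's syslog parameters `severity` applies to access_log only (for error_log the severity is taken from each message), and the level is error_log's own trailing argument, which here stays at its default `error`, so warn-level entries are never emitted — this is how I recall the nginx syslog documentation, please confirm. If warnings are wanted the level goes after the destination, `error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;`. Both streams also share facility local0 now, so error-log entries land in the same file fail2ban scans (confs/syslog.conf in this patch routes local0 to /var/log/nginx.log); a distinct facility for error_log would keep the scanned file to access lines only.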
@@ -585,15 +585,15 @@ html_errors = On
 ; Example:
 ;error_log = php_errors.log
 ; Log errors to syslog (Event Log on Windows).
-;error_log = syslog
+error_log = syslog
 ; The syslog ident is a string which is prepended to every message logged
 ; to syslog. Only used when error_log is set to syslog.
-;syslog.ident = php
+syslog.ident = php
 ; The syslog facility is used to specify what type of program is logging
 ; the message. Only used when error_log is set to syslog.
-;syslog.facility = user
+syslog.facility = local1
 ; Set this to disable filtering control characters (the default).
 ; Some loggers only accept NVT-ASCII, others accept anything that's not
@@ -605,7 +605,7 @@ html_errors = On
 ; all (all characters)
 ; raw (like "all", but messages are not split at newlines)
 ; http://php.net/syslog.filter
-;syslog.filter = ascii
+syslog.filter = ascii
 ;windows.show_crt_warning
 ; Default value: 0
diff --git a/confs/syslog.conf b/confs/syslog.conf
new file mode 100644
index 0000000..ce951eb
--- /dev/null
+++ b/confs/syslog.conf
@@ -0,0 +1,2 @@
+local0.* /var/log/nginx.log
+local1.* /var/log/php.log
diff --git a/entrypoint.sh b/entrypoint.sh
index cf4b363..745a993 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -38,6 +38,7 @@ function replace_in_file() {
 cp /opt/confs/*.conf /etc/nginx
 cp -r /opt/confs/owasp-crs /etc/nginx
 cp /opt/confs/php.ini /etc/php7/php.ini
+cp /opt/confs/syslog.conf /etc/syslog.conf
 # remove cron jobs
 echo "" > /etc/crontabs/root
@@ -104,6 +105,8 @@ AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
+SYSLOG_MAXSIZE="${SYSLOG_MAXSIZE-1000}"
+SYSLOG_KEEP="${SYSLOG_KEEP-10}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
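Review bot: Only facilities local0 and local1 get a destination in the new syslog.conf, so anything else written to /dev/log (crond, fail2ban and clamd if they log through syslog) matches no rule; as far as I know busybox syslogd stops using its /var/log/messages default once a config file is present, so those messages would be dropped silently rather than logged — worth verifying against the busybox build in the image. If that holds, add a rule for the remaining facilities, e.g. `*.* /var/log/messages`, accepting that local0/local1 lines may then appear there as well.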
@@ -352,14 +355,14 @@ fi
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 echo "" > /etc/nginx/fail2ban-ip.conf
- rm -rf /etc/fail2ban/jail.d/*
+ rm -rf /etc/fail2ban/jail.d/*.conf
 replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
 cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
- cp /opt/fail2ban/jail.local /etc/fail2ban/jail.local
- replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
- replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
- replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
+ cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
+ replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
+ replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
+ replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 else
 replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
@@ -367,8 +370,8 @@ fi
 # clamav setup
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
- echo "[*] Updating clamav ..."
- freshclam > /dev/null 2>&1
+ echo "[*] Updating clamav (in background) ..."
+ freshclam > /dev/null 2>&1 &
 echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
@@ -390,6 +393,9 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
 chmod g+w -R /www
 fi
+# start syslogd
+syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"
+
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
 replace_in_file "/etc/php7/php-fpm.d/www.conf" "user = nobody" "user = nginx"
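Review bot: `$FAIL2BAN_STATUS_CODES` is substituted verbatim into the filter's failregex by the last replace_in_file call of the fail2ban block, and nothing checks its shape; a value containing anything but digits and `|` (a stray `)` is enough) produces a regex fail2ban cannot compile, so the jail fails to load and no bans ever happen while the script carries on as if protection were active. A guard before the substitution keeps that failure loud: `case "$FAIL2BAN_STATUS_CODES" in ''|*[!0-9|]*) echo "[!] FAIL2BAN_STATUS_CODES must be status codes separated by |, e.g. 401|403|404" >&2 ; exit 1 ;; esac`. The same applies to FAIL2BAN_BANTIME, FAIL2BAN_FINDTIME and FAIL2BAN_MAXRETRY, which are written into jail.d/nginx-jail.local unchecked; replace_in_file itself is defined outside this hunk.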
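Review bot: Backgrounding `freshclam` changes the startup guarantee in the clamav block: if the image ships no signature database, clamd (presumably started later in the script, outside this hunk) can come up before the first download finishes and refuse to start for lack of a database, and because stderr is discarded a failed update leaves no trace at all. Keep the background run but surface failures, `(freshclam > /dev/null 2>&1 || echo "[!] freshclam update failed" >&2) &`, and confirm that the clamd start tolerates an initially empty database directory.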
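Review bot: `syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"` passes two operator-supplied values straight to the daemon with neither validation nor an exit-status check, so a non-numeric value (or, for `-b`, one above the maximum of 99 that busybox documents) leaves the container running with no syslogd at all — no nginx or php logs, and nothing for fail2ban to read. Validate and fail loudly: `for v in "$SYSLOG_MAXSIZE" "$SYSLOG_KEEP" ; do case "$v" in ''|*[!0-9]*) echo "[!] SYSLOG_MAXSIZE and SYSLOG_KEEP must be integers" >&2 ; exit 1 ;; esac ; done` followed by `syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP" || { echo "[!] syslogd failed to start" >&2 ; exit 1 ; }`. Busybox's `-s` is in KiB, so the default of 1000 is about 1 MiB; a comment next to the defaults in the earlier hunk (`# SYSLOG_MAXSIZE is in KiB`) would save the next reader a lookup.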
@@ -403,6 +409,12 @@ crond
 # start nginx
 echo "[*] Running nginx ..."
 /usr/sbin/nginx
+if [ ! -f "/var/log/nginx.log" ] ; then
+ touch /var/log/nginx.log
+fi
+if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
+ touch /var/log/php.log
+fi
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
@@ -410,7 +422,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 fi
 # display logs
-tail -f /var/log/access.log &
+if [ "$USE_PHP" = "yes" ] ; then
+ tail -f /var/log/nginx.log /var/log/php.log &
+else
+ tail -f /var/log/nginx.log &
+fi
 wait $!
 # sigterm trapped
diff --git a/fail2ban/nginx-filter.local b/fail2ban/nginx-filter.local
index b617713..eb04a86 100644
--- a/fail2ban/nginx-filter.local
+++ b/fail2ban/nginx-filter.local
@@ -2,6 +2,6 @@ before = common.conf
 [Definition]
-failregex = - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
+failregex = .* nginx: - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
 ignoreregex =
 datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
diff --git a/fail2ban/jail.local b/fail2ban/nginx-jail.local
similarity index 77%
rename from fail2ban/jail.local
rename to fail2ban/nginx-jail.local
index 25b22fb..95b6453 100644
--- a/fail2ban/jail.local
+++ b/fail2ban/nginx-jail.local
@@ -1,9 +1,7 @@
-[DEFAULTS]
+[nginx-filter]
 bantime = %FAIL2BAN_BANTIME%
 findtime = %FAIL2BAN_FINDTIME%
 maxretry = %FAIL2BAN_MAXRETRY%
-
-[nginx-filter]
 enabled = true
 action = nginx-action
-logpath = /var/log/access.log
+logpath = /var/log/nginx.log
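Review bot: The two `if [ ! -f ... ] ; then touch ... ; fi` blocks added after `/usr/sbin/nginx` guard a command that is already a no-op on an existing file, so they reduce to `touch /var/log/nginx.log` and `if [ "$USE_PHP" = "yes" ] ; then touch /var/log/php.log ; fi`. Their position is load-bearing, though: fail2ban starts right after this block and needs its logpath to exist, which the touch provides, so a comment such as `# make sure the log files exist before fail2ban and tail open them` would keep a later reorder from breaking it.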
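Review bot: `tail -f` in both branches of the display-logs block follows the open file descriptor, while syslogd is started with `-s`/`-b` (rotation by renaming nginx.log to nginx.log.0 and opening a fresh file), so after the first rotation the container's stdout keeps following the rotated file and goes silent even though logging continues. `tail -F` follows by name and reopens after rotation, and busybox tail provides it when built with the fancy tail feature, which Alpine's build is as far as I know: `tail -F /var/log/nginx.log /var/log/php.log &` and `tail -F /var/log/nginx.log &`. fail2ban's default backend should cope with the rotation on its own, so only the displayed stream is affected.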
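Review bot: The new failregex is unanchored at both ends (`.* nginx: ` before, trailing `.*`) and its `".*"` groups are plain wildcards, so it is not tied to the shape of a `combined` access line; since nginx.conf in this patch also sends error_log to facility local0, error-log entries now sit in the same /var/log/nginx.log and are tested against this pattern as well. common.conf, already pulled in by `before = common.conf`, gives an anchored syslog prefix: set `_daemon = nginx` under `[Definition]` and use `failregex = ^%(__prefix_line)s<HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"$`. As rendered here the regex shows no host capture after `nginx: `; if the page dropped a `<HOST>` tag that is only a rendering artefact, otherwise fail2ban rejects a failregex without a host group and the jail never starts.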