syslog integration and fail2ban improvement

README.md

@@ -419,10 +419,11 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
 ```
 
 # TODO
-- docker tags
+- logrotate
-- Tutorials
+- readme : custom errors
-- Full documentation
+- remove nginx on default error pages
 - nginx compile flags
 - Antibot with recaptcha v3
 - HSTS preload, HPKP
 - Web UI
+- Full documentation

confs/nginx.conf

@@ -61,8 +61,9 @@ http {
 	# enable/disable sending nginx version
 	server_tokens %SERVER_TOKENS%;
 
-	# where to write logs
+	# write logs to local syslogd
-	access_log /var/log/access.log;
+	access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
+	error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
 
 	# server config
 	include /etc/nginx/server.conf;

confs/php.ini

@@ -585,15 +585,15 @@ html_errors = On
 ; Example:
 ;error_log = php_errors.log
 ; Log errors to syslog (Event Log on Windows).
-;error_log = syslog
+error_log = syslog
 
 ; The syslog ident is a string which is prepended to every message logged
 ; to syslog. Only used when error_log is set to syslog.
-;syslog.ident = php
+syslog.ident = php
 
 ; The syslog facility is used to specify what type of program is logging
 ; the message. Only used when error_log is set to syslog.
-;syslog.facility = user
+syslog.facility = local1
 
 ; Set this to disable filtering control characters (the default).
 ; Some loggers only accept NVT-ASCII, others accept anything that's not
@@ -605,7 +605,7 @@ html_errors = On
 ;   all (all characters)
 ;   raw (like "all", but messages are not split at newlines)
 ; http://php.net/syslog.filter
-;syslog.filter = ascii
+syslog.filter = ascii
 
 ;windows.show_crt_warning
 ; Default value: 0

confs/syslog.conf

@@ -0,0 +1,2 @@
+local0.*	/var/log/nginx.log
+local1.*	/var/log/php.log

entrypoint.sh

@@ -38,6 +38,7 @@ function replace_in_file() {
 cp /opt/confs/*.conf /etc/nginx
 cp -r /opt/confs/owasp-crs /etc/nginx
 cp /opt/confs/php.ini /etc/php7/php.ini
+cp /opt/confs/syslog.conf /etc/syslog.conf
 
 # remove cron jobs
 echo "" > /etc/crontabs/root
@@ -104,6 +105,8 @@ AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
+SYSLOG_MAXSIZE="${SYSLOG_MAXSIZE-1000}"
+SYSLOG_KEEP="${SYSLOG_KEEP-10}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -352,14 +355,14 @@ fi
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	echo "" > /etc/nginx/fail2ban-ip.conf
-	rm -rf /etc/fail2ban/jail.d/*
+	rm -rf /etc/fail2ban/jail.d/*.conf
 	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
-	cp /opt/fail2ban/jail.local /etc/fail2ban/jail.local
+	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
-	replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
-	replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
-	replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
@@ -367,8 +370,8 @@ fi
 
 # clamav setup
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	echo "[*] Updating clamav ..."
+	echo "[*] Updating clamav (in background) ..."
-	freshclam > /dev/null 2>&1
+	freshclam > /dev/null 2>&1 &
 	echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
@@ -390,6 +393,9 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
 	chmod g+w -R /www
 fi
 
+# start syslogd
+syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"
+
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
 	replace_in_file "/etc/php7/php-fpm.d/www.conf" "user = nobody" "user = nginx"
@@ -403,6 +409,12 @@ crond
 # start nginx
 echo "[*] Running nginx ..."
 /usr/sbin/nginx
+if [ ! -f "/var/log/nginx.log" ] ; then
+	touch /var/log/nginx.log
+fi
+if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
+	touch /var/log/php.log
+fi
 
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
@@ -410,7 +422,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 fi
 
 # display logs
-tail -f /var/log/access.log &
+if [ "$USE_PHP" = "yes" ] ; then
+	tail -f /var/log/nginx.log /var/log/php.log &
+else
+	tail -f /var/log/nginx.log &
+fi
 wait $!
 
 # sigterm trapped

fail2ban/nginx-filter.local

@@ -2,6 +2,6 @@
 before = common.conf
 
 [Definition]
-failregex = <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
+failregex = .* nginx: <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
 ignoreregex =
 datepattern = %%d/%%b/%%Y:%%H:%%M:%%S

fail2ban/nginx-jail.local

@@ -1,9 +1,7 @@
-[DEFAULTS]
+[nginx-filter]
 bantime = %FAIL2BAN_BANTIME%
 findtime = %FAIL2BAN_FINDTIME%
 maxretry = %FAIL2BAN_MAXRETRY%
-
-[nginx-filter]
 enabled = true
 action = nginx-action
-logpath = /var/log/access.log
+logpath = /var/log/nginx.log