From f3721a50dbf1ba4a7d341f1977d47c3981c3c550 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Tue, 29 Sep 2020 23:01:26 +0200
Subject: [PATCH] sitewide auth basic

---
 README.md | 23 ++++++++++++++++++++++-
 confs/auth-basic-sitewide.conf | 2 ++
 entrypoint.sh | 13 +++++++++----
 3 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 confs/auth-basic-sitewide.conf

diff --git a/README.md b/README.md
index 82ea454..2582cde 100644
--- a/README.md
+++ b/README.md
@@ -10,8 +10,9 @@ Non-exhaustive list of features :
 - Integrated ModSecurity WAF with the OWASP Core Rule Set
 - Automatic ban of strange behaviors with fail2ban
 - Block TOR users, bad user-agents, countries, ...
+- Perform automatic DNSBL checks
 - Detect bad files with ClamAV
-- Based on alpine and compiled from source
+- Based on alpine
 - Easy to configure with environment variables
 
 # Table of contents
@@ -291,6 +292,26 @@ Values : *yes* | *no*
 Default value : *no*
 Is set to yes, will block TOR clients.
 
+`USE_DNSBL`
+Values : *yes* | *no*
+Default value : *yes*
+If set to yes, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` environment variable.
+
+`DNSBL_LIST`
+Values : *\*
+Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*
+The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
+
+`DNSBL_RESOLVERS`
+Values : *\*
+Default value : *8.8.8.8 8.8.4.4*
+The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
+
+`DNSBL_CACHE`
+Values : *\< \>*
+Default value : *10m*
+The size of the cache used to keep DNSBL responses.
+
 ## PHP
 `REMOTE_PHP`
 Values : *\*
diff --git a/confs/auth-basic-sitewide.conf b/confs/auth-basic-sitewide.conf
new file mode 100644
index 0000000..93fd4c2
--- /dev/null
+++ b/confs/auth-basic-sitewide.conf
@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file /etc/nginx/.htpasswd;
diff --git a/entrypoint.sh b/entrypoint.sh
index 2a8b4a8..b2c4b91 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -113,7 +113,7 @@ USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
 USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
 AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
-AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
+AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
@@ -370,9 +370,14 @@ else
 replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
 if [ "$USE_AUTH_BASIC" = "yes" ] ; then
-replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
-replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
-replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
+replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
+replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+else
+replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
+replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+fi
 htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
 else
 replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
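Review bot: The default for `AUTH_BASIC_LOCATION` silently changes from `/` to the sentinel value `sitewide`, and nothing in this patch documents it — the README hunk in the same commit only adds the DNSBL variables. Existing deployments that relied on the old default now get a server-level `auth_basic` include instead of a `location /` block, which is the stricter of the two (it also covers any other location blocks in server.conf) but is still a behaviour change worth a README note next to the `AUTH_BASIC_LOCATION` entry, e.g. "Default value : *sitewide* — protects the whole server; any other value is used as an nginx location path". The sentinel also means a location literally named `sitewide` can no longer be expressed; a separate switch such as `AUTH_BASIC_SITEWIDE=yes|no` would avoid overloading the path variable, though that is a design choice rather than a defect.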
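Review bot: `$AUTH_BASIC_TEXT` is written unescaped into the double-quoted `auth_basic` directive in both the new `sitewide` branch and the retained `else` branch (and via the new `confs/auth-basic-sitewide.conf` placeholder), so a value containing `"` or `;` produces an nginx configuration that either fails to load or no longer says what the operator intended; `$AUTH_BASIC_LOCATION` in the `else` branch has the same property, inherited from the removed lines. Because these values come from operator-supplied environment variables the exposure is a misconfiguration that takes the server down (or weakens the directive) rather than remote injection, but a guard before the inner `if`, e.g. `case "$AUTH_BASIC_TEXT" in *[\"\;]*) echo "AUTH_BASIC_TEXT must not contain quotes or semicolons" >&2; exit 1 ;; esac`, turns that into a clear failure at startup. How `replace_in_file` treats `/`, `&` or newlines in the replacement is not visible here; if it is sed-based those characters need the same validation. Minor: the trailing `;` after the `replace_in_file` calls is a no-op in shell and can be dropped for consistency with the surrounding lines.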