sitewide auth basic

README.md

@@ -10,8 +10,9 @@ Non-exhaustive list of features :
 - Integrated ModSecurity WAF with the OWASP Core Rule Set
 - Automatic ban of strange behaviors with fail2ban
 - Block TOR users, bad user-agents, countries, ...
+- Perform automatic DNSBL checks
 - Detect bad files with ClamAV
-- Based on alpine and compiled from source
+- Based on alpine
 - Easy to configure with environment variables
 
 # Table of contents
@@ -291,6 +292,26 @@ Values : *yes* | *no*
 Default value : *no*  
 Is set to yes, will block TOR clients.
 
+`USE_DNSBL`  
+Values : *yes* | *no*  
+Default value : *yes*  
+If set to yes, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` environment variable.  
+
+`DNSBL_LIST`  
+Values : *\<list of DNS zones separated with spaces\>*  
+Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*  
+The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
+
+`DNSBL_RESOLVERS`  
+Values : *\<two IP addresses separated with a space\>*  
+Default value : *8.8.8.8 8.8.4.4*  
+The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
+
+`DNSBL_CACHE`  
+Values : *\< \>*  
+Default value : *10m*  
+The size of the cache used to keep DNSBL responses.
+
 ## PHP
 `REMOTE_PHP`  
 Values : *\<any valid IP/hostname\>*  

confs/auth-basic-sitewide.conf

@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file /etc/nginx/.htpasswd;

entrypoint.sh

@@ -113,7 +113,7 @@ USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
 USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
 AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
-AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
+AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
@@ -370,9 +370,14 @@ else
         replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
 if [ "$USE_AUTH_BASIC" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
+	if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
-	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
-	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+		replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+	else
+		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
+		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+	fi
 	htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
 else
 	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""