Added the ability to see Real IPs if Nginx is running under another proxy (such as Traefik).

Alex Jarmoszuk 2020-10-06 10:51:10 +02:00
parent 2e0a8307d1
commit fb1a0182e2
No known key found for this signature in database
GPG Key ID: 493B4C56E2380C50
4 changed files with 19 additions and 1 deletions


@ -175,6 +175,11 @@ Default value :
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code. Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder. For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
`PROXY_REAL_IP`
Values : *yes* | *no*
Default value : *no*
Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly.
## HTTPS ## HTTPS
`AUTO_LETS_ENCRYPT` `AUTO_LETS_ENCRYPT`
Values : *yes* | *no* Values : *yes* | *no*


@ -62,7 +62,8 @@ http {
server_tokens %SERVER_TOKENS%; server_tokens %SERVER_TOKENS%;
# write logs to local syslogd # write logs to local syslogd
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined; %PROXY_REAL_IP%
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn; error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
# lua path # lua path
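Review bot: The bare `%PROXY_REAL_IP%` line above `access_log` carries no comment, and `%LOG_TYPE%` holds a log_format name rather than a log type, so a reader of the template cannot tell what either placeholder expands to. A comment above the placeholder such as `# replaced by an include that defines the "proxy" log_format when PROXY_REAL_IP=yes, removed otherwise` would document it. The `http {` block starts and ends outside the hunk.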

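--- /dev/null
+++ b/confs/proxy-real-ip.conf
@@ -0,0 +1,3 @@
+log_format proxy '$http_x_real_ip - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';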
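Review bot: The `proxy` format logs `$http_x_real_ip`, which is whatever X-Real-IP header the request carried, so the logged address is client-controlled unless the front proxy always overwrites that header and Nginx is unreachable except through it. The format also changes only the log line: `$remote_addr` is still the proxy's address, so anything keyed on the client address (the README mentions ModSecurity) presumably still sees the proxy. The README also speaks of X-Forwarded-For while this file reads X-Real-IP. If the build includes ngx_http_realip_module, consider `set_real_ip_from <trusted-proxy-cidr>;` with `real_ip_header X-Forwarded-For;` and the stock `combined` format instead, where `<trusted-proxy-cidr>` is a placeholder for the deployment's proxy network.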


@ -131,6 +131,7 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}" LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}" LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}" LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
# install additional modules if needed # install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then if [ "$ADDITIONAL_MODULES" != "" ] ; then
@ -354,6 +355,14 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
else else
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "" replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
fi fi
if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy"
else
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
fi
ERRORS="" ERRORS=""
for var in $(env) ; do for var in $(env) ; do
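Review bot: All four new `replace_in_file` calls edit `/etc/nginx/server.conf`, but this commit adds the `%PROXY_REAL_IP%` and `%LOG_TYPE%` placeholders inside an `http {` block next to `server_tokens`, and the neighbouring `%USE_MODSECURITY%` substitution edits `/etc/nginx/nginx.conf`. The page does not name the template file, so this is inferred, but if the placeholders live in nginx.conf they are never substituted and Nginx would be started with a literal `%PROXY_REAL_IP%` line. `log_format` is also only valid at http level. The calls would then read `replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"`, and likewise for the other three. Separately, any value other than `yes` silently takes the else branch, so a typo disables the feature without a message.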