From fbf81c94be174b79d649b9928ecb75dca32a03f9 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 15 Nov 2020 15:43:41 +0100
Subject: [PATCH] cached blacklists data
---
 Dockerfile | 2 +-
 Dockerfile-amd64 | 2 +-
 Dockerfile-arm32v7 | 2 +-
 Dockerfile-arm64v8 | 2 +-
 Dockerfile-i386 | 2 +-
 entrypoint/defaults.sh | 2 +-
 entrypoint/global-config.sh | 45 ++++++++++++++++++++++++++++---------
 scripts/abusers.sh | 1 +
 scripts/exit-nodes.sh | 1 +
 scripts/geoip.sh | 1 +
 scripts/proxies.sh | 1 +
 scripts/user-agents.sh | 1 +
 12 files changed, 46 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 572d4a6..0ddc531 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
 chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 1c1bbce..787e293 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -28,7 +28,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
 chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 89a89d7..be069ef 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
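Review bot: The new `/cache` mount point is only declared with `VOLUME`, never created in the image; Docker normally creates the directory itself when it mounts an anonymous volume there, but if the entrypoint or the cron scripts ever run without that mount (a test harness, a plain `chroot`), every `cp … /cache` they perform fails and the scripts simply continue. Making the layout explicit with `mkdir /cache` in the `RUN` chain above, next to the `touch` of the log files (the `RUN` instruction starts outside the hunk), removes that dependency. Since the entrypoint copies whatever it finds in `/cache` straight into `/etc/nginx` as configuration, the README entry for the new volume should also say it must not be writable by anything other than this container. The same one-line edit is repeated in all five Dockerfile variants; that duplication predates this commit but is what makes such changes easy to miss in one of them.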
@@ -35,7 +35,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
 chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index b50e26c..6716859 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -35,7 +35,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
 chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index ac3109f..187098f 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -28,7 +28,7 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
 chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 37c4e25..4d09b76 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-MULTISITE="${MULTISITE-yes}"
+MULTISITE="${MULTISITE-no}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index 2d9f49f..d1aa13d 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
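Review bot: The `MULTISITE` default flipping from `yes` to `no` in defaults.sh is a user-visible behaviour change that has nothing to do with the cached-blocklist work named in the subject, and the commit message does not mention it; anyone whose multisite deployment changes behaviour after upgrading will not find the cause by reading this history. Either move it to its own commit or add a line to the description such as `Also switch the default of MULTISITE to "no"` and update whatever documentation states the old default. The remainder of defaults.sh is outside the hunk.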
@@ -58,44 +58,69 @@ fi
 # country ban
 if [ "$BLOCK_COUNTRY" != "" ] ; then
- echo "[*] Updating GeoIP database (in background) ..."
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
 replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\\n/g') no;"
 echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
- /opt/scripts/geoip.sh &
+ if [ -f "/cache/geoip.mmdb" ] ; then
+ echo "[*] Copying cached geoip.mmdb ..."
+ cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
+ else
+ echo "[*] Downloading GeoIP database (in background) ..."
+ /opt/scripts/geoip.sh &
+ fi
 else
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
 fi
 # block bad UA
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
- echo "[*] Downloading bad user-agent list (in background) ..."
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
- /opt/scripts/user-agents.sh &
 echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
+ if [ -f "/cache/map-user-agent.conf" ] ; then
+ echo "[*] Copying cached map-user-agent.conf ..."
+ cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
+ else
+ echo "[*] Downloading bad user-agent list (in background) ..."
+ /opt/scripts/user-agents.sh &
+ fi
 else
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
- echo "[*] Downloading tor exit nodes list (in background) ..."
- /opt/scripts/exit-nodes.sh &
 echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
+ if [ -f "/cache/block-tor-exit-node.conf" ] ; then
+ echo "[*] Copying cached block-tor-exit-node.conf ..."
+ cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
+ else
+ echo "[*] Downloading tor exit nodes list (in background) ..."
+ /opt/scripts/exit-nodes.sh &
+ fi
 fi
 # block proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
- echo "[*] Downloading proxies list (in background) ..."
- /opt/scripts/proxies.sh &
 echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
+ if [ -f "/cache/block-proxies.conf" ] ; then
+ echo "[*] Copying cached block-proxies.conf ..."
+ cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
+ else
+ echo "[*] Downloading proxies list (in background) ..."
+ /opt/scripts/proxies.sh &
+ fi
 fi
 # block abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
- echo "[*] Downloading abusers list (in background) ..."
- /opt/scripts/abusers.sh &
 echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
+ if [ -f "/cache/block-abusers.conf" ] ; then
+ echo "[*] Copying cached block-abusers.conf ..."
+ cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
+ else
+ echo "[*] Downloading abusers list (in background) ..."
+ /opt/scripts/abusers.sh &
+ fi
 fi
 # DNS resolvers
diff --git a/scripts/abusers.sh b/scripts/abusers.sh
index df8896b..1f40ebe 100755
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@@ -8,6 +8,7 @@ while read entry ; do
 echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
 fi
 done
+cp /etc/nginx/block-abusers.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
 fi
diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh
index 718c254..91f60c4 100644
--- a/scripts/exit-nodes.sh
+++ b/scripts/exit-nodes.sh
@@ -8,6 +8,7 @@ while read entry ; do
 echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
 fi
 done
+cp /etc/nginx/block-tor-exit-node.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
 fi
diff --git a/scripts/geoip.sh b/scripts/geoip.sh
index 46c50be..f8c29b5 100644
--- a/scripts/geoip.sh
+++ b/scripts/geoip.sh
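Review bot: Once a cached file exists, each new `if [ -f "/cache/…" ]` branch in global-config.sh restores it and skips the download entirely, so a container restarted on an old volume serves stale blocklists until the cron entry next fires — nightly for the abusers, proxies and user-agent lists, hourly for tor, but only on the 2nd of each month for GeoIP (`0 0 2 * *`), which can leave a weeks-old `geoip.mmdb` in use. Gate the cache on age rather than mere existence, e.g. `if [ -f /cache/geoip.mmdb ] && [ -z "$(find /cache/geoip.mmdb -mtime +30)" ] ; then` with a threshold matching each list's cron interval (`-mmin +1440` for the daily lists, `-mmin +60` for tor), so an expired cache falls through to the existing download branch. Note also that the cached files are copied verbatim into `/etc/nginx` and used as configuration (`map-user-agent.conf` is `include`d directly; the `block-*.conf` files carry `deny` directives), so the `/cache` volume is trusted input: anything able to write to it can drop `deny` entries or add directives — worth a comment above the first cache check, `# /cache contents are loaded as nginx config: the volume must be writable only by this container`. The five branches differ only in file name and script; a small `restore_or_fetch <cached-file> <script>` helper would remove the repetition.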
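Review bot: The added `cp /etc/nginx/block-abusers.conf /cache` runs unconditionally after the loop, so a run whose input (produced above the hunk) came back empty or truncated would overwrite a good cached list with an empty one, and the entrypoint then prefers that empty cache over a fresh download on the next start. Guard the cache update on having produced something, `[ -s /etc/nginx/block-abusers.conf ] && cp /etc/nginx/block-abusers.conf /cache`, and if the volume can be read by another container while this one writes, copy to `/cache/block-abusers.conf.tmp` and `mv` it into place so a reader never sees a half-copied file. The `cp` status is otherwise ignored and the reload below proceeds regardless. Whether the script truncates the conf file before the loop is outside the hunk, as is its shebang.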
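Review bot: The added `cp /etc/nginx/block-tor-exit-node.conf /cache` copies whatever the loop produced, and because the entrypoint schedules this script hourly (`0 * * * *`), a single fetch that returns nothing — hedged, since the fetch is above the hunk — would replace a good cached list with an empty one within the hour, and the next container start would trust that empty cache instead of downloading. Guard it with `[ -s /etc/nginx/block-tor-exit-node.conf ] && cp /etc/nginx/block-tor-exit-node.conf /cache`, and write through `/cache/block-tor-exit-node.conf.tmp` followed by `mv` so the copy is atomic for any concurrent reader of the volume. The head of the script, including how entries are fetched, is outside the hunk.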
@@ -5,6 +5,7 @@ URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
 wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1
 if [ -f /etc/nginx/geoip.mmdb.gz ] ; then
 gunzip -f /etc/nginx/geoip.mmdb.gz
+ cp /etc/nginx/geoip.mmdb /cache
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
 fi
diff --git a/scripts/proxies.sh b/scripts/proxies.sh
index 0a6ba32..d5d551b 100755
--- a/scripts/proxies.sh
+++ b/scripts/proxies.sh
@@ -8,6 +8,7 @@ while read entry ; do
 echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
 fi
 done
+cp /etc/nginx/block-proxies.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
 fi
diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh
index 7290b18..f1c93c5 100755
--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
@@ -19,6 +19,7 @@ DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | se
 cp /opt/confs/global/map-user-agent.conf /etc/nginx/map-user-agent.conf
 replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
+cp /etc/nginx/map-user-agent.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
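Review bot: The added `cp /etc/nginx/geoip.mmdb /cache` in geoip.sh is keyed on the `.gz` merely existing, not on the download and `gunzip` having succeeded; depending on the wget build, `-O` can leave an empty or partial file behind when the request fails (for example before db-ip publishes the month the `$(date +%Y-%m)` URL assumes), in which case `gunzip -f` errors out and the new line re-caches whatever `geoip.mmdb` was already present, or fails on a first run with none. Chain the steps on success instead, `if wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1 && gunzip -f /etc/nginx/geoip.mmdb.gz ; then`, with the `cp` and the reload inside, so a failed or corrupt download touches neither the cache nor the running nginx. The `cp` status is also unchecked; `cp /etc/nginx/geoip.mmdb /cache || echo "[!] could not update GeoIP cache"` at least leaves a trace in the log. The script's shebang and the lines after the reload are outside the hunk.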
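Review bot: The added `cp /etc/nginx/block-proxies.conf /cache` in proxies.sh caches the list with no check that the loop produced any entries, so an empty or interrupted fetch (the fetch itself is above the hunk) would poison the cache that the entrypoint then restores in preference to downloading. Use `[ -s /etc/nginx/block-proxies.conf ] && cp /etc/nginx/block-proxies.conf /cache` and, if the volume may be shared, copy to `/cache/block-proxies.conf.tmp` and `mv` it over the old file so the update is atomic. The copy's exit status is ignored and the reload below runs either way, which is fine for nginx but means a broken cache mount goes unnoticed until the next container start.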