diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..e6561fb
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,26 @@
+# Changelog
+
+## v1.2.6 - 2021/06/06
+
+- Move from "ghetto-style" shell scripts to generic jinja2 templating
+- Init work on a basic plugins system
+- Move ClamAV to external plugin
+- Reduce image size by removing unnecessary dependencies
+- Fix CrowdSec example
+- Change some global variables to multisite
+- Add LOG_LEVEL environment variable
+- Read-only container support
+- Improved antibot javascript with a basic proof of work
+- Update nginx to 1.20.1
+- Support of docker-socket-proxy with web UI
+- Add certbot-cloudflare example
+- Disable DNSBL checks when IP is local
+
+## v1.2.5 - 2021/05/14
+
+- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
+- Init work on official documentation on readthedocs
+- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
+- Add ROOT_SITE_SUBFOLDER environment variable
+
+## TODO - retrospective changelog
diff --git a/autoconf/AutoConf.py b/autoconf/AutoConf.py
index 917af49..e362ec5 100644
--- a/autoconf/AutoConf.py
+++ b/autoconf/AutoConf.py
@@ -1,4 +1,3 @@
-# TODO : hard tests, jobs if swarm mode, check state when generating env, ...
 from Config import Config
 import utils
 import os
@@ -94,13 +93,9 @@ class AutoConf :
 if self.__swarm and len(self.__instances) == 1 :
 if self.__config.generate(self.__env) :
 utils.log("[*] Initial config succeeded")
- with open("/etc/nginx/autoconf", "w") as f :
- f.write("ok")
 if not self.__config.swarm_wait(self.__instances) :
 utils.log("[!] Removing bunkerized-nginx instances from list")
 del self.__instances[id]
- os.remove("/etc/nginx/autoconf")
-
 else :
 utils.log("[!] Initial config failed")
 utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
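Review bot: With `with open("/etc/nginx/autoconf", "w")` and `os.remove("/etc/nginx/autoconf")` dropped here, and the second removal dropped in the `destroy`/`remove` hunk below, nothing visible in this diff deletes the sentinel file any more, while `Config.swarm_wait` now creates it before it starts waiting. After a failed `swarm_wait` the instance is deleted from `self.__instances` but a stale "ok" marker stays on disk, so whatever polls that file (not shown here) will keep treating the swarm config as ready. Unless that cleanup moved somewhere outside this diff, restore `os.remove("/etc/nginx/autoconf")` in the failure branch, or have `swarm_wait` remove the file itself before it returns False. The enclosing method starts before this hunk.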
@@ -118,11 +113,6 @@ class AutoConf : elif event == "destroy" or event == "remove" : del self.__instances[id] self.__gen_env() - if self.__swarm and len(self.__instances) == 0 : - with open("/etc/crontabs/nginx", "w") as f : - f.write("") - if os.path.exists("/etc/nginx/autoconf") : - os.remove("/etc/nginx/autoconf") utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id) def __process_server(self, instance, event, id, name, labels) : diff --git a/autoconf/Config.py b/autoconf/Config.py index 61efb80..ab5fbd6 100644 --- a/autoconf/Config.py +++ b/autoconf/Config.py @@ -9,8 +9,26 @@ class Config : self.__swarm = swarm self.__api = api + def __jobs(self) : + utils.log("[*] Starting jobs ...") + proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True) + stdout = proc.stdout.decode("ascii") + stderr = proc.stderr.decode("ascii") + if stdout != "" : + utils.log("[*] Jobs stdout :") + utils.log(stdout) + if stderr != "" : + utils.log("[!] Jobs stderr :") + utils.log(stderr) + if proc.returncode != 0 : + utils.log("[!] Jobs error : return code != 0") + return False + return True + def swarm_wait(self, instances) : try : + with open("/etc/nginx/autoconf", "w") as f : + f.write("ok") utils.log("[*] Waiting for bunkerized-nginx tasks ...") i = 1 started = False 
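Review bot: `proc.stdout.decode("ascii")` and `proc.stderr.decode("ascii")` in the new `__jobs` raise `UnicodeDecodeError` on the first non-ASCII byte the job scripts emit, and because `__jobs` is called from `generate` (later hunk) that exception escapes the config step as a crash rather than the logged failure the `returncode` check intends; `decode("utf-8", errors="replace")` keeps the log path alive whatever curl or the list scripts print. The `subprocess.run` call also has no `timeout=`, and jobs.sh now runs the GeoIP download in the foreground, so a stalled fetch blocks the autoconf event handler indefinitely — consider `timeout=` with `subprocess.TimeoutExpired` treated like a non-zero return code. `swarm_wait` continues past the end of this hunk.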
@@ -23,16 +41,7 @@ class Config : utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks") if started : utils.log("[*] bunkerized-nginx tasks started") - proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True) - stdout = proc.stdout.decode("ascii") - stderr = proc.stderr.decode("ascii") - if stdout != "" : - for line in stdout.split("\n") : - utils.log("[*] Jobs output : " + stdout) - if stderr != "" : - for line in stderr.split("\n") : - utils.log("[!] Jobs error : " + stderr) - return proc.returncode == 0 + return True else : utils.log("[!] bunkerized-nginx tasks are not started") except Exception as e : @@ -52,15 +61,17 @@ class Config : # Print stdout/stderr stdout = proc.stdout.decode("ascii") stderr = proc.stderr.decode("ascii") - if stdout != "": - for line in stdout.split("\n") : - utils.log("[*] Generator output : " + stdout) + if stdout != "" : + utils.log("[*] Generator output :") + utils.log(stdout) if stderr != "" : - for line in stderr.split("\n") : - utils.log("[*] Generator error : " + stderr) + utils.log("[*] Generator error :") + utils.log(error) # We're done if proc.returncode == 0 : + if self.__swarm : + return self.__jobs() return True utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode)) diff --git a/autoconf/entrypoint.sh b/autoconf/entrypoint.sh index 0657fa1..19ee6ee 100644 --- a/autoconf/entrypoint.sh +++ b/autoconf/entrypoint.sh @@ -9,7 +9,6 @@ if [ "$?" -ne 0 ] ; then fi if [ "$SWARM_MODE" = "yes" ] ; then - cp -r /opt/confs/nginx/* /etc/nginx chown -R root:nginx /etc/nginx chmod -R 770 /etc/nginx fi diff --git a/confs/global/fastcgi.conf b/confs/global/fastcgi.conf new file mode 100644 index 0000000..acd0b38 --- /dev/null +++ b/confs/global/fastcgi.conf 
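Review bot: `utils.log(error)` in the stderr branch of `generate` references a name that does not exist in that scope; the decoded text is `stderr`, so the first generator run that writes anything to stderr raises `NameError` instead of logging it — change it to `utils.log(stderr)`. While there, the prefix in `"[*] Generator error :"` could be `"[!]"` to match the error lines elsewhere in this file. The new `return self.__jobs()` path reports a jobs failure as a failed generate after the generator itself has already succeeded, which callers treat as a config error; a one-line comment stating that this is intended would help the next reader. `generate` starts and ends outside this hunk.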
@@ -0,0 +1,25 @@
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/confs/global/multisite-default-server.conf b/confs/global/multisite-default-server.conf
index f4c3659..888719c 100644
--- a/confs/global/multisite-default-server.conf
+++ b/confs/global/multisite-default-server.conf
@@ -2,5 +2,10 @@ server {
 {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %};
 server_name _;
 {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
+ {% if USE_API == "yes" %}
+ location ^~ {{ API_URI }} {
+ include /etc/nginx/api.conf;
+ }
+ {% endif %}
 {% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
 }
diff --git a/docs/environment_variables.md b/docs/environment_variables.md
index 9a52926..491e213 100644
--- a/docs/environment_variables.md
+++ b/docs/environment_variables.md
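Review bot: The new `location ^~ {{ API_URI }}` block sits in the catch-all `server_name _;` server, so it answers on any Host for every URI under the `API_URI` prefix, and nothing in this hunk limits who may reach it; the only visible protections are the secrecy of `API_URI` (the swarm example in this same commit ships `/ChangeMeToSomethingHardToGuess`) and whatever `/etc/nginx/api.conf` contains, which the diff does not show. Add a template comment above the block along the lines of `# API is reachable by any client that knows API_URI; api.conf must restrict callers (allow/deny), the path alone is not access control`, and confirm api.conf actually carries such restrictions. Also check how this location interacts with the `DISABLE_DEFAULT_SERVER` include on the following line, since that included file (not shown) may shut the whole server and either hide the API or be bypassed by it.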
@@ -14,7 +14,7 @@ Any environment variable tagged as *multisite* context can be used for a specifi `SERVER_NAME` Values : *<first name> <second name> ...* Default value : *www.bunkerity.com* -Context : *global* +Context : *global*, *multisite* Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients. Useful when used with `MULTISITE=yes` and/or `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`. @@ -55,7 +55,7 @@ The IP addresses of the DNS resolvers to use when performing DNS lookups. Values : *\* Default value : */www* Context : *global* -The default folder where nginx will search for web files. Don't change it unless you want to make your own image. +The default folder where nginx will search for web files. Don't change it unless you know what you are doing. `ROOT_SITE_SUBFOLDER` Values : *\* @@ -115,12 +115,12 @@ List of header to remove when sending responses to clients. ### Custom error pages -`ERROR_XXX` -Values : *\* +`ERRORS` +Values : *\* Default value : Context : *global*, *multisite* -Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code. -For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder. +Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace errorX with HTTP code. +Example : `ERRORS=404=/404.html 403=/403.html` the /404.html page will be displayed when 404 code is generated (same for 403 and /403.html page). The path is relative to the root web folder. ### HTTP basic authentication 
@@ -431,55 +431,55 @@ Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes. `GENERATE_SELF_SIGNED_SSL` Values : *yes* | *no* Default value : *no* -Context : *global* +Context : *global*, *multisite* If set to yes, HTTPS will be enabled with a container generated self-signed certificate. `SELF_SIGNED_SSL_EXPIRY` Values : *integer* Default value : *365* (1 year) -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the expiry date for the self generated certificate. `SELF_SIGNED_SSL_COUNTRY` Values : *text* Default value : *Switzerland* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the country for the self generated certificate. `SELF_SIGNED_SSL_STATE` -Values : *text* +Values : *text*, *multisite* Default value : *Switzerland* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the state for the self generated certificate. `SELF_SIGNED_SSL_CITY` Values : *text* Default value : *Bern* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the city for the self generated certificate. `SELF_SIGNED_SSL_ORG` Values : *text* Default value : *AcmeInc* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the organisation name for the self generated certificate. `SELF_SIGNED_SSL_OU` Values : *text* Default value : *IT* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the organisitional unit for the self generated certificate. `SELF_SIGNED_SSL_CN` Values : *text* Default value : *bunkerity-nginx* -Context : *global* +Context : *global*, *multisite* Needs `GENERATE_SELF_SIGNED_SSL` to work. Sets the CN server name for the self generated certificate. 
@@ -625,13 +625,13 @@ The minimum score required when `USE_ANTIBOT` is set to *recaptcha*. `ANTIBOT_RECAPTCHA_SITEKEY` Values : *\* Default value : -Context : *global* +Context : *global*, *multisite* The sitekey given by Google when `USE_ANTIBOT` is set to *recaptcha*. `ANTIBOT_RECAPTCHA_SECRET` Values : *\* Default value : -Context : *global* +Context : *global*, *multisite* The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*. ### External blacklists @@ -682,7 +682,7 @@ If set to *yes*, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` Values : *\* Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org* -Context : *global* +Context : *global*, *multisite* The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*. ### CrowdSec @@ -716,7 +716,7 @@ If set to *yes*, lets you define custom IP addresses to be whitelisted through t `WHITELIST_IP_LIST` Values : *\* Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8* -Context : *global* +Context : *global*, *multisite* The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/). `USE_WHITELIST_REVERSE` @@ -728,7 +728,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be whitelisted t `WHITELIST_REVERSE_LIST` Values : *\* Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net* -Context : *global* +Context : *global*, *multisite* The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines. `WHITELIST_USER_AGENT` 
@@ -754,7 +754,7 @@ If set to *yes*, lets you define custom IP addresses to be blacklisted through t `BLACKLIST_IP_LIST` Values : *\* Default value : -Context : *global* +Context : *global*, *multisite* The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*. `USE_BLACKLIST_REVERSE` @@ -766,7 +766,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be blacklisted t `BLACKLIST_REVERSE_LIST` Values : *\* Default value : *.shodan.io* -Context : *global* +Context : *global*, *multisite* The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is set to *yes*. ### Requests limiting @@ -856,25 +856,25 @@ If set to yes, bunkerized-nginx will block users getting too much "suspicious" H `BAD_BEHAVIOR_STATUS_CODES` Values : *\* Default value : *400 401 403 404 405 429 444* -Context : *global* +Context : *global*, *multisite* List of HTTP status codes considered as "suspicious". `BAD_BEHAVIOR_THRESHOLD` Values : ** Default value : *10* -Context : *global* +Context : *global*, *multisite* The number of "suspicious" HTTP status code before the corresponding IP is banned. `BAD_BEHAVIOR_BAN_TIME` Values : ** Default value : *86400* -Context : *global* +Context : *global*, *multisite* The duration time (in seconds) of a ban when the corresponding IP has reached the `BAD_BEHAVIOR_THRESHOLD`. `BAD_BEHAVIOR_COUNT_TIME` Values : ** Default value : *60* -Context : *global* +Context : *global*, *multisite* The duration time (in seconds) before the counter of "suspicious" HTTP is reset. ## misc diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh index fd0732f..3474a56 100644 --- a/entrypoint/jobs.sh +++ b/entrypoint/jobs.sh 
@@ -8,18 +8,18 @@ if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COU if [ -f "/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb - else - echo "[*] Downloading GeoIP database (in background) ..." - /opt/scripts/geoip.sh > /dev/null 2>&1 & + elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then + echo "[*] Downloading GeoIP database ..." + /opt/scripts/geoip.sh > /dev/null 2>&1 fi fi # User-Agents if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then - if [ -f "/cache/user-agents.list" ] ; then + if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached user-agents.list ..." cp /cache/user-agents.list /etc/nginx/user-agents.list - else + elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then echo "[*] Downloading bad user-agent list (in background) ..." /opt/scripts/user-agents.sh > /dev/null 2>&1 & fi @@ -27,10 +27,10 @@ fi # Referrers if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then - if [ -f "/cache/referrers.list" ] ; then + if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached referrers.list ..." cp /cache/referrers.list /etc/nginx/referrers.list - else + elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then echo "[*] Downloading bad referrer list (in background) ..." /opt/scripts/referrers.sh > /dev/null 2>&1 & fi 
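Review bot: The cache-or-fetch guard is now written out six times with only the file and script names changed (geoip and user-agents here, referrers in the next hunk, tor-exit-nodes, proxies and abusers in the following ones), which is exactly why the `else` → `elif` edit had to be repeated by hand; a small helper taking the list and script names reduces the five background-list cases to one line each (geoip differs — foreground download and an `-f`-only cache check — so it can stay as it is). The `ps aux | grep "user-agents\.sh"` test only works because the escaped dot stops grep from matching its own command line, which a reader has to know; `grep -F "$script" | grep -v grep` states that intent explicitly. `wc -l FILE | cut -d ' ' -f 1` can also be `wc -l < FILE`, which prints no filename column to trim.
```shell
# Install LIST from /cache when the cached copy has content; otherwise start
# SCRIPT in the background unless an instance of it is already running.
use_cached_or_fetch() {
	list="$1"
	script="$2"
	if [ -f "/cache/$list" ] && [ "$(wc -l < "/cache/$list")" -gt 1 ] ; then
		echo "[*] Copying cached $list ..."
		cp "/cache/$list" "/etc/nginx/$list"
	elif [ "$(ps aux | grep -F "$script" | grep -v grep)" = "" ] ; then
		echo "[*] Downloading $list (in background) ..."
		"/opt/scripts/$script" > /dev/null 2>&1 &
	fi
}
# … unchanged: geoip block …
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
	use_cached_or_fetch user-agents.list user-agents.sh
fi
# … unchanged: same one-liner for referrers, tor-exit-nodes, proxies, abusers …
```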
@@ -38,10 +38,10 @@ fi # exit nodes if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then - if [ -f "/cache/tor-exit-nodes.list" ] ; then + if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached tor-exit-nodes.list ..." cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list - else + elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then echo "[*] Downloading tor exit nodes list (in background) ..." /opt/scripts/exit-nodes.sh > /dev/null 2>&1 & fi @@ -49,10 +49,10 @@ fi # proxies if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then - if [ -f "/cache/proxies.list" ] ; then + if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached proxies.list ..." cp /cache/proxies.list /etc/nginx/proxies.list - else + elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then echo "[*] Downloading proxies list (in background) ..." /opt/scripts/proxies.sh > /dev/null 2>&1 & fi @@ -60,10 +60,10 @@ fi # abusers if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then - if [ -f "/cache/abusers.list" ] ; then + if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then echo "[*] Copying cached abusers.list ..." cp /cache/abusers.list /etc/nginx/abusers.list - else + elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then echo "[*] Downloading abusers list (in background) ..." /opt/scripts/abusers.sh > /dev/null 2>&1 & fi @@ -105,6 +105,9 @@ fi files=$(has_value AUTO_LETS_ENCRYPT yes) if [ "$files" != " " ] ; then for file in $files ; do + if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then + continue + fi SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)" FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)" EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)" 
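Review bot: The new filter `grep 'site.env$'` in the Let's Encrypt loop uses an unescaped dot and no path separator, so it also accepts any file whose name merely ends in `siteXenv`; `grep '/site\.env$'` states the intent and avoids the accidental match. The `for file in $files ; do` loop it sits in opens before this hunk and the certbot call follows it, and the `$file` values are passed unquoted to `sed` on the next line, so a path containing whitespace would be word-split — quoting it as `"$file"` is a one-token change. I cannot see what `has_value` returns, so whether non-`site.env` entries can actually appear in `$files` is inferred from the need for this filter.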
@@ -112,6 +115,5 @@ if [ "$files" != " " ] ; then EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}" fi /opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" - done -fi \ No newline at end of file +fi diff --git a/examples/certbot-cloudflare/certbot-new.sh b/examples/certbot-cloudflare/certbot-new.sh index 1298500..29cc94f 100755 --- a/examples/certbot-cloudflare/certbot-new.sh +++ b/examples/certbot-cloudflare/certbot-new.sh @@ -3,8 +3,8 @@ # you need to run it before starting bunkerized-nginx to get the first certificate # edit according to your values -DOMAINS="kakou-corp.fr,*.kakou-corp.fr" -EMAIL="contact@kakou-corp.fr" +DOMAINS="website.com,*.website.com" +EMAIL="contact@website.com" SERVICE="mywww" # ask for the certificate diff --git a/examples/swarm/stack.yml b/examples/swarm/stack.yml index 41856c6..a737d34 100644 --- a/examples/swarm/stack.yml +++ b/examples/swarm/stack.yml @@ -11,6 +11,7 @@ services: - /shared/confs:/etc/nginx - /shared/letsencrypt:/etc/letsencrypt - /shared/acme-challenge:/acme-challenge + - /shared/cache:/cache environment: - SWARM_MODE=yes - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx @@ -36,10 +37,11 @@ services: # bunkerized-nginx runs as an unprivileged user with UID/GID 101 # don't forget to edit the permissions of the files and folders accordingly volumes: - - /shared/confs:/etc/nginx + - /shared/confs:/etc/nginx:ro - /shared/letsencrypt:/etc/letsencrypt:ro - /shared/acme-challenge:/acme-challenge:ro - /shared/www:/www:ro + - /shared/cache:/cache:ro environment: - SWARM_MODE=yes - USE_API=yes diff --git a/gen/main.py b/gen/main.py index 2780281..f341336 100755 --- a/gen/main.py +++ b/gen/main.py @@ -49,7 +49,7 @@ if __name__ == "__main__" : variables = utils.load_variables(args.variables) configurator.load_variables(variables) config = configurator.get_config() - print(config) + #print(config) # Remove old config for filename in os.listdir(args.output): 
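Review bot: A `done` is removed here while the closing `fi` is kept, but the `for file in $files ; do` loop opened before the previous hunk still needs its own terminator; from the visible context I cannot tell whether a second `done` survives as a context line (in which case this removes a stray duplicate) or whether the loop is now unterminated, which would make the whole script fail to parse and take every job with it. Please confirm with `sh -n entrypoint/jobs.sh` and, if the loop is unclosed, put `done` back before `fi`. The enclosing `if [ "$files" != " " ]` starts outside the hunk.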
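Review bot: `#print(config)` leaves commented-out code in place; `config` comes from `configurator.get_config()` and presumably holds every resolved setting, including values such as `ANTIBOT_RECAPTCHA_SECRET` documented in this same commit, so the original line was writing secrets into the container log. Delete the line outright rather than commenting it, or, if the output is still wanted for debugging, route it through the `LOG_LEVEL`-controlled logging this release introduces at a level that is off by default (assuming `utils.log` supports levels — confirm). The `__main__` block continues outside the hunk.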
diff --git a/scripts/abusers.sh b/scripts/abusers.sh index f80d3b8..3a705cb 100755 --- a/scripts/abusers.sh +++ b/scripts/abusers.sh @@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then fi # copy old conf to cache -cp /etc/nginx/abusers.list /cache +cp /etc/nginx/abusers.list /tmp/abusers.list.bak # generate the new conf curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \ @@ -31,24 +31,25 @@ lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)" if [ "$lines" -gt 1 ] ; then job_log "[BLACKLIST] abusers list updated ($lines entries)" # reload nginx with the new config - mv /tmp/abusers.list /etc/nginx/abusers.list + cp /tmp/abusers.list /etc/nginx/abusers.list if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /etc/nginx/abusers.list /cache + cp /tmp/abusers.list /cache job_log "[NGINX] successfull nginx reload after abusers list update" else job_log "[NGINX] failed nginx reload after abusers list update fallback to old list" - cp /cache/abusers.list /etc/nginx + #cp /tmp/abusers.list.bak /etc/nginx $RELOAD > /dev/null 2>&1 fi else - cp /etc/nginx/abusers.list /cache + cp /tmp/abusers.list /cache fi else job_log "[BLACKLIST] can't update abusers list" fi rm -f /tmp/abusers.list 2> /dev/null +rm -f /tmp/abusers.list.bak 2> /dev/null diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh index fd096fe..c3abc2b 100644 --- a/scripts/exit-nodes.sh +++ b/scripts/exit-nodes.sh @@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then fi # copy old conf to cache -cp /etc/nginx/tor-exit-nodes.list /cache +cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak # generate the new conf curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \ 
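Review bot: In the failed-reload branch the restore is now commented out (`#cp /tmp/abusers.list.bak /etc/nginx`), so the script logs "fallback to old list" and runs `$RELOAD` again while the rejected `/tmp/abusers.list` is still in place at `/etc/nginx/abusers.list`; the second reload then fails the same way, and the backup taken at the top of the script is deleted unused at the end. Either reinstate the restore as `cp /tmp/abusers.list.bak /etc/nginx/abusers.list` (the new backup path, with the full destination name) before the second `$RELOAD`, or, if leaving the new list in place is intended, change the log message so it no longer claims a fallback. The same commented-out restore appears in the corresponding hunks of exit-nodes.sh, proxies.sh, referrers.sh and user-agents.sh. Note also that the initial `cp /etc/nginx/abusers.list /tmp/abusers.list.bak` fails silently when no list exists yet, so a reinstated restore should be guarded with `[ -f /tmp/abusers.list.bak ]`.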
@@ -31,23 +31,24 @@ lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)" if [ "$lines" -gt 1 ] ; then job_log "[BLACKLIST] TOR exit node list updated ($lines entries)" # reload nginx with the new config - mv /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list + cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /etc/nginx/tor-exit-nodes.list /cache + cp /tmp/tor-exit-nodes.list /cache job_log "[NGINX] successfull nginx reload after TOR exit node list update" else job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list" - cp /cache/tor-exit-nodes.list /etc/nginx + #cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list $RELOAD > /dev/null 2>&1 fi else - cp /etc/nginx/tor-exit-nodes.list /cache + cp /tmp/tor-exit-nodes.list /cache fi else job_log "[BLACKLIST] can't update TOR exit node list" fi rm -f /tmp/tor-exit-nodes.list 2> /dev/null +rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null diff --git a/scripts/proxies.sh b/scripts/proxies.sh index 32f98f6..cd1f082 100755 --- a/scripts/proxies.sh +++ b/scripts/proxies.sh @@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then fi # copy old conf to cache -cp /etc/nginx/proxies.list /cache +cp /etc/nginx/proxies.list /tmp/proxies.list.bak # generate the new conf curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \ 
@@ -31,24 +31,25 @@ lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)" if [ "$lines" -gt 1 ] ; then job_log "[BLACKLIST] proxies list updated ($lines entries)" # reload nginx with the new config - mv /tmp/proxies.list /etc/nginx/proxies.list + cp /tmp/proxies.list /etc/nginx/proxies.list if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 # new config is ok : save it in the cache if [ "$?" -eq 0 ] ; then - cp /etc/nginx/proxies.list /cache + cp /tmp/proxies.list /cache job_log "[NGINX] successfull nginx reload after proxies list update" else job_log "[NGINX] failed nginx reload after proxies list update fallback to old list" - cp /cache/proxies.list /etc/nginx + #cp /tmp/proxies.list.bak /etc/nginx $RELOAD > /dev/null 2>&1 fi else - cp /etc/nginx/proxies.list /cache + cp /tmp/proxies.list /cache fi else job_log "[BLACKLIST] can't update proxies list" fi rm -f /tmp/proxies.list 2> /dev/null +rm -f /tmp/proxies.list.bak 2> /dev/null diff --git a/scripts/referrers.sh b/scripts/referrers.sh index d2c4cec..64acdca 100755 --- a/scripts/referrers.sh +++ b/scripts/referrers.sh @@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then fi # save old conf -cp /etc/nginx/referrers.list /cache +cp /etc/nginx/referrers.list /tmp/referrers.list.bak # generate new conf BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')" 
@@ -34,23 +34,24 @@ fi # check number of lines lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)" if [ "$lines" -gt 1 ] ; then - mv /tmp/referrers.list /etc/nginx/referrers.list + cp /tmp/referrers.list /etc/nginx/referrers.list job_log "[BLACKLIST] referrers list updated ($lines entries)" if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 if [ "$?" -eq 0 ] ; then - cp /etc/nginx/referrers.list /cache + cp /tmp/referrers.list /cache job_log "[NGINX] successfull nginx reload after referrers list update" else - cp /cache/referrers.list /etc/nginx + #cp /tmp/referrers.list.bak /etc/nginx job_log "[NGINX] failed nginx reload after referrers list update fallback to old list" $RELOAD > /dev/null 2>&1 fi else - cp /etc/nginx/referrers.list /cache + cp /tmp/referrers.list /cache fi else job_log "[BLACKLIST] can't update referrers list" fi rm -f /tmp/referrers.list 2> /dev/null +rm -f /tmp/referrers.list.bak 2> /dev/null diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh index 2e5dfd9..84cae50 100755 --- a/scripts/user-agents.sh +++ b/scripts/user-agents.sh @@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then fi # save old conf -cp /etc/nginx/user-agents.list /cache +cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak # generate new conf BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')" 
@@ -34,23 +34,24 @@ fi # check number of lines lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)" if [ "$lines" -gt 1 ] ; then - mv /tmp/user-agents.list /etc/nginx/user-agents.list + cp /tmp/user-agents.list /etc/nginx/user-agents.list job_log "[BLACKLIST] user-agent list updated ($lines entries)" if [ "$RELOAD" != "" ] ; then $RELOAD > /dev/null 2>&1 if [ "$?" -eq 0 ] ; then - cp /etc/nginx/user-agents.list /cache + cp /tmp/user-agents.list /cache job_log "[NGINX] successfull nginx reload after user-agent list update" else - cp /cache/user-agents.list /etc/nginx + #cp /tmp/user-agents.list.bak /etc/nginx job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list" $RELOAD > /dev/null 2>&1 fi else - cp /etc/nginx/user-agents.list /cache + cp /tmp/user-agents.list /cache fi else job_log "[BLACKLIST] can't update user-agent list" fi rm -f /tmp/user-agents.list 2> /dev/null +rm -f /tmp/user-agents.list.bak 2> /dev/null diff --git a/settings.json b/settings.json index 98f3328..794d9d6 100644 --- a/settings.json +++ b/settings.json @@ -884,7 +884,7 @@ "env": "REMOTE_PHP", "id": "remote-php", "label": "Remote php", - "regex": "^([a-z\\-0-9]+\\.?)*$", + "regex": "^([a-z\\-0-9\\_]+\\.?)*$", "type": "text" }, {