diff --git a/confs/global/geoip.conf b/confs/global/geoip.conf index 318d444..77399f0 100644 --- a/confs/global/geoip.conf +++ b/confs/global/geoip.conf @@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb { } map $geoip2_data_country_code $allowed_country { - default yes; - %BLOCK_COUNTRY% + default %DEFAULT%; + %COUNTRY% } diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index 3dc2061..08c5875 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf @@ -84,8 +84,8 @@ http { # shared memory zone for limit_req %LIMIT_REQ_ZONE% - # list of blocked country - %BLOCK_COUNTRY% + # whitelist or blacklist country + %USE_COUNTRY% # list of blocked user agents %BLOCK_USER_AGENT% diff --git a/confs/site/server.conf b/confs/site/server.conf index cdf55bc..cd1bad9 100644 --- a/confs/site/server.conf +++ b/confs/site/server.conf @@ -23,7 +23,7 @@ server { %CONTENT_SECURITY_POLICY% %REFERRER_POLICY% %FEATURE_POLICY% - %BLOCK_COUNTRY% + %USE_COUNTRY% %BLOCK_USER_AGENT% %BLOCK_TOR_EXIT_NODE% %BLOCK_PROXIES% diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh index 6e589d2..4c3a8bb 100644 --- a/entrypoint/defaults.sh +++ b/entrypoint/defaults.sh @@ -42,7 +42,8 @@ FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'non DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}" SERVER_NAME="${SERVER_NAME-www.bunkerity.com}" ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}" -BLOCK_COUNTRY="${BLOCK_COUNTRY-}" +BLACKLIST_COUNTRY="${BLOCK_COUNTRY-}" +WHITELIST_COUNTRY="${WHITELIST_COUNTRY-}" BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}" BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}" BLOCK_PROXIES="${BLOCK_PROXIES-yes}" diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index ddfb440..9687d3d 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh 
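Review bot: In confs/global/geoip.conf, `default %DEFAULT%;` is rendered as `default no;` in whitelist mode, so any request whose address yields no country code falls through to the default and is treated as not allowed. That covers private ranges and unmapped addresses, and presumably also a missing or stale geoip.mmdb, which can cut off internal health checks or traffic from an upstream proxy. The map has no comment on this; I would add one above `default`, e.g. `# %DEFAULT% is "yes" in blacklist mode and "no" in whitelist mode; with "no", addresses without a country code are denied`. The geoip2 block that defines `$geoip2_data_country_code` starts outside the hunk, so the value it produces on a failed lookup should be confirmed there.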
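Review bot: In entrypoint/defaults.sh, `BLACKLIST_COUNTRY="${BLOCK_COUNTRY-}"` assigns from the old variable name only, so a `BLACKLIST_COUNTRY` value passed in the environment is overwritten. When `BLOCK_COUNTRY` is unset it becomes an empty string and no country filtering is configured at all. If the intent is to keep `BLOCK_COUNTRY` as a backward-compatible alias, read the new name first: `BLACKLIST_COUNTRY="${BLACKLIST_COUNTRY-${BLOCK_COUNTRY-}}"`. A one-line comment such as `# BLOCK_COUNTRY is the deprecated name of BLACKLIST_COUNTRY` would also explain the asymmetry with `WHITELIST_COUNTRY` on the next line.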
@@ -56,10 +56,16 @@ if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" fi -# country ban -if [ "$BLOCK_COUNTRY" != "" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;" - replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\\n/g') no;" +# country ban/whitelist +if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;" + if [ "$WHITELIST_COUNTRY" != "" ] ; then + replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no" + replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;" + else + replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes" + replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;" + fi echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root if [ -f "/cache/geoip.mmdb" ] ; then echo "[*] Copying cached geoip.mmdb ..." @@ -69,7 +75,7 @@ if [ "$BLOCK_COUNTRY" != "" ] ; then /opt/scripts/geoip.sh & fi else - replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "" + replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "" fi # block bad UA diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index cf4e312..ef264a0 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh 
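Review bot: When both `WHITELIST_COUNTRY` and `BLACKLIST_COUNTRY` are set, the inner `if` takes the whitelist branch and the blacklist is dropped without any message, so an operator who sets both gets a policy they may not expect. I would log the precedence before the `replace_in_file` calls, e.g. `echo "[!] WHITELIST_COUNTRY and BLACKLIST_COUNTRY are both set, BLACKLIST_COUNTRY is ignored"`. Separately, both values reach /etc/nginx/geoip.conf through an unquoted `echo $VAR | sed` with no validation, so anything other than space-separated country codes (a stray `;`, `}` or glob character) is written into the map. A check that every entry is exactly two upper-case letters, failing startup otherwise, would reject a malformed list before nginx loads it. The enclosing `if` block continues past the end of this hunk.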
@@ -238,10 +238,10 @@ fi replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" # country ban -if [ "$BLOCK_COUNTRY" != "" ] ; then - replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;" +if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;" else - replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "" + replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" "" fi # block bad UA
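Review bot: The comment above the test still reads `# country ban`, although the condition now also enables the include when only `WHITELIST_COUNTRY` is set. global-config.sh was changed to `# country ban/whitelist` in the same commit, and this comment should match it. The included geoip-server.conf is not part of this diff, so it is worth confirming that its check on the map result behaves correctly in both modes.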