v1.1.2 - CrowdSec integration and custom ports

Dockerfile

@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     rm -f /var/log/nginx/* && \

Dockerfile-amd64

@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     rm -f /var/log/nginx/* && \

Dockerfile-arm32v7

@@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     rm -f /var/log/nginx/* && \

Dockerfile-arm64v8

@@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     rm -f /var/log/nginx/* && \

Dockerfile-i386

@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     rm -f /var/log/nginx/* && \

README.md

@@ -15,7 +15,7 @@ Non-exhaustive list of features :
 - Automatic ban of strange behaviors with fail2ban
 - Antibot challenge through cookie, javascript, captcha or recaptcha v3
 - Block TOR, proxies, bad user-agents, countries, ...
-- Perform automatic DNSBL checks to block known bad IP
+- Block known bad IP with DNSBL and CrowdSec
 - Prevent bruteforce attacks with rate limiting
 - Detect bad files with ClamAV
 - Easy to configure with environment variables
@@ -55,6 +55,7 @@ Fooling automated tools/scanners :
     + [Antibot](#antibot)
     + [External blacklist](#external-blacklist)
     + [DNSBL](#dnsbl)
+    + [CrowdSec](#crowdsec)
     + [Custom whitelisting](#custom-whitelisting)
     + [Custom blacklisting](#custom-blacklisting)
     + [Requests limiting](#requests-limiting)
@@ -199,6 +200,16 @@ Values : *\<any valid path to web files\>
 Default value : */www*  
 The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
 
+`HTTP_PORT`  
+Values : *\<any valid port greater than 1024\>*  
+Default value : *8080*  
+The HTTP port number used by nginx and certbot inside the container.
+
+`HTTPS_PORT`  
+Values : *\<any valid port greater than 1024\>*  
+Default value : *8443*  
+The HTTPS port number used by nginx inside the container.
+
 ### Information leak
 
 `SERVER_TOKENS`  
@@ -514,6 +525,13 @@ Values : *\<list of DNS zones separated with spaces\>*
 Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*  
 The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
 
+### CrowdSec
+
+`USE_CROWDSEC`  
+Values : *yes* | *no*  
+Default value : *no*  
+If set to *yes*, [CrowdSec](https://github.com/crowdsecurity/crowdsec) will be enabled with the [nginx collection](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx). API pulls will be done automaticaly.
+
 ### Custom whitelisting
 
 `USE_WHITELIST_IP`  

VERSION

@@ -1 +1 @@
-1.1.1
+1.1.2

confs/crowdsec.conf

@@ -0,0 +1,9 @@
+init_by_lua_block {
+	local cs = require "crowdsec.CrowdSec"
+	local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+		error()
+	end
+	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+}

confs/https.conf

@@ -1,4 +1,4 @@
-listen 0.0.0.0:8443 ssl %HTTP2%;
+listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols %HTTPS_PROTOCOLS%;

confs/main-lua.conf

@@ -8,6 +8,7 @@ local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
 local use_blacklist_ip		= %USE_BLACKLIST_IP%
 local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
 local use_dnsbl			= %USE_DNSBL%
+local use_crowdsec		= %USE_CROWDSEC%
 local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
 local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
 local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
@@ -81,6 +82,18 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end
 
+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+	end
+	if not ok then
+		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
 -- cookie check
 if use_antibot_cookie then
 	if not cookie.is_set("uri") then

confs/nginx.conf

@@ -91,6 +91,9 @@ http {
 	%BLACKLIST_REVERSE_CACHE%
 	%DNSBL_CACHE%
 
+	# crowdsec init
+	%USE_CROWDSEC%
+	
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 

crowdsec/acquis.yaml

@@ -0,0 +1,6 @@
+filenames:
+  - /var/log/access.log
+  - /var/log/error.log
+labels:
+  type: nginx
+---

crowdsec/install.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+
+function git_secure_clone() {
+	repo="$1"
+	commit="$2"
+	folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
+	git clone "$repo"
+	cd "$folder"
+	git checkout "${commit}^{commit}"
+	if [ $? -ne 0 ] ; then
+		echo "[!] Commit hash $commit is absent from repository $repo !"
+		exit 1
+	fi
+	cd ..
+}
+
+NTASK=$(nproc)
+
+# install build dependencies
+apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
+
+# build and install crowdsec
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
+cd crowdsec
+make -j $NTASK build
+./wizard.sh --bininstall
+sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
+sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
+
+# install nginx collection
+cscli update
+cscli install collection crowdsecurity/nginx
+sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+
+# build and install luasql
+cd /tmp
+git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
+cd luasql
+make -j $NTASK sqlite3 mysql
+mkdir /usr/local/lib/lua/5.1/luasql
+cp src/*.so /usr/local/lib/lua/5.1/luasql
+
+# install lualogging
+cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+
+# install cs-lua-lib
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
+cd cs-lua-lib
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+rm /usr/local/lib/lua/crowdsec/lrucache.lua
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+
+# remove build dependencies
+apk del build

entrypoint.sh

@@ -54,6 +54,8 @@ cp -r /opt/lua/* /usr/local/lib/lua
 echo "" > /etc/crontabs/root
 
 # set default values
+HTTP_PORT="${HTTP_PORT-8080}"
+HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
 SERVER_TOKENS="${SERVER_TOKENS-off}"
 CACHE="${CACHE-max=1000 inactive=60s}"
@@ -143,6 +145,7 @@ ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
+USE_CROWDSEC="${USE_CROWDSEC-no}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -257,6 +260,7 @@ fi
 # HTTPS config
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
+	replace_in_file "/etc/nginx/https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
 	if [ "$HTTP2" = "yes" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
 	else
@@ -284,7 +288,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 		if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
 			/opt/scripts/certbot-renew.sh
 		else
-			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080
+			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
 		fi
 		echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
@@ -301,7 +305,7 @@ else
 fi
 
 if [ "$LISTEN_HTTP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;"
+	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
 else
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
 fi
@@ -567,6 +571,19 @@ if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	fi
 fi
 
+# CrowdSec setup
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
+	cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
+	cscli api register >> /etc/crowdsec/config/api.yaml
+	cscli api pull
+	echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
+fi
+
 # edit access if needed
 if [ "$WRITE_ACCESS" = "yes" ] ; then
 	chown -R root:nginx /www
@@ -604,6 +621,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	fail2ban-server > /dev/null
 fi
 
+# start crowdsec
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+	crowdsec
+fi
+
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"

examples/nextcloud/docker-compose.yml

@@ -25,6 +25,7 @@ services:
       - LIMIT_REQ_RATE=40r/s
       - LIMIT_REQ_BURST=60
       - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - X_FRAME_OPTIONS=SAMEORIGIN
 
   mync:
     image: nextcloud:stable-fpm

examples/passbolt/docker-compose.yml

@@ -0,0 +1,42 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs              # custom confs to reverse proxy to passbolt
+      - ./modsec-crs-confs:/modsec-crs-confs      # disable some false positive
+      - ./modsec-confs:/modsec-confs              # disable some false positive
+    environment:
+      - SERVER_NAME=www.website.com               # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
+
+  mypassbolt:
+    image: passbolt/passbolt
+    restart: always
+    environment:
+      - DATASOURCES_DEFAULT_HOST=mydb
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd  # replace with a stronger password (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_USERNAME=user
+      - DATASOURCES_DEFAULT_DATABASE=passbolt
+      - APP_FULL_BASE_URL=https://www.website.com # replace with your URL
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd           # replace with a stronger password
+      - MYSQL_DATABASE=passbolt
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd                # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)

examples/passbolt/modsec-confs/passbolt.conf

@@ -0,0 +1,2 @@
+SecRuleRemoveById 942100
+SecRuleRemoveById 930120

examples/passbolt/modsec-crs-confs/passbolt.conf

@@ -0,0 +1,7 @@
+SecAction \
+ "id:900200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_methods=GET HEAD POST PUT DELETE'"

examples/passbolt/server-confs/reverse-proxy.conf

@@ -0,0 +1,9 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+        if ($host = www.website.com) {
+                proxy_pass https://mypassbolt:443$request_uri;
+        }
+}
+

examples/tomcat/docker-compose.yml

@@ -0,0 +1,25 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs
+    environment:
+      - SERVER_NAME=app1.website.com         # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+
+  mytomcat:
+    image: tomcat
+    restart: always
+    volumes:
+      - ./app:/usr/local/tomcat/webapps/

examples/tomcat/server-confs/reverse-proxy.conf

@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+	proxy_pass http://mytomcat:8080/sample$request_uri;
+}

scripts/certbot-renew.sh

@@ -9,8 +9,8 @@ function replace_in_file() {
 
 # check if HTTP enabled
 # and disable it temporarily if needed
-if grep -q "listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
+if grep -q "listen" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:8080;" "#listen 0.0.0.0:8080;"
+	replace_in_file "/etc/nginx/server.conf" "listen" "#listen"
 	if [ -f /tmp/nginx.pid ] ; then
 		/usr/sbin/nginx -s reload
 		sleep 10
@@ -21,8 +21,8 @@ fi
 certbot renew
 
 # enable HTTP again if needed
-if grep -q "#listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
+if grep -q "#listen" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:8080;" "listen 0.0.0.0:8080;"
+	replace_in_file "/etc/nginx/server.conf" "#listen" "listen"
 fi
 
 chown -R root:nginx /etc/letsencrypt