v1.2.0 release

readme update - v1.2.0 changes
php and nextcloud examples fix
2020-11-23 00:05:22 +01:00 · 2020-11-22 23:39:01 +01:00 · 2020-11-22 17:38:07 +01:00 · 2020-11-21 16:41:27 +01:00 · 2020-11-21 16:21:54 +01:00 · 2020-11-21 15:54:52 +01:00
103 changed files with 2256 additions and 860 deletions
--- a/.github/workflows/autotest.yml
+++ b/.github/workflows/autotest.yml
@@ -0,0 +1,28 @@
 name: Automatic test
 on:
  push:
    branches: [dev, master]
  pull_request:
    branches: [dev, master]
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source code
        uses: actions/checkout@v2
      - name: Build the image
        run: docker build -t autotest .
      - name: Run autotest
        run: docker run autotest test
      - name: Run Trivy security scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'autotest'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
--- a/16
+++ b/16
@@ -6,15 +6,21 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY crowdsec/install.sh /tmp/install.sh
 RUN chmod +x /tmp/install.sh && \
    /tmp/install.sh && \
    rm -rf /tmp/*
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli && \
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+    chmod +x /opt/entrypoint/* /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
    chown root:nginx /var/log/nginx && \
@@ -22,8 +28,8 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
    chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
-ENTRYPOINT ["/opt/entrypoint.sh"]
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/16
+++ b/16
@@ -6,15 +6,21 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY crowdsec/install.sh /tmp/install.sh
 RUN chmod +x /tmp/install.sh && \
    /tmp/install.sh && \
    rm -rf /tmp/*
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli && \
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+    chmod +x /opt/entrypoint/* /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
    chown root:nginx /var/log/nginx && \
@@ -22,8 +28,8 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
    chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
-ENTRYPOINT ["/opt/entrypoint.sh"]
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/16
+++ b/16
@@ -13,15 +13,21 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY crowdsec/install.sh /tmp/install.sh
 RUN chmod +x /tmp/install.sh && \
    /tmp/install.sh && \
    rm -rf /tmp/*
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli && \
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+    chmod +x /opt/entrypoint/* /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
    chown root:nginx /var/log/nginx && \
@@ -29,8 +35,8 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
    chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
-ENTRYPOINT ["/opt/entrypoint.sh"]
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/16
+++ b/16
@@ -13,15 +13,21 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY crowdsec/install.sh /tmp/install.sh
 RUN chmod +x /tmp/install.sh && \
    /tmp/install.sh && \
    rm -rf /tmp/*
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli && \
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+    chmod +x /opt/entrypoint/* /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
    chown root:nginx /var/log/nginx && \
@@ -29,8 +35,8 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
    chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
-ENTRYPOINT ["/opt/entrypoint.sh"]
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/16
+++ b/16
@@ -6,15 +6,21 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY crowdsec/install.sh /tmp/install.sh
 RUN chmod +x /tmp/install.sh && \
    /tmp/install.sh && \
    rm -rf /tmp/*
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli && \
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+    chmod +x /opt/entrypoint/* /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
    chown root:nginx /var/log/nginx && \
@@ -22,8 +28,8 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
    chown nginx:nginx /var/log/nginx/*.log
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
 EXPOSE 8080/tcp 8443/tcp
-ENTRYPOINT ["/opt/entrypoint.sh"]
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/README.md
+++ b/README.md
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.1
+1.2.0
--- a/compile.sh
+++ b/compile.sh
@@ -30,7 +30,7 @@ function git_secure_clone() {
 NTASK=$(nproc)
 # install build dependencies
-apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg
+apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev
 # compile and install ModSecurity library
 cd /tmp
@@ -63,6 +63,8 @@ git_secure_clone https://github.com/openresty/headers-more-nginx-module.git d6d7
 git_secure_clone https://github.com/leev/ngx_http_geoip2_module.git 1cabd8a1f68ea3998f94e9f3504431970f848fbf
 # cookie
 git_secure_clone https://github.com/AirisX/nginx_cookie_flag_module.git c4ff449318474fbbb4ba5f40cb67ccd54dc595d4
 # brotli
 git_secure_clone https://github.com/google/ngx_brotli.git 9aec15e2aa6feea2113119ba06460af70ab3ea62
 # LUA requirements
 git_secure_clone https://github.com/openresty/luajit2.git fe32831adcb3f5fe9259a9ce404fc54e1399bba3
@@ -127,7 +129,7 @@ tar -xvzf nginx-${NGINX_VERSION}.tar.gz
 cd nginx-$NGINX_VERSION
 CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
 CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
-./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
+./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
 make -j $NTASK modules
 cp ./objs/*.so /usr/lib/nginx/modules
--- a/confs/geoip-server.conf
+++ b/confs/geoip-server.conf
@@ -1,3 +0,0 @@
 if ($allowed_country = no) {
 	return 444;
 }
--- a/confs/global/cache.conf
+++ b/confs/global/cache.conf
--- a/confs/global/crowdsec.conf
+++ b/confs/global/crowdsec.conf
@@ -0,0 +1,9 @@
 init_by_lua_block {
 	local cs = require "crowdsec.CrowdSec"
 	local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
 	if ok == nil then
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 		error()
 	end
 	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
 }
--- a/confs/global/dhparam
+++ b/confs/global/dhparam
--- a/confs/global/geoip.conf
+++ b/confs/global/geoip.conf
@@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb {
 }
 map $geoip2_data_country_code $allowed_country {
-	default yes;
+	default %DEFAULT%;
-	%BLOCK_COUNTRY%
+	%COUNTRY%
 }
--- a/confs/global/map-user-agent.conf
+++ b/confs/global/map-user-agent.conf
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -7,6 +7,8 @@ load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
 load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 # run as daemon
 daemon on;
@@ -45,12 +47,6 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 	# load gzip custom config
 	include /etc/nginx/gzip.conf;
 	# maximum request body size
 	client_max_body_size %MAX_CLIENT_SIZE%;
 	# write logs to local syslog
 	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
 	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
@@ -62,9 +58,6 @@ http {
 	uwsgi_temp_path /tmp/uwsgi_temp;
 	scgi_temp_path /tmp/scgi_temp;
 	# load caching custom config
 	include /etc/nginx/cache.conf;
 	# close connections in FIN_WAIT1 state
 	reset_timedout_connection on;
@@ -74,15 +67,9 @@ http {
 	keepalive_timeout 15;
 	send_timeout 10;
 	# enable/disable sending nginx version
 	server_tokens %SERVER_TOKENS%;
 	# resolvers to use
 	resolver %DNS_RESOLVERS% ipv6=off;
 	# get real IP address if behind a reverse proxy
        %PROXY_REAL_IP%
 	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
 	%WHITELIST_IP_CACHE%
@@ -90,22 +77,25 @@ http {
 	%BLACKLIST_IP_CACHE%
 	%BLACKLIST_REVERSE_CACHE%
 	%DNSBL_CACHE%
 	# crowdsec init
 	%USE_CROWDSEC%
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
-	# server config
+	# whitelist or blacklist country
-	include /etc/nginx/server.conf;
+	%USE_COUNTRY%
-	# list of blocked country
+	# list of blocked user agents
 	%BLOCK_COUNTRY%
 	# list of blocker user agents
 	%BLOCK_USER_AGENT%
-	# enable/disable ModSecurity
+	# zone for proxy_cache
-	%USE_MODSECURITY%
+	%PROXY_CACHE_PATH%
 	# custom http confs
 	include /http-confs/*.conf;
 	# server config(s)
 	%INCLUDE_SERVER%
 }
--- a/confs/gzip.conf
+++ b/confs/gzip.conf
@@ -1,9 +0,0 @@
 # /etc/nginx/gzip.conf
 # enable/disable gzip compression
 gzip %USE_GZIP%;
 gzip_comp_level %GZIP_COMP_LEVEL%;
 gzip_disable msie6;
 gzip_min_length %GZIP_MIN_LENGTH%;
 gzip_proxied any;
 gzip_types %GZIP_TYPES%;
--- a/confs/modsecurity.conf
+++ b/confs/modsecurity.conf
@@ -1,2 +0,0 @@
 modsecurity on;
 modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
--- a/confs/site/antibot-captcha.conf
+++ b/confs/site/antibot-captcha.conf
--- a/confs/site/antibot-javascript.conf
+++ b/confs/site/antibot-javascript.conf
--- a/confs/site/antibot-recaptcha.conf
+++ b/confs/site/antibot-recaptcha.conf
--- a/confs/site/auth-basic-sitewide.conf
+++ b/confs/site/auth-basic-sitewide.conf
--- a/confs/site/auth-basic.conf
+++ b/confs/site/auth-basic.conf
--- a/confs/site/block-user-agent.conf
+++ b/confs/site/block-user-agent.conf
--- a/confs/site/brotli.conf
+++ b/confs/site/brotli.conf
@@ -0,0 +1,4 @@
 brotli on;
 brotli_types %BROTLI_TYPES%;
 brotli_comp_level %BROTLI_COMP_LEVEL%;
 brotli_min_length %BROTLI_MIN_LENGTH%;
--- a/confs/site/client-cache.conf
+++ b/confs/site/client-cache.conf
@@ -0,0 +1,4 @@
 location ~* \.(%CLIENT_CACHE_EXTENSIONS%)$ {
 	etag %CLIENT_CACHE_ETAG%;
 	add_header Cache-Control "%CLIENT_CACHE_CONTROL%";
 }
--- a/confs/site/content-security-policy.conf
+++ b/confs/site/content-security-policy.conf
--- a/confs/site/cookie-flags.conf
+++ b/confs/site/cookie-flags.conf
--- a/confs/site/custom-https.conf
+++ b/confs/site/custom-https.conf
--- a/confs/site/disable-default-server.conf
+++ b/confs/site/disable-default-server.conf
--- a/confs/site/error.conf
+++ b/confs/site/error.conf
--- a/confs/site/feature-policy.conf
+++ b/confs/site/feature-policy.conf
--- a/confs/site/gzip.conf
+++ b/confs/site/gzip.conf
@@ -0,0 +1,4 @@
 gzip on;
 gzip_comp_level %GZIP_COMP_LEVEL%;
 gzip_min_length %GZIP_MIN_LENGTH%;
 gzip_types %GZIP_TYPES%;
--- a/confs/site/https.conf
+++ b/confs/site/https.conf
@@ -1,4 +1,4 @@
-listen 0.0.0.0:8443 ssl %HTTP2%;
+listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols %HTTPS_PROTOCOLS%;
--- a/confs/site/limit-req.conf
+++ b/confs/site/limit-req.conf
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -5,9 +5,11 @@ access_by_lua_block {
 local use_whitelist_ip		= %USE_WHITELIST_IP%
 local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
 local use_country		= %USE_COUNTRY%
 local use_blacklist_ip		= %USE_BLACKLIST_IP%
 local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
 local use_dnsbl			= %USE_DNSBL%
 local use_crowdsec		= %USE_CROWDSEC%
 local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
 local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
 local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
@@ -33,6 +35,11 @@ if use_whitelist_reverse and whitelist.reverse_cached_ok() then
 	ngx.exit(ngx.OK)
 end
 -- check if country is allowed
 if use_country and ngx.var.allowed_country == "no" then
 	ngx.exit(ngx.HTTP_FORBIDDEN)
 end
 -- check if already in blacklist cache
 if use_blacklist_ip and blacklist.ip_cached_ko() then
 	ngx.exit(ngx.HTTP_FORBIDDEN)
@@ -81,6 +88,18 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end
 -- check if IP is in CrowdSec DB
 if use_crowdsec then
 	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
 	if ok == nil then
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 	end
 	if not ok then
 		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
 -- cookie check
 if use_antibot_cookie then
 	if not cookie.is_set("uri") then
--- a/confs/site/modsecurity-clamav.conf
+++ b/confs/site/modsecurity-clamav.conf
--- a/confs/site/modsecurity-rules.conf
+++ b/confs/site/modsecurity-rules.conf
--- a/confs/site/modsecurity.conf
+++ b/confs/site/modsecurity.conf
@@ -0,0 +1,2 @@
 modsecurity on;
 modsecurity_rules_file %MODSEC_RULES_FILE%;
--- a/confs/site/open-file-cache.conf
+++ b/confs/site/open-file-cache.conf
@@ -0,0 +1,4 @@
 open_file_cache %OPEN_FILE_CACHE%;
 open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
 open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
 open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
--- a/confs/site/permissions-policy.conf
+++ b/confs/site/permissions-policy.conf
@@ -0,0 +1 @@
 more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
--- a/confs/site/php.conf
+++ b/confs/site/php.conf
@@ -1,5 +1,4 @@
 location ~ \.php$ {
 	fastcgi_pass      %REMOTE_PHP%:9000;
 	fastcgi_index     index.php;
 	include           fastcgi.conf;
 }
--- a/confs/site/proxy-cache.conf
+++ b/confs/site/proxy-cache.conf
@@ -0,0 +1,7 @@
 proxy_cache proxycache;
 proxy_cache_methods %PROXY_CACHE_METHODS%;
 proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
 proxy_cache_key %PROXY_CACHE_KEY%;
 proxy_no_cache %PROXY_NO_CACHE%;
 proxy_cache_bypass %PROXY_CACHE_BYPASS%;
 %PROXY_CACHE_VALID%
--- a/confs/site/proxy-real-ip.conf
+++ b/confs/site/proxy-real-ip.conf
--- a/confs/site/redirect-http-to-https.conf
+++ b/confs/site/redirect-http-to-https.conf
--- a/confs/site/referrer-policy.conf
+++ b/confs/site/referrer-policy.conf
--- a/confs/site/reverse-proxy-headers.conf
+++ b/confs/site/reverse-proxy-headers.conf
@@ -0,0 +1,3 @@
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
--- a/confs/site/reverse-proxy.conf
+++ b/confs/site/reverse-proxy.conf
@@ -0,0 +1,3 @@
 location %REVERSE_PROXY_URL% {
 	proxy_pass %REVERSE_PROXY_HOST%;
 }
--- a/confs/site/serve-files.conf
+++ b/confs/site/serve-files.conf
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -1,6 +1,9 @@
 server {
-	include /server-confs/*.conf;
+	%FASTCGI_PATH%
-	include /etc/nginx/main-lua.conf;
+	%SERVER_CONF%
 	%PROXY_REAL_IP%
 	%MAIN_LUA%
 	%USE_MODSECURITY%
 	%LISTEN_HTTP%
 	%USE_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
@@ -13,15 +16,14 @@ server {
 	}
 	%LIMIT_REQ%
 	%AUTH_BASIC%
-	%USE_PHP%
+	%REMOVE_HEADERS%
 	%HEADER_SERVER%
 	%X_FRAME_OPTIONS%
 	%X_XSS_PROTECTION%
 	%X_CONTENT_TYPE_OPTIONS%
 	%CONTENT_SECURITY_POLICY%
 	%REFERRER_POLICY%
 	%FEATURE_POLICY%
-	%BLOCK_COUNTRY%
+	%PERMISSIONS_POLICY%
 	%BLOCK_USER_AGENT%
 	%BLOCK_TOR_EXIT_NODE%
 	%BLOCK_PROXIES%
@@ -29,4 +31,13 @@ server {
 	%COOKIE_FLAGS%
 	%ERRORS%
 	%USE_FAIL2BAN%
 	%USE_CLIENT_CACHE%
 	%USE_GZIP%
 	%USE_BROTLI%
 	client_max_body_size %MAX_CLIENT_SIZE%;
 	server_tokens %SERVER_TOKENS%;
 	%USE_OPEN_FILE_CACHE%
 	%USE_PROXY_CACHE%
 	%USE_REVERSE_PROXY%
 	%USE_PHP%
 }
--- a/confs/site/x-content-type-options.conf
+++ b/confs/site/x-content-type-options.conf
--- a/confs/site/x-frame-options.conf
+++ b/confs/site/x-frame-options.conf
--- a/confs/site/x-xss-protection.conf
+++ b/confs/site/x-xss-protection.conf
--- a/crowdsec/acquis.yaml
+++ b/crowdsec/acquis.yaml
@@ -0,0 +1,6 @@
 filenames:
  - /var/log/access.log
  - /var/log/error.log
 labels:
  type: nginx
 ---
--- a/crowdsec/install.sh
+++ b/crowdsec/install.sh
@@ -0,0 +1,63 @@
 #!/bin/sh
 function git_secure_clone() {
 	repo="$1"
 	commit="$2"
 	folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
 	git clone "$repo"
 	cd "$folder"
 	git checkout "${commit}^{commit}"
 	if [ $? -ne 0 ] ; then
 		echo "[!] Commit hash $commit is absent from repository $repo !"
 		exit 1
 	fi
 	cd ..
 }
 NTASK=$(nproc)
 # install build dependencies
 apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
 # build and install crowdsec
 cd /tmp
 git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
 cd crowdsec
 make -j $NTASK build
 ./wizard.sh --bininstall
 sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
 sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
 # install nginx collection
 cscli update
 cscli install collection crowdsecurity/nginx
 sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
 sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
 # build and install luasql
 cd /tmp
 git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
 cd luasql
 make -j $NTASK sqlite3 mysql
 mkdir /usr/local/lib/lua/5.1/luasql
 cp src/*.so /usr/local/lib/lua/5.1/luasql
 # install lualogging
 cd /tmp
 git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
 cd lualogging
 cp -r src/* /usr/local/lib/lua
 # install cs-lua-lib
 cd /tmp
 git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
 cd cs-lua-lib
 mkdir /usr/local/lib/lua/crowdsec
 cp lib/*.lua /usr/local/lib/lua/crowdsec
 cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
 rm /usr/local/lib/lua/crowdsec/lrucache.lua
 sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 # remove build dependencies
 apk del build
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,622 +0,0 @@
 #!/bin/sh
 echo "[*] Starting bunkerized-nginx ..."
 # execute custom scripts if it's a customized image
 for file in /entrypoint.d/* ; do
    [ -f "$file" ] && [ -x "$file" ] && "$file"
 done
 # trap SIGTERM and SIGINT
 function trap_exit() {
 	echo "[*] Catched stop operation"
 	echo "[*] Stopping crond ..."
 	pkill -TERM crond
 	if [ "$USE_FAIL2BAN" = "yes" ] ; then
 		echo "[*] Stopping fail2ban"
 		fail2ban-client stop > /dev/null
 	fi
 	echo "[*] Stopping nginx ..."
 	/usr/sbin/nginx -s stop
 	echo "[*] Stopping rsyslogd ..."
 	pkill -TERM rsyslogd
 	pkill -TERM tail
 }
 trap "trap_exit" TERM INT
 # replace pattern in file
 function replace_in_file() {
 	# escape slashes
 	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
 	replace=$(echo "$3" | sed "s/\//\\\\\//g")
 	sed -i "s/$pattern/$replace/g" "$1"
 }
 # convert space separated values to LUA
 function spaces_to_lua() {
 	for element in $1 ; do
 		if [ "$result" = "" ] ; then
 			result="\"${element}\""
 		else
 			result="${result}, \"${element}\""
 		fi
 	done
 	echo "$result"
 }
 # copy stub confs
 cp /opt/confs/* /etc/nginx
 cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
 cp /opt/logs/logrotate.conf /etc/logrotate.conf
 cp -r /opt/lua/* /usr/local/lib/lua
 # remove cron jobs
 echo "" > /etc/crontabs/root
 # set default values
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
 SERVER_TOKENS="${SERVER_TOKENS-off}"
 CACHE="${CACHE-max=1000 inactive=60s}"
 CACHE_ERRORS="${CACHE_ERRORS-on}"
 CACHE_USES="${CACHE_USES-1}"
 CACHE_VALID="${CACHE_VALID-60s}"
 #CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
 #CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}"
 #CLIENT_CACHE_CONTROL=
 USE_GZIP="${USE_GZIP-off}"
 GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}"
 GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}"
 GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
 REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
 HEADER_SERVER="${HEADER_SERVER-no}"
 X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
 X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
 X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
 REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
 FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
 DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 HTTP2="${HTTP2-yes}"
 HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
 COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
 SERVE_FILES="${SERVE_FILES-yes}"
 WRITE_ACCESS="${WRITE_ACCESS-no}"
 REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
 LISTEN_HTTP="${LISTEN_HTTP-yes}"
 USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
 FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
 FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
 FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
 FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
 USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
 AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
 AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
 LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
 USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
 WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
 USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
 BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
 USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
 BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
 USE_DNSBL="${USE_DNSBL-yes}"
 DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
 USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
 PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
 GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
 SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
 SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
 SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
 SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
 SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
 SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
 SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
 ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
 fi
 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
 replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
 replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
 replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
 replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
 replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
 replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
 replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
 replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
 if [ "$REMOTE_PHP" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
 	replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
 	replace_in_file "/etc/nginx/fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
 fi
 if [ "$HEADER_SERVER" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
 else
 	replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
 fi
 if [ "$X_FRAME_OPTIONS" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
 	replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
 else
 	replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
 fi
 if [ "$X_XSS_PROTECTION" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
 	replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
 else
 	replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
 fi
 if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
 	replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
 else
 	replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
 fi
 if [ "$REFERRER_POLICY" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
 	replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
 else
 	replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
 fi
 if [ "$FEATURE_POLICY" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
 	replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
 else
 	replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
 fi
 if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
 	SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
 	replace_in_file "/etc/nginx/disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
 else
 	replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" ""
 fi
 replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
 replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
 if [ "$BLOCK_COUNTRY" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
 	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
 	echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
 	if [ ! -f /etc/nginx/geoip.mmdb ] ; then
 		/opt/scripts/geoip.sh
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
 fi
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
 	/opt/scripts/user-agents.sh &
 	echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
 	/opt/scripts/exit-nodes.sh &
 	echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
 fi
 if [ "$BLOCK_PROXIES" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
 	/opt/scripts/proxies.sh &
 	echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
 fi
 if [ "$BLOCK_ABUSERS" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
 	/opt/scripts/abusers.sh &
 	echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
 fi
 # HTTPS config
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
 	if [ "$HTTP2" = "yes" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
 	else
 		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
 	fi
 	replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
 	if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
 		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
 	else
 		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
 		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
 	fi
 	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
 	else
 		replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
 	fi
 	if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 		FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 		DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
 		EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
 		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
 		replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
 		if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
 			/opt/scripts/certbot-renew.sh
 		else
 			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080
 		fi
 		echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
 		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
 		replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
 	elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 		mkdir /etc/nginx/self-signed-ssl/
                openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
 		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
                replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
 	fi
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
 fi
 if [ "$LISTEN_HTTP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;"
 else
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
 fi
 if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
 else
 	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
 fi
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
 	if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
 	else
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
 	fi
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
 		if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
 		else
 			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
 		fi
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
 	else
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
 		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
 fi
 if [ "$PROXY_REAL_IP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
 	froms=""
 	for from in $PROXY_REAL_IP_FROM ; do
 		froms="${froms}set_real_ip_from ${from};\n"
 	done
 	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
 	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
 	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
 fi
 ERRORS=""
 for var in $(env) ; do
 	var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
 	if [ "z${var_name}" = "zERROR" ] ; then
 		err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
 		err_page=$(echo "$var" | cut -d '=' -f 2)
 		cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
 		replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
 		replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
 		replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
 		ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
 	fi
 done
 if [ "$ERRORS" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
 else
 	replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
 fi
 if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
        replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;"
        replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
 else
        replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
 fi
 if [ "$COOKIE_FLAGS" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
 	if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
 		if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 			COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
 		fi
 	fi
 	replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
 else
        replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
 fi
 if [ "$SERVE_FILES" = "yes" ] ; then
        replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;"
        replace_in_file "/etc/nginx/serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
 else
        replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
 if [ "$USE_AUTH_BASIC" = "yes" ] ; then
 	if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
 		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
 		replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
 	else
 		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
 		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
 		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
 	fi
 	htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
 else
 	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
 fi
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
 replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
 # whitelist IP
 if [ "$USE_WHITELIST_IP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "true"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "false"
 fi
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
 fi
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "true"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "false"
 fi
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
 fi
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
 # DNSBL
 if [ "$USE_DNSBL" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "true"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "false"
 fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 # antibot uri and session secret
 replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
 	ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
 fi
 replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
 # antibot via cookie
 if [ "$USE_ANTIBOT" = "cookie" ] ; then
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 # antibot via javascript
 elif [ "$USE_ANTIBOT" = "javascript" ] ; then
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 	replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 # antibot via captcha
 elif [ "$USE_ANTIBOT" = "captcha" ] ; then
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include /etc/nginx/antibot-captcha.conf;"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 	replace_in_file "/etc/nginx/antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 # antibot via recaptcha
 elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include /etc/nginx/antibot-recaptcha.conf;"
 	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
 	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
 	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
 else
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 fi
 if [ "$USE_LIMIT_REQ" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
 	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
 	replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
 fi
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	echo "" > /etc/nginx/fail2ban-ip.conf
 	rm -rf /etc/fail2ban/jail.d/*.conf
 	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
 fi
 # clamav setup
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
 	echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
 	replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include /etc/nginx/modsecurity-clamav.conf"
 else
 	replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
 	else
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
 	fi
 fi
 # edit access if needed
 if [ "$WRITE_ACCESS" = "yes" ] ; then
 	chown -R root:nginx /www
 	chmod g+w -R /www
 fi
 # start rsyslogd
 rsyslogd
 # start crond
 crond
 # create empty logs
 touch /var/log/access.log
 touch /var/log/error.log
 # fix nginx configs rights (and modules through the symlink)
 chown -R root:nginx /etc/nginx/
 chmod -R 740 /etc/nginx/
 find /etc/nginx -type d -exec chmod 750 {} \;
 # fix let's encrypt rights
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	chown -R root:nginx /etc/letsencrypt
 	chmod -R 740 /etc/letsencrypt
 	find /etc/letsencrypt -type d -exec chmod 750 {} \;
 fi
 # start nginx
 echo "[*] Running nginx ..."
 su -s "/usr/sbin/nginx" nginx
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	fail2ban-server > /dev/null
 fi
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
 echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
 # display logs
 LOGS="/var/log/access.log /var/log/error.log"
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	LOGS="$LOGS /var/log/fail2ban.log"
 fi
 tail -F $LOGS &
 wait $!
 # sigterm trapped
 echo "[*] bunkerized-nginx stopped"
 exit 0
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -0,0 +1,111 @@
 #!/bin/bash
 MULTISITE="${MULTISITE-no}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
 SERVER_TOKENS="${SERVER_TOKENS-off}"
 USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
 CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
 CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
 CLIENT_CACHE_ETAG="${CLIENT_CACHE_ETAG-on}"
 USE_OPEN_FILE_CACHE="${USE_OPEN_FILE_CACHE-no}"
 OPEN_FILE_CACHE="${OPEN_FILE_CACHE-max=1000 inactive=20s}"
 OPEN_FILE_CACHE_ERRORS="${OPEN_FILE_CACHE_ERRORS-on}"
 OPEN_FILE_CACHE_MIN_USES="${OPEN_FILE_CACHE_MIN_USES-2}"
 OPEN_FILE_CACHE_VALID="${OPEN_FILE_CACHE_VALID-30s}"
 USE_PROXY_CACHE="${USE_PROXY_CACHE-no}"
 PROXY_CACHE_PATH_ZONE_SIZE="${PROXY_CACHE_PATH_ZONE_SIZE-10m}"
 PROXY_CACHE_PATH_PARAMS="${PROXY_CACHE_PATH_PARAMS-max_size=100m}"
 PROXY_CACHE_METHODS="${PROXY_CACHE_METHODS-GET HEAD}"
 PROXY_CACHE_MIN_USES="${PROXY_CACHE_MIN_USES-2}"
 PROXY_CACHE_KEY="${PROXY_CACHE_KEY-\$scheme\$host\$request_uri}"
 PROXY_CACHE_VALID="${PROXY_CACHE_VALID-200=10m 301=10m 301=1h any=1m}"
 PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_authorization}"
 PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_authorization}"
 USE_GZIP="${USE_GZIP-no}"
 GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-5}"
 GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-1000}"
 GZIP_TYPES="${GZIP_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
 USE_BROTLI="${USE_BROTLI-no}"
 BROTLI_COMP_LEVEL="${BROTLI_COMP_LEVEL-6}"
 BROTLI_MIN_LENGTH="${BROTLI_MIN_LENGTH-1000}"
 BROTLI_TYPES="${BROTLI_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
 REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
 USE_REVERSE_PROXY="${USE_REVERSE_PROXY-no}"
 REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version}"
 X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
 X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
 X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
 REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
 PERMISSIONS_POLICY="${PERMISSIONS_POLICY-accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()}"
 FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
 DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 HTTP2="${HTTP2-yes}"
 HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
 COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
 SERVE_FILES="${SERVE_FILES-yes}"
 WRITE_ACCESS="${WRITE_ACCESS-no}"
 REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
 LISTEN_HTTP="${LISTEN_HTTP-yes}"
 USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
 FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
 FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
 FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
 FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
 USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
 AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
 AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
 LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
 USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
 WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
 USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
 BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
 USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
 BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
 USE_DNSBL="${USE_DNSBL-yes}"
 DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
 USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
 PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
 GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
 SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
 SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
 SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
 SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
 SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
 SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
 SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
 ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 USE_CROWDSEC="${USE_CROWDSEC-no}"
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -0,0 +1,103 @@
 #!/bin/bash
 # load default values
 . ./opt/entrypoint/defaults.sh
 echo "[*] Starting bunkerized-nginx ..."
 # execute custom scripts if it's a customized image
 for file in /entrypoint.d/* ; do
    [ -f "$file" ] && [ -x "$file" ] && "$file"
 done
 # trap SIGTERM and SIGINT
 function trap_exit() {
 	echo "[*] Catched stop operation"
 	echo "[*] Stopping crond ..."
 	pkill -TERM crond
 	if [ "$USE_FAIL2BAN" = "yes" ] ; then
 		echo "[*] Stopping fail2ban"
 		fail2ban-client stop > /dev/null
 	fi
 	echo "[*] Stopping nginx ..."
 	/usr/sbin/nginx -s stop
 	echo "[*] Stopping rsyslogd ..."
 	pkill -TERM rsyslogd
 	pkill -TERM tail
 }
 trap "trap_exit" TERM INT
 # do the configuration magic if needed
 if [ ! -f "/opt/installed" ] ; then
 	echo "[*] Configuring bunkerized-nginx ..."
 	/opt/entrypoint/global-config.sh
 	if [ "$MULTISITE" = "yes" ] ; then
 		for server in $SERVER_NAME ; do
 			/opt/entrypoint/site-config.sh "$server"
 			echo "[*] Multi site - $server configuration done"
 		done
 	else
 		/opt/entrypoint/site-config.sh
 		echo "[*] Single site - $SERVER_NAME configuration done"
 	fi
 	touch /opt/installed
 else
 	echo "[*] Skipping configuration process"
 fi
 # fix nginx configs rights (and modules through the symlink)
 chown -R root:nginx /etc/nginx/
 chmod -R 740 /etc/nginx/
 find /etc/nginx -type d -exec chmod 750 {} \;
 # fix let's encrypt rights
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	chown -R root:nginx /etc/letsencrypt
 	chmod -R 740 /etc/letsencrypt
 	find /etc/letsencrypt -type d -exec chmod 750 {} \;
 fi
 # start rsyslogd
 rsyslogd
 # start crond
 crond
 # start nginx
 echo "[*] Running nginx ..."
 su -s "/usr/sbin/nginx" nginx
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	echo "[*] Running fail2ban ..."
 	fail2ban-server > /dev/null
 fi
 # start crowdsec
 if [ "$USE_CROWDSEC" = "yes" ] ; then
 	echo "[*] Running crowdsec ..."
 	crowdsec
 fi
 # autotest
 if [ "$1" == "test" ] ; then
 	sleep 10
 	echo -n "autotest" > /www/index.html
 	check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
 	if [ "$check" == "autotest" ] ; then
 		exit 0
 	fi
 	exit 1
 fi
 # display logs
 LOGS="/var/log/access.log /var/log/error.log"
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	LOGS="$LOGS /var/log/fail2ban.log"
 fi
 tail -F $LOGS &
 wait $!
 # sigterm trapped
 echo "[*] bunkerized-nginx stopped"
 exit 0
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -0,0 +1,233 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # copy stub confs
 cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
 cp /opt/logs/logrotate.conf /etc/logrotate.conf
 cp -r /opt/lua/* /usr/local/lib/lua
 cp /opt/confs/global/* /etc/nginx/
 # remove cron jobs
 echo "" > /etc/crontabs/root
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
 fi
 # include server block(s)
 if [ "$MULTISITE" = "yes" ] ; then
 	includes=""
 	for server in $SERVER_NAME ; do
 		includes="${includes}include /etc/nginx/${server}/server.conf;\n"
 	done
 	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
 fi
 # proxy_cache zone
 if [ "$(has_value USE_PROXY_CACHE yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" "proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:${PROXY_CACHE_PATH_ZONE_SIZE} ${PROXY_CACHE_PATH_PARAMS};"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" ""
 fi
 # let's encrypt setup
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 	DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
 	EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
 	if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
 		echo "[*] Performing Let's Encrypt challenge ..."
 		certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
 	fi
 	echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 # self-signed certificate
 if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	mkdir /etc/nginx/self-signed-ssl/
        openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
 fi
 # country ban/whitelist
 if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;"
 	if [ "$WHITELIST_COUNTRY" != "" ] ; then
 		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no"
 		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;"
 	else
 		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
 		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
 	fi
 	echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	else
 		echo "[*] Downloading GeoIP database (in background) ..."
 		/opt/scripts/geoip.sh &
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
 fi
 # block bad UA
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
 	echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
 	if [ -f "/cache/map-user-agent.conf" ] ; then
 		echo "[*] Copying cached map-user-agent.conf ..."
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
 	else
 		echo "[*] Downloading bad user-agent list (in background) ..."
 		/opt/scripts/user-agents.sh &
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 	echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
 	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
 		echo "[*] Copying cached block-tor-exit-node.conf ..."
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
 	else
 		echo "[*] Downloading tor exit nodes list (in background) ..."
 		/opt/scripts/exit-nodes.sh &
 	fi
 fi
 # block proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
 	echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
 	if [ -f "/cache/block-proxies.conf" ] ; then
 		echo "[*] Copying cached block-proxies.conf ..."
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
 	else
 		echo "[*] Downloading proxies list (in background) ..."
 		/opt/scripts/proxies.sh &
 	fi
 fi
 # block abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 	echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
 	if [ -f "/cache/block-abusers.conf" ] ; then
 		echo "[*] Copying cached block-abusers.conf ..."
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
 	else
 		echo "[*] Downloading abusers list (in background) ..."
 		/opt/scripts/abusers.sh &
 	fi
 fi
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
 replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
 # whitelist IP
 if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
 fi
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
 fi
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
 fi
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
 fi
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
 # request limiting
 if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 # DNSBL
 if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
 fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
 	rm -rf /etc/fail2ban/jail.d/*.conf
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 fi
 # clamav setup
 if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
 	echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
 	else
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
 	fi
 fi
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
 	cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
 	cscli api register >> /etc/crowdsec/config/api.yaml
 	cscli api pull
 	echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
 fi
 # create empty logs
 touch /var/log/access.log
 touch /var/log/error.log
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
 echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -0,0 +1,538 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # get nginx path and override multisite variables
 NGINX_PREFIX="/etc/nginx/"
 if [ "$MULTISITE" = "yes" ] ; then
 	NGINX_PREFIX="${NGINX_PREFIX}${1}/"
 	for var in $(env) ; do
 		name=$(echo "$var" | cut -d '=' -f 1)
 		check=$(echo "$name" | grep "^$1_")
 		if [ "$check" != "" ] ; then
 			repl_name=$(echo "$name" | sed "s~${1}_~~")
 			repl_value=$(echo "$var" | sed "s~${name}=~~")
 			read -r "$repl_name" <<< $repl_value
 		fi
 	done
 	ROOT_FOLDER="${ROOT_FOLDER}/$1"
 fi
 # copy stub confs
 if [ "$MULTISITE" = "yes" ] ; then
 	mkdir "$NGINX_PREFIX"
 fi
 cp /opt/confs/site/* "$NGINX_PREFIX"
 # replace paths
 replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
 if [ "$MULTISITE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${1}/*.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
 fi
 # max body size
 replace_in_file "${NGINX_PREFIX}server.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
 # server tokens
 replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
 	i=1
 	for var in $(env) ; do
 		check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
 		check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
 		if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
 			name=$(echo "$var" | cut -d '=' -f 1)
 			value=$(echo "$var" | sed "s/${name}=//")
 			host=$(echo "$name" | sed "s/URL/HOST/")
 			host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
 			cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
 			i=$(($i + 1))
 		fi
 	done
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" ""
 fi
 # proxy caching
 if [ "$USE_PROXY_CACHE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" "include ${NGINX_PREFIX}proxy-cache.conf;"
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_METHODS%" "$PROXY_CACHE_METHODS"
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_MIN_USES%" "$PROXY_CACHE_MIN_USES"
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_KEY%" "$PROXY_CACHE_KEY"
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_NO_CACHE%" "$PROXY_NO_CACHE"
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_BYPASS%" "$PROXY_CACHE_BYPASS"
 	valids=""
 	for valid in $PROXY_CACHE_VALID ; do
 		code="$(echo $valid | cut -d '=' -f 1)"
 		timing="$(echo $valid | cut -d '=' -f 2)"
 		valids="${valids}\nproxy_cache_valid ${code} ${timing};"
 	done
 	replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_VALID%" "$valids"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" ""
 fi
 # file metadata caching
 if [ "$USE_OPEN_FILE_CACHE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" "include ${NGINX_PREFIX}open-file-cache.conf;"
 	replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE%" "$OPEN_FILE_CACHE"
 	replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_ERRORS%" "$OPEN_FILE_CACHE_ERRORS"
 	replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_MIN_USES%" "$OPEN_FILE_CACHE_MIN_USES"
 	replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_VALID%" "$OPEN_FILE_CACHE_VALID"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" ""
 fi
 # client caching
 if [ "$USE_CLIENT_CACHE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" "include ${NGINX_PREFIX}client-cache.conf;"
 	replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_EXTENSIONS%" "$CLIENT_CACHE_EXTENSIONS"
 	replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_ETAG%" "$CLIENT_CACHE_ETAG"
 	replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_CONTROL%" "$CLIENT_CACHE_CONTROL"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" ""
 fi
 # gzip compression
 if [ "$USE_GZIP" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" "include ${NGINX_PREFIX}gzip.conf;"
 	replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
 	replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
 	replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" ""
 fi
 # brotli compression
 if [ "$USE_BROTLI" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" "include ${NGINX_PREFIX}brotli.conf;"
 	replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_COMP_LEVEL%" "$BROTLI_COMP_LEVEL"
 	replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_MIN_LENGTH%" "$BROTLI_MIN_LENGTH"
 	replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_TYPES%" "$BROTLI_TYPES"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" ""
 fi
 # remote PHP
 if [ "$REMOTE_PHP" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;"
 	replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
 	if [ "$MULTISITE" = "yes" ] ; then
 		cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf
 	fi
 	replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" ""
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" ""
 fi
 # serve files
 if [ "$SERVE_FILES" = "yes" ] ; then
        replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "include ${NGINX_PREFIX}serve-files.conf;"
        replace_in_file "${NGINX_PREFIX}serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
 else
        replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" ""
 fi
 # remove headers
 if [ "$REMOVE_HEADERS" != "" ] ; then
 	remove=""
 	for header in $REMOVE_HEADERS ; do
 		remove="${remove}more_clear_headers '$header';\n"
 	done
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" "$remove"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" ""
 fi
 # X-Frame-Options header
 if [ "$X_FRAME_OPTIONS" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "include ${NGINX_PREFIX}x-frame-options.conf;"
 	replace_in_file "${NGINX_PREFIX}x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" ""
 fi
 # X-XSS-Protection header
 if [ "$X_XSS_PROTECTION" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "include ${NGINX_PREFIX}x-xss-protection.conf;"
 	replace_in_file "${NGINX_PREFIX}x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" ""
 fi
 # X-Content-Type-Options header
 if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include ${NGINX_PREFIX}x-content-type-options.conf;"
 	replace_in_file "${NGINX_PREFIX}x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
 fi
 # Referrer-Policy header
 if [ "$REFERRER_POLICY" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "include ${NGINX_PREFIX}referrer-policy.conf;"
 	replace_in_file "${NGINX_PREFIX}referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" ""
 fi
 # Feature-Policy header
 if [ "$FEATURE_POLICY" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "include ${NGINX_PREFIX}feature-policy.conf;"
 	replace_in_file "${NGINX_PREFIX}feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" ""
 fi
 # Permissions-Policy header
 if [ "$PERMISSIONS_POLICY" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" "include ${NGINX_PREFIX}permissions-policy.conf;"
 	replace_in_file "${NGINX_PREFIX}permissions-policy.conf" "%PERMISSIONS_POLICY%" "$PERMISSIONS_POLICY"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" ""
 fi
 # Content-Security-Policy header
 if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
        replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;"
        replace_in_file "${NGINX_PREFIX}content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
 else
        replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" ""
 fi
 # cookie flags
 if [ "$COOKIE_FLAGS" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "include ${NGINX_PREFIX}cookie-flags.conf;"
 	if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
 		if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 			COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
 		fi
 	fi
 	replace_in_file "${NGINX_PREFIX}cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" ""
 fi
 # disable default server
 if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;"
 	if [ "$MULTISITE" == "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$1"
 	else
 		SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
 		replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" ""
 fi
 # set the server host name
 if [ "$MULTISITE" == "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$1"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$SERVER_NAME"
 fi
 # allowed HTTP methods
 replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
 # country ban
 if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "false"
 fi
 # block bad UA
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" "include ${NGINX_PREFIX}block-user-agent.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" ""
 fi
 # block TOR exit nodes
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
 fi
 # block proxies
 if [ "$BLOCK_PROXIES" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
 fi
 # block abusers
 if [ "$BLOCK_ABUSERS" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
 fi
 # HTTPS config
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "include ${NGINX_PREFIX}https.conf;"
 	replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
 	if [ "$HTTP2" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "http2"
 	else
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" ""
 	fi
 	replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
 	if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
 	else
 		replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" ""
 		replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" ""
 	fi
 	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
 	else
 		replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
 	fi
 	if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 		FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
 	elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
 fi
 # listen on HTTP_PORT
 if [ "$LISTEN_HTTP" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" ""
 fi
 # HTTP to HTTPS redirect
 if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include ${NGINX_PREFIX}redirect-http-to-https.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
 fi
 # ModSecurity config
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
 	modsec_custom=""
 	if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
 		modsec_custom="include /modsec-confs/*.conf\n"
 	fi
 	if [ "$MULTISITE" = "yes" ] && ls /modsec-confs/${1}/*.conf > /dev/null 2>&1 ; then
 		modsec_custom="${modsec_custom}include /modsec-confs/${1}/*.conf\n"
 	fi
 	replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
 		modsec_crs_custom=""
 		if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 			modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
 		fi
 		if [ "$MULTISITE" = "yes" ] && ls /modsec-crs-confs/${1}/*.conf > /dev/null 2>&1 ; then
 			modsec_crs_custom="${modsec_custom}include /modsec-crs-confs/${1}/*.conf\n"
 		fi
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
 	else
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" ""
 fi
 # real IP behind reverse proxy
 if [ "$PROXY_REAL_IP" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "include ${NGINX_PREFIX}proxy-real-ip.conf;"
 	froms=""
 	for from in $PROXY_REAL_IP_FROM ; do
 		froms="${froms}set_real_ip_from ${from};\n"
 	done
 	replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
 	replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
 	replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" ""
 fi
 # custom errors
 ERRORS=""
 for var in $(env) ; do
 	var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
 	if [ "z${var_name}" = "zERROR" ] ; then
 		err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
 		err_page=$(echo "$var" | cut -d '=' -f 2)
 		cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
 		replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
 		replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
 		replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
 		ERRORS="${ERRORS}include ${NGINX_PREFIX}error-${err_code}.conf;\n"
 	fi
 done
 replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS"
 # auth basic
 if [ "$USE_AUTH_BASIC" = "yes" ] ; then
 	if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
 		replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;"
 		replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
 	else
 		replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;"
 		replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
 		replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
 	fi
 	htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" ""
 fi
 # whitelist IP
 if [ "$USE_WHITELIST_IP" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false"
 fi
 # whitelist rDNS
 if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
 fi
 # blacklist IP
 if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false"
 fi
 # blacklist rDNS
 if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
 fi
 # DNSBL
 if [ "$USE_DNSBL" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false"
 fi
 # antibot uri and session secret
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
 	ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
 fi
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
 # antibot via cookie
 if [ "$USE_ANTIBOT" = "cookie" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 # antibot via javascript
 elif [ "$USE_ANTIBOT" = "javascript" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include ${NGINX_PREFIX}antibot-javascript.conf;"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 # antibot via captcha
 elif [ "$USE_ANTIBOT" = "captcha" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include ${NGINX_PREFIX}antibot-captcha.conf;"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 # antibot via recaptcha
 elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include ${NGINX_PREFIX}antibot-recaptcha.conf;"
 	replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
 	replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
 	replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
 	replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
 fi
 # request limiting
 if [ "$USE_LIMIT_REQ" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "include ${NGINX_PREFIX}limit-req.conf;"
 	replace_in_file "${NGINX_PREFIX}limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
 fi
 # fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	echo "" > ${NGINX_PREFIX}fail2ban-ip.conf
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include ${NGINX_PREFIX}fail2ban-ip.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" ""
 fi
 # clamav scan uploaded files
 if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include ${NGINX_PREFIX}modsecurity-clamav.conf"
 else
 	replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
 fi
 # CrowdSec
 if [ "$USE_CROWDSEC" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "true"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
 fi
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@@ -0,0 +1,38 @@
 #!/bin/bash
 # replace pattern in file
 function replace_in_file() {
 	# escape slashes
 	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
 	replace=$(echo "$3" | sed "s/\//\\\\\//g")
 	sed -i "s/$pattern/$replace/g" "$1"
 }
 # convert space separated values to LUA
 function spaces_to_lua() {
 	for element in $1 ; do
 		if [ "$result" = "" ] ; then
 			result="\"${element}\""
 		else
 			result="${result}, \"${element}\""
 		fi
 	done
 	echo "$result"
 }
 # check if at least one env var (global or multisite) has a specific value
 function has_value() {
 	if [ "${!1}" == "$2" ] ; then
 		echo "ok"
 		return 0
 	fi
 	for var in $(env) ; do
 		domain=$(echo "$var" | cut -d '_' -f 1)
 		name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
 		value=$(echo "$var" | sed "s~${domain}_${name}=~~")
 		if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
 			echo "ok"
 			return 0
 		fi
 	done
 }
--- a/examples/basic-website-with-php/docker-compose.yml
+++ b/examples/basic-website-with-php/docker-compose.yml
@@ -9,13 +9,16 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app
--- a/examples/behind-traefik/docker-compose.yml
+++ b/examples/behind-traefik/docker-compose.yml
@@ -17,9 +17,13 @@ services:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web1:/www
+      - ./web1:/www:ro
    environment:
      - SERVER_NAME=app1.website.com
      - PROXY_REAL_IP=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp1
      - REMOTE_PHP_PATH=/app
    labels:
@@ -31,9 +35,13 @@ services:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web2:/www
+      - ./web2:/www:ro
    environment:
      - SERVER_NAME=app2.website.com
      - PROXY_REAL_IP=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp2
      - REMOTE_PHP_PATH=/app
    labels:
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@@ -10,14 +10,19 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./http-confs:/http-confs
+      - ./http-confs:/http-confs:ro
      - ./server-confs:/server-confs
    environment:
      - SERVER_NAME=www.website.com # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://app
  app1:
    build: js-app
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@@ -10,13 +10,19 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs         # custom confs to reverse proxy to moodle
    environment:
      - SERVER_NAME=www.website.com          # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=50m
      - SERVE_FILES=no
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=https://mymoodle:8443
  mymoodle:
    image: bitnami/moodle
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@@ -0,0 +1,69 @@
 version: '3'
 services:
  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=app1.website.com app2.website.com app3.website.com # replace with your domains
      - MULTISITE=yes
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - app1.website.com_REMOTE_PHP=myapp1
      - app1.website.com_REMOTE_PHP_PATH=/app
      - app2.website.com_REMOTE_PHP=myapp2
      - app2.website.com_REMOTE_PHP_PATH=/app
      - app3.website.com_SERVE_FILES=no
      - app3.website.com_USE_CLIENT_CACHE=no
      - app3.website.com_USE_PROXY_CACHE=yes
      - app3.website.com_USE_REVERSE_PROXY=yes
      - app3.website.com_REVERSE_PROXY_URL=/
      - app3.website.com_REVERSE_PROXY_HOST=http://myapp3:3000
    networks:
      - net1
      - net2
      - net3
  myapp1:
    image: php:fpm
    restart: always
    volumes:
      - ./web-files/app1.website.com:/app
    networks:
      - net1
  myapp2:
    image: php:fpm
    restart: always
    volumes:
      - ./web-files/app2.website.com:/app
    networks:
      - net2
  myapp3:
    image: node
    restart: always
    working_dir: /home/node/app
    volumes:
      - ./js-app:/home/node/app
    environment:
      - NODE_ENV=production
    command: bash -c "npm install express && node index.js"
    networks:
      - net3
 networks:
  net1:
  net2:
  net3:
--- a/examples/multisite-basic/js-app/index.js
+++ b/examples/multisite-basic/js-app/index.js
@@ -0,0 +1,12 @@
 const express = require('express')
 const app = express()
 const port = 3000
 app.get('/', (req, res) => {
  res.send('hello from app3 !')
 })
 app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
 })
--- a/examples/multisite-basic/js-app/package.json
+++ b/examples/multisite-basic/js-app/package.json
--- a/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
+++ b/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
@@ -2,5 +2,5 @@ proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 location / {
-	proxy_pass http://app$request_uri;
+	proxy_pass http://myapp3:3000;
 }
--- a/examples/multisite-basic/web-files/app1.website.com/index.php
+++ b/examples/multisite-basic/web-files/app1.website.com/index.php
@@ -0,0 +1,5 @@
 <?php
 echo "hello from app1 !";
 ?>
--- a/examples/multisite-basic/web-files/app2.website.com/index.php
+++ b/examples/multisite-basic/web-files/app2.website.com/index.php
@@ -0,0 +1,5 @@
 <?php
 echo "hello from app2 !";
 ?>
--- a/examples/multisite-custom-server-confs/docker-compose.yml
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@@ -0,0 +1,95 @@
 version: '3'
 services:
  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs:ro
      - ./modsec-confs:/modsec-confs:ro
      - ./modsec-crs-confs:/modsec-crs-confs:ro
    environment:
      - SERVER_NAME=wp.website.com nc.website.com # replace with your domains
      - MULTISITE=yes
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - wp.website.com_REMOTE_PHP=mywp
      - wp.website.com_REMOTE_PHP_PATH=/var/www/html
      - nc.website.com_REMOTE_PHP=mync
      - nc.website.com_REMOTE_PHP_PATH=/var/www/html
      - nc.website.com_LIMIT_REQ_RATE=40r/s
      - nc.website.com_LIMIT_REQ_BURST=60
      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
      - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
      - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
    networks:
      - net1
      - net2
  mywp:
    image: wordpress:fpm-alpine
    restart: always
    volumes:
      - ./web-files/wp.website.com:/var/www/html
    environment:
      - WORDPRESS_DB_HOST=mywpdb
      - WORDPRESS_DB_NAME=wp
      - WORDPRESS_DB_USER=user
      - WORDPRESS_DB_PASSWORD=db-user-pwd    # replace with a stronger password (must match MYSQL_PASSWORD)
      - WORDPRESS_TABLE_PREFIX=prefix_       # best practice : replace with a random prefix
    networks:
      - net1
  mywpdb:
    image: mariadb
    restart: always
    volumes:
      - ./wp-db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
      - MYSQL_DATABASE=wp
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
    networks:
      - net1
  mync:
    image: nextcloud:stable-fpm
    restart: always
    volumes:
      - ./web-files/nc.website.com:/var/www/html
    environment:
      - MYSQL_HOST=myncdb
      - MYSQL_DATABASE=nc
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)
    networks:
      - net2
  myncdb:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - ./nc-db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
      - MYSQL_DATABASE=nc
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)
    networks:
      - net2
 networks:
  net1:
  net2:
--- a/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
@@ -0,0 +1 @@
 SecRuleRemoveById 921110
--- a/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
@@ -0,0 +1 @@
 SecRuleRemoveById 953120
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
@@ -0,0 +1,15 @@
 SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"
 SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/wp.website.com/wordpress.conf
@@ -0,0 +1,7 @@
 SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_wordpress=1"
--- a/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
@@ -0,0 +1,32 @@
 location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/nc.website.com/fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass mync:9000;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
 }
 location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
 }
 location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
 }
 location / {
        try_files $uri /index.php$request_uri;
 }
--- a/examples/multisite-custom-server-confs/server-confs/wp.website.com/permalinks.conf
+++ b/examples/multisite-custom-server-confs/server-confs/wp.website.com/permalinks.conf
@@ -0,0 +1,4 @@
 location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
 }
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
@@ -9,25 +9,30 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./nc-files:/www
+      - ./nc-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom nginx confs at server context to make Nextcloud working
+      - ./server-confs:/server-confs:ro         # custom nginx confs at server context to make Nextcloud working
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
-      - ./modsec-confs:/modsec-confs         # disable some false positive
+      - ./modsec-confs:/modsec-confs:ro         # disable some false positive
    environment:
      - SERVER_NAME=www.website.com          # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=10G
      - USE_CLIENT_CACHE=yes
      - REMOTE_PHP=mync
      - REMOTE_PHP_PATH=/var/www/html
      - LIMIT_REQ_RATE=40r/s
      - LIMIT_REQ_BURST=60
      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
      - X_FRAME_OPTIONS=SAMEORIGIN
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - FAIL2BAN_STATUS_CODE=400|401|403|405|444
  mync:
-    image: nextcloud:stable-fpm
+    image: nextcloud:20-fpm
    restart: always
    volumes:
      - ./nc-files:/var/www/html
--- a/examples/nextcloud/server-confs/nextcloud.conf
+++ b/examples/nextcloud/server-confs/nextcloud.conf
@@ -1,42 +1,32 @@
 location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass mync:9000;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
 }
 location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
 }
 location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
 }
 location / {
-	rewrite ^ /index.php;
+        try_files $uri /index.php$request_uri;
 }
 location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
 	deny all;
 }
 location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
 	deny all;
 }
 location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
 	include fastcgi_params;
 	fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 	set $path_info $fastcgi_path_info;
 	try_files $fastcgi_script_name =404;
 	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 	fastcgi_param PATH_INFO $path_info;
 	fastcgi_param HTTPS on;
 	fastcgi_param modHeadersAvailable true;
 	fastcgi_param front_controller_active true;
 	fastcgi_pass mync:9000;
 	fastcgi_intercept_errors on;
 	fastcgi_request_buffering off;
 	include fastcgi.conf;
 }
 location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
 	try_files $uri/ =404;
 	index index.php;
 }
 location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ {
 	try_files $uri /index.php$request_uri;
 	add_header Cache-Control "public, max-age=15778463";
 }
 location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
 	try_files $uri /index.php$request_uri;
 }
--- a/examples/passbolt/docker-compose.yml
+++ b/examples/passbolt/docker-compose.yml
@@ -0,0 +1,48 @@
 version: '3'
 services:
  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./modsec-crs-confs:/modsec-crs-confs:ro      # disable some false positive
      - ./modsec-confs:/modsec-confs:ro              # disable some false positive
    environment:
      - SERVER_NAME=www.website.com                  # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
      - SERVE_FILES=no
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=https://mypassbolt
  mypassbolt:
    image: passbolt/passbolt
    restart: always
    environment:
      - DATASOURCES_DEFAULT_HOST=mydb
      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
      - DATASOURCES_DEFAULT_USERNAME=user
      - DATASOURCES_DEFAULT_DATABASE=passbolt
      - APP_FULL_BASE_URL=https://www.website.com    # replace with your URL
  mydb:
    image: mariadb
    restart: always
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
--- a/examples/passbolt/modsec-confs/passbolt.conf
+++ b/examples/passbolt/modsec-confs/passbolt.conf
@@ -0,0 +1,2 @@
 SecRuleRemoveById 942100
 SecRuleRemoveById 930120
--- a/examples/passbolt/modsec-crs-confs/passbolt.conf
+++ b/examples/passbolt/modsec-crs-confs/passbolt.conf
@@ -0,0 +1,7 @@
 SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST PUT DELETE'"
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@@ -10,13 +10,21 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs
    environment:
-      - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
+      - MULTISITE=yes
      - SERVER_NAME=app1.website.com app2.website.com # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - app1.website.com_REVERSE_PROXY_URL=/
      - app1.website.com_REVERSE_PROXY_HOST=http://app1:3000
      - app2.website.com_REVERSE_PROXY_URL=/
      - app2.website.com_REVERSE_PROXY_HOST=http://app2
  app1:
    image: node
--- a/examples/reverse-proxy-multisite/js-app/index.js
+++ b/examples/reverse-proxy-multisite/js-app/index.js
--- a/examples/reverse-proxy-multisite/js-app/package.json
+++ b/examples/reverse-proxy-multisite/js-app/package.json
@@ -0,0 +1,14 @@
 {
  "name": "js-app",
  "version": "1.0.0",
  "description": "demo",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.17.1"
  }
 }
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@@ -0,0 +1,44 @@
 version: '3'
 services:
  myreverse:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs:ro                      # redirect /app1 and /app2 to /app1/ and /app2/
    environment:
      - SERVER_NAME=www.website.com                          # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL_1=/app1/
      - REVERSE_PROXY_HOST_1=http://app1:3000/
      - REVERSE_PROXY_URL_2=/app2/
      - REVERSE_PROXY_HOST_2=http://app2/
  app1:
    image: node
    restart: always
    working_dir: /home/node/app
    volumes:
      - ./js-app:/home/node/app
    environment:
      - NODE_ENV=production
    command: bash -c "npm install express && node index.js"
  app2:
    image: phpmyadmin:apache
    restart: always
    environment:
      - PMA_ARBITRARY=1
      - PMA_ABSOLUTE_URI=https://www.website.com/app2/      # replace with your absolute URI
--- a/examples/reverse-proxy-singlesite/js-app/index.js
+++ b/examples/reverse-proxy-singlesite/js-app/index.js
@@ -0,0 +1,12 @@
 const express = require('express')
 const app = express()
 const port = 3000
 app.get('/', (req, res) => {
  res.send('Hello World!')
 })
 app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
 })
--- a/examples/reverse-proxy-singlesite/js-app/package.json
+++ b/examples/reverse-proxy-singlesite/js-app/package.json
@@ -0,0 +1,14 @@
 {
  "name": "js-app",
  "version": "1.0.0",
  "description": "demo",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.17.1"
  }
 }
--- a/examples/reverse-proxy-singlesite/server-confs/redirects.conf
+++ b/examples/reverse-proxy-singlesite/server-confs/redirects.conf
@@ -0,0 +1,4 @@
 port_in_redirect off;
 location ~ ^/(app1|app2)$ {
 	rewrite ^(.*)$ $1/ permanent;
 }
--- a/examples/reverse-proxy/server-confs/reverse-proxy.conf
+++ b/examples/reverse-proxy/server-confs/reverse-proxy.conf
@@ -1,12 +0,0 @@
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 location / {
 	if ($host = app1.website.com) {
 		proxy_pass http://app1:3000$request_uri;
 	}
 	if ($host = app2.website.com) {
 		proxy_pass http://app2$request_uri;
 	}
 }
--- a/examples/tomcat/app/sample.war
+++ b/examples/tomcat/app/sample.war
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@@ -0,0 +1,30 @@
 version: '3'
 services:
  myreverse:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com                     # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://mytomcat:8080/sample/
  mytomcat:
    image: tomcat
    restart: always
    volumes:
      - ./app:/usr/local/tomcat/webapps/
--- a/examples/tomcat/server-confs/reverse-proxy.conf
+++ b/examples/tomcat/server-confs/reverse-proxy.conf
@@ -2,7 +2,5 @@ proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 location / {
-	if ($host = www.website.com) {
+	proxy_pass http://mytomcat:8080/sample;
 		proxy_pass http://mymoodle:8443$request_uri;
 	}
 }
--- a/examples/tor-hidden-service/docker-compose.yml
+++ b/examples/tor-hidden-service/docker-compose.yml
@@ -15,7 +15,7 @@ services:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
    environment:
      - BLOCK_TOR_EXIT_NODE=no
      - BLOCK_ABUSERS=no
@@ -26,7 +26,10 @@ services:
      - USE_WHITELIST_REVERSE=no
      - USE_BLACKLIST_IP=no
      - USE_BLACKLIST_REVERSE=no
-      - USE_FAIL2BAN=no
+      - USE_ANTIBOT=captcha
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -9,16 +9,19 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./wp-files:/www
+      - ./wp-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom confs at server context for permalinks
+      - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Wordpress exclusions
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
    environment:
-      - SERVER_NAME=www.website.com          # replace with your domain
+      - SERVER_NAME=www.website.com             # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=50m
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=mywp
      - REMOTE_PHP_PATH=/var/www/html
@@ -31,8 +34,8 @@ services:
      - WORDPRESS_DB_HOST=mydb
      - WORDPRESS_DB_NAME=wp
      - WORDPRESS_DB_USER=user
-      - WORDPRESS_DB_PASSWORD=db-user-pwd    # replace with a stronger password (must match MYSQL_PASSWORD)
+      - WORDPRESS_DB_PASSWORD=db-user-pwd       # replace with a stronger password (must match MYSQL_PASSWORD)
-      - WORDPRESS_TABLE_PREFIX=prefix_       # best practice : replace with a random prefix
+      - WORDPRESS_TABLE_PREFIX=prefix_          # best practice : replace with a random prefix
  mydb:
    image: mariadb
@@ -40,7 +43,7 @@ services:
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
-      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
      - MYSQL_DATABASE=wp
      - MYSQL_USER=user
-      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
--- a/examples/wordpress/web-files/index.php
+++ b/examples/wordpress/web-files/index.php
@@ -1,5 +0,0 @@
 <?php
 echo "Hello World!";
 ?>
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@@ -8,6 +8,7 @@ while read entry ; do
 		echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
 	fi
 done
 cp /etc/nginx/block-abusers.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi
--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@@ -7,23 +7,23 @@ function replace_in_file() {
 	sed -i "s/$pattern/$replace/g" "$1"
 }
-# check if HTTP enabled
+# disable HTTP
-# and disable it temporarily if needed
+servers="$(find /etc/nginx -name server.conf)"
-if grep -q "listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
+for f in $servers ; do
-	replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:8080;" "#listen 0.0.0.0:8080;"
+	replace_in_file "$f" "listen" "#listen"
-	if [ -f /tmp/nginx.pid ] ; then
+done
-		/usr/sbin/nginx -s reload
+if [ -f /tmp/nginx.pid ] ; then
-		sleep 10
+	/usr/sbin/nginx -s reload
-	fi
+	sleep 10
 fi
 # ask a new certificate if needed
 certbot renew
-# enable HTTP again if needed
+# enable HTTP again
-if grep -q "#listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
+for f in $servers ; do
-	replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:8080;" "listen 0.0.0.0:8080;"
+	replace_in_file "$f" "#listen" "listen"
-fi
+done
 chown -R root:nginx /etc/letsencrypt
 chmod -R 740 /etc/letsencrypt
--- a/scripts/exit-nodes.sh
+++ b/scripts/exit-nodes.sh
@@ -8,6 +8,7 @@ while read entry ; do
 		echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
 	fi
 done
 cp /etc/nginx/block-tor-exit-node.conf /cache
 if [ -f /tmp/nginx.pid ] ; then
 	/usr/sbin/nginx -s reload
 fi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bunkerity	700dfc0184	v1.2.0 release	2020-11-23 00:05:22 +01:00
bunkerity	42e4298b5c	readme update - v1.2.0 changes	2020-11-22 23:39:01 +01:00
bunkerity	813b42cfa9	php and nextcloud examples fix	2020-11-22 17:38:07 +01:00
bunkerity	58fcf0a725	added Permissions-Policy header	2020-11-21 16:41:27 +01:00
bunkerity	5879183802	custom headers to remove	2020-11-21 16:21:54 +01:00
bunkerity	2032596880	automatic trivy scan	2020-11-21 15:54:52 +01:00
bunkerity	eaf817d57a	php config and examples fixes	2020-11-18 15:21:08 +01:00
bunkerity	dd7768c856	whitelist/blacklist country at LUA level to avoid SEO issues	2020-11-18 11:37:42 +01:00
bunkerity	fe1d724c9f	country whitelist/blacklist	2020-11-18 11:21:25 +01:00
bunkerity	0635eb368b	various bug fixes	2020-11-15 20:49:43 +01:00
bunkerity	fbf81c94be	cached blacklists data	2020-11-15 15:43:41 +01:00
bunkerity	ed451877ae	examples update and multiple REVERSE_PROXY_* on single site	2020-11-15 14:55:48 +01:00
bunkerity	0f18e9c552	reverse proxy support via env vars	2020-11-14 17:30:38 +01:00
bunkerity	8f7cb5318e	proxy caching support	2020-11-14 16:58:52 +01:00
bunkerity	60fbbc1013	move some http directives to server	2020-11-14 14:19:27 +01:00
bunkerity	0f0593456c	various fixes	2020-11-13 17:57:39 +01:00
bunkerity	8cdc155ac0	multisite examples and certbot renew fix	2020-11-13 15:10:29 +01:00
bunkerity	1abe1da89e	brotli support	2020-11-12 15:03:45 +01:00
bunkerity	f18c054b42	gzip support	2020-11-12 14:37:01 +01:00
bunkerity	4dea1975e2	client caching	2020-11-12 14:02:48 +01:00
bunkerity	c2b05c463c	fix BLOCK_COUNTRY bug and add support for ModSecurity custom confs when multisite=yes	2020-11-11 22:36:22 +01:00
bunkerity	2da51d92a6	multisite - bug fixes	2020-11-11 16:54:27 +01:00
bunkerity	bd7997497b	autotest through github actions	2020-11-10 15:25:49 +01:00
bunkerity	e89e34a84f	auto test fix	2020-11-08 22:08:50 +01:00
bunkerity	ff02878dd8	auto test setup	2020-11-08 21:59:19 +01:00
bunkerity	44b016be93	road to multi server block support	2020-11-08 17:37:48 +01:00
bunkerity	36c4f3e065	v1.1.2 - CrowdSec integration and custom ports	2020-11-06 22:49:18 +01:00
bunkerity	798f6c726d	examples - nextcloud fix and tomcat	2020-11-06 22:24:34 +01:00
bunkerity	761c14a0b8	custom HTTP and HTTPS ports	2020-11-06 17:11:27 +01:00
bunkerity	4a07eca696	crowdsec integration	2020-11-06 16:56:16 +01:00
bunkerity	e1274a6082	passbolt example	2020-11-04 11:16:26 +01:00
Luka TK	3ec81cd849	Fix broken line in README	2020-11-01 22:52:55 +01:00
		`@@ -1,2 +0,0 @@`
			`modsecurity on;`
			`modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;`
		`@@ -0,0 +1,2 @@`
							`modsecurity on;`
							`modsecurity_rules_file %MODSEC_RULES_FILE%;`
		`@@ -0,0 +1 @@`
							`more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";`
		`@@ -0,0 +1,2 @@`
							`SecRuleRemoveById 942100`
							`SecRuleRemoveById 930120`