Compare commits
65 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0bc1f652b4 | ||
|
|
6c7461e298 | ||
|
|
d01bc5e014 | ||
|
|
75c69c8105 | ||
|
e26b8482aa | ||
|
|
f618c73e6c | ||
|
|
78c1e5c676 | ||
|
|
481e10d3ef | ||
|
|
aae2a71983 | ||
|
|
f3bf04e390 | ||
|
|
36cbb927c0 | ||
|
|
95153dbc5d | ||
|
|
26947179a4 | ||
|
|
88f27bfeb8 | ||
|
|
3cc1615c4d | ||
|
|
8bacf722a6 | ||
|
|
2bfc4b41fa | ||
|
587d4a92eb | ||
|
|
c311d0c825 | ||
|
|
0d03f49ebc | ||
|
|
2112c306a8 | ||
|
|
8f9dcc5ab8 | ||
|
|
2fe05d3fd3 | ||
|
|
db04c0345c | ||
|
|
ed8bd902b1 | ||
|
|
3a7aa5d9c0 | ||
|
|
9ec9de6ca2 | ||
|
|
791342cbe6 | ||
|
|
2f23671c3b | ||
|
|
e350a717ff | ||
|
|
e818acb0d1 | ||
|
|
b92f74ed98 | ||
|
|
9688e66508 | ||
|
|
700dfc0184 | ||
|
|
42e4298b5c | ||
|
|
813b42cfa9 | ||
|
|
58fcf0a725 | ||
|
|
5879183802 | ||
|
|
2032596880 | ||
|
|
eaf817d57a | ||
|
|
dd7768c856 | ||
|
|
fe1d724c9f | ||
|
|
0635eb368b | ||
|
|
fbf81c94be | ||
|
|
ed451877ae | ||
|
|
0f18e9c552 | ||
|
|
8f7cb5318e | ||
|
|
60fbbc1013 | ||
|
|
0f0593456c | ||
|
|
8cdc155ac0 | ||
|
|
1abe1da89e | ||
|
|
f18c054b42 | ||
|
|
4dea1975e2 | ||
|
|
c2b05c463c | ||
|
|
2da51d92a6 | ||
|
|
bd7997497b | ||
|
|
e89e34a84f | ||
|
|
ff02878dd8 | ||
|
|
44b016be93 | ||
|
|
36c4f3e065 | ||
|
|
798f6c726d | ||
|
|
761c14a0b8 | ||
|
|
4a07eca696 | ||
|
|
e1274a6082 | ||
|
3ec81cd849 |
28
.github/workflows/autotest.yml
vendored
Normal file
28
.github/workflows/autotest.yml
vendored
Normal file
@@ -0,0 +1,28 @@
|
||||
name: Automatic test
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [dev, master]
|
||||
pull_request:
|
||||
branches: [dev, master]
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v2
|
||||
- name: Build the image
|
||||
run: docker build -t autotest .
|
||||
- name: Run autotest
|
||||
run: docker run autotest test
|
||||
- name: Run Trivy security scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'autotest'
|
||||
format: 'table'
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
|
||||
|
||||
26
Dockerfile
26
Dockerfile
@@ -6,24 +6,38 @@ RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
COPY autoconf/ /opt/autoconf
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
|
||||
pip3 install docker && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
||||
@@ -6,24 +6,38 @@ RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
COPY autoconf/ /opt/autoconf
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
|
||||
pip3 install docker && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
||||
@@ -13,24 +13,38 @@ RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
COPY autoconf/ /opt/autoconf
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
|
||||
pip3 install docker && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
||||
@@ -13,24 +13,38 @@ RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
COPY autoconf/ /opt/autoconf
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
|
||||
pip3 install docker && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
||||
@@ -6,24 +6,38 @@ RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
COPY autoconf/ /opt/autoconf
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
|
||||
pip3 install docker && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 750 /var/log/nginx && \
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*.log && \
|
||||
mkdir /acme-challenge && \
|
||||
chown root:nginx /acme-challenge && \
|
||||
chmod 750 /acme-challenge
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
# Fix CVE-2020-28928
|
||||
RUN apk --no-cache add "musl-utils>1.1.24-r2"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
||||
101
autoconf/autoconf.py
Normal file
101
autoconf/autoconf.py
Normal file
@@ -0,0 +1,101 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
import docker, datetime, subprocess, shutil, os
|
||||
|
||||
def log(event) :
|
||||
print("[" + str(datetime.datetime.now().replace(microsecond=0)) + "] AUTOCONF - " + event, flush=True)
|
||||
|
||||
def replace_in_file(file, old_str, new_str) :
|
||||
with open(file) as f :
|
||||
data = f.read()
|
||||
data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
|
||||
with open(file, "w") as f :
|
||||
f.write(data)
|
||||
|
||||
def generate(vars) :
|
||||
vars_defaults = vars.copy()
|
||||
vars_defaults.update(os.environ)
|
||||
vars_defaults.update(vars)
|
||||
subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults)
|
||||
log("Generated config for " + vars["SERVER_NAME"])
|
||||
|
||||
def activate(vars) :
|
||||
replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
|
||||
subprocess.run(["/usr/sbin/nginx", "-s", "reload"])
|
||||
log("Activated config for " + vars["SERVER_NAME"])
|
||||
|
||||
def deactivate(vars) :
|
||||
replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
|
||||
subprocess.run(["/usr/sbin/nginx", "-s", "reload"])
|
||||
log("Deactivated config for " + vars["SERVER_NAME"])
|
||||
|
||||
def remove(vars) :
|
||||
shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
|
||||
log("Removed config for " + vars["SERVER_NAME"])
|
||||
|
||||
def process(id, event, vars) :
|
||||
global containers
|
||||
if event == "create" :
|
||||
generate(vars)
|
||||
containers.append(id)
|
||||
elif event == "start" :
|
||||
activate(vars)
|
||||
elif event == "die" :
|
||||
deactivate(vars)
|
||||
elif event == "destroy" :
|
||||
remove(vars)
|
||||
containers.remove(id)
|
||||
|
||||
containers = []
|
||||
|
||||
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
|
||||
|
||||
# Process containers created before
|
||||
for container in client.containers.list(all=True, filters={"label" : "bunkerized-nginx.SERVER_NAME"}) :
|
||||
|
||||
# Extract bunkerized-nginx.* labels
|
||||
labels = container.labels.copy()
|
||||
for label in container.labels :
|
||||
if not label.startswith("bunkerized-nginx.") :
|
||||
del labels[label]
|
||||
# Remove bunkerized-nginx. on labels
|
||||
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items()}
|
||||
|
||||
# Container is restarting or running
|
||||
if container.status == "restarting" or container.status == "running" :
|
||||
process(container.id, "create", vars)
|
||||
process(container.id, "start", vars)
|
||||
|
||||
# Container is created or exited
|
||||
if container.status == "created" or container.status == "exited" :
|
||||
process(container.id, "create", vars)
|
||||
|
||||
for event in client.events(decode=True) :
|
||||
|
||||
# Process only container events
|
||||
if event["Type"] != "container" :
|
||||
continue
|
||||
|
||||
# Check if a bunkerized-nginx.* label is present
|
||||
present = False
|
||||
for label in event["Actor"]["Attributes"] :
|
||||
if label.startswith("bunkerized-nginx.") :
|
||||
present = True
|
||||
break
|
||||
if not present :
|
||||
continue
|
||||
|
||||
# Only process if we generated a config
|
||||
if not event["id"] in containers and event["Action"] != "create" :
|
||||
continue
|
||||
|
||||
# Extract bunkerized-nginx.* labels
|
||||
labels = event["Actor"]["Attributes"].copy()
|
||||
for label in event["Actor"]["Attributes"] :
|
||||
if not label.startswith("bunkerized-nginx.") :
|
||||
del labels[label]
|
||||
# Remove bunkerized-nginx. on labels
|
||||
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items()}
|
||||
|
||||
# Process the event
|
||||
process(event["id"], event["Action"], vars)
|
||||
@@ -30,7 +30,7 @@ function git_secure_clone() {
|
||||
NTASK=$(nproc)
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg
|
||||
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev
|
||||
|
||||
# compile and install ModSecurity library
|
||||
cd /tmp
|
||||
@@ -63,6 +63,8 @@ git_secure_clone https://github.com/openresty/headers-more-nginx-module.git d6d7
|
||||
git_secure_clone https://github.com/leev/ngx_http_geoip2_module.git 1cabd8a1f68ea3998f94e9f3504431970f848fbf
|
||||
# cookie
|
||||
git_secure_clone https://github.com/AirisX/nginx_cookie_flag_module.git c4ff449318474fbbb4ba5f40cb67ccd54dc595d4
|
||||
# brotli
|
||||
git_secure_clone https://github.com/google/ngx_brotli.git 9aec15e2aa6feea2113119ba06460af70ab3ea62
|
||||
|
||||
# LUA requirements
|
||||
git_secure_clone https://github.com/openresty/luajit2.git fe32831adcb3f5fe9259a9ce404fc54e1399bba3
|
||||
@@ -127,7 +129,7 @@ tar -xvzf nginx-${NGINX_VERSION}.tar.gz
|
||||
cd nginx-$NGINX_VERSION
|
||||
CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
|
||||
CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
|
||||
./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
|
||||
./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
|
||||
make -j $NTASK modules
|
||||
cp ./objs/*.so /usr/lib/nginx/modules
|
||||
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
if ($bad_user_agent = yes) {
|
||||
return 444;
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
if ($allowed_country = no) {
|
||||
return 444;
|
||||
}
|
||||
9
confs/global/crowdsec.conf
Normal file
9
confs/global/crowdsec.conf
Normal file
@@ -0,0 +1,9 @@
|
||||
init_by_lua_block {
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
|
||||
if ok == nil then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
error()
|
||||
end
|
||||
ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
|
||||
}
|
||||
@@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb {
|
||||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default yes;
|
||||
%BLOCK_COUNTRY%
|
||||
default %DEFAULT%;
|
||||
%COUNTRY%
|
||||
}
|
||||
1
confs/global/map-referrer.conf
Normal file
1
confs/global/map-referrer.conf
Normal file
@@ -0,0 +1 @@
|
||||
map $http_referer $bad_referrer { hostnames; default no; }
|
||||
1
confs/global/map-user-agent.conf
Normal file
1
confs/global/map-user-agent.conf
Normal file
@@ -0,0 +1 @@
|
||||
map $http_user_agent $bad_user_agent { default no; }
|
||||
11
confs/global/multisite-default-server-https.conf
Normal file
11
confs/global/multisite-default-server-https.conf
Normal file
@@ -0,0 +1,11 @@
|
||||
listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
|
||||
ssl_certificate /etc/nginx/default-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/default-key.pem;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
@@ -0,0 +1,3 @@
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
6
confs/global/multisite-default-server.conf
Normal file
6
confs/global/multisite-default-server.conf
Normal file
@@ -0,0 +1,6 @@
|
||||
server {
|
||||
%LISTEN_HTTP%
|
||||
server_name _;
|
||||
%USE_HTTPS%
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
}
|
||||
3
confs/global/multisite-disable-default-server.conf
Normal file
3
confs/global/multisite-disable-default-server.conf
Normal file
@@ -0,0 +1,3 @@
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
20
confs/global/nginx-temp.conf
Normal file
20
confs/global/nginx-temp.conf
Normal file
@@ -0,0 +1,20 @@
|
||||
daemon on;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
server {
|
||||
listen 0.0.0.0:%HTTP_PORT% default_server;
|
||||
server_name _;
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -7,6 +7,8 @@ load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
||||
|
||||
# run as daemon
|
||||
daemon on;
|
||||
@@ -45,14 +47,9 @@ http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# load gzip custom config
|
||||
include /etc/nginx/gzip.conf;
|
||||
|
||||
# maximum request body size
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
|
||||
# write logs to local syslog
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
|
||||
|
||||
# temp paths
|
||||
@@ -62,9 +59,6 @@ http {
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
# load caching custom config
|
||||
include /etc/nginx/cache.conf;
|
||||
|
||||
# close connections in FIN_WAIT1 state
|
||||
reset_timedout_connection on;
|
||||
|
||||
@@ -74,15 +68,9 @@ http {
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
# enable/disable sending nginx version
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
|
||||
# resolvers to use
|
||||
resolver %DNS_RESOLVERS% ipv6=off;
|
||||
|
||||
# get real IP address if behind a reverse proxy
|
||||
%PROXY_REAL_IP%
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%WHITELIST_IP_CACHE%
|
||||
@@ -91,21 +79,30 @@ http {
|
||||
%BLACKLIST_REVERSE_CACHE%
|
||||
%DNSBL_CACHE%
|
||||
|
||||
# crowdsec init
|
||||
%USE_CROWDSEC%
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
|
||||
# server config
|
||||
include /etc/nginx/server.conf;
|
||||
# whitelist or blacklist country
|
||||
%USE_COUNTRY%
|
||||
|
||||
# list of blocked country
|
||||
%BLOCK_COUNTRY%
|
||||
|
||||
# list of blocker user agents
|
||||
# list of blocked user agents
|
||||
%BLOCK_USER_AGENT%
|
||||
|
||||
# enable/disable ModSecurity
|
||||
%USE_MODSECURITY%
|
||||
# list of blocked referrers
|
||||
%BLOCK_REFERRER%
|
||||
|
||||
# zone for proxy_cache
|
||||
%PROXY_CACHE_PATH%
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
%MULTISITE_DEFAULT_SERVER%
|
||||
|
||||
# server config(s)
|
||||
%INCLUDE_SERVER%
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
# /etc/nginx/gzip.conf
|
||||
|
||||
# enable/disable gzip compression
|
||||
gzip %USE_GZIP%;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_disable msie6;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_proxied any;
|
||||
gzip_types %GZIP_TYPES%;
|
||||
@@ -1,4 +0,0 @@
|
||||
map $http_user_agent $bad_user_agent {
|
||||
default no;
|
||||
%BLOCK_USER_AGENT%
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
modsecurity on;
|
||||
modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
|
||||
4
confs/site/brotli.conf
Normal file
4
confs/site/brotli.conf
Normal file
@@ -0,0 +1,4 @@
|
||||
brotli on;
|
||||
brotli_types %BROTLI_TYPES%;
|
||||
brotli_comp_level %BROTLI_COMP_LEVEL%;
|
||||
brotli_min_length %BROTLI_MIN_LENGTH%;
|
||||
4
confs/site/client-cache.conf
Normal file
4
confs/site/client-cache.conf
Normal file
@@ -0,0 +1,4 @@
|
||||
location ~* \.(%CLIENT_CACHE_EXTENSIONS%)$ {
|
||||
etag %CLIENT_CACHE_ETAG%;
|
||||
add_header Cache-Control "%CLIENT_CACHE_CONTROL%";
|
||||
}
|
||||
4
confs/site/gzip.conf
Normal file
4
confs/site/gzip.conf
Normal file
@@ -0,0 +1,4 @@
|
||||
gzip on;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_types %GZIP_TYPES%;
|
||||
@@ -1,4 +1,4 @@
|
||||
listen 0.0.0.0:8443 ssl %HTTP2%;
|
||||
listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
@@ -9,3 +9,4 @@ ssl_session_cache shared:MozSSL:10m;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
3
confs/site/lets-encrypt-webroot.conf
Normal file
3
confs/site/lets-encrypt-webroot.conf
Normal file
@@ -0,0 +1,3 @@
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
@@ -5,9 +5,13 @@ access_by_lua_block {
|
||||
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local use_user_agent = %USE_USER_AGENT%
|
||||
local use_referrer = %USE_REFERRER%
|
||||
local use_country = %USE_COUNTRY%
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
@@ -74,6 +78,21 @@ if use_blacklist_reverse and not blacklist.reverse_cached() then
|
||||
end
|
||||
end
|
||||
|
||||
-- check if user-agent is allowed
|
||||
if use_user_agent and ngx.var.bad_user_agent == "yes" then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if referrer is allowed
|
||||
if use_referrer and ngx.var.bad_referrer == "yes" then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if country is allowed
|
||||
if use_country and ngx.var.allowed_country == "no" then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is in DNSBLs (only if not in cache)
|
||||
if use_dnsbl and not dnsbl.cached() then
|
||||
if dnsbl.check() then
|
||||
@@ -81,6 +100,18 @@ if use_dnsbl and not dnsbl.cached() then
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in CrowdSec DB
|
||||
if use_crowdsec then
|
||||
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
|
||||
if ok == nil then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
end
|
||||
if not ok then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- cookie check
|
||||
if use_antibot_cookie then
|
||||
if not cookie.is_set("uri") then
|
||||
2
confs/site/modsecurity.conf
Normal file
2
confs/site/modsecurity.conf
Normal file
@@ -0,0 +1,2 @@
|
||||
modsecurity on;
|
||||
modsecurity_rules_file %MODSEC_RULES_FILE%;
|
||||
4
confs/site/open-file-cache.conf
Normal file
4
confs/site/open-file-cache.conf
Normal file
@@ -0,0 +1,4 @@
|
||||
open_file_cache %OPEN_FILE_CACHE%;
|
||||
open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
|
||||
open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
|
||||
1
confs/site/permissions-policy.conf
Normal file
1
confs/site/permissions-policy.conf
Normal file
@@ -0,0 +1 @@
|
||||
more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
|
||||
@@ -1,5 +1,4 @@
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass %REMOTE_PHP%:9000;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi.conf;
|
||||
}
|
||||
7
confs/site/proxy-cache.conf
Normal file
7
confs/site/proxy-cache.conf
Normal file
@@ -0,0 +1,7 @@
|
||||
proxy_cache proxycache;
|
||||
proxy_cache_methods %PROXY_CACHE_METHODS%;
|
||||
proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
|
||||
proxy_cache_key %PROXY_CACHE_KEY%;
|
||||
proxy_no_cache %PROXY_NO_CACHE%;
|
||||
proxy_cache_bypass %PROXY_CACHE_BYPASS%;
|
||||
%PROXY_CACHE_VALID%
|
||||
@@ -1,6 +1,3 @@
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
location / {
|
||||
proxy_pass http://app$request_uri;
|
||||
}
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
4
confs/site/reverse-proxy.conf
Normal file
4
confs/site/reverse-proxy.conf
Normal file
@@ -0,0 +1,4 @@
|
||||
location %REVERSE_PROXY_URL% {
|
||||
proxy_pass %REVERSE_PROXY_HOST%;
|
||||
%REVERSE_PROXY_WS%
|
||||
}
|
||||
@@ -1,6 +1,9 @@
|
||||
server {
|
||||
include /server-confs/*.conf;
|
||||
include /etc/nginx/main-lua.conf;
|
||||
%FASTCGI_PATH%
|
||||
%SERVER_CONF%
|
||||
%PROXY_REAL_IP%
|
||||
%MAIN_LUA%
|
||||
%USE_MODSECURITY%
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
@@ -13,20 +16,27 @@ server {
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%AUTH_BASIC%
|
||||
%USE_PHP%
|
||||
%HEADER_SERVER%
|
||||
%REMOVE_HEADERS%
|
||||
%X_FRAME_OPTIONS%
|
||||
%X_XSS_PROTECTION%
|
||||
%X_CONTENT_TYPE_OPTIONS%
|
||||
%CONTENT_SECURITY_POLICY%
|
||||
%REFERRER_POLICY%
|
||||
%FEATURE_POLICY%
|
||||
%BLOCK_COUNTRY%
|
||||
%BLOCK_USER_AGENT%
|
||||
%PERMISSIONS_POLICY%
|
||||
%BLOCK_TOR_EXIT_NODE%
|
||||
%BLOCK_PROXIES%
|
||||
%BLOCK_ABUSERS%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
%USE_FAIL2BAN%
|
||||
%USE_CLIENT_CACHE%
|
||||
%USE_GZIP%
|
||||
%USE_BROTLI%
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
%USE_OPEN_FILE_CACHE%
|
||||
%USE_PROXY_CACHE%
|
||||
%USE_REVERSE_PROXY%
|
||||
%USE_PHP%
|
||||
}
|
||||
6
crowdsec/acquis.yaml
Normal file
6
crowdsec/acquis.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
filenames:
|
||||
- /var/log/access.log
|
||||
- /var/log/error.log
|
||||
labels:
|
||||
type: nginx
|
||||
---
|
||||
63
crowdsec/install.sh
Normal file
63
crowdsec/install.sh
Normal file
@@ -0,0 +1,63 @@
|
||||
#!/bin/sh
|
||||
|
||||
function git_secure_clone() {
|
||||
repo="$1"
|
||||
commit="$2"
|
||||
folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
|
||||
git clone "$repo"
|
||||
cd "$folder"
|
||||
git checkout "${commit}^{commit}"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] Commit hash $commit is absent from repository $repo !"
|
||||
exit 1
|
||||
fi
|
||||
cd ..
|
||||
}
|
||||
|
||||
NTASK=$(nproc)
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
|
||||
|
||||
# build and install crowdsec
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
|
||||
cd crowdsec
|
||||
make -j $NTASK build
|
||||
./wizard.sh --bininstall
|
||||
sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
|
||||
sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
|
||||
|
||||
# install nginx collection
|
||||
cscli update
|
||||
cscli install collection crowdsecurity/nginx
|
||||
sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
|
||||
# build and install luasql
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
|
||||
cd luasql
|
||||
make -j $NTASK sqlite3 mysql
|
||||
mkdir /usr/local/lib/lua/5.1/luasql
|
||||
cp src/*.so /usr/local/lib/lua/5.1/luasql
|
||||
|
||||
# install lualogging
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
|
||||
cd lualogging
|
||||
cp -r src/* /usr/local/lib/lua
|
||||
|
||||
# install cs-lua-lib
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
|
||||
cd cs-lua-lib
|
||||
mkdir /usr/local/lib/lua/crowdsec
|
||||
cp lib/*.lua /usr/local/lib/lua/crowdsec
|
||||
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
rm /usr/local/lib/lua/crowdsec/lrucache.lua
|
||||
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
||||
622
entrypoint.sh
622
entrypoint.sh
@@ -1,622 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
echo "[*] Starting bunkerized-nginx ..."
|
||||
|
||||
# execute custom scripts if it's a customized image
|
||||
for file in /entrypoint.d/* ; do
|
||||
[ -f "$file" ] && [ -x "$file" ] && "$file"
|
||||
done
|
||||
|
||||
# trap SIGTERM and SIGINT
|
||||
function trap_exit() {
|
||||
echo "[*] Catched stop operation"
|
||||
echo "[*] Stopping crond ..."
|
||||
pkill -TERM crond
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Stopping fail2ban"
|
||||
fail2ban-client stop > /dev/null
|
||||
fi
|
||||
echo "[*] Stopping nginx ..."
|
||||
/usr/sbin/nginx -s stop
|
||||
echo "[*] Stopping rsyslogd ..."
|
||||
pkill -TERM rsyslogd
|
||||
pkill -TERM tail
|
||||
}
|
||||
trap "trap_exit" TERM INT
|
||||
|
||||
# replace pattern in file
|
||||
function replace_in_file() {
|
||||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
# convert space separated values to LUA
|
||||
function spaces_to_lua() {
|
||||
for element in $1 ; do
|
||||
if [ "$result" = "" ] ; then
|
||||
result="\"${element}\""
|
||||
else
|
||||
result="${result}, \"${element}\""
|
||||
fi
|
||||
done
|
||||
echo "$result"
|
||||
}
|
||||
|
||||
# copy stub confs
|
||||
cp /opt/confs/* /etc/nginx
|
||||
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
|
||||
cp /opt/logs/logrotate.conf /etc/logrotate.conf
|
||||
cp -r /opt/lua/* /usr/local/lib/lua
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
||||
# set default values
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
|
||||
SERVER_TOKENS="${SERVER_TOKENS-off}"
|
||||
CACHE="${CACHE-max=1000 inactive=60s}"
|
||||
CACHE_ERRORS="${CACHE_ERRORS-on}"
|
||||
CACHE_USES="${CACHE_USES-1}"
|
||||
CACHE_VALID="${CACHE_VALID-60s}"
|
||||
#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
|
||||
#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}"
|
||||
#CLIENT_CACHE_CONTROL=
|
||||
USE_GZIP="${USE_GZIP-off}"
|
||||
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}"
|
||||
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}"
|
||||
GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
|
||||
REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
|
||||
HEADER_SERVER="${HEADER_SERVER-no}"
|
||||
X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
|
||||
X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
|
||||
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
|
||||
REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
|
||||
FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
|
||||
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
|
||||
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
|
||||
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
|
||||
BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
|
||||
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
|
||||
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
|
||||
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
|
||||
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
|
||||
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
|
||||
HTTP2="${HTTP2-yes}"
|
||||
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
|
||||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY-yes}"
|
||||
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
|
||||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
|
||||
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
|
||||
SERVE_FILES="${SERVE_FILES-yes}"
|
||||
WRITE_ACCESS="${WRITE_ACCESS-no}"
|
||||
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
|
||||
LISTEN_HTTP="${LISTEN_HTTP-yes}"
|
||||
USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
|
||||
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
|
||||
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
|
||||
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
|
||||
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
|
||||
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
|
||||
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
|
||||
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
|
||||
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
|
||||
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
|
||||
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
|
||||
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
|
||||
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
|
||||
USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
|
||||
ROOT_FOLDER="${ROOT_FOLDER-/www}"
|
||||
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
|
||||
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
|
||||
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
|
||||
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
|
||||
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
|
||||
USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
|
||||
WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
|
||||
USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
|
||||
BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
|
||||
USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
|
||||
BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
|
||||
USE_DNSBL="${USE_DNSBL-yes}"
|
||||
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
|
||||
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
|
||||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
||||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
|
||||
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
|
||||
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
|
||||
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
|
||||
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
|
||||
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
|
||||
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
|
||||
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
|
||||
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
|
||||
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
|
||||
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
|
||||
USE_ANTIBOT="${USE_ANTIBOT-no}"
|
||||
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
|
||||
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
apk add $ADDITIONAL_MODULES
|
||||
fi
|
||||
|
||||
# replace values
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
|
||||
if [ "$REMOTE_PHP" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
|
||||
replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
|
||||
replace_in_file "/etc/nginx/fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
|
||||
fi
|
||||
if [ "$HEADER_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
|
||||
fi
|
||||
if [ "$X_FRAME_OPTIONS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
|
||||
replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
|
||||
fi
|
||||
if [ "$X_XSS_PROTECTION" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
|
||||
replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
|
||||
fi
|
||||
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
|
||||
replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
|
||||
fi
|
||||
if [ "$REFERRER_POLICY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
|
||||
replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
|
||||
fi
|
||||
if [ "$FEATURE_POLICY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
|
||||
replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
|
||||
fi
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
|
||||
SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
|
||||
replace_in_file "/etc/nginx/disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
|
||||
if [ "$BLOCK_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
|
||||
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
|
||||
if [ ! -f /etc/nginx/geoip.mmdb ] ; then
|
||||
/opt/scripts/geoip.sh
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
|
||||
fi
|
||||
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
|
||||
/opt/scripts/user-agents.sh &
|
||||
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
|
||||
fi
|
||||
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
|
||||
/opt/scripts/exit-nodes.sh &
|
||||
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
|
||||
fi
|
||||
if [ "$BLOCK_PROXIES" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
|
||||
/opt/scripts/proxies.sh &
|
||||
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
|
||||
fi
|
||||
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
|
||||
/opt/scripts/abusers.sh &
|
||||
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
|
||||
fi
|
||||
|
||||
# HTTPS config
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
|
||||
if [ "$HTTP2" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
|
||||
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
|
||||
replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
|
||||
replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
else
|
||||
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
|
||||
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
/opt/scripts/certbot-renew.sh
|
||||
else
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
|
||||
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
|
||||
if [ "$LISTEN_HTTP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
|
||||
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
|
||||
fi
|
||||
|
||||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
|
||||
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
|
||||
fi
|
||||
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
if [ "$PROXY_REAL_IP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
|
||||
froms=""
|
||||
for from in $PROXY_REAL_IP_FROM ; do
|
||||
froms="${froms}set_real_ip_from ${from};\n"
|
||||
done
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
|
||||
fi
|
||||
|
||||
|
||||
ERRORS=""
|
||||
for var in $(env) ; do
|
||||
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
|
||||
if [ "z${var_name}" = "zERROR" ] ; then
|
||||
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
|
||||
err_page=$(echo "$var" | cut -d '=' -f 2)
|
||||
cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
|
||||
ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
|
||||
fi
|
||||
done
|
||||
if [ "$ERRORS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
|
||||
fi
|
||||
if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;"
|
||||
replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
|
||||
fi
|
||||
if [ "$COOKIE_FLAGS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
|
||||
if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
|
||||
fi
|
||||
fi
|
||||
replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
|
||||
fi
|
||||
if [ "$SERVE_FILES" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;"
|
||||
replace_in_file "/etc/nginx/serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
|
||||
fi
|
||||
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
|
||||
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
|
||||
replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
|
||||
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
|
||||
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
|
||||
fi
|
||||
htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
|
||||
fi
|
||||
|
||||
# DNS resolvers
|
||||
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
|
||||
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
|
||||
|
||||
# whitelist IP
|
||||
if [ "$USE_WHITELIST_IP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "true"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
|
||||
|
||||
# whitelist rDNS
|
||||
if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# blacklist IP
|
||||
if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "true"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
|
||||
|
||||
# blacklist rDNS
|
||||
if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# DNSBL
|
||||
if [ "$USE_DNSBL" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "true"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$DNSBL_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
||||
|
||||
# antibot uri and session secret
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
|
||||
ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
|
||||
fi
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
|
||||
|
||||
# antibot via cookie
|
||||
if [ "$USE_ANTIBOT" = "cookie" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
# antibot via javascript
|
||||
elif [ "$USE_ANTIBOT" = "javascript" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
# antibot via captcha
|
||||
elif [ "$USE_ANTIBOT" = "captcha" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include /etc/nginx/antibot-captcha.conf;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
# antibot via recaptcha
|
||||
elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include /etc/nginx/antibot-recaptcha.conf;"
|
||||
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
|
||||
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
|
||||
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
|
||||
else
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
fi
|
||||
|
||||
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
|
||||
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
|
||||
replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
|
||||
fi
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "" > /etc/nginx/fail2ban-ip.conf
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
|
||||
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
|
||||
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
|
||||
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
|
||||
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
|
||||
fi
|
||||
|
||||
# clamav setup
|
||||
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
echo "[*] Updating clamav (in background) ..."
|
||||
freshclam > /dev/null 2>&1 &
|
||||
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
fi
|
||||
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include /etc/nginx/modsecurity-clamav.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
|
||||
fi
|
||||
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
|
||||
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
|
||||
else
|
||||
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
|
||||
fi
|
||||
fi
|
||||
|
||||
# edit access if needed
|
||||
if [ "$WRITE_ACCESS" = "yes" ] ; then
|
||||
chown -R root:nginx /www
|
||||
chmod g+w -R /www
|
||||
fi
|
||||
|
||||
# start rsyslogd
|
||||
rsyslogd
|
||||
|
||||
# start crond
|
||||
crond
|
||||
|
||||
# create empty logs
|
||||
touch /var/log/access.log
|
||||
touch /var/log/error.log
|
||||
|
||||
# fix nginx configs rights (and modules through the symlink)
|
||||
chown -R root:nginx /etc/nginx/
|
||||
chmod -R 740 /etc/nginx/
|
||||
find /etc/nginx -type d -exec chmod 750 {} \;
|
||||
|
||||
# fix let's encrypt rights
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
||||
fi
|
||||
|
||||
# start nginx
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
fail2ban-server > /dev/null
|
||||
fi
|
||||
|
||||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
|
||||
# display logs
|
||||
LOGS="/var/log/access.log /var/log/error.log"
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
LOGS="$LOGS /var/log/fail2ban.log"
|
||||
fi
|
||||
tail -F $LOGS &
|
||||
wait $!
|
||||
|
||||
# sigterm trapped
|
||||
echo "[*] bunkerized-nginx stopped"
|
||||
exit 0
|
||||
113
entrypoint/defaults.sh
Normal file
113
entrypoint/defaults.sh
Normal file
@@ -0,0 +1,113 @@
|
||||
#!/bin/bash
|
||||
|
||||
MULTISITE="${MULTISITE-no}"
|
||||
LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
|
||||
HTTP_PORT="${HTTP_PORT-8080}"
|
||||
HTTPS_PORT="${HTTPS_PORT-8443}"
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
|
||||
SERVER_TOKENS="${SERVER_TOKENS-off}"
|
||||
USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
|
||||
CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
|
||||
CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
|
||||
CLIENT_CACHE_ETAG="${CLIENT_CACHE_ETAG-on}"
|
||||
USE_OPEN_FILE_CACHE="${USE_OPEN_FILE_CACHE-no}"
|
||||
OPEN_FILE_CACHE="${OPEN_FILE_CACHE-max=1000 inactive=20s}"
|
||||
OPEN_FILE_CACHE_ERRORS="${OPEN_FILE_CACHE_ERRORS-on}"
|
||||
OPEN_FILE_CACHE_MIN_USES="${OPEN_FILE_CACHE_MIN_USES-2}"
|
||||
OPEN_FILE_CACHE_VALID="${OPEN_FILE_CACHE_VALID-30s}"
|
||||
USE_PROXY_CACHE="${USE_PROXY_CACHE-no}"
|
||||
PROXY_CACHE_PATH_ZONE_SIZE="${PROXY_CACHE_PATH_ZONE_SIZE-10m}"
|
||||
PROXY_CACHE_PATH_PARAMS="${PROXY_CACHE_PATH_PARAMS-max_size=100m}"
|
||||
PROXY_CACHE_METHODS="${PROXY_CACHE_METHODS-GET HEAD}"
|
||||
PROXY_CACHE_MIN_USES="${PROXY_CACHE_MIN_USES-2}"
|
||||
PROXY_CACHE_KEY="${PROXY_CACHE_KEY-\$scheme\$host\$request_uri}"
|
||||
PROXY_CACHE_VALID="${PROXY_CACHE_VALID-200=10m 301=10m 302=1h}"
|
||||
PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_authorization}"
|
||||
PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_authorization}"
|
||||
USE_GZIP="${USE_GZIP-no}"
|
||||
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-5}"
|
||||
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-1000}"
|
||||
GZIP_TYPES="${GZIP_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
|
||||
USE_BROTLI="${USE_BROTLI-no}"
|
||||
BROTLI_COMP_LEVEL="${BROTLI_COMP_LEVEL-6}"
|
||||
BROTLI_MIN_LENGTH="${BROTLI_MIN_LENGTH-1000}"
|
||||
BROTLI_TYPES="${BROTLI_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
|
||||
REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
|
||||
USE_REVERSE_PROXY="${USE_REVERSE_PROXY-no}"
|
||||
REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version}"
|
||||
X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
|
||||
X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
|
||||
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
|
||||
REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
|
||||
PERMISSIONS_POLICY="${PERMISSIONS_POLICY-accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()}"
|
||||
FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
|
||||
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
|
||||
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
|
||||
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
|
||||
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
|
||||
BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
|
||||
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
|
||||
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
|
||||
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
|
||||
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
|
||||
HTTP2="${HTTP2-yes}"
|
||||
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
|
||||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY-yes}"
|
||||
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
|
||||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
|
||||
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
|
||||
SERVE_FILES="${SERVE_FILES-yes}"
|
||||
WRITE_ACCESS="${WRITE_ACCESS-no}"
|
||||
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
|
||||
LISTEN_HTTP="${LISTEN_HTTP-yes}"
|
||||
USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
|
||||
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
|
||||
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
|
||||
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
|
||||
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
|
||||
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
|
||||
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
|
||||
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
|
||||
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
|
||||
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
|
||||
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
|
||||
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
|
||||
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
|
||||
USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
|
||||
ROOT_FOLDER="${ROOT_FOLDER-/www}"
|
||||
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
|
||||
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
|
||||
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
|
||||
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
|
||||
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
|
||||
USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
|
||||
WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
|
||||
USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
|
||||
BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
|
||||
USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
|
||||
BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
|
||||
USE_DNSBL="${USE_DNSBL-yes}"
|
||||
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
|
||||
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
|
||||
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
|
||||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
||||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
|
||||
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
|
||||
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
|
||||
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
|
||||
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
|
||||
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
|
||||
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
|
||||
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
|
||||
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
|
||||
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
|
||||
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
|
||||
USE_ANTIBOT="${USE_ANTIBOT-no}"
|
||||
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
|
||||
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
|
||||
USE_CROWDSEC="${USE_CROWDSEC-no}"
|
||||
114
entrypoint/entrypoint.sh
Normal file
114
entrypoint/entrypoint.sh
Normal file
@@ -0,0 +1,114 @@
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. ./opt/entrypoint/defaults.sh
|
||||
|
||||
echo "[*] Starting bunkerized-nginx ..."
|
||||
|
||||
# execute custom scripts if it's a customized image
|
||||
for file in /entrypoint.d/* ; do
|
||||
[ -f "$file" ] && [ -x "$file" ] && "$file"
|
||||
done
|
||||
|
||||
# trap SIGTERM and SIGINT
|
||||
function trap_exit() {
|
||||
echo "[*] Catched stop operation"
|
||||
echo "[*] Stopping crond ..."
|
||||
pkill -TERM crond
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Stopping fail2ban"
|
||||
fail2ban-client stop > /dev/null
|
||||
fi
|
||||
echo "[*] Stopping nginx ..."
|
||||
/usr/sbin/nginx -s stop
|
||||
echo "[*] Stopping rsyslogd ..."
|
||||
pkill -TERM rsyslogd
|
||||
pkill -TERM tail
|
||||
}
|
||||
trap "trap_exit" TERM INT
|
||||
|
||||
# do the configuration magic if needed
|
||||
if [ ! -f "/opt/installed" ] ; then
|
||||
echo "[*] Configuring bunkerized-nginx ..."
|
||||
/opt/entrypoint/global-config.sh
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
for server in $SERVER_NAME ; do
|
||||
/opt/entrypoint/site-config.sh "$server"
|
||||
echo "[*] Multi site - $server configuration done"
|
||||
done
|
||||
else
|
||||
/opt/entrypoint/site-config.sh
|
||||
echo "[*] Single site - $SERVER_NAME configuration done"
|
||||
fi
|
||||
touch /opt/installed
|
||||
else
|
||||
echo "[*] Skipping configuration process"
|
||||
fi
|
||||
|
||||
# fix nginx configs rights (and modules through the symlink)
|
||||
chown -R root:nginx /etc/nginx/
|
||||
chmod -R 740 /etc/nginx/
|
||||
find /etc/nginx -type d -exec chmod 750 {} \;
|
||||
|
||||
# fix let's encrypt rights
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
||||
fi
|
||||
|
||||
# start rsyslogd
|
||||
rsyslogd
|
||||
|
||||
# start crond
|
||||
crond
|
||||
|
||||
# start nginx
|
||||
if [ -f "/tmp/nginx.pid" ] ; then
|
||||
nginx -s quit
|
||||
fi
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
# list of log files to display
|
||||
LOGS="/var/log/access.log /var/log/error.log"
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Running fail2ban ..."
|
||||
fail2ban-server > /dev/null
|
||||
LOGS="$LOGS /var/log/fail2ban.log"
|
||||
fi
|
||||
|
||||
# start crowdsec
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
echo "[*] Running crowdsec ..."
|
||||
crowdsec
|
||||
fi
|
||||
|
||||
# autotest
|
||||
if [ "$1" == "test" ] ; then
|
||||
sleep 10
|
||||
echo -n "autotest" > /www/index.html
|
||||
check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
|
||||
if [ "$check" == "autotest" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# start the autoconf manager
|
||||
if [ -S "/var/run/docker.sock" ] ; then
|
||||
echo "[*] Running autoconf ..."
|
||||
touch /var/log/autoconf.log
|
||||
/opt/autoconf/autoconf.py > /var/log/autoconf.log 2>&1 &
|
||||
LOGS="$LOGS /var/log/autoconf.log"
|
||||
fi
|
||||
|
||||
# display logs
|
||||
tail -F $LOGS &
|
||||
wait $!
|
||||
|
||||
# sigterm trapped
|
||||
echo "[*] bunkerized-nginx stopped"
|
||||
exit 0
|
||||
309
entrypoint/global-config.sh
Normal file
309
entrypoint/global-config.sh
Normal file
@@ -0,0 +1,309 @@
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy stub confs
|
||||
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
|
||||
cp /opt/logs/logrotate.conf /etc/logrotate.conf
|
||||
cp -r /opt/lua/* /usr/local/lib/lua
|
||||
cp /opt/confs/global/* /etc/nginx/
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
apk add $ADDITIONAL_MODULES
|
||||
fi
|
||||
|
||||
# start nginx with temp conf for let's encrypt challenges
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
|
||||
nginx -c /etc/nginx/nginx-temp.conf
|
||||
fi
|
||||
|
||||
# include server block(s)
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
includes=""
|
||||
for server in $SERVER_NAME ; do
|
||||
includes="${includes}include /etc/nginx/${server}/server.conf;\n"
|
||||
done
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
|
||||
fi
|
||||
|
||||
# setup default server block if multisite
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;"
|
||||
if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;"
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
|
||||
if [ "$(has_value HTTP2 yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
|
||||
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" ""
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
|
||||
# custom log format
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT"
|
||||
|
||||
# proxy_cache zone
|
||||
if [ "$(has_value USE_PROXY_CACHE yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" "proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:${PROXY_CACHE_PATH_ZONE_SIZE} ${PROXY_CACHE_PATH_PARAMS};"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" ""
|
||||
fi
|
||||
|
||||
# let's encrypt setup
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
if [ "$MULTISITE" = "no" ] ; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
|
||||
if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..."
|
||||
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
fi
|
||||
|
||||
# self-signed certificate
|
||||
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
fi
|
||||
|
||||
# country ban/whitelist
|
||||
if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
if [ "$WHITELIST_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
|
||||
fi
|
||||
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
else
|
||||
echo "[*] Downloading GeoIP database (in background) ..."
|
||||
/opt/scripts/geoip.sh &
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
|
||||
fi
|
||||
|
||||
# block bad UA
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
|
||||
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/map-user-agent.conf" ] ; then
|
||||
echo "[*] Copying cached map-user-agent.conf ..."
|
||||
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
else
|
||||
echo "[*] Downloading bad user-agent list (in background) ..."
|
||||
/opt/scripts/user-agents.sh &
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
|
||||
fi
|
||||
|
||||
# block bad refferer
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
|
||||
echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/map-referrer.conf" ] ; then
|
||||
echo "[*] Copying cached map-referrer.conf ..."
|
||||
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
|
||||
else
|
||||
echo "[*] Downloading bad referrer list (in background) ..."
|
||||
/opt/scripts/referrers.sh &
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
|
||||
fi
|
||||
|
||||
# block TOR exit nodes
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
|
||||
echo "[*] Copying cached block-tor-exit-node.conf ..."
|
||||
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
|
||||
else
|
||||
echo "[*] Downloading tor exit nodes list (in background) ..."
|
||||
/opt/scripts/exit-nodes.sh &
|
||||
fi
|
||||
fi
|
||||
|
||||
# block proxies
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/block-proxies.conf" ] ; then
|
||||
echo "[*] Copying cached block-proxies.conf ..."
|
||||
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
|
||||
else
|
||||
echo "[*] Downloading proxies list (in background) ..."
|
||||
/opt/scripts/proxies.sh &
|
||||
fi
|
||||
fi
|
||||
|
||||
# block abusers
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
|
||||
if [ -f "/cache/block-abusers.conf" ] ; then
|
||||
echo "[*] Copying cached block-abusers.conf ..."
|
||||
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
|
||||
else
|
||||
echo "[*] Downloading abusers list (in background) ..."
|
||||
/opt/scripts/abusers.sh &
|
||||
fi
|
||||
fi
|
||||
|
||||
# DNS resolvers
|
||||
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
|
||||
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
|
||||
|
||||
# whitelist IP
|
||||
if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
|
||||
|
||||
# whitelist rDNS
|
||||
if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# blacklist IP
|
||||
if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
|
||||
|
||||
# blacklist rDNS
|
||||
if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# request limiting
|
||||
if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
fi
|
||||
|
||||
# DNSBL
|
||||
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
|
||||
fi
|
||||
list=$(spaces_to_lua "$DNSBL_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
||||
|
||||
# disable default site
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
|
||||
echo "" > /etc/nginx/fail2ban-ip.conf
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
|
||||
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
|
||||
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
|
||||
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
|
||||
fi
|
||||
|
||||
# clamav setup
|
||||
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
echo "[*] Updating clamav (in background) ..."
|
||||
freshclam > /dev/null 2>&1 &
|
||||
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
fi
|
||||
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
|
||||
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
|
||||
else
|
||||
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
|
||||
fi
|
||||
fi
|
||||
|
||||
# CrowdSec setup
|
||||
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
|
||||
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
|
||||
cscli api register >> /etc/crowdsec/config/api.yaml
|
||||
cscli api pull
|
||||
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
|
||||
fi
|
||||
|
||||
# create empty logs
|
||||
touch /var/log/access.log
|
||||
touch /var/log/error.log
|
||||
|
||||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
559
entrypoint/site-config.sh
Normal file
559
entrypoint/site-config.sh
Normal file
@@ -0,0 +1,559 @@
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# get nginx path and override multisite variables
|
||||
NGINX_PREFIX="/etc/nginx/"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
NGINX_PREFIX="${NGINX_PREFIX}${1}/"
|
||||
for var in $(env) ; do
|
||||
name=$(echo "$var" | cut -d '=' -f 1)
|
||||
check=$(echo "$name" | grep "^$1_")
|
||||
if [ "$check" != "" ] ; then
|
||||
repl_name=$(echo "$name" | sed "s~${1}_~~")
|
||||
repl_value=$(echo "$var" | sed "s~${name}=~~")
|
||||
read -r "$repl_name" <<< $repl_value
|
||||
fi
|
||||
done
|
||||
ROOT_FOLDER="${ROOT_FOLDER}/$1"
|
||||
fi
|
||||
|
||||
# copy stub confs
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
mkdir "$NGINX_PREFIX"
|
||||
fi
|
||||
cp /opt/confs/site/* "$NGINX_PREFIX"
|
||||
|
||||
# replace paths
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${1}/*.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
|
||||
fi
|
||||
|
||||
# max body size
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
|
||||
|
||||
# server tokens
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
|
||||
|
||||
# reverse proxy
|
||||
if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
|
||||
i=1
|
||||
for var in $(env) ; do
|
||||
check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
|
||||
check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
|
||||
if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
|
||||
name=$(echo "$var" | cut -d '=' -f 1)
|
||||
value=$(echo "$var" | sed "s/${name}=//")
|
||||
host=$(echo "$name" | sed "s/URL/HOST/")
|
||||
host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
|
||||
ws=$(echo "$name" | sed "s/URL/WS/")
|
||||
ws_value=$(env | grep "^${ws}=" | sed "s/${ws}=//")
|
||||
cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
|
||||
if [ "$ws_value" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
|
||||
fi
|
||||
i=$(($i + 1))
|
||||
fi
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" ""
|
||||
fi
|
||||
|
||||
# proxy caching
|
||||
if [ "$USE_PROXY_CACHE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" "include ${NGINX_PREFIX}proxy-cache.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_METHODS%" "$PROXY_CACHE_METHODS"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_MIN_USES%" "$PROXY_CACHE_MIN_USES"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_KEY%" "$PROXY_CACHE_KEY"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_NO_CACHE%" "$PROXY_NO_CACHE"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_BYPASS%" "$PROXY_CACHE_BYPASS"
|
||||
valids=""
|
||||
for valid in $PROXY_CACHE_VALID ; do
|
||||
code="$(echo $valid | cut -d '=' -f 1)"
|
||||
timing="$(echo $valid | cut -d '=' -f 2)"
|
||||
valids="${valids}\nproxy_cache_valid ${code} ${timing};"
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}proxy-cache.conf" "%PROXY_CACHE_VALID%" "$valids"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PROXY_CACHE%" ""
|
||||
fi
|
||||
|
||||
# file metadata caching
|
||||
if [ "$USE_OPEN_FILE_CACHE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" "include ${NGINX_PREFIX}open-file-cache.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE%" "$OPEN_FILE_CACHE"
|
||||
replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_ERRORS%" "$OPEN_FILE_CACHE_ERRORS"
|
||||
replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_MIN_USES%" "$OPEN_FILE_CACHE_MIN_USES"
|
||||
replace_in_file "${NGINX_PREFIX}open-file-cache.conf" "%OPEN_FILE_CACHE_VALID%" "$OPEN_FILE_CACHE_VALID"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_OPEN_FILE_CACHE%" ""
|
||||
fi
|
||||
|
||||
# client caching
|
||||
if [ "$USE_CLIENT_CACHE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" "include ${NGINX_PREFIX}client-cache.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_EXTENSIONS%" "$CLIENT_CACHE_EXTENSIONS"
|
||||
replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_ETAG%" "$CLIENT_CACHE_ETAG"
|
||||
replace_in_file "${NGINX_PREFIX}client-cache.conf" "%CLIENT_CACHE_CONTROL%" "$CLIENT_CACHE_CONTROL"
|
||||
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_CLIENT_CACHE%" ""
|
||||
fi
|
||||
|
||||
# gzip compression
|
||||
if [ "$USE_GZIP" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" "include ${NGINX_PREFIX}gzip.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
|
||||
replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
|
||||
replace_in_file "${NGINX_PREFIX}gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_GZIP%" ""
|
||||
fi
|
||||
|
||||
# brotli compression
|
||||
if [ "$USE_BROTLI" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" "include ${NGINX_PREFIX}brotli.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_COMP_LEVEL%" "$BROTLI_COMP_LEVEL"
|
||||
replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_MIN_LENGTH%" "$BROTLI_MIN_LENGTH"
|
||||
replace_in_file "${NGINX_PREFIX}brotli.conf" "%BROTLI_TYPES%" "$BROTLI_TYPES"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_BROTLI%" ""
|
||||
fi
|
||||
|
||||
# remote PHP
|
||||
if [ "$REMOTE_PHP" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" ""
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" ""
|
||||
fi
|
||||
|
||||
# serve files
|
||||
if [ "$SERVE_FILES" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "include ${NGINX_PREFIX}serve-files.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" ""
|
||||
fi
|
||||
|
||||
# remove headers
|
||||
if [ "$REMOVE_HEADERS" != "" ] ; then
|
||||
remove=""
|
||||
for header in $REMOVE_HEADERS ; do
|
||||
remove="${remove}more_clear_headers '$header';\n"
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" "$remove"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REMOVE_HEADERS%" ""
|
||||
fi
|
||||
|
||||
# X-Frame-Options header
|
||||
if [ "$X_FRAME_OPTIONS" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "include ${NGINX_PREFIX}x-frame-options.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" ""
|
||||
fi
|
||||
|
||||
# X-XSS-Protection header
|
||||
if [ "$X_XSS_PROTECTION" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "include ${NGINX_PREFIX}x-xss-protection.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" ""
|
||||
fi
|
||||
|
||||
# X-Content-Type-Options header
|
||||
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include ${NGINX_PREFIX}x-content-type-options.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
|
||||
fi
|
||||
|
||||
# Referrer-Policy header
|
||||
if [ "$REFERRER_POLICY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "include ${NGINX_PREFIX}referrer-policy.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" ""
|
||||
fi
|
||||
|
||||
# Feature-Policy header
|
||||
if [ "$FEATURE_POLICY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "include ${NGINX_PREFIX}feature-policy.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" ""
|
||||
fi
|
||||
|
||||
# Permissions-Policy header
|
||||
if [ "$PERMISSIONS_POLICY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" "include ${NGINX_PREFIX}permissions-policy.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}permissions-policy.conf" "%PERMISSIONS_POLICY%" "$PERMISSIONS_POLICY"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" ""
|
||||
fi
|
||||
|
||||
# Content-Security-Policy header
|
||||
if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" ""
|
||||
fi
|
||||
|
||||
# cookie flags
|
||||
if [ "$COOKIE_FLAGS" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "include ${NGINX_PREFIX}cookie-flags.conf;"
|
||||
if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
|
||||
fi
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" ""
|
||||
fi
|
||||
|
||||
# disable default server
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" != "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;"
|
||||
SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
|
||||
replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
|
||||
# set the server host name
|
||||
if [ "$MULTISITE" == "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$1"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
fi
|
||||
|
||||
# allowed HTTP methods
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
|
||||
|
||||
# country ban
|
||||
if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "false"
|
||||
fi
|
||||
|
||||
# block bad UA
|
||||
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
|
||||
fi
|
||||
|
||||
# block bad referrer
|
||||
if [ "$BLOCK_REFERRER" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "false"
|
||||
fi
|
||||
|
||||
# block TOR exit nodes
|
||||
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
|
||||
fi
|
||||
|
||||
# block proxies
|
||||
if [ "$BLOCK_PROXIES" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
|
||||
fi
|
||||
|
||||
# block abusers
|
||||
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
|
||||
fi
|
||||
|
||||
# HTTPS config
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "include ${NGINX_PREFIX}https.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
|
||||
if [ "$HTTP2" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
|
||||
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" ""
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
if [ "$MULTISITE" = "no" ] ; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
else
|
||||
FIRST_SERVER_NAME="$1"
|
||||
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $1 ..."
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
|
||||
/opt/scripts/certbot-new.sh "$1" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
|
||||
# listen on HTTP_PORT
|
||||
if [ "$LISTEN_HTTP" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
|
||||
# HTTP to HTTPS redirect
|
||||
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include ${NGINX_PREFIX}redirect-http-to-https.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
|
||||
fi
|
||||
|
||||
# ModSecurity config
|
||||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
|
||||
modsec_custom=""
|
||||
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
|
||||
modsec_custom="include /modsec-confs/*.conf\n"
|
||||
fi
|
||||
if [ "$MULTISITE" = "yes" ] && ls /modsec-confs/${1}/*.conf > /dev/null 2>&1 ; then
|
||||
modsec_custom="${modsec_custom}include /modsec-confs/${1}/*.conf\n"
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
|
||||
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
|
||||
modsec_crs_custom=""
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
|
||||
fi
|
||||
if [ "$MULTISITE" = "yes" ] && ls /modsec-crs-confs/${1}/*.conf > /dev/null 2>&1 ; then
|
||||
modsec_crs_custom="${modsec_custom}include /modsec-crs-confs/${1}/*.conf\n"
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
|
||||
# real IP behind reverse proxy
|
||||
if [ "$PROXY_REAL_IP" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "include ${NGINX_PREFIX}proxy-real-ip.conf;"
|
||||
froms=""
|
||||
for from in $PROXY_REAL_IP_FROM ; do
|
||||
froms="${froms}set_real_ip_from ${from};\n"
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
|
||||
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" ""
|
||||
fi
|
||||
|
||||
# custom errors
|
||||
ERRORS=""
|
||||
for var in $(env) ; do
|
||||
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
|
||||
if [ "z${var_name}" = "zERROR" ] ; then
|
||||
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
|
||||
err_page=$(echo "$var" | cut -d '=' -f 2)
|
||||
cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
|
||||
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
|
||||
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
|
||||
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
|
||||
ERRORS="${ERRORS}include ${NGINX_PREFIX}error-${err_code}.conf;\n"
|
||||
fi
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS"
|
||||
|
||||
# auth basic
|
||||
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
|
||||
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
|
||||
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
|
||||
fi
|
||||
htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" ""
|
||||
fi
|
||||
|
||||
# whitelist IP
|
||||
if [ "$USE_WHITELIST_IP" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false"
|
||||
fi
|
||||
|
||||
# whitelist rDNS
|
||||
if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
|
||||
fi
|
||||
|
||||
# blacklist IP
|
||||
if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false"
|
||||
fi
|
||||
|
||||
# blacklist rDNS
|
||||
if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
|
||||
fi
|
||||
|
||||
# DNSBL
|
||||
if [ "$USE_DNSBL" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false"
|
||||
fi
|
||||
|
||||
# antibot uri and session secret
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
|
||||
ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
|
||||
|
||||
# antibot via cookie
|
||||
if [ "$USE_ANTIBOT" = "cookie" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
# antibot via javascript
|
||||
elif [ "$USE_ANTIBOT" = "javascript" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include ${NGINX_PREFIX}antibot-javascript.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
# antibot via captcha
|
||||
elif [ "$USE_ANTIBOT" = "captcha" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include ${NGINX_PREFIX}antibot-captcha.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
# antibot via recaptcha
|
||||
elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include ${NGINX_PREFIX}antibot-recaptcha.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
|
||||
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
|
||||
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
|
||||
fi
|
||||
|
||||
# request limiting
|
||||
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "include ${NGINX_PREFIX}limit-req.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
|
||||
fi
|
||||
|
||||
# fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" ""
|
||||
fi
|
||||
|
||||
# clamav scan uploaded files
|
||||
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include ${NGINX_PREFIX}modsecurity-clamav.conf"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
|
||||
fi
|
||||
|
||||
# CrowdSec
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "true"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
|
||||
fi
|
||||
38
entrypoint/utils.sh
Normal file
38
entrypoint/utils.sh
Normal file
@@ -0,0 +1,38 @@
|
||||
#!/bin/bash
|
||||
|
||||
# replace pattern in file
|
||||
function replace_in_file() {
|
||||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
# convert space separated values to LUA
|
||||
function spaces_to_lua() {
|
||||
for element in $1 ; do
|
||||
if [ "$result" = "" ] ; then
|
||||
result="\"${element}\""
|
||||
else
|
||||
result="${result}, \"${element}\""
|
||||
fi
|
||||
done
|
||||
echo "$result"
|
||||
}
|
||||
|
||||
# check if at least one env var (global or multisite) has a specific value
|
||||
function has_value() {
|
||||
if [ "${!1}" == "$2" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
for var in $(env) ; do
|
||||
domain=$(echo "$var" | cut -d '_' -f 1)
|
||||
name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
|
||||
value=$(echo "$var" | sed "s~${domain}_${name}=~~")
|
||||
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
}
|
||||
53
examples/autoconf-php/docker-compose.yml
Normal file
53
examples/autoconf-php/docker-compose.yml
Normal file
@@ -0,0 +1,53 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./web-files:/www:ro
|
||||
environment:
|
||||
- SERVER_NAME= # must be left blank if you don't want to setup "static" conf
|
||||
- MULTISITE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
|
||||
myapp1:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app1.website.com:/app
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app1.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REMOTE_PHP=myapp1"
|
||||
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
|
||||
|
||||
myapp2:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app2.website.com:/app
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app2.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REMOTE_PHP=myapp2"
|
||||
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
|
||||
|
||||
myapp3:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app3.website.com:/app
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app3.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REMOTE_PHP=myapp3"
|
||||
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
|
||||
@@ -0,0 +1,5 @@
|
||||
<?php
|
||||
|
||||
echo "Hello from app1 !";
|
||||
|
||||
?>
|
||||
@@ -0,0 +1,5 @@
|
||||
<?php
|
||||
|
||||
echo "Hello from app2 !";
|
||||
|
||||
?>
|
||||
@@ -0,0 +1,5 @@
|
||||
<?php
|
||||
|
||||
echo "Hello from app3 !";
|
||||
|
||||
?>
|
||||
53
examples/autoconf-reverse-proxy/docker-compose.yml
Normal file
53
examples/autoconf-reverse-proxy/docker-compose.yml
Normal file
@@ -0,0 +1,53 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME= # must be left blank if you don't want to setup "static" conf
|
||||
- MULTISITE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
||||
myapp1:
|
||||
build: js-app
|
||||
restart: always
|
||||
environment:
|
||||
- NODE_ENV=production
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app1.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp1:3000"
|
||||
|
||||
myapp2:
|
||||
build: js-app
|
||||
restart: always
|
||||
environment:
|
||||
- NODE_ENV=production
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app2.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp2:3000"
|
||||
|
||||
myapp3:
|
||||
build: js-app
|
||||
restart: always
|
||||
environment:
|
||||
- NODE_ENV=production
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app3.website.com" # replace with your domain
|
||||
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp3:3000"
|
||||
11
examples/autoconf-reverse-proxy/js-app/Dockerfile
Normal file
11
examples/autoconf-reverse-proxy/js-app/Dockerfile
Normal file
@@ -0,0 +1,11 @@
|
||||
FROM node
|
||||
|
||||
COPY app/ /home/node/app
|
||||
|
||||
RUN cd /home/node/app && npm install && chown -R root:node /home/node/app && chmod -R 770 /home/node/app
|
||||
|
||||
WORKDIR /home/node/app
|
||||
|
||||
USER node
|
||||
|
||||
CMD ["node", "index.js"]
|
||||
13
examples/autoconf-reverse-proxy/js-app/app/index.js
Normal file
13
examples/autoconf-reverse-proxy/js-app/app/index.js
Normal file
@@ -0,0 +1,13 @@
|
||||
const express = require('express')
|
||||
const app = express()
|
||||
const port = 3000
|
||||
var os = require("os");
|
||||
|
||||
app.get('/', (req, res) => {
|
||||
res.send('Container id = ' + os.hostname())
|
||||
})
|
||||
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening at http://localhost:${port}`)
|
||||
})
|
||||
|
||||
@@ -9,13 +9,16 @@ services:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./web-files:/www
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- REMOTE_PHP=myphp
|
||||
- REMOTE_PHP_PATH=/app
|
||||
|
||||
|
||||
@@ -17,9 +17,13 @@ services:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web1:/www
|
||||
- ./web1:/www:ro
|
||||
environment:
|
||||
- SERVER_NAME=app1.website.com
|
||||
- PROXY_REAL_IP=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- REMOTE_PHP=myphp1
|
||||
- REMOTE_PHP_PATH=/app
|
||||
labels:
|
||||
@@ -31,9 +35,13 @@ services:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web2:/www
|
||||
- ./web2:/www:ro
|
||||
environment:
|
||||
- SERVER_NAME=app2.website.com
|
||||
- PROXY_REAL_IP=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- REMOTE_PHP=myphp2
|
||||
- REMOTE_PHP_PATH=/app
|
||||
labels:
|
||||
|
||||
@@ -10,14 +10,19 @@ services:
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./http-confs:/http-confs
|
||||
- ./server-confs:/server-confs
|
||||
- ./http-confs:/http-confs:ro
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://app
|
||||
|
||||
app1:
|
||||
build: js-app
|
||||
|
||||
@@ -10,13 +10,19 @@ services:
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./server-confs:/server-confs # custom confs to reverse proxy to moodle
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- MAX_CLIENT_SIZE=50m
|
||||
- SERVE_FILES=no
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=https://mymoodle:8443
|
||||
|
||||
mymoodle:
|
||||
image: bitnami/moodle
|
||||
@@ -27,7 +33,7 @@ services:
|
||||
environment:
|
||||
- MOODLE_USERNAME=admin # replace with your moodle admin username
|
||||
- MOODLE_PASSWORD=password # replace with your moodle admin password
|
||||
- MOODLE_EMAIL=moodle@website.com # replace with your moodle admin email
|
||||
- MOODLE_EMAIL=moodle@website.com # replace with your moodle admin email
|
||||
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
|
||||
- MOODLE_DATABASE_HOST=mydb
|
||||
- MOODLE_DATABASE_NAME=moodle
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
location / {
|
||||
if ($host = www.website.com) {
|
||||
proxy_pass http://mymoodle:8443$request_uri;
|
||||
}
|
||||
}
|
||||
69
examples/multisite-basic/docker-compose.yml
Normal file
69
examples/multisite-basic/docker-compose.yml
Normal file
@@ -0,0 +1,69 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME=app1.website.com app2.website.com app3.website.com # replace with your domains
|
||||
- MULTISITE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- app1.website.com_REMOTE_PHP=myapp1
|
||||
- app1.website.com_REMOTE_PHP_PATH=/app
|
||||
- app2.website.com_REMOTE_PHP=myapp2
|
||||
- app2.website.com_REMOTE_PHP_PATH=/app
|
||||
- app3.website.com_SERVE_FILES=no
|
||||
- app3.website.com_USE_CLIENT_CACHE=no
|
||||
- app3.website.com_USE_PROXY_CACHE=yes
|
||||
- app3.website.com_USE_REVERSE_PROXY=yes
|
||||
- app3.website.com_REVERSE_PROXY_URL=/
|
||||
- app3.website.com_REVERSE_PROXY_HOST=http://myapp3:3000
|
||||
networks:
|
||||
- net1
|
||||
- net2
|
||||
- net3
|
||||
|
||||
myapp1:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app1.website.com:/app
|
||||
networks:
|
||||
- net1
|
||||
|
||||
myapp2:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app2.website.com:/app
|
||||
networks:
|
||||
- net2
|
||||
|
||||
myapp3:
|
||||
image: node
|
||||
restart: always
|
||||
working_dir: /home/node/app
|
||||
volumes:
|
||||
- ./js-app:/home/node/app
|
||||
environment:
|
||||
- NODE_ENV=production
|
||||
command: bash -c "npm install express && node index.js"
|
||||
networks:
|
||||
- net3
|
||||
|
||||
networks:
|
||||
net1:
|
||||
net2:
|
||||
net3:
|
||||
12
examples/multisite-basic/js-app/index.js
Normal file
12
examples/multisite-basic/js-app/index.js
Normal file
@@ -0,0 +1,12 @@
|
||||
const express = require('express')
|
||||
const app = express()
|
||||
const port = 3000
|
||||
|
||||
app.get('/', (req, res) => {
|
||||
res.send('hello from app3 !')
|
||||
})
|
||||
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening at http://localhost:${port}`)
|
||||
})
|
||||
|
||||
14
examples/multisite-basic/js-app/package.json
Normal file
14
examples/multisite-basic/js-app/package.json
Normal file
@@ -0,0 +1,14 @@
|
||||
{
|
||||
"name": "js-app",
|
||||
"version": "1.0.0",
|
||||
"description": "demo",
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
"test": "echo \"Error: no test specified\" && exit 1"
|
||||
},
|
||||
"author": "",
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"express": "^4.17.1"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
<?php
|
||||
|
||||
echo "hello from app1 !";
|
||||
|
||||
?>
|
||||
@@ -0,0 +1,5 @@
|
||||
<?php
|
||||
|
||||
echo "hello from app2 !";
|
||||
|
||||
?>
|
||||
95
examples/multisite-custom-server-confs/docker-compose.yml
Normal file
95
examples/multisite-custom-server-confs/docker-compose.yml
Normal file
@@ -0,0 +1,95 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./server-confs:/server-confs:ro
|
||||
- ./modsec-confs:/modsec-confs:ro
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro
|
||||
environment:
|
||||
- SERVER_NAME=wp.website.com nc.website.com # replace with your domains
|
||||
- MULTISITE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- wp.website.com_REMOTE_PHP=mywp
|
||||
- wp.website.com_REMOTE_PHP_PATH=/var/www/html
|
||||
- nc.website.com_REMOTE_PHP=mync
|
||||
- nc.website.com_REMOTE_PHP_PATH=/var/www/html
|
||||
- nc.website.com_LIMIT_REQ_RATE=40r/s
|
||||
- nc.website.com_LIMIT_REQ_BURST=60
|
||||
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
|
||||
- nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
|
||||
- nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
|
||||
networks:
|
||||
- net1
|
||||
- net2
|
||||
|
||||
mywp:
|
||||
image: wordpress:fpm-alpine
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/wp.website.com:/var/www/html
|
||||
environment:
|
||||
- WORDPRESS_DB_HOST=mywpdb
|
||||
- WORDPRESS_DB_NAME=wp
|
||||
- WORDPRESS_DB_USER=user
|
||||
- WORDPRESS_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
- WORDPRESS_TABLE_PREFIX=prefix_ # best practice : replace with a random prefix
|
||||
networks:
|
||||
- net1
|
||||
|
||||
mywpdb:
|
||||
image: mariadb
|
||||
restart: always
|
||||
volumes:
|
||||
- ./wp-db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=wp
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
|
||||
networks:
|
||||
- net1
|
||||
|
||||
mync:
|
||||
image: nextcloud:stable-fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/nc.website.com:/var/www/html
|
||||
environment:
|
||||
- MYSQL_HOST=myncdb
|
||||
- MYSQL_DATABASE=nc
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
networks:
|
||||
- net2
|
||||
|
||||
myncdb:
|
||||
image: mariadb
|
||||
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
|
||||
restart: always
|
||||
volumes:
|
||||
- ./nc-db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=nc
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
networks:
|
||||
- net2
|
||||
|
||||
networks:
|
||||
net1:
|
||||
net2:
|
||||
@@ -0,0 +1 @@
|
||||
SecRuleRemoveById 921110
|
||||
@@ -0,0 +1 @@
|
||||
SecRuleRemoveById 953120
|
||||
@@ -0,0 +1,15 @@
|
||||
SecAction \
|
||||
"id:900130,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_nextcloud=1"
|
||||
|
||||
SecAction \
|
||||
"id:900200,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
|
||||
@@ -0,0 +1,7 @@
|
||||
SecAction \
|
||||
"id:900130,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_wordpress=1"
|
||||
@@ -0,0 +1,32 @@
|
||||
location ~ \.php(?:$|/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
include /etc/nginx/nc.website.com/fastcgi.conf;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param HTTPS on;
|
||||
|
||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
fastcgi_pass mync:9000;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||
}
|
||||
|
||||
location ~ \.woff2?$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri /index.php$request_uri;
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
location / {
|
||||
index index.php index.html index.htm;
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
@@ -9,25 +9,30 @@ services:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./nc-files:/www
|
||||
- ./nc-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./server-confs:/server-confs # custom nginx confs at server context to make Nextcloud working
|
||||
- ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
|
||||
- ./modsec-confs:/modsec-confs # disable some false positive
|
||||
- ./server-confs:/server-confs:ro # custom nginx confs at server context to make Nextcloud working
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
|
||||
- ./modsec-confs:/modsec-confs:ro # disable some false positive
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- MAX_CLIENT_SIZE=10G
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- REMOTE_PHP=mync
|
||||
- REMOTE_PHP_PATH=/var/www/html
|
||||
- LIMIT_REQ_RATE=40r/s
|
||||
- LIMIT_REQ_BURST=60
|
||||
- ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
|
||||
- X_FRAME_OPTIONS=SAMEORIGIN
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- FAIL2BAN_STATUS_CODE=400|401|403|405|444
|
||||
|
||||
mync:
|
||||
image: nextcloud:stable-fpm
|
||||
image: nextcloud:20-fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./nc-files:/var/www/html
|
||||
|
||||
@@ -1,42 +1,32 @@
|
||||
location ~ \.php(?:$|/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
include fastcgi.conf;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param HTTPS on;
|
||||
|
||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
fastcgi_pass mync:9000;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||
}
|
||||
|
||||
location ~ \.woff2?$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^ /index.php;
|
||||
try_files $uri /index.php$request_uri;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
|
||||
include fastcgi_params;
|
||||
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
try_files $fastcgi_script_name =404;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param HTTPS on;
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass mync:9000;
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
include fastcgi.conf;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
add_header Cache-Control "public, max-age=15778463";
|
||||
}
|
||||
|
||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
}
|
||||
|
||||
|
||||
48
examples/passbolt/docker-compose.yml
Normal file
48
examples/passbolt/docker-compose.yml
Normal file
@@ -0,0 +1,48 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro # disable some false positive
|
||||
- ./modsec-confs:/modsec-confs:ro # disable some false positive
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
|
||||
- SERVE_FILES=no
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=https://mypassbolt
|
||||
|
||||
mypassbolt:
|
||||
image: passbolt/passbolt
|
||||
restart: always
|
||||
environment:
|
||||
- DATASOURCES_DEFAULT_HOST=mydb
|
||||
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
- DATASOURCES_DEFAULT_USERNAME=user
|
||||
- DATASOURCES_DEFAULT_DATABASE=passbolt
|
||||
- APP_FULL_BASE_URL=https://www.website.com # replace with your URL
|
||||
|
||||
mydb:
|
||||
image: mariadb
|
||||
restart: always
|
||||
volumes:
|
||||
- ./db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=passbolt
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
|
||||
2
examples/passbolt/modsec-confs/passbolt.conf
Normal file
2
examples/passbolt/modsec-confs/passbolt.conf
Normal file
@@ -0,0 +1,2 @@
|
||||
SecRuleRemoveById 942100
|
||||
SecRuleRemoveById 930120
|
||||
7
examples/passbolt/modsec-crs-confs/passbolt.conf
Normal file
7
examples/passbolt/modsec-crs-confs/passbolt.conf
Normal file
@@ -0,0 +1,7 @@
|
||||
SecAction \
|
||||
"id:900200,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST PUT DELETE'"
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user