v1.2.5 - performance improvement

Update issue templates

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,17 @@
+---
+name: Bug report
+about: Something is not working as expected
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Description**
+Concise description of what you're trying to do, the expected behavior and the current bug.
+
+**How to reproduce**
+Give steps on how to reproduce the bug (e.g. : commands, configs, tests, environment, version, ...).
+
+**Logs**
+The logs generated by bunkerized-nginx. **DON'T FORGET TO REMOVE PRIVATE DATA LIKE IP ADDRESSES !**

.github/workflows/autotest-bunkerized-nginx-autoconf.yml

@@ -0,0 +1,26 @@
+name: Automatic test on autoconf
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest-autoconf -f autoconf/Dockerfile .
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest-autoconf'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+

.github/workflows/autotest-bunkerized-nginx-ui.yml

@@ -0,0 +1,26 @@
+name: Automatic test on ui
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest-ui -f ui/Dockerfile .
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest-ui'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+

.github/workflows/autotest-bunkerized-nginx.yml

@@ -0,0 +1,28 @@
+name: Automatic test
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest .
+      - name: Run autotest
+        run: docker run autotest test
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+          skip-dirs: '/usr/lib/go'
+

.gitignore

@@ -0,0 +1,2 @@
+.idea/
+docs/_build/

Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:stable-alpine
+FROM nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,24 +6,28 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
+COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY fail2ban/ /opt/fail2ban
-COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && \
-    mkdir /opt/entrypoint.d && \
+    /tmp/prepare.sh && \
-    rm -f /var/log/nginx/* && \
+    rm -f /tmp/prepare.sh
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-amd64

@@ -1,4 +1,4 @@
-FROM amd64/nginx:stable-alpine
+FROM amd64/nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,24 +6,28 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
+COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY fail2ban/ /opt/fail2ban
-COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && \
-    mkdir /opt/entrypoint.d && \
+    /tmp/prepare.sh && \
-    rm -f /var/log/nginx/* && \
+    rm -f /tmp/prepare.sh
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm32v7

@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 
-FROM arm32v7/nginx:stable-alpine
+FROM arm32v7/nginx:1.20.0-alpine
 
 COPY --from=builder qemu-arm-static /usr/bin
 
@@ -13,24 +13,28 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
+COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY fail2ban/ /opt/fail2ban
-COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && \
-    mkdir /opt/entrypoint.d && \
+    /tmp/prepare.sh && \
-    rm -f /var/log/nginx/* && \
+    rm -f /tmp/prepare.sh
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm64v8

@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 
-FROM arm64v8/nginx:stable-alpine
+FROM arm64v8/nginx:1.20.0-alpine
 
 COPY --from=builder qemu-aarch64-static /usr/bin
 
@@ -13,24 +13,28 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
+COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY fail2ban/ /opt/fail2ban
-COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && \
-    mkdir /opt/entrypoint.d && \
+    /tmp/prepare.sh && \
-    rm -f /var/log/nginx/* && \
+    rm -f /tmp/prepare.sh
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-i386

@@ -1,4 +1,4 @@
-FROM i386/nginx:stable-alpine
+FROM i386/nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,24 +6,28 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY entrypoint.sh /opt/entrypoint.sh
+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
+COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY fail2ban/ /opt/fail2ban
-COPY logs/ /opt/logs
 COPY lua/ /opt/lua
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && \
-    mkdir /opt/entrypoint.d && \
+    /tmp/prepare.sh && \
-    rm -f /var/log/nginx/* && \
+    rm -f /tmp/prepare.sh
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

VERSION

@@ -1 +1 @@
-1.1.1
+1.2.5

autoconf/AutoConf.py

@@ -0,0 +1,131 @@
+from Config import Config
+import utils
+import os
+
+class AutoConf :
+
+	def __init__(self, swarm, api) :
+		self.__swarm = swarm
+		self.__servers = {}
+		self.__instances = {}
+		self.__sites = {}
+		self.__config = Config(self.__swarm, api)
+
+	def get_server(self, id) :
+		if id in self.__servers :
+			return self.__servers[id]
+		return False
+
+	def reload(self) :
+		return self.__config.reload(self.__instances)
+
+	def pre_process(self, objs) :
+		for instance in objs :
+			(id, name, labels) = self.__get_infos(instance)
+			if "bunkerized-nginx.AUTOCONF" in labels :
+				if self.__swarm :
+					self.__process_instance(instance, "create", id, name, labels)
+				else :
+					if instance.status in ("restarting", "running", "created", "exited") :
+						self.__process_instance(instance, "create", id, name, labels)
+					if instance.status == "running" :
+						self.__process_instance(instance, "start", id, name, labels)
+
+		for server in objs :
+			(id, name, labels) = self.__get_infos(server)
+			if "bunkerized-nginx.SERVER_NAME" in labels :
+				if self.__swarm :
+					self.__process_server(server, "create", id, name, labels)
+				else :
+					if server.status in ("restarting", "running", "created", "exited") :
+						self.__process_server(server, "create", id, name, labels)
+					if server.status == "running" :
+						self.__process_server(server, "start", id, name, labels)
+
+	def process(self, obj, event) :
+		(id, name, labels) = self.__get_infos(obj)
+		if "bunkerized-nginx.AUTOCONF" in labels :
+			self.__process_instance(obj, event, id, name, labels)
+		elif "bunkerized-nginx.SERVER_NAME" in labels :
+			self.__process_server(obj, event, id, name, labels)
+
+	def __get_infos(self, obj) :
+		if self.__swarm :
+			id = obj.id
+			name = obj.name
+			labels = obj.attrs["Spec"]["Labels"]
+		else :
+			id = obj.id
+			name = obj.name
+			labels = obj.labels
+		return (id, name, labels)
+
+	def __process_instance(self, instance, event, id, name, labels) :
+		if event == "create" :
+			self.__instances[id] = instance
+			if self.__swarm and len(self.__instances) == 1 :
+				if self.__config.initconf(self.__instances) :
+					utils.log("[*] Initial config succeeded")
+				else :
+					utils.log("[!] Initial config failed")
+			utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
+		elif event == "start" :
+			self.__instances[id].reload()
+			utils.log("[*] bunkerized-nginx instance started : " + name + " / " + id)
+		elif event == "die" :
+			self.__instances[id].reload()
+			utils.log("[*] bunkerized-nginx instance stopped : " + name + " / " + id)
+		elif event == "destroy" or event == "remove" :
+			del self.__instances[id]
+			if self.__swarm and len(self.__instances) == 0 :
+				with open("/etc/crontabs/nginx", "w") as f :
+					f.write("")
+				if os.path.exists("/etc/nginx/autoconf") :
+					os.remove("/etc/nginx/autoconf")
+			utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
+
+	def __process_server(self, instance, event, id, name, labels) :
+		vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
+		if event == "create" :
+			utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
+			if self.__config.generate(self.__instances, vars) :
+				utils.log("[*] Generated config for " + vars["SERVER_NAME"])
+				self.__servers[id] = instance
+				if self.__swarm :
+					utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
+					if self.__config.activate(self.__instances, vars) :
+						utils.log("[*] Activated config for " + vars["SERVER_NAME"])
+					else :
+						utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
+			else :
+				utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
+		elif event == "start" :
+			if id in self.__servers :
+				self.__servers[id].reload()
+				utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
+				if self.__config.activate(self.__instances, vars) :
+					utils.log("[*] Activated config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
+		elif event == "die" :
+			if id in self.__servers :
+				self.__servers[id].reload()
+				utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
+				if self.__config.deactivate(self.__instances, vars) :
+					utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
+		elif event == "destroy" or event == "remove" :
+			if id in self.__servers :
+				if self.__swarm :
+					utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
+					if self.__config.deactivate(self.__instances, vars) :
+						utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
+					else :
+						utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
+				del self.__servers[id]
+				utils.log("[*] Removing config for " + vars["SERVER_NAME"])
+				if self.__config.remove(vars) :
+					utils.log("[*] Removed config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])

autoconf/Config.py

@@ -0,0 +1,209 @@
+#!/usr/bin/python3
+
+import utils
+import subprocess, shutil, os, traceback, requests, time
+
+class Config :
+
+	def __init__(self, swarm, api) :
+		self.__swarm = swarm
+		self.__api = api
+
+
+	def initconf(self, instances) :
+		try :
+			for instance_id, instance in instances.items() :
+				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				break
+			vars = {}
+			for var_value in env :
+				var = var_value.split("=")[0]
+				value = var_value.replace(var + "=", "", 1)
+				vars[var] = value
+
+			utils.log("[*] Generating global config ...")
+			if not self.globalconf(instances) :
+				utils.log("[!] Can't generate global config")
+				return False
+			utils.log("[*] Generated global config")
+
+			if "SERVER_NAME" in vars and vars["SERVER_NAME"] != "" :
+				for server in vars["SERVER_NAME"].split(" ") :
+					vars_site = vars.copy()
+					vars_site["SERVER_NAME"] = server
+					utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
+					if not self.generate(instances, vars_site) or not self.activate(instances, vars_site, reload=False) :
+						utils.log("[!] Can't generate/activate site config for " + server)
+						return False
+					utils.log("[*] Generated config for " + vars["SERVER_NAME"])
+			with open("/etc/nginx/autoconf", "w") as f :
+				f.write("ok")
+
+			utils.log("[*] Waiting for bunkerized-nginx tasks ...")
+			i = 1
+			started = False
+			while i <= 10 :
+				time.sleep(i)
+				if self.__ping(instances) :
+					started = True
+					break
+				i = i + 1
+				utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
+			if started :
+				utils.log("[*] bunkerized-nginx tasks started")
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
+				return proc.returncode == 0
+			else :
+				utils.log("[!] bunkerized-nginx tasks are not started")
+		except Exception as e :
+			utils.log("[!] Error while initializing config : " + str(e))
+		return False
+
+	def globalconf(self, instances) :
+		try :
+			for instance_id, instance in instances.items() :
+				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				break
+			vars = {}
+			for var_value in env :
+				var = var_value.split("=")[0]
+				value = var_value.replace(var + "=", "", 1)
+				vars[var] = value
+			proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/global-config.sh", "nginx"], env=vars, capture_output=True)
+			if proc.returncode == 0 :
+				return True
+			else :
+				utils.log("[*] Error while generating global config : return code = " + str(proc.returncode))
+		except Exception as e :
+			utils.log("[!] Exception while generating global config : " + str(e))
+		return False
+
+	def generate(self, instances, vars) :
+		try :
+			# Get env vars from bunkerized-nginx instances
+			vars_instances = {}
+			for instance_id, instance in instances.items() :
+				if self.__swarm :
+					env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				else :
+					env = instance.attrs["Config"]["Env"]
+				for var_value in env :
+					var = var_value.split("=")[0]
+					value = var_value.replace(var + "=", "", 1)
+					vars_instances[var] = value
+			vars_defaults = vars.copy()
+			vars_defaults.update(vars_instances)
+			vars_defaults.update(vars)
+			# Call site-config.sh to generate the config
+			proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " \"" + vars["SERVER_NAME"] + "\"", "nginx"], env=vars_defaults, capture_output=True)
+			if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" and self.__swarm :
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
+			if proc.returncode == 0 :
+				return True
+			utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + "  : return code = " + str(proc.returncode))
+		except Exception as e :
+			utils.log("[!] Exception while generating site config : " + str(e))
+		return False
+
+	def activate(self, instances, vars, reload=True) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Include the server conf
+			utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + first_server_name + "/server.conf;\n}")
+
+			# Reload
+			if not reload or self.reload(instances) :
+				return True
+
+		except Exception as e :
+			utils.log("[!] Exception while activating config : " + str(e))
+
+		return False
+
+	def deactivate(self, instances, vars) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Remove the include
+			utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + first_server_name + "/server.conf;\n", "")
+
+			# Reload
+			if self.reload(instances) :
+				return True
+
+		except Exception as e :
+			utils.log("[!] Exception while deactivating config : " + str(e))
+
+		return False
+
+	def remove(self, vars) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Remove the folder
+			shutil.rmtree("/etc/nginx/" + first_server_name)
+			return True
+		except Exception as e :
+			utils.log("[!] Error while deactivating config : " + str(e))
+
+		return False
+
+	def reload(self, instances) :
+		return self.__api_call(instances, "/reload")
+
+	def __ping(self, instances) :
+		return self.__api_call(instances, "/ping")
+
+	def __api_call(self, instances, path) :
+		ret = True
+		for instance_id, instance in instances.items() :
+			# Reload the instance object just in case
+			instance.reload()
+			# Reload via API
+			if self.__swarm :
+				# Send POST request on http://serviceName.NodeID.TaskID:8000/action
+				name = instance.name
+				for task in instance.tasks() :
+					if task["Status"]["State"] != "running" :
+						continue
+					nodeID = task["NodeID"]
+					taskID = task["ID"]
+					fqdn = name + "." + nodeID + "." + taskID
+					req = False
+					try :
+						req = requests.post("http://" + fqdn + ":8080" + self.__api + path)
+					except :
+						pass
+					if req and req.status_code == 200 :
+						utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
+					else :
+						utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
+						ret = False
+			# Send SIGHUP to running instance
+			elif instance.status == "running" :
+				try :
+					instance.kill("SIGHUP")
+					utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
+				except docker.errors.APIError as e :
+					utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
+					ret = False
+		return ret

autoconf/Dockerfile

@@ -0,0 +1,45 @@
+FROM nginx:stable-alpine AS builder
+
+FROM alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/site/ /opt/confs/site
+COPY confs/global/ /opt/confs/global
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-amd64

@@ -0,0 +1,44 @@
+FROM nginx:stable-alpine AS builder
+
+FROM amd64/alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-arm32v7

@@ -0,0 +1,50 @@
+FROM alpine AS builder
+
+ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
+RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
+
+FROM nginx:stable-alpine AS builder2
+
+FROM arm32v7/alpine
+
+COPY --from=builder qemu-arm-static /usr/bin
+COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-arm64v8

@@ -0,0 +1,50 @@
+FROM alpine AS builder
+
+ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
+RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
+
+FROM nginx:stable-alpine AS builder2
+
+FROM arm64v8/alpine
+
+COPY --from=builder qemu-aarch64-static /usr/bin
+COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-i386

@@ -0,0 +1,44 @@
+FROM nginx:stable-alpine AS builder
+
+FROM i386/alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/ReloadServer.py

@@ -0,0 +1,28 @@
+import socketserver, threading, utils, os, stat
+
+class ReloadServerHandler(socketserver.StreamRequestHandler):
+
+	def handle(self) :
+		try :
+			data = self.request.recv(512)
+			if not data :
+				return
+			with self.server.lock :
+				ret = self.server.autoconf.reload()
+			if ret :
+				self.request.sendall("ok".encode("utf-8"))
+			else :
+				self.request.sendall("ko".encode("utf-8"))
+		except Exception as e :
+			utils.log("Exception " + str(e))
+
+def run_reload_server(autoconf, lock) :
+	server = socketserver.UnixStreamServer("/tmp/autoconf.sock", ReloadServerHandler)
+	os.chown("/tmp/autoconf.sock", 0, 101)
+	os.chmod("/tmp/autoconf.sock", 0o770)
+	server.autoconf = autoconf
+	server.lock = lock
+	thread = threading.Thread(target=server.serve_forever)
+	thread.daemon = True
+	thread.start()
+	return (server, thread)

autoconf/app.py

@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+
+from AutoConf import AutoConf
+from ReloadServer import run_reload_server
+import utils
+import docker, os, stat, sys, select, threading
+
+# Connect to the endpoint
+endpoint = "/var/run/docker.sock"
+if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
+	utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
+	sys.exit(1)
+try :
+	client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
+except Exception as e :
+	utils.log("[!] Can't instantiate DockerClient : " + str(e))
+	sys.exit(2)
+
+# Check if we are in Swarm mode
+swarm = os.getenv("SWARM_MODE") == "yes"
+
+# Our object to process events
+api = ""
+if swarm :
+	api = os.getenv("API_URI")
+autoconf = AutoConf(swarm, api)
+lock = threading.Lock()
+if swarm :
+	(server, thread) = run_reload_server(autoconf, lock)
+
+# Get all bunkerized-nginx instances and web services created before
+try :
+	if swarm :
+		before = client.services.list(filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.services.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
+	else :
+		before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
+except docker.errors.APIError as e :
+	utils.log("[!] Docker API error " + str(e))
+	sys.exit(3)
+
+# Process them before events
+with lock :
+	autoconf.pre_process(before)
+
+# Process events received from Docker
+try :
+	utils.log("[*] Listening for Docker events ...")
+	for event in client.events(decode=True) :
+
+		# Process only container/service events
+		if (swarm and event["Type"] != "service") or (not swarm and event["Type"] != "container") :
+			continue
+
+		# Get Container/Service object
+		try :
+			if swarm :
+				id = service_id=event["Actor"]["ID"]
+				server = client.services.get(service_id=id)
+			else :
+				id = event["id"]
+				server = client.containers.get(id)
+		except docker.errors.NotFound as e :
+			server = autoconf.get_server(id)
+			if not server :
+				continue
+
+		# Process the event
+		with lock :
+			autoconf.process(server, event["Action"])
+
+except docker.errors.APIError as e :
+	utils.log("[!] Docker API error " + str(e))
+	sys.exit(4)

autoconf/entrypoint.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+echo "[*] Starting autoconf ..."
+
+# check permissions
+su -s "/opt/entrypoint/permissions.sh" nginx
+if [ "$?" -ne 0 ] ; then
+	exit 1
+fi
+
+if [ "$SWARM_MODE" = "yes" ] ; then
+	cp -r /opt/confs/nginx/* /etc/nginx
+	chown -R root:nginx /etc/nginx
+	chmod -R 770 /etc/nginx
+fi
+
+# trap SIGTERM and SIGINT
+function trap_exit() {
+	echo "[*] Catched stop operation"
+	echo "[*] Stopping crond ..."
+	pkill -TERM crond
+	echo "[*] Stopping python3 ..."
+	pkill -TERM python3
+	pkill -TERM tail
+}
+trap "trap_exit" TERM INT QUIT
+
+# remove old crontabs
+echo "" > /etc/crontabs/root
+
+# setup logrotate
+touch /var/log/jobs.log
+echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
+
+# start cron
+crond
+
+# run autoconf app
+/opt/entrypoint/app.py &
+
+# display logs
+tail -F /var/log/jobs.log &
+pid="$!"
+wait "$pid"
+
+# stop
+echo "[*] autoconf stopped"
+exit 0

autoconf/hooks/post_push

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v1.0.3/manifest-tool-linux-amd64
+chmod +x manifest-tool
+
+VERSION=$(cat VERSION | tr -d '\n')
+if [ "$SOURCE_BRANCH" = "dev" ] ; then
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:dev-ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:dev
+elif [ "$SOURCE_BRANCH" = "master" ] ; then
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:${VERSION}
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:latest
+fi

autoconf/hooks/pre_build

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Register qemu-*-static for all supported processors except the
+# current one, but also remove all registered binfmt_misc before
+docker run --rm --privileged multiarch/qemu-user-static:register --reset

autoconf/misc/logrotate.conf

@@ -1,4 +1,4 @@
-/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log {
+/var/log/*.log /var/log/letsencrypt/*.log {
 	# compress old files using gzip
 	compress
 
@@ -6,8 +6,8 @@
 	daily
 
 	# remove old logs after X days
-	maxage %LOGROTATE_MAXAGE%
+	maxage 7
-	rotate %LOGROTATE_MAXAGE%
+	rotate 7
 
 	# no errors if a file is missing
 	missingok
@@ -16,7 +16,7 @@
 	nomail
 
 	# mininum size of a logfile before rotating
-	minsize %LOGROTATE_MINSIZE%
+	minsize 10M
 
 	# make a copy and truncate the files
 	copytruncate

autoconf/reload.py

@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import sys, socket, os
+
+if not os.path.exists("/tmp/autoconf.sock") :
+	sys.exit(1)
+
+try :
+	client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+	client.connect("/tmp/autoconf.sock")
+	client.send("reload".encode("utf-8"))
+	data = client.recv(512)
+	client.close()
+	if not data or data.decode("utf-8") != "ok" :
+		sys.exit(3)
+except Exception as e :
+	sys.exit(2)
+
+sys.exit(0)

autoconf/utils.py

@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+import datetime
+
+def log(event) :
+	print("[" + str(datetime.datetime.now().replace(microsecond=0)) + "] " + event, flush=True)
+
+def replace_in_file(file, old_str, new_str) :
+	with open(file) as f :
+		data = f.read()
+	data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
+	with open(file, "w") as f :
+		f.write(data)
+
+def install_cron(service, vars, crons) :
+	for var in vars :
+		if var in crons :
+			with open("/etc/crontabs/root", "a+") as f :
+				f.write(vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"])
+
+def uninstall_cron(service, vars, crons) :
+	for var in vars :
+		if var in crons :
+			replace_in_file("/etc/crontabs/root", vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"] + "\n", "")

compile.sh

@@ -30,7 +30,7 @@ function git_secure_clone() {
 NTASK=$(nproc)
 
 # install build dependencies
-apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg
+apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev
 
 # compile and install ModSecurity library
 cd /tmp
@@ -50,8 +50,9 @@ make install-strip
 cd /tmp
 git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
 cd coreruleset
-cp -r rules /etc/nginx/owasp-crs
+mkdir /opt/owasp
-cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
+cp -r rules /opt/owasp/crs
+cp crs-setup.conf.example /opt/owasp/crs.conf
 
 # get nginx modules
 cd /tmp
@@ -63,6 +64,8 @@ git_secure_clone https://github.com/openresty/headers-more-nginx-module.git d6d7
 git_secure_clone https://github.com/leev/ngx_http_geoip2_module.git 1cabd8a1f68ea3998f94e9f3504431970f848fbf
 # cookie
 git_secure_clone https://github.com/AirisX/nginx_cookie_flag_module.git c4ff449318474fbbb4ba5f40cb67ccd54dc595d4
+# brotli
+git_secure_clone https://github.com/google/ngx_brotli.git 9aec15e2aa6feea2113119ba06460af70ab3ea62
 
 # LUA requirements
 git_secure_clone https://github.com/openresty/luajit2.git fe32831adcb3f5fe9259a9ce404fc54e1399bba3
@@ -109,6 +112,34 @@ git_secure_clone https://github.com/ledgetech/lua-resty-http.git 984fdc260543763
 cd lua-resty-http
 make install
 cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+cd /tmp
+git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
+cd luasocket
+make -j $NTASK
+make CDIR_linux=lib/lua/5.1 LDIR_linux=lib/lua install
+cd /tmp
+git_secure_clone https://github.com/brunoos/luasec.git c6704919bdc85f3324340bdb35c2795a02f7d625
+cd luasec
+make linux -j $NTASK
+make LUACPATH=/usr/local/lib/lua/5.1 LUAPATH=/usr/local/lib/lua install
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
+cd lua-cs-bouncer
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+cd /tmp
+git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
+cd lua-resty-iputils
+make LUA_LIB_DIR=/usr/local/lib/lua install
+cd /tmp
 git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1
@@ -126,8 +157,8 @@ fi
 tar -xvzf nginx-${NGINX_VERSION}.tar.gz
 cd nginx-$NGINX_VERSION
 CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
-CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
+CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os}
-./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
+./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
 make -j $NTASK modules
 cp ./objs/*.so /usr/lib/nginx/modules
 

confs/auth-basic-sitewide.conf

@@ -1,2 +0,0 @@
-auth_basic "%AUTH_BASIC_TEXT%";
-auth_basic_user_file /etc/nginx/.htpasswd;

confs/block-user-agent.conf

@@ -1,3 +0,0 @@
-if ($bad_user_agent = yes) {
-	return 444;
-}

confs/geoip-server.conf

@@ -1,3 +0,0 @@
-if ($allowed_country = no) {
-	return 444;
-}

confs/global/api-temp.conf

@@ -0,0 +1,30 @@
+
+location ~ ^%API_URI%/ping {
+	return 444;
+}
+
+location ~ ^%API_URI% {
+
+rewrite_by_lua_block {
+	
+	local api = require "api"
+	local api_uri = "%API_URI%"
+
+	if api.is_api_call(api_uri) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}
+
+}

confs/global/api.conf

@@ -0,0 +1,21 @@
+rewrite_by_lua_block {
+	
+	local api = require "api"
+	local api_uri = "%API_URI%"
+
+	if api.is_api_call(api_uri) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}

confs/global/crowdsec.conf

@@ -0,0 +1,9 @@
+init_by_lua_block {
+	local cs = require "crowdsec.CrowdSec"
+	local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+		error()
+	end
+	ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")
+}

confs/global/geoip.conf

@@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb {
 }
 
 map $geoip2_data_country_code $allowed_country {
-	default yes;
+	default %DEFAULT%;
-	%BLOCK_COUNTRY%
+	%COUNTRY%
 }

confs/global/init-lua.conf

@@ -0,0 +1,31 @@
+init_by_lua_block {
+
+local dataloader		= require "dataloader"
+
+local use_proxies		= %USE_PROXIES%
+local use_abusers		= %USE_ABUSERS%
+local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
+local use_user_agents		= %USE_USER_AGENTS%
+local use_referrers		= %USE_REFERRERS%
+
+if use_proxies then
+	dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
+end
+
+if use_abusers then
+	dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
+end
+
+if use_tor_exit_nodes then
+	dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
+end
+
+if use_user_agents then
+	dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
+end
+
+if use_referrers then
+	dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
+end
+
+}

confs/global/multisite-default-server-https.conf

@@ -0,0 +1,11 @@
+listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+ssl_certificate /etc/nginx/default-cert.pem;
+ssl_certificate_key /etc/nginx/default-key.pem;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%SSL_DHPARAM%
+%SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs/global/multisite-default-server-lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs/global/multisite-default-server.conf

@@ -0,0 +1,6 @@
+server {
+	%LISTEN_HTTP%
+	server_name _;
+	%USE_HTTPS%
+	%MULTISITE_DISABLE_DEFAULT_SERVER%
+}

confs/global/multisite-disable-default-server.conf

@@ -0,0 +1,3 @@
+location / {
+	return 444;
+}

confs/global/nginx-temp.conf

@@ -0,0 +1,30 @@
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
+daemon on;
+
+pid /tmp/nginx-temp.pid;
+
+events {
+        worker_connections 1024;
+        use epoll;
+}
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	server {
+		listen 0.0.0.0:%HTTP_PORT% default_server;
+		server_name _;
+		location ~ ^/.well-known/acme-challenge/ {
+			root /acme-challenge;
+		}
+		%USE_API%
+		location / {
+			return 444;
+		}
+	}
+}

confs/global/nginx.conf

@@ -7,9 +7,11 @@ load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
 load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 
-# run as daemon
+# run in foreground
-daemon on;
+daemon off;
 
 # PID file
 pid /tmp/nginx.pid;
@@ -23,9 +25,12 @@ pcre_jit on;
 # config files for dynamic modules
 include /etc/nginx/modules/*.conf;
 
+# max open files for each worker
+worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
+
 events {
 	# max connections per worker
-	worker_connections 1024;
+	worker_connections %WORKER_CONNECTIONS%;
 
 	# epoll seems to be the best on Linux
 	use epoll;
@@ -45,15 +50,10 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 
-	# load gzip custom config
-	include /etc/nginx/gzip.conf;
-
-	# maximum request body size
-	client_max_body_size %MAX_CLIENT_SIZE%;
-
 	# write logs to local syslog
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
+	log_format logf '%LOG_FORMAT%';
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+	access_log /var/log/access.log logf;
+	error_log /var/log/error.log info;
 
 	# temp paths
 	proxy_temp_path /tmp/proxy_temp;
@@ -62,26 +62,20 @@ http {
 	uwsgi_temp_path /tmp/uwsgi_temp;
 	scgi_temp_path /tmp/scgi_temp;
 
-	# load caching custom config
-	include /etc/nginx/cache.conf;
-
 	# close connections in FIN_WAIT1 state
 	reset_timedout_connection on;
 
 	# timeouts
-	client_body_timeout 12;
+	client_body_timeout 10;
-	client_header_timeout 12;
+	client_header_timeout 10;
 	keepalive_timeout 15;
 	send_timeout 10;
 
-	# enable/disable sending nginx version
-	server_tokens %SERVER_TOKENS%;
-
 	# resolvers to use
 	resolver %DNS_RESOLVERS% ipv6=off;
 
-	# get real IP address if behind a reverse proxy
+	# remove ports when sending redirects
-        %PROXY_REAL_IP%
+	port_in_redirect off;
 
 	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
@@ -90,22 +84,40 @@ http {
 	%BLACKLIST_IP_CACHE%
 	%BLACKLIST_REVERSE_CACHE%
 	%DNSBL_CACHE%
+	%BLOCK_PROXIES%
+	%BLOCK_ABUSERS%
+	%BLOCK_TOR_EXIT_NODES%
+	%BLOCK_USER_AGENTS%
+	%BLOCK_REFERRERS%
+	%BAD_BEHAVIOR%
+
+	# crowdsec init
+	%USE_CROWDSEC%
 	
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 
-	# server config
+	# shared memory zone for limit_conn
-	include /etc/nginx/server.conf;
+	%LIMIT_CONN_ZONE%
 
-	# list of blocked country
+	# whitelist or blacklist country
-	%BLOCK_COUNTRY%
+	%USE_COUNTRY%
 
-	# list of blocker user agents
+	# zone for proxy_cache
-	%BLOCK_USER_AGENT%
+	%PROXY_CACHE_PATH%
-
-	# enable/disable ModSecurity
-	%USE_MODSECURITY%
 
 	# custom http confs
 	include /http-confs/*.conf;
+
+	# LUA init block
+	include /etc/nginx/init-lua.conf;
+
+	# default server when MULTISITE=yes
+	%MULTISITE_DEFAULT_SERVER%
+
+	# server config(s)
+	%INCLUDE_SERVER%
+
+	# API
+	%USE_API%
 }

confs/gzip.conf

@@ -1,9 +0,0 @@
-# /etc/nginx/gzip.conf
-
-# enable/disable gzip compression
-gzip %USE_GZIP%;
-gzip_comp_level %GZIP_COMP_LEVEL%;
-gzip_disable msie6;
-gzip_min_length %GZIP_MIN_LENGTH%;
-gzip_proxied any;
-gzip_types %GZIP_TYPES%;

confs/main-lua.conf

@@ -1,137 +0,0 @@
-set $session_secret %ANTIBOT_SESSION_SECRET%;
-set $session_check_addr on;
-
-access_by_lua_block {
-
-local use_whitelist_ip		= %USE_WHITELIST_IP%
-local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
-local use_blacklist_ip		= %USE_BLACKLIST_IP%
-local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
-local use_dnsbl			= %USE_DNSBL%
-local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
-local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
-local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
-local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
-
--- include LUA code
-local whitelist		= require "whitelist"
-local blacklist		= require "blacklist"
-local dnsbl		= require "dnsbl"
-local cookie		= require "cookie"
-local javascript	= require "javascript"
-local captcha		= require "captcha"
-local recaptcha		= require "recaptcha"
-
--- antibot
-local antibot_uri = "%ANTIBOT_URI%"
-
--- check if already in whitelist cache
-if use_whitelist_ip and whitelist.ip_cached_ok() then
-	ngx.exit(ngx.OK)
-end
-if use_whitelist_reverse and whitelist.reverse_cached_ok() then
-	ngx.exit(ngx.OK)
-end
-
--- check if already in blacklist cache
-if use_blacklist_ip and blacklist.ip_cached_ko() then
-	ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-if use_blacklist_reverse and blacklist.reverse_cached_ko() then
-	ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if already in dnsbl cache
-if use_dnsbl and dnsbl.cached_ko() then
-	ngx.exit(ngx.HTTP_FORBIDDEN)
-end
-
--- check if IP is whitelisted (only if not in cache)
-if use_whitelist_ip and not whitelist.ip_cached() then
-	if whitelist.check_ip() then
-		ngx.exit(ngx.OK)
-	end
-end
-
--- check if reverse is whitelisted (only if not in cache)
-if use_whitelist_reverse and not whitelist.reverse_cached() then
-	if whitelist.check_reverse() then
-		ngx.exit(ngx.OK)
-	end
-end
-
--- check if IP is blacklisted (only if not in cache)
-if use_blacklist_ip and not blacklist.ip_cached() then
-	if blacklist.check_ip() then
-		ngx.exit(ngx.HTTP_FORBIDDEN)
-	end
-end
-
--- check if reverse is blacklisted (only if not in cache)
-if use_blacklist_reverse and not blacklist.reverse_cached() then
-	if blacklist.check_reverse() then
-		ngx.exit(ngx.HTTP_FORBIDDEN)
-	end
-end
-
--- check if IP is in DNSBLs (only if not in cache)
-if use_dnsbl and not dnsbl.cached() then
-	if dnsbl.check() then
-		ngx.exit(ngx.HTTP_FORBIDDEN)
-	end
-end
-
--- cookie check
-if use_antibot_cookie then
-	if not cookie.is_set("uri") then
-		if ngx.var.request_uri ~= antibot_uri then
-			cookie.set({uri = ngx.var.request_uri})
-			return ngx.redirect(antibot_uri)
-		end
-		return ngx.exit(ngx.HTTP_FORBIDDEN)
-	else
-		if ngx.var.request_uri == antibot_uri then
-			return ngx.redirect(cookie.get("uri"))
-		end
-	end
-end
-
--- javascript check
-if use_antibot_javascript then
-	if not cookie.is_set("javascript") then
-		if ngx.var.request_uri ~= antibot_uri then
-			cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
-			return ngx.redirect(antibot_uri)
-		end
-	end
-end
-
--- captcha check
-if use_antibot_captcha then
-	if not cookie.is_set("captcha") then
-		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
-			cookie.set({uri = ngx.var.request_uri})
-			return ngx.redirect(antibot_uri)
-		end
-	end
-end
-
--- recaptcha check
-if use_antibot_recaptcha then
-	if not cookie.is_set("recaptcha") then
-		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
-			cookie.set({uri = ngx.var.request_uri})
-			return ngx.redirect(antibot_uri)
-		end
-	end
-end
-
-ngx.exit(ngx.OK)
-
-}
-
-%INCLUDE_ANTIBOT_JAVASCRIPT%
-
-%INCLUDE_ANTIBOT_CAPTCHA%
-
-%INCLUDE_ANTIBOT_RECAPTCHA%

confs/map-user-agent.conf

@@ -1,4 +0,0 @@
-map $http_user_agent $bad_user_agent {
-	default no;
-	%BLOCK_USER_AGENT%
-}

confs/modsecurity.conf

@@ -1,2 +0,0 @@
-modsecurity on;
-modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;

confs/site/antibot-captcha.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local img, res = captcha.get_challenge()
@@ -21,16 +22,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("captchares") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["captcha"] then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local captcha_user	= args["captcha"]
 			local check		= captcha.check(captcha_user, cookie.get("captchares"))
 			if not check then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
 				return ngx.redirect("%ANTIBOT_URI%")
 			end
 			cookie.set({captcha = "ok"})

confs/site/antibot-javascript.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie		= require "cookie"
 			local javascript	= require "javascript"
 			if not cookie.is_set("challenge") then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local challenge	= cookie.get("challenge")
@@ -20,16 +21,19 @@ location = %ANTIBOT_URI% {
 			local cookie		= require "cookie"
 			local javascript	= require "javascript"
 			if not cookie.is_set("challenge") then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["challenge"] then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
-			local challenge	= args["challenge"]
+			local challenge		= args["challenge"]
 			local check		= javascript.check(cookie.get("challenge"), challenge)
 			if not check then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (4) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			cookie.set({javascript = "ok"})

confs/site/antibot-recaptcha.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
@@ -19,17 +20,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["token"] then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local token	= args["token"]
 			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
 			if check < %ANTIBOT_RECAPTCHA_SCORE% then
-				ngx.log(ngx.WARN, "client has recaptcha score of " .. tostring(check))
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			cookie.set({recaptcha = "ok"})

confs/site/auth-basic-sitewide.conf

@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file %NGINX_PREFIX%.htpasswd;

confs/site/auth-basic.conf

@@ -1,4 +1,4 @@
 location %AUTH_BASIC_LOCATION% {
 	auth_basic "%AUTH_BASIC_TEXT%";
-	auth_basic_user_file /etc/nginx/.htpasswd; 
+	auth_basic_user_file %NGINX_PREFIX%.htpasswd; 
 }

confs/site/brotli.conf

@@ -0,0 +1,4 @@
+brotli on;
+brotli_types %BROTLI_TYPES%;
+brotli_comp_level %BROTLI_COMP_LEVEL%;
+brotli_min_length %BROTLI_MIN_LENGTH%;

confs/site/client-cache.conf

@@ -0,0 +1,6 @@
+etag %CLIENT_CACHE_ETAG%;
+set $cache "";
+if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
+	set $cache "%CLIENT_CACHE_CONTROL%";
+}
+add_header Cache-Control $cache;

confs/site/fastcgi.conf

@@ -0,0 +1,25 @@
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

confs/site/gzip.conf

@@ -0,0 +1,4 @@
+gzip on;
+gzip_comp_level %GZIP_COMP_LEVEL%;
+gzip_min_length %GZIP_MIN_LENGTH%;
+gzip_types %GZIP_TYPES%;

confs/site/https.conf

@@ -1,11 +1,12 @@
-listen 0.0.0.0:8443 ssl %HTTP2%;
+listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols %HTTPS_PROTOCOLS%;
-ssl_prefer_server_ciphers off;
+ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 %STRICT_TRANSPORT_SECURITY%
 %SSL_DHPARAM%
 %SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs/site/lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs/site/limit-conn.conf

@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;

confs/site/log-lua.conf

@@ -0,0 +1,11 @@
+log_by_lua_block {
+
+local use_bad_behavior	= %USE_BAD_BEHAVIOR%
+
+local behavior		= require "behavior"
+
+if use_bad_behavior then
+	behavior.count()	
+end
+
+}

confs/site/main-lua.conf

@@ -0,0 +1,271 @@
+set $session_secret %ANTIBOT_SESSION_SECRET%;
+set $session_check_addr on;
+
+access_by_lua_block {
+
+local use_lets_encrypt		= %USE_LETS_ENCRYPT%
+local use_whitelist_ip		= %USE_WHITELIST_IP%
+local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
+local use_user_agents		= %USE_USER_AGENTS%
+local use_proxies		= %USE_PROXIES%
+local use_abusers		= %USE_ABUSERS%
+local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
+local use_referrers		= %USE_REFERRERS%
+local use_country		= %USE_COUNTRY%
+local use_blacklist_ip		= %USE_BLACKLIST_IP%
+local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
+local use_dnsbl			= %USE_DNSBL%
+local use_crowdsec		= %USE_CROWDSEC%
+local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
+local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
+local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
+local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
+local use_bad_behavior		= %USE_BAD_BEHAVIOR%
+
+-- include LUA code
+local whitelist		= require "whitelist"
+local blacklist		= require "blacklist"
+local dnsbl		= require "dnsbl"
+local cookie		= require "cookie"
+local javascript	= require "javascript"
+local captcha		= require "captcha"
+local recaptcha		= require "recaptcha"
+local iputils		= require "resty.iputils"
+local behavior		= require "behavior"
+
+-- user variables
+local antibot_uri		= "%ANTIBOT_URI%"
+local whitelist_user_agent	= {%WHITELIST_USER_AGENT%}
+local whitelist_uri		= {%WHITELIST_URI%}
+
+-- check if already in whitelist cache
+if use_whitelist_ip and whitelist.ip_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+if use_whitelist_reverse and whitelist.reverse_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+
+-- check if already in blacklist cache
+if use_blacklist_ip and blacklist.ip_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+if use_blacklist_reverse and blacklist.reverse_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if already in dnsbl cache
+if use_dnsbl and dnsbl.cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is whitelisted (only if not in cache)
+if use_whitelist_ip and not whitelist.ip_cached() then
+	if whitelist.check_ip() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if reverse is whitelisted (only if not in cache)
+if use_whitelist_reverse and not whitelist.reverse_cached() then
+	if whitelist.check_reverse() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if URI is whitelisted
+for k, v in pairs(whitelist_uri) do
+	if ngx.var.request_uri == v then
+		ngx.log(ngx.NOTICE, "[WHITELIST] URI " .. v .. " is whitelisted")
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if it's certbot
+if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
+	ngx.exit(ngx.OK)
+end
+
+-- check if IP is blacklisted (only if not in cache)
+if use_blacklist_ip and not blacklist.ip_cached() then
+	if blacklist.check_ip() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if reverse is blacklisted (only if not in cache)
+if use_blacklist_reverse and not blacklist.reverse_cached() then
+	if blacklist.check_reverse() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is banned because of "bad behavior"
+if use_bad_behavior and behavior.is_banned() then
+	ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is in proxies list
+if use_proxies then
+	local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in proxies list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in abusers list
+if use_abusers then
+	local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in abusers list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in TOR exit nodes list
+if use_tor_exit_nodes then
+	local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if user-agent is allowed
+if use_user_agents and ngx.var.http_user_agent ~= nil then
+	local whitelisted = false
+	for k, v in pairs(whitelist_user_agent) do
+		if string.match(ngx.var.http_user_agent, v) then
+			ngx.log(ngx.NOTICE, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
+			whitelisted = true
+			break
+		end
+	end
+	if not whitelisted then
+		local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
+		if value == nil then
+			local patterns = ngx.shared.user_agents_data:get_keys(0)
+			for i, pattern in ipairs(patterns) do
+				if string.match(ngx.var.http_user_agent, pattern) then
+					value = "ko"
+					ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
+					break
+				end
+			end
+			if value == nil then
+				value = "ok"
+				ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
+			end
+		end
+		if value == "ko" then
+			ngx.log(ngx.NOTICE, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
+			ngx.exit(ngx.HTTP_FORBIDDEN)
+		end
+	end
+end
+
+-- check if referrer is allowed
+if use_referrer and ngx.var.http_referer ~= nil then
+	local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
+	if value == nil then
+		local patterns = ngx.shared.referrers_data:get_keys(0)
+		for i, pattern in ipairs(patterns) do
+			if string.match(ngx.var.http_referer, pattern) then
+				value = "ko"
+				ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
+				break
+			end
+		end
+		if value == nil then
+			value = "ok"
+			ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
+		end
+	end
+	if value == "ko" then
+		ngx.log(ngx.NOTICE, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if country is allowed
+if use_country and ngx.var.allowed_country == "no" then
+	ngx.log(ngx.NOTICE, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is in DNSBLs (only if not in cache)
+if use_dnsbl and not dnsbl.cached() then
+	if dnsbl.check() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+	end
+	if not ok then
+		ngx.log(ngx.NOTICE, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- cookie check
+if use_antibot_cookie then
+	if not cookie.is_set("uri") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+		ngx.log(ngx.NOTICE, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
+		return ngx.exit(ngx.HTTP_FORBIDDEN)
+	else
+		if ngx.var.request_uri == antibot_uri then
+			return ngx.redirect(cookie.get("uri"))
+		end
+	end
+end
+
+-- javascript check
+if use_antibot_javascript then
+	if not cookie.is_set("javascript") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- captcha check
+if use_antibot_captcha then
+	if not cookie.is_set("captcha") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- recaptcha check
+if use_antibot_recaptcha then
+	if not cookie.is_set("recaptcha") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+ngx.exit(ngx.OK)
+
+}
+
+%INCLUDE_ANTIBOT_JAVASCRIPT%
+
+%INCLUDE_ANTIBOT_CAPTCHA%
+
+%INCLUDE_ANTIBOT_RECAPTCHA%

confs/site/modsecurity-rules.conf

@@ -49,8 +49,7 @@ SecResponseBodyLimit 524288
 SecResponseBodyLimitAction ProcessPartial
 
 # log usefull stuff
-SecAuditEngine RelevantOnly
+SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log
 

confs/site/modsecurity.conf

@@ -0,0 +1,2 @@
+modsecurity on;
+modsecurity_rules_file %MODSEC_RULES_FILE%;

confs/site/open-file-cache.conf

@@ -0,0 +1,4 @@
+open_file_cache %OPEN_FILE_CACHE%;
+open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
+open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
+open_file_cache_valid %OPEN_FILE_CACHE_VALID%;

confs/site/permissions-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";

confs/site/php.conf

@@ -1,5 +1,4 @@
 location ~ \.php$ {
 	fastcgi_pass      %REMOTE_PHP%:9000;
 	fastcgi_index     index.php;
-	include           fastcgi.conf;
 }

confs/site/proxy-cache.conf

@@ -0,0 +1,7 @@
+proxy_cache proxycache;
+proxy_cache_methods %PROXY_CACHE_METHODS%;
+proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
+proxy_cache_key %PROXY_CACHE_KEY%;
+proxy_no_cache %PROXY_NO_CACHE%;
+proxy_cache_bypass %PROXY_CACHE_BYPASS%;
+%PROXY_CACHE_VALID%

confs/site/reverse-proxy-headers.conf

@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Host $http_host;

confs/site/reverse-proxy.conf

@@ -0,0 +1,7 @@
+location %REVERSE_PROXY_URL% {
+	etag off;
+	proxy_pass %REVERSE_PROXY_HOST%;
+	%REVERSE_PROXY_HEADERS%
+	%REVERSE_PROXY_WS%
+	%REVERSE_PROXY_CUSTOM_HEADERS%
+}

confs/site/server.conf

@@ -1,6 +1,11 @@
+%PRE_SERVER_CONF%
+
 server {
-	include /server-confs/*.conf;
+	%FASTCGI_PATH%
-	include /etc/nginx/main-lua.conf;
+	%SERVER_CONF%
+	%PROXY_REAL_IP%
+	%INCLUDE_LUA%
+	%USE_MODSECURITY%
 	%LISTEN_HTTP%
 	%USE_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
@@ -12,21 +17,25 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
+	%LIMIT_CONN%
 	%AUTH_BASIC%
-	%USE_PHP%
+	%REMOVE_HEADERS%
-	%HEADER_SERVER%
 	%X_FRAME_OPTIONS%
 	%X_XSS_PROTECTION%
 	%X_CONTENT_TYPE_OPTIONS%
 	%CONTENT_SECURITY_POLICY%
 	%REFERRER_POLICY%
 	%FEATURE_POLICY%
-	%BLOCK_COUNTRY%
+	%PERMISSIONS_POLICY%
-	%BLOCK_USER_AGENT%
-	%BLOCK_TOR_EXIT_NODE%
-	%BLOCK_PROXIES%
-	%BLOCK_ABUSERS%
 	%COOKIE_FLAGS%
 	%ERRORS%
-	%USE_FAIL2BAN%
+	%USE_CLIENT_CACHE%
+	%USE_GZIP%
+	%USE_BROTLI%
+	client_max_body_size %MAX_CLIENT_SIZE%;
+	server_tokens %SERVER_TOKENS%;
+	%USE_OPEN_FILE_CACHE%
+	%USE_PROXY_CACHE%
+	%USE_REVERSE_PROXY%
+	%USE_PHP%
 }

dependencies.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# install dependencies
+apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl clamav apache2-utils openssl lua libgd go jq mariadb-connector-c bash brotli

docs/Makefile

@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS    ?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR     = .
+BUILDDIR      = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

docs/conf.py

@@ -0,0 +1,55 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+
+# -- Project information -----------------------------------------------------
+
+project = 'bunkerized-nginx'
+copyright = '2021, bunkerity'
+author = 'bunkerity'
+
+# The full version, including alpha/beta/rc tags
+release = 'v1.2.5'
+
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = ['myst_parser']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+import sphinx_rtd_theme
+html_theme = "sphinx_rtd_theme"
+html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']

docs/environment_variables.md

@@ -0,0 +1,956 @@
+# List of environment variables
+
+## nginx
+
+### Misc
+
+`MULTISITE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+When set to *no*, only one server block will be generated. Otherwise one server per host defined in the `SERVER_NAME` environment variable will be generated.  
+Any environment variable tagged as *multisite* context can be used for a specific server block with the following format : *host_VARIABLE=value*. If the variable is used without the host prefix it will be applied to all the server blocks (but still can be overriden).
+
+`SERVER_NAME`  
+Values : *<first name> <second name> ...*  
+Default value : *www.bunkerity.com*  
+Context : *global*  
+Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.  
+Useful when used with `MULTISITE=yes` and/or `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
+
+`MAX_CLIENT_SIZE`  
+Values : *0* | *Xm*  
+Default value : *10m*  
+Context : *global*, *multisite*  
+Sets the maximum body size before nginx returns a 413 error code.  
+Setting to 0 means "infinite" body size.
+
+`ALLOWED_METHODS`  
+Values : *allowed HTTP methods separated with | char*  
+Default value : *GET|POST|HEAD*  
+Context : *global*, *multisite*  
+Only the HTTP methods listed here will be accepted by nginx. If not listed, nginx will close the connection.
+
+`DISABLE_DEFAULT_SERVER`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+If set to yes, nginx will only respond to HTTP request when the Host header match a FQDN specified in the `SERVER_NAME` environment variable.  
+For example, it will close the connection if a bot access the site with direct ip.
+
+`SERVE_FILES`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, nginx will serve files from /www directory within the container.  
+A use case to not serving files is when you setup bunkerized-nginx as a reverse proxy.
+
+`DNS_RESOLVERS`  
+Values : *\<two IP addresses separated with a space\>*  
+Default value : *127.0.0.11*  
+Context : *global*  
+The IP addresses of the DNS resolvers to use when performing DNS lookups.
+
+`ROOT_FOLDER`  
+Values : *\<any valid path to web files\>*  
+Default value : */www*  
+Context : *global*  
+The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
+
+`ROOT_SITE_SUBFOLDER`  
+Values : *\<any valid directory name\>*  
+Default value :  
+Context : *global*, *multisite*  
+The subfolder where nginx will search for site web files.
+
+`LOG_FORMAT`  
+Values : *\<any values accepted by the log_format directive\>*  
+Default value : *$host $remote_addr - $remote_user \[$time_local\] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"*  
+Context : *global*  
+The log format used by nginx to generate logs. More info [here](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format).
+
+`HTTP_PORT`  
+Values : *\<any valid port greater than 1024\>*  
+Default value : *8080*  
+Context : *global*  
+The HTTP port number used by nginx inside the container.
+
+`HTTPS_PORT`  
+Values : *\<any valid port greater than 1024\>*  
+Default value : *8443*  
+Context : *global*  
+The HTTPS port number used by nginx inside the container.
+
+### Information leak
+
+`SERVER_TOKENS`  
+Values : *on* | *off*  
+Default value : *off*  
+Context : *global*  
+If set to on, nginx will display server version in Server header and default error pages.
+
+`REMOVE_HEADERS`  
+Values : \<*list of headers separated with space*\>  
+Default value : *Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version*  
+Context : *global*, *multisite*  
+List of header to remove when sending responses to clients.
+
+### Custom error pages
+
+`ERROR_XXX`  
+Values : *\<relative path to the error page\>*  
+Default value :  
+Context : *global*, *multisite*  
+Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.  
+For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
+
+### HTTP basic authentication
+
+`USE_AUTH_BASIC`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to yes, enables HTTP basic authentication at the location `AUTH_BASIC_LOCATION` with user `AUTH_BASIC_USER` and password `AUTH_BASIC_PASSWORD`.
+
+`AUTH_BASIC_LOCATION`  
+Values : *sitewide* | */somedir* | *\<any valid location\>*  
+Default value : *sitewide*  
+Context : *global*, *multisite*  
+The location to restrict when `USE_AUTH_BASIC` is set to *yes*. If the special value *sitewide* is used then auth basic will be set at server level outside any location context.
+
+`AUTH_BASIC_USER`  
+Values : *\<any valid username\>*  
+Default value : *changeme*  
+Context : *global*, *multisite*  
+The username allowed to access `AUTH_BASIC_LOCATION` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_PASSWORD`  
+Values : *\<any valid password\>*  
+Default value : *changeme*  
+Context : *global*, *multisite*  
+The password of `AUTH_BASIC_USER` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_TEXT`  
+Values : *\<any valid text\>*  
+Default value : *Restricted area*  
+Context : *global*, *multisite*  
+The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
+
+### Reverse proxy
+
+`USE_REVERSE_PROXY`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+Set this environment variable to *yes* if you want to use bunkerized-nginx as a reverse proxy.
+
+`REVERSE_PROXY_URL`  
+Values : \<*any valid location path*\>  
+Default value :  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*. Let's you define the location path to match when acting as a reverse proxy.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_URL_1`, `REVERSE_PROXY_URL_2`, `REVERSE_PROXY_URL_3`, ...
+
+`REVERSE_PROXY_HOST`  
+Values : \<*any valid proxy_pass value*\>  
+Default value :  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*. Let's you define the proxy_pass destination to use when acting as a reverse proxy.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HOST_1`, `REVERSE_PROXY_HOST_2`, `REVERSE_PROXY_HOST_3`, ...
+
+`REVERSE_PROXY_WS`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
+
+`REVERSE_PROXY_HEADERS`  
+Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>* 
+Default value :  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HEADERS_1`, `REVERSE_PROXY_HEADERS_2`, `REVERSE_PROXY_HEADERS_3`, ...
+
+`PROXY_REAL_IP`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+Set this environment variable to *yes* if you're using bunkerized-nginx behind a reverse proxy. This means you will see the real client address instead of the proxy one inside your logs. Modsecurity, fail2ban and others security tools will also then work correctly.
+
+`PROXY_REAL_IP_FROM`  
+Values : *\<list of trusted IP addresses and/or networks separated with spaces\>*  
+Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*  
+Context : *global*, *multisite*  
+When `PROXY_REAL_IP` is set to *yes*, lets you define the trusted IPs/networks allowed to send the correct client address.
+
+`PROXY_REAL_IP_HEADER`  
+Values : *X-Forwarded-For* | *X-Real-IP* | *custom header*  
+Default value : *X-Forwarded-For*  
+Context : *global*, *multisite*  
+When `PROXY_REAL_IP` is set to *yes*, lets you define the header that contains the real client IP address.
+
+`PROXY_REAL_IP_RECURSIVE`  
+Values : *on* | *off*  
+Default value : *on*  
+Context : *global*, *multisite*  
+When `PROXY_REAL_IP` is set to *yes*, setting this to *on* avoid spoofing attacks using the header defined in `PROXY_REAL_IP_HEADER`.
+
+### Compression
+
+`USE_GZIP`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to *yes*, nginx will use the gzip algorithm to compress responses sent to clients.
+
+`GZIP_COMP_LEVEL`  
+Values : \<*any integer between 1 and 9*\>  
+Default value : *5*  
+Context : *global*, *multisite*  
+The gzip compression level to use when `USE_GZIP` is set to *yes*.
+
+`GZIP_MIN_LENGTH`  
+Values : \<*any positive integer*\>  
+Default value : *1000*  
+Context : *global*, *multisite*  
+The minimum size (in bytes) of a response required to compress when `USE_GZIP` is set to *yes*.
+
+`GZIP_TYPES`  
+Values : \<*list of mime types separated with space*\>  
+Default value : *application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml*  
+Context : *global*, *multisite*  
+List of response MIME type required to compress when `USE_GZIP` is set to *yes*.
+
+`USE_BROTLI`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to *yes*, nginx will use the brotli algorithm to compress responses sent to clients.
+
+`BROTLI_COMP_LEVEL`  
+Values : \<*any integer between 1 and 9*\>  
+Default value : *5*  
+Context : *global*, *multisite*  
+The brotli compression level to use when `USE_BROTLI` is set to *yes*.
+
+`BROTLI_MIN_LENGTH`  
+Values : \<*any positive integer*\>  
+Default value : *1000*  
+Context : *global*, *multisite*  
+The minimum size (in bytes) of a response required to compress when `USE_BROTLI` is set to *yes*.
+
+`BROTLI_TYPES`  
+Values : \<*list of mime types separated with space*\>  
+Default value : *application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml*  
+Context : *global*, *multisite*  
+List of response MIME type required to compress when `USE_BROTLI` is set to *yes*.
+
+### Cache
+
+`USE_CLIENT_CACHE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to *yes*, clients will be told to cache some files locally.
+
+`CLIENT_CACHE_EXTENSIONS`  
+Values : \<*list of extensions separated with |*\>  
+Default value : *jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2*  
+Context : *global*, *multisite*  
+List of file extensions that clients should cache when `USE_CLIENT_CACHE` is set to *yes*.
+
+`CLIENT_CACHE_CONTROL`  
+Values : \<*Cache-Control header value*\>  
+Default value : *public, max-age=15552000*  
+Context : *global*, *multisite*  
+Content of the [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) header to send when `USE_CLIENT_CACHE` is set to *yes*.
+
+`CLIENT_CACHE_ETAG`  
+Values : *on* | *off*  
+Default value : *on*  
+Context : *global*, *multisite*  
+Whether or not nginx will send the [ETag](https://en.wikipedia.org/wiki/HTTP_ETag) header when `USE_CLIENT_CACHE` is set to *yes*.
+
+`USE_OPEN_FILE_CACHE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to *yes*, nginx will cache open fd, existence of directories, ... See [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache).
+
+`OPEN_FILE_CACHE`  
+Values : \<*any valid open_file_cache parameters*\>  
+Default value : *max=1000 inactive=20s*  
+Context : *global*, *multisite*  
+Parameters to use with open_file_cache when `USE_OPEN_FILE_CACHE` is set to *yes*.
+
+`OPEN_FILE_CACHE_ERRORS`  
+Values : *on* | *off*  
+Default value : *on*  
+Context : *global*, *multisite*  
+Whether or not nginx should cache file lookup errors when `USE_OPEN_FILE_CACHE` is set to *yes*.
+
+`OPEN_FILE_CACHE_MIN_USES`  
+Values : \<*any valid integer *\>  
+Default value : *2*  
+Context : *global*, *multisite*  
+The minimum number of file accesses required to cache the fd when `USE_OPEN_FILE_CACHE` is set to *yes*.
+
+`OPEN_FILE_CACHE_VALID`  
+Values : \<*any time value like Xs, Xm, Xh, ...*\>  
+Default value : *30s*  
+Context : *global*, *multisite*  
+The time after which cached elements should be validated when `USE_OPEN_FILE_CACHE` is set to *yes*.
+
+`USE_PROXY_CACHE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to *yes*, nginx will cache responses from proxied applications. See [proxy_cache](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache).
+
+`PROXY_CACHE_PATH_ZONE_SIZE`  
+Values : \<*any valid size like Xk, Xm, Xg, ...*\>  
+Default value : *10m*  
+Context : *global*, *multisite*  
+Maximum size of cached metadata when `USE_PROXY_CACHE` is set to *yes*.
+ 
+`PROXY_CACHE_PATH_PARAMS`  
+Values : \<*any valid parameters to proxy_cache_path directive*\>  
+Default value : *max_size=100m*  
+Context : *global*, *multisite*  
+Parameters to use for [proxy_cache_path](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path) directive when `USE_PROXY_CACHE` is set to *yes*.
+
+`PROXY_CACHE_METHODS`  
+Values : \<*list of HTTP methods separated with space*\>  
+Default value : *GET HEAD*  
+Context : *global*, *multisite*  
+The HTTP methods that should trigger a cache operation when `USE_PROXY_CACHE` is set to *yes*.
+ 
+`PROXY_CACHE_MIN_USES`  
+Values : \<*any positive integer*\>  
+Default value : *2*  
+Context : *global*, *multisite*  
+The minimum number of requests before the response is cached when `USE_PROXY_CACHE` is set to *yes*.
+
+`PROXY_CACHE_KEY`  
+Values : \<*list of variables*\>  
+Default value : *$scheme$host$request_uri*  
+Context : *global*, *multisite*  
+The key used to uniquely identify a cached response when `USE_PROXY_CACHE` is set to *yes*.
+
+`PROXY_CACHE_VALID`  
+Values : \<*status=time list separated with space*\>  
+Default value : *200=10m 301=10m 302=1h*  
+Context : *global*, *multisite*  
+Define the caching time depending on the HTTP status code (list of status=time separated with space) when `USE_PROXY_CACHE` is set to *yes*.
+
+`PROXY_NO_CACHE`  
+Values : \<*list of variables*\>  
+Default value : *$http_authorization*  
+Context : *global*, *multisite*  
+Conditions that must be met to disable caching of the response when `USE_PROXY_CACHE` is set to *yes*.
+
+`PROXY_CACHE_BYPASS`  
+Values : \<*list of variables*\>
+Default value : *$http_authorization*  
+Context : *global*, *multisite* 
+Conditions that must be met to bypass the cache when `USE_PROXY_CACHE` is set to *yes*.
+
+## HTTPS
+
+### Let's Encrypt
+
+`AUTO_LETS_ENCRYPT`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to yes, automatic certificate generation and renewal will be setup through Let's Encrypt. This will enable HTTPS on your website for free.  
+You will need to redirect the 80 port to 8080 port inside container and also set the `SERVER_NAME` environment variable.
+
+`EMAIL_LETS_ENCRYPT`  
+Values : *contact@yourdomain.com*  
+Default value : *contact@first-domain-in-server-name*  
+Context : *global*, *multisite*  
+Define the contact email address declare in the certificate.
+
+### HTTP
+
+`LISTEN_HTTP`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to no, nginx will not in listen on HTTP (port 80).  
+Useful if you only want HTTPS access to your website.
+
+`REDIRECT_HTTP_TO_HTTPS`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to yes, nginx will redirect all HTTP requests to HTTPS.  
+
+### Custom certificate
+
+`USE_CUSTOM_HTTPS`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to yes, HTTPS will be enabled with certificate/key of your choice.  
+
+`CUSTOM_HTTPS_CERT`  
+Values : *\<any valid path inside the container\>*  
+Default value :  
+Context : *global*, *multisite*  
+Full path of the certificate or bundle file to use when `USE_CUSTOM_HTTPS` is set to yes. If your chain of trust contains one or more intermediate certificate(s), you will need to bundle them into a single file (more info [here](https://nginx.org/en/docs/http/configuring_https_servers.html#chains)).  
+
+`CUSTOM_HTTPS_KEY`  
+Values : *\<any valid path inside the container\>*  
+Default value :  
+Context : *global*, *multisite*  
+Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.  
+
+### Self-signed certificate
+
+`GENERATE_SELF_SIGNED_SSL`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
+
+`SELF_SIGNED_SSL_EXPIRY`  
+Values : *integer*  
+Default value : *365* (1 year)  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the expiry date for the self generated certificate.
+
+`SELF_SIGNED_SSL_COUNTRY`  
+Values : *text*  
+Default value : *Switzerland*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the country for the self generated certificate.
+
+`SELF_SIGNED_SSL_STATE`  
+Values : *text*  
+Default value : *Switzerland*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the state for the self generated certificate.
+
+`SELF_SIGNED_SSL_CITY`  
+Values : *text*  
+Default value : *Bern*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the city for the self generated certificate.
+
+`SELF_SIGNED_SSL_ORG`  
+Values : *text*  
+Default value : *AcmeInc*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the organisation name for the self generated certificate.
+
+`SELF_SIGNED_SSL_OU`  
+Values : *text*  
+Default value : *IT*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the organisitional unit for the self generated certificate.
+
+`SELF_SIGNED_SSL_CN`  
+Values : *text*  
+Default value : *bunkerity-nginx*  
+Context : *global*  
+Needs `GENERATE_SELF_SIGNED_SSL` to work.
+Sets the CN server name for the self generated certificate.
+
+### Misc
+
+`HTTP2`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.  
+
+`HTTPS_PROTOCOLS`  
+Values : *TLSv1.2* | *TLSv1.3* | *TLSv1.2 TLSv1.3*  
+Default value : *TLSv1.2 TLSv1.3*  
+Context : *global*, *multisite*  
+The supported version of TLS. We recommend the default value *TLSv1.2 TLSv1.3* for compatibility reasons.
+
+## ModSecurity
+
+`USE_MODSECURITY`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, the ModSecurity WAF will be enabled.  
+You can include custom rules by adding .conf files into the /modsec-confs/ directory inside the container (i.e : through a volume).  
+
+`USE_MODSECURITY_CRS`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) will be used. It provides generic rules to detect common web attacks.  
+You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .conf files into the /modsec-crs-confs/ directory inside the container (i.e : through a volume). Files inside this directory are included before the CRS rules. If you need to tweak (i.e. : SecRuleUpdateTargetById) put .conf files inside the /modsec-confs/ which is included after the CRS rules.
+
+## Security headers
+
+`X_FRAME_OPTIONS`  
+Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
+Default value : *DENY*  
+Context : *global*, *multisite*  
+Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks. 
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
+
+`X_XSS_PROTECTION`  
+Values : *0* | *1* | *1; mode=block*  
+Default value : *1; mode=block*  
+Context : *global*, *multisite*  
+Policy to be used when XSS is detected by the browser. Only works with Internet Explorer.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).  
+
+`X_CONTENT_TYPE_OPTIONS`  
+Values : *nosniff*  
+Default value : *nosniff*  
+Context : *global*, *multisite*  
+Tells the browser to be strict about MIME type.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options).
+
+`REFERRER_POLICY`  
+Values : *no-referrer* | *no-referrer-when-downgrade* | *origin* | *origin-when-cross-origin* | *same-origin* | *strict-origin* | *strict-origin-when-cross-origin* | *unsafe-url*  
+Default value : *no-referrer*  
+Context : *global*, *multisite*  
+Policy to be used for the Referer header.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
+
+`FEATURE_POLICY`  
+Values : *&lt;directive&gt; &lt;allow list&gt;*  
+Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'*  
+Context : *global*, *multisite*  
+Tells the browser which features can be used on the website.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
+
+`PERMISSIONS_POLICY`  
+Values : *feature=(allow list)*  
+Default value : accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()  
+Context : *global*, *multisite*  
+Tells the browser which features can be used on the website.  
+More info [here](https://www.w3.org/TR/permissions-policy-1/).
+
+`COOKIE_FLAGS`  
+Values : *\* HttpOnly* | *MyCookie secure SameSite=Lax* | *...*  
+Default value : *\* HttpOnly SameSite=Lax*  
+Context : *global*, *multisite*  
+Adds some security to the cookies set by the server.  
+Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
+
+`COOKIE_AUTO_SECURE_FLAG`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+When set to *yes*, the *secure* will be automatically added to cookies when using HTTPS.
+
+`STRICT_TRANSPORT_SECURITY`  
+Values : *max-age=expireTime [; includeSubDomains] [; preload]*  
+Default value : *max-age=31536000*  
+Context : *global*, *multisite*  
+Tells the browser to use exclusively HTTPS instead of HTTP when communicating with the server.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
+
+`CONTENT_SECURITY_POLICY`  
+Values : *\<directive 1\>; \<directive 2\>; ...*  
+Default value : *object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';*  
+Context : *global*, *multisite*  
+Policy to be used when loading resources (scripts, forms, frames, ...).  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
+
+## Blocking
+
+### Antibot
+
+`USE_ANTIBOT`  
+Values : *no* | *cookie* | *javascript* | *captcha* | *recaptcha*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to another allowed value than *no*, users must complete a "challenge" before accessing the pages on your website :
+- *cookie* : asks the users to set a cookie
+- *javascript* : users must execute a javascript code
+- *captcha* : a text captcha must be resolved by the users
+- *recaptcha* : use [Google reCAPTCHA v3](https://developers.google.com/recaptcha/intro) score to allow/deny users 
+
+`ANTIBOT_URI`  
+Values : *\<any valid uri\>*  
+Default value : */challenge*  
+Context : *global*, *multisite*  
+A valid and unused URI to redirect users when `USE_ANTIBOT` is used. Be sure that it doesn't exist on your website.
+
+`ANTIBOT_SESSION_SECRET`  
+Values : *random* | *\<32 chars of your choice\>*  
+Default value : *random*  
+Context : *global*, *multisite*  
+A secret used to generate sessions when `USE_ANTIBOT` is set. Using the special *random* value will generate a random one. Be sure to use the same value when you are in a multi-server environment (so sessions are valid in all the servers).
+
+`ANTIBOT_RECAPTCHA_SCORE`  
+Values : *\<0.0 to 1.0\>*  
+Default value : *0.7*  
+Context : *global*, *multisite*  
+The minimum score required when `USE_ANTIBOT` is set to *recaptcha*.
+
+`ANTIBOT_RECAPTCHA_SITEKEY`  
+Values : *\<public key given by Google\>*  
+Default value :  
+Context : *global*  
+The sitekey given by Google when `USE_ANTIBOT` is set to *recaptcha*.
+
+`ANTIBOT_RECAPTCHA_SECRET`  
+Values : *\<private key given by Google\>*  
+Default value :  
+Context : *global*  
+The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
+
+### External blacklists
+
+`BLOCK_USER_AGENT`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, block clients with "bad" user agent.  
+Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt).
+
+`BLOCK_TOR_EXIT_NODE`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Is set to yes, will block known TOR exit nodes.  
+Blacklist can be found [here](https://iplists.firehol.org/?ipset=tor_exits).
+
+`BLOCK_PROXIES`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Is set to yes, will block known proxies.  
+Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_proxies).
+
+`BLOCK_ABUSERS`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Is set to yes, will block known abusers.  
+Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_abusers_30d).
+
+`BLOCK_REFERRER`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Is set to yes, will block known bad referrer header.  
+Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list).
+
+### DNSBL
+
+`USE_DNSBL`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to *yes*, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` environment variable.  
+
+`DNSBL_LIST`  
+Values : *\<list of DNS zones separated with spaces\>*  
+Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*  
+Context : *global*  
+The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
+
+### CrowdSec
+
+`USE_CROWDSEC`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+If set to *yes*, [CrowdSec](https://github.com/crowdsecurity/crowdsec) will be enabled. Please note that you need a CrowdSec instance running see example [here](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/crowdsec).
+
+`CROWDSEC_HOST`  
+Values : *\<full URL to the CrowdSec instance API\>*  
+Default value :  
+Context : *global*  
+The full URL to the CrowdSec API.
+
+`CROWDSEC_KEY`  
+Values : *\<CrowdSec bouncer key\>*  
+Default value :  
+Context : *global*  
+The CrowdSec key given by *cscli bouncer add BouncerName*.
+
+### Custom whitelisting
+
+`USE_WHITELIST_IP`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to *yes*, lets you define custom IP addresses to be whitelisted through the `WHITELIST_IP_LIST` environment variable.
+
+`WHITELIST_IP_LIST`  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
+Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*  
+Context : *global*  
+The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
+
+`USE_WHITELIST_REVERSE`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to *yes*, lets you define custom reverse DNS suffixes to be whitelisted through the `WHITELIST_REVERSE_LIST` environment variable.
+
+`WHITELIST_REVERSE_LIST`  
+Values : *\<list of reverse DNS suffixes separated with spaces\>*  
+Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net*  
+Context : *global*  
+The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
+
+`WHITELIST_USER_AGENT`  
+Values : *\<list of regexes separated with spaces\>*  
+Default value :  
+Context : *global*, *multisite*  
+Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
+
+`WHITELIST_URI`  
+Values : *\<list of URI separated with spaces\>*  
+Default value :  
+Context : *global*, *multisite*  
+URI listed here have security checks like bad user-agents, bad IP, ... disabled. Useful when using callbacks for example.
+
+### Custom blacklisting
+
+`USE_BLACKLIST_IP`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to *yes*, lets you define custom IP addresses to be blacklisted through the `BLACKLIST_IP_LIST` environment variable.
+
+`BLACKLIST_IP_LIST`  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
+Default value :  
+Context : *global*  
+The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
+
+`USE_BLACKLIST_REVERSE`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to *yes*, lets you define custom reverse DNS suffixes to be blacklisted through the `BLACKLIST_REVERSE_LIST` environment variable.
+
+`BLACKLIST_REVERSE_LIST`  
+Values : *\<list of reverse DNS suffixes separated with spaces\>*  
+Default value : *.shodan.io*  
+Context : *global*  
+The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is set to *yes*.
+
+### Requests limiting
+
+`USE_LIMIT_REQ`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time.  
+More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri).
+
+`LIMIT_REQ_RATE`  
+Values : *Xr/s* | *Xr/m*  
+Default value : *1r/s*  
+Context : *global*, *multisite*  
+The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second.
+
+`LIMIT_REQ_BURST`  
+Values : *<any valid integer\>*  
+Default value : *2*  
+Context : *global*, *multisite*  
+The number of requests to put in queue before rejecting requests.
+
+`LIMIT_REQ_CACHE`  
+Values : *Xm* | *Xk*    
+Default value : *10m*  
+Context : *global*  
+The size of the cache to store information about request limiting.
+
+### Connections limiting
+
+`USE_LIMIT_CONN`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. very small/weak ddos protection)  
+More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
+
+`LIMIT_CONN_MAX`  
+Values : *<any valid integer\>*  
+Default value : *50*  
+Context : *global*, *multisite*  
+The maximum number of connections per ip to put in queue before rejecting requests.
+
+`LIMIT_CONN_CACHE`  
+Values : *Xm* | *Xk*    
+Default value : *10m*  
+Context : *global*  
+The size of the cache to store information about connection limiting.
+
+### Countries
+
+`BLACKLIST_COUNTRY`  
+Values : *\<country code 1\> \<country code 2\> ...*  
+Default value :  
+Context : *global*, *multisite*  
+Block some countries from accessing your website. Use 2 letters country code separated with space.
+
+`WHITELIST_COUNTRY`  
+Values : *\<country code 1\> \<country code 2\> ...*  
+Default value :  
+Context : *global*, *multisite*  
+Only allow specific countries accessing your website. Use 2 letters country code separated with space.
+
+## PHP
+
+`REMOTE_PHP`  
+Values : *\<any valid IP/hostname\>*  
+Default value :  
+Context : *global*, *multisite*  
+Set the IP/hostname address of a remote PHP-FPM to execute .php files.
+
+`REMOTE_PHP_PATH`  
+Values : *\<any valid absolute path\>*  
+Default value : */app*  
+Context : *global*, *multisite*  
+The path where the PHP files are located inside the server specified in `REMOTE_PHP`.
+
+## Bad behavior
+
+`USE_BAD_BEHAVIOR`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, bunkerized-nginx will block users getting too much "suspicious" HTTP codes in a period of time.  
+
+`BAD_BEHAVIOR_STATUS_CODES`   
+Values : *\<HTTP status codes separated with space\>*  
+Default value : *400 401 403 404 405 429 444*  
+Context : *global*  
+List of HTTP status codes considered as "suspicious".   
+
+`BAD_BEHAVIOR_THRESHOLD`  
+Values : *<any positive integer>*  
+Default value : *10*  
+Context : *global*  
+The number of "suspicious" HTTP status code before the corresponding IP is banned.
+
+`BAD_BEHAVIOR_BAN_TIME`  
+Values : *<any positive integer>*  
+Default value : *86400*  
+Context : *global*  
+The duration time (in seconds) of a ban when the corresponding IP has reached the `BAD_BEHAVIOR_THRESHOLD`.
+
+`BAD_BEHAVIOR_COUNT_TIME`  
+Values : *<any positive integer>*  
+Default value : *60*  
+Context : *global*  
+The duration time (in seconds) before the counter of "suspicious" HTTP is reset.
+
+## ClamAV
+
+`USE_CLAMAV_UPLOAD`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
+
+`USE_CLAMAV_SCAN`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*  
+If set to yes, ClamAV will scan all the files inside the container every day.  
+
+`CLAMAV_SCAN_REMOVE`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*  
+If set to yes, ClamAV will automatically remove the detected files.  
+
+## Cron jobs
+
+`AUTO_LETS_ENCRYPT_CRON`  
+Values : *\<cron expression\>*   
+Default value : *15 0 \* \* \**  
+Context : *global*  
+Cron expression of how often certbot will try to renew the certificates.
+
+`BLOCK_USER_AGENT_CRON`  
+Values : *\<cron expression\>*   
+Default value : *30 0 \* \* \* \**  
+Context : *global*  
+Cron expression of how often the blacklist of user agent is updated.
+
+`BLOCK_TOR_EXIT_NODE_CRON`  
+Values : *\<cron expression\>*   
+Default value : *0 \*/1 \* \* \* \**  
+Context : *global*  
+Cron expression of how often the blacklist of tor exit node is updated.
+
+`BLOCK_PROXIES_CRON`  
+Values : *\<cron expression\>*   
+Default value : *0 3 \* \* \* \**  
+Context : *global*  
+Cron expression of how often the blacklist of proxies is updated.
+
+`BLOCK_ABUSERS_CRON`  
+Values : *\<cron expression\>*   
+Default value : *0 2 \* \* \* \**  
+Context : *global*  
+Cron expression of how often the blacklist of abusers is updated.
+
+`BLOCK_REFERRER_CRON`  
+Values : *\<cron expression\>*   
+Default value : *45 0 \* \* \* \**  
+Context : *global*  
+Cron expression of how often the blacklist of referrer is updated.
+
+`GEOIP_CRON`  
+Values : *\<cron expression\>*  
+Default value : *0 4 2 \* \**  
+Context : *global*  
+Cron expression of how often the GeoIP database is updated.
+
+`USE_CLAMAV_SCAN_CRON`  
+Values : *\<cron expression\>*   
+Default value : *30 1 \* \* \**  
+Context : *global*  
+Cron expression of how often ClamAV will scan all the files inside the container.
+
+`CLAMAV_UPDATE_CRON`  
+Values : *\<cron expression\>*   
+Default value : *0 1 \* \* \**  
+Context : *global*  
+Cron expression of how often ClamAV will update its database.
+
+## misc
+
+`SWARM_MODE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+
+`USE_API`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+
+`API_URI`  
+Values : *random* | *\<any valid URI path\>*  
+Default value : *random*  
+Context : *global*  
+Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+
+`API_WHITELIST_IP`  
+Values : *\<list of IP/CIDR separated with space\>*  
+Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*  
+Context : *global*  
+List of IP/CIDR block allowed to send API order using the `API_URI` uri.

docs/index.md

@@ -0,0 +1,12 @@
+# bunkerized-nginx official documentation
+
+```{toctree}
+:maxdepth: 2
+:caption: Contents
+introduction
+quickstart_guide
+security_tuning
+troubleshooting
+volumes
+environment_variables
+```

docs/introduction.md

@@ -0,0 +1,29 @@
+# Introduction
+
+<p align="center">
+	<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
+</p>
+
+nginx Docker image secure by default.  
+
+Avoid the hassle of following security best practices "by hand" each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
+
+Non-exhaustive list of features :
+- HTTPS support with transparent Let's Encrypt automation
+- State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, ...
+- Integrated ModSecurity WAF with the OWASP Core Rule Set
+- Automatic ban of strange behaviors
+- Antibot challenge through cookie, javascript, captcha or recaptcha v3
+- Block TOR, proxies, bad user-agents, countries, ...
+- Block known bad IP with DNSBL and CrowdSec
+- Prevent bruteforce attacks with rate limiting
+- Detect bad files with ClamAV
+- Easy to configure with environment variables or web UI
+- Automatic configuration with container labels
+- Docker Swarm support
+
+Fooling automated tools/scanners :
+
+<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/demo.gif?raw=true" />
+
+You can find a live demo at <a href="https://demo-nginx.bunkerity.com" target="_blank">https://demo-nginx.bunkerity.com</a>, feel free to do some security tests.

docs/make.bat

@@ -0,0 +1,35 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=.
+set BUILDDIR=_build
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+	echo.
+	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+	echo.installed, then set the SPHINXBUILD environment variable to point
+	echo.to the full path of the 'sphinx-build' executable. Alternatively you
+	echo.may add the Sphinx directory to PATH.
+	echo.
+	echo.If you don't have Sphinx installed, grab it from
+	echo.http://sphinx-doc.org/
+	exit /b 1
+)
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+
+:end
+popd

docs/quickstart_guide.md

@@ -0,0 +1,346 @@
+# Quickstart guide
+
+## Run HTTP server with default settings
+
+```shell
+docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx
+```
+
+Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but as an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly.
+
+## In combination with PHP
+
+```shell
+docker network create mynet
+```
+
+```shell
+docker run --network mynet \
+           -p 80:8080 \
+           -v /path/to/web/files:/www:ro \
+           -e REMOTE_PHP=myphp \
+           -e REMOTE_PHP_PATH=/app \
+           bunkerity/bunkerized-nginx
+```
+
+```shell
+docker run --network mynet \
+           --name myphp \
+           -v /path/to/web/files:/app \
+           php:fpm
+```
+
+The `REMOTE_PHP` environment variable lets you define the address of a remote PHP-FPM instance that will execute the .php files. `REMOTE_PHP_PATH` must be set to the directory where the PHP container will find the files.
+
+## Run HTTPS server with automated Let's Encrypt
+
+```shell
+docker run -p 80:8080 \
+           -p 443:8443 \
+           -v /path/to/web/files:/www:ro \
+           -v /where/to/save/certificates:/etc/letsencrypt \
+           -e SERVER_NAME=www.yourdomain.com \
+           -e AUTO_LETS_ENCRYPT=yes \
+           -e REDIRECT_HTTP_TO_HTTPS=yes \
+           bunkerity/bunkerized-nginx
+```
+
+Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but as an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly.
+
+If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
+
+Here you have three environment variables :
+- `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
+- `AUTO_LETS_ENCRYPT` : enable automatic Let's Encrypt creation and renewal of certificates
+- `REDIRECT_HTTP_TO_HTTPS` : enable HTTP to HTTPS redirection
+
+## As a reverse proxy
+
+```shell
+docker run -p 80:8080 \
+           -e USE_REVERSE_PROXY=yes \
+           -e REVERSE_PROXY_URL=/ \
+           -e REVERSE_PROXY_HOST=http://myserver:8080 \
+           bunkerity/bunkerized-nginx
+```
+
+This is a simple reverse proxy to a unique application. If you have more than one application you can add more REVERSE_PROXY_URL/REVERSE_PROXY_HOST by appending a suffix number like this :
+
+```shell
+docker run -p 80:8080 \
+           -e USE_REVERSE_PROXY=yes \
+           -e REVERSE_PROXY_URL_1=/app1/ \
+           -e REVERSE_PROXY_HOST_1=http://myapp1:3000/ \
+           -e REVERSE_PROXY_URL_2=/app2/ \
+           -e REVERSE_PROXY_HOST_2=http://myapp2:3000/ \
+           bunkerity/bunkerized-nginx
+```
+
+## Behind a reverse proxy
+
+```shell
+docker run -p 80:8080 \
+           -v /path/to/web/files:/www \
+           -e PROXY_REAL_IP=yes \
+           bunkerity/bunkerized-nginx
+```
+
+The `PROXY_REAL_IP` environment variable, when set to *yes*, activates the [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html) to get the real client IP from the reverse proxy.
+
+See [this section](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#reverse-proxy) if you need to tweak some values (trusted ip/network, header, ...).
+
+## Multisite
+
+By default, bunkerized-nginx will only create one server block. When setting the `MULTISITE` environment variable to *yes*, one server block will be created for each host defined in the `SERVER_NAME` environment variable.  
+You can set/override values for a specific server by prefixing the environment variable with one of the server name previously defined.
+
+```shell
+docker run -p 80:8080 \
+           -p 443:8443 \
+           -v /where/to/save/certificates:/etc/letsencrypt \
+           -e SERVER_NAME=app1.domain.com app2.domain.com \
+           -e MULTISITE=yes \
+           -e AUTO_LETS_ENCRYPT=yes \
+           -e REDIRECT_HTTP_TO_HTTPS=yes \
+           -e USE_REVERSE_PROXY=yes \
+           -e app1.domain.com_REVERSE_PROXY_URL=/ \
+           -e app1.domain.com_REVERSE_PROXY_HOST=http://myapp1:8000 \
+           -e app2.domain.com_REVERSE_PROXY_URL=/ \
+           -e app2.domain.com_REVERSE_PROXY_HOST=http://myapp2:8000 \
+           bunkerity/bunkerized-nginx
+```
+
+The `USE_REVERSE_PROXY` is a *global* variable that will be applied to each server block. Whereas the `app1.domain.com_*` and `app2.domain.com_*` will only be applied to the app1.domain.com and app2.domain.com server block respectively.
+
+When serving files, the web root directory should contains subdirectories named as the servers defined in the `SERVER_NAME` environment variable. Here is an example :
+
+```shell
+
+docker run -p 80:8080 \
+           -p 443:8443 \
+           -v /where/to/save/certificates:/etc/letsencrypt \
+           -v /where/are/web/files:/www:ro \
+           -e SERVER_NAME=app1.domain.com app2.domain.com \
+           -e MULTISITE=yes \
+           -e AUTO_LETS_ENCRYPT=yes \
+           -e REDIRECT_HTTP_TO_HTTPS=yes \
+           -e app1.domain.com_REMOTE_PHP=php1 \
+           -e app1.domain.com_REMOTE_PHP_PATH=/app \
+           -e app2.domain.com_REMOTE_PHP=php2 \
+           -e app2.domain.com_REMOTE_PHP_PATH=/app \
+           bunkerity/bunkerized-nginx
+```
+
+The */where/are/web/files* directory should have a structure like this :
+```shell
+/where/are/web/files
+├── app1.domain.com
+│   └── index.php
+│   └── ...
+└── app2.domain.com
+    └── index.php
+    └── ...
+```
+
+## Automatic configuration
+
+The downside of using environment variables is that you need to recreate a new container each time you want to add or remove a web service. An alternative is to use the *bunkerized-nginx-autoconf* image which listens for Docker events and "automagically" generates the configuration.
+
+First we need a volume that will store the configurations :
+
+```shell
+docker volume create nginx_conf
+```
+
+Then we run bunkerized-nginx with the `bunkerized-nginx.AUTOCONF` label, mount the created volume at /etc/nginx and set some default configurations for our services (e.g. : automatic Let's Encrypt and HTTP to HTTPS redirect) : 
+
+```shell
+docker network create mynet
+
+docker run -p 80:8080 \
+           -p 443:8443 \
+           --network mynet \
+           -v /where/to/save/certificates:/etc/letsencrypt \
+           -v /where/are/web/files:/www:ro \
+           -v nginx_conf:/etc/nginx \
+           -e SERVER_NAME= \
+           -e MULTISITE=yes \
+           -e AUTO_LETS_ENCRYPT=yes \
+           -e REDIRECT_HTTP_TO_HTTPS=yes \
+           -l bunkerized.nginx.AUTOCONF \
+           bunkerity/bunkerized-nginx
+```
+
+When setting `SERVER_NAME` to nothing bunkerized-nginx won't create any server block (in case we only want automatic configuration). 
+
+Once bunkerized-nginx is created, let's setup the autoconf container :
+
+```shell
+docker run -v /var/run/docker.sock:/var/run/docker.sock:ro \
+           -v nginx_conf:/etc/nginx \
+           bunkerity/bunkerized-nginx-autoconf
+```
+
+We can now create a new container and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
+
+Here is a PHP example :
+
+```shell
+docker run --network mynet \
+           --name myapp \
+           -v /where/are/web/files/app.domain.com:/app \
+           -l bunkerized-nginx.SERVER_NAME=app.domain.com \
+           -l bunkerized-nginx.REMOTE_PHP=myapp \
+           -l bunkerized-nginx.REMOTE_PHP_PATH=/app \
+           php:fpm
+```
+
+And a reverse proxy example :
+
+```shell
+docker run --network mynet \
+           --name anotherapp \
+           -l bunkerized-nginx.SERVER_NAME=app2.domain.com \
+           -l bunkerized-nginx.USE_REVERSE_PROXY=yes \
+           -l bunkerized-nginx.REVERSE_PROXY_URL=/ \
+           -l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
+           tutum/hello-world
+```
+
+## Swarm mode
+
+Automatic configuration through labels is also supported in swarm mode. The *bunkerized-nginx-autoconf* is used to listen for Swarm events (e.g. service create/rm) and "automagically" edit configurations files and reload nginx.
+
+As a use case we will assume the following :
+- Some managers are also workers (they will only run the *autoconf* container for obvious security reasons)
+- The bunkerized-nginx service will be deployed on all workers (global mode) so clients can connect to each of them (e.g. load balancing, CDN, edge proxy, ...)
+- There is a shared folder mounted on managers and workers (e.g. NFS, GlusterFS, CephFS, ...)
+
+Let's start by creating the network to allow communications between our services :
+```shell
+docker network create -d overlay mynet
+```
+
+We can now create the *autoconf* service that will listen to swarm events :
+```shell
+docker service create --name autoconf \
+                      --network mynet \
+                      --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
+                      --mount type=bind,source=/shared/confs,destination=/etc/nginx \
+                      --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
+                      --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
+                      -e SWARM_MODE=yes \
+                      -e API_URI=/ChangeMeToSomethingHardToGuess \
+                      --replicas 1 \
+                      --constraint node.role==manager \
+                      bunkerity/bunkerized-nginx-autoconf
+```
+
+**You need to change `API_URI` to something hard to guess since there is no other security mechanism to protect the API at the moment.**
+
+When *autoconf* is created, it's time for the *bunkerized-nginx* service to be up :
+
+```shell
+docker service create --name nginx \
+                      --network mynet \
+                      -p published=80,target=8080,mode=host \
+                      -p published=443,target=8443,mode=host \
+                      --mount type=bind,source=/shared/confs,destination=/etc/nginx \
+                      --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,ro \
+                      --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,ro \
+                      --mount type=bind,source=/shared/www,destination=/www,ro \
+                      -e SWARM_MODE=yes \
+                      -e USE_API=yes \
+                      -e API_URI=/ChangeMeToSomethingHardToGuess \
+                      -e MULTISITE=yes \
+                      -e SERVER_NAME= \
+                      -e AUTO_LETS_ENCRYPT=yes \
+                      -e REDIRECT_HTTP_TO_HTTPS=yes \
+                      -l bunkerized-nginx.AUTOCONF \
+                      --mode global \
+                      --constraint node.role==worker \
+                      bunkerity/bunkerized-nginx
+```
+
+The `API_URI` value must be the same as the one specified for the *autoconf* service.
+
+We can now create a new service and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
+
+Here is a PHP example :
+
+```shell
+docker service create --name myapp \
+                      --network mynet \
+                      --mount type=bind,source=/shared/www/app.domain.com,destination=/app \
+                      -l bunkerized-nginx.SERVER_NAME=app.domain.com \
+                      -l bunkerized-nginx.REMOTE_PHP=myapp \
+                      -l bunkerized-nginx.REMOTE_PHP_PATH=/app \
+                      --constraint node.role==worker \
+                      php:fpm
+```
+
+And a reverse proxy example :
+
+```shell
+docker service create --name anotherapp \
+                      --network mynet \
+                      -l bunkerized-nginx.SERVER_NAME=app2.domain.com \
+                      -l bunkerized-nginx.USE_REVERSE_PROXY=yes \
+                      -l bunkerized-nginx.REVERSE_PROXY_URL=/ \
+                      -l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
+                      --constraint node.role==worker \
+                      tutum/hello-world
+```
+
+## Web UI
+
+**This feature exposes, for now, a security risk because you need to mount the docker socket inside a container exposing a web application. You can test it but you should not use it in servers facing the internet.**  
+
+A dedicated image, *bunkerized-nginx-ui*, lets you manage bunkerized-nginx instances and services configurations through a web user interface. This feature is still in beta, feel free to open a new issue if you find a bug and/or you have an idea to improve it. 
+
+First we need a volume that will store the configurations :
+
+```shell
+docker volume create nginx_conf
+```
+
+Then, we can create the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
+
+```shell
+docker network create mynet
+
+docker run -p 80:8080 \
+           -p 443:8443 \
+           --network mynet \
+           -v nginx_conf:/etc/nginx \
+           -v /where/are/web/files:/www:ro \
+           -v /where/to/save/certificates:/etc/letsencrypt \
+           -e SERVER_NAME=admin.domain.com \
+           -e MULTISITE=yes \
+           -e AUTO_LETS_ENCRYPT=yes \
+           -e REDIRECT_HTTP_TO_HTTPS=yes \
+           -e DISABLE_DEFAULT_SERVER=yes \
+           -e admin.domain.com_SERVE_FILES=no \
+           -e admin.domain.com_USE_AUTH_BASIC=yes \
+           -e admin.domain.com_AUTH_BASIC_USER=admin \
+           -e admin.domain.com_AUTH_BASIC_PASSWORD=password \
+           -e admin.domain.com_USE_REVERSE_PROXY=yes \
+           -e admin.domain.com_REVERSE_PROXY_URL=/webui/ \
+           -e admin.domain.com_REVERSE_PROXY_HOST=http://myui:5000/ \
+           -l bunkerized-nginx.UI \
+           bunkerity/bunkerized-nginx
+```
+
+The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui.
+
+We can now create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
+
+```shell
+docker run --network mynet \
+           -v /var/run/docker.sock:/var/run/docker.sock:ro \
+           -v nginx_conf:/etc/nginx \
+           -e ABSOLUTE_URI=https://admin.domain.com/webui/ \
+           bunkerity/bunkerized-nginx-ui
+```
+
+After that, the web UI should be accessible from https://admin.domain.com/webui/.

docs/requirements.txt

@@ -0,0 +1,3 @@
+sphinx
+sphinx-rtd-theme
+myst-parser