hotfix - fix API in autoconf swarm mode

Fix lua mistake

.github/workflows/autotest-bunkerized-nginx-autoconf.yml

@@ -0,0 +1,26 @@
+name: Automatic test on autoconf
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest-autoconf -f autoconf/Dockerfile .
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest-autoconf'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+

.github/workflows/autotest-bunkerized-nginx-ui.yml

@@ -0,0 +1,26 @@
+name: Automatic test on ui
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest-ui -f ui/Dockerfile .
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest-ui'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+

.github/workflows/autotest-bunkerized-nginx.yml

@@ -0,0 +1,28 @@
+name: Automatic test
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Build the image
+        run: docker build -t autotest .
+      - name: Run autotest
+        run: docker run autotest test
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'autotest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+

.gitignore

@@ -0,0 +1 @@
+.idea/

Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:stable-alpine
+FROM nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,30 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY crowdsec/install.sh /tmp/install.sh
+COPY entrypoint/ /opt/entrypoint
-RUN chmod +x /tmp/install.sh && \
-    /tmp/install.sh && \
-    rm -rf /tmp/*
-
-COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-    mkdir /opt/entrypoint.d && \
-    rm -f /var/log/nginx/* && \
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-amd64

@@ -1,4 +1,4 @@
-FROM amd64/nginx:stable-alpine
+FROM amd64/nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,30 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY crowdsec/install.sh /tmp/install.sh
+COPY entrypoint/ /opt/entrypoint
-RUN chmod +x /tmp/install.sh && \
-    /tmp/install.sh && \
-    rm -rf /tmp/*
-
-COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-    mkdir /opt/entrypoint.d && \
-    rm -f /var/log/nginx/* && \
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm32v7

@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 
-FROM arm32v7/nginx:stable-alpine
+FROM arm32v7/nginx:1.20.0-alpine
 
 COPY --from=builder qemu-arm-static /usr/bin
 
@@ -13,30 +13,23 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY crowdsec/install.sh /tmp/install.sh
+COPY entrypoint/ /opt/entrypoint
-RUN chmod +x /tmp/install.sh && \
-    /tmp/install.sh && \
-    rm -rf /tmp/*
-
-COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-    mkdir /opt/entrypoint.d && \
-    rm -f /var/log/nginx/* && \
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm64v8

@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 
-FROM arm64v8/nginx:stable-alpine
+FROM arm64v8/nginx:1.20.0-alpine
 
 COPY --from=builder qemu-aarch64-static /usr/bin
 
@@ -13,30 +13,23 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY crowdsec/install.sh /tmp/install.sh
+COPY entrypoint/ /opt/entrypoint
-RUN chmod +x /tmp/install.sh && \
-    /tmp/install.sh && \
-    rm -rf /tmp/*
-
-COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-    mkdir /opt/entrypoint.d && \
-    rm -f /var/log/nginx/* && \
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-i386

@@ -1,4 +1,4 @@
-FROM i386/nginx:stable-alpine
+FROM i386/nginx:1.20.0-alpine
 
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -6,30 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
     /tmp/compile.sh && \
     rm -rf /tmp/*
 
-COPY crowdsec/install.sh /tmp/install.sh
+COPY entrypoint/ /opt/entrypoint
-RUN chmod +x /tmp/install.sh && \
-    /tmp/install.sh && \
-    rm -rf /tmp/*
-
-COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
-COPY crowdsec/ /opt/crowdsec
 
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
+COPY prepare.sh /tmp/prepare.sh
-    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
+RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-    mkdir /opt/entrypoint.d && \
-    rm -f /var/log/nginx/* && \
-    chown root:nginx /var/log/nginx && \
-    chmod 750 /var/log/nginx && \
-    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
 
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp
 
-ENTRYPOINT ["/opt/entrypoint.sh"]
+USER nginx:nginx
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

VERSION

@@ -1 +1 @@
-1.1.2
+1.2.4

autoconf/AutoConf.py

@@ -0,0 +1,131 @@
+from Config import Config
+import utils
+import os
+
+class AutoConf :
+
+	def __init__(self, swarm, api) :
+		self.__swarm = swarm
+		self.__servers = {}
+		self.__instances = {}
+		self.__sites = {}
+		self.__config = Config(self.__swarm, api)
+
+	def get_server(self, id) :
+		if id in self.__servers :
+			return self.__servers[id]
+		return False
+
+	def reload(self) :
+		return self.__config.reload(self.__instances)
+
+	def pre_process(self, objs) :
+		for instance in objs :
+			(id, name, labels) = self.__get_infos(instance)
+			if "bunkerized-nginx.AUTOCONF" in labels :
+				if self.__swarm :
+					self.__process_instance(instance, "create", id, name, labels)
+				else :
+					if instance.status in ("restarting", "running", "created", "exited") :
+						self.__process_instance(instance, "create", id, name, labels)
+					if instance.status == "running" :
+						self.__process_instance(instance, "start", id, name, labels)
+
+		for server in objs :
+			(id, name, labels) = self.__get_infos(server)
+			if "bunkerized-nginx.SERVER_NAME" in labels :
+				if self.__swarm :
+					self.__process_server(server, "create", id, name, labels)
+				else :
+					if server.status in ("restarting", "running", "created", "exited") :
+						self.__process_server(server, "create", id, name, labels)
+					if server.status == "running" :
+						self.__process_server(server, "start", id, name, labels)
+
+	def process(self, obj, event) :
+		(id, name, labels) = self.__get_infos(obj)
+		if "bunkerized-nginx.AUTOCONF" in labels :
+			self.__process_instance(obj, event, id, name, labels)
+		elif "bunkerized-nginx.SERVER_NAME" in labels :
+			self.__process_server(obj, event, id, name, labels)
+
+	def __get_infos(self, obj) :
+		if self.__swarm :
+			id = obj.id
+			name = obj.name
+			labels = obj.attrs["Spec"]["Labels"]
+		else :
+			id = obj.id
+			name = obj.name
+			labels = obj.labels
+		return (id, name, labels)
+
+	def __process_instance(self, instance, event, id, name, labels) :
+		if event == "create" :
+			self.__instances[id] = instance
+			if self.__swarm and len(self.__instances) == 1 :
+				if self.__config.initconf(self.__instances) :
+					utils.log("[*] Initial config succeeded")
+				else :
+					utils.log("[!] Initial config failed")
+			utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
+		elif event == "start" :
+			self.__instances[id].reload()
+			utils.log("[*] bunkerized-nginx instance started : " + name + " / " + id)
+		elif event == "die" :
+			self.__instances[id].reload()
+			utils.log("[*] bunkerized-nginx instance stopped : " + name + " / " + id)
+		elif event == "destroy" or event == "remove" :
+			del self.__instances[id]
+			if self.__swarm and len(self.__instances) == 0 :
+				with open("/etc/crontabs/nginx", "w") as f :
+					f.write("")
+				if os.path.exists("/etc/nginx/autoconf") :
+					os.remove("/etc/nginx/autoconf")
+			utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
+
+	def __process_server(self, instance, event, id, name, labels) :
+		vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
+		if event == "create" :
+			utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
+			if self.__config.generate(self.__instances, vars) :
+				utils.log("[*] Generated config for " + vars["SERVER_NAME"])
+				self.__servers[id] = instance
+				if self.__swarm :
+					utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
+					if self.__config.activate(self.__instances, vars) :
+						utils.log("[*] Activated config for " + vars["SERVER_NAME"])
+					else :
+						utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
+			else :
+				utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
+		elif event == "start" :
+			if id in self.__servers :
+				self.__servers[id].reload()
+				utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
+				if self.__config.activate(self.__instances, vars) :
+					utils.log("[*] Activated config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
+		elif event == "die" :
+			if id in self.__servers :
+				self.__servers[id].reload()
+				utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
+				if self.__config.deactivate(self.__instances, vars) :
+					utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
+		elif event == "destroy" or event == "remove" :
+			if id in self.__servers :
+				if self.__swarm :
+					utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
+					if self.__config.deactivate(self.__instances, vars) :
+						utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
+					else :
+						utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
+				del self.__servers[id]
+				utils.log("[*] Removing config for " + vars["SERVER_NAME"])
+				if self.__config.remove(vars) :
+					utils.log("[*] Removed config for " + vars["SERVER_NAME"])
+				else :
+					utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])

autoconf/Config.py

@@ -0,0 +1,209 @@
+#!/usr/bin/python3
+
+import utils
+import subprocess, shutil, os, traceback, requests, time
+
+class Config :
+
+	def __init__(self, swarm, api) :
+		self.__swarm = swarm
+		self.__api = api
+
+
+	def initconf(self, instances) :
+		try :
+			for instance_id, instance in instances.items() :
+				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				break
+			vars = {}
+			for var_value in env :
+				var = var_value.split("=")[0]
+				value = var_value.replace(var + "=", "", 1)
+				vars[var] = value
+
+			utils.log("[*] Generating global config ...")
+			if not self.globalconf(instances) :
+				utils.log("[!] Can't generate global config")
+				return False
+			utils.log("[*] Generated global config")
+
+			if "SERVER_NAME" in vars and vars["SERVER_NAME"] != "" :
+				for server in vars["SERVER_NAME"].split(" ") :
+					vars_site = vars.copy()
+					vars_site["SERVER_NAME"] = server
+					utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
+					if not self.generate(instances, vars_site) or not self.activate(instances, vars_site, reload=False) :
+						utils.log("[!] Can't generate/activate site config for " + server)
+						return False
+					utils.log("[*] Generated config for " + vars["SERVER_NAME"])
+			with open("/etc/nginx/autoconf", "w") as f :
+				f.write("ok")
+
+			utils.log("[*] Waiting for bunkerized-nginx tasks ...")
+			i = 1
+			started = False
+			while i <= 10 :
+				time.sleep(i)
+				if self.__ping(instances) :
+					started = True
+					break
+				i = i + 1
+				utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
+			if started :
+				utils.log("[*] bunkerized-nginx tasks started")
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
+				return proc.returncode == 0
+			else :
+				utils.log("[!] bunkerized-nginx tasks are not started")
+		except Exception as e :
+			utils.log("[!] Error while initializing config : " + str(e))
+		return False
+
+	def globalconf(self, instances) :
+		try :
+			for instance_id, instance in instances.items() :
+				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				break
+			vars = {}
+			for var_value in env :
+				var = var_value.split("=")[0]
+				value = var_value.replace(var + "=", "", 1)
+				vars[var] = value
+			proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/global-config.sh", "nginx"], env=vars, capture_output=True)
+			if proc.returncode == 0 :
+				return True
+			else :
+				utils.log("[*] Error while generating global config : return code = " + str(proc.returncode))
+		except Exception as e :
+			utils.log("[!] Exception while generating global config : " + str(e))
+		return False
+
+	def generate(self, instances, vars) :
+		try :
+			# Get env vars from bunkerized-nginx instances
+			vars_instances = {}
+			for instance_id, instance in instances.items() :
+				if self.__swarm :
+					env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
+				else :
+					env = instance.attrs["Config"]["Env"]
+				for var_value in env :
+					var = var_value.split("=")[0]
+					value = var_value.replace(var + "=", "", 1)
+					vars_instances[var] = value
+			vars_defaults = vars.copy()
+			vars_defaults.update(vars_instances)
+			vars_defaults.update(vars)
+			# Call site-config.sh to generate the config
+			proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " \"" + vars["SERVER_NAME"] + "\"", "nginx"], env=vars_defaults, capture_output=True)
+			if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" and self.__swarm :
+				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
+			if proc.returncode == 0 :
+				return True
+			utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + "  : return code = " + str(proc.returncode))
+		except Exception as e :
+			utils.log("[!] Exception while generating site config : " + str(e))
+		return False
+
+	def activate(self, instances, vars, reload=True) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Include the server conf
+			utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + first_server_name + "/server.conf;\n}")
+
+			# Reload
+			if not reload or self.reload(instances) :
+				return True
+
+		except Exception as e :
+			utils.log("[!] Exception while activating config : " + str(e))
+
+		return False
+
+	def deactivate(self, instances, vars) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Remove the include
+			utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + first_server_name + "/server.conf;\n", "")
+
+			# Reload
+			if self.reload(instances) :
+				return True
+
+		except Exception as e :
+			utils.log("[!] Exception while deactivating config : " + str(e))
+
+		return False
+
+	def remove(self, vars) :
+		try :
+			# Get first server name
+			first_server_name = vars["SERVER_NAME"].split(" ")[0]
+
+			# Check if file exists
+			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
+				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
+				return False
+
+			# Remove the folder
+			shutil.rmtree("/etc/nginx/" + first_server_name)
+			return True
+		except Exception as e :
+			utils.log("[!] Error while deactivating config : " + str(e))
+
+		return False
+
+	def reload(self, instances) :
+		return self.__api_call(instances, "/reload")
+
+	def __ping(self, instances) :
+		return self.__api_call(instances, "/ping")
+
+	def __api_call(self, instances, path) :
+		ret = True
+		for instance_id, instance in instances.items() :
+			# Reload the instance object just in case
+			instance.reload()
+			# Reload via API
+			if self.__swarm :
+				# Send POST request on http://serviceName.NodeID.TaskID:8000/action
+				name = instance.name
+				for task in instance.tasks() :
+					if task["Status"]["State"] != "running" :
+						continue
+					nodeID = task["NodeID"]
+					taskID = task["ID"]
+					fqdn = name + "." + nodeID + "." + taskID
+					req = False
+					try :
+						req = requests.post("http://" + fqdn + ":8080" + self.__api + path)
+					except :
+						pass
+					if req and req.status_code == 200 :
+						utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
+					else :
+						utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
+						ret = False
+			# Send SIGHUP to running instance
+			elif instance.status == "running" :
+				try :
+					instance.kill("SIGHUP")
+					utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
+				except docker.errors.APIError as e :
+					utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
+					ret = False
+		return ret

autoconf/Dockerfile

@@ -0,0 +1,45 @@
+FROM nginx:stable-alpine AS builder
+
+FROM alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/site/ /opt/confs/site
+COPY confs/global/ /opt/confs/global
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-amd64

@@ -0,0 +1,44 @@
+FROM nginx:stable-alpine AS builder
+
+FROM amd64/alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-arm32v7

@@ -0,0 +1,50 @@
+FROM alpine AS builder
+
+ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
+RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
+
+FROM nginx:stable-alpine AS builder2
+
+FROM arm32v7/alpine
+
+COPY --from=builder qemu-arm-static /usr/bin
+COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-arm64v8

@@ -0,0 +1,50 @@
+FROM alpine AS builder
+
+ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
+RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
+
+FROM nginx:stable-alpine AS builder2
+
+FROM arm64v8/alpine
+
+COPY --from=builder qemu-aarch64-static /usr/bin
+COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/Dockerfile-i386

@@ -0,0 +1,44 @@
+FROM nginx:stable-alpine AS builder
+
+FROM i386/alpine
+
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
+
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
+    pip3 install docker requests && \
+    mkdir /opt/entrypoint && \
+    mkdir -p /opt/confs/site && \
+    mkdir -p /opt/confs/global && \
+    mkdir /opt/scripts && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
+    mkdir /etc/letsencrypt && \
+    chown root:nginx /etc/letsencrypt && \
+    chmod 770 /etc/letsencrypt && \
+    mkdir /var/log/letsencrypt && \
+    chown root:nginx /var/log/letsencrypt && \
+    chmod 770 /var/log/letsencrypt && \
+    mkdir /var/lib/letsencrypt && \
+    chown root:nginx /var/lib/letsencrypt && \
+    chmod 770 /var/lib/letsencrypt && \
+    mkdir /cache && \
+    chown root:nginx /cache && \
+    chmod 770 /cache && \
+    touch /var/log/jobs.log && \
+    chown root:nginx /var/log/jobs.log && \
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 770 /acme-challenge
+
+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
+COPY scripts/* /opt/scripts/
+COPY confs/global/ /opt/confs/global
+COPY confs/site/ /opt/confs/site
+COPY entrypoint/* /opt/entrypoint/
+COPY autoconf/* /opt/entrypoint/
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
+
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/ReloadServer.py

@@ -0,0 +1,28 @@
+import socketserver, threading, utils, os, stat
+
+class ReloadServerHandler(socketserver.StreamRequestHandler):
+
+	def handle(self) :
+		try :
+			data = self.request.recv(512)
+			if not data :
+				return
+			with self.server.lock :
+				ret = self.server.autoconf.reload()
+			if ret :
+				self.request.sendall("ok".encode("utf-8"))
+			else :
+				self.request.sendall("ko".encode("utf-8"))
+		except Exception as e :
+			utils.log("Exception " + str(e))
+
+def run_reload_server(autoconf, lock) :
+	server = socketserver.UnixStreamServer("/tmp/autoconf.sock", ReloadServerHandler)
+	os.chown("/tmp/autoconf.sock", 0, 101)
+	os.chmod("/tmp/autoconf.sock", 0o770)
+	server.autoconf = autoconf
+	server.lock = lock
+	thread = threading.Thread(target=server.serve_forever)
+	thread.daemon = True
+	thread.start()
+	return (server, thread)

autoconf/app.py

@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+
+from AutoConf import AutoConf
+from ReloadServer import run_reload_server
+import utils
+import docker, os, stat, sys, select, threading
+
+# Connect to the endpoint
+endpoint = "/var/run/docker.sock"
+if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
+	utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
+	sys.exit(1)
+try :
+	client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
+except Exception as e :
+	utils.log("[!] Can't instantiate DockerClient : " + str(e))
+	sys.exit(2)
+
+# Check if we are in Swarm mode
+swarm = os.getenv("SWARM_MODE") == "yes"
+
+# Our object to process events
+api = ""
+if swarm :
+	api = os.getenv("API_URI")
+autoconf = AutoConf(swarm, api)
+lock = threading.Lock()
+if swarm :
+	(server, thread) = run_reload_server(autoconf, lock)
+
+# Get all bunkerized-nginx instances and web services created before
+try :
+	if swarm :
+		before = client.services.list(filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.services.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
+	else :
+		before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
+except docker.errors.APIError as e :
+	utils.log("[!] Docker API error " + str(e))
+	sys.exit(3)
+
+# Process them before events
+with lock :
+	autoconf.pre_process(before)
+
+# Process events received from Docker
+try :
+	utils.log("[*] Listening for Docker events ...")
+	for event in client.events(decode=True) :
+
+		# Process only container/service events
+		if (swarm and event["Type"] != "service") or (not swarm and event["Type"] != "container") :
+			continue
+
+		# Get Container/Service object
+		try :
+			if swarm :
+				id = service_id=event["Actor"]["ID"]
+				server = client.services.get(service_id=id)
+			else :
+				id = event["id"]
+				server = client.containers.get(id)
+		except docker.errors.NotFound as e :
+			server = autoconf.get_server(id)
+			if not server :
+				continue
+
+		# Process the event
+		with lock :
+			autoconf.process(server, event["Action"])
+
+except docker.errors.APIError as e :
+	utils.log("[!] Docker API error " + str(e))
+	sys.exit(4)

autoconf/entrypoint.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+echo "[*] Starting autoconf ..."
+
+# check permissions
+su -s "/opt/entrypoint/permissions.sh" nginx
+if [ "$?" -ne 0 ] ; then
+	exit 1
+fi
+
+if [ "$SWARM_MODE" = "yes" ] ; then
+	cp -r /opt/confs/nginx/* /etc/nginx
+	chown -R root:nginx /etc/nginx
+	chmod -R 770 /etc/nginx
+fi
+
+# trap SIGTERM and SIGINT
+function trap_exit() {
+	echo "[*] Catched stop operation"
+	echo "[*] Stopping crond ..."
+	pkill -TERM crond
+	echo "[*] Stopping python3 ..."
+	pkill -TERM python3
+	pkill -TERM tail
+}
+trap "trap_exit" TERM INT QUIT
+
+# remove old crontabs
+echo "" > /etc/crontabs/root
+
+# setup logrotate
+touch /var/log/jobs.log
+echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
+
+# start cron
+crond
+
+# run autoconf app
+/opt/entrypoint/app.py &
+
+# display logs
+tail -F /var/log/jobs.log &
+pid="$!"
+wait "$pid"
+
+# stop
+echo "[*] autoconf stopped"
+exit 0

autoconf/hooks/post_push

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v1.0.3/manifest-tool-linux-amd64
+chmod +x manifest-tool
+
+VERSION=$(cat VERSION | tr -d '\n')
+if [ "$SOURCE_BRANCH" = "dev" ] ; then
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:dev-ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:dev
+elif [ "$SOURCE_BRANCH" = "master" ] ; then
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:${VERSION}
+	./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:latest
+fi

autoconf/hooks/pre_build

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Register qemu-*-static for all supported processors except the
+# current one, but also remove all registered binfmt_misc before
+docker run --rm --privileged multiarch/qemu-user-static:register --reset

autoconf/misc/logrotate.conf

@@ -0,0 +1,23 @@
+/var/log/*.log /var/log/letsencrypt/*.log {
+	# compress old files using gzip
+	compress
+
+	# rotate everyday
+	daily
+
+	# remove old logs after X days
+	maxage 7
+	rotate 7
+
+	# no errors if a file is missing
+	missingok
+
+	# disable mailing
+	nomail
+
+	# mininum size of a logfile before rotating
+	minsize 10M
+
+	# make a copy and truncate the files
+	copytruncate
+}

autoconf/reload.py

@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import sys, socket, os
+
+if not os.path.exists("/tmp/autoconf.sock") :
+	sys.exit(1)
+
+try :
+	client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+	client.connect("/tmp/autoconf.sock")
+	client.send("reload".encode("utf-8"))
+	data = client.recv(512)
+	client.close()
+	if not data or data.decode("utf-8") != "ok" :
+		sys.exit(3)
+except Exception as e :
+	sys.exit(2)
+
+sys.exit(0)

autoconf/utils.py

@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+import datetime
+
+def log(event) :
+	print("[" + str(datetime.datetime.now().replace(microsecond=0)) + "] " + event, flush=True)
+
+def replace_in_file(file, old_str, new_str) :
+	with open(file) as f :
+		data = f.read()
+	data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
+	with open(file, "w") as f :
+		f.write(data)
+
+def install_cron(service, vars, crons) :
+	for var in vars :
+		if var in crons :
+			with open("/etc/crontabs/root", "a+") as f :
+				f.write(vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"])
+
+def uninstall_cron(service, vars, crons) :
+	for var in vars :
+		if var in crons :
+			replace_in_file("/etc/crontabs/root", vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"] + "\n", "")

compile.sh

@@ -30,7 +30,7 @@ function git_secure_clone() {
 NTASK=$(nproc)
 
 # install build dependencies
-apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg
+apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev
 
 # compile and install ModSecurity library
 cd /tmp
@@ -50,8 +50,9 @@ make install-strip
 cd /tmp
 git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
 cd coreruleset
-cp -r rules /etc/nginx/owasp-crs
+mkdir /opt/owasp
-cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
+cp -r rules /opt/owasp/crs
+cp crs-setup.conf.example /opt/owasp/crs.conf
 
 # get nginx modules
 cd /tmp
@@ -63,6 +64,8 @@ git_secure_clone https://github.com/openresty/headers-more-nginx-module.git d6d7
 git_secure_clone https://github.com/leev/ngx_http_geoip2_module.git 1cabd8a1f68ea3998f94e9f3504431970f848fbf
 # cookie
 git_secure_clone https://github.com/AirisX/nginx_cookie_flag_module.git c4ff449318474fbbb4ba5f40cb67ccd54dc595d4
+# brotli
+git_secure_clone https://github.com/google/ngx_brotli.git 9aec15e2aa6feea2113119ba06460af70ab3ea62
 
 # LUA requirements
 git_secure_clone https://github.com/openresty/luajit2.git fe32831adcb3f5fe9259a9ce404fc54e1399bba3
@@ -109,6 +112,34 @@ git_secure_clone https://github.com/ledgetech/lua-resty-http.git 984fdc260543763
 cd lua-resty-http
 make install
 cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+cd /tmp
+git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
+cd luasocket
+make -j $NTASK
+make CDIR_linux=lib/lua/5.1 LDIR_linux=lib/lua install
+cd /tmp
+git_secure_clone https://github.com/brunoos/luasec.git c6704919bdc85f3324340bdb35c2795a02f7d625
+cd luasec
+make linux -j $NTASK
+make LUACPATH=/usr/local/lib/lua/5.1 LUAPATH=/usr/local/lib/lua install
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
+cd lua-cs-bouncer
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+cd /tmp
+git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
+cd lua-resty-iputils
+make LUA_LIB_DIR=/usr/local/lib/lua install
+cd /tmp
 git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1
@@ -126,8 +157,8 @@ fi
 tar -xvzf nginx-${NGINX_VERSION}.tar.gz
 cd nginx-$NGINX_VERSION
 CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
-CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
+CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os}
-./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
+./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
 make -j $NTASK modules
 cp ./objs/*.so /usr/lib/nginx/modules
 

confs/auth-basic-sitewide.conf

@@ -1,2 +0,0 @@
-auth_basic "%AUTH_BASIC_TEXT%";
-auth_basic_user_file /etc/nginx/.htpasswd;

confs/block-user-agent.conf

@@ -1,3 +0,0 @@
-if ($bad_user_agent = yes) {
-	return 444;
-}

confs/geoip-server.conf

@@ -1,3 +0,0 @@
-if ($allowed_country = no) {
-	return 444;
-}

confs/global/api-temp.conf

@@ -0,0 +1,30 @@
+
+location ~ ^%API_URI%/ping {
+	return 444;
+}
+
+location ~ ^%API_URI% {
+
+rewrite_by_lua_block {
+	
+	local api = require "api"
+	local api_uri = "%API_URI%"
+
+	if api.is_api_call(api_uri) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}
+
+}

confs/global/api.conf

@@ -0,0 +1,21 @@
+rewrite_by_lua_block {
+	
+	local api = require "api"
+	local api_uri = "%API_URI%"
+
+	if api.is_api_call(api_uri) then
+		ngx.header.content_type = 'text/plain'
+		if api.do_api_call(api_uri) then
+			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
+			ngx.say("ok")
+		else
+			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
+			ngx.say("ko")
+		end
+
+		ngx.exit(ngx.HTTP_OK)
+
+	end
+
+	ngx.exit(ngx.OK)
+}

confs/global/crowdsec.conf

@@ -5,5 +5,5 @@ init_by_lua_block {
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 		error()
 	end
-	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+	ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")
 }

confs/global/geoip.conf

@@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb {
 }
 
 map $geoip2_data_country_code $allowed_country {
-	default yes;
+	default %DEFAULT%;
-	%BLOCK_COUNTRY%
+	%COUNTRY%
 }

confs/global/map-referrer.conf

@@ -0,0 +1 @@
+map $http_referer $bad_referrer { hostnames; default no; }

confs/global/map-user-agent.conf

@@ -0,0 +1 @@
+map $http_user_agent $bad_user_agent { default no; }

confs/global/multisite-default-server-https.conf

@@ -0,0 +1,11 @@
+listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+ssl_certificate /etc/nginx/default-cert.pem;
+ssl_certificate_key /etc/nginx/default-key.pem;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%SSL_DHPARAM%
+%SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs/global/multisite-default-server-lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs/global/multisite-default-server.conf

@@ -0,0 +1,6 @@
+server {
+	%LISTEN_HTTP%
+	server_name _;
+	%USE_HTTPS%
+	%MULTISITE_DISABLE_DEFAULT_SERVER%
+}

confs/global/multisite-disable-default-server.conf

@@ -0,0 +1,3 @@
+location / {
+	return 444;
+}

confs/global/nginx-temp.conf

@@ -0,0 +1,30 @@
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
+daemon on;
+
+pid /tmp/nginx-temp.pid;
+
+events {
+        worker_connections 1024;
+        use epoll;
+}
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	server {
+		listen 0.0.0.0:%HTTP_PORT% default_server;
+		server_name _;
+		location ~ ^/.well-known/acme-challenge/ {
+			root /acme-challenge;
+		}
+		%USE_API%
+		location / {
+			return 444;
+		}
+	}
+}

confs/global/nginx.conf

@@ -7,6 +7,8 @@ load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
 load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 
 # run as daemon
 daemon on;
@@ -45,15 +47,10 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 
-	# load gzip custom config
-	include /etc/nginx/gzip.conf;
-
-	# maximum request body size
-	client_max_body_size %MAX_CLIENT_SIZE%;
-
 	# write logs to local syslog
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
+	log_format logf '%LOG_FORMAT%';
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+	access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
+	error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice;
 
 	# temp paths
 	proxy_temp_path /tmp/proxy_temp;
@@ -62,9 +59,6 @@ http {
 	uwsgi_temp_path /tmp/uwsgi_temp;
 	scgi_temp_path /tmp/scgi_temp;
 
-	# load caching custom config
-	include /etc/nginx/cache.conf;
-
 	# close connections in FIN_WAIT1 state
 	reset_timedout_connection on;
 
@@ -74,14 +68,11 @@ http {
 	keepalive_timeout 15;
 	send_timeout 10;
 
-	# enable/disable sending nginx version
-	server_tokens %SERVER_TOKENS%;
-
 	# resolvers to use
 	resolver %DNS_RESOLVERS% ipv6=off;
 
-	# get real IP address if behind a reverse proxy
+	# remove ports when sending redirects
-        %PROXY_REAL_IP%
+	port_in_redirect off;
 
 	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
@@ -97,18 +88,30 @@ http {
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 
-	# server config
+	# shared memory zone for limit_conn
-	include /etc/nginx/server.conf;
+	%LIMIT_CONN_ZONE%
 
-	# list of blocked country
+	# whitelist or blacklist country
-	%BLOCK_COUNTRY%
+	%USE_COUNTRY%
 
-	# list of blocker user agents
+	# list of blocked user agents
 	%BLOCK_USER_AGENT%
 
-	# enable/disable ModSecurity
+	# list of blocked referrers
-	%USE_MODSECURITY%
+	%BLOCK_REFERRER%
+
+	# zone for proxy_cache
+	%PROXY_CACHE_PATH%
 
 	# custom http confs
 	include /http-confs/*.conf;
+
+	# default server when MULTISITE=yes
+	%MULTISITE_DEFAULT_SERVER%
+
+	# server config(s)
+	%INCLUDE_SERVER%
+
+	# API
+	%USE_API%
 }

confs/gzip.conf

@@ -1,9 +0,0 @@
-# /etc/nginx/gzip.conf
-
-# enable/disable gzip compression
-gzip %USE_GZIP%;
-gzip_comp_level %GZIP_COMP_LEVEL%;
-gzip_disable msie6;
-gzip_min_length %GZIP_MIN_LENGTH%;
-gzip_proxied any;
-gzip_types %GZIP_TYPES%;

confs/map-user-agent.conf

@@ -1,4 +0,0 @@
-map $http_user_agent $bad_user_agent {
-	default no;
-	%BLOCK_USER_AGENT%
-}

confs/modsecurity.conf

@@ -1,2 +0,0 @@
-modsecurity on;
-modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;

confs/site/antibot-captcha.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local img, res = captcha.get_challenge()
@@ -21,16 +22,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("captchares") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["captcha"] then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local captcha_user	= args["captcha"]
 			local check		= captcha.check(captcha_user, cookie.get("captchares"))
 			if not check then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
 				return ngx.redirect("%ANTIBOT_URI%")
 			end
 			cookie.set({captcha = "ok"})

confs/site/antibot-javascript.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie		= require "cookie"
 			local javascript	= require "javascript"
 			if not cookie.is_set("challenge") then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local challenge	= cookie.get("challenge")
@@ -20,16 +21,19 @@ location = %ANTIBOT_URI% {
 			local cookie		= require "cookie"
 			local javascript	= require "javascript"
 			if not cookie.is_set("challenge") then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["challenge"] then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local challenge		= args["challenge"]
 			local check		= javascript.check(cookie.get("challenge"), challenge)
 			if not check then
+				ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (4) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			cookie.set({javascript = "ok"})

confs/site/antibot-recaptcha.conf

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
@@ -19,17 +20,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["token"] then
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local token	= args["token"]
 			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
 			if check < %ANTIBOT_RECAPTCHA_SCORE% then
-				ngx.log(ngx.WARN, "client has recaptcha score of " .. tostring(check))
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			cookie.set({recaptcha = "ok"})

confs/site/auth-basic-sitewide.conf

@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file %NGINX_PREFIX%.htpasswd;

confs/site/auth-basic.conf

@@ -1,4 +1,4 @@
 location %AUTH_BASIC_LOCATION% {
 	auth_basic "%AUTH_BASIC_TEXT%";
-	auth_basic_user_file /etc/nginx/.htpasswd; 
+	auth_basic_user_file %NGINX_PREFIX%.htpasswd; 
 }

confs/site/brotli.conf

@@ -0,0 +1,4 @@
+brotli on;
+brotli_types %BROTLI_TYPES%;
+brotli_comp_level %BROTLI_COMP_LEVEL%;
+brotli_min_length %BROTLI_MIN_LENGTH%;

confs/site/client-cache.conf

@@ -0,0 +1,6 @@
+etag %CLIENT_CACHE_ETAG%;
+set $cache "";
+if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
+	set $cache "%CLIENT_CACHE_CONTROL%";
+}
+add_header Cache-Control $cache;

confs/site/fastcgi.conf

@@ -0,0 +1,25 @@
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

confs/site/gzip.conf

@@ -0,0 +1,4 @@
+gzip on;
+gzip_comp_level %GZIP_COMP_LEVEL%;
+gzip_min_length %GZIP_MIN_LENGTH%;
+gzip_types %GZIP_TYPES%;

confs/site/https.conf

@@ -2,10 +2,11 @@ listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols %HTTPS_PROTOCOLS%;
-ssl_prefer_server_ciphers off;
+ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 %STRICT_TRANSPORT_SECURITY%
 %SSL_DHPARAM%
 %SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs/site/lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs/site/limit-conn.conf

@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;

confs/site/main-lua.conf

@@ -3,8 +3,12 @@ set $session_check_addr on;
 
 access_by_lua_block {
 
+local use_lets_encrypt		= %USE_LETS_ENCRYPT%
 local use_whitelist_ip		= %USE_WHITELIST_IP%
 local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
+local use_user_agent		= %USE_USER_AGENT%
+local use_referrer		= %USE_REFERRER%
+local use_country		= %USE_COUNTRY%
 local use_blacklist_ip		= %USE_BLACKLIST_IP%
 local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
 local use_dnsbl			= %USE_DNSBL%
@@ -23,8 +27,10 @@ local javascript	= require "javascript"
 local captcha		= require "captcha"
 local recaptcha		= require "recaptcha"
 
--- antibot
+-- user variables
 local antibot_uri		= "%ANTIBOT_URI%"
+local whitelist_user_agent	= {%WHITELIST_USER_AGENT%}
+local whitelist_uri		= {%WHITELIST_URI%}
 
 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -61,6 +67,19 @@ if use_whitelist_reverse and not whitelist.reverse_cached() then
 	end
 end
 
+-- check if URI is whitelisted
+for k, v in pairs(whitelist_uri) do
+	if ngx.var.request_uri == v then
+		ngx.log(ngx.NOTICE, "[WHITELIST] URI " .. v .. " is whitelisted")
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if it's certbot
+if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
+	ngx.exit(ngx.OK)
+end
+
 -- check if IP is blacklisted (only if not in cache)
 if use_blacklist_ip and not blacklist.ip_cached() then
 	if blacklist.check_ip() then
@@ -75,6 +94,34 @@ if use_blacklist_reverse and not blacklist.reverse_cached() then
 	end
 end
 
+-- check if user-agent is allowed
+if use_user_agent and ngx.var.bad_user_agent == "yes" then
+	local block = false
+	for k, v in pairs(whitelist_user_agent) do
+		if string.match(ngx.var.http_user_agent, v) then
+			ngx.log(ngx.NOTICE, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
+			block = false
+			break
+		end
+	end
+	if block then
+		ngx.log(ngx.NOTICE, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if referrer is allowed
+if use_referrer and ngx.var.bad_referrer == "yes" then
+	ngx.log(ngx.NOTICE, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if country is allowed
+if use_country and ngx.var.allowed_country == "no" then
+	ngx.log(ngx.NOTICE, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
 -- check if IP is in DNSBLs (only if not in cache)
 if use_dnsbl and not dnsbl.cached() then
 	if dnsbl.check() then
@@ -89,7 +136,7 @@ if use_crowdsec then
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 	end
 	if not ok then
-		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.log(ngx.NOTICE, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
@@ -101,6 +148,7 @@ if use_antibot_cookie then
 			cookie.set({uri = ngx.var.request_uri})
 			return ngx.redirect(antibot_uri)
 		end
+		ngx.log(ngx.NOTICE, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
 		return ngx.exit(ngx.HTTP_FORBIDDEN)
 	else
 		if ngx.var.request_uri == antibot_uri then
@@ -122,7 +170,7 @@ end
 -- captcha check
 if use_antibot_captcha then
 	if not cookie.is_set("captcha") then
-		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
+		if ngx.var.request_uri ~= antibot_uri then
 			cookie.set({uri = ngx.var.request_uri})
 			return ngx.redirect(antibot_uri)
 		end
@@ -132,7 +180,7 @@ end
 -- recaptcha check
 if use_antibot_recaptcha then
 	if not cookie.is_set("recaptcha") then
-		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
+		if ngx.var.request_uri ~= antibot_uri then
 			cookie.set({uri = ngx.var.request_uri})
 			return ngx.redirect(antibot_uri)
 		end

confs/site/modsecurity-rules.conf

@@ -50,7 +50,6 @@ SecResponseBodyLimitAction ProcessPartial
 
 # log usefull stuff
 SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log
 

confs/site/modsecurity.conf

@@ -0,0 +1,2 @@
+modsecurity on;
+modsecurity_rules_file %MODSEC_RULES_FILE%;

confs/site/open-file-cache.conf

@@ -0,0 +1,4 @@
+open_file_cache %OPEN_FILE_CACHE%;
+open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
+open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
+open_file_cache_valid %OPEN_FILE_CACHE_VALID%;

confs/site/permissions-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";

confs/site/php.conf

@@ -1,5 +1,4 @@
 location ~ \.php$ {
 	fastcgi_pass      %REMOTE_PHP%:9000;
 	fastcgi_index     index.php;
-	include           fastcgi.conf;
 }

confs/site/proxy-cache.conf

@@ -0,0 +1,7 @@
+proxy_cache proxycache;
+proxy_cache_methods %PROXY_CACHE_METHODS%;
+proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
+proxy_cache_key %PROXY_CACHE_KEY%;
+proxy_no_cache %PROXY_NO_CACHE%;
+proxy_cache_bypass %PROXY_CACHE_BYPASS%;
+%PROXY_CACHE_VALID%

confs/site/reverse-proxy-headers.conf

@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Host $http_host;

confs/site/reverse-proxy.conf

@@ -0,0 +1,7 @@
+location %REVERSE_PROXY_URL% {
+	etag off;
+	proxy_pass %REVERSE_PROXY_HOST%;
+	%REVERSE_PROXY_HEADERS%
+	%REVERSE_PROXY_WS%
+	%REVERSE_PROXY_CUSTOM_HEADERS%
+}

confs/site/server.conf

@@ -1,6 +1,11 @@
+%PRE_SERVER_CONF%
+
 server {
-	include /server-confs/*.conf;
+	%FASTCGI_PATH%
-	include /etc/nginx/main-lua.conf;
+	%SERVER_CONF%
+	%PROXY_REAL_IP%
+	%MAIN_LUA%
+	%USE_MODSECURITY%
 	%LISTEN_HTTP%
 	%USE_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
@@ -12,21 +17,29 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
+	%LIMIT_CONN%
 	%AUTH_BASIC%
-	%USE_PHP%
+	%REMOVE_HEADERS%
-	%HEADER_SERVER%
 	%X_FRAME_OPTIONS%
 	%X_XSS_PROTECTION%
 	%X_CONTENT_TYPE_OPTIONS%
 	%CONTENT_SECURITY_POLICY%
 	%REFERRER_POLICY%
 	%FEATURE_POLICY%
-	%BLOCK_COUNTRY%
+	%PERMISSIONS_POLICY%
-	%BLOCK_USER_AGENT%
 	%BLOCK_TOR_EXIT_NODE%
 	%BLOCK_PROXIES%
 	%BLOCK_ABUSERS%
 	%COOKIE_FLAGS%
 	%ERRORS%
 	%USE_FAIL2BAN%
+	%USE_CLIENT_CACHE%
+	%USE_GZIP%
+	%USE_BROTLI%
+	client_max_body_size %MAX_CLIENT_SIZE%;
+	server_tokens %SERVER_TOKENS%;
+	%USE_OPEN_FILE_CACHE%
+	%USE_PROXY_CACHE%
+	%USE_REVERSE_PROXY%
+	%USE_PHP%
 }

crowdsec/install.sh

@@ -1,63 +0,0 @@
-#!/bin/sh
-
-function git_secure_clone() {
-	repo="$1"
-	commit="$2"
-	folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
-	git clone "$repo"
-	cd "$folder"
-	git checkout "${commit}^{commit}"
-	if [ $? -ne 0 ] ; then
-		echo "[!] Commit hash $commit is absent from repository $repo !"
-		exit 1
-	fi
-	cd ..
-}
-
-NTASK=$(nproc)
-
-# install build dependencies
-apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
-
-# build and install crowdsec
-cd /tmp
-git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
-cd crowdsec
-make -j $NTASK build
-./wizard.sh --bininstall
-sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
-sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
-
-# install nginx collection
-cscli update
-cscli install collection crowdsecurity/nginx
-sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
-sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
-
-# build and install luasql
-cd /tmp
-git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
-cd luasql
-make -j $NTASK sqlite3 mysql
-mkdir /usr/local/lib/lua/5.1/luasql
-cp src/*.so /usr/local/lib/lua/5.1/luasql
-
-# install lualogging
-cd /tmp
-git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
-cd lualogging
-cp -r src/* /usr/local/lib/lua
-
-# install cs-lua-lib
-cd /tmp
-git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
-cd cs-lua-lib
-mkdir /usr/local/lib/lua/crowdsec
-cp lib/*.lua /usr/local/lib/lua/crowdsec
-cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
-rm /usr/local/lib/lua/crowdsec/lrucache.lua
-sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
-sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
-
-# remove build dependencies
-apk del build

entrypoint.sh

@@ -1,644 +0,0 @@
-#!/bin/sh
-
-echo "[*] Starting bunkerized-nginx ..."
-
-# execute custom scripts if it's a customized image
-for file in /entrypoint.d/* ; do
-    [ -f "$file" ] && [ -x "$file" ] && "$file"
-done
-
-# trap SIGTERM and SIGINT
-function trap_exit() {
-	echo "[*] Catched stop operation"
-	echo "[*] Stopping crond ..."
-	pkill -TERM crond
-	if [ "$USE_FAIL2BAN" = "yes" ] ; then
-		echo "[*] Stopping fail2ban"
-		fail2ban-client stop > /dev/null
-	fi
-	echo "[*] Stopping nginx ..."
-	/usr/sbin/nginx -s stop
-	echo "[*] Stopping rsyslogd ..."
-	pkill -TERM rsyslogd
-	pkill -TERM tail
-}
-trap "trap_exit" TERM INT
-
-# replace pattern in file
-function replace_in_file() {
-	# escape slashes
-	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
-	replace=$(echo "$3" | sed "s/\//\\\\\//g")
-	sed -i "s/$pattern/$replace/g" "$1"
-}
-
-# convert space separated values to LUA
-function spaces_to_lua() {
-	for element in $1 ; do
-		if [ "$result" = "" ] ; then
-			result="\"${element}\""
-		else
-			result="${result}, \"${element}\""
-		fi
-	done
-	echo "$result"
-}
-
-# copy stub confs
-cp /opt/confs/* /etc/nginx
-cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
-cp /opt/logs/logrotate.conf /etc/logrotate.conf
-cp -r /opt/lua/* /usr/local/lib/lua
-
-# remove cron jobs
-echo "" > /etc/crontabs/root
-
-# set default values
-HTTP_PORT="${HTTP_PORT-8080}"
-HTTPS_PORT="${HTTPS_PORT-8443}"
-MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
-SERVER_TOKENS="${SERVER_TOKENS-off}"
-CACHE="${CACHE-max=1000 inactive=60s}"
-CACHE_ERRORS="${CACHE_ERRORS-on}"
-CACHE_USES="${CACHE_USES-1}"
-CACHE_VALID="${CACHE_VALID-60s}"
-#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
-#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}"
-#CLIENT_CACHE_CONTROL=
-USE_GZIP="${USE_GZIP-off}"
-GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}"
-GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}"
-GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
-REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
-HEADER_SERVER="${HEADER_SERVER-no}"
-X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
-X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
-X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
-REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
-FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
-DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
-SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
-ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
-BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
-BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
-BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
-BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
-BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
-AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
-HTTP2="${HTTP2-yes}"
-HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
-STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
-USE_MODSECURITY="${USE_MODSECURITY-yes}"
-USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
-CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
-COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
-COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
-SERVE_FILES="${SERVE_FILES-yes}"
-WRITE_ACCESS="${WRITE_ACCESS-no}"
-REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
-LISTEN_HTTP="${LISTEN_HTTP-yes}"
-USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
-FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
-FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
-FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
-FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
-USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
-USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
-CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
-USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
-AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
-AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
-AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
-AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
-USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
-ROOT_FOLDER="${ROOT_FOLDER-/www}"
-LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
-LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
-DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
-USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
-WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
-USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
-WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
-USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
-BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
-USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
-BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
-USE_DNSBL="${USE_DNSBL-yes}"
-DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
-USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
-LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
-LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
-LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
-PROXY_REAL_IP="${PROXY_REAL_IP-no}"
-PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
-PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
-PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
-GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
-SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
-SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
-SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
-SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
-SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
-SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
-SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
-ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
-USE_ANTIBOT="${USE_ANTIBOT-no}"
-ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
-ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
-USE_CROWDSEC="${USE_CROWDSEC-no}"
-
-# install additional modules if needed
-if [ "$ADDITIONAL_MODULES" != "" ] ; then
-	apk add $ADDITIONAL_MODULES
-fi
-
-# replace values
-replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
-replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
-replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
-replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
-replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
-replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
-replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
-replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
-replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
-replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
-if [ "$REMOTE_PHP" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
-	replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
-	replace_in_file "/etc/nginx/fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
-else
-	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
-fi
-if [ "$HEADER_SERVER" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
-else
-	replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
-fi
-if [ "$X_FRAME_OPTIONS" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
-	replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
-else
-	replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
-fi
-if [ "$X_XSS_PROTECTION" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
-	replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
-else
-	replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
-fi
-if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
-	replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
-else
-	replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
-fi
-if [ "$REFERRER_POLICY" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
-	replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
-else
-	replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
-fi
-if [ "$FEATURE_POLICY" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
-	replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
-else
-	replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
-fi
-if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
-	SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
-	replace_in_file "/etc/nginx/disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
-else
-	replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" ""
-fi
-replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
-replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
-if [ "$BLOCK_COUNTRY" != "" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
-	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
-	echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
-	if [ ! -f /etc/nginx/geoip.mmdb ] ; then
-		/opt/scripts/geoip.sh
-	fi
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
-fi
-if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
-	/opt/scripts/user-agents.sh &
-	echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
-else
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
-fi
-if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
-	/opt/scripts/exit-nodes.sh &
-	echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
-else
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
-fi
-if [ "$BLOCK_PROXIES" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
-	/opt/scripts/proxies.sh &
-	echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
-else
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
-fi
-if [ "$BLOCK_ABUSERS" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
-	/opt/scripts/abusers.sh &
-	echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
-else
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
-fi
-
-# HTTPS config
-if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
-	replace_in_file "/etc/nginx/https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
-	if [ "$HTTP2" = "yes" ] ; then
-		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
-	else
-		replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
-	fi
-	replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
-	if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
-		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
-		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
-	else
-		replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
-		replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
-	fi
-	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
-		replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
-	else
-		replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
-	fi
-	if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
-		FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
-		DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
-		EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
-		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
-		replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
-		if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
-			/opt/scripts/certbot-renew.sh
-		else
-			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
-		fi
-		echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
-	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
-		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
-		replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
-	elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
-		mkdir /etc/nginx/self-signed-ssl/
-                openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-		replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
-                replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
-	fi
-else
-	replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
-fi
-
-if [ "$LISTEN_HTTP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
-else
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
-fi
-
-if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
-else
-	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
-fi
-
-if [ "$USE_MODSECURITY" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
-	if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
-	else
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
-	fi
-	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
-		if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
-			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
-		else
-			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
-		fi
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
-	else
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
-		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
-	fi
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
-fi
-if [ "$PROXY_REAL_IP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
-	froms=""
-	for from in $PROXY_REAL_IP_FROM ; do
-		froms="${froms}set_real_ip_from ${from};\n"
-	done
-	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
-	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
-	replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
-fi
-
-
-ERRORS=""
-for var in $(env) ; do
-	var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
-	if [ "z${var_name}" = "zERROR" ] ; then
-		err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
-		err_page=$(echo "$var" | cut -d '=' -f 2)
-		cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
-		replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
-		replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
-		replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
-		ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
-	fi
-done
-if [ "$ERRORS" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
-else
-	replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
-fi
-if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
-        replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;"
-        replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
-else
-        replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
-fi
-if [ "$COOKIE_FLAGS" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
-	if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
-		if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
-			COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
-		fi
-	fi
-	replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
-else
-        replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
-fi
-if [ "$SERVE_FILES" = "yes" ] ; then
-        replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;"
-        replace_in_file "/etc/nginx/serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
-else
-        replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
-fi
-if [ "$USE_AUTH_BASIC" = "yes" ] ; then
-	if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
-		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
-		replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
-	else
-		replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
-		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
-		replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
-	fi
-	htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
-else
-	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
-fi
-
-# DNS resolvers
-resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
-replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
-replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
-
-# whitelist IP
-if [ "$USE_WHITELIST_IP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "true"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "false"
-fi
-list=$(spaces_to_lua "$WHITELIST_IP_LIST")
-replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
-
-# whitelist rDNS
-if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
-fi
-list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
-replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
-
-# blacklist IP
-if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "true"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "false"
-fi
-list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
-replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
-
-# blacklist rDNS
-if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
-fi
-list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
-replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
-
-# DNSBL
-if [ "$USE_DNSBL" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "true"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "false"
-fi
-list=$(spaces_to_lua "$DNSBL_LIST")
-replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
-
-# antibot uri and session secret
-replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
-if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
-	ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
-fi
-replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
-
-# antibot via cookie
-if [ "$USE_ANTIBOT" = "cookie" ] ; then
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
-# antibot via javascript
-elif [ "$USE_ANTIBOT" = "javascript" ] ; then
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
-	replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
-# antibot via captcha
-elif [ "$USE_ANTIBOT" = "captcha" ] ; then
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include /etc/nginx/antibot-captcha.conf;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
-	replace_in_file "/etc/nginx/antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
-# antibot via recaptcha
-elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include /etc/nginx/antibot-recaptcha.conf;"
-	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
-	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
-	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
-	replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
-else
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
-fi
-
-if [ "$USE_LIMIT_REQ" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
-	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
-	replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
-	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
-fi
-
-# fail2ban setup
-if [ "$USE_FAIL2BAN" = "yes" ] ; then
-	echo "" > /etc/nginx/fail2ban-ip.conf
-	rm -rf /etc/fail2ban/jail.d/*.conf
-	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
-	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
-	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
-	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
-	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
-else
-	replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
-fi
-
-# clamav setup
-if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	echo "[*] Updating clamav (in background) ..."
-	freshclam > /dev/null 2>&1 &
-	echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
-fi
-if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
-	replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include /etc/nginx/modsecurity-clamav.conf"
-else
-	replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
-fi
-if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
-		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
-	else
-		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
-	fi
-fi
-
-# CrowdSec setup
-if [ "$USE_CROWDSEC" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
-	cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
-	cscli api register >> /etc/crowdsec/config/api.yaml
-	cscli api pull
-	echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
-else
-	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
-	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
-fi
-
-# edit access if needed
-if [ "$WRITE_ACCESS" = "yes" ] ; then
-	chown -R root:nginx /www
-	chmod g+w -R /www
-fi
-
-# start rsyslogd
-rsyslogd
-
-# start crond
-crond
-
-# create empty logs
-touch /var/log/access.log
-touch /var/log/error.log
-
-# fix nginx configs rights (and modules through the symlink)
-chown -R root:nginx /etc/nginx/
-chmod -R 740 /etc/nginx/
-find /etc/nginx -type d -exec chmod 750 {} \;
-
-# fix let's encrypt rights
-if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
-	chown -R root:nginx /etc/letsencrypt
-	chmod -R 740 /etc/letsencrypt
-	find /etc/letsencrypt -type d -exec chmod 750 {} \;
-fi
-
-# start nginx
-echo "[*] Running nginx ..."
-su -s "/usr/sbin/nginx" nginx
-
-# start fail2ban
-if [ "$USE_FAIL2BAN" = "yes" ] ; then
-	fail2ban-server > /dev/null
-fi
-
-# start crowdsec
-if [ "$USE_CROWDSEC" = "yes" ] ; then
-	crowdsec
-fi
-
-# setup logrotate
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
-echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
-
-# display logs
-LOGS="/var/log/access.log /var/log/error.log"
-if [ "$USE_FAIL2BAN" = "yes" ] ; then
-	LOGS="$LOGS /var/log/fail2ban.log"
-fi
-tail -F $LOGS &
-wait $!
-
-# sigterm trapped
-echo "[*] bunkerized-nginx stopped"
-exit 0

entrypoint/clamav.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# clamav setup
+if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
+	echo "[*] Updating clamav (in background) ..."
+	freshclam > /dev/null 2>&1 &
+	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
+fi
+if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
+	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
+        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
+        else
+		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
+        fi
+fi

entrypoint/defaults.sh

@@ -0,0 +1,132 @@
+#!/bin/bash
+
+MULTISITE="${MULTISITE-no}"
+LOG_FORMAT="${LOG_FORMAT-\$host \$remote_addr - \$remote_user [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
+HTTP_PORT="${HTTP_PORT-8080}"
+HTTPS_PORT="${HTTPS_PORT-8443}"
+MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
+SERVER_TOKENS="${SERVER_TOKENS-off}"
+USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
+CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
+CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
+CLIENT_CACHE_ETAG="${CLIENT_CACHE_ETAG-on}"
+USE_OPEN_FILE_CACHE="${USE_OPEN_FILE_CACHE-no}"
+OPEN_FILE_CACHE="${OPEN_FILE_CACHE-max=1000 inactive=20s}"
+OPEN_FILE_CACHE_ERRORS="${OPEN_FILE_CACHE_ERRORS-on}"
+OPEN_FILE_CACHE_MIN_USES="${OPEN_FILE_CACHE_MIN_USES-2}"
+OPEN_FILE_CACHE_VALID="${OPEN_FILE_CACHE_VALID-30s}"
+USE_PROXY_CACHE="${USE_PROXY_CACHE-no}"
+PROXY_CACHE_PATH_ZONE_SIZE="${PROXY_CACHE_PATH_ZONE_SIZE-10m}"
+PROXY_CACHE_PATH_PARAMS="${PROXY_CACHE_PATH_PARAMS-max_size=100m}"
+PROXY_CACHE_METHODS="${PROXY_CACHE_METHODS-GET HEAD}"
+PROXY_CACHE_MIN_USES="${PROXY_CACHE_MIN_USES-2}"
+PROXY_CACHE_KEY="${PROXY_CACHE_KEY-\$scheme\$host\$request_uri}"
+PROXY_CACHE_VALID="${PROXY_CACHE_VALID-200=10m 301=10m 302=1h}"
+PROXY_NO_CACHE="${PROXY_NO_CACHE-\$http_authorization}"
+PROXY_CACHE_BYPASS="${PROXY_CACHE_BYPASS-\$http_authorization}"
+USE_GZIP="${USE_GZIP-no}"
+GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-5}"
+GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-1000}"
+GZIP_TYPES="${GZIP_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
+USE_BROTLI="${USE_BROTLI-no}"
+BROTLI_COMP_LEVEL="${BROTLI_COMP_LEVEL-6}"
+BROTLI_MIN_LENGTH="${BROTLI_MIN_LENGTH-1000}"
+BROTLI_TYPES="${BROTLI_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
+REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
+USE_REVERSE_PROXY="${USE_REVERSE_PROXY-no}"
+REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version}"
+X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
+X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
+X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
+REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
+PERMISSIONS_POLICY="${PERMISSIONS_POLICY-accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()}"
+FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
+DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
+SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
+ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
+BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
+WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
+BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-30 0 * * *}"
+BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
+BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-45 0 * * *}"
+BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
+BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-0 */1 * * *}"
+BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
+BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-0 3 * * *}"
+BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
+BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-0 2 * * *}"
+AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
+AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-15 0 * * *}"
+HTTP2="${HTTP2-yes}"
+HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
+STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
+USE_MODSECURITY="${USE_MODSECURITY-yes}"
+USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
+CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
+COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
+COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
+SERVE_FILES="${SERVE_FILES-yes}"
+WRITE_ACCESS="${WRITE_ACCESS-no}"
+REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
+LISTEN_HTTP="${LISTEN_HTTP-yes}"
+USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
+FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
+FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
+FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
+FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
+FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
+USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
+USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
+USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-30 1 * * *}"
+CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 1 * * *}"
+CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
+USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
+AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
+AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
+AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
+AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
+USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
+ROOT_FOLDER="${ROOT_FOLDER-/www}"
+LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
+LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
+LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
+DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
+USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
+WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
+USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
+WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
+USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
+BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
+USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
+BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
+USE_DNSBL="${USE_DNSBL-yes}"
+DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
+USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
+LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
+LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
+LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
+LIMIT_CONN_MAX="${LIMIT_CONN_MAX-50}"
+LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
+PROXY_REAL_IP="${PROXY_REAL_IP-no}"
+PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
+PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
+PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
+GEOIP_CRON="${GEOIP_CRON-0 4 2 * *}"
+GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
+SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
+SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
+SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
+SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
+SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
+SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
+SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
+ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
+USE_ANTIBOT="${USE_ANTIBOT-no}"
+ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
+ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
+USE_CROWDSEC="${USE_CROWDSEC-no}"
+USE_API="${USE_API-no}"
+API_URI="${API_URI-random}"
+API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
+SWARM_MODE="${SWARM_MODE-no}"

entrypoint/entrypoint.sh

@@ -0,0 +1,164 @@
+#!/bin/bash
+
+# load default values
+. ./opt/entrypoint/defaults.sh
+
+echo "[*] Starting bunkerized-nginx ..."
+
+# execute custom scripts if it's a customized image
+for file in /entrypoint.d/* ; do
+    [ -f "$file" ] && [ -x "$file" ] && "$file"
+done
+
+# trap SIGTERM and SIGINT
+function trap_exit() {
+	echo "[*] Catched stop operation"
+	echo "[*] Stopping crond ..."
+	pkill -TERM crond
+	if [ "$USE_FAIL2BAN" = "yes" ] ; then
+		echo "[*] Stopping fail2ban"
+		fail2ban-client stop > /dev/null
+	fi
+	echo "[*] Stopping nginx ..."
+	/usr/sbin/nginx -s stop
+	echo "[*] Stopping rsyslogd ..."
+	pkill -TERM rsyslogd
+	pkill -TERM tail
+}
+trap "trap_exit" TERM INT QUIT
+
+# trap SIGHUP
+function trap_reload() {
+	echo "[*] Catched reload operation"
+	if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
+		/opt/entrypoint/multisite-config.sh
+	fi
+	if [ -f /tmp/nginx.pid ] ; then
+		echo "[*] Reloading nginx ..."
+		nginx -s reload
+		if [ $? -eq 0 ] ; then
+			echo "[*] Reload successfull"
+		else
+			echo "[!] Reload failed"
+		fi
+	else
+		echo "[!] Ignored reload operation because nginx is not running"
+	fi
+}
+trap "trap_reload" HUP
+
+# do the configuration magic if needed
+if [ ! -f "/opt/installed" ] ; then
+
+	echo "[*] Configuring bunkerized-nginx ..."
+
+	# check permissions
+	if [ "$SWARM_MODE" = "no" ] ; then
+		/opt/entrypoint/permissions.sh
+	else
+		/opt/entrypoint/permissions-swarm.sh
+	fi
+	if [ "$?" -ne 0 ] ; then
+		exit 1
+	fi
+
+	# logs config
+	/opt/entrypoint/logs.sh
+
+	# lua config
+	# TODO : move variables from /usr/local/lib/lua + multisite support ?
+	/opt/entrypoint/lua.sh
+
+	# fail2ban config
+	/opt/entrypoint/fail2ban.sh
+
+	# clamav config
+	/opt/entrypoint/clamav.sh
+
+	# start temp nginx to solve Let's Encrypt challenges if needed
+	/opt/entrypoint/nginx-temp.sh
+
+	# only do config if we are not in swarm mode
+	if [ "$SWARM_MODE" = "no" ] ; then
+		# global config
+		/opt/entrypoint/global-config.sh
+		# background jobs
+		/opt/entrypoint/jobs.sh
+		# multisite configs
+		if [ "$MULTISITE" = "yes" ] ; then
+			for server in $SERVER_NAME ; do
+				/opt/entrypoint/site-config.sh "$server"
+				echo "[*] Multi site - $server configuration done"
+			done
+			/opt/entrypoint/multisite-config.sh
+		# singlesite config
+		else
+			/opt/entrypoint/site-config.sh
+			echo "[*] Single site - $SERVER_NAME configuration done"
+		fi
+	fi
+
+	touch /opt/installed
+else
+	echo "[*] Skipping configuration process"
+fi
+
+# start rsyslogd
+rsyslogd -i /tmp/rsyslogd.pid
+
+# start crond
+crond
+
+# wait until config has been generated if we are in swarm mode
+if [ "$SWARM_MODE" = "yes" ] ; then
+	echo "[*] Waiting until config has been generated ..."
+	while [ ! -f "/etc/nginx/autoconf" ] ; do
+		sleep 1
+	done
+fi
+
+# stop temp config if needed
+if [ -f "/tmp/nginx-temp.pid" ] ; then
+	nginx -c /tmp/nginx-temp.conf -s quit
+fi
+
+# run nginx
+echo "[*] Running nginx ..."
+nginx
+if [ "$?" -eq 0 ] ; then
+	echo "[*] nginx successfully started !"
+else
+	echo "[!] nginx failed to start"
+fi
+
+# list of log files to display
+LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/modsec_audit.log"
+
+# start fail2ban
+if [ "$USE_FAIL2BAN" = "yes" ] ; then
+	echo "[*] Running fail2ban ..."
+	fail2ban-server > /dev/null
+	LOGS="$LOGS /var/log/fail2ban.log"
+fi
+
+# autotest
+if [ "$1" == "test" ] ; then
+	sleep 10
+	echo -n "autotest" > /www/index.html
+	check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
+	if [ "$check" == "autotest" ] ; then
+		exit 0
+	fi
+	exit 1
+fi
+
+# display logs
+tail -F $LOGS &
+pid="$!"
+while [ -f "/tmp/nginx.pid" ] ; do
+	wait "$pid"
+done
+
+# sigterm trapped
+echo "[*] bunkerized-nginx stopped"
+exit 0

entrypoint/fail2ban.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# fail2ban setup
+if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
+	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
+	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
+	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
+	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
+	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
+fi

entrypoint/global-config.sh

@@ -0,0 +1,226 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# copy stub confs
+cp /opt/confs/global/* /etc/nginx/
+
+# include server block(s)
+if [ "$SWARM_MODE" = "no" ] ; then
+	if [ "$MULTISITE" = "yes" ] ; then
+		includes=""
+		for server in $SERVER_NAME ; do
+			includes="${includes}include /etc/nginx/${server}/server.conf;\n"
+		done
+		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
+	else
+		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
+	fi
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
+fi
+
+# setup default server block if multisite
+if [ "$MULTISITE" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;"
+	if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" ""
+	fi
+	if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;"
+		replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
+		if [ "$(has_value HTTP2 yes)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" ""
+		fi
+		replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+		if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" ""
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
+		fi
+		openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+		if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
+		fi
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" ""
+	fi
+	if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
+	fi
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" ""
+fi
+
+# custom log format
+replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT"
+
+# proxy_cache zone
+if [ "$(has_value USE_PROXY_CACHE yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" "proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:${PROXY_CACHE_PATH_ZONE_SIZE} ${PROXY_CACHE_PATH_PARAMS};"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%PROXY_CACHE_PATH%" ""
+fi
+
+# let's encrypt setup
+if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
+	if [ "$MULTISITE" = "no" ] ; then
+		FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
+		DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
+		EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
+		if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
+			echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..."
+			/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
+		fi
+	fi
+	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
+fi
+
+# self-signed certificate
+if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
+	mkdir /etc/nginx/self-signed-ssl/
+        openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+fi
+
+# country ban/whitelist
+if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;"
+	if [ "$WHITELIST_COUNTRY" != "" ] ; then
+		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no"
+		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;"
+	else
+		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
+		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
+	fi
+	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
+fi
+
+# block bad UA
+if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
+	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
+fi
+
+# block bad refferer
+if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
+	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
+fi
+
+# block TOR exit nodes
+if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
+	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
+fi
+
+# block proxies
+if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
+	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
+fi
+
+# block abusers
+if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
+	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
+fi
+
+# DNS resolvers
+replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
+
+# whitelist IP
+if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
+fi
+
+# whitelist rDNS
+if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
+fi
+
+# blacklist IP
+if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
+fi
+
+# blacklist rDNS
+if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
+fi
+
+# request limiting
+if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
+fi
+
+# connection limiting
+if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
+fi
+
+# DNSBL
+if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
+fi
+
+# disable default site
+if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
+	replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
+else
+	replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
+fi
+
+# fail2ban setup
+if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
+	echo "" > /etc/nginx/fail2ban-ip.conf
+fi
+
+# CrowdSec setup
+if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
+fi
+
+# API
+if [ "$USE_API" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "include /etc/nginx/api.conf;"
+	if [ "$API_URI" = "random" ] ; then
+		API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+		echo "[*] Generated API URI : $API_URI"
+	fi
+	replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
+fi

entrypoint/jobs.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# load default values
+. ./opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# GeoIP
+if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+	if [ -f "/cache/geoip.mmdb" ] ; then
+		echo "[*] Copying cached geoip.mmdb ..."
+		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
+	else
+		echo "[*] Downloading GeoIP database (in background) ..."
+		/opt/scripts/geoip.sh > /dev/null 2>&1 &
+	fi
+fi
+
+# User-Agents
+if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
+	if [ -f "/cache/map-user-agent.conf" ] ; then
+		echo "[*] Copying cached map-user-agent.conf ..."
+		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
+	else
+		echo "[*] Downloading bad user-agent list (in background) ..."
+		/opt/scripts/user-agents.sh > /dev/null 2>&1 &
+	fi
+fi
+
+# Referrers
+if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
+	if [ -f "/cache/map-referrer.conf" ] ; then
+		echo "[*] Copying cached map-referrer.conf ..."
+		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
+	else
+		echo "[*] Downloading bad referrer list (in background) ..."
+		/opt/scripts/referrers.sh > /dev/null 2>&1 &
+	fi
+fi
+
+# exit nodes
+if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
+	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
+		echo "[*] Copying cached block-tor-exit-node.conf ..."
+		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
+	else
+		echo "[*] Downloading tor exit nodes list (in background) ..."
+		/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
+	fi
+fi
+
+# proxies
+if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
+	if [ -f "/cache/block-proxies.conf" ] ; then
+		echo "[*] Copying cached block-proxies.conf ..."
+		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
+	else
+		echo "[*] Downloading proxies list (in background) ..."
+		/opt/scripts/proxies.sh > /dev/null 2>&1 &
+	fi
+fi
+
+# abusers
+if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
+	if [ -f "/cache/block-abusers.conf" ] ; then
+		echo "[*] Copying cached block-abusers.conf ..."
+		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
+	else
+		echo "[*] Downloading abusers list (in background) ..."
+		/opt/scripts/abusers.sh > /dev/null 2>&1 &
+	fi
+fi

entrypoint/logs.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# copy stub confs
+cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
+cat /opt/logs/logrotate.conf > /etc/logrotate.conf
+
+# create empty logs
+touch /var/log/access.log
+touch /var/log/error.log
+touch /var/log/jobs.log
+
+# setup logrotate
+replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
+replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
+echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
+
+# setup rsyslog
+if [ "$REMOTE_SYSLOG" != "" ] ; then
+	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
+else
+	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
+fi

entrypoint/lua.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# copy stub LUA scripts
+cp -r /opt/lua/* /usr/local/lib/lua
+
+# DNS resolvers
+resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
+replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
+
+# whitelist IP
+list=$(spaces_to_lua "$WHITELIST_IP_LIST")
+replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
+
+# whitelist rDNS
+list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
+replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
+
+# blacklist IP
+list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
+replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
+
+# blacklist rDNS
+list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
+replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
+
+# DNSBL
+list=$(spaces_to_lua "$DNSBL_LIST")
+replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
+
+# CrowdSec setup
+if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
+	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
+	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
+fi
+
+# Whitelist IP for API
+if [ "$USE_API" = "yes" ] ; then
+	list=$(spaces_to_lua "$API_WHITELIST_IP")
+	replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list"
+fi

entrypoint/multisite-config.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+if [ "$MULTISITE" = "yes" ] ; then
+	servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
+	for server in $servers ; do
+		if [ "$server" = "server.conf" ] ; then
+			continue
+		fi
+		SERVER_PREFIX="/etc/nginx/${server}/"
+		if grep "/etc/letsencrypt/live" ${SERVER_PREFIX}https.conf > /dev/null && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
+			domains=$(cat ${SERVER_PREFIX}server.conf | sed -nE 's/^.*server_name (.*);$/\1/p' | sed "s/ /,/g")
+			/opt/scripts/certbot-new.sh "$domains" "$(cat ${SERVER_PREFIX}email-lets-encrypt.txt)"
+		fi
+		if grep "modsecurity.conf" ${SERVER_PREFIX}server.conf > /dev/null ; then
+			modsec_custom=""
+			if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
+				modsec_custom="include /modsec-confs/*.conf\n"
+			fi
+			if ls /modsec-confs/${server}/*.conf > /dev/null 2>&1 ; then
+				modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
+			fi
+			replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
+			if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
+				modsec_crs_custom=""
+				if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
+					modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
+				fi
+				if ls /modsec-crs-confs/${server}/*.conf > /dev/null 2>&1 ; then
+					modsec_crs_custom="${modsec_crs_custom}include /modsec-crs-confs/${server}/*.conf\n"
+				fi
+			fi
+			replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
+		fi
+	done
+fi

entrypoint/nginx-temp.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# load default values
+. /opt/entrypoint/defaults.sh
+
+# load some functions
+. /opt/entrypoint/utils.sh
+
+# start nginx with temp conf for let's encrypt challenges and API
+if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ; then
+	cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
+	cp /opt/confs/global/api-temp.conf /tmp/api.conf
+	if [ "$SWARM_MODE" = "yes" ] ; then
+		replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
+		replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
+	else
+		replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" ""
+	fi
+	replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
+	nginx -c /tmp/nginx-temp.conf
+	if [ "$?" -eq 0 ] ; then
+		echo "[*] Successfully started temp nginx"
+	else
+		echo "[!] Can't start temp nginx"
+	fi
+fi

entrypoint/permissions-swarm.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# /etc/letsencrypt
+if [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
+	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
+	exit 1
+fi
+
+# /www
+if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
+	echo "[!] ERROR - wrong permissions on /www"
+	exit 2
+fi
+
+# /etc/nginx
+if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
+	echo "[!] ERROR - wrong permissions on /etc/nginx"
+	exit 3
+fi
+
+# /acme-challenge
+if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
+	echo "[!] ERROR - wrong permissions on /acme-challenge"
+	exit 4
+fi