Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: Makussu:v1.2.1
Branches Tags
Makussu:master Makussu:dev Makussu:gh-pages
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0
...
compare: Makussu:v1.2.4
Branches Tags
Makussu:dev Makussu:gh-pages Makussu:master
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0

142 Commits
v1.2.1 ... v1.2.4

Author SHA1 Message Date
bunkerity
07be626842 hotfix - fix API in autoconf swarm mode 2021-04-28 17:40:54 +02:00
bunkerity
3bb164395e hotfix - move API_WHITELIST_IP edit to lua.sh 2021-04-28 17:00:50 +02:00
bunkerity
bc2568a172 v1.2.4 - nginx 1.20.0 support 2021-04-27 17:43:38 +02:00
Bunkerity
5ec74880d8 update README for v1.2.4 2021-04-27 17:40:33 +02:00
bunkerity
f84fd7c9a2 fix permissions issues for autoconf and fix volume for ghost example 2021-04-27 16:49:45 +02:00
bunkerity
6521d7a27a fix client cache so it works in combination with reverse proxy and examples update 2021-04-27 15:31:56 +02:00
bunkerity
813607fbc3 improve crowdsec example and disable modsec logging when not necessary 2021-04-27 11:21:30 +02:00
bunkerity
843644f806 log - replace some WARN tags from LUA logs with NOTICE to avoid confusion 2021-04-27 09:57:07 +02:00
bunkerity
19fa0eb25f log - print modsec_audit.log to make debugging easier 2021-04-27 09:46:40 +02:00
bunkerity
b4df287228 log - send logs to remote syslog server 2021-04-27 09:30:10 +02:00
florian
5ce41edc03 api - whitelist IP/network for API 2021-04-26 22:22:34 +02:00
florian
a3cfb50b4d example - fix certbot wildcard 2021-04-26 21:34:18 +02:00
bunkerity
25494acace example - wildcard certificate with certbot 2021-04-26 17:44:48 +02:00
bunkerity
a98dae1fb6 fix CVE-2021-20205 and examples update 2021-04-26 17:00:23 +02:00
bunkerity
1a7abab570 nginx 1.20.0 support 2021-04-26 14:59:12 +02:00
florian
42b7a57f01 fix autoconf bug when removing config with multiple server name and increase default LIMIT_CONN_MAX for average website with HTTP2 2021-04-26 11:39:12 +02:00
bunkerity
02f9fbe5fc autoconf - fix certbot bug when multiple server_name for one service 2021-04-20 11:46:53 +02:00
bunkerity
69fe066777 autoconf - fix bug when multiple server_name for one service 2021-04-20 10:00:25 +02:00
bunkerity
74417abc9c fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode 2021-04-16 16:56:45 +02:00
bunkerity
ba7524a419 fixed LUA bug 2021-04-13 17:27:52 +02:00
bunkerity
b55aafb997 finding the LUA bug 2021-04-13 17:01:27 +02:00
Bunkerity
deeb7a76a2 Merge pull request #117 from thelittlefireman/patch-9 
Fix lua mistake
 2021-04-13 16:49:45 +02:00
thelittlefireman
ee8aaa4e7e fix lua crash 2 2021-04-11 15:45:46 +02:00
thelittlefireman
605d59a45c Fix lua mistake 
#116
 2021-04-11 15:33:31 +02:00
bunkerity
b85c991b6e bug fixes - /usr/local/lib/lua rights and syntax error in site-config 2021-04-09 17:40:19 +02:00
bunkerity
0d3658adf0 REVERSE_PROXY_HEADERS - use proxy_set_header instead of more_set_headers 2021-04-09 17:27:22 +02:00
bunkerity
0b22209c96 documentation - userns remap feature 2021-04-09 16:22:31 +02:00
bunkerity
e44a1f3e14 added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service 2021-04-09 15:54:26 +02:00
bunkerity
aa614f82f9 print error when permissions are wrong on common volumes 2021-04-09 14:54:15 +02:00
bunkerity
c03d410b0a refactored whitelisting of user-agents 2021-04-09 14:23:52 +02:00
bunkerity
e190167bfc CIDR support with whitelist/blacklist IP 2021-04-09 14:10:17 +02:00
bunkerity
31e72dce1c fix /usr/local/lib/lua rights and multiple server_name support with autoconf 2021-04-09 11:37:13 +02:00
bunkerity
b8105fc558 feature - whitelist URI 2021-04-09 10:31:00 +02:00
bunkerity
e73c10fd80 crowdsec - fix permissions on /usr/local/lib/lua and on /var/log files 2021-04-09 10:01:23 +02:00
bunkerity
a122a259c0 minor fix on AutoConf logs and auto disable etag with reverse proxy 2021-04-09 09:51:17 +02:00
bunkerity
7c4894d3b8 autoconf - fix remove event, generate config from nginx vars, more logs 2021-03-26 15:18:35 +01:00
bunkerity
533c2a1034 fix sed script when writing site env 2021-03-22 09:38:36 +01:00
bunkerity
5611d544d6 remove reference to USE_PHP 2021-03-19 09:38:44 +01:00
bunkerity
397182f18d add link to twitter account 2021-03-18 18:11:52 +01:00
bunkerity
c5c5fb17b5 v1.2.3 - swarm support 2021-03-18 18:08:42 +01:00
bunkerity
017a7780fb README update, default cron update and new parameters to ui 2021-03-18 17:11:58 +01:00
bunkerity
34d9db7a8b web ui - bug fixes 2021-03-18 12:34:46 +01:00
bunkerity
361c66ca61 fixed bugs with MULTISITE variables and swarm example 2021-03-18 10:29:37 +01:00
bunkerity
afc6678855 road to v1.2.3 - fixing bugs 2021-03-17 17:55:56 +01:00
bunkerity
c40fb33175 road to swarm - automatic reload after jobs 2021-03-17 12:16:56 +01:00
bunkerity
93ad3c0b51 road to swarm - let's encrypt fix 2021-03-17 10:37:20 +01:00
bunkerity
ceed904882 road to swarm - still some mess to fix 2021-03-16 17:56:24 +01:00
Bunkerity
b8027d2bac Merge pull request #102 from thelittlefireman/proxy_custom_headers 
[NEED TESTING] Enhancement add custom proxy headers #97
 2021-03-16 10:08:05 +01:00
Bunkerity
8d03a14a6a Merge pull request #103 from thelittlefireman/fix_truncated_3 
Fix truncated 3
 2021-03-16 10:06:05 +01:00
thelittlefireman
d16f4517a4 Enhancement add custom proxy headers #97 2021-03-15 23:24:58 +01:00
thelittlefireman
89ca91b3ff Fix truncated variables (last commit) 2021-03-15 22:54:30 +01:00
bunkerity
6a714e2ece road to swarm - fix race condition on initial configuration 2021-03-14 16:50:08 +01:00
bunkerity
0d3da03534 prepare /www directory, fix log socket path and whitelist acme challenges path 2021-03-14 12:33:59 +01:00
bunkerity
33163f65b3 init work on disabling root processes 2021-03-13 22:52:23 +01:00
bunkerity
a2543384cd road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights 2021-03-13 15:28:15 +01:00
bunkerity
3591715f21 road to swarm - fixing things 2021-03-12 17:31:26 +01:00
bunkerity
95f7ca5b2d road to swarm support - needs a lot of testing 2021-03-12 15:17:45 +01:00
bunkerity
816fa47cbb introducing SWARM_MODE env var 2021-03-12 12:40:52 +01:00
Bunkerity
7756c2df3c Merge pull request #98 from mromanelli9/fix/readme 
Fix README
 2021-03-12 10:44:06 +01:00
bunkerity
7509ec2f2c basic API to be used in swarm mode 2021-03-12 10:42:31 +01:00
Marco Romanelli
6e93575e16 remove ALLOWALL from X_FRAME_OPTIONS options 2021-03-11 14:41:23 +01:00
Marco Romanelli
ba4c977550 remove old anchor 2021-03-11 11:49:46 +01:00
bunkerity
781e4c8cbb autoconf little work on swarm support 2021-03-10 17:24:02 +01:00
bunkerity
e04c783d1e autoconf - init work on swarm mode 2021-03-09 17:33:22 +01:00
bunkerity
e12b656bd5 Merge branch 'patch-7' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 14:06:54 +01:00
bunkerity
cae05447d3 custom crontab values 2021-03-08 13:58:14 +01:00
bunkerity
4b58e22657 Merge branch 'patch-5' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 13:52:35 +01:00
bunkerity
6b56e21a09 Merge branch 'whitelist_ua' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 13:46:28 +01:00
bunkerity
544a09e8da Update lua-cs-bouncer 2021-03-08 12:02:56 +01:00
bunkerity
8386dd4a2a custom config outside server block 2021-03-08 11:53:11 +01:00
root
f052a25168 Merge branch 'pre_server_confs' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 11:47:45 +01:00
Bunkerity
43750f5536 Merge pull request #73 from thelittlefireman/patch-4 
Add missing reverse proxy header (X-Forwarded-Host)
 2021-03-08 10:16:31 +01:00
Bunkerity
9142afdb54 Merge pull request #72 from thelittlefireman/patch-3 
Fix #71 - limit connection by IP
 2021-03-08 10:15:14 +01:00
thelittlefireman
66c4fed791 Fix env variable with space are truncated 2 
Fix #82
 2021-03-05 23:59:38 +01:00
thelittlefireman
f41846e9d6 Fix env variable with space are truncated 
Fix #82
 2021-03-05 23:56:19 +01:00
thelittlefireman
92cc705b92 Reduce memory usage : set cron tasks at different hours. 2021-03-03 13:02:56 +01:00
thelittlefireman
47fb3a05b3 Upgrade crowdsecurity/lua-cs-bouncer 
Upgrade crowdsecurity/lua-cs-bouncer to latest version to include commit dcfba46ccd
 2021-03-03 10:01:04 +01:00
thelittlefireman
5940f402c7 improve default tls security 2021-02-28 23:59:22 +01:00
thelittlefireman
d9ca275d53 Add before server {} config. 2021-02-03 14:17:20 +01:00
thelittlefireman
8353bd9c85 Allow to add a whitelist by site on user-agent 2021-02-03 13:51:15 +01:00
thelittlefireman
d902e2f297 Add last missing reverse proxy header 
X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host]
 2021-01-03 16:28:51 +01:00
thelittlefireman
1a8b8043c8 Add LIMIT_CONN var to server.conf 2021-01-02 14:26:52 +01:00
thelittlefireman
65120a7e97 Add USE_CONN_LIMIT info to Readme.md 
and fix small typo
 2021-01-02 14:25:34 +01:00
thelittlefireman
b093a47554 Add default values for LIMIT_CONN 2021-01-02 14:18:26 +01:00
thelittlefireman
73dbf03c9a add USE_LIMIT_CONN zone to global config 2021-01-02 14:15:18 +01:00
thelittlefireman
6ee746236a Add USE_LIMIT_CONN to site-config 2021-01-02 14:11:36 +01:00
thelittlefireman
fa935eb6e3 edit nginx.conf to add limit_conn 2021-01-02 14:04:34 +01:00
thelittlefireman
cf231e13cb Add limit-conn.conf 2021-01-02 13:35:18 +01:00
bunkerity
d5d699252c v1.2.2 - web UI (beta) 2020-12-30 21:22:18 +01:00
bunkerity
50f95420b5 README update - road to v1.2.2 2020-12-30 17:57:00 +01:00
bunkerity
dc382c3e04 various fixes - autoconf process order, multisite config and examples 2020-12-30 16:22:10 +01:00
bunkerity
0026328f25 edit default FAIL2BAN_IGNOREIP subnets 2020-12-30 14:31:16 +01:00
Bunkerity
9023ab5aed Merge pull request #67 from thelittlefireman/patch-2 
Fix #66
 2020-12-30 14:28:34 +01:00
thelittlefireman
124474ad66 Edit README.md to add FAIL2BAN_IGNOREIP 2020-12-29 03:47:41 +01:00
thelittlefireman
eac9c8f513 Prepare FAIL2BAN_IGNOREIP to avoid self blocking 2020-12-29 03:43:38 +01:00
thelittlefireman
1ee490de6d Prepare FAIL2BAN_IGNOREIP to avoid self blocking 2020-12-29 03:41:27 +01:00
bunkerity
825e6a747e crowdsec v1 integrated 2020-12-28 21:41:30 +01:00
bunkerity
09a984c86b started crowdsec v1 integration 2020-12-28 18:42:20 +01:00
bunkerity
fd7afa17b3 fix missing ';' in include 2020-12-28 11:43:43 +01:00
Bunkerity
b9b7fdfcc4 Merge pull request #63 from thelittlefireman/patch-1 
Fix missing proxy headers
 2020-12-28 11:38:07 +01:00
bunkerity
58e1d66bc7 UI - minor alert css fix 2020-12-28 11:37:13 +01:00
bunkerity
7026643f8a UI - fix missing MULTISITE env var when managing services 2020-12-28 10:20:29 +01:00
bunkerity
06f688fe97 fixed stop and reload operations 2020-12-27 22:25:07 +01:00
bunkerity
c65b78b1cc UI - instances/services backend update (needs testing) 2020-12-27 17:04:59 +01:00
bunkerity
f9b9b9546f UI - introduced multiple config parameters (like reverse proxy) in frontend 2020-12-27 14:42:52 +01:00
bunkerity
b5fe6335c7 UI - instances backend started 2020-12-24 14:55:11 +01:00
bunkerity
951f3957fd UI - default service values 2020-12-24 11:36:19 +01:00
bunkerity
0f520b8914 UI - services backend started 2020-12-23 22:29:50 +01:00
bunkerity
569ad75c42 UI - config.json refactoring 2020-12-23 11:31:37 +01:00
bunkerity
bd7b6af668 UI - load config template from json 2020-12-22 22:35:15 +01:00
bunkerity
459bb8ea1c UI services modals and default CSP update (fix new tab links) 2020-12-22 11:42:49 +01:00
bunkerity
208b5acb30 UI - minor services list improvement 2020-12-21 17:34:45 +01:00
bunkerity
59b2fed416 UI - basic services list 2020-12-21 15:32:15 +01:00
thelittlefireman
a4871a915e Add missing proxy headers 2020-12-20 16:21:01 +01:00
thelittlefireman
026783f018 Fix missing reverse proxy headers 2020-12-20 16:19:27 +01:00
thelittlefireman
8115853453 Fix missing proxy headers on site-config.sh 2020-12-20 16:16:26 +01:00
bunkerity
c5f283b00e UI - minor front update 2020-12-18 17:23:23 +01:00
bunkerity
03ce7a6483 fix modsec double inclusion when MULTISITE=yes 2020-12-18 10:40:05 +01:00
bunkerity
3f7e2c54b3 JOBS - fixed some job script and right temp nginx reload 2020-12-16 18:56:11 +01:00
bunkerity
bb0f46d8af JOBS - fix job_log 2020-12-16 16:06:36 +01:00
bunkerity
c5b32dfc4c fix CVE-2020-1971 again 2020-12-16 15:47:02 +01:00
bunkerity
9a4f96ad18 fix CVE-2020-1971 2020-12-16 15:40:38 +01:00
bunkerity
f258426f55 JOBS - fallback to old conf in case reload failed 2020-12-16 15:22:49 +01:00
bunkerity
119e963612 JOBS - be more verbose about jobs failure/success 2020-12-16 11:43:41 +01:00
Bunkerity
373988670a Merge pull request #54 from thelittlefireman/patch-4 
Fix #52
 2020-12-16 10:04:21 +01:00
thelittlefireman
2a956f2cd3 Fix #52 
Fix #52
 2020-12-13 12:39:46 +01:00
bunkerity
15a37a8682 UI - minor UI improvement 2020-12-12 17:28:45 +01:00
bunkerity
3a3d527907 UI - basic read fixes 2020-12-11 17:03:43 +01:00
bunkerity
e6b5f460c9 UI - basic read from docker API 2020-12-11 15:17:18 +01:00
bunkerity
002e3ed2ba security tests for autoconf and ui 2020-12-11 11:49:22 +01:00
bunkerity
7b55acbe8b web UI example and CVE-2020-8231 fix again 2020-12-11 11:44:45 +01:00
bunkerity
559b7835d4 ui - automated build 2020-12-11 10:52:44 +01:00
bunkerity
4ea01bd93f print some logs when blocking bots 2020-12-10 22:36:32 +01:00
bunkerity
a73891a3b8 fix CVE-2020-8231 2020-12-10 21:42:24 +01:00
bunkerity
26199f52c8 remove additional / in modsecurity include 2020-12-10 21:32:44 +01:00
bunkerity
5c3f94a84f edit reverse proxy var name in README 2020-12-10 21:25:39 +01:00
bunkerity
043fcdc136 autoconf - automated build 2020-12-09 18:30:12 +01:00
bunkerity
b86ded3d1c autoconf - multi arch Dockerfile 2020-12-09 17:36:39 +01:00
bunkerity
92569679b6 dynamic reload of nginx by sending SIGHUP 2020-12-09 17:00:09 +01:00
bunkerity
15e74e4860 more work on standalone autoconf 2020-12-09 12:00:54 +01:00
bunkerity
fd0a6412d0 init work on standalone autoconf 2020-12-08 23:27:23 +01:00
bunkerity
419fdfc86e fix auth basic when MULTISITE=yes 2020-12-08 11:29:43 +01:00
168 changed files with 14499 additions and 735 deletions
Expand all files Collapse all files

26
.github/workflows/autotest-bunkerized-nginx-autoconf.yml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: Automatic test on autoconf
on:
push:
branches: [dev, master]
pull_request:
branches: [dev, master]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Build the image
run: docker build -t autotest-autoconf -f autoconf/Dockerfile .
- name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'autotest-autoconf'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

26
.github/workflows/autotest-bunkerized-nginx-ui.yml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: Automatic test on ui
on:
push:
branches: [dev, master]
pull_request:
branches: [dev, master]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Build the image
run: docker build -t autotest-ui -f ui/Dockerfile .
- name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'autotest-ui'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

0
.github/workflows/autotest.yml → .github/workflows/autotest-bunkerized-nginx.yml vendored
View File

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.idea/

31
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM nginx:stable-alpine
FROM nginx:1.20.0-alpine
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
@@ -6,38 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY crowdsec/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
COPY autoconf/ /opt/autoconf
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
pip3 install docker && \
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
chmod 750 /var/log/nginx && \
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
chown nginx:nginx /var/log/nginx/*.log && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 750 /acme-challenge
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928
RUN apk --no-cache add "musl-utils>1.1.24-r2"
# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

31
Dockerfile-amd64
View File

@@ -1,4 +1,4 @@
FROM amd64/nginx:stable-alpine
FROM amd64/nginx:1.20.0-alpine
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
@@ -6,38 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY crowdsec/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
COPY autoconf/ /opt/autoconf
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
pip3 install docker && \
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
chmod 750 /var/log/nginx && \
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
chown nginx:nginx /var/log/nginx/*.log && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 750 /acme-challenge
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928
RUN apk --no-cache add "musl-utils>1.1.24-r2"
# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

31
Dockerfile-arm32v7
View File

@@ -3,7 +3,7 @@ FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm32v7/nginx:stable-alpine
FROM arm32v7/nginx:1.20.0-alpine
COPY --from=builder qemu-arm-static /usr/bin
@@ -13,38 +13,23 @@ RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY crowdsec/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
COPY autoconf/ /opt/autoconf
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
pip3 install docker && \
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
chmod 750 /var/log/nginx && \
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
chown nginx:nginx /var/log/nginx/*.log && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 750 /acme-challenge
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928
RUN apk --no-cache add "musl-utils>1.1.24-r2"
# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

31
Dockerfile-arm64v8
View File

@@ -3,7 +3,7 @@ FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm64v8/nginx:stable-alpine
FROM arm64v8/nginx:1.20.0-alpine
COPY --from=builder qemu-aarch64-static /usr/bin
@@ -13,38 +13,23 @@ RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY crowdsec/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
COPY autoconf/ /opt/autoconf
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
pip3 install docker && \
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
chmod 750 /var/log/nginx && \
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
chown nginx:nginx /var/log/nginx/*.log && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 750 /acme-challenge
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928
RUN apk --no-cache add "musl-utils>1.1.24-r2"
# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

31
Dockerfile-i386
View File

@@ -1,4 +1,4 @@
FROM i386/nginx:stable-alpine
FROM i386/nginx:1.20.0-alpine
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
@@ -6,38 +6,23 @@ RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY crowdsec/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
COPY autoconf/ /opt/autoconf
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli py3-pip && \
pip3 install docker && \
chmod +x /opt/entrypoint/* /opt/scripts/* /opt/autoconf/autoconf.py && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
chmod 750 /var/log/nginx && \
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
chown nginx:nginx /var/log/nginx/*.log && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 750 /acme-challenge
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928
RUN apk --no-cache add "musl-utils>1.1.24-r2"
# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

514
README.md
View File

@@ -1,8 +1,20 @@
# bunkerized-nginx
<p align="center">
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
</p>
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.0-blue" /> <img src="https://img.shields.io/badge/nginx-1.18.0-blue" /> <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" /> <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" /> <img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
<p align="center">
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.4-blue" />
<img src="https://img.shields.io/badge/nginx-1.20.0-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />
<img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
</p>
<p align="center">
<a href="https://matrix.to/#/#bunkerized-nginx:matrix.org"><img src="https://img.shields.io/badge/matrix%20chat-%23bunkerized--nginx%3Amatrix.org-blue" /></a>
<a href="https://www.bunkerity.com"><img src="https://img.shields.io/badge/website-www.bunkerity.com-blue" /></a>
<a href="https://twitter.com/bunkerity"><img src="https://img.shields.io/twitter/follow/bunkerity?style=social" /></a>
</p>
nginx Docker image secure by default.
@@ -18,17 +30,21 @@ Non-exhaustive list of features :
- Block known bad IP with DNSBL and CrowdSec
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Easy to configure with environment variables
- Easy to configure with environment variables or web UI
- Automatic configuration with container labels
- Docker Swarm support
Fooling automated tools/scanners :
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/demo.gif?raw=true" />
You can find a live demo at https://demo-nginx.bunkerity.com, feel free to do some security tests.
# Table of contents
- [bunkerized-nginx](#bunkerized-nginx)
<details>
<summary>Click to show</summary>
- [Table of contents](#table-of-contents)
- [Live demo](#live-demo)
- [Quickstart guide](#quickstart-guide)
* [Run HTTP server with default settings](#run-http-server-with-default-settings)
* [In combination with PHP](#in-combination-with-php)
@@ -37,8 +53,13 @@ Fooling automated tools/scanners :
* [Behind a reverse proxy](#behind-a-reverse-proxy)
* [Multisite](#multisite)
* [Automatic configuration](#automatic-configuration)
* [Swarm mode](#swarm-mode)
* [Web UI](#web-ui)
* [Antibot challenge](#antibot-challenge)
* [Hardening](#hardening)
- [Tutorials and examples](#tutorials-and-examples)
- [Include custom configurations](#include-custom-configurations)
- [Cache data](#cache-data)
- [List of environment variables](#list-of-environment-variables)
* [nginx](#nginx)
+ [Misc](#misc)
@@ -64,17 +85,15 @@ Fooling automated tools/scanners :
+ [Custom whitelisting](#custom-whitelisting)
+ [Custom blacklisting](#custom-blacklisting)
+ [Requests limiting](#requests-limiting)
+ [Connections limiting](#connections-limiting)
+ [Countries](#countries)
* [PHP](#php)
* [Fail2ban](#fail2ban)
* [ClamAV](#clamav)
* [Logrotate](#logrotate)
* [Cron jobs](#cron-jobs)
* [Misc](#misc-2)
- [Include custom configurations](#include-custom-configurations)
- [Cache data](#cache-data)
- [Create your own image](#create-your-own-image)
# Live demo
You can find a live demo at https://demo-nginx.bunkerity.com.
</details>
# Quickstart guide
@@ -84,7 +103,7 @@ You can find a live demo at https://demo-nginx.bunkerity.com.
docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx
```
Web files are stored in the /www directory, the container will serve files from there.
Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly.
## In combination with PHP
@@ -117,8 +136,9 @@ docker run -p 80:8080 \
bunkerity/bunkerized-nginx
```
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Here you have three environment variables :
- `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
@@ -174,10 +194,10 @@ docker run -p 80:8080 \
-e AUTO_LETS_ENCRYPT=yes \
-e REDIRECT_HTTP_TO_HTTPS=yes \
-e USE_REVERSE_PROXY=yes \
-e app1.domain.com_PROXY_URL=/ \
-e app1.domain.com_PROXY_HOST=http://myapp1:8000 \
-e app2.domain.com_PROXY_URL=/ \
-e app2.domain.com_PROXY_HOST=http://myapp2:8000 \
-e app1.domain.com_REVERSE_PROXY_URL=/ \
-e app1.domain.com_REVERSE_PROXY_HOST=http://myapp1:8000 \
-e app2.domain.com_REVERSE_PROXY_URL=/ \
-e app2.domain.com_REVERSE_PROXY_HOST=http://myapp2:8000 \
bunkerity/bunkerized-nginx
```
@@ -215,9 +235,15 @@ The */where/are/web/files* directory should have a structure like this :
## Automatic configuration
**This feature exposes, for now, a security risk because you need to mount the docker socket inside the container. You can test it but you should not use it in servers facing the internet.**
The downside of using environment variables is that you need to recreate a new container each time you want to add or remove a web service. An alternative is to use the *bunkerized-nginx-autoconf* image which listens for Docker events and "automagically" generates the configuration.
The downside of using environment variables is that you need to recreate a new container each time you want to add or remove aweb service. An alternative is to tell bunkerized-nginx to listen for Docker events by mounting the socket inside the container :
First we need a volume that will store the configurations :
```shell
docker volume create nginx_conf
```
Then we run bunkerized-nginx with the `bunkerized-nginx.AUTOCONF` label, mount the created volume at /etc/nginx and set some default configurations for our services (e.g. : automatic Let's Encrypt and HTTP to HTTPS redirect) :
```shell
docker network create mynet
@@ -227,17 +253,28 @@ docker run -p 80:8080 \
--network mynet \
-v /where/to/save/certificates:/etc/letsencrypt \
-v /where/are/web/files:/www:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v nginx_conf:/etc/nginx \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e AUTO_LETS_ENCRYPT=yes \
-e REDIRECT_HTTP_TO_HTTPS=yes \
-l bunkerized.nginx.AUTOCONF \
bunkerity/bunkerized-nginx
```
Please note by setting `SERVER_NAME` to nothing bunkerized-nginx won't create any server block.
When setting `SERVER_NAME` to nothing bunkerized-nginx won't create any server block (in case we only want automatic configuration).
You can now create a new container and use labels to dynamically configure bunkerized-nginx :
Once bunkerized-nginx is created, let's setup the autoconf container :
```shell
docker run -v /var/run/docker.sock:/var/run/docker.sock:ro \
-v nginx_conf:/etc/nginx \
bunkerity/bunkerized-nginx-autoconf
```
We can now create a new container and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
Here is a PHP example :
```shell
docker run --network mynet \
@@ -246,11 +283,158 @@ docker run --network mynet \
-l bunkerized-nginx.SERVER_NAME=app.domain.com \
-l bunkerized-nginx.REMOTE_PHP=myapp \
-l bunkerized-nginx.REMOTE_PHP_PATH=/app \
php:fpm
```
And a reverse proxy example :
```shell
docker run --network mynet \
--name anotherapp \
-l bunkerized-nginx.SERVER_NAME=app2.domain.com \
-l bunkerized-nginx.USE_REVERSE_PROXY=yes \
-l bunkerized-nginx.REVERSE_PROXY_URL=/ \
-l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp
tutum/hello-world
```
## Swarm mode
Automatic configuration through labels is also supported in swarm mode. The *bunkerized-nginx-autoconf* is used to listen for Swarm events (e.g. service create/rm) and "automagically" edit configurations files and reload nginx.
As a use case we will assume the following :
- Some managers are also workers (they will only run the *autoconf* container for obvious security reasons)
- The bunkerized-nginx service will be deployed on all workers (global mode) so clients can connect to each of them (e.g. load balancing, CDN, edge proxy, ...)
- There is a shared folder mounted on managers and workers (e.g. NFS, GlusterFS, CephFS, ...)
Let's start by creating the network to allow communications between our services :
```shell
docker network create -d overlay mynet
```
We can now create the *autoconf* service that will listen to swarm events :
```shell
docker service create --name autoconf \
--network mynet \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=bind,source=/shared/confs,destination=/etc/nginx \
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
-e SWARM_MODE=yes \
-e API_URI=/ChangeMeToSomethingHardToGuess \
--replicas 1 \
--constraint node.role==manager \
bunkerity/bunkerized-nginx-autoconf
```
**You need to change `API_URI` to something hard to guess since there is no other security mechanism to protect the API at the moment.**
When *autoconf* is created, it's time for the *bunkerized-nginx* service to be up :
```shell
docker service create --name nginx \
--network mynet \
-p published=80,target=8080,mode=host \
-p published=443,target=8443,mode=host \
--mount type=bind,source=/shared/confs,destination=/etc/nginx \
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,ro \
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,ro \
--mount type=bind,source=/shared/www,destination=/www,ro \
-e SWARM_MODE=yes \
-e USE_API=yes \
-e API_URI=/ChangeMeToSomethingHardToGuess \
-e MULTISITE=yes \
-e SERVER_NAME= \
-e AUTO_LETS_ENCRYPT=yes \
-e REDIRECT_HTTP_TO_HTTPS=yes \
-l bunkerized-nginx.AUTOCONF \
--mode global \
--constraint node.role==worker \
bunkerity/bunkerized-nginx
```
Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
The `API_URI` value must be the same as the one specified for the *autoconf* service.
We can now create a new service and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
Here is a PHP example :
```shell
docker service create --name myapp \
--network mynet \
--mount type=bind,source=/shared/www/app.domain.com,destination=/app \
-l bunkerized-nginx.SERVER_NAME=app.domain.com \
-l bunkerized-nginx.REMOTE_PHP=myapp \
-l bunkerized-nginx.REMOTE_PHP_PATH=/app \
--constraint node.role==worker \
php:fpm
```
And a reverse proxy example :
```shell
docker service create --name anotherapp \
--network mynet \
-l bunkerized-nginx.SERVER_NAME=app2.domain.com \
-l bunkerized-nginx.USE_REVERSE_PROXY=yes \
-l bunkerized-nginx.REVERSE_PROXY_URL=/ \
-l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
--constraint node.role==worker \
tutum/hello-world
```
## Web UI
**This feature exposes, for now, a security risk because you need to mount the docker socket inside a container exposing a web application. You can test it but you should not use it in servers facing the internet.**
A dedicated image, *bunkerized-nginx-ui*, lets you manage bunkerized-nginx instances and services configurations through a web user interface. This feature is still in beta, feel free to open a new issue if you find a bug and/or you have an idea to improve it.
First we need a volume that will store the configurations :
```shell
docker volume create nginx_conf
```
Then, we can create the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
```shell
docker network create mynet
docker run -p 80:8080 \
-p 443:8443 \
--network mynet \
-v nginx_conf:/etc/nginx \
-v /where/are/web/files:/www:ro \
-v /where/to/save/certificates:/etc/letsencrypt \
-e SERVER_NAME=admin.domain.com \
-e MULTISITE=yes \
-e AUTO_LETS_ENCRYPT=yes \
-e REDIRECT_HTTP_TO_HTTPS=yes \
-e DISABLE_DEFAULT_SERVER=yes \
-e admin.domain.com_SERVE_FILES=no \
-e admin.domain.com_USE_AUTH_BASIC=yes \
-e admin.domain.com_AUTH_BASIC_USER=admin \
-e admin.domain.com_AUTH_BASIC_PASSWORD=password \
-e admin.domain.com_USE_REVERSE_PROXY=yes \
-e admin.domain.com_REVERSE_PROXY_URL=/webui/ \
-e admin.domain.com_REVERSE_PROXY_HOST=http://myui:5000/ \
-l bunkerized-nginx.UI \
bunkerity/bunkerized-nginx
```
The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui.
We can now create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
```shell
docker run --network mynet \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v nginx_conf:/etc/nginx \
-e ABSOLUTE_URI=https://admin.domain.com/webui/ \
bunkerity/bunkerized-nginx-ui
```
After that, the web UI should be accessible from https://admin.domain.com/webui/.
## Antibot challenge
@@ -260,9 +444,70 @@ docker run -p 80:8080 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerit
When `USE_ANTIBOT` is set to *captcha*, every users visiting your website must complete a captcha before accessing the pages. Others challenges are also available : *cookie*, *javascript* or *recaptcha* (more info [here](#antibot)).
## Hardening
### Drop capabilities
By default, *bunkerized-nginx* runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container :
```shell
docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
```
### User namespace remap
Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host.
Let's assume you have the /etc/subuid and /etc/subgid files like this :
```
user:100000:65536
```
It means that everything done inside the container will be remapped to UID/GID 100101 (100000 + 101) on the host.
Please note that you must set the rights on the volumes (e.g. : /etc/letsencrypt, /www, ...) according to the remapped UID/GID :
```shell
$ chown root:100101 /path/to/letsencrypt
$ chmod 770 /path/to/letsencrypt
$ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx
```
# Tutorials and examples
You will find some docker-compose.yml examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples) and tutorials about bunkerized-nginx in our [blog](https://www.bunkerity.com/category/bunkerized-nginx/).
You will find some docker-compose examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples) and tutorials on our [blog](https://www.bunkerity.com/blog).
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context
- /server-confs : server context
- /pre-server-confs : before server context (add map or upstream config for example)
You just need to use a volume like this :
```shell
docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
```
When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
```shell
docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
```
The */path/to/server/confs* directory should have a structure like this :
```
/path/to/server/confs
├── app1.domain.com
│   └── custom.conf
│   └── ...
└── app2.domain.com
└── custom.conf
└── ...
```
# Cache data
You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
```shell
docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
```
# List of environment variables
@@ -300,7 +545,7 @@ Only the HTTP methods listed here will be accepted by nginx. If not listed, ngin
`DISABLE_DEFAULT_SERVER`
Values : *yes* | *no*
Default value : *no*
Context : *global*, *multisite*
Context : *global*
If set to yes, nginx will only respond to HTTP request when the Host header match a FQDN specified in the `SERVER_NAME` environment variable.
For example, it will close the connection if a bot access the site with direct ip.
@@ -318,14 +563,14 @@ Context : *global*
The IP addresses of the DNS resolvers to use when performing DNS lookups.
`ROOT_FOLDER`
Values : *\<any valid path to web files\>
Values : *\<any valid path to web files\>*
Default value : */www*
Context : *global*
The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
`LOG_FORMAT`
Values : *\<any values accepted by the log_format directive\>*
Default value : *$remote_addr - $remote_user $host \[$time_local\] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"*
Default value : *$host $remote_addr - $remote_user \[$time_local\] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"*
Context : *global*
The log format used by nginx to generate logs. More info [here](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format).
@@ -333,7 +578,7 @@ The log format used by nginx to generate logs. More info [here](http://nginx.org
Values : *\<any valid port greater than 1024\>*
Default value : *8080*
Context : *global*
The HTTP port number used by nginx and certbot inside the container.
The HTTP port number used by nginx inside the container.
`HTTPS_PORT`
Values : *\<any valid port greater than 1024\>*
@@ -425,6 +670,13 @@ Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
`REVERSE_PROXY_HEADERS`
Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>*
Default value :
Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HEADERS_1`, `REVERSE_PROXY_HEADERS_2`, `REVERSE_PROXY_HEADERS_3`, ...
`PROXY_REAL_IP`
Values : *yes* | *no*
Default value : *no*
@@ -646,19 +898,19 @@ If set to yes, nginx will redirect all HTTP requests to HTTPS.
`USE_CUSTOM_HTTPS`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Context : *global*, *multisite*
If set to yes, HTTPS will be enabled with certificate/key of your choice.
`CUSTOM_HTTPS_CERT`
Values : *\<any valid path inside the container\>*
Default value :
Context : *global*
Context : *global*, *multisite*
Full path of the certificate file to use when `USE_CUSTOM_HTTPS` is set to yes.
`CUSTOM_HTTPS_KEY`
Values : *\<any valid path inside the container\>*
Default value :
Context : *global*
Context : *global*, *multisite*
Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
### Self-signed certificate
@@ -751,7 +1003,7 @@ You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .co
## Security headers
`X_FRAME_OPTIONS`
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net* | *ALLOWALL*
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
Default value : *DENY*
Context : *global*, *multisite*
Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks.
@@ -814,7 +1066,7 @@ More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Stric
`CONTENT_SECURITY_POLICY`
Values : *\<directive 1\>; \<directive 2\>; ...*
Default value : *default-src 'self'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer*
Default value : *object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';*
Context : *global*, *multisite*
Policy to be used when loading resources (scripts, forms, frames, ...).
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
@@ -920,7 +1172,19 @@ The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
Values : *yes* | *no*
Default value : *no*
Context : *global*, *multisite*
If set to *yes*, [CrowdSec](https://github.com/crowdsecurity/crowdsec) will be enabled with the [nginx collection](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx). API pulls will be done automaticaly.
If set to *yes*, [CrowdSec](https://github.com/crowdsecurity/crowdsec) will be enabled. Please note that you need a CrowdSec instance running see example [here](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/crowdsec).
`CROWDSEC_HOST`
Values : *\<full URL to the CrowdSec instance API\>*
Default value :
Context : *global*
The full URL to the CrowdSec API.
`CROWDSEC_KEY`
Values : *\<CrowdSec bouncer key\>*
Default value :
Context : *global*
The CrowdSec key given by *cscli bouncer add BouncerName*.
### Custom whitelisting
@@ -931,10 +1195,10 @@ Context : *global*, *multisite*
If set to *yes*, lets you define custom IP addresses to be whitelisted through the `WHITELIST_IP_LIST` environment variable.
`WHITELIST_IP_LIST`
Values : *\<list of IP addresses separated with spaces\>*
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*
Context : *global*
The list of IP addresses to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
`USE_WHITELIST_REVERSE`
Values : *yes* | *no*
@@ -948,6 +1212,18 @@ Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .c
Context : *global*
The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
`WHITELIST_USER_AGENT`
Values : *\<list of regexes separated with spaces\>*
Default value :
Context : *global*, *multisite*
Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
`WHITELIST_URI`
Values : *\<list of URI separated with spaces\>*
Default value :
Context : *global*, *multisite*
URI listed here have security checks like bad user-agents, bad IP, ... disabled. Useful when using callbacks for example.
### Custom blacklisting
`USE_BLACKLIST_IP`
@@ -957,10 +1233,10 @@ Context : *global*, *multisite*
If set to *yes*, lets you define custom IP addresses to be blacklisted through the `BLACKLIST_IP_LIST` environment variable.
`BLACKLIST_IP_LIST`
Values : *\<list of IP addresses separated with spaces\>*
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
Default value :
Context : *global*
The list of IP addresses to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
`USE_BLACKLIST_REVERSE`
Values : *yes* | *no*
@@ -980,20 +1256,20 @@ The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is se
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, the amount of HTTP requests made by a user will be limited during a period of time.
More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/).
If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time.
More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri).
`LIMIT_REQ_RATE`
Values : *Xr/s* | *Xr/m*
Default value : *20r/s*
Default value : *1r/s*
Context : *global*, *multisite*
The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requests per second.
The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second.
`LIMIT_REQ_BURST`
Values : *<any valid integer\>*
Default value : *40*
Default value : *2*
Context : *global*, *multisite*
The number of of requests to put in queue before rejecting requests.
The number of requests to put in queue before rejecting requests.
`LIMIT_REQ_CACHE`
Values : *Xm* | *Xk*
@@ -1001,6 +1277,27 @@ Default value : *10m*
Context : *global*
The size of the cache to store information about request limiting.
### Connections limiting
`USE_LIMIT_CONN`
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. very small/weak ddos protection)
More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
`LIMIT_CONN_MAX`
Values : *<any valid integer\>*
Default value : *50*
Context : *global*, *multisite*
The maximum number of connections per ip to put in queue before rejecting requests.
`LIMIT_CONN_CACHE`
Values : *Xm* | *Xk*
Default value : *10m*
Context : *global*
The size of the cache to store information about connection limiting.
### Countries
`BLACKLIST_COUNTRY`
@@ -1021,7 +1318,7 @@ Only allow specific countries accessing your website. Use 2 letters country code
Values : *\<any valid IP/hostname\>*
Default value :
Context : *global*, *multisite*
Set the IP/hostname address of a remote PHP-FPM to execute .php files. See `USE_PHP` if you want to run a PHP-FPM instance on the same container as bunkerized-nginx.
Set the IP/hostname address of a remote PHP-FPM to execute .php files.
`REMOTE_PHP_PATH`
Values : *\<any valid absolute path\>*
@@ -1063,6 +1360,12 @@ Default : value : *15*
Context : *global*
The number of "strange" HTTP status codes to find between the time interval.
`FAIL2BAN_IGNOREIP`
Values : *\<list of IP addresses or subnet separated with spaces\>*
Default value : 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
Context : *global*
IPs or subnet which should never be ban by fail2ban.
## ClamAV
`USE_CLAMAV_UPLOAD`
@@ -1083,13 +1386,15 @@ Default value : *yes*
Context : *global*
If set to yes, ClamAV will automatically remove the detected files.
## Misc
## Syslog
`ADDITIONAL_MODULES`
Values : *\<list of packages separated with space\>*
`REMOTE_SYSLOG`
Values : *\<any IP/hostname\>*
Default value :
Context : *global*
You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.
When defined, rsyslog will send logs (access.log and error.log) to the corresponding IP/hostname using syslog UDP protocol.
## Logrotate
`LOGROTATE_MINSIZE`
Values : *x* | *xk* | *xM* | *xG*
@@ -1103,37 +1408,90 @@ Default value : 7
Context : *global*
The number of days before rotated files are deleted.
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context
- /server-confs : server context
## Cron jobs
You just need to use a volume like this :
```shell
docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
```
`AUTO_LETS_ENCRYPT_CRON`
Values : *\<cron expression\>*
Default value : *15 0 \* \* \**
Context : *global*
Cron expression of how often certbot will try to renew the certificates.
When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
`BLOCK_USER_AGENT_CRON`
Values : *\<cron expression\>*
Default value : *30 0 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of user agent is updated.
```shell
docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
```
`BLOCK_TOR_EXIT_NODE_CRON`
Values : *\<cron expression\>*
Default value : *0 \*/1 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of tor exit node is updated.
The */path/to/server/confs* directory should have a structure like this :
```
/path/to/server/confs
├── app1.domain.com
│   └── custom.conf
│   └── ...
└── app2.domain.com
└── custom.conf
└── ...
```
`BLOCK_PROXIES_CRON`
Values : *\<cron expression\>*
Default value : *0 3 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of proxies is updated.
# Cache data
`BLOCK_ABUSERS_CRON`
Values : *\<cron expression\>*
Default value : *0 2 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of abusers is updated.
You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
`BLOCK_REFERRER_CRON`
Values : *\<cron expression\>*
Default value : *45 0 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of referrer is updated.
```shell
docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
```
`GEOIP_CRON`
Values : *\<cron expression\>*
Default value : *0 4 2 \* \**
Context : *global*
Cron expression of how often the GeoIP database is updated.
`USE_CLAMAV_SCAN_CRON`
Values : *\<cron expression\>*
Default value : *30 1 \* \* \**
Context : *global*
Cron expression of how often ClamAV will scan all the files inside the container.
`CLAMAV_UPDATE_CRON`
Values : *\<cron expression\>*
Default value : *0 1 \* \* \**
Context : *global*
Cron expression of how often ClamAV will update its database.
`LOGROTATE_CRON`
Values : *\<cron expression\>*
Default value : *0 0 \* \* \**
Context : *global*
Cron expression of how often Logrotate will rotate files.
## misc
`SWARM_MODE`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
`USE_API`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
`API_URI`
Values : *random* | *\<any valid URI path\>*
Default value : *random*
Context : *global*
Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
`API_WHITELIST_IP`
Values : *\<list of IP/CIDR separated with space\>*
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
Context : *global*
List of IP/CIDR block allowed to send API order using the `API_URI` uri.

2
VERSION
View File

@@ -1 +1 @@
1.2.1
1.2.4

131
autoconf/AutoConf.py Normal file
View File

@@ -0,0 +1,131 @@
from Config import Config
import utils
import os
class AutoConf :
def __init__(self, swarm, api) :
self.__swarm = swarm
self.__servers = {}
self.__instances = {}
self.__sites = {}
self.__config = Config(self.__swarm, api)
def get_server(self, id) :
if id in self.__servers :
return self.__servers[id]
return False
def reload(self) :
return self.__config.reload(self.__instances)
def pre_process(self, objs) :
for instance in objs :
(id, name, labels) = self.__get_infos(instance)
if "bunkerized-nginx.AUTOCONF" in labels :
if self.__swarm :
self.__process_instance(instance, "create", id, name, labels)
else :
if instance.status in ("restarting", "running", "created", "exited") :
self.__process_instance(instance, "create", id, name, labels)
if instance.status == "running" :
self.__process_instance(instance, "start", id, name, labels)
for server in objs :
(id, name, labels) = self.__get_infos(server)
if "bunkerized-nginx.SERVER_NAME" in labels :
if self.__swarm :
self.__process_server(server, "create", id, name, labels)
else :
if server.status in ("restarting", "running", "created", "exited") :
self.__process_server(server, "create", id, name, labels)
if server.status == "running" :
self.__process_server(server, "start", id, name, labels)
def process(self, obj, event) :
(id, name, labels) = self.__get_infos(obj)
if "bunkerized-nginx.AUTOCONF" in labels :
self.__process_instance(obj, event, id, name, labels)
elif "bunkerized-nginx.SERVER_NAME" in labels :
self.__process_server(obj, event, id, name, labels)
def __get_infos(self, obj) :
if self.__swarm :
id = obj.id
name = obj.name
labels = obj.attrs["Spec"]["Labels"]
else :
id = obj.id
name = obj.name
labels = obj.labels
return (id, name, labels)
def __process_instance(self, instance, event, id, name, labels) :
if event == "create" :
self.__instances[id] = instance
if self.__swarm and len(self.__instances) == 1 :
if self.__config.initconf(self.__instances) :
utils.log("[*] Initial config succeeded")
else :
utils.log("[!] Initial config failed")
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
elif event == "start" :
self.__instances[id].reload()
utils.log("[*] bunkerized-nginx instance started : " + name + " / " + id)
elif event == "die" :
self.__instances[id].reload()
utils.log("[*] bunkerized-nginx instance stopped : " + name + " / " + id)
elif event == "destroy" or event == "remove" :
del self.__instances[id]
if self.__swarm and len(self.__instances) == 0 :
with open("/etc/crontabs/nginx", "w") as f :
f.write("")
if os.path.exists("/etc/nginx/autoconf") :
os.remove("/etc/nginx/autoconf")
utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
def __process_server(self, instance, event, id, name, labels) :
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
if event == "create" :
utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
if self.__config.generate(self.__instances, vars) :
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
self.__servers[id] = instance
if self.__swarm :
utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
if self.__config.activate(self.__instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
elif event == "start" :
if id in self.__servers :
self.__servers[id].reload()
utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
if self.__config.activate(self.__instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
elif event == "die" :
if id in self.__servers :
self.__servers[id].reload()
utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
if self.__config.deactivate(self.__instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
elif event == "destroy" or event == "remove" :
if id in self.__servers :
if self.__swarm :
utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
if self.__config.deactivate(self.__instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
del self.__servers[id]
utils.log("[*] Removing config for " + vars["SERVER_NAME"])
if self.__config.remove(vars) :
utils.log("[*] Removed config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])

209
autoconf/Config.py Normal file
View File

@@ -0,0 +1,209 @@
#!/usr/bin/python3
import utils
import subprocess, shutil, os, traceback, requests, time
class Config :
def __init__(self, swarm, api) :
self.__swarm = swarm
self.__api = api
def initconf(self, instances) :
try :
for instance_id, instance in instances.items() :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
break
vars = {}
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars[var] = value
utils.log("[*] Generating global config ...")
if not self.globalconf(instances) :
utils.log("[!] Can't generate global config")
return False
utils.log("[*] Generated global config")
if "SERVER_NAME" in vars and vars["SERVER_NAME"] != "" :
for server in vars["SERVER_NAME"].split(" ") :
vars_site = vars.copy()
vars_site["SERVER_NAME"] = server
utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
if not self.generate(instances, vars_site) or not self.activate(instances, vars_site, reload=False) :
utils.log("[!] Can't generate/activate site config for " + server)
return False
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
with open("/etc/nginx/autoconf", "w") as f :
f.write("ok")
utils.log("[*] Waiting for bunkerized-nginx tasks ...")
i = 1
started = False
while i <= 10 :
time.sleep(i)
if self.__ping(instances) :
started = True
break
i = i + 1
utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
if started :
utils.log("[*] bunkerized-nginx tasks started")
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
return proc.returncode == 0
else :
utils.log("[!] bunkerized-nginx tasks are not started")
except Exception as e :
utils.log("[!] Error while initializing config : " + str(e))
return False
def globalconf(self, instances) :
try :
for instance_id, instance in instances.items() :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
break
vars = {}
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars[var] = value
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/global-config.sh", "nginx"], env=vars, capture_output=True)
if proc.returncode == 0 :
return True
else :
utils.log("[*] Error while generating global config : return code = " + str(proc.returncode))
except Exception as e :
utils.log("[!] Exception while generating global config : " + str(e))
return False
def generate(self, instances, vars) :
try :
# Get env vars from bunkerized-nginx instances
vars_instances = {}
for instance_id, instance in instances.items() :
if self.__swarm :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
else :
env = instance.attrs["Config"]["Env"]
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars_instances[var] = value
vars_defaults = vars.copy()
vars_defaults.update(vars_instances)
vars_defaults.update(vars)
# Call site-config.sh to generate the config
proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " \"" + vars["SERVER_NAME"] + "\"", "nginx"], env=vars_defaults, capture_output=True)
if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" and self.__swarm :
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
if proc.returncode == 0 :
return True
utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + " : return code = " + str(proc.returncode))
except Exception as e :
utils.log("[!] Exception while generating site config : " + str(e))
return False
def activate(self, instances, vars, reload=True) :
try :
# Get first server name
first_server_name = vars["SERVER_NAME"].split(" ")[0]
# Check if file exists
if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
return False
# Include the server conf
utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + first_server_name + "/server.conf;\n}")
# Reload
if not reload or self.reload(instances) :
return True
except Exception as e :
utils.log("[!] Exception while activating config : " + str(e))
return False
def deactivate(self, instances, vars) :
try :
# Get first server name
first_server_name = vars["SERVER_NAME"].split(" ")[0]
# Check if file exists
if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
return False
# Remove the include
utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + first_server_name + "/server.conf;\n", "")
# Reload
if self.reload(instances) :
return True
except Exception as e :
utils.log("[!] Exception while deactivating config : " + str(e))
return False
def remove(self, vars) :
try :
# Get first server name
first_server_name = vars["SERVER_NAME"].split(" ")[0]
# Check if file exists
if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
return False
# Remove the folder
shutil.rmtree("/etc/nginx/" + first_server_name)
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False
def reload(self, instances) :
return self.__api_call(instances, "/reload")
def __ping(self, instances) :
return self.__api_call(instances, "/ping")
def __api_call(self, instances, path) :
ret = True
for instance_id, instance in instances.items() :
# Reload the instance object just in case
instance.reload()
# Reload via API
if self.__swarm :
# Send POST request on http://serviceName.NodeID.TaskID:8000/action
name = instance.name
for task in instance.tasks() :
if task["Status"]["State"] != "running" :
continue
nodeID = task["NodeID"]
taskID = task["ID"]
fqdn = name + "." + nodeID + "." + taskID
req = False
try :
req = requests.post("http://" + fqdn + ":8080" + self.__api + path)
except :
pass
if req and req.status_code == 200 :
utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
else :
utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
ret = False
# Send SIGHUP to running instance
elif instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
ret = False
return ret

45
autoconf/Dockerfile Normal file
View File

@@ -0,0 +1,45 @@
FROM nginx:stable-alpine AS builder
FROM alpine
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/letsencrypt && \
chown root:nginx /etc/letsencrypt && \
chmod 770 /etc/letsencrypt && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 770 /acme-challenge
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

44
autoconf/Dockerfile-amd64 Normal file
View File

@@ -0,0 +1,44 @@
FROM nginx:stable-alpine AS builder
FROM amd64/alpine
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/letsencrypt && \
chown root:nginx /etc/letsencrypt && \
chmod 770 /etc/letsencrypt && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 770 /acme-challenge
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

50
autoconf/Dockerfile-arm32v7 Normal file
View File

@@ -0,0 +1,50 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM nginx:stable-alpine AS builder2
FROM arm32v7/alpine
COPY --from=builder qemu-arm-static /usr/bin
COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/letsencrypt && \
chown root:nginx /etc/letsencrypt && \
chmod 770 /etc/letsencrypt && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 770 /acme-challenge
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

50
autoconf/Dockerfile-arm64v8 Normal file
View File

@@ -0,0 +1,50 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM nginx:stable-alpine AS builder2
FROM arm64v8/alpine
COPY --from=builder qemu-aarch64-static /usr/bin
COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/letsencrypt && \
chown root:nginx /etc/letsencrypt && \
chmod 770 /etc/letsencrypt && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 770 /acme-challenge
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

44
autoconf/Dockerfile-i386 Normal file
View File

@@ -0,0 +1,44 @@
FROM nginx:stable-alpine AS builder
FROM i386/alpine
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/letsencrypt && \
chown root:nginx /etc/letsencrypt && \
chmod 770 /etc/letsencrypt && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx && \
mkdir /acme-challenge && \
chown root:nginx /acme-challenge && \
chmod 770 /acme-challenge
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

28
autoconf/ReloadServer.py Normal file
View File

@@ -0,0 +1,28 @@
import socketserver, threading, utils, os, stat
class ReloadServerHandler(socketserver.StreamRequestHandler):
def handle(self) :
try :
data = self.request.recv(512)
if not data :
return
with self.server.lock :
ret = self.server.autoconf.reload()
if ret :
self.request.sendall("ok".encode("utf-8"))
else :
self.request.sendall("ko".encode("utf-8"))
except Exception as e :
utils.log("Exception " + str(e))
def run_reload_server(autoconf, lock) :
server = socketserver.UnixStreamServer("/tmp/autoconf.sock", ReloadServerHandler)
os.chown("/tmp/autoconf.sock", 0, 101)
os.chmod("/tmp/autoconf.sock", 0o770)
server.autoconf = autoconf
server.lock = lock
thread = threading.Thread(target=server.serve_forever)
thread.daemon = True
thread.start()
return (server, thread)

73
autoconf/app.py Normal file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/python3
from AutoConf import AutoConf
from ReloadServer import run_reload_server
import utils
import docker, os, stat, sys, select, threading
# Connect to the endpoint
endpoint = "/var/run/docker.sock"
if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
sys.exit(1)
try :
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
except Exception as e :
utils.log("[!] Can't instantiate DockerClient : " + str(e))
sys.exit(2)
# Check if we are in Swarm mode
swarm = os.getenv("SWARM_MODE") == "yes"
# Our object to process events
api = ""
if swarm :
api = os.getenv("API_URI")
autoconf = AutoConf(swarm, api)
lock = threading.Lock()
if swarm :
(server, thread) = run_reload_server(autoconf, lock)
# Get all bunkerized-nginx instances and web services created before
try :
if swarm :
before = client.services.list(filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.services.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
else :
before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(3)
# Process them before events
with lock :
autoconf.pre_process(before)
# Process events received from Docker
try :
utils.log("[*] Listening for Docker events ...")
for event in client.events(decode=True) :
# Process only container/service events
if (swarm and event["Type"] != "service") or (not swarm and event["Type"] != "container") :
continue
# Get Container/Service object
try :
if swarm :
id = service_id=event["Actor"]["ID"]
server = client.services.get(service_id=id)
else :
id = event["id"]
server = client.containers.get(id)
except docker.errors.NotFound as e :
server = autoconf.get_server(id)
if not server :
continue
# Process the event
with lock :
autoconf.process(server, event["Action"])
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(4)

101
autoconf/autoconf.py
View File

@@ -1,101 +0,0 @@
#!/usr/bin/python3
import docker, datetime, subprocess, shutil, os
def log(event) :
print("[" + str(datetime.datetime.now().replace(microsecond=0)) + "] AUTOCONF - " + event, flush=True)
def replace_in_file(file, old_str, new_str) :
with open(file) as f :
data = f.read()
data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
with open(file, "w") as f :
f.write(data)
def generate(vars) :
vars_defaults = vars.copy()
vars_defaults.update(os.environ)
vars_defaults.update(vars)
subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults)
log("Generated config for " + vars["SERVER_NAME"])
def activate(vars) :
replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
subprocess.run(["/usr/sbin/nginx", "-s", "reload"])
log("Activated config for " + vars["SERVER_NAME"])
def deactivate(vars) :
replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
subprocess.run(["/usr/sbin/nginx", "-s", "reload"])
log("Deactivated config for " + vars["SERVER_NAME"])
def remove(vars) :
shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
log("Removed config for " + vars["SERVER_NAME"])
def process(id, event, vars) :
global containers
if event == "create" :
generate(vars)
containers.append(id)
elif event == "start" :
activate(vars)
elif event == "die" :
deactivate(vars)
elif event == "destroy" :
remove(vars)
containers.remove(id)
containers = []
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
# Process containers created before
for container in client.containers.list(all=True, filters={"label" : "bunkerized-nginx.SERVER_NAME"}) :
# Extract bunkerized-nginx.* labels
labels = container.labels.copy()
for label in container.labels :
if not label.startswith("bunkerized-nginx.") :
del labels[label]
# Remove bunkerized-nginx. on labels
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items()}
# Container is restarting or running
if container.status == "restarting" or container.status == "running" :
process(container.id, "create", vars)
process(container.id, "start", vars)
# Container is created or exited
if container.status == "created" or container.status == "exited" :
process(container.id, "create", vars)
for event in client.events(decode=True) :
# Process only container events
if event["Type"] != "container" :
continue
# Check if a bunkerized-nginx.* label is present
present = False
for label in event["Actor"]["Attributes"] :
if label.startswith("bunkerized-nginx.") :
present = True
break
if not present :
continue
# Only process if we generated a config
if not event["id"] in containers and event["Action"] != "create" :
continue
# Extract bunkerized-nginx.* labels
labels = event["Actor"]["Attributes"].copy()
for label in event["Actor"]["Attributes"] :
if not label.startswith("bunkerized-nginx.") :
del labels[label]
# Remove bunkerized-nginx. on labels
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items()}
# Process the event
process(event["id"], event["Action"], vars)

48
autoconf/entrypoint.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
echo "[*] Starting autoconf ..."
# check permissions
su -s "/opt/entrypoint/permissions.sh" nginx
if [ "$?" -ne 0 ] ; then
exit 1
fi
if [ "$SWARM_MODE" = "yes" ] ; then
cp -r /opt/confs/nginx/* /etc/nginx
chown -R root:nginx /etc/nginx
chmod -R 770 /etc/nginx
fi
# trap SIGTERM and SIGINT
function trap_exit() {
echo "[*] Catched stop operation"
echo "[*] Stopping crond ..."
pkill -TERM crond
echo "[*] Stopping python3 ..."
pkill -TERM python3
pkill -TERM tail
}
trap "trap_exit" TERM INT QUIT
# remove old crontabs
echo "" > /etc/crontabs/root
# setup logrotate
touch /var/log/jobs.log
echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
# start cron
crond
# run autoconf app
/opt/entrypoint/app.py &
# display logs
tail -F /var/log/jobs.log &
pid="$!"
wait "$pid"
# stop
echo "[*] autoconf stopped"
exit 0

12
autoconf/hooks/post_push Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v1.0.3/manifest-tool-linux-amd64
chmod +x manifest-tool
VERSION=$(cat VERSION | tr -d '\n')
if [ "$SOURCE_BRANCH" = "dev" ] ; then
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:dev-ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:dev
elif [ "$SOURCE_BRANCH" = "master" ] ; then
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:${VERSION}
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx-autoconf:ARCHVARIANT --target bunkerity/bunkerized-nginx-autoconf:latest
fi

5
autoconf/hooks/pre_build Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
# Register qemu-*-static for all supported processors except the
# current one, but also remove all registered binfmt_misc before
docker run --rm --privileged multiarch/qemu-user-static:register --reset

23
autoconf/misc/logrotate.conf Normal file
View File

@@ -0,0 +1,23 @@
/var/log/*.log /var/log/letsencrypt/*.log {
# compress old files using gzip
compress
# rotate everyday
daily
# remove old logs after X days
maxage 7
rotate 7
# no errors if a file is missing
missingok
# disable mailing
nomail
# mininum size of a logfile before rotating
minsize 10M
# make a copy and truncate the files
copytruncate
}

19
autoconf/reload.py Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/python3
import sys, socket, os
if not os.path.exists("/tmp/autoconf.sock") :
sys.exit(1)
try :
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client.connect("/tmp/autoconf.sock")
client.send("reload".encode("utf-8"))
data = client.recv(512)
client.close()
if not data or data.decode("utf-8") != "ok" :
sys.exit(3)
except Exception as e :
sys.exit(2)
sys.exit(0)

24
autoconf/utils.py Normal file
View File

@@ -0,0 +1,24 @@
#!/usr/bin/python3
import datetime
def log(event) :
print("[" + str(datetime.datetime.now().replace(microsecond=0)) + "] " + event, flush=True)
def replace_in_file(file, old_str, new_str) :
with open(file) as f :
data = f.read()
data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
with open(file, "w") as f :
f.write(data)
def install_cron(service, vars, crons) :
for var in vars :
if var in crons :
with open("/etc/crontabs/root", "a+") as f :
f.write(vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"])
def uninstall_cron(service, vars, crons) :
for var in vars :
if var in crons :
replace_in_file("/etc/crontabs/root", vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"] + "\n", "")

37
compile.sh
View File

@@ -30,7 +30,7 @@ function git_secure_clone() {
NTASK=$(nproc)
# install build dependencies
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev
# compile and install ModSecurity library
cd /tmp
@@ -50,8 +50,9 @@ make install-strip
cd /tmp
git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
cd coreruleset
cp -r rules /etc/nginx/owasp-crs
cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
mkdir /opt/owasp
cp -r rules /opt/owasp/crs
cp crs-setup.conf.example /opt/owasp/crs.conf
# get nginx modules
cd /tmp
@@ -111,6 +112,34 @@ git_secure_clone https://github.com/ledgetech/lua-resty-http.git 984fdc260543763
cd lua-resty-http
make install
cd /tmp
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
cd lualogging
cp -r src/* /usr/local/lib/lua
cd /tmp
git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
cd luasocket
make -j $NTASK
make CDIR_linux=lib/lua/5.1 LDIR_linux=lib/lua install
cd /tmp
git_secure_clone https://github.com/brunoos/luasec.git c6704919bdc85f3324340bdb35c2795a02f7d625
cd luasec
make linux -j $NTASK
make LUACPATH=/usr/local/lib/lua/5.1 LUAPATH=/usr/local/lib/lua install
cd /tmp
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
cd lua-cs-bouncer
mkdir /usr/local/lib/lua/crowdsec
cp lib/*.lua /usr/local/lib/lua/crowdsec
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
cd /tmp
git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
cd lua-resty-iputils
make LUA_LIB_DIR=/usr/local/lib/lua install
cd /tmp
git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
@@ -128,7 +157,7 @@ fi
tar -xvzf nginx-${NGINX_VERSION}.tar.gz
cd nginx-$NGINX_VERSION
CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os}
./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
make -j $NTASK modules
cp ./objs/*.so /usr/lib/nginx/modules

30
confs/global/api-temp.conf Normal file
View File

@@ -0,0 +1,30 @@
location ~ ^%API_URI%/ping {
return 444;
}
location ~ ^%API_URI% {
rewrite_by_lua_block {
local api = require "api"
local api_uri = "%API_URI%"
if api.is_api_call(api_uri) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}
}

21
confs/global/api.conf Normal file
View File

@@ -0,0 +1,21 @@
rewrite_by_lua_block {
local api = require "api"
local api_uri = "%API_URI%"
if api.is_api_call(api_uri) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}

0
confs/global/block-abusers.conf Normal file
View File

0
confs/global/block-proxies.conf Normal file
View File

0
confs/global/block-tor-exit-node.conf Normal file
View File

2
confs/global/crowdsec.conf
View File

@@ -5,5 +5,5 @@ init_by_lua_block {
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
error()
end
ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")
}

12
confs/global/nginx-temp.conf
View File

@@ -1,5 +1,8 @@
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
daemon on;
pid /tmp/nginx.pid;
pid /tmp/nginx-temp.pid;
events {
worker_connections 1024;
@@ -7,12 +10,19 @@ events {
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
lua_package_path "/usr/local/lib/lua/?.lua;;";
server {
listen 0.0.0.0:%HTTP_PORT% default_server;
server_name _;
location ~ ^/.well-known/acme-challenge/ {
root /acme-challenge;
}
%USE_API%
location / {
return 444;
}

13
confs/global/nginx.conf
View File

@@ -49,8 +49,8 @@ http {
# write logs to local syslog
log_format logf '%LOG_FORMAT%';
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice;
# temp paths
proxy_temp_path /tmp/proxy_temp;
@@ -71,6 +71,9 @@ http {
# resolvers to use
resolver %DNS_RESOLVERS% ipv6=off;
# remove ports when sending redirects
port_in_redirect off;
# lua path and dicts
lua_package_path "/usr/local/lib/lua/?.lua;;";
%WHITELIST_IP_CACHE%
@@ -85,6 +88,9 @@ http {
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
# shared memory zone for limit_conn
%LIMIT_CONN_ZONE%
# whitelist or blacklist country
%USE_COUNTRY%
@@ -105,4 +111,7 @@ http {
# server config(s)
%INCLUDE_SERVER%
# API
%USE_API%
}

4
confs/site/antibot-captcha.conf
View File

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local captcha = require "captcha"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local img, res = captcha.get_challenge()
@@ -21,16 +22,19 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local captcha = require "captcha"
if not cookie.is_set("captchares") then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["captcha"] then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local captcha_user = args["captcha"]
local check = captcha.check(captcha_user, cookie.get("captchares"))
if not check then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
return ngx.redirect("%ANTIBOT_URI%")
end
cookie.set({captcha = "ok"})

4
confs/site/antibot-javascript.conf
View File

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local javascript = require "javascript"
if not cookie.is_set("challenge") then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = cookie.get("challenge")
@@ -20,16 +21,19 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local javascript = require "javascript"
if not cookie.is_set("challenge") then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["challenge"] then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = args["challenge"]
local check = javascript.check(cookie.get("challenge"), challenge)
if not check then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (4) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({javascript = "ok"})

5
confs/site/antibot-recaptcha.conf
View File

@@ -7,6 +7,7 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
@@ -19,17 +20,19 @@ location = %ANTIBOT_URI% {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["token"] then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local token = args["token"]
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
if check < %ANTIBOT_RECAPTCHA_SCORE% then
ngx.log(ngx.WARN, "client has recaptcha score of " .. tostring(check))
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({recaptcha = "ok"})

2
confs/site/auth-basic-sitewide.conf
View File

@@ -1,2 +1,2 @@
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic_user_file %NGINX_PREFIX%.htpasswd;

2
confs/site/auth-basic.conf
View File

@@ -1,4 +1,4 @@
location %AUTH_BASIC_LOCATION% {
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
}

6
confs/site/client-cache.conf
View File

@@ -1,4 +1,6 @@
location ~* \.(%CLIENT_CACHE_EXTENSIONS%)$ {
etag %CLIENT_CACHE_ETAG%;
add_header Cache-Control "%CLIENT_CACHE_CONTROL%";
set $cache "";
if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
set $cache "%CLIENT_CACHE_CONTROL%";
}
add_header Cache-Control $cache;

25
confs/site/fastcgi.conf Normal file
View File

@@ -0,0 +1,25 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

2
confs/site/https.conf
View File

@@ -2,7 +2,7 @@ listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
ssl_certificate %HTTPS_CERT%;
ssl_certificate_key %HTTPS_KEY%;
ssl_protocols %HTTPS_PROTOCOLS%;
ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;

1
confs/site/limit-conn.conf Normal file
View File

@@ -0,0 +1 @@
limit_conn ddos %LIMIT_CONN_MAX%;

38
confs/site/main-lua.conf
View File

@@ -3,6 +3,7 @@ set $session_check_addr on;
access_by_lua_block {
local use_lets_encrypt = %USE_LETS_ENCRYPT%
local use_whitelist_ip = %USE_WHITELIST_IP%
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local use_user_agent = %USE_USER_AGENT%
@@ -26,8 +27,10 @@ local javascript = require "javascript"
local captcha = require "captcha"
local recaptcha = require "recaptcha"
-- antibot
-- user variables
local antibot_uri = "%ANTIBOT_URI%"
local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
local whitelist_uri = {%WHITELIST_URI%}
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -64,6 +67,19 @@ if use_whitelist_reverse and not whitelist.reverse_cached() then
end
end
-- check if URI is whitelisted
for k, v in pairs(whitelist_uri) do
if ngx.var.request_uri == v then
ngx.log(ngx.NOTICE, "[WHITELIST] URI " .. v .. " is whitelisted")
ngx.exit(ngx.OK)
end
end
-- check if it's certbot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
ngx.exit(ngx.OK)
end
-- check if IP is blacklisted (only if not in cache)
if use_blacklist_ip and not blacklist.ip_cached() then
if blacklist.check_ip() then
@@ -80,16 +96,29 @@ end
-- check if user-agent is allowed
if use_user_agent and ngx.var.bad_user_agent == "yes" then
local block = false
for k, v in pairs(whitelist_user_agent) do
if string.match(ngx.var.http_user_agent, v) then
ngx.log(ngx.NOTICE, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
block = false
break
end
end
if block then
ngx.log(ngx.NOTICE, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if referrer is allowed
if use_referrer and ngx.var.bad_referrer == "yes" then
ngx.log(ngx.NOTICE, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- check if country is allowed
if use_country and ngx.var.allowed_country == "no" then
ngx.log(ngx.NOTICE, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
@@ -107,7 +136,7 @@ if use_crowdsec then
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
end
if not ok then
ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
ngx.log(ngx.NOTICE, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@@ -119,6 +148,7 @@ if use_antibot_cookie then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
ngx.log(ngx.NOTICE, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
else
if ngx.var.request_uri == antibot_uri then
@@ -140,7 +170,7 @@ end
-- captcha check
if use_antibot_captcha then
if not cookie.is_set("captcha") then
if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
@@ -150,7 +180,7 @@ end
-- recaptcha check
if use_antibot_recaptcha then
if not cookie.is_set("recaptcha") then
if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end

1
confs/site/modsecurity-rules.conf
View File

@@ -50,7 +50,6 @@ SecResponseBodyLimitAction ProcessPartial
# log usefull stuff
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log

3
confs/site/reverse-proxy-headers.conf
View File

@@ -1,3 +1,6 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;

3
confs/site/reverse-proxy.conf
View File

@@ -1,4 +1,7 @@
location %REVERSE_PROXY_URL% {
etag off;
proxy_pass %REVERSE_PROXY_HOST%;
%REVERSE_PROXY_HEADERS%
%REVERSE_PROXY_WS%
%REVERSE_PROXY_CUSTOM_HEADERS%
}

3
confs/site/server.conf
View File

@@ -1,3 +1,5 @@
%PRE_SERVER_CONF%
server {
%FASTCGI_PATH%
%SERVER_CONF%
@@ -15,6 +17,7 @@ server {
return 405;
}
%LIMIT_REQ%
%LIMIT_CONN%
%AUTH_BASIC%
%REMOVE_HEADERS%
%X_FRAME_OPTIONS%

63
crowdsec/install.sh
View File

@@ -1,63 +0,0 @@
#!/bin/sh
function git_secure_clone() {
repo="$1"
commit="$2"
folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
git clone "$repo"
cd "$folder"
git checkout "${commit}^{commit}"
if [ $? -ne 0 ] ; then
echo "[!] Commit hash $commit is absent from repository $repo !"
exit 1
fi
cd ..
}
NTASK=$(nproc)
# install build dependencies
apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
# build and install crowdsec
cd /tmp
git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
cd crowdsec
make -j $NTASK build
./wizard.sh --bininstall
sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
# install nginx collection
cscli update
cscli install collection crowdsecurity/nginx
sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
# build and install luasql
cd /tmp
git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
cd luasql
make -j $NTASK sqlite3 mysql
mkdir /usr/local/lib/lua/5.1/luasql
cp src/*.so /usr/local/lib/lua/5.1/luasql
# install lualogging
cd /tmp
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
cd lualogging
cp -r src/* /usr/local/lib/lua
# install cs-lua-lib
cd /tmp
git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
cd cs-lua-lib
mkdir /usr/local/lib/lua/crowdsec
cp lib/*.lua /usr/local/lib/lua/crowdsec
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
rm /usr/local/lib/lua/crowdsec/lrucache.lua
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
# remove build dependencies
apk del build

21
entrypoint/clamav.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# clamav setup
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
else
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
fi
fi

27
entrypoint/defaults.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
MULTISITE="${MULTISITE-no}"
LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
LOG_FORMAT="${LOG_FORMAT-\$host \$remote_addr - \$remote_user [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
HTTP_PORT="${HTTP_PORT-8080}"
HTTPS_PORT="${HTTPS_PORT-8443}"
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
@@ -45,17 +45,24 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-30 0 * * *}"
BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-45 0 * * *}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-0 */1 * * *}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-0 3 * * *}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-0 2 * * *}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-15 0 * * *}"
HTTP2="${HTTP2-yes}"
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
USE_MODSECURITY="${USE_MODSECURITY-yes}"
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
SERVE_FILES="${SERVE_FILES-yes}"
@@ -67,8 +74,11 @@ FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-30 1 * * *}"
CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 1 * * *}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
@@ -79,6 +89,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
ROOT_FOLDER="${ROOT_FOLDER-/www}"
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
@@ -91,13 +102,17 @@ BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
USE_DNSBL="${USE_DNSBL-yes}"
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
LIMIT_CONN_MAX="${LIMIT_CONN_MAX-50}"
LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GEOIP_CRON="${GEOIP_CRON-0 4 2 * *}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
@@ -111,3 +126,7 @@ USE_ANTIBOT="${USE_ANTIBOT-no}"
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
USE_CROWDSEC="${USE_CROWDSEC-no}"
USE_API="${USE_API-no}"
API_URI="${API_URI-random}"
API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
SWARM_MODE="${SWARM_MODE-no}"

118
entrypoint/entrypoint.sh
View File

@@ -25,53 +25,114 @@ function trap_exit() {
pkill -TERM rsyslogd
pkill -TERM tail
}
trap "trap_exit" TERM INT
trap "trap_exit" TERM INT QUIT
# trap SIGHUP
function trap_reload() {
echo "[*] Catched reload operation"
if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
/opt/entrypoint/multisite-config.sh
fi
if [ -f /tmp/nginx.pid ] ; then
echo "[*] Reloading nginx ..."
nginx -s reload
if [ $? -eq 0 ] ; then
echo "[*] Reload successfull"
else
echo "[!] Reload failed"
fi
else
echo "[!] Ignored reload operation because nginx is not running"
fi
}
trap "trap_reload" HUP
# do the configuration magic if needed
if [ ! -f "/opt/installed" ] ; then
echo "[*] Configuring bunkerized-nginx ..."
# check permissions
if [ "$SWARM_MODE" = "no" ] ; then
/opt/entrypoint/permissions.sh
else
/opt/entrypoint/permissions-swarm.sh
fi
if [ "$?" -ne 0 ] ; then
exit 1
fi
# logs config
/opt/entrypoint/logs.sh
# lua config
# TODO : move variables from /usr/local/lib/lua + multisite support ?
/opt/entrypoint/lua.sh
# fail2ban config
/opt/entrypoint/fail2ban.sh
# clamav config
/opt/entrypoint/clamav.sh
# start temp nginx to solve Let's Encrypt challenges if needed
/opt/entrypoint/nginx-temp.sh
# only do config if we are not in swarm mode
if [ "$SWARM_MODE" = "no" ] ; then
# global config
/opt/entrypoint/global-config.sh
# background jobs
/opt/entrypoint/jobs.sh
# multisite configs
if [ "$MULTISITE" = "yes" ] ; then
for server in $SERVER_NAME ; do
/opt/entrypoint/site-config.sh "$server"
echo "[*] Multi site - $server configuration done"
done
/opt/entrypoint/multisite-config.sh
# singlesite config
else
/opt/entrypoint/site-config.sh
echo "[*] Single site - $SERVER_NAME configuration done"
fi
fi
touch /opt/installed
else
echo "[*] Skipping configuration process"
fi
# fix nginx configs rights (and modules through the symlink)
chown -R root:nginx /etc/nginx/
chmod -R 740 /etc/nginx/
find /etc/nginx -type d -exec chmod 750 {} \;
# fix let's encrypt rights
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
chown -R root:nginx /etc/letsencrypt
chmod -R 740 /etc/letsencrypt
find /etc/letsencrypt -type d -exec chmod 750 {} \;
fi
# start rsyslogd
rsyslogd
rsyslogd -i /tmp/rsyslogd.pid
# start crond
crond
# start nginx
if [ -f "/tmp/nginx.pid" ] ; then
nginx -s quit
# wait until config has been generated if we are in swarm mode
if [ "$SWARM_MODE" = "yes" ] ; then
echo "[*] Waiting until config has been generated ..."
while [ ! -f "/etc/nginx/autoconf" ] ; do
sleep 1
done
fi
# stop temp config if needed
if [ -f "/tmp/nginx-temp.pid" ] ; then
nginx -c /tmp/nginx-temp.conf -s quit
fi
# run nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
nginx
if [ "$?" -eq 0 ] ; then
echo "[*] nginx successfully started !"
else
echo "[!] nginx failed to start"
fi
# list of log files to display
LOGS="/var/log/access.log /var/log/error.log"
LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/modsec_audit.log"
# start fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
@@ -80,12 +141,6 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
LOGS="$LOGS /var/log/fail2ban.log"
fi
# start crowdsec
if [ "$USE_CROWDSEC" = "yes" ] ; then
echo "[*] Running crowdsec ..."
crowdsec
fi
# autotest
if [ "$1" == "test" ] ; then
sleep 10
@@ -97,17 +152,12 @@ if [ "$1" == "test" ] ; then
exit 1
fi
# start the autoconf manager
if [ -S "/var/run/docker.sock" ] ; then
echo "[*] Running autoconf ..."
touch /var/log/autoconf.log
/opt/autoconf/autoconf.py > /var/log/autoconf.log 2>&1 &
LOGS="$LOGS /var/log/autoconf.log"
fi
# display logs
tail -F $LOGS &
wait $!
pid="$!"
while [ -f "/tmp/nginx.pid" ] ; do
wait "$pid"
done
# sigterm trapped
echo "[*] bunkerized-nginx stopped"

19
entrypoint/fail2ban.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
fi

143
entrypoint/global-config.sh
View File

@@ -7,26 +7,10 @@
. /opt/entrypoint/utils.sh
# copy stub confs
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
cp /opt/logs/logrotate.conf /etc/logrotate.conf
cp -r /opt/lua/* /usr/local/lib/lua
cp /opt/confs/global/* /etc/nginx/
# remove cron jobs
echo "" > /etc/crontabs/root
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# start nginx with temp conf for let's encrypt challenges
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
nginx -c /etc/nginx/nginx-temp.conf
fi
# include server block(s)
if [ "$SWARM_MODE" = "no" ] ; then
if [ "$MULTISITE" = "yes" ] ; then
includes=""
for server in $SERVER_NAME ; do
@@ -36,6 +20,9 @@ if [ "$MULTISITE" = "yes" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
fi
else
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
fi
# setup default server block if multisite
if [ "$MULTISITE" = "yes" ] ; then
@@ -100,7 +87,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
fi
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
fi
# self-signed certificate
@@ -119,14 +106,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
fi
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
else
echo "[*] Downloading GeoIP database (in background) ..."
/opt/scripts/geoip.sh &
fi
echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
fi
@@ -134,14 +114,7 @@ fi
# block bad UA
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
if [ -f "/cache/map-user-agent.conf" ] ; then
echo "[*] Copying cached map-user-agent.conf ..."
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
else
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh &
fi
echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
fi
@@ -149,57 +122,27 @@ fi
# block bad refferer
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
if [ -f "/cache/map-referrer.conf" ] ; then
echo "[*] Copying cached map-referrer.conf ..."
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
else
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh &
fi
echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
fi
# block TOR exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
echo "[*] Copying cached block-tor-exit-node.conf ..."
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
else
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh &
fi
echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
fi
# block proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
if [ -f "/cache/block-proxies.conf" ] ; then
echo "[*] Copying cached block-proxies.conf ..."
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
else
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh &
fi
echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
fi
# block abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
if [ -f "/cache/block-abusers.conf" ] ; then
echo "[*] Copying cached block-abusers.conf ..."
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
else
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh &
fi
echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
fi
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
# whitelist IP
@@ -208,8 +151,6 @@ if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
@@ -217,8 +158,6 @@ if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
@@ -226,8 +165,6 @@ if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
@@ -235,24 +172,27 @@ if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# request limiting
if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
fi
# connection limiting
if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
fi
# DNSBL
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
fi
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# disable default site
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
@@ -264,46 +204,23 @@ fi
# fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
echo "" > /etc/nginx/fail2ban-ip.conf
rm -rf /etc/fail2ban/jail.d/*.conf
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
fi
# clamav setup
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
else
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
fi
fi
# CrowdSec setup
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
cscli api register >> /etc/crowdsec/config/api.yaml
cscli api pull
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
fi
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
# API
if [ "$USE_API" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "include /etc/nginx/api.conf;"
if [ "$API_URI" = "random" ] ; then
API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
echo "[*] Generated API URI : $API_URI"
fi
replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
fi

73
entrypoint/jobs.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/bin/bash
# load default values
. ./opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# GeoIP
if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
else
echo "[*] Downloading GeoIP database (in background) ..."
/opt/scripts/geoip.sh > /dev/null 2>&1 &
fi
fi
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/map-user-agent.conf" ] ; then
echo "[*] Copying cached map-user-agent.conf ..."
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
else
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
fi
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/map-referrer.conf" ] ; then
echo "[*] Copying cached map-referrer.conf ..."
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
else
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh > /dev/null 2>&1 &
fi
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
echo "[*] Copying cached block-tor-exit-node.conf ..."
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
else
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/block-proxies.conf" ] ; then
echo "[*] Copying cached block-proxies.conf ..."
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
else
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh > /dev/null 2>&1 &
fi
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/block-abusers.conf" ] ; then
echo "[*] Copying cached block-abusers.conf ..."
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
else
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh > /dev/null 2>&1 &
fi
fi

28
entrypoint/logs.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# copy stub confs
cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
cat /opt/logs/logrotate.conf > /etc/logrotate.conf
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
touch /var/log/jobs.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
# setup rsyslog
if [ "$REMOTE_SYSLOG" != "" ] ; then
replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
else
replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
fi

46
entrypoint/lua.sh Normal file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# copy stub LUA scripts
cp -r /opt/lua/* /usr/local/lib/lua
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
# whitelist IP
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# DNSBL
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# CrowdSec setup
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
fi
# Whitelist IP for API
if [ "$USE_API" = "yes" ] ; then
list=$(spaces_to_lua "$API_WHITELIST_IP")
replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list"
fi

41
entrypoint/multisite-config.sh Normal file
View File

@@ -0,0 +1,41 @@
#!/bin/sh
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
if [ "$MULTISITE" = "yes" ] ; then
servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
for server in $servers ; do
if [ "$server" = "server.conf" ] ; then
continue
fi
SERVER_PREFIX="/etc/nginx/${server}/"
if grep "/etc/letsencrypt/live" ${SERVER_PREFIX}https.conf > /dev/null && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
domains=$(cat ${SERVER_PREFIX}server.conf | sed -nE 's/^.*server_name (.*);$/\1/p' | sed "s/ /,/g")
/opt/scripts/certbot-new.sh "$domains" "$(cat ${SERVER_PREFIX}email-lets-encrypt.txt)"
fi
if grep "modsecurity.conf" ${SERVER_PREFIX}server.conf > /dev/null ; then
modsec_custom=""
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
modsec_custom="include /modsec-confs/*.conf\n"
fi
if ls /modsec-confs/${server}/*.conf > /dev/null 2>&1 ; then
modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
fi
replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
modsec_crs_custom=""
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
fi
if ls /modsec-crs-confs/${server}/*.conf > /dev/null 2>&1 ; then
modsec_crs_custom="${modsec_crs_custom}include /modsec-crs-confs/${server}/*.conf\n"
fi
fi
replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
fi
done
fi

26
entrypoint/nginx-temp.sh Normal file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# start nginx with temp conf for let's encrypt challenges and API
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ; then
cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
cp /opt/confs/global/api-temp.conf /tmp/api.conf
if [ "$SWARM_MODE" = "yes" ] ; then
replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
else
replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" ""
fi
replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
nginx -c /tmp/nginx-temp.conf
if [ "$?" -eq 0 ] ; then
echo "[*] Successfully started temp nginx"
else
echo "[!] Can't start temp nginx"
fi
fi

25
entrypoint/permissions-swarm.sh Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
# /etc/letsencrypt
if [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
exit 1
fi
# /www
if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
echo "[!] ERROR - wrong permissions on /www"
exit 2
fi
# /etc/nginx
if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
echo "[!] ERROR - wrong permissions on /etc/nginx"
exit 3
fi
# /acme-challenge
if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
echo "[!] ERROR - wrong permissions on /acme-challenge"
exit 4
fi

29
entrypoint/permissions.sh Normal file
View File

@@ -0,0 +1,29 @@
#!/bin/bash
# /etc/letsencrypt
if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
exit 1
fi
if [ -f "/usr/sbin/nginx" ] ; then
# /www
if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
echo "[!] ERROR - wrong permissions on /www"
exit 2
fi
fi
# /acme-challenge
if [ ! -w "/acme-challenge" ] || [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
echo "[!] ERROR - wrong permissions on /acme-challenge"
exit 3
fi
# /etc/nginx
if [ ! -w "/etc/nginx" ] || [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
echo "[!] ERROR - wrong permissions on /etc/nginx"
exit 4
fi

136
entrypoint/site-config.sh
View File

@@ -9,31 +9,38 @@
# get nginx path and override multisite variables
NGINX_PREFIX="/etc/nginx/"
if [ "$MULTISITE" = "yes" ] ; then
NGINX_PREFIX="${NGINX_PREFIX}${1}/"
for var in $(env) ; do
name=$(echo "$var" | cut -d '=' -f 1)
check=$(echo "$name" | grep "^$1_")
if [ "$check" != "" ] ; then
repl_name=$(echo "$name" | sed "s~${1}_~~")
repl_value=$(echo "$var" | sed "s~${name}=~~")
read -r "$repl_name" <<< $repl_value
first_server=$(echo "$1" | cut -d ' ' -f 1)
NGINX_PREFIX="${NGINX_PREFIX}${first_server}/"
if [ ! -d "$NGINX_PREFIX" ] ; then
mkdir "$NGINX_PREFIX"
fi
ROOT_FOLDER="${ROOT_FOLDER}/$first_server"
for var in $(env | cut -d '=' -f 1 | grep -E "^${first_server}_") ; do
repl_name=$(echo "$var" | sed "s~${first_server}_~~")
repl_value=$(env | grep -E "^${var}=" | sed "s~^${var}=~~")
read -r "$repl_name" <<< $repl_value
done
ROOT_FOLDER="${ROOT_FOLDER}/$1"
fi
set | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "${NGINX_PREFIX}nginx.env"
if [ "$MULTISITE" = "yes" ] ; then
for server in $SERVER_NAME ; do
sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
done
sed -i "s~^SERVER_NAME=.*~SERVER_NAME=${1}~" "${NGINX_PREFIX}nginx.env"
fi
# copy stub confs
if [ "$MULTISITE" = "yes" ] ; then
mkdir "$NGINX_PREFIX"
fi
cp /opt/confs/site/* "$NGINX_PREFIX"
# replace paths
replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
if [ "$MULTISITE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${1}/*.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${first_server}/*.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;\ninclude /pre-server-confs/${first_server}/*.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;"
fi
# max body size
@@ -45,26 +52,34 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
# reverse proxy
if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
i=1
for var in $(env) ; do
check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
name=$(echo "$var" | cut -d '=' -f 1)
value=$(echo "$var" | sed "s/${name}=//")
host=$(echo "$name" | sed "s/URL/HOST/")
host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
ws=$(echo "$name" | sed "s/URL/WS/")
ws_value=$(env | grep "^${ws}=" | sed "s/${ws}=//")
for var in $(set | cut -d '=' -f 1 | grep "^REVERSE_PROXY_URL") ; do
url=$(echo "$var")
url_value=$(echo "${!var}")
host=$(echo "$var" | sed "s/URL/HOST/")
host_value=$(echo "${!host}")
custom_headers=$(echo "$var" | sed "s/URL/HEADERS/")
custom_headers_value=$(echo "${!custom_headers}")
ws=$(echo "$var" | sed "s/URL/WS/")
ws_value=$(echo "${!ws}")
cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
if [ "$custom_headers_value" != "" ] ; then
IFS_=$IFS
IFS=';'
for header_value in $(echo $custom_headers_value) ; do
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "proxy_set_header $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
done
IFS=$IFS_
fi
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
if [ "$ws_value" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
else
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
fi
i=$(($i + 1))
fi
done
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
else
@@ -137,9 +152,6 @@ if [ "$REMOTE_PHP" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;"
replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
if [ "$MULTISITE" = "yes" ] ; then
cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf
fi
replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" ""
@@ -263,8 +275,23 @@ fi
# block bad UA
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
if [ "$WHITELIST_USER_AGENT" != "" ] ; then
list=$(spaces_to_lua "$WHITELIST_USER_AGENT")
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
fi
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
fi
# whitelist URI
if [ "$WHITELIST_URI" != "" ] ; then
list=$(spaces_to_lua "$WHITELIST_URI")
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "$list"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" ""
fi
# block bad referrer
@@ -318,29 +345,30 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
if [ "$MULTISITE" = "no" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
else
FIRST_SERVER_NAME="$1"
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ] ; then
echo "[*] Performing Let's Encrypt challenge for $1 ..."
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
/opt/scripts/certbot-new.sh "$1" "$EMAIL_LETS_ENCRYPT"
fi
FIRST_SERVER_NAME="$first_server"
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
echo -n "$EMAIL_LETS_ENCRYPT" > ${NGINX_PREFIX}email-lets-encrypt.txt
fi
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
fi
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
fi
@@ -360,27 +388,25 @@ fi
# ModSecurity config
if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf"
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
if [ "$MULTISITE" != "yes" ] ; then
modsec_custom=""
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
modsec_custom="include /modsec-confs/*.conf\n"
fi
if [ "$MULTISITE" = "yes" ] && ls /modsec-confs/${1}/*.conf > /dev/null 2>&1 ; then
modsec_custom="${modsec_custom}include /modsec-confs/${1}/*.conf\n"
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
fi
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
if [ "$MULTISITE" != "yes" ] ; then
modsec_crs_custom=""
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
fi
if [ "$MULTISITE" = "yes" ] && ls /modsec-crs-confs/${1}/*.conf > /dev/null 2>&1 ; then
modsec_crs_custom="${modsec_custom}include /modsec-crs-confs/${1}/*.conf\n"
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
@@ -406,11 +432,11 @@ fi
# custom errors
ERRORS=""
for var in $(env) ; do
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
for var in $(compgen -e) ; do
var_name=$(echo "$var" | cut -d '_' -f 1)
if [ "z${var_name}" = "zERROR" ] ; then
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
err_page=$(echo "$var" | cut -d '=' -f 2)
err_code=$(echo "$var" | cut -d '_' -f 2)
err_page=$(echo "${!var}")
cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
@@ -424,11 +450,13 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS"
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;"
replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"
replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%NGINX_PREFIX%" "$NGINX_PREFIX"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;"
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION"
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT"
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%NGINX_PREFIX%" "$NGINX_PREFIX"
fi
htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
else
@@ -537,6 +565,14 @@ else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
fi
# connection limiting
if [ "$USE_LIMIT_CONN" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
fi
# fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"

18
entrypoint/utils.sh
View File

@@ -5,7 +5,9 @@ function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
sed -i "s/$pattern/$replace/g" "$1"
sed "s/$pattern/$replace/g" "$1" > /tmp/sed
cat /tmp/sed > "$1"
rm /tmp/sed
}
# convert space separated values to LUA
@@ -26,13 +28,19 @@ function has_value() {
echo "ok"
return 0
fi
for var in $(env) ; do
for var in $(env | grep -E "^.*_${1}=") ; do
domain=$(echo "$var" | cut -d '_' -f 1)
name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
value=$(echo "$var" | sed "s~${domain}_${name}=~~")
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
if [ "$value" == "$2" ] ; then
echo "ok"
return 0
fi
done
}
# log to jobs.log
function job_log() {
when="$(date '+[%Y-%m-%d %H:%M:%S]')"
what="$1"
echo "$when $what" >> /var/log/jobs.log
}

17
examples/autoconf-php/docker-compose.yml
View File

@@ -9,9 +9,9 @@ services:
- 80:8080
- 443:8443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/etc/letsencrypt
- ./web-files:/www:ro
- autoconf:/etc/nginx
environment:
- SERVER_NAME= # must be left blank if you don't want to setup "static" conf
- MULTISITE=yes
@@ -20,7 +20,17 @@ services:
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
labels:
- "bunkerized-nginx.AUTOCONF"
myautoconf:
image: bunkerity/bunkerized-nginx-autoconf
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- autoconf:/etc/nginx
depends_on:
- mywww
myapp1:
image: php:fpm
@@ -51,3 +61,6 @@ services:
- "bunkerized-nginx.SERVER_NAME=app3.website.com" # replace with your domain
- "bunkerized-nginx.REMOTE_PHP=myapp3"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
volumes:
autoconf:

18
examples/autoconf-reverse-proxy/docker-compose.yml
View File

@@ -9,8 +9,8 @@ services:
- 80:8080
- 443:8443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/etc/letsencrypt
- autoconf:/etc/nginx
environment:
- SERVER_NAME= # must be left blank if you don't want to setup "static" conf
- MULTISITE=yes
@@ -18,9 +18,20 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_PROXY_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
labels:
- "bunkerized-nginx.AUTOCONF"
myautoconf:
image: bunkerity/bunkerized-nginx-autoconf
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- autoconf:/etc/nginx
depends_on:
- mywww
myapp1:
build: js-app
@@ -51,3 +62,6 @@ services:
- "bunkerized-nginx.SERVER_NAME=app3.website.com" # replace with your domain
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp3:3000"
volumes:
autoconf:

1
examples/basic-website-with-php/docker-compose.yml
View File

@@ -18,7 +18,6 @@ services:
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app

2
examples/behind-traefik/docker-compose.yml
View File

@@ -23,7 +23,6 @@ services:
- PROXY_REAL_IP=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=myphp1
- REMOTE_PHP_PATH=/app
labels:
@@ -41,7 +40,6 @@ services:
- PROXY_REAL_IP=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=myphp2
- REMOTE_PHP_PATH=/app
labels:

26
examples/certbot-wildcard/certbot-wildcard.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/bin/sh
# you need to run it before starting bunkerized-nginx
# since it's manual there is no auto renew, you need to run it again before it expires
DOMAIN="*.website.com"
SERVICE="mywww"
# ask for wildcard certificate
# it's interactive and you will need to add a DNS entry
docker run --rm -it -v "${PWD}/letsencrypt:/etc/letsencrypt" certbot/certbot certonly --manual -d $DOMAIN --agree-tos
if [ $? -ne 0 ] ; then
echo "error while getting certificate for $DOMAIN"
exit 1
fi
# fix permissions
chown -R 101:101 "${PWD}/letsencrypt"
# reload nginx if it's already running (in case of a "renew")
if [ -z `docker-compose ps -q $SERVICE` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q $SERVICE)` ]; then
echo "bunkerized-nginx is not running, skipping nginx reload"
else
echo "bunkerized-nginx is running, sending reload order"
docker-compose exec $SERVICE nginx -s reload
fi

39
examples/certbot-wildcard/docker-compose.yml Normal file
View File

@@ -0,0 +1,39 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/letsencrypt:ro
environment:
- SERVER_NAME=app1.website.com app2.website.com # replace with your domains
- MULTISITE=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/letsencrypt/live/website.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/letsencrypt/live/website.com/privkey.pem
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- app1.website.com_REMOTE_PHP=myapp1
- app1.website.com_REMOTE_PHP_PATH=/app
- app2.website.com_REMOTE_PHP=myapp2
- app2.website.com_REMOTE_PHP_PATH=/app
myapp1:
image: php:fpm
restart: always
volumes:
- ./web-files/app1.website.com:/app
myapp2:
image: php:fpm
restart: always
volumes:
- ./web-files/app2.website.com:/app

5
examples/certbot-wildcard/web-files/app1.website.com/index.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
echo "hello from app1 !";
?>

5
examples/certbot-wildcard/web-files/app2.website.com/index.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
echo "hello from app2 !";
?>

0
crowdsec/acquis.yaml → examples/crowdsec/acquis.yaml
View File

23
examples/crowdsec/bouncer_key.sh Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/sh
# first, you need to run the crowdsec service
echo "running crowdsec service ..."
docker-compose up -d mycrowdsec
# wait a little until it's up
sleep 10
# get the bouncer key
docker-compose exec mycrowdsec cscli bouncers add MyBouncer
# enter the key into the CROWDSEC_KEY environment variable
read -p -s "edit CROWDSEC_KEY env var in docker-compose.yml file and press enter"
# start all services
docker-compose up -d
# wait a little until it's up
sleep 10
# restart crowdsec so it reads the log files
docker-compose restart mycrowdsec

69
examples/crowdsec/docker-compose.yml Normal file
View File

@@ -0,0 +1,69 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- nginx_logs:/var/log
environment:
- SERVER_NAME=app1.website.com app2.website.com # replace with your domains
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_CROWDSEC=yes
- CROWDSEC_HOST=http://mycrowdsec:8080
- CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
- app1.website.com_REMOTE_PHP=myapp1
- app1.website.com_REMOTE_PHP_PATH=/app
- app2.website.com_REMOTE_PHP=myapp2
- app2.website.com_REMOTE_PHP_PATH=/app
networks:
- net0
- net1
- net2
mycrowdsec:
image: crowdsecurity/crowdsec:v1.0.13
restart: always
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
- nginx_logs:/var/log:ro
environment:
- COLLECTIONS=crowdsecurity/nginx
- REGISTER_TO_ONLINE_API=true
networks:
- net0
myapp1:
image: php:fpm
restart: always
volumes:
- ./web-files/app1.website.com:/app
networks:
- net1
myapp2:
image: php:fpm
restart: always
volumes:
- ./web-files/app2.website.com:/app
networks:
- net2
networks:
net0:
net1:
net2:
volumes:
nginx_logs:

5
examples/crowdsec/web-files/app1.website.com/index.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
echo "hello from app1 !";
?>

5
examples/crowdsec/web-files/app2.website.com/index.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
echo "hello from app2 !";
?>

30
examples/ghost/docker-compose.yml Normal file
View File

@@ -0,0 +1,30 @@
version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myghost:2368/
myghost:
image: ghost:alpine
volumes:
- ./data-ghost:/var/lib/ghost/content
environment:
- url=https://www.website.com # replace with your domain

30
examples/gogs/docker-compose.yml Normal file
View File

@@ -0,0 +1,30 @@
version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mygogs:3000/
mygogs:
image: gogs/gogs
volumes:
- ./data-gogs:/data

7
examples/gogs/modsec-crs-confs/gogs.conf Normal file
View File

@@ -0,0 +1,7 @@
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"

45
examples/joomla/docker-compose.yml Normal file
View File

@@ -0,0 +1,45 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./joomla-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.website.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myjoomla
- REMOTE_PHP_PATH=/var/www/html
myjoomla:
image: joomla:fpm-alpine
restart: always
volumes:
- ./joomla-files:/var/www/html
environment:
- JOOMLA_DB_HOST=mydb
- JOOMLA_DB_NAME=joomladb
- JOOMLA_DB_USER=user
- JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomladb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)

2
examples/load-balancer/docker-compose.yml
View File

@@ -18,8 +18,8 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://app

2
examples/moodle/docker-compose.yml
View File

@@ -18,8 +18,8 @@ services:
- MAX_CLIENT_SIZE=50m
- SERVE_FILES=no
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mymoodle:8443

2
examples/multisite-basic/docker-compose.yml
View File

@@ -19,13 +19,11 @@ services:
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- app1.website.com_REMOTE_PHP=myapp1
- app1.website.com_REMOTE_PHP_PATH=/app
- app2.website.com_REMOTE_PHP=myapp2
- app2.website.com_REMOTE_PHP_PATH=/app
- app3.website.com_SERVE_FILES=no
- app3.website.com_USE_CLIENT_CACHE=no
- app3.website.com_USE_PROXY_CACHE=yes
- app3.website.com_USE_REVERSE_PROXY=yes
- app3.website.com_REVERSE_PROXY_URL=/

7
examples/multisite-custom-server-confs/docker-compose.yml
View File

@@ -22,14 +22,13 @@ services:
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- wp.website.com_REMOTE_PHP=mywp
- wp.website.com_REMOTE_PHP_PATH=/var/www/html
- nc.website.com_REMOTE_PHP=mync
- nc.website.com_REMOTE_PHP_PATH=/var/www/html
- nc.website.com_LIMIT_REQ_RATE=40r/s
- nc.website.com_LIMIT_REQ_BURST=60
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
- nc.website.com_LIMIT_REQ_RATE=5r/s
- nc.website.com_LIMIT_REQ_BURST=10
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
- nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
networks:

1
examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
View File

@@ -1 +1,2 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"

3
examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
View File

@@ -1 +1,4 @@
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
SecRuleRemoveById 953120

2
examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
View File

@@ -12,4 +12,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

9
examples/nextcloud/docker-compose.yml
View File

@@ -23,16 +23,15 @@ services:
- USE_CLIENT_CACHE=yes
- REMOTE_PHP=mync
- REMOTE_PHP_PATH=/var/www/html
- LIMIT_REQ_RATE=40r/s
- LIMIT_REQ_BURST=60
- ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
- LIMIT_REQ_RATE=5r/s
- LIMIT_REQ_BURST=10
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- USE_BROTLI=yes
- FAIL2BAN_STATUS_CODE=400|401|403|405|444
mync:
image: nextcloud:20-fpm
image: nextcloud:21-fpm
restart: always
volumes:
- ./nc-files:/var/www/html

1
examples/nextcloud/modsec-confs/nextcloud.conf
View File

@@ -1 +1,2 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"

2
examples/nextcloud/modsec-crs-confs/nextcloud.conf
View File

@@ -12,4 +12,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

2
examples/passbolt/docker-compose.yml
View File

@@ -20,8 +20,8 @@ services:
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
- SERVE_FILES=no
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mypassbolt

3
examples/prestashop/docker-compose.yml
View File

@@ -20,9 +20,10 @@ services:
- MAX_CLIENT_SIZE=50m
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=myprestashop
- REMOTE_PHP_PATH=/var/www/html
- LIMIT_REQ_RATE=5r/s
- LIMIT_REQ_BURST=10
myprestashop:
image: prestashop/prestashop:1.7-fpm

46
examples/redmine/docker-compose.yml Normal file
View File

@@ -0,0 +1,46 @@
version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myredmine:3000/
myredmine:
image: redmine
restart: always
volumes:
- ./redmine-data:/usr/src/redmine/files
environment:
- REDMINE_DB_MYSQL=mydb
- REDMINE_DB_DATABASE=redminedb
- REDMINE_DB_USERNAME=user
- REDMINE_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)

2
examples/reverse-proxy-multisite/docker-compose.yml
View File

@@ -18,8 +18,8 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- app1.website.com_REVERSE_PROXY_URL=/
- app1.website.com_REVERSE_PROXY_HOST=http://app1:3000

2
examples/reverse-proxy-singlesite/docker-compose.yml
View File

@@ -18,8 +18,8 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL_1=/app1/
- REVERSE_PROXY_HOST_1=http://app1:3000/

4
examples/reverse-proxy-websocket/docker-compose.yml
View File

@@ -3,7 +3,7 @@ version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx:dev
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
@@ -17,8 +17,8 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/ws/
- REVERSE_PROXY_HOST=http://myws:8010/

99
examples/swarm/stack.yml Normal file
View File

@@ -0,0 +1,99 @@
version: '3.8'
services:
autoconf:
image: bunkerity/bunkerized-nginx-autoconf
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt
- /shared/acme-challenge:/acme-challenge
environment:
- SWARM_MODE=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
networks:
- net_config
deploy:
replicas: 1
placement:
constraints:
- "node.role==manager"
nginx:
image: bunkerity/bunkerized-nginx
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
volumes:
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt:ro
- /shared/acme-challenge:/acme-challenge:ro
- /shared/www:/www:ro
environment:
- SWARM_MODE=yes
- USE_API=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
- MULTISITE=yes
- SERVER_NAME=
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
networks:
- net_config
- net_services
deploy:
mode: global
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.AUTOCONF"
app1:
image: php:fpm-alpine
volumes:
- /shared/www/app1.website.com:/www
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app1.website.com"
- "bunkerized-nginx.REMOTE_PHP=php"
- "bunkerized-nginx.REMOTE_PHP_PATH=/www"
app2:
image: phpmyadmin:apache
environment:
- PMA_ARBITRARY=1
- PMA_ABSOLUTE_URI=https://app2.website.com
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app2.website.com"
- "bunkerized-nginx.USE_PROXY_CACHE=yes"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
networks:
net_config:
driver: overlay
net_services:
driver: overlay

2
examples/tomcat/docker-compose.yml
View File

@@ -17,8 +17,8 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mytomcat:8080/sample/

Some files were not shown because too many files have changed in this diff Show More