Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: Makussu:v1.2.2
Branches Tags
Makussu:master Makussu:dev Makussu:gh-pages
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0
...
compare: Makussu:v1.2.3
Branches Tags
Makussu:dev Makussu:gh-pages Makussu:master
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0

50 Commits
v1.2.2 ... v1.2.3

Author SHA1 Message Date
bunkerity
397182f18d add link to twitter account 2021-03-18 18:11:52 +01:00
bunkerity
c5c5fb17b5 v1.2.3 - swarm support 2021-03-18 18:08:42 +01:00
bunkerity
017a7780fb README update, default cron update and new parameters to ui 2021-03-18 17:11:58 +01:00
bunkerity
34d9db7a8b web ui - bug fixes 2021-03-18 12:34:46 +01:00
bunkerity
361c66ca61 fixed bugs with MULTISITE variables and swarm example 2021-03-18 10:29:37 +01:00
bunkerity
afc6678855 road to v1.2.3 - fixing bugs 2021-03-17 17:55:56 +01:00
bunkerity
c40fb33175 road to swarm - automatic reload after jobs 2021-03-17 12:16:56 +01:00
bunkerity
93ad3c0b51 road to swarm - let's encrypt fix 2021-03-17 10:37:20 +01:00
bunkerity
ceed904882 road to swarm - still some mess to fix 2021-03-16 17:56:24 +01:00
Bunkerity
b8027d2bac Merge pull request #102 from thelittlefireman/proxy_custom_headers 
[NEED TESTING] Enhancement add custom proxy headers #97
 2021-03-16 10:08:05 +01:00
Bunkerity
8d03a14a6a Merge pull request #103 from thelittlefireman/fix_truncated_3 
Fix truncated 3
 2021-03-16 10:06:05 +01:00
thelittlefireman
d16f4517a4 Enhancement add custom proxy headers #97 2021-03-15 23:24:58 +01:00
thelittlefireman
89ca91b3ff Fix truncated variables (last commit) 2021-03-15 22:54:30 +01:00
bunkerity
6a714e2ece road to swarm - fix race condition on initial configuration 2021-03-14 16:50:08 +01:00
bunkerity
0d3da03534 prepare /www directory, fix log socket path and whitelist acme challenges path 2021-03-14 12:33:59 +01:00
bunkerity
33163f65b3 init work on disabling root processes 2021-03-13 22:52:23 +01:00
bunkerity
a2543384cd road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights 2021-03-13 15:28:15 +01:00
bunkerity
3591715f21 road to swarm - fixing things 2021-03-12 17:31:26 +01:00
bunkerity
95f7ca5b2d road to swarm support - needs a lot of testing 2021-03-12 15:17:45 +01:00
bunkerity
816fa47cbb introducing SWARM_MODE env var 2021-03-12 12:40:52 +01:00
Bunkerity
7756c2df3c Merge pull request #98 from mromanelli9/fix/readme 
Fix README
 2021-03-12 10:44:06 +01:00
bunkerity
7509ec2f2c basic API to be used in swarm mode 2021-03-12 10:42:31 +01:00
Marco Romanelli
6e93575e16 remove ALLOWALL from X_FRAME_OPTIONS options 2021-03-11 14:41:23 +01:00
Marco Romanelli
ba4c977550 remove old anchor 2021-03-11 11:49:46 +01:00
bunkerity
781e4c8cbb autoconf little work on swarm support 2021-03-10 17:24:02 +01:00
bunkerity
e04c783d1e autoconf - init work on swarm mode 2021-03-09 17:33:22 +01:00
bunkerity
e12b656bd5 Merge branch 'patch-7' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 14:06:54 +01:00
bunkerity
cae05447d3 custom crontab values 2021-03-08 13:58:14 +01:00
bunkerity
4b58e22657 Merge branch 'patch-5' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 13:52:35 +01:00
bunkerity
6b56e21a09 Merge branch 'whitelist_ua' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 13:46:28 +01:00
bunkerity
544a09e8da Update lua-cs-bouncer 2021-03-08 12:02:56 +01:00
bunkerity
8386dd4a2a custom config outside server block 2021-03-08 11:53:11 +01:00
root
f052a25168 Merge branch 'pre_server_confs' of https://github.com/thelittlefireman/bunkerized-nginx into dev 2021-03-08 11:47:45 +01:00
Bunkerity
43750f5536 Merge pull request #73 from thelittlefireman/patch-4 
Add missing reverse proxy header (X-Forwarded-Host)
 2021-03-08 10:16:31 +01:00
Bunkerity
9142afdb54 Merge pull request #72 from thelittlefireman/patch-3 
Fix #71 - limit connection by IP
 2021-03-08 10:15:14 +01:00
thelittlefireman
66c4fed791 Fix env variable with space are truncated 2 
Fix #82
 2021-03-05 23:59:38 +01:00
thelittlefireman
f41846e9d6 Fix env variable with space are truncated 
Fix #82
 2021-03-05 23:56:19 +01:00
thelittlefireman
92cc705b92 Reduce memory usage : set cron tasks at different hours. 2021-03-03 13:02:56 +01:00
thelittlefireman
47fb3a05b3 Upgrade crowdsecurity/lua-cs-bouncer 
Upgrade crowdsecurity/lua-cs-bouncer to latest version to include commit dcfba46ccd
 2021-03-03 10:01:04 +01:00
thelittlefireman
5940f402c7 improve default tls security 2021-02-28 23:59:22 +01:00
thelittlefireman
d9ca275d53 Add before server {} config. 2021-02-03 14:17:20 +01:00
thelittlefireman
8353bd9c85 Allow to add a whitelist by site on user-agent 2021-02-03 13:51:15 +01:00
thelittlefireman
d902e2f297 Add last missing reverse proxy header 
X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host]
 2021-01-03 16:28:51 +01:00
thelittlefireman
1a8b8043c8 Add LIMIT_CONN var to server.conf 2021-01-02 14:26:52 +01:00
thelittlefireman
65120a7e97 Add USE_CONN_LIMIT info to Readme.md 
and fix small typo
 2021-01-02 14:25:34 +01:00
thelittlefireman
b093a47554 Add default values for LIMIT_CONN 2021-01-02 14:18:26 +01:00
thelittlefireman
73dbf03c9a add USE_LIMIT_CONN zone to global config 2021-01-02 14:15:18 +01:00
thelittlefireman
6ee746236a Add USE_LIMIT_CONN to site-config 2021-01-02 14:11:36 +01:00
thelittlefireman
fa935eb6e3 edit nginx.conf to add limit_conn 2021-01-02 14:04:34 +01:00
thelittlefireman
cf231e13cb Add limit-conn.conf 2021-01-02 13:35:18 +01:00
73 changed files with 1755 additions and 806 deletions
Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.idea/

7
Dockerfile
View File

@@ -16,11 +16,10 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

7
Dockerfile-amd64
View File

@@ -16,11 +16,10 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

7
Dockerfile-arm32v7
View File

@@ -23,11 +23,10 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

7
Dockerfile-arm64v8
View File

@@ -23,11 +23,10 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

7
Dockerfile-i386
View File

@@ -16,11 +16,10 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
EXPOSE 8080/tcp 8443/tcp
USER nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

324
README.md
View File

@@ -1,8 +1,16 @@
# bunkerized-nginx
<p align="center">
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
</p>
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.2-blue" /> <img src="https://img.shields.io/badge/nginx-1.18.0-blue" /> <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" /> <a href="https://matrix.to/#/#bunkerized-nginx:matrix.org"><img src="https://img.shields.io/badge/matrix%20chat-%23bunkerized--nginx%3Amatrix.org-blue" /></a> <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" /> <img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
<p align="center">
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.3-blue" />
<img src="https://img.shields.io/badge/nginx-1.18.0-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
<a href="https://matrix.to/#/#bunkerized-nginx:matrix.org"><img src="https://img.shields.io/badge/matrix%20chat-%23bunkerized--nginx%3Amatrix.org-blue" /></a>
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />
<img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
<a href="https://twitter.com/bunkerity"><img src="https://img.shields.io/twitter/follow/bunkerity?style=social" /></a>
</p>
nginx Docker image secure by default.
@@ -20,13 +28,13 @@ Non-exhaustive list of features :
- Detect bad files with ClamAV
- Easy to configure with environment variables or web UI
- Automatic configuration with container labels
- Docker Swarm support
Fooling automated tools/scanners :
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/demo.gif?raw=true" />
# Table of contents
- [bunkerized-nginx](#bunkerized-nginx)
- [Table of contents](#table-of-contents)
- [Live demo](#live-demo)
- [Quickstart guide](#quickstart-guide)
@@ -37,9 +45,13 @@ Fooling automated tools/scanners :
* [Behind a reverse proxy](#behind-a-reverse-proxy)
* [Multisite](#multisite)
* [Automatic configuration](#automatic-configuration)
* [Swarm mode](#swarm-mode)
* [Web UI](#web-ui)
* [Antibot challenge](#antibot-challenge)
* [Hardening](#hardening)
- [Tutorials and examples](#tutorials-and-examples)
- [Include custom configurations](#include-custom-configurations)
- [Cache data](#cache-data)
- [List of environment variables](#list-of-environment-variables)
* [nginx](#nginx)
+ [Misc](#misc)
@@ -65,14 +77,14 @@ Fooling automated tools/scanners :
+ [Custom whitelisting](#custom-whitelisting)
+ [Custom blacklisting](#custom-blacklisting)
+ [Requests limiting](#requests-limiting)
+ [Connections limiting](#connections-limiting)
+ [Countries](#countries)
* [PHP](#php)
* [Fail2ban](#fail2ban)
* [ClamAV](#clamav)
* [Logrotate](#logrotate)
* [Cron jobs](#cron-jobs)
* [Misc](#misc-2)
- [Include custom configurations](#include-custom-configurations)
- [Cache data](#cache-data)
- [Create your own image](#create-your-own-image)
# Live demo
You can find a live demo at https://demo-nginx.bunkerity.com.
@@ -85,7 +97,7 @@ You can find a live demo at https://demo-nginx.bunkerity.com.
docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx
```
Web files are stored in the /www directory, the container will serve files from there.
Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly.
## In combination with PHP
@@ -118,8 +130,9 @@ docker run -p 80:8080 \
bunkerity/bunkerized-nginx
```
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Here you have three environment variables :
- `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
@@ -279,6 +292,91 @@ docker run --network mynet \
tutum/hello-world
```
## Swarm mode
Automatic configuration through labels is also supported in swarm mode. The *bunkerized-nginx-autoconf* is used to listen for Swarm events (e.g. service create/rm) and "automagically" edit configurations files and reload nginx.
As a use case we will assume the following :
- Some managers are also workers (they will only run the *autoconf* container for obvious security reasons)
- The bunkerized-nginx service will be deployed on all workers (global mode) so clients can connect to each of them (e.g. load balancing, CDN, edge proxy, ...)
- There is a shared folder mounted on managers and workers (e.g. NFS, GlusterFS, CephFS, ...)
Let's start by creating the network to allow communications between our services :
```shell
docker network create -d overlay mynet
```
We can now create the *autoconf* service that will listen to swarm events :
```shell
docker service create --name autoconf \
--network mynet \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=bind,source=/shared/confs,destination=/etc/nginx \
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
-e SWARM_MODE=yes \
-e API_URI=/ChangeMeToSomethingHardToGuess \
--replicas 1 \
--constraint node.role==manager \
bunkerity/bunkerized-nginx-autoconf
```
**You need to change `API_URI` to something hard to guess since there is no other security mechanism to protect the API at the moment.**
When *autoconf* is created, it's time for the *bunkerized-nginx* service to be up :
```shell
docker service create --name nginx \
--network mynet \
-p published=80,target=8080,mode=host \
-p published=443,target=8443,mode=host \
--mount type=bind,source=/shared/confs,destination=/etc/nginx \
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,ro \
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,ro \
--mount type=bind,source=/shared/www,destination=/www,ro \
-e SWARM_MODE=yes \
-e USE_API=yes \
-e API_URI=/ChangeMeToSomethingHardToGuess \
-e MULTISITE=yes \
-e SERVER_NAME= \
-e AUTO_LETS_ENCRYPT=yes \
-e REDIRECT_HTTP_TO_HTTPS=yes \
-l bunkerized-nginx.AUTOCONF \
--mode global \
--constraint node.role==worker \
bunkerity/bunkerized-nginx
```
The `API_URI` value must be the same as the one specified for the *autoconf* service.
We can now create a new service and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
Here is a PHP example :
```shell
docker service create --name myapp \
--network mynet \
--mount type=bind,source=/shared/www/app.domain.com,destination=/app \
-l bunkerized-nginx.SERVER_NAME=app.domain.com \
-l bunkerized-nginx.REMOTE_PHP=myapp \
-l bunkerized-nginx.REMOTE_PHP_PATH=/app \
--constraint node.role==worker \
php:fpm
```
And a reverse proxy example :
```shell
docker service create --name anotherapp \
--network mynet \
-l bunkerized-nginx.SERVER_NAME=app2.domain.com \
-l bunkerized-nginx.USE_REVERSE_PROXY=yes \
-l bunkerized-nginx.REVERSE_PROXY_URL=/ \
-l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
--constraint node.role==worker \
tutum/hello-world
```
## Web UI
**This feature exposes, for now, a security risk because you need to mount the docker socket inside a container exposing a web application. You can test it but you should not use it in servers facing the internet.**
@@ -340,9 +438,53 @@ docker run -p 80:8080 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerit
When `USE_ANTIBOT` is set to *captcha*, every users visiting your website must complete a captcha before accessing the pages. Others challenges are also available : *cookie*, *javascript* or *recaptcha* (more info [here](#antibot)).
## Hardening
By default, *bunkerized-nginx* runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container :
```shell
docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
```
# Tutorials and examples
You will find some docker-compose.yml examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples).
You will find some docker-compose examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples).
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context
- /server-confs : server context
- /pre-server-confs : before server context (add map or upstream config for example)
You just need to use a volume like this :
```shell
docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
```
When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
```shell
docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
```
The */path/to/server/confs* directory should have a structure like this :
```
/path/to/server/confs
├── app1.domain.com
│   └── custom.conf
│   └── ...
└── app2.domain.com
└── custom.conf
└── ...
```
# Cache data
You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
```shell
docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
```
# List of environment variables
@@ -380,7 +522,7 @@ Only the HTTP methods listed here will be accepted by nginx. If not listed, ngin
`DISABLE_DEFAULT_SERVER`
Values : *yes* | *no*
Default value : *no*
Context : *global*, *multisite*
Context : *global*
If set to yes, nginx will only respond to HTTP request when the Host header match a FQDN specified in the `SERVER_NAME` environment variable.
For example, it will close the connection if a bot access the site with direct ip.
@@ -398,7 +540,7 @@ Context : *global*
The IP addresses of the DNS resolvers to use when performing DNS lookups.
`ROOT_FOLDER`
Values : *\<any valid path to web files\>
Values : *\<any valid path to web files\>*
Default value : */www*
Context : *global*
The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
@@ -413,7 +555,7 @@ The log format used by nginx to generate logs. More info [here](http://nginx.org
Values : *\<any valid port greater than 1024\>*
Default value : *8080*
Context : *global*
The HTTP port number used by nginx and certbot inside the container.
The HTTP port number used by nginx inside the container.
`HTTPS_PORT`
Values : *\<any valid port greater than 1024\>*
@@ -505,6 +647,14 @@ Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
`REVERSE_PROXY_HEADERS`
Values : *\<list of custom headers separated with a semicolon\>*
Examples : Access-Control-Allow-Origin 'https://mydomain.dev'; Custom_Api_Header 'test';
Default value : ""
Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HEADERS_1`, `REVERSE_PROXY_HEADERS_2`, `REVERSE_PROXY_HEADERS_3`, ...
`PROXY_REAL_IP`
Values : *yes* | *no*
Default value : *no*
@@ -831,7 +981,7 @@ You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .co
## Security headers
`X_FRAME_OPTIONS`
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net* | *ALLOWALL*
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
Default value : *DENY*
Context : *global*, *multisite*
Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks.
@@ -947,7 +1097,7 @@ The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
`BLOCK_USER_AGENT`
Values : *yes* | *no*
Default value : *yes*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, block clients with "bad" user agent.
Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt).
@@ -1040,6 +1190,12 @@ Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .c
Context : *global*
The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
`WHITELIST_USER_AGENT`
Values : *\<list of regexes separated with spaces\>*
Default value :
Context : *global*, *multisite*
Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
### Custom blacklisting
`USE_BLACKLIST_IP`
@@ -1085,7 +1241,7 @@ The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requ
Values : *<any valid integer\>*
Default value : *40*
Context : *global*, *multisite*
The number of of requests to put in queue before rejecting requests.
The number of requests to put in queue before rejecting requests.
`LIMIT_REQ_CACHE`
Values : *Xm* | *Xk*
@@ -1093,6 +1249,27 @@ Default value : *10m*
Context : *global*
The size of the cache to store information about request limiting.
### Connections limiting
`USE_LIMIT_CONN`
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. Very small/weak ddos protection)
More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
`LIMIT_CONN_MAX`
Values : *<any valid integer\>*
Default value : *40*
Context : *global*, *multisite*
The maximum number of connections per ip to put in queue before rejecting requests.
`LIMIT_CONN_CACHE`
Values : *Xm* | *Xk*
Default value : *10m*
Context : *global*
The size of the cache to store information about connection limiting.
### Countries
`BLACKLIST_COUNTRY`
@@ -1167,7 +1344,7 @@ IPs or subnet which should never be ban by fail2ban.
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
`USE_CLAMAV_SCAN`
Values : *yes* | *no*
@@ -1181,13 +1358,7 @@ Default value : *yes*
Context : *global*
If set to yes, ClamAV will automatically remove the detected files.
## Misc
`ADDITIONAL_MODULES`
Values : *\<list of packages separated with space\>*
Default value :
Context : *global*
You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.
## Logrotate
`LOGROTATE_MINSIZE`
Values : *x* | *xk* | *xM* | *xG*
@@ -1201,37 +1372,84 @@ Default value : 7
Context : *global*
The number of days before rotated files are deleted.
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context
- /server-confs : server context
## Cron jobs
You just need to use a volume like this :
```shell
docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
```
`AUTO_LETS_ENCRYPT_CRON`
Values : *\<cron expression\>*
Default value : *15 0 \* \* \**
Context : *global*
Cron expression of how often certbot will try to renew the certificates.
When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
`BLOCK_USER_AGENT_CRON`
Values : *\<cron expression\>*
Default value : *30 0 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of user agent is updated.
```shell
docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
```
`BLOCK_TOR_EXIT_NODE_CRON`
Values : *\<cron expression\>*
Default value : *0 \*/1 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of tor exit node is updated.
The */path/to/server/confs* directory should have a structure like this :
```
/path/to/server/confs
├── app1.domain.com
│   └── custom.conf
│   └── ...
└── app2.domain.com
└── custom.conf
└── ...
```
`BLOCK_PROXIES_CRON`
Values : *\<cron expression\>*
Default value : *0 3 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of proxies is updated.
# Cache data
`BLOCK_ABUSERS_CRON`
Values : *\<cron expression\>*
Default value : *0 2 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of abusers is updated.
You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
`BLOCK_REFERRER_CRON`
Values : *\<cron expression\>*
Default value : *45 0 \* \* \* \**
Context : *global*
Cron expression of how often the blacklist of referrer is updated.
```shell
docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
```
`GEOIP_CRON`
Values : *\<cron expression\>*
Default value : *0 4 2 \* \**
Context : *global*
Cron expression of how often the GeoIP database is updated.
`USE_CLAMAV_SCAN_CRON`
Values : *\<cron expression\>*
Default value : *30 1 \* \* \**
Context : *global*
Cron expression of how often ClamAV will scan all the files inside the container.
`CLAMAV_UPDATE_CRON`
Values : *\<cron expression\>*
Default value : *0 1 \* \* \**
Context : *global*
Cron expression of how often ClamAV will update its database.
`LOGROTATE_CRON`
Values : *\<cron expression\>*
Default value : *0 0 \* \* \**
Context : *global*
Cron expression of how often Logrotate will rotate files.
## misc
`SWARM_MODE`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
`USE_API`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
`API_URI`
Values : *random* | *\<any valid URI path\>*
Default value : *random*
Context : *global*
Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).

2
VERSION
View File

@@ -1 +1 @@
1.2.2
1.2.3

120
autoconf/AutoConf.py Normal file
View File

@@ -0,0 +1,120 @@
from Config import Config
import utils
import os
class AutoConf :
def __init__(self, swarm, api) :
self.__swarm = swarm
self.__servers = {}
self.__instances = {}
self.__sites = {}
self.__config = Config(self.__swarm, api)
def reload(self) :
return self.__config.reload(self.__instances)
def pre_process(self, objs) :
for instance in objs :
(id, name, labels) = self.__get_infos(instance)
if "bunkerized-nginx.AUTOCONF" in labels :
if self.__swarm :
self.__process_instance(instance, "create", id, name, labels)
else :
if instance.status in ("restarting", "running", "created", "exited") :
self.__process_instance(instance, "create", id, name, labels)
if instance.status == "running" :
self.__process_instance(instance, "start", id, name, labels)
for server in objs :
(id, name, labels) = self.__get_infos(server)
if "bunkerized-nginx.SERVER_NAME" in labels :
if self.__swarm :
self.__process_server(server, "create", id, name, labels)
else :
if server.status in ("restarting", "running", "created", "exited") :
self.__process_server(server, "create", id, name, labels)
if server.status == "running" :
self.__process_server(server, "start", id, name, labels)
def process(self, obj, event) :
(id, name, labels) = self.__get_infos(obj)
if "bunkerized-nginx.AUTOCONF" in labels :
self.__process_instance(obj, event, id, name, labels)
elif "bunkerized-nginx.SERVER_NAME" in labels :
self.__process_server(obj, event, id, name, labels)
def __get_infos(self, obj) :
if self.__swarm :
id = obj.id
name = obj.name
labels = obj.attrs["Spec"]["Labels"]
else :
id = obj.id
name = obj.name
labels = obj.labels
return (id, name, labels)
def __process_instance(self, instance, event, id, name, labels) :
if event == "create" :
self.__instances[id] = instance
if self.__swarm and len(self.__instances) == 1 :
if self.__config.initconf(self.__instances) :
utils.log("[*] initial config succeeded")
else :
utils.log("[!] initial config failed")
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
elif event == "start" :
self.__instances[id].reload()
utils.log("[*] bunkerized-nginx instance started : " + name + " / " + id)
elif event == "die" :
self.__instances[id].reload()
utils.log("[*] bunkerized-nginx instance stopped : " + name + " / " + id)
elif event == "destroy" or event == "remove" :
del self.__instances[id]
if self.__swarm and len(self.__instances) == 0 :
with open("/etc/crontabs/nginx", "w") as f :
f.write("")
if os.path.exists("/etc/nginx/autoconf") :
os.remove("/etc/nginx/autoconf")
utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
def __process_server(self, instance, event, id, name, labels) :
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
if event == "create" :
if self.__config.generate(self.__instances, vars) :
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
self.__servers[id] = instance
if self.__swarm :
if self.__config.activate(self.__instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
elif event == "start" :
if id in self.__servers :
self.__servers[id].reload()
if self.__config.activate(self.__instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
elif event == "die" :
if id in self.__servers :
self.__servers[id].reload()
if self.__config.deactivate(self.__instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
elif event == "destroy" or event == "remove" :
if id in self.__servers :
if self.__swarm :
if self.__config.deactivate(self.__instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
del self.__servers[id]
if self.__config.remove(vars) :
utils.log("[*] Removed config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])

178
autoconf/Config.py Normal file
View File

@@ -0,0 +1,178 @@
#!/usr/bin/python3
import utils
import subprocess, shutil, os, traceback, requests, time
class Config :
def __init__(self, swarm, api) :
self.__swarm = swarm
self.__api = api
def initconf(self, instances) :
try :
for instance_id, instance in instances.items() :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
break
vars = {}
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars[var] = value
if self.globalconf(instances) :
i = 0
started = False
while i < 10 :
if self.__ping(instances) :
started = True
break
i = i + 1
utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact nginx instances")
time.sleep(i)
if started :
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
return proc.returncode == 0
else :
utils.log("[!] bunkerized-nginx instances are not started")
else :
utils.log("[!] Can't generate global conf")
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while initializing config : " + str(e))
return False
def globalconf(self, instances) :
try :
for instance_id, instance in instances.items() :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
break
vars = {}
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars[var] = value
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/global-config.sh", "nginx"], env=vars, capture_output=True)
if proc.returncode == 0 :
with open("/etc/nginx/autoconf", "w") as f :
f.write("ok")
return True
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while generating global config : " + str(e))
return False
def generate(self, instances, vars) :
try :
# Get env vars from bunkerized-nginx instances
vars_instances = {}
for instance_id, instance in instances.items() :
if self.__swarm :
env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
else :
env = instance.attrs["Config"]["Env"]
for var_value in env :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars_instances[var] = value
vars_defaults = vars.copy()
vars_defaults.update(vars_instances)
vars_defaults.update(vars)
# Call site-config.sh to generate the config
proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " " + vars["SERVER_NAME"], "nginx"], env=vars_defaults, capture_output=True)
if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" and self.__swarm :
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
return proc.returncode == 0
return proc.returncode == 0
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while generating site config : " + str(e))
return False
def activate(self, instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Include the server conf
utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
return self.reload(instances)
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while activating config : " + str(e))
return False
def deactivate(self, instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the include
utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
return self.reload(instances)
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while deactivating config : " + str(e))
return False
def remove(self, instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the folder
shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False
def reload(self, instances) :
return self.__api_call(instances, "/reload")
def __ping(self, instances) :
return self.__api_call(instances, "/ping")
def __api_call(self, instances, path) :
ret = True
for instance_id, instance in instances.items() :
# Reload the instance object just in case
instance.reload()
# Reload via API
if self.__swarm :
# Send POST request on http://serviceName.NodeID.TaskID:8000/reload
name = instance.name
for task in instance.tasks() :
if task["Status"]["State"] != "running" :
continue
nodeID = task["NodeID"]
taskID = task["ID"]
fqdn = name + "." + nodeID + "." + taskID
req = False
try :
req = requests.post("http://" + fqdn + ":8080" + self.__api + path)
except :
pass
if req and req.status_code == 200 :
utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
else :
utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
ret = False
# Send SIGHUP to running instance
elif instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
ret = False
return ret

42
autoconf/Dockerfile
View File

@@ -1,18 +1,38 @@
FROM nginx:stable-alpine AS builder
FROM alpine
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
mkdir /opt/scripts && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

41
autoconf/Dockerfile-amd64
View File

@@ -1,18 +1,37 @@
FROM nginx:stable-alpine AS builder
FROM amd64/alpine
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

38
autoconf/Dockerfile-arm32v7
View File

@@ -3,23 +3,41 @@ FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM nginx:stable-alpine AS builder2
FROM arm32v7/alpine
COPY --from=builder qemu-arm-static /usr/bin
COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker && \
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

38
autoconf/Dockerfile-arm64v8
View File

@@ -3,23 +3,41 @@ FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM nginx:stable-alpine AS builder2
FROM arm64v8/alpine
COPY --from=builder qemu-aarch64-static /usr/bin
COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker && \
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

41
autoconf/Dockerfile-i386
View File

@@ -1,18 +1,37 @@
FROM nginx:stable-alpine AS builder
FROM i386/alpine
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
COPY --from=builder /etc/nginx/ /opt/confs/nginx
RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
pip3 install docker requests && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site && \
mkdir -p /opt/confs/global && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /var/log/letsencrypt && \
chown root:nginx /var/log/letsencrypt && \
chmod 770 /var/log/letsencrypt && \
mkdir /var/lib/letsencrypt && \
chown root:nginx /var/lib/letsencrypt && \
chmod 770 /var/lib/letsencrypt && \
mkdir /cache && \
chown root:nginx /cache && \
chmod 770 /cache && \
touch /var/log/jobs.log && \
chown root:nginx /var/log/jobs.log && \
chmod 770 /var/log/jobs.log && \
chown -R root:nginx /opt/confs/nginx && \
chmod -R 770 /opt/confs/nginx
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
COPY scripts/* /opt/scripts/
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY autoconf/* /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

28
autoconf/ReloadServer.py Normal file
View File

@@ -0,0 +1,28 @@
import socketserver, threading, utils, os, stat
class ReloadServerHandler(socketserver.StreamRequestHandler):
def handle(self) :
try :
data = self.request.recv(512)
if not data :
return
with self.server.lock :
ret = self.server.autoconf.reload()
if ret :
self.request.sendall("ok".encode("utf-8"))
else :
self.request.sendall("ko".encode("utf-8"))
except Exception as e :
utils.log("Exception " + str(e))
def run_reload_server(autoconf, lock) :
server = socketserver.UnixStreamServer("/tmp/autoconf.sock", ReloadServerHandler)
os.chown("/tmp/autoconf.sock", 0, 101)
os.chmod("/tmp/autoconf.sock", 0o770)
server.autoconf = autoconf
server.lock = lock
thread = threading.Thread(target=server.serve_forever)
thread.daemon = True
thread.start()
return (server, thread)

68
autoconf/app.py Normal file
View File

@@ -0,0 +1,68 @@
#!/usr/bin/python3
from AutoConf import AutoConf
from ReloadServer import run_reload_server
import utils
import docker, os, stat, sys, select, threading
# Connect to the endpoint
endpoint = "/var/run/docker.sock"
if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
sys.exit(1)
try :
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
except Exception as e :
utils.log("[!] Can't instantiate DockerClient : " + str(e))
sys.exit(2)
# Check if we are in Swarm mode
swarm = os.getenv("SWARM_MODE") == "yes"
# Our object to process events
api = ""
if swarm :
api = os.getenv("API_URI")
autoconf = AutoConf(swarm, api)
lock = threading.Lock()
if swarm :
(server, thread) = run_reload_server(autoconf, lock)
# Get all bunkerized-nginx instances and web services created before
try :
if swarm :
before = client.services.list(filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.services.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
else :
before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(3)
# Process them before events
with lock :
autoconf.pre_process(before)
# Process events received from Docker
try :
for event in client.events(decode=True) :
# Process only container/service events
if (swarm and event["Type"] != "service") or (not swarm and event["Type"] != "container") :
continue
# Get Container/Service object
try :
if swarm :
server = client.services.get(service_id=event["Actor"]["ID"])
else :
server = client.containers.get(event["id"])
except docker.errors.NotFound as e :
continue
# Process the event
with lock :
autoconf.process(server, event["Action"])
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(4)

85
autoconf/config.py
View File

@@ -1,85 +0,0 @@
#!/usr/bin/python3
import utils
import subprocess, shutil, os, traceback
def generate(instances, vars) :
try :
# Get env vars from bunkerized-nginx instances
vars_instances = {}
for instance_id, instance in instances.items() :
for var_value in instance.attrs["Config"]["Env"] :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars_instances[var] = value
vars_defaults = vars.copy()
vars_defaults.update(vars_instances)
vars_defaults.update(vars)
# Call site-config.sh to generate the config
proc = subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults, capture_output=True)
if proc.returncode == 0 :
return True
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while generating config : " + str(e))
return False
def activate(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Include the server conf
utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
# Send SIGHUP to all running instances
for instance_id, instance in instances.items() :
if instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
return True
except Exception as e :
utils.log("[!] Error while activating config : " + str(e))
return False
def deactivate(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the include
utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
# Send SIGHUP to all running instances
for instance_id, instance in instances.items() :
if instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False
def remove(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the folder
shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False

118
autoconf/entrypoint.py
View File

@@ -1,118 +0,0 @@
#!/usr/bin/python3
import utils, config
import docker, os, stat, sys
def process(container, event) :
global instances, containers
# Process instance event
if "bunkerized-nginx.AUTOCONF" in container.labels :
if event == "create" :
instances[container.id] = container
utils.log("[*] bunkerized-nginx instance created : " + container.name + " / " + container.id)
elif event == "start" :
instances[container.id].reload()
utils.log("[*] bunkerized-nginx instance started : " + container.name + " / " + container.id)
elif event == "die" :
instances[container.id].reload()
utils.log("[*] bunkerized-nginx instance stopped : " + container.name + " / " + container.id)
elif event == "destroy" :
del instances[container.id]
utils.log("[*] bunkerized-nginx instance removed : " + container.name + " / " + container.id)
# Process container event
elif "bunkerized-nginx.SERVER_NAME" in container.labels :
# Convert labels to env vars
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in container.labels.items() if k.startswith("bunkerized-nginx.")}
if event == "create" :
if config.generate(instances, vars) :
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
containers[container.id] = container
else :
utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
elif event == "start" :
if container.id in containers :
containers[container.id].reload()
if config.activate(instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
elif event == "die" :
if container.id in containers :
containers[container.id].reload()
if config.deactivate(instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
elif event == "destroy" :
if container.id in containers :
del containers[container.id]
if config.remove(vars) :
utils.log("[*] Removed config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])
# Connect to the endpoint
endpoint = "/var/run/docker.sock"
if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
sys.exit(1)
try :
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
except Exception as e :
utils.log("[!] Can't instantiate DockerClient : " + str(e))
sys.exit(2)
# Get all bunkerized-nginx instances and web services created before
instances = {}
containers = {}
try :
before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(all=True, filters={"label" : "bunkerized-nginx.SERVER_NAME"})
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(3)
# Process instances first
for instance in before :
if "bunkerized-nginx.AUTOCONF" in instance.labels :
if instance.status in ("restarting", "running", "created", "exited") :
process(instance, "create")
if instance.status == "running" :
process(instance, "start")
# Containers after
for container in before :
if "bunkerized-nginx.SERVER_NAME" in container.labels :
if container.status in ("restarting", "running", "created", "exited") :
process(container, "create")
if container.status == "running" :
process(container, "start")
# Process events received from Docker
try :
for event in client.events(decode=True) :
# Process only container events
if event["Type"] != "container" :
continue
# Get Container object
try :
container = client.containers.get(event["id"])
except docker.errors.NotFound as e :
continue
# Check if there is an interesting label
interesting = False
for label in container.labels :
if label in ("bunkerized-nginx.SERVER_NAME", "bunkerized-nginx.AUTOCONF") :
interesting = True
break
if not interesting :
continue
# Process the event
process(container, event["Action"])
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(4)

42
autoconf/entrypoint.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
echo "[*] Starting autoconf ..."
if [ "$SWARM_MODE" = "yes" ] ; then
cp -r /opt/confs/nginx/* /etc/nginx
chown -R root:nginx /etc/nginx
chmod -R 770 /etc/nginx
fi
# trap SIGTERM and SIGINT
function trap_exit() {
echo "[*] Catched stop operation"
echo "[*] Stopping crond ..."
pkill -TERM crond
echo "[*] Stopping python3 ..."
pkill -TERM python3
pkill -TERM tail
}
trap "trap_exit" TERM INT QUIT
# remove old crontabs
echo "" > /etc/crontabs/root
# setup logrotate
touch /var/log/jobs.log
echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
# start cron
crond
# run autoconf app
/opt/entrypoint/app.py &
# display logs
tail -F /var/log/jobs.log &
pid="$!"
wait "$pid"
# stop
echo "[*] autoconf stopped"
exit 0

23
autoconf/misc/logrotate.conf Normal file
View File

@@ -0,0 +1,23 @@
/var/log/*.log /var/log/letsencrypt/*.log {
# compress old files using gzip
compress
# rotate everyday
daily
# remove old logs after X days
maxage 7
rotate 7
# no errors if a file is missing
missingok
# disable mailing
nomail
# mininum size of a logfile before rotating
minsize 10M
# make a copy and truncate the files
copytruncate
}

19
autoconf/reload.py Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/python3
import sys, socket, os
if not os.path.exists("/tmp/autoconf.sock") :
sys.exit(1)
try :
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client.connect("/tmp/autoconf.sock")
client.send("reload".encode("utf-8"))
data = client.recv(512)
client.close()
if not data or data.decode("utf-8") != "ok" :
sys.exit(3)
except Exception as e :
sys.exit(2)
sys.exit(0)

11
autoconf/utils.py
View File

@@ -11,3 +11,14 @@ def replace_in_file(file, old_str, new_str) :
data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
with open(file, "w") as f :
f.write(data)
def install_cron(service, vars, crons) :
for var in vars :
if var in crons :
with open("/etc/crontabs/root", "a+") as f :
f.write(vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"])
def uninstall_cron(service, vars, crons) :
for var in vars :
if var in crons :
replace_in_file("/etc/crontabs/root", vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"] + "\n", "")

7
compile.sh
View File

@@ -50,8 +50,9 @@ make install-strip
cd /tmp
git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
cd coreruleset
cp -r rules /etc/nginx/owasp-crs
cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
mkdir /opt/owasp
cp -r rules /opt/owasp/crs
cp crs-setup.conf.example /opt/owasp/crs.conf
# get nginx modules
cd /tmp
@@ -125,7 +126,7 @@ cd luasec
make linux -j $NTASK
make LUACPATH=/usr/local/lib/lua/5.1 LUAPATH=/usr/local/lib/lua install
cd /tmp
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 71c4247d6b66234e3f3426b2ea721ad50c741579
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
cd lua-cs-bouncer
mkdir /usr/local/lib/lua/crowdsec
cp lib/*.lua /usr/local/lib/lua/crowdsec

30
confs/global/api-temp.conf Normal file
View File

@@ -0,0 +1,30 @@
location ~ ^%API_URI%/ping {
return 444;
}
location ~ ^%API_URI% {
rewrite_by_lua_block {
local api = require "api"
local api_uri = "%API_URI%"
if api.is_api_call(api_uri) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}
}

21
confs/global/api.conf Normal file
View File

@@ -0,0 +1,21 @@
rewrite_by_lua_block {
local api = require "api"
local api_uri = "%API_URI%"
if api.is_api_call(api_uri) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}

9
confs/global/nginx-temp.conf
View File

@@ -1,3 +1,5 @@
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
daemon on;
pid /tmp/nginx-temp.pid;
@@ -8,12 +10,19 @@ events {
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
lua_package_path "/usr/local/lib/lua/?.lua;;";
server {
listen 0.0.0.0:%HTTP_PORT% default_server;
server_name _;
location ~ ^/.well-known/acme-challenge/ {
root /acme-challenge;
}
%USE_API%
location / {
return 444;
}

10
confs/global/nginx.conf
View File

@@ -49,8 +49,8 @@ http {
# write logs to local syslog
log_format logf '%LOG_FORMAT%';
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 warn;
# temp paths
proxy_temp_path /tmp/proxy_temp;
@@ -88,6 +88,9 @@ http {
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
# shared memory zone for limit_conn
%LIMIT_CONN_ZONE%
# whitelist or blacklist country
%USE_COUNTRY%
@@ -108,4 +111,7 @@ http {
# server config(s)
%INCLUDE_SERVER%
# API
%USE_API%
}

2
confs/site/https.conf
View File

@@ -2,7 +2,7 @@ listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
ssl_certificate %HTTPS_CERT%;
ssl_certificate_key %HTTPS_KEY%;
ssl_protocols %HTTPS_PROTOCOLS%;
ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;

1
confs/site/limit-conn.conf Normal file
View File

@@ -0,0 +1 @@
limit_conn ddos %LIMIT_CONN_MAX%;

25
confs/site/main-lua.conf
View File

@@ -3,6 +3,7 @@ set $session_check_addr on;
access_by_lua_block {
local use_lets_encrypt = %USE_LETS_ENCRYPT%
local use_whitelist_ip = %USE_WHITELIST_IP%
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local use_user_agent = %USE_USER_AGENT%
@@ -18,6 +19,7 @@ local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
-- include LUA code
local whitelist = require "whitelist"
local blacklist = require "blacklist"
local dnsbl = require "dnsbl"
@@ -26,8 +28,14 @@ local javascript = require "javascript"
local captcha = require "captcha"
local recaptcha = require "recaptcha"
-- antibot
local antibot_uri = "%ANTIBOT_URI%"
-- user variables
local antibot_uri = "%ANTIBOT_URI%"
local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
-- check if it's let's encrypt bot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
ngx.exit(ngx.OK)
end
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -80,6 +88,19 @@ end
-- check if user-agent is allowed
if use_user_agent and ngx.var.bad_user_agent == "yes" then
local headers = ngx.req.get_headers()
local ua = headers["User-Agent"]
if not whitelist_user_agent ~= "" then
local k_ua_white, v_ua_white = next(whitelist_user_agent, nil)
while v_ua_white do
local rst_whitelist = string.match(ua, v_ua_white)
if rst_whitelist ~= nil and rst_whitelist ~= "" then
ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
ngx.exit(ngx.OK)
end
k_ua_white, v_ua_white = next(whitelist_user_agent, k_ua_white)
end
end
ngx.log(ngx.WARN, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end

1
confs/site/reverse-proxy-headers.conf
View File

@@ -3,3 +3,4 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;

1
confs/site/reverse-proxy.conf
View File

@@ -2,4 +2,5 @@ location %REVERSE_PROXY_URL% {
proxy_pass %REVERSE_PROXY_HOST%;
%REVERSE_PROXY_HEADERS%
%REVERSE_PROXY_WS%
%REVERSE_PROXY_CUSTOM_HEADERS%
}

3
confs/site/server.conf
View File

@@ -1,3 +1,5 @@
%PRE_SERVER_CONF%
server {
%FASTCGI_PATH%
%SERVER_CONF%
@@ -15,6 +17,7 @@ server {
return 405;
}
%LIMIT_REQ%
%LIMIT_CONN%
%AUTH_BASIC%
%REMOVE_HEADERS%
%X_FRAME_OPTIONS%

21
entrypoint/clamav.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# clamav setup
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
else
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
fi
fi

17
entrypoint/defaults.sh
View File

@@ -45,11 +45,18 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-30 0 * * *}"
BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-45 0 * * *}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-0 */1 * * *}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-0 3 * * *}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-0 2 * * *}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-15 0 * * *}"
HTTP2="${HTTP2-yes}"
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
@@ -70,6 +77,8 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-30 1 * * *}"
CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 1 * * *}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
@@ -80,6 +89,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
ROOT_FOLDER="${ROOT_FOLDER-/www}"
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
@@ -95,10 +105,14 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
LIMIT_CONN_MAX="${LIMIT_CONN_MAX-40}"
LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GEOIP_CRON="${GEOIP_CRON-0 4 2 * *}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
@@ -112,3 +126,6 @@ USE_ANTIBOT="${USE_ANTIBOT-no}"
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
USE_CROWDSEC="${USE_CROWDSEC-no}"
USE_API="${USE_API-no}"
API_URI="${API_URI-random}"
SWARM_MODE="${SWARM_MODE-no}"

83
entrypoint/entrypoint.sh
View File

@@ -12,7 +12,6 @@ done
# trap SIGTERM and SIGINT
function trap_exit() {
rm -f "/opt/running" 2> /dev/null
echo "[*] Catched stop operation"
echo "[*] Stopping crond ..."
pkill -TERM crond
@@ -31,12 +30,12 @@ trap "trap_exit" TERM INT QUIT
# trap SIGHUP
function trap_reload() {
echo "[*] Catched reload operation"
if [ "$MULTISITE" = "yes" ] ; then
if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
/opt/entrypoint/multisite-config.sh
fi
if [ -f /tmp/nginx.pid ] ; then
echo "[*] Reloading nginx ..."
/usr/sbin/nginx -s reload
nginx -s reload
if [ $? -eq 0 ] ; then
echo "[*] Reload successfull"
else
@@ -50,44 +49,76 @@ trap "trap_reload" HUP
# do the configuration magic if needed
if [ ! -f "/opt/installed" ] ; then
echo "[*] Configuring bunkerized-nginx ..."
/opt/entrypoint/global-config.sh
if [ "$MULTISITE" = "yes" ] ; then
for server in $SERVER_NAME ; do
/opt/entrypoint/site-config.sh "$server"
echo "[*] Multi site - $server configuration done"
done
/opt/entrypoint/multisite-config.sh
else
/opt/entrypoint/site-config.sh
echo "[*] Single site - $SERVER_NAME configuration done"
# logs config
/opt/entrypoint/logs.sh
# lua config
# TODO : move variables from /usr/local/lib/lua + multisite support ?
/opt/entrypoint/lua.sh
# fail2ban config
/opt/entrypoint/fail2ban.sh
# clamav config
/opt/entrypoint/clamav.sh
# start temp nginx to solve Let's Encrypt challenges if needed
/opt/entrypoint/nginx-temp.sh
# only do config if we are not in swarm mode
if [ "$SWARM_MODE" = "no" ] ; then
# global config
/opt/entrypoint/global-config.sh
# background jobs
/opt/entrypoint/jobs.sh
# multisite configs
if [ "$MULTISITE" = "yes" ] ; then
for server in $SERVER_NAME ; do
/opt/entrypoint/site-config.sh "$server"
echo "[*] Multi site - $server configuration done"
done
/opt/entrypoint/multisite-config.sh
# singlesite config
else
/opt/entrypoint/site-config.sh
echo "[*] Single site - $SERVER_NAME configuration done"
fi
fi
touch /opt/installed
else
echo "[*] Skipping configuration process"
fi
# fix nginx configs rights (and modules through the symlink)
chown -R root:nginx /etc/nginx/
chmod -R 740 /etc/nginx/
find /etc/nginx -type d -exec chmod 750 {} \;
# start rsyslogd
rsyslogd
rsyslogd -i /tmp/rsyslogd.pid
# start crond
crond
# start nginx
if [ -f "/tmp/nginx-temp.pid" ] ; then
nginx -c /etc/nginx/nginx-temp.conf -s quit
# wait until config has been generated if we are in swarm mode
if [ "$SWARM_MODE" = "yes" ] ; then
echo "[*] Waiting until config has been generated ..."
while [ ! -f "/etc/nginx/autoconf" ] ; do
sleep 1
done
fi
# stop temp config if needed
if [ -f "/tmp/nginx-temp.pid" ] ; then
nginx -c /tmp/nginx-temp.conf -s quit
fi
# run nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
nginx
if [ "$?" -eq 0 ] ; then
touch "/opt/running"
echo "[*] nginx successfully started !"
else
rm -f "/opt/running" 2> /dev/null
echo "[!] nginx failed to start"
fi
# list of log files to display
@@ -114,7 +145,7 @@ fi
# display logs
tail -F $LOGS &
pid="$!"
while [ -f "/opt/running" ] ; do
while [ -f "/tmp/nginx.pid" ] ; do
wait "$pid"
done

19
entrypoint/fail2ban.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
fi

136
entrypoint/global-config.sh
View File

@@ -7,25 +7,8 @@
. /opt/entrypoint/utils.sh
# copy stub confs
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
cp /opt/logs/logrotate.conf /etc/logrotate.conf
cp -r /opt/lua/* /usr/local/lib/lua
cp /opt/confs/global/* /etc/nginx/
# remove cron jobs
echo "" > /etc/crontabs/root
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# start nginx with temp conf for let's encrypt challenges
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
nginx -c /etc/nginx/nginx-temp.conf
fi
# include server block(s)
if [ "$MULTISITE" = "yes" ] ; then
includes=""
@@ -100,7 +83,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
fi
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
fi
# self-signed certificate
@@ -119,14 +102,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
fi
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
else
echo "[*] Downloading GeoIP database (in background) ..."
/opt/scripts/geoip.sh &
fi
echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
fi
@@ -134,14 +110,7 @@ fi
# block bad UA
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
if [ -f "/cache/map-user-agent.conf" ] ; then
echo "[*] Copying cached map-user-agent.conf ..."
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
else
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh &
fi
echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
fi
@@ -149,57 +118,27 @@ fi
# block bad refferer
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
if [ -f "/cache/map-referrer.conf" ] ; then
echo "[*] Copying cached map-referrer.conf ..."
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
else
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh &
fi
echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
fi
# block TOR exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
echo "[*] Copying cached block-tor-exit-node.conf ..."
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
else
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh &
fi
echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
fi
# block proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
if [ -f "/cache/block-proxies.conf" ] ; then
echo "[*] Copying cached block-proxies.conf ..."
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
else
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh &
fi
echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
fi
# block abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
if [ -f "/cache/block-abusers.conf" ] ; then
echo "[*] Copying cached block-abusers.conf ..."
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
else
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh &
fi
echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
fi
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
# whitelist IP
@@ -208,8 +147,6 @@ if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
@@ -217,8 +154,6 @@ if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
@@ -226,8 +161,6 @@ if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
@@ -235,8 +168,6 @@ if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# request limiting
if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
@@ -245,14 +176,19 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
fi
# connection limiting
if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
fi
# DNSBL
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
fi
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# disable default site
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
@@ -264,45 +200,23 @@ fi
# fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
echo "" > /etc/nginx/fail2ban-ip.conf
rm -rf /etc/fail2ban/jail.d/*.conf
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
fi
# clamav setup
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
else
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
fi
fi
# CrowdSec setup
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
fi
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
# API
if [ "$USE_API" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "include /etc/nginx/api.conf;"
if [ "$API_URI" = "random" ] ; then
API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
echo "[*] Generated API URI : $API_URI"
fi
replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
fi

73
entrypoint/jobs.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/bin/bash
# load default values
. ./opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# GeoIP
if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
else
echo "[*] Downloading GeoIP database (in background) ..."
/opt/scripts/geoip.sh > /dev/null 2>&1 &
fi
fi
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/map-user-agent.conf" ] ; then
echo "[*] Copying cached map-user-agent.conf ..."
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
else
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
fi
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/map-referrer.conf" ] ; then
echo "[*] Copying cached map-referrer.conf ..."
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
else
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh > /dev/null 2>&1 &
fi
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
echo "[*] Copying cached block-tor-exit-node.conf ..."
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
else
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/block-proxies.conf" ] ; then
echo "[*] Copying cached block-proxies.conf ..."
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
else
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh > /dev/null 2>&1 &
fi
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/block-abusers.conf" ] ; then
echo "[*] Copying cached block-abusers.conf ..."
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
else
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh > /dev/null 2>&1 &
fi
fi

21
entrypoint/logs.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# copy stub confs
cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
cat /opt/logs/logrotate.conf > /etc/logrotate.conf
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
touch /var/log/jobs.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx

40
entrypoint/lua.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# copy stub LUA scripts
cp -r /opt/lua/* /usr/local/lib/lua
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
# whitelist IP
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# DNSBL
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# CrowdSec setup
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
fi

7
entrypoint/multisite-config.sh
View File

@@ -6,11 +6,6 @@
# load some functions
. /opt/entrypoint/utils.sh
# fix nginx configs rights (and modules through the symlink)
chown -R root:nginx /etc/nginx/
chmod -R 740 /etc/nginx/
find /etc/nginx -type d -exec chmod 750 {} \;
if [ "$MULTISITE" = "yes" ] ; then
servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
for server in $servers ; do
@@ -30,7 +25,7 @@ if [ "$MULTISITE" = "yes" ] ; then
modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
fi
replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
modsec_crs_custom=""
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
modsec_crs_custom="include /modsec-crs-confs/*.conf\n"

26
entrypoint/nginx-temp.sh Normal file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
# load default values
. /opt/entrypoint/defaults.sh
# load some functions
. /opt/entrypoint/utils.sh
# start nginx with temp conf for let's encrypt challenges and API
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ; then
cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
cp /opt/confs/global/api-temp.conf /tmp/api.conf
if [ "$SWARM_MODE" = "yes" ] ; then
replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
else
replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" ""
fi
replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
nginx -c /tmp/nginx-temp.conf
if [ "$?" -eq 0 ] ; then
echo "[*] Successfully started temp nginx"
else
echo "[!] Can't start temp nginx"
fi
fi

110
entrypoint/site-config.sh
View File

@@ -1,9 +1,7 @@
#!/bin/bash
# load default values
set -a
. /opt/entrypoint/defaults.sh
set +a
# load some functions
. /opt/entrypoint/utils.sh
@@ -17,27 +15,21 @@ if [ "$MULTISITE" = "yes" ] ; then
fi
ROOT_FOLDER="${ROOT_FOLDER}/$1"
fi
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION)=" > "${NGINX_PREFIX}nginx.env"
if [ "$MULTISITE" = "yes" ] ; then
sed -i "s~^SERVER_NAME=.*~SERVER_NAME=$1~" "${NGINX_PREFIX}nginx.env"
for var in $(env | cut -d '=' -f 1 | grep -E "^${1}_") ; do
repl_name=$(echo "$var" | sed "s~${1}_~~")
repl_value=$(env | grep -E "^${var}=" | sed "s~^${var}=~~")
read -r "$repl_name" <<< $repl_value
done
fi
set | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "${NGINX_PREFIX}nginx.env"
if [ "$MULTISITE" = "yes" ] ; then
for server in $SERVER_NAME ; do
if [ "$server" != "$1" ] ; then
sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
fi
done
for var in $(env) ; do
name=$(echo "$var" | cut -d '=' -f 1)
check=$(echo "$name" | grep "^$1_")
if [ "$check" != "" ] ; then
repl_name=$(echo "$name" | sed "s~${1}_~~")
repl_value=$(echo "$var" | sed "s~${name}=~~")
read -r "$repl_name" <<< $repl_value
sed -i "/^${repl_name}=.*/d" "${NGINX_PREFIX}nginx.env"
sed -i "/^${name}=.*/d" "${NGINX_PREFIX}nginx.env"
echo "${repl_name}=${repl_value}" >> "${NGINX_PREFIX}nginx.env"
fi
sed -i "~^${server}_.*=.*~d" "${NGINX_PREFIX}nginx.env"
done
sed -i "~^SERVER_NAME=.*~SERVER_NAME=${1}~" "${NGINX_PREFIX}nginx.env"
fi
# copy stub confs
@@ -47,8 +39,10 @@ cp /opt/confs/site/* "$NGINX_PREFIX"
replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
if [ "$MULTISITE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${1}/*.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;\ninclude /pre-server-confs/${1}/*.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;"
fi
# max body size
@@ -60,27 +54,34 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
# reverse proxy
if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
i=1
for var in $(env) ; do
check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
name=$(echo "$var" | cut -d '=' -f 1)
value=$(echo "$var" | sed "s/${name}=//")
host=$(echo "$name" | sed "s/URL/HOST/")
host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
ws=$(echo "$name" | sed "s/URL/WS/")
ws_value=$(env | grep "^${ws}=" | sed "s/${ws}=//")
cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
if [ "$ws_value" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
else
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
fi
i=$(($i + 1))
for var in $(set | cut -d '=' -f 1 | grep "^REVERSE_PROXY_URL") ; do
url=$(echo "$var")
url_value=$(echo "${!var}")
host=$(echo "$var" | sed "s/URL/HOST/")
host_value=$(echo "${!host}")
custom_headers=$(echo "$var" | sed "s/URL/HEADERS/")
custom_headers_value=$(echo "${!custom_headers}")
ws=$(echo "$var" | sed "s/URL/WS/")
ws_value=$(echo "${!ws}")
cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value"
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
if [ "$custom_headers_value" != "" ] ; then
IFS_=$IFS
IFS=';'
for header_value in $(echo "$custom_headers_value") ; do
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
done
IFS=$IFS_
fi
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
if [ "$ws_value" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
else
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
fi
i=$(($i + 1))
done
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
else
@@ -276,8 +277,15 @@ fi
# block bad UA
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
if [ "$WHITELIST_USER_AGENT" != "" ] ; then
list=$(spaces_to_lua "$WHITELIST_USER_AGENT")
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
fi
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
fi
# block bad referrer
@@ -331,6 +339,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
if [ "$MULTISITE" = "no" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
else
@@ -342,15 +351,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
fi
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
fi
@@ -380,7 +392,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
fi
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
if [ "$MULTISITE" != "yes" ] ; then
modsec_crs_custom=""
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
@@ -388,7 +400,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
@@ -414,11 +426,11 @@ fi
# custom errors
ERRORS=""
for var in $(env) ; do
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
for var in $(compgen -e) ; do
var_name=$(echo "$var" | cut -d '_' -f 1)
if [ "z${var_name}" = "zERROR" ] ; then
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
err_page=$(echo "$var" | cut -d '=' -f 2)
err_code=$(echo "$var" | cut -d '_' -f 2)
err_page=$(echo "${!var}")
cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
@@ -547,6 +559,14 @@ else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
fi
# connection limiting
if [ "$USE_LIMIT_CONN" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
fi
# fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"

18
entrypoint/utils.sh
View File

@@ -5,7 +5,9 @@ function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
sed -i "s/$pattern/$replace/g" "$1"
sed "s/$pattern/$replace/g" "$1" > /tmp/sed
cat /tmp/sed > "$1"
rm /tmp/sed
}
# convert space separated values to LUA
@@ -26,13 +28,19 @@ function has_value() {
echo "ok"
return 0
fi
for var in $(env) ; do
for var in $(env | grep -E "^.*_${1}=") ; do
domain=$(echo "$var" | cut -d '_' -f 1)
name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
value=$(echo "$var" | sed "s~${domain}_${name}=~~")
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
if [ "$value" == "$2" ] ; then
echo "ok"
return 0
fi
done
}
# log to jobs.log
function job_log() {
when="$(date '+[%Y-%m-%d %H:%M:%S]')"
what="$1"
echo "$when $what" >> /var/log/jobs.log
}

97
examples/swarm/stack.yml Normal file
View File

@@ -0,0 +1,97 @@
version: '3.8'
services:
autoconf:
image: bunkerity/bunkerized-nginx-autoconf
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt
- /shared/acme-challenge:/acme-challenge
environment:
- SWARM_MODE=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
networks:
- net_config
deploy:
replicas: 1
placement:
constraints:
- "node.role==manager"
nginx:
image: bunkerity/bunkerized-nginx
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
volumes:
- /shared/confs:/etc/nginx:ro
- /shared/letsencrypt:/etc/letsencrypt:ro
- /shared/acme-challenge:/acme-challenge:ro
- /shared/www:/www:ro
environment:
- SWARM_MODE=yes
- USE_API=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
- MULTISITE=yes
- SERVER_NAME=
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
networks:
- net_config
- net_services
deploy:
mode: global
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.AUTOCONF"
app1:
image: php:fpm-alpine
volumes:
- /shared/www/app1.website.com:/www
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app1.website.com"
- "bunkerized-nginx.REMOTE_PHP=php"
- "bunkerized-nginx.REMOTE_PHP_PATH=/www"
app2:
image: phpmyadmin:apache
environment:
- PMA_ARBITRARY=1
- PMA_ABSOLUTE_URI=https://app2.website.com
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app2.website.com"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
networks:
net_config:
driver: overlay
net_services:
driver: overlay

2
logs/logrotate.conf
View File

@@ -1,4 +1,4 @@
/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log {
/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log /var/log/letsencrypt/*.log {
# compress old files using gzip
compress

14
logs/rsyslog.conf
View File

@@ -4,11 +4,11 @@
$WorkDirectory /var/lib/rsyslog
# Sets default permissions for all log files.
$FileOwner root
$FileGroup root
$FileCreateMode 0600
$DirCreateMode 0700
$Umask 0077
$FileOwner nginx
$FileGroup nginx
$FileCreateMode 0660
$DirCreateMode 0770
$Umask 0007
# Include all config files in /etc/rsyslog.d/.
include(file="/etc/rsyslog.d/*.conf" mode="optional")
@@ -16,10 +16,10 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### Modules ####
# Provides --MARK-- message capability.
module(load="immark")
#module(load="immark")
# Provides support for local system logging (e.g. via logger command).
module(load="imuxsock")
module(load="imuxsock" SysSock.Name="/tmp/log")
# Nginx
$template rawFormat,"%msg:2:2048%\n"

31
lua/api.lua Normal file
View File

@@ -0,0 +1,31 @@
local M = {}
local api_list = {}
api_list["^/ping$"] = function ()
return true
end
api_list["^/reload$"] = function ()
return os.execute("/usr/sbin/nginx -s reload") == 0
end
function M.is_api_call (api_uri)
if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
for uri, code in pairs(api_list) do
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
return true
end
end
end
return false
end
function M.do_api_call (api_uri)
for uri, code in pairs(api_list) do
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
return code()
end
end
end
return M

2
lua/dns.lua
View File

@@ -1,6 +1,6 @@
local M = {}
local resolver = require "resty.dns.resolver"
local resolvers = {%DNS_RESOLVERS%}
local resolvers = {%DNS_RESOLVERS%}
local ip = ngx.var.remote_addr
function M.get_reverse()

88
prepare.sh
View File

@@ -3,18 +3,92 @@
# install dependencies
apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
# make scripts executable
chmod +x /opt/entrypoint/* /opt/scripts/*
# temp fix ?
chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
# custom entrypoint
mkdir /opt/entrypoint.d
# log files/folders rights
# prepare /www
mkdir /www
chown -R root:nginx /www
chmod -R 770 /www
# prepare /opt
chown -R root:nginx /opt
find /opt -type f -exec chmod 0740 {} \;
find /opt -type d -exec chmod 0750 {} \;
chmod ugo+x /opt/entrypoint/* /opt/scripts/*
chmod 770 /opt
# prepare /etc/nginx
chown -R root:nginx /etc/nginx
chmod -R 770 /etc/nginx
# prepare /var/log
rm -f /var/log/nginx/*
chown root:nginx /var/log/nginx
chmod 750 /var/log/nginx
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
chown nginx:nginx /var/log/nginx/*.log
chown nginx:nginx /var/log/nginx/*
chmod -R 770 /var/log/nginx
touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
chown nginx:nginx /var/log/*.log
chmod 770 /var/log/*.log
mkdir /var/log/letsencrypt
chown nginx:nginx /var/log/letsencrypt
chmod 770 /var/log/letsencrypt
touch /var/log/clamav.log
chown root:nginx /var/log/clamav.log
chmod 770 /var/log/clamav.log
# let's encrypt webroot
# prepare /acme-challenge
mkdir /acme-challenge
chown root:nginx /acme-challenge
chmod 750 /acme-challenge
chmod 770 /acme-challenge
# prepare /etc/letsencrypt
mkdir /etc/letsencrypt
chown root:nginx /etc/letsencrypt
chmod 770 /etc/letsencrypt
# prepare /var/lib/letsencrypt
mkdir /var/lib/letsencrypt
chown root:nginx /var/lib/letsencrypt
chmod 770 /var/lib/letsencrypt
# prepare /etc/fail2ban
rm -rf /etc/fail2ban/jail.d/*.conf
chown -R root:nginx /etc/fail2ban
find /etc/fail2ban -type f -exec chmod 0760 {} \;
find /etc/fail2ban -type d -exec chmod 0770 {} \;
# prepare /var/run/fail2ban and /var/lib/fail2ban
chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
# prepare /usr/local/lib/lua
chown root:nginx /usr/local/lib/lua
chmod 770 /usr/local/lib/lua
# prepare /cache
mkdir /cache
chown root:nginx /cache
chmod 770 /cache
# prepare misc files
chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
chown root:nginx /etc/rsyslog.conf
# prepare /etc/crontabs/nginx
touch /etc/crontabs/nginx
chown root:nginx /etc/crontabs/nginx
chmod 660 /etc/crontabs/nginx
# prepare /var/log/clamav
chown root:nginx /var/log/clamav
chmod 770 /var/log/clamav
# prepare /var/lib/clamav
chown root:nginx /var/lib/clamav
chmod 770 /var/lib/clamav

16
scripts/abusers.sh
View File

@@ -1,11 +1,19 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# copy old conf to cache
cp /etc/nginx/block-abusers.conf /cache
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v "^\#.*" |
while read entry ; do
@@ -21,8 +29,8 @@ if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] abusers list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/block-abusers.conf /etc/nginx/block-abusers.conf
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/block-abusers.conf /cache
@@ -30,7 +38,7 @@ if [ "$lines" -gt 1 ] ; then
else
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
cp /cache/block-abusers.conf /etc/nginx
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
else
cp /etc/nginx/block-abusers.conf /cache

4
scripts/certbot-new.sh
View File

@@ -6,8 +6,4 @@ if [ "$?" -ne 0 ] ; then
exit 1
fi
# fix rights
chown -R root:nginx /etc/letsencrypt
chmod -R 740 /etc/letsencrypt
find /etc/letsencrypt -type d -exec chmod 750 {} \;
exit 0

17
scripts/certbot-renew-hook.sh
View File

@@ -1,18 +1,21 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
job_log "[CERTBOT] certificates have been renewed"
# fix rights
chown -R root:nginx /etc/letsencrypt
chmod -R 740 /etc/letsencrypt
find /etc/letsencrypt -type d -exec chmod 750 {} \;
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="echo reload > /tmp/autoconf.sock"
fi
# reload nginx
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
if [ "$?" -eq 0 ] ; then
job_log "[NGINX] successfull nginx reload after certbot renew"
else

2
scripts/certbot-renew.sh
View File

@@ -1,7 +1,7 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# ask new certificates if needed
certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh

16
scripts/exit-nodes.sh
View File

@@ -1,11 +1,19 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# copy old conf to cache
cp /etc/nginx/block-tor-exit-node.conf /cache
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# generate the new conf
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" |
while read entry ; do
@@ -21,8 +29,8 @@ if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/block-tor-exit-node.conf /cache
@@ -30,7 +38,7 @@ if [ "$lines" -gt 1 ] ; then
else
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
cp /cache/block-tor-exit-node.conf /etc/nginx
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
else
cp /etc/nginx/block-tor-exit-node.conf /cache

16
scripts/geoip.sh
View File

@@ -1,7 +1,15 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# MMDB from https://db-ip.com/db/download/ip-to-country-lite
URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
@@ -13,8 +21,8 @@ if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
exit 1
fi
mv /tmp/geoip.mmdb /etc/nginx
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/geoip.mmdb /cache
job_log "[NGINX] successfull nginx reload after GeoIP DB update"
@@ -22,7 +30,7 @@ if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
job_log "[NGINX] failed nginx reload after GeoIP DB update"
if [ -f /cache/geoip.mmdb ] ; then
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
fi
else

2
scripts/logrotate.sh
View File

@@ -1,7 +1,7 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
logrotate -f /etc/logrotate.conf > /dev/null 2>&1

16
scripts/proxies.sh
View File

@@ -1,11 +1,19 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# copy old conf to cache
cp /etc/nginx/block-proxies.conf /cache
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\#.*" |
while read entry ; do
@@ -21,8 +29,8 @@ if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] proxies list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/block-proxies.conf /etc/nginx/block-proxies.conf
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/block-proxies.conf /cache
@@ -30,7 +38,7 @@ if [ "$lines" -gt 1 ] ; then
else
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
cp /cache/block-proxies.conf /etc/nginx
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
else
cp /etc/nginx/block-proxies.conf /cache

16
scripts/referrers.sh
View File

@@ -1,11 +1,19 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# save old conf
cp /etc/nginx/map-referrer.conf /cache
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# generate new conf
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list)"
if [ "$?" -ne 0 ] ; then
@@ -23,15 +31,15 @@ lines="$(wc -l /tmp/map-referrer.conf | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
mv /tmp/map-referrer.conf /etc/nginx/map-referrer.conf
job_log "[BLACKLIST] referrers list updated ($lines entries)"
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/map-referrer.conf /cache
job_log "[NGINX] successfull nginx reload after referrers list update"
else
cp /cache/map-referrer.conf /etc/nginx
job_log "[NGINX] failed nginx reload after referrers list update fallback to old list"
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
else
cp /etc/nginx/map-referrer.conf /cache

16
scripts/user-agents.sh
View File

@@ -1,11 +1,19 @@
#!/bin/sh
# load some functions
. /opt/scripts/utils.sh
. /opt/entrypoint/utils.sh
# save old conf
cp /etc/nginx/map-user-agent.conf /cache
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# generate new conf
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list)
$(curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt)"
@@ -25,15 +33,15 @@ lines="$(wc -l /tmp/map-user-agent.conf | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
mv /tmp/map-user-agent.conf /etc/nginx/map-user-agent.conf
job_log "[BLACKLIST] user-agent list updated ($lines entries)"
if [ -f /tmp/nginx.pid ] ; then
/usr/sbin/nginx -s reload > /dev/null 2>&1
if [ "$RELOAD" != "" ] ; then
$RELOAD
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/map-user-agent.conf /cache
job_log "[NGINX] successfull nginx reload after user-agent list update"
else
cp /cache/map-user-agent.conf /etc/nginx
job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list"
/usr/sbin/nginx -s reload > /dev/null 2>&1
$RELOAD
fi
else
cp /etc/nginx/map-user-agent.conf /cache

8
scripts/utils.sh
View File

@@ -1,8 +0,0 @@
#!/bin/sh
function job_log() {
when="$(date '+[%d/%m/%Y %H:%M:%S]')"
what="$1"
echo "$when $what" >> /var/log/jobs.log
}

13
ui/Dockerfile
View File

@@ -3,18 +3,19 @@ FROM alpine
RUN apk add py3-pip apache2-utils bash && \
pip3 install docker flask && \
mkdir /opt/entrypoint && \
mkdir -p /opt/confs/site
mkdir -p /opt/confs/site && \
addgroup -g 101 nginx && \
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
mkdir /etc/nginx && \
chown root:nginx /etc/nginx && \
chmod 770 /etc/nginx
COPY confs/site/ /opt/confs/site
COPY entrypoint/* /opt/entrypoint/
COPY ui/ /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
EXPOSE 5000
WORKDIR /opt/entrypoint

3
ui/Dockerfile-amd64
View File

@@ -10,9 +10,6 @@ COPY entrypoint/* /opt/entrypoint/
COPY ui/ /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
EXPOSE 5000

3
ui/Dockerfile-arm32v7
View File

@@ -17,9 +17,6 @@ COPY entrypoint/* /opt/entrypoint/
COPY ui/ /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
EXPOSE 5000

3
ui/Dockerfile-arm64v8
View File

@@ -17,9 +17,6 @@ COPY entrypoint/* /opt/entrypoint/
COPY ui/ /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
EXPOSE 5000

3
ui/Dockerfile-i386
View File

@@ -10,9 +10,6 @@ COPY entrypoint/* /opt/entrypoint/
COPY ui/ /opt/entrypoint/
RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
# Fix CVE-2020-1971
RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
VOLUME /etc/nginx
EXPOSE 5000

38
ui/config.json
View File

@@ -136,6 +136,15 @@
"id":"reverse-proxy-ws",
"multiple":"Reverse proxy",
"default":""
},
{
"type":"text",
"label":"Reverse proxy custom headers",
"env":"REVERSE_PROXY_HEADERS",
"regex":".*",
"id":"reverse-proxy-headers",
"multiple":"Reverse proxy",
"default":""
}
]
},
@@ -684,6 +693,14 @@
"regex":"^([A-Z]{2} ?)*$",
"id":"whitelist-country",
"default":""
},
{
"type":"text",
"label":"Whitelist user agent",
"env":"WHITELIST_USER_AGENT",
"regex":".*",
"id":"whitelist-user-agent",
"default":""
}
]
},
@@ -716,6 +733,27 @@
}
]
},
"Limit conn":{
"id":"limit-conn",
"params":[
{
"type":"checkbox",
"label":"Use limit conn",
"env":"USE_LIMIT_CONN",
"regex":"^(yes|no)$",
"id":"use-limit-conn",
"default":"yes"
},
{
"type":"text",
"label":"Limit conn max",
"env":"LIMIT_CONN_MAX",
"regex":"^\\d+$",
"id":"limit-conn-max",
"default":"40"
}
]
},
"Limit req":{
"id":"limit-req",
"params":[

85
ui/config.py
View File

@@ -1,85 +0,0 @@
#!/usr/bin/python3
import utils
import subprocess, shutil, os, traceback
def generate(instances, vars) :
try :
# Get env vars from bunkerized-nginx instances
vars_instances = {}
for instance_id, instance in instances.items() :
for var_value in instance.attrs["Config"]["Env"] :
var = var_value.split("=")[0]
value = var_value.replace(var + "=", "", 1)
vars_instances[var] = value
vars_defaults = vars.copy()
vars_defaults.update(vars_instances)
vars_defaults.update(vars)
# Call site-config.sh to generate the config
proc = subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults, capture_output=True)
if proc.returncode == 0 :
return True
except Exception as e :
traceback.print_exc()
utils.log("[!] Error while generating config : " + str(e))
return False
def activate(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Include the server conf
utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
# Send SIGHUP to all running instances
for instance_id, instance in instances.items() :
if instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
return True
except Exception as e :
utils.log("[!] Error while activating config : " + str(e))
return False
def deactivate(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the include
utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
# Send SIGHUP to all running instances
for instance_id, instance in instances.items() :
if instance.status == "running" :
try :
instance.kill("SIGHUP")
utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
except docker.errors.APIError as e :
utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False
def remove(instances, vars) :
try :
# Check if file exists
if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
return False
# Remove the folder
shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
return True
except Exception as e :
utils.log("[!] Error while deactivating config : " + str(e))
return False

109
ui/entrypoint-autoconf.py
View File

@@ -1,109 +0,0 @@
#!/usr/bin/python3
import utils, config
import docker, os, stat, sys
def process(container, event) :
global instances, containers
# Process instance event
if "bunkerized-nginx.AUTOCONF" in container.labels :
if event == "create" :
instances[container.id] = container
utils.log("[*] bunkerized-nginx instance created : " + container.name + " / " + container.id)
elif event == "start" :
instances[container.id].reload()
utils.log("[*] bunkerized-nginx instance started : " + container.name + " / " + container.id)
elif event == "die" :
instances[container.id].reload()
utils.log("[*] bunkerized-nginx instance stopped : " + container.name + " / " + container.id)
elif event == "destroy" :
del instances[container.id]
utils.log("[*] bunkerized-nginx instance removed : " + container.name + " / " + container.id)
# Process container event
elif "bunkerized-nginx.SERVER_NAME" in container.labels :
# Convert labels to env vars
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in container.labels.items() if k.startswith("bunkerized-nginx.")}
if event == "create" :
if config.generate(instances, vars) :
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
containers[container.id] = container
else :
utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
elif event == "start" :
if container.id in containers :
containers[container.id].reload()
if config.activate(instances, vars) :
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
elif event == "die" :
if container.id in containers :
containers[container.id].reload()
if config.deactivate(instances, vars) :
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
elif event == "destroy" :
if container.id in containers :
del containers[container.id]
if config.remove(vars) :
utils.log("[*] Removed config for " + vars["SERVER_NAME"])
else :
utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])
# Connect to the endpoint
endpoint = "/var/run/docker.sock"
if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
sys.exit(1)
try :
client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
except Exception as e :
utils.log("[!] Can't instantiate DockerClient : " + str(e))
sys.exit(2)
# Get all bunkerized-nginx instances and web services created before
instances = {}
containers = {}
try :
before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(all=True, filters={"label" : "bunkerized-nginx.SERVER_NAME"})
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(3)
for container in before :
if container.status in ("restarting", "running", "created", "exited") :
process(container, "create")
if container.status == "running" :
process(container, "start")
# Process events received from Docker
try :
for event in client.events(decode=True) :
# Process only container events
if event["Type"] != "container" :
continue
# Get Container object
try :
container = client.containers.get(event["id"])
except docker.errors.NotFound as e :
continue
# Check if there is an interesting label
interesting = False
for label in container.labels :
if label in ("bunkerized-nginx.SERVER_NAME", "bunkerized-nginx.AUTOCONF") :
interesting = True
break
if not interesting :
continue
# Process the event
process(container, event["Action"])
except docker.errors.APIError as e :
utils.log("[!] Docker API error " + str(e))
sys.exit(4)

2
ui/utils.py
View File

@@ -15,6 +15,8 @@ def replace_in_file(file, old_str, new_str) :
def env_to_summary_class(var, value) :
if type(var) is list and type(value) is list :
for i in range(0, len(var)) :
if not isinstance(var[i], str) :
continue
if re.search(value[i], var[i]) :
return "check text-success"
return "times text-danger"

4
ui/wrappers.py
View File

@@ -1,6 +1,6 @@
#!/usr/bin/python3
import utils, config
import utils
import docker, os, stat, sys, subprocess, shutil
def get_client() :
@@ -55,7 +55,7 @@ def reload_instances(client) :
return True, i
def new_service(client, env) :
proc = subprocess.run(["/opt/entrypoint/site-config.sh", env["SERVER_NAME"]], env=env, capture_output=True)
proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " " + env["SERVER_NAME"], "nginx"], env=env, capture_output=True)
if proc.returncode != 0 :
return False, "Error code " + str(proc.returncode) + " while generating config."
utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + env["SERVER_NAME"] + "/server.conf;\n}")