hotfix - fix API in autoconf swarm mode

hotfix - move API_WHITELIST_IP edit to lua.sh
v1.2.4 - nginx 1.20.0 support
2021-04-28 17:40:54 +02:00 · 2021-04-28 17:00:50 +02:00 · 2021-04-27 17:43:38 +02:00 · 2021-04-27 17:40:33 +02:00 · 2021-04-27 16:49:45 +02:00 · 2021-04-27 15:31:56 +02:00
118 changed files with 2381 additions and 915 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 .idea/
--- a/10
+++ b/10
@@ -1,4 +1,4 @@
-FROM nginx:stable-alpine
+FROM nginx:1.20.0-alpine
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -16,11 +16,13 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
+# fix CVE-2021-20205
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 EXPOSE 8080/tcp 8443/tcp
 USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/10
+++ b/10
@@ -1,4 +1,4 @@
-FROM amd64/nginx:stable-alpine
+FROM amd64/nginx:1.20.0-alpine
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -16,11 +16,13 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
+# fix CVE-2021-20205
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 EXPOSE 8080/tcp 8443/tcp
 USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/10
+++ b/10
@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
-FROM arm32v7/nginx:stable-alpine
+FROM arm32v7/nginx:1.20.0-alpine
 COPY --from=builder qemu-arm-static /usr/bin
@@ -23,11 +23,13 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
+# fix CVE-2021-20205
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 EXPOSE 8080/tcp 8443/tcp
 USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/10
+++ b/10
@@ -3,7 +3,7 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
-FROM arm64v8/nginx:stable-alpine
+FROM arm64v8/nginx:1.20.0-alpine
 COPY --from=builder qemu-aarch64-static /usr/bin
@@ -23,11 +23,13 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
+# fix CVE-2021-20205
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 EXPOSE 8080/tcp 8443/tcp
 USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/10
+++ b/10
@@ -1,4 +1,4 @@
-FROM i386/nginx:stable-alpine
+FROM i386/nginx:1.20.0-alpine
 COPY nginx-keys/ /tmp/nginx-keys
 COPY compile.sh /tmp/compile.sh
@@ -16,11 +16,13 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
-# Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
+# fix CVE-2021-20205
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
-VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 EXPOSE 8080/tcp 8443/tcp
 USER nginx:nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -1,8 +1,20 @@
-# bunkerized-nginx
+<p align="center">
 	<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
 </p>
-<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
+<p align="center">
        <img src="https://img.shields.io/badge/bunkerized--nginx-1.2.4-blue" />
        <img src="https://img.shields.io/badge/nginx-1.20.0-blue" />
        <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
        <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />
        <img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
 </p>
-<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.2-blue" /> <img src="https://img.shields.io/badge/nginx-1.18.0-blue" /> <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" /> <a href="https://matrix.to/#/#bunkerized-nginx:matrix.org"><img src="https://img.shields.io/badge/matrix%20chat-%23bunkerized--nginx%3Amatrix.org-blue" /></a> <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" /> <img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
+<p align="center">
 	<a href="https://matrix.to/#/#bunkerized-nginx:matrix.org"><img src="https://img.shields.io/badge/matrix%20chat-%23bunkerized--nginx%3Amatrix.org-blue" /></a>
        <a href="https://www.bunkerity.com"><img src="https://img.shields.io/badge/website-www.bunkerity.com-blue" /></a>  
        <a href="https://twitter.com/bunkerity"><img src="https://img.shields.io/twitter/follow/bunkerity?style=social" /></a>
 </p>
 nginx Docker image secure by default.  
@@ -20,15 +32,19 @@ Non-exhaustive list of features :
 - Detect bad files with ClamAV
 - Easy to configure with environment variables or web UI
 - Automatic configuration with container labels
 - Docker Swarm support
 Fooling automated tools/scanners :
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/demo.gif?raw=true" />
 You can find a live demo at https://demo-nginx.bunkerity.com, feel free to do some security tests.
 # Table of contents
- [bunkerized-nginx](#bunkerized-nginx)
+<details>
 	<summary>Click to show</summary>
 - [Table of contents](#table-of-contents)
 - [Live demo](#live-demo)
 - [Quickstart guide](#quickstart-guide)
  * [Run HTTP server with default settings](#run-http-server-with-default-settings)
  * [In combination with PHP](#in-combination-with-php)
@@ -37,9 +53,13 @@ Fooling automated tools/scanners :
  * [Behind a reverse proxy](#behind-a-reverse-proxy)
  * [Multisite](#multisite)
  * [Automatic configuration](#automatic-configuration)
  * [Swarm mode](#swarm-mode)
  * [Web UI](#web-ui)
  * [Antibot challenge](#antibot-challenge)
  * [Hardening](#hardening)
 - [Tutorials and examples](#tutorials-and-examples)
 - [Include custom configurations](#include-custom-configurations)
 - [Cache data](#cache-data)
 - [List of environment variables](#list-of-environment-variables)
  * [nginx](#nginx)
    + [Misc](#misc)
@@ -65,17 +85,15 @@ Fooling automated tools/scanners :
    + [Custom whitelisting](#custom-whitelisting)
    + [Custom blacklisting](#custom-blacklisting)
    + [Requests limiting](#requests-limiting)
    + [Connections limiting](#connections-limiting)
    + [Countries](#countries)
  * [PHP](#php)
  * [Fail2ban](#fail2ban)
  * [ClamAV](#clamav)
  * [Logrotate](#logrotate)
  * [Cron jobs](#cron-jobs)
  * [Misc](#misc-2)
- [Include custom configurations](#include-custom-configurations)
+</details>
 - [Cache data](#cache-data)
 - [Create your own image](#create-your-own-image)
 # Live demo
 You can find a live demo at https://demo-nginx.bunkerity.com.
 # Quickstart guide
@@ -85,7 +103,7 @@ You can find a live demo at https://demo-nginx.bunkerity.com.
 docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx
 ```
-Web files are stored in the /www directory, the container will serve files from there.
+Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly.
 ## In combination with PHP
@@ -118,8 +136,9 @@ docker run -p 80:8080 \
           bunkerity/bunkerized-nginx
 ```
-Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.  
+Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly.
-If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
+
 If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
 Here you have three environment variables :
 - `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
@@ -279,6 +298,91 @@ docker run --network mynet \
           tutum/hello-world
 ```
 ## Swarm mode
 Automatic configuration through labels is also supported in swarm mode. The *bunkerized-nginx-autoconf* is used to listen for Swarm events (e.g. service create/rm) and "automagically" edit configurations files and reload nginx.
 As a use case we will assume the following :
 - Some managers are also workers (they will only run the *autoconf* container for obvious security reasons)
 - The bunkerized-nginx service will be deployed on all workers (global mode) so clients can connect to each of them (e.g. load balancing, CDN, edge proxy, ...)
 - There is a shared folder mounted on managers and workers (e.g. NFS, GlusterFS, CephFS, ...)
 Let's start by creating the network to allow communications between our services :
 ```shell
 docker network create -d overlay mynet
 ```
 We can now create the *autoconf* service that will listen to swarm events :
 ```shell
 docker service create --name autoconf \
                      --network mynet \
                      --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
                      --mount type=bind,source=/shared/confs,destination=/etc/nginx \
                      --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
                      --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
                      -e SWARM_MODE=yes \
                      -e API_URI=/ChangeMeToSomethingHardToGuess \
                      --replicas 1 \
                      --constraint node.role==manager \
                      bunkerity/bunkerized-nginx-autoconf
 ```
 **You need to change `API_URI` to something hard to guess since there is no other security mechanism to protect the API at the moment.**
 When *autoconf* is created, it's time for the *bunkerized-nginx* service to be up :
 ```shell
 docker service create --name nginx \
                      --network mynet \
                      -p published=80,target=8080,mode=host \
                      -p published=443,target=8443,mode=host \
                      --mount type=bind,source=/shared/confs,destination=/etc/nginx \
                      --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,ro \
                      --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,ro \
                      --mount type=bind,source=/shared/www,destination=/www,ro \
                      -e SWARM_MODE=yes \
                      -e USE_API=yes \
                      -e API_URI=/ChangeMeToSomethingHardToGuess \
                      -e MULTISITE=yes \
                      -e SERVER_NAME= \
                      -e AUTO_LETS_ENCRYPT=yes \
                      -e REDIRECT_HTTP_TO_HTTPS=yes \
                      -l bunkerized-nginx.AUTOCONF \
                      --mode global \
                      --constraint node.role==worker \
                      bunkerity/bunkerized-nginx
 ```
 The `API_URI` value must be the same as the one specified for the *autoconf* service.
 We can now create a new service and use labels to dynamically configure bunkerized-nginx. Labels for automatic configuration are the same as environment variables but with the "bunkerized-nginx." prefix.
 Here is a PHP example :
 ```shell
 docker service create --name myapp \
                      --network mynet \
                      --mount type=bind,source=/shared/www/app.domain.com,destination=/app \
                      -l bunkerized-nginx.SERVER_NAME=app.domain.com \
                      -l bunkerized-nginx.REMOTE_PHP=myapp \
                      -l bunkerized-nginx.REMOTE_PHP_PATH=/app \
                      --constraint node.role==worker \
                      php:fpm
 ```
 And a reverse proxy example :
 ```shell
 docker service create --name anotherapp \
                      --network mynet \
                      -l bunkerized-nginx.SERVER_NAME=app2.domain.com \
                      -l bunkerized-nginx.USE_REVERSE_PROXY=yes \
                      -l bunkerized-nginx.REVERSE_PROXY_URL=/ \
                      -l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
                      --constraint node.role==worker \
                      tutum/hello-world
 ```
 ## Web UI
 **This feature exposes, for now, a security risk because you need to mount the docker socket inside a container exposing a web application. You can test it but you should not use it in servers facing the internet.**  
@@ -340,9 +444,70 @@ docker run -p 80:8080 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerit
 When `USE_ANTIBOT` is set to *captcha*, every users visiting your website must complete a captcha before accessing the pages. Others challenges are also available : *cookie*, *javascript* or *recaptcha* (more info [here](#antibot)).
 ## Hardening
 ### Drop capabilities
 By default, *bunkerized-nginx* runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container :
 ```shell
 docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
 ```
 ### User namespace remap
 Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host.
 Let's assume you have the /etc/subuid and /etc/subgid files like this :  
 ```
 user:100000:65536
 ```
 It means that everything done inside the container will be remapped to UID/GID 100101 (100000 + 101) on the host.
 Please note that you must set the rights on the volumes (e.g. : /etc/letsencrypt, /www, ...) according to the remapped UID/GID :  
 ```shell
 $ chown root:100101 /path/to/letsencrypt
 $ chmod 770 /path/to/letsencrypt
 $ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx
 ```
 # Tutorials and examples
-You will find some docker-compose.yml examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples).  
+You will find some docker-compose examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples) and tutorials on our [blog](https://www.bunkerity.com/blog).  
 # Include custom configurations
 Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
  - /http-confs : http context
  - /server-confs : server context
  - /pre-server-confs : before server context (add map or upstream config for example)
 You just need to use a volume like this :
 ```shell
 docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
 ```
 When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
 ```shell
 docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
 ```
 The */path/to/server/confs* directory should have a structure like this :
 ```
 /path/to/server/confs
 ├── app1.domain.com
 │   └── custom.conf
 │   └── ...
 └── app2.domain.com
    └── custom.conf
    └── ...
 ```
 # Cache data
 You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
 ```shell
 docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
 ```
 # List of environment variables
@@ -380,7 +545,7 @@ Only the HTTP methods listed here will be accepted by nginx. If not listed, ngin
 `DISABLE_DEFAULT_SERVER`  
 Values : *yes* | *no*  
 Default value : *no*  
-Context : *global*, *multisite*  
+Context : *global*  
 If set to yes, nginx will only respond to HTTP request when the Host header match a FQDN specified in the `SERVER_NAME` environment variable.  
 For example, it will close the connection if a bot access the site with direct ip.
@@ -398,7 +563,7 @@ Context : *global*
 The IP addresses of the DNS resolvers to use when performing DNS lookups.
 `ROOT_FOLDER`  
-Values : *\<any valid path to web files\>  
+Values : *\<any valid path to web files\>*  
 Default value : */www*  
 Context : *global*  
 The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
@@ -413,7 +578,7 @@ The log format used by nginx to generate logs. More info [here](http://nginx.org
 Values : *\<any valid port greater than 1024\>*  
 Default value : *8080*  
 Context : *global*  
-The HTTP port number used by nginx and certbot inside the container.
+The HTTP port number used by nginx inside the container.
 `HTTPS_PORT`  
 Values : *\<any valid port greater than 1024\>*  
@@ -505,6 +670,13 @@ Context : *global*, *multisite*
 Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.  
 You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
 `REVERSE_PROXY_HEADERS`  
 Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>* 
 Default value :  
 Context : *global*, *multisite*  
 Only valid when `USE_REVERSE_PROXY` is set to *yes*.  
 You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HEADERS_1`, `REVERSE_PROXY_HEADERS_2`, `REVERSE_PROXY_HEADERS_3`, ...
 `PROXY_REAL_IP`  
 Values : *yes* | *no*  
 Default value : *no*  
@@ -726,19 +898,19 @@ If set to yes, nginx will redirect all HTTP requests to HTTPS.
 `USE_CUSTOM_HTTPS`  
 Values : *yes* | *no*  
 Default value : *no*  
-Context : *global*  
+Context : *global*, *multisite*  
 If set to yes, HTTPS will be enabled with certificate/key of your choice.  
 `CUSTOM_HTTPS_CERT`  
 Values : *\<any valid path inside the container\>*  
 Default value :  
-Context : *global*  
+Context : *global*, *multisite*  
 Full path of the certificate file to use when `USE_CUSTOM_HTTPS` is set to yes.  
 `CUSTOM_HTTPS_KEY`  
 Values : *\<any valid path inside the container\>*  
 Default value :  
-Context : *global*  
+Context : *global*, *multisite*  
 Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.  
 ### Self-signed certificate
@@ -831,7 +1003,7 @@ You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .co
 ## Security headers
 `X_FRAME_OPTIONS`  
-Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net* | *ALLOWALL*  
+Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
 Default value : *DENY*  
 Context : *global*, *multisite*  
 Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks. 
@@ -947,7 +1119,7 @@ The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
 `BLOCK_USER_AGENT`  
 Values : *yes* | *no*  
-Default value : *yes*
+Default value : *yes*  
 Context : *global*, *multisite*  
 If set to yes, block clients with "bad" user agent.  
 Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt).
@@ -1023,10 +1195,10 @@ Context : *global*, *multisite*
 If set to *yes*, lets you define custom IP addresses to be whitelisted through the `WHITELIST_IP_LIST` environment variable.
 `WHITELIST_IP_LIST`  
-Values : *\<list of IP addresses separated with spaces\>*  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
 Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*  
 Context : *global*  
-The list of IP addresses to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
+The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
 `USE_WHITELIST_REVERSE`  
 Values : *yes* | *no*  
@@ -1040,6 +1212,18 @@ Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .c
 Context : *global*  
 The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
 `WHITELIST_USER_AGENT`  
 Values : *\<list of regexes separated with spaces\>*  
 Default value :  
 Context : *global*, *multisite*  
 Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
 `WHITELIST_URI`  
 Values : *\<list of URI separated with spaces\>*  
 Default value :  
 Context : *global*, *multisite*  
 URI listed here have security checks like bad user-agents, bad IP, ... disabled. Useful when using callbacks for example.
 ### Custom blacklisting
 `USE_BLACKLIST_IP`  
@@ -1049,10 +1233,10 @@ Context : *global*, *multisite*
 If set to *yes*, lets you define custom IP addresses to be blacklisted through the `BLACKLIST_IP_LIST` environment variable.
 `BLACKLIST_IP_LIST`  
-Values : *\<list of IP addresses separated with spaces\>*  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
 Default value :  
 Context : *global*  
-The list of IP addresses to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
+The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
 `USE_BLACKLIST_REVERSE`  
 Values : *yes* | *no*  
@@ -1072,20 +1256,20 @@ The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is se
 Values : *yes* | *no*  
 Default value : *yes*  
 Context : *global*, *multisite*  
-If set to yes, the amount of HTTP requests made by a user will be limited during a period of time.  
+If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time.  
-More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/).
+More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri).
 `LIMIT_REQ_RATE`  
 Values : *Xr/s* | *Xr/m*  
-Default value : *20r/s*  
+Default value : *1r/s*  
 Context : *global*, *multisite*  
-The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requests per second.
+The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second.
 `LIMIT_REQ_BURST`  
 Values : *<any valid integer\>*  
-Default value : *40*  
+Default value : *2*  
 Context : *global*, *multisite*  
-The number of of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
 `LIMIT_REQ_CACHE`  
 Values : *Xm* | *Xk*    
@@ -1093,6 +1277,27 @@ Default value : *10m*
 Context : *global*  
 The size of the cache to store information about request limiting.
 ### Connections limiting
 `USE_LIMIT_CONN`  
 Values : *yes* | *no*  
 Default value : *yes*  
 Context : *global*, *multisite*  
 If set to yes, the number of connections made by an ip will be limited during a period of time. (ie. very small/weak ddos protection)  
 More info connections limiting [here](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html).
 `LIMIT_CONN_MAX`  
 Values : *<any valid integer\>*  
 Default value : *50*  
 Context : *global*, *multisite*  
 The maximum number of connections per ip to put in queue before rejecting requests.
 `LIMIT_CONN_CACHE`  
 Values : *Xm* | *Xk*    
 Default value : *10m*  
 Context : *global*  
 The size of the cache to store information about connection limiting.
 ### Countries
 `BLACKLIST_COUNTRY`  
@@ -1113,7 +1318,7 @@ Only allow specific countries accessing your website. Use 2 letters country code
 Values : *\<any valid IP/hostname\>*  
 Default value :  
 Context : *global*, *multisite*  
-Set the IP/hostname address of a remote PHP-FPM to execute .php files. See `USE_PHP` if you want to run a PHP-FPM instance on the same container as bunkerized-nginx.
+Set the IP/hostname address of a remote PHP-FPM to execute .php files.
 `REMOTE_PHP_PATH`  
 Values : *\<any valid absolute path\>*  
@@ -1167,7 +1372,7 @@ IPs or subnet which should never be ban by fail2ban.
 Values : *yes* | *no*  
 Default value : *yes*  
 Context : *global*, *multisite*  
-If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.  
+If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
 `USE_CLAMAV_SCAN`  
 Values : *yes* | *no*  
@@ -1181,13 +1386,15 @@ Default value : *yes*
 Context : *global*  
 If set to yes, ClamAV will automatically remove the detected files.  
-## Misc
+## Syslog
-`ADDITIONAL_MODULES`  
+`REMOTE_SYSLOG`  
-Values : *\<list of packages separated with space\>*  
+Values : *\<any IP/hostname\>*  
 Default value :  
 Context : *global*  
-You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.  
+When defined, rsyslog will send logs (access.log and error.log) to the corresponding IP/hostname using syslog UDP protocol.
 ## Logrotate
 `LOGROTATE_MINSIZE`  
 Values : *x* | *xk* | *xM* | *xG*  
@@ -1201,37 +1408,90 @@ Default value : 7
 Context : *global*  
 The number of days before rotated files are deleted.
-# Include custom configurations
+## Cron jobs
 Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
  - /http-confs : http context
  - /server-confs : server context
-You just need to use a volume like this :
+`AUTO_LETS_ENCRYPT_CRON`  
-```shell
+Values : *\<cron expression\>*   
-docker run ... -v /path/to/http/confs:/http-confs:ro ... -v /path/to/server/confs:/server-confs:ro ... bunkerity/bunkerized-nginx
+Default value : *15 0 \* \* \**  
-```
+Context : *global*  
 Cron expression of how often certbot will try to renew the certificates.
-When `MULTISITE` is set to *yes*, .conf files inside the /server-confs directory are loaded by all the server blocks. You can also set custom configuration for a specific server block by adding files in a subdirectory named as the host defined in the `SERVER_NAME` environment variable. Here is an example :
+`BLOCK_USER_AGENT_CRON`  
 Values : *\<cron expression\>*   
 Default value : *30 0 \* \* \* \**  
 Context : *global*  
 Cron expression of how often the blacklist of user agent is updated.
-```shell
+`BLOCK_TOR_EXIT_NODE_CRON`  
-docker run ... -v /path/to/server/confs:/server-confs:ro ... -e MULTISITE=yes -e "SERVER_NAME=app1.domain.com app2.domain.com" ... bunkerity/bunkerized-nginx
+Values : *\<cron expression\>*   
-```
+Default value : *0 \*/1 \* \* \* \**  
 Context : *global*  
 Cron expression of how often the blacklist of tor exit node is updated.
-The */path/to/server/confs* directory should have a structure like this :
+`BLOCK_PROXIES_CRON`  
-```
+Values : *\<cron expression\>*   
-/path/to/server/confs
+Default value : *0 3 \* \* \* \**  
-├── app1.domain.com
+Context : *global*  
-│   └── custom.conf
+Cron expression of how often the blacklist of proxies is updated.
 │   └── ...
 └── app2.domain.com
    └── custom.conf
    └── ...
 ```
-# Cache data
+`BLOCK_ABUSERS_CRON`  
 Values : *\<cron expression\>*   
 Default value : *0 2 \* \* \* \**  
 Context : *global*  
 Cron expression of how often the blacklist of abusers is updated.
-You can store cached data (blacklists, geoip DB, ...) to avoid downloading them again after a container deletion by mounting a volume on the /cache directory :
+`BLOCK_REFERRER_CRON`  
 Values : *\<cron expression\>*   
 Default value : *45 0 \* \* \* \**  
 Context : *global*  
 Cron expression of how often the blacklist of referrer is updated.
-```shell
+`GEOIP_CRON`  
-docker run ... -v /path/to/cache:/cache ... bunkerity/bunkerized-nginx
+Values : *\<cron expression\>*  
-```
+Default value : *0 4 2 \* \**  
 Context : *global*  
 Cron expression of how often the GeoIP database is updated.
 `USE_CLAMAV_SCAN_CRON`  
 Values : *\<cron expression\>*   
 Default value : *30 1 \* \* \**  
 Context : *global*  
 Cron expression of how often ClamAV will scan all the files inside the container.
 `CLAMAV_UPDATE_CRON`  
 Values : *\<cron expression\>*   
 Default value : *0 1 \* \* \**  
 Context : *global*  
 Cron expression of how often ClamAV will update its database.
 `LOGROTATE_CRON`  
 Values : *\<cron expression\>*   
 Default value : *0 0 \* \* \**  
 Context : *global*  
 Cron expression of how often Logrotate will rotate files.
 ## misc
 `SWARM_MODE`  
 Values : *yes* | *no*  
 Default value : *no*  
 Context : *global*  
 Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
 `USE_API`  
 Values : *yes* | *no*  
 Default value : *no*  
 Context : *global*  
 Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
 `API_URI`  
 Values : *random* | *\<any valid URI path\>*  
 Default value : *random*  
 Context : *global*  
 Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
 `API_WHITELIST_IP`  
 Values : *\<list of IP/CIDR separated with space\>*  
 Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*  
 Context : *global*  
 List of IP/CIDR block allowed to send API order using the `API_URI` uri.
--- a/2
+++ b/2
@@ -1 +1 @@
-1.2.2
+1.2.4
--- a/autoconf/AutoConf.py
+++ b/autoconf/AutoConf.py
@@ -0,0 +1,131 @@
 from Config import Config
 import utils
 import os
 class AutoConf :
 	def __init__(self, swarm, api) :
 		self.__swarm = swarm
 		self.__servers = {}
 		self.__instances = {}
 		self.__sites = {}
 		self.__config = Config(self.__swarm, api)
 	def get_server(self, id) :
 		if id in self.__servers :
 			return self.__servers[id]
 		return False
 	def reload(self) :
 		return self.__config.reload(self.__instances)
 	def pre_process(self, objs) :
 		for instance in objs :
 			(id, name, labels) = self.__get_infos(instance)
 			if "bunkerized-nginx.AUTOCONF" in labels :
 				if self.__swarm :
 					self.__process_instance(instance, "create", id, name, labels)
 				else :
 					if instance.status in ("restarting", "running", "created", "exited") :
 						self.__process_instance(instance, "create", id, name, labels)
 					if instance.status == "running" :
 						self.__process_instance(instance, "start", id, name, labels)
 		for server in objs :
 			(id, name, labels) = self.__get_infos(server)
 			if "bunkerized-nginx.SERVER_NAME" in labels :
 				if self.__swarm :
 					self.__process_server(server, "create", id, name, labels)
 				else :
 					if server.status in ("restarting", "running", "created", "exited") :
 						self.__process_server(server, "create", id, name, labels)
 					if server.status == "running" :
 						self.__process_server(server, "start", id, name, labels)
 	def process(self, obj, event) :
 		(id, name, labels) = self.__get_infos(obj)
 		if "bunkerized-nginx.AUTOCONF" in labels :
 			self.__process_instance(obj, event, id, name, labels)
 		elif "bunkerized-nginx.SERVER_NAME" in labels :
 			self.__process_server(obj, event, id, name, labels)
 	def __get_infos(self, obj) :
 		if self.__swarm :
 			id = obj.id
 			name = obj.name
 			labels = obj.attrs["Spec"]["Labels"]
 		else :
 			id = obj.id
 			name = obj.name
 			labels = obj.labels
 		return (id, name, labels)
 	def __process_instance(self, instance, event, id, name, labels) :
 		if event == "create" :
 			self.__instances[id] = instance
 			if self.__swarm and len(self.__instances) == 1 :
 				if self.__config.initconf(self.__instances) :
 					utils.log("[*] Initial config succeeded")
 				else :
 					utils.log("[!] Initial config failed")
 			utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
 		elif event == "start" :
 			self.__instances[id].reload()
 			utils.log("[*] bunkerized-nginx instance started : " + name + " / " + id)
 		elif event == "die" :
 			self.__instances[id].reload()
 			utils.log("[*] bunkerized-nginx instance stopped : " + name + " / " + id)
 		elif event == "destroy" or event == "remove" :
 			del self.__instances[id]
 			if self.__swarm and len(self.__instances) == 0 :
 				with open("/etc/crontabs/nginx", "w") as f :
 					f.write("")
 				if os.path.exists("/etc/nginx/autoconf") :
 					os.remove("/etc/nginx/autoconf")
 			utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
 	def __process_server(self, instance, event, id, name, labels) :
 		vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
 		if event == "create" :
 			utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
 			if self.__config.generate(self.__instances, vars) :
 				utils.log("[*] Generated config for " + vars["SERVER_NAME"])
 				self.__servers[id] = instance
 				if self.__swarm :
 					utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
 					if self.__config.activate(self.__instances, vars) :
 						utils.log("[*] Activated config for " + vars["SERVER_NAME"])
 					else :
 						utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
 			else :
 				utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
 		elif event == "start" :
 			if id in self.__servers :
 				self.__servers[id].reload()
 				utils.log("[*] Activating config for " + vars["SERVER_NAME"] + " ...")
 				if self.__config.activate(self.__instances, vars) :
 					utils.log("[*] Activated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
 		elif event == "die" :
 			if id in self.__servers :
 				self.__servers[id].reload()
 				utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
 				if self.__config.deactivate(self.__instances, vars) :
 					utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
 		elif event == "destroy" or event == "remove" :
 			if id in self.__servers :
 				if self.__swarm :
 					utils.log("[*] Deactivating config for " + vars["SERVER_NAME"])
 					if self.__config.deactivate(self.__instances, vars) :
 						utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
 					else :
 						utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
 				del self.__servers[id]
 				utils.log("[*] Removing config for " + vars["SERVER_NAME"])
 				if self.__config.remove(vars) :
 					utils.log("[*] Removed config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])
--- a/autoconf/Config.py
+++ b/autoconf/Config.py
@@ -0,0 +1,209 @@
 #!/usr/bin/python3
 import utils
 import subprocess, shutil, os, traceback, requests, time
 class Config :
 	def __init__(self, swarm, api) :
 		self.__swarm = swarm
 		self.__api = api
 	def initconf(self, instances) :
 		try :
 			for instance_id, instance in instances.items() :
 				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
 				break
 			vars = {}
 			for var_value in env :
 				var = var_value.split("=")[0]
 				value = var_value.replace(var + "=", "", 1)
 				vars[var] = value
 			utils.log("[*] Generating global config ...")
 			if not self.globalconf(instances) :
 				utils.log("[!] Can't generate global config")
 				return False
 			utils.log("[*] Generated global config")
 			if "SERVER_NAME" in vars and vars["SERVER_NAME"] != "" :
 				for server in vars["SERVER_NAME"].split(" ") :
 					vars_site = vars.copy()
 					vars_site["SERVER_NAME"] = server
 					utils.log("[*] Generating config for " + vars["SERVER_NAME"] + " ...")
 					if not self.generate(instances, vars_site) or not self.activate(instances, vars_site, reload=False) :
 						utils.log("[!] Can't generate/activate site config for " + server)
 						return False
 					utils.log("[*] Generated config for " + vars["SERVER_NAME"])
 			with open("/etc/nginx/autoconf", "w") as f :
 				f.write("ok")
 			utils.log("[*] Waiting for bunkerized-nginx tasks ...")
 			i = 1
 			started = False
 			while i <= 10 :
 				time.sleep(i)
 				if self.__ping(instances) :
 					started = True
 					break
 				i = i + 1
 				utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
 			if started :
 				utils.log("[*] bunkerized-nginx tasks started")
 				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
 				return proc.returncode == 0
 			else :
 				utils.log("[!] bunkerized-nginx tasks are not started")
 		except Exception as e :
 			utils.log("[!] Error while initializing config : " + str(e))
 		return False
 	def globalconf(self, instances) :
 		try :
 			for instance_id, instance in instances.items() :
 				env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
 				break
 			vars = {}
 			for var_value in env :
 				var = var_value.split("=")[0]
 				value = var_value.replace(var + "=", "", 1)
 				vars[var] = value
 			proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/global-config.sh", "nginx"], env=vars, capture_output=True)
 			if proc.returncode == 0 :
 				return True
 			else :
 				utils.log("[*] Error while generating global config : return code = " + str(proc.returncode))
 		except Exception as e :
 			utils.log("[!] Exception while generating global config : " + str(e))
 		return False
 	def generate(self, instances, vars) :
 		try :
 			# Get env vars from bunkerized-nginx instances
 			vars_instances = {}
 			for instance_id, instance in instances.items() :
 				if self.__swarm :
 					env = instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"]["Env"]
 				else :
 					env = instance.attrs["Config"]["Env"]
 				for var_value in env :
 					var = var_value.split("=")[0]
 					value = var_value.replace(var + "=", "", 1)
 					vars_instances[var] = value
 			vars_defaults = vars.copy()
 			vars_defaults.update(vars_instances)
 			vars_defaults.update(vars)
 			# Call site-config.sh to generate the config
 			proc = subprocess.run(["/bin/su", "-s", "/bin/sh", "-c", "/opt/entrypoint/site-config.sh" + " \"" + vars["SERVER_NAME"] + "\"", "nginx"], env=vars_defaults, capture_output=True)
 			if proc.returncode == 0 and vars_defaults["MULTISITE"] == "yes" and self.__swarm :
 				proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/multisite-config.sh", "nginx"], env=vars_defaults, capture_output=True)
 			if proc.returncode == 0 :
 				return True
 			utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + "  : return code = " + str(proc.returncode))
 		except Exception as e :
 			utils.log("[!] Exception while generating site config : " + str(e))
 		return False
 	def activate(self, instances, vars, reload=True) :
 		try :
 			# Get first server name
 			first_server_name = vars["SERVER_NAME"].split(" ")[0]
 			# Check if file exists
 			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
 				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
 				return False
 			# Include the server conf
 			utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + first_server_name + "/server.conf;\n}")
 			# Reload
 			if not reload or self.reload(instances) :
 				return True
 		except Exception as e :
 			utils.log("[!] Exception while activating config : " + str(e))
 		return False
 	def deactivate(self, instances, vars) :
 		try :
 			# Get first server name
 			first_server_name = vars["SERVER_NAME"].split(" ")[0]
 			# Check if file exists
 			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
 				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
 				return False
 			# Remove the include
 			utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + first_server_name + "/server.conf;\n", "")
 			# Reload
 			if self.reload(instances) :
 				return True
 		except Exception as e :
 			utils.log("[!] Exception while deactivating config : " + str(e))
 		return False
 	def remove(self, vars) :
 		try :
 			# Get first server name
 			first_server_name = vars["SERVER_NAME"].split(" ")[0]
 			# Check if file exists
 			if not os.path.isfile("/etc/nginx/" + first_server_name + "/server.conf") :
 				utils.log("[!] /etc/nginx/" + first_server_name + "/server.conf doesn't exist")
 				return False
 			# Remove the folder
 			shutil.rmtree("/etc/nginx/" + first_server_name)
 			return True
 		except Exception as e :
 			utils.log("[!] Error while deactivating config : " + str(e))
 		return False
 	def reload(self, instances) :
 		return self.__api_call(instances, "/reload")
 	def __ping(self, instances) :
 		return self.__api_call(instances, "/ping")
 	def __api_call(self, instances, path) :
 		ret = True
 		for instance_id, instance in instances.items() :
 			# Reload the instance object just in case
 			instance.reload()
 			# Reload via API
 			if self.__swarm :
 				# Send POST request on http://serviceName.NodeID.TaskID:8000/action
 				name = instance.name
 				for task in instance.tasks() :
 					if task["Status"]["State"] != "running" :
 						continue
 					nodeID = task["NodeID"]
 					taskID = task["ID"]
 					fqdn = name + "." + nodeID + "." + taskID
 					req = False
 					try :
 						req = requests.post("http://" + fqdn + ":8080" + self.__api + path)
 					except :
 						pass
 					if req and req.status_code == 200 :
 						utils.log("[*] Sent API order " + path + " to instance " + fqdn + " (service.node.task)")
 					else :
 						utils.log("[!] Can't send API order " + path + " to instance " + fqdn + " (service.node.task)")
 						ret = False
 			# Send SIGHUP to running instance
 			elif instance.status == "running" :
 				try :
 					instance.kill("SIGHUP")
 					utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
 				except docker.errors.APIError as e :
 					utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
 					ret = False
 		return ret
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
@@ -1,18 +1,45 @@
 FROM nginx:stable-alpine AS builder
 FROM alpine
-RUN apk add py3-pip apache2-utils bash && \
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
    pip3 install docker && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site
 RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
    pip3 install docker requests && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site && \
    mkdir -p /opt/confs/global && \
    mkdir /opt/scripts && \
    addgroup -g 101 nginx && \
    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
    mkdir /etc/letsencrypt && \
    chown root:nginx /etc/letsencrypt && \
    chmod 770 /etc/letsencrypt && \
    mkdir /var/log/letsencrypt && \
    chown root:nginx /var/log/letsencrypt && \
    chmod 770 /var/log/letsencrypt && \
    mkdir /var/lib/letsencrypt && \
    chown root:nginx /var/lib/letsencrypt && \
    chmod 770 /var/lib/letsencrypt && \
    mkdir /cache && \
    chown root:nginx /cache && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
    chmod 770 /var/log/jobs.log && \
    chown -R root:nginx /opt/confs/nginx && \
    chmod -R 770 /opt/confs/nginx && \
    mkdir /acme-challenge && \
    chown root:nginx /acme-challenge && \
    chmod 770 /acme-challenge
 COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/site/ /opt/confs/site
 COPY confs/global/ /opt/confs/global
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
-# Fix CVE-2020-1971
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
 RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
--- a/autoconf/Dockerfile-amd64
+++ b/autoconf/Dockerfile-amd64
@@ -1,18 +1,44 @@
 FROM nginx:stable-alpine AS builder
 FROM amd64/alpine
-RUN apk add py3-pip apache2-utils bash && \
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
    pip3 install docker && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site
 RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
    pip3 install docker requests && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site && \
    mkdir -p /opt/confs/global && \
    mkdir /opt/scripts && \
    addgroup -g 101 nginx && \
    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
    mkdir /etc/letsencrypt && \
    chown root:nginx /etc/letsencrypt && \
    chmod 770 /etc/letsencrypt && \
    mkdir /var/log/letsencrypt && \
    chown root:nginx /var/log/letsencrypt && \
    chmod 770 /var/log/letsencrypt && \
    mkdir /var/lib/letsencrypt && \
    chown root:nginx /var/lib/letsencrypt && \
    chmod 770 /var/lib/letsencrypt && \
    mkdir /cache && \
    chown root:nginx /cache && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
    chmod 770 /var/log/jobs.log && \
    chown -R root:nginx /opt/confs/nginx && \
    chmod -R 770 /opt/confs/nginx && \
    mkdir /acme-challenge && \
    chown root:nginx /acme-challenge && \
    chmod 770 /acme-challenge
 COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/global/ /opt/confs/global
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
-# Fix CVE-2020-1971
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
 RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
--- a/autoconf/Dockerfile-arm32v7
+++ b/autoconf/Dockerfile-arm32v7
@@ -3,23 +3,48 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 FROM nginx:stable-alpine AS builder2
 FROM arm32v7/alpine
 COPY --from=builder qemu-arm-static /usr/bin
 COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
-RUN apk add py3-pip apache2-utils bash && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
-    pip3 install docker && \
+    pip3 install docker requests && \
    mkdir /opt/entrypoint && \
-    mkdir -p /opt/confs/site
+    mkdir -p /opt/confs/site && \
    mkdir -p /opt/confs/global && \
    mkdir /opt/scripts && \
    addgroup -g 101 nginx && \
    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
    mkdir /etc/letsencrypt && \
    chown root:nginx /etc/letsencrypt && \
    chmod 770 /etc/letsencrypt && \
    mkdir /var/log/letsencrypt && \
    chown root:nginx /var/log/letsencrypt && \
    chmod 770 /var/log/letsencrypt && \
    mkdir /var/lib/letsencrypt && \
    chown root:nginx /var/lib/letsencrypt && \
    chmod 770 /var/lib/letsencrypt && \
    mkdir /cache && \
    chown root:nginx /cache && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
    chmod 770 /var/log/jobs.log && \
    chown -R root:nginx /opt/confs/nginx && \
    chmod -R 770 /opt/confs/nginx && \
    mkdir /acme-challenge && \
    chown root:nginx /acme-challenge && \
    chmod 770 /acme-challenge
 COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/global/ /opt/confs/global
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
-# Fix CVE-2020-1971
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
 RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
--- a/autoconf/Dockerfile-arm64v8
+++ b/autoconf/Dockerfile-arm64v8
@@ -3,23 +3,48 @@ FROM alpine AS builder
 ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
 RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
 FROM nginx:stable-alpine AS builder2
 FROM arm64v8/alpine
 COPY --from=builder qemu-aarch64-static /usr/bin
 COPY --from=builder2 /etc/nginx/ /opt/confs/nginx
-RUN apk add py3-pip apache2-utils bash && \
+RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
-    pip3 install docker && \
+    pip3 install docker requests && \
    mkdir /opt/entrypoint && \
-    mkdir -p /opt/confs/site
+    mkdir -p /opt/confs/site && \
    mkdir -p /opt/confs/global && \
    mkdir /opt/scripts && \
    addgroup -g 101 nginx && \
    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
    mkdir /etc/letsencrypt && \
    chown root:nginx /etc/letsencrypt && \
    chmod 770 /etc/letsencrypt && \
    mkdir /var/log/letsencrypt && \
    chown root:nginx /var/log/letsencrypt && \
    chmod 770 /var/log/letsencrypt && \
    mkdir /var/lib/letsencrypt && \
    chown root:nginx /var/lib/letsencrypt && \
    chmod 770 /var/lib/letsencrypt && \
    mkdir /cache && \
    chown root:nginx /cache && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
    chmod 770 /var/log/jobs.log && \
    chown -R root:nginx /opt/confs/nginx && \
    chmod -R 770 /opt/confs/nginx && \
    mkdir /acme-challenge && \
    chown root:nginx /acme-challenge && \
    chmod 770 /acme-challenge
 COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/global/ /opt/confs/global
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
-# Fix CVE-2020-1971
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
 RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
--- a/autoconf/Dockerfile-i386
+++ b/autoconf/Dockerfile-i386
@@ -1,18 +1,44 @@
 FROM nginx:stable-alpine AS builder
 FROM i386/alpine
-RUN apk add py3-pip apache2-utils bash && \
+COPY --from=builder /etc/nginx/ /opt/confs/nginx
    pip3 install docker && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site
 RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
    pip3 install docker requests && \
    mkdir /opt/entrypoint && \
    mkdir -p /opt/confs/site && \
    mkdir -p /opt/confs/global && \
    mkdir /opt/scripts && \
    addgroup -g 101 nginx && \
    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx && \
    mkdir /etc/letsencrypt && \
    chown root:nginx /etc/letsencrypt && \
    chmod 770 /etc/letsencrypt && \
    mkdir /var/log/letsencrypt && \
    chown root:nginx /var/log/letsencrypt && \
    chmod 770 /var/log/letsencrypt && \
    mkdir /var/lib/letsencrypt && \
    chown root:nginx /var/lib/letsencrypt && \
    chmod 770 /var/lib/letsencrypt && \
    mkdir /cache && \
    chown root:nginx /cache && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
    chmod 770 /var/log/jobs.log && \
    chown -R root:nginx /opt/confs/nginx && \
    chmod -R 770 /opt/confs/nginx && \
    mkdir /acme-challenge && \
    chown root:nginx /acme-challenge && \
    chmod 770 /acme-challenge
 COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/global/ /opt/confs/global
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/
 COPY autoconf/* /opt/entrypoint/
-RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
+RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh /opt/scripts/*.sh
-# Fix CVE-2020-1971
+ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
 RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
 ENTRYPOINT ["/opt/entrypoint/entrypoint.py"]
--- a/autoconf/ReloadServer.py
+++ b/autoconf/ReloadServer.py
@@ -0,0 +1,28 @@
 import socketserver, threading, utils, os, stat
 class ReloadServerHandler(socketserver.StreamRequestHandler):
 	def handle(self) :
 		try :
 			data = self.request.recv(512)
 			if not data :
 				return
 			with self.server.lock :
 				ret = self.server.autoconf.reload()
 			if ret :
 				self.request.sendall("ok".encode("utf-8"))
 			else :
 				self.request.sendall("ko".encode("utf-8"))
 		except Exception as e :
 			utils.log("Exception " + str(e))
 def run_reload_server(autoconf, lock) :
 	server = socketserver.UnixStreamServer("/tmp/autoconf.sock", ReloadServerHandler)
 	os.chown("/tmp/autoconf.sock", 0, 101)
 	os.chmod("/tmp/autoconf.sock", 0o770)
 	server.autoconf = autoconf
 	server.lock = lock
 	thread = threading.Thread(target=server.serve_forever)
 	thread.daemon = True
 	thread.start()
 	return (server, thread)
--- a/autoconf/app.py
+++ b/autoconf/app.py
@@ -0,0 +1,73 @@
 #!/usr/bin/python3
 from AutoConf import AutoConf
 from ReloadServer import run_reload_server
 import utils
 import docker, os, stat, sys, select, threading
 # Connect to the endpoint
 endpoint = "/var/run/docker.sock"
 if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
 	utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
 	sys.exit(1)
 try :
 	client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
 except Exception as e :
 	utils.log("[!] Can't instantiate DockerClient : " + str(e))
 	sys.exit(2)
 # Check if we are in Swarm mode
 swarm = os.getenv("SWARM_MODE") == "yes"
 # Our object to process events
 api = ""
 if swarm :
 	api = os.getenv("API_URI")
 autoconf = AutoConf(swarm, api)
 lock = threading.Lock()
 if swarm :
 	(server, thread) = run_reload_server(autoconf, lock)
 # Get all bunkerized-nginx instances and web services created before
 try :
 	if swarm :
 		before = client.services.list(filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.services.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
 	else :
 		before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(filters={"label" : "bunkerized-nginx.SERVER_NAME"})
 except docker.errors.APIError as e :
 	utils.log("[!] Docker API error " + str(e))
 	sys.exit(3)
 # Process them before events
 with lock :
 	autoconf.pre_process(before)
 # Process events received from Docker
 try :
 	utils.log("[*] Listening for Docker events ...")
 	for event in client.events(decode=True) :
 		# Process only container/service events
 		if (swarm and event["Type"] != "service") or (not swarm and event["Type"] != "container") :
 			continue
 		# Get Container/Service object
 		try :
 			if swarm :
 				id = service_id=event["Actor"]["ID"]
 				server = client.services.get(service_id=id)
 			else :
 				id = event["id"]
 				server = client.containers.get(id)
 		except docker.errors.NotFound as e :
 			server = autoconf.get_server(id)
 			if not server :
 				continue
 		# Process the event
 		with lock :
 			autoconf.process(server, event["Action"])
 except docker.errors.APIError as e :
 	utils.log("[!] Docker API error " + str(e))
 	sys.exit(4)
--- a/autoconf/config.py
+++ b/autoconf/config.py
@@ -1,85 +0,0 @@
 #!/usr/bin/python3
 import utils
 import subprocess, shutil, os, traceback
 def generate(instances, vars) :
 	try :
 		# Get env vars from bunkerized-nginx instances
 		vars_instances = {}
 		for instance_id, instance in instances.items() :
 			for var_value in instance.attrs["Config"]["Env"] :
 				var = var_value.split("=")[0]
 				value = var_value.replace(var + "=", "", 1)
 				vars_instances[var] = value
 		vars_defaults = vars.copy()
 		vars_defaults.update(vars_instances)
 		vars_defaults.update(vars)
 		# Call site-config.sh to generate the config
 		proc = subprocess.run(["/opt/entrypoint/site-config.sh", vars["SERVER_NAME"]], env=vars_defaults, capture_output=True)
 		if proc.returncode == 0 :
 			return True
 	except Exception as e :
 		traceback.print_exc()
 		utils.log("[!] Error while generating config : " + str(e))
 	return False
 def activate(instances, vars) :
 	try :
 		# Check if file exists
 		if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
 			utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
 			return False
 		# Include the server conf
 		utils.replace_in_file("/etc/nginx/nginx.conf", "}", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n}")
 		# Send SIGHUP to all running instances
 		for instance_id, instance in instances.items() :
 			if instance.status == "running" :
 				try :
 					instance.kill("SIGHUP")
 					utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
 				except docker.errors.APIError as e :
 					utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
 		return True
 	except Exception as e :
 		utils.log("[!] Error while activating config : " + str(e))
 	return False
 def deactivate(instances, vars) :
 	try :
 		# Check if file exists
 		if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
 			utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
 			return False
 		# Remove the include
 		utils.replace_in_file("/etc/nginx/nginx.conf", "include /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf;\n", "")
 		# Send SIGHUP to all running instances
 		for instance_id, instance in instances.items() :
 			if instance.status == "running" :
 				try :
 					instance.kill("SIGHUP")
 					utils.log("[*] Sent SIGHUP signal to bunkerized-nginx instance " + instance.name + " / " + instance.id)
 				except docker.errors.APIError as e :
 					utils.log("[!] Docker error while sending SIGHUP signal : " + str(e))
 		return True
 	except Exception as e :
 		utils.log("[!] Error while deactivating config : " + str(e))
 	return False
 def remove(instances, vars) :
 	try :
 		# Check if file exists
 		if not os.path.isfile("/etc/nginx/" + vars["SERVER_NAME"] + "/server.conf") :
 			utils.log("[!] /etc/nginx/" + vars["SERVER_NAME"] + "/server.conf doesn't exist")
 			return False
 		# Remove the folder
 		shutil.rmtree("/etc/nginx/" + vars["SERVER_NAME"])
 		return True
 	except Exception as e :
 		utils.log("[!] Error while deactivating config : " + str(e))
 	return False
--- a/autoconf/entrypoint.py
+++ b/autoconf/entrypoint.py
@@ -1,118 +0,0 @@
 #!/usr/bin/python3
 import utils, config
 import docker, os, stat, sys
 def process(container, event) :
 	global instances, containers
 	# Process instance event
 	if "bunkerized-nginx.AUTOCONF" in container.labels :
 		if event == "create" :
 			instances[container.id] = container
 			utils.log("[*] bunkerized-nginx instance created : " + container.name + " / " + container.id)
 		elif event == "start" :
 			instances[container.id].reload()
 			utils.log("[*] bunkerized-nginx instance started : " + container.name + " / " + container.id)
 		elif event == "die" :
 			instances[container.id].reload()
 			utils.log("[*] bunkerized-nginx instance stopped : " + container.name + " / " + container.id)
 		elif event == "destroy" :
 			del instances[container.id]
 			utils.log("[*] bunkerized-nginx instance removed : " + container.name + " / " + container.id)
 	# Process container event
 	elif "bunkerized-nginx.SERVER_NAME" in container.labels :
 		# Convert labels to env vars
 		vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in container.labels.items() if k.startswith("bunkerized-nginx.")}
 		if event == "create" :
 			if config.generate(instances, vars) :
 				utils.log("[*] Generated config for " + vars["SERVER_NAME"])
 				containers[container.id] = container
 			else :
 				utils.log("[!] Can't generate config for " + vars["SERVER_NAME"])
 		elif event == "start" :
 			if container.id in containers :
 				containers[container.id].reload()
 				if config.activate(instances, vars) :
 					utils.log("[*] Activated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
 		elif event == "die" :
 			if container.id in containers :
 				containers[container.id].reload()
 				if config.deactivate(instances, vars) :
 					utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
 		elif event == "destroy" :
 			if container.id in containers :
 				del containers[container.id]
 				if config.remove(vars) :
 					utils.log("[*] Removed config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't remove config for " + vars["SERVER_NAME"])
 # Connect to the endpoint
 endpoint = "/var/run/docker.sock"
 if not os.path.exists(endpoint) or not stat.S_ISSOCK(os.stat(endpoint).st_mode) :
 	utils.log("[!] /var/run/docker.sock not found (is it mounted ?)")
 	sys.exit(1)
 try :
 	client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
 except Exception as e :
 	utils.log("[!] Can't instantiate DockerClient : " + str(e))
 	sys.exit(2)
 # Get all bunkerized-nginx instances and web services created before
 instances = {}
 containers = {}
 try :
 	before = client.containers.list(all=True, filters={"label" : "bunkerized-nginx.AUTOCONF"}) + client.containers.list(all=True, filters={"label" : "bunkerized-nginx.SERVER_NAME"})
 except docker.errors.APIError as e :
 	utils.log("[!] Docker API error " + str(e))
 	sys.exit(3)
 # Process instances first
 for instance in before :
 	if "bunkerized-nginx.AUTOCONF" in instance.labels :
 		if instance.status in ("restarting", "running", "created", "exited") :
 			process(instance, "create")
 		if instance.status == "running" :
 			process(instance, "start")
 # Containers after
 for container in before :
 	if "bunkerized-nginx.SERVER_NAME" in container.labels :
 		if container.status in ("restarting", "running", "created", "exited") :
 			process(container, "create")
 		if container.status == "running" :
 			process(container, "start")
 # Process events received from Docker
 try :
 	for event in client.events(decode=True) :
 		# Process only container events
 		if event["Type"] != "container" :
 			continue
 		# Get Container object
 		try :
 			container = client.containers.get(event["id"])
 		except docker.errors.NotFound as e :
 			continue
 		# Check if there is an interesting label
 		interesting = False
 		for label in container.labels :
 			if label in ("bunkerized-nginx.SERVER_NAME", "bunkerized-nginx.AUTOCONF") :
 				interesting = True
 				break
 		if not interesting :
 			continue
 		# Process the event
 		process(container, event["Action"])
 except docker.errors.APIError as e :
 	utils.log("[!] Docker API error " + str(e))
 	sys.exit(4)
--- a/autoconf/entrypoint.sh
+++ b/autoconf/entrypoint.sh
@@ -0,0 +1,48 @@
 #!/bin/bash
 echo "[*] Starting autoconf ..."
 # check permissions
 su -s "/opt/entrypoint/permissions.sh" nginx
 if [ "$?" -ne 0 ] ; then
 	exit 1
 fi
 if [ "$SWARM_MODE" = "yes" ] ; then
 	cp -r /opt/confs/nginx/* /etc/nginx
 	chown -R root:nginx /etc/nginx
 	chmod -R 770 /etc/nginx
 fi
 # trap SIGTERM and SIGINT
 function trap_exit() {
 	echo "[*] Catched stop operation"
 	echo "[*] Stopping crond ..."
 	pkill -TERM crond
 	echo "[*] Stopping python3 ..."
 	pkill -TERM python3
 	pkill -TERM tail
 }
 trap "trap_exit" TERM INT QUIT
 # remove old crontabs
 echo "" > /etc/crontabs/root
 # setup logrotate
 touch /var/log/jobs.log
 echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
 # start cron
 crond
 # run autoconf app
 /opt/entrypoint/app.py &
 # display logs
 tail -F /var/log/jobs.log &
 pid="$!"
 wait "$pid"
 # stop
 echo "[*] autoconf stopped"
 exit 0
--- a/autoconf/misc/logrotate.conf
+++ b/autoconf/misc/logrotate.conf
@@ -0,0 +1,23 @@
 /var/log/*.log /var/log/letsencrypt/*.log {
 	# compress old files using gzip
 	compress
 	# rotate everyday
 	daily
 	# remove old logs after X days
 	maxage 7
 	rotate 7
 	# no errors if a file is missing
 	missingok
 	# disable mailing
 	nomail
 	# mininum size of a logfile before rotating
 	minsize 10M
 	# make a copy and truncate the files
 	copytruncate
 }
--- a/autoconf/reload.py
+++ b/autoconf/reload.py
@@ -0,0 +1,19 @@
 #!/usr/bin/python3
 import sys, socket, os
 if not os.path.exists("/tmp/autoconf.sock") :
 	sys.exit(1)
 try :
 	client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
 	client.connect("/tmp/autoconf.sock")
 	client.send("reload".encode("utf-8"))
 	data = client.recv(512)
 	client.close()
 	if not data or data.decode("utf-8") != "ok" :
 		sys.exit(3)
 except Exception as e :
 	sys.exit(2)
 sys.exit(0)
--- a/autoconf/utils.py
+++ b/autoconf/utils.py
@@ -11,3 +11,14 @@ def replace_in_file(file, old_str, new_str) :
 	data = data[::-1].replace(old_str[::-1], new_str[::-1], 1)[::-1]
 	with open(file, "w") as f :
 		f.write(data)
 def install_cron(service, vars, crons) :
 	for var in vars :
 		if var in crons :
 			with open("/etc/crontabs/root", "a+") as f :
 				f.write(vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"])
 def uninstall_cron(service, vars, crons) :
 	for var in vars :
 		if var in crons :
 			replace_in_file("/etc/crontabs/root", vars[var] + " /opt/cron/" + crons[var] + ".py " + service["Actor"]["ID"] + "\n", "")
--- a/compile.sh
+++ b/compile.sh
@@ -50,8 +50,9 @@ make install-strip
 cd /tmp
 git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
 cd coreruleset
-cp -r rules /etc/nginx/owasp-crs
+mkdir /opt/owasp
-cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
+cp -r rules /opt/owasp/crs
 cp crs-setup.conf.example /opt/owasp/crs.conf
 # get nginx modules
 cd /tmp
@@ -125,7 +126,7 @@ cd luasec
 make linux -j $NTASK
 make LUACPATH=/usr/local/lib/lua/5.1 LUAPATH=/usr/local/lib/lua install
 cd /tmp
-git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 71c4247d6b66234e3f3426b2ea721ad50c741579
+git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
 cd lua-cs-bouncer
 mkdir /usr/local/lib/lua/crowdsec
 cp lib/*.lua /usr/local/lib/lua/crowdsec
@@ -135,6 +136,10 @@ sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowd
 sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 cd /tmp
 git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
 cd lua-resty-iputils
 make LUA_LIB_DIR=/usr/local/lib/lua install
 cd /tmp
 git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1
@@ -152,7 +157,7 @@ fi
 tar -xvzf nginx-${NGINX_VERSION}.tar.gz
 cd nginx-$NGINX_VERSION
 CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
-CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
+CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os}
 ./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module --add-dynamic-module=/tmp/ngx_brotli
 make -j $NTASK modules
 cp ./objs/*.so /usr/lib/nginx/modules
--- a/confs/global/api-temp.conf
+++ b/confs/global/api-temp.conf
@@ -0,0 +1,30 @@
 location ~ ^%API_URI%/ping {
 	return 444;
 }
 location ~ ^%API_URI% {
 rewrite_by_lua_block {
 	local api = require "api"
 	local api_uri = "%API_URI%"
 	if api.is_api_call(api_uri) then
 		ngx.header.content_type = 'text/plain'
 		if api.do_api_call(api_uri) then
 			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
 			ngx.say("ok")
 		else
 			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
 			ngx.say("ko")
 		end
 		ngx.exit(ngx.HTTP_OK)
 	end
 	ngx.exit(ngx.OK)
 }
 }
--- a/confs/global/api.conf
+++ b/confs/global/api.conf
@@ -0,0 +1,21 @@
 rewrite_by_lua_block {
 	local api = require "api"
 	local api_uri = "%API_URI%"
 	if api.is_api_call(api_uri) then
 		ngx.header.content_type = 'text/plain'
 		if api.do_api_call(api_uri) then
 			ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
 			ngx.say("ok")
 		else
 			ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
 			ngx.say("ko")
 		end
 		ngx.exit(ngx.HTTP_OK)
 	end
 	ngx.exit(ngx.OK)
 }
--- a/confs/global/crowdsec.conf
+++ b/confs/global/crowdsec.conf
@@ -5,5 +5,5 @@ init_by_lua_block {
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 		error()
 	end
-	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+	ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")
 }
--- a/confs/global/nginx-temp.conf
+++ b/confs/global/nginx-temp.conf
@@ -1,3 +1,5 @@
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 daemon on;
 pid /tmp/nginx-temp.pid;
@@ -8,12 +10,19 @@ events {
 }
 http {
 	proxy_temp_path /tmp/proxy_temp;
 	client_body_temp_path /tmp/client_temp;
 	fastcgi_temp_path /tmp/fastcgi_temp;
 	uwsgi_temp_path /tmp/uwsgi_temp;
 	scgi_temp_path /tmp/scgi_temp;
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
 	server {
 		listen 0.0.0.0:%HTTP_PORT% default_server;
 		server_name _;
 		location ~ ^/.well-known/acme-challenge/ {
 			root /acme-challenge;
 		}
 		%USE_API%
 		location / {
 			return 444;
 		}
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -49,8 +49,8 @@ http {
 	# write logs to local syslog
 	log_format logf '%LOG_FORMAT%';
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
+	access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+	error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice;
 	# temp paths
 	proxy_temp_path /tmp/proxy_temp;
@@ -88,6 +88,9 @@ http {
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
 	# shared memory zone for limit_conn
 	%LIMIT_CONN_ZONE%
 	# whitelist or blacklist country
 	%USE_COUNTRY%
@@ -108,4 +111,7 @@ http {
 	# server config(s)
 	%INCLUDE_SERVER%
 	# API
 	%USE_API%
 }
--- a/confs/site/antibot-captcha.conf
+++ b/confs/site/antibot-captcha.conf
@@ -7,7 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("uri") then
-				ngx.log(ngx.WARN, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local img, res = captcha.get_challenge()
@@ -22,19 +22,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local captcha	= require "captcha"
 			if not cookie.is_set("captchares") then
-				ngx.log(ngx.WARN, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["captcha"] then
-				ngx.log(ngx.WARN, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local captcha_user	= args["captcha"]
 			local check		= captcha.check(captcha_user, cookie.get("captchares"))
 			if not check then
-				ngx.log(ngx.WARN, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
 				return ngx.redirect("%ANTIBOT_URI%")
 			end
 			cookie.set({captcha = "ok"})
--- a/confs/site/antibot-recaptcha.conf
+++ b/confs/site/antibot-recaptcha.conf
@@ -7,7 +7,7 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
-				ngx.log(ngx.WARN, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
@@ -20,19 +20,19 @@ location = %ANTIBOT_URI% {
 			local cookie	= require "cookie"
 			local recaptcha	= require "recaptcha"
 			if not cookie.is_set("uri") then
-				ngx.log(ngx.WARN, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			ngx.req.read_body()
 			local args, err = ngx.req.get_post_args(1)
 			if err == "truncated" or not args or not args["token"] then
-				ngx.log(ngx.WARN, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local token	= args["token"]
 			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
 			if check < %ANTIBOT_RECAPTCHA_SCORE% then
-				ngx.log(ngx.WARN, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
+				ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			cookie.set({recaptcha = "ok"})
--- a/confs/site/client-cache.conf
+++ b/confs/site/client-cache.conf
@@ -1,4 +1,6 @@
-location ~* \.(%CLIENT_CACHE_EXTENSIONS%)$ {
+etag %CLIENT_CACHE_ETAG%;
-	etag %CLIENT_CACHE_ETAG%;
+set $cache "";
-	add_header Cache-Control "%CLIENT_CACHE_CONTROL%";
+if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
 	set $cache "%CLIENT_CACHE_CONTROL%";
 }
 add_header Cache-Control $cache;
--- a/confs/site/https.conf
+++ b/confs/site/https.conf
@@ -2,7 +2,7 @@ listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols %HTTPS_PROTOCOLS%;
-ssl_prefer_server_ciphers off;
+ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
--- a/confs/site/limit-conn.conf
+++ b/confs/site/limit-conn.conf
@@ -0,0 +1 @@
 limit_conn ddos %LIMIT_CONN_MAX%;
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -3,6 +3,7 @@ set $session_check_addr on;
 access_by_lua_block {
 local use_lets_encrypt		= %USE_LETS_ENCRYPT%
 local use_whitelist_ip		= %USE_WHITELIST_IP%
 local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
 local use_user_agent		= %USE_USER_AGENT%
@@ -26,8 +27,10 @@ local javascript	= require "javascript"
 local captcha		= require "captcha"
 local recaptcha		= require "recaptcha"
-- antibot
+-- user variables
-local antibot_uri = "%ANTIBOT_URI%"
+local antibot_uri		= "%ANTIBOT_URI%"
 local whitelist_user_agent	= {%WHITELIST_USER_AGENT%}
 local whitelist_uri		= {%WHITELIST_URI%}
 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -64,6 +67,19 @@ if use_whitelist_reverse and not whitelist.reverse_cached() then
 	end
 end
 -- check if URI is whitelisted
 for k, v in pairs(whitelist_uri) do
 	if ngx.var.request_uri == v then
 		ngx.log(ngx.NOTICE, "[WHITELIST] URI " .. v .. " is whitelisted")
 		ngx.exit(ngx.OK)
 	end
 end
 -- check if it's certbot
 if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
 	ngx.exit(ngx.OK)
 end
 -- check if IP is blacklisted (only if not in cache)
 if use_blacklist_ip and not blacklist.ip_cached() then
 	if blacklist.check_ip() then
@@ -80,19 +96,29 @@ end
 -- check if user-agent is allowed
 if use_user_agent and ngx.var.bad_user_agent == "yes" then
-	ngx.log(ngx.WARN, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
+	local block = false
-	ngx.exit(ngx.HTTP_FORBIDDEN)
+	for k, v in pairs(whitelist_user_agent) do
 		if string.match(ngx.var.http_user_agent, v) then
 			ngx.log(ngx.NOTICE, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
 			block = false
 			break
 		end
 	end
 	if block then
 		ngx.log(ngx.NOTICE, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
 -- check if referrer is allowed
 if use_referrer and ngx.var.bad_referrer == "yes" then
-	ngx.log(ngx.WARN, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
+	ngx.log(ngx.NOTICE, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
 	ngx.exit(ngx.HTTP_FORBIDDEN)
 end
 -- check if country is allowed
 if use_country and ngx.var.allowed_country == "no" then
-	ngx.log(ngx.WARN, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
+	ngx.log(ngx.NOTICE, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
 	ngx.exit(ngx.HTTP_FORBIDDEN)
 end
@@ -110,7 +136,7 @@ if use_crowdsec then
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 	end
 	if not ok then
-		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.log(ngx.NOTICE, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
@@ -122,7 +148,7 @@ if use_antibot_cookie then
 			cookie.set({uri = ngx.var.request_uri})
 			return ngx.redirect(antibot_uri)
 		end
-		ngx.log(ngx.WARN, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
+		ngx.log(ngx.NOTICE, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
 		return ngx.exit(ngx.HTTP_FORBIDDEN)
 	else
 		if ngx.var.request_uri == antibot_uri then
--- a/confs/site/modsecurity-rules.conf
+++ b/confs/site/modsecurity-rules.conf
@@ -50,7 +50,6 @@ SecResponseBodyLimitAction ProcessPartial
 # log usefull stuff
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log
--- a/confs/site/reverse-proxy-headers.conf
+++ b/confs/site/reverse-proxy-headers.conf
@@ -3,3 +3,4 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Protocol $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
--- a/confs/site/reverse-proxy.conf
+++ b/confs/site/reverse-proxy.conf
@@ -1,5 +1,7 @@
 location %REVERSE_PROXY_URL% {
 	etag off;
 	proxy_pass %REVERSE_PROXY_HOST%;
 	%REVERSE_PROXY_HEADERS%
 	%REVERSE_PROXY_WS%
 	%REVERSE_PROXY_CUSTOM_HEADERS%
 }
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -1,3 +1,5 @@
 %PRE_SERVER_CONF%
 server {
 	%FASTCGI_PATH%
 	%SERVER_CONF%
@@ -15,6 +17,7 @@ server {
 		return 405;
 	}
 	%LIMIT_REQ%
 	%LIMIT_CONN%
 	%AUTH_BASIC%
 	%REMOVE_HEADERS%
 	%X_FRAME_OPTIONS%
--- a/entrypoint/clamav.sh
+++ b/entrypoint/clamav.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # clamav setup
 if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
 	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
        else
 		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
        fi
 fi
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -45,11 +45,18 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
 WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
 BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-30 0 * * *}"
 BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
 BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-45 0 * * *}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-0 */1 * * *}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-0 3 * * *}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-0 2 * * *}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-15 0 * * *}"
 HTTP2="${HTTP2-yes}"
 HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
@@ -70,6 +77,8 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
 FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-30 1 * * *}"
 CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 1 * * *}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
 USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
 AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
@@ -80,6 +89,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
 LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
 LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
@@ -92,13 +102,17 @@ BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
 USE_DNSBL="${USE_DNSBL-yes}"
 DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
 USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
-LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
+LIMIT_REQ_RATE="${LIMIT_REQ_RATE-1r/s}"
-LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
+LIMIT_REQ_BURST="${LIMIT_REQ_BURST-2}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
 USE_LIMIT_CONN="${USE_LIMIT_CONN-yes}"
 LIMIT_CONN_MAX="${LIMIT_CONN_MAX-50}"
 LIMIT_CONN_CACHE="${LIMIT_CONN_CACHE-10m}"
 PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
 PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
 GEOIP_CRON="${GEOIP_CRON-0 4 2 * *}"
 GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
 SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
 SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
@@ -112,3 +126,7 @@ USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 USE_CROWDSEC="${USE_CROWDSEC-no}"
 USE_API="${USE_API-no}"
 API_URI="${API_URI-random}"
 API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 SWARM_MODE="${SWARM_MODE-no}"
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -12,7 +12,6 @@ done
 # trap SIGTERM and SIGINT
 function trap_exit() {
 	rm -f "/opt/running" 2> /dev/null
 	echo "[*] Catched stop operation"
 	echo "[*] Stopping crond ..."
 	pkill -TERM crond
@@ -31,12 +30,12 @@ trap "trap_exit" TERM INT QUIT
 # trap SIGHUP
 function trap_reload() {
 	echo "[*] Catched reload operation"
-	if [ "$MULTISITE" = "yes" ] ; then
+	if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
 		/opt/entrypoint/multisite-config.sh
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
-		/usr/sbin/nginx -s reload
+		nginx -s reload
 		if [ $? -eq 0 ] ; then
 			echo "[*] Reload successfull"
 		else
@@ -50,48 +49,90 @@ trap "trap_reload" HUP
 # do the configuration magic if needed
 if [ ! -f "/opt/installed" ] ; then
 	echo "[*] Configuring bunkerized-nginx ..."
-	/opt/entrypoint/global-config.sh
+
-	if [ "$MULTISITE" = "yes" ] ; then
+	# check permissions
-		for server in $SERVER_NAME ; do
+	if [ "$SWARM_MODE" = "no" ] ; then
-			/opt/entrypoint/site-config.sh "$server"
+		/opt/entrypoint/permissions.sh
 			echo "[*] Multi site - $server configuration done"
 		done
 		/opt/entrypoint/multisite-config.sh
 	else
-		/opt/entrypoint/site-config.sh
+		/opt/entrypoint/permissions-swarm.sh
 		echo "[*] Single site - $SERVER_NAME configuration done"
 	fi
 	if [ "$?" -ne 0 ] ; then
 		exit 1
 	fi
 	# logs config
 	/opt/entrypoint/logs.sh
 	# lua config
 	# TODO : move variables from /usr/local/lib/lua + multisite support ?
 	/opt/entrypoint/lua.sh
 	# fail2ban config
 	/opt/entrypoint/fail2ban.sh
 	# clamav config
 	/opt/entrypoint/clamav.sh
 	# start temp nginx to solve Let's Encrypt challenges if needed
 	/opt/entrypoint/nginx-temp.sh
 	# only do config if we are not in swarm mode
 	if [ "$SWARM_MODE" = "no" ] ; then
 		# global config
 		/opt/entrypoint/global-config.sh
 		# background jobs
 		/opt/entrypoint/jobs.sh
 		# multisite configs
 		if [ "$MULTISITE" = "yes" ] ; then
 			for server in $SERVER_NAME ; do
 				/opt/entrypoint/site-config.sh "$server"
 				echo "[*] Multi site - $server configuration done"
 			done
 			/opt/entrypoint/multisite-config.sh
 		# singlesite config
 		else
 			/opt/entrypoint/site-config.sh
 			echo "[*] Single site - $SERVER_NAME configuration done"
 		fi
 	fi
 	touch /opt/installed
 else
 	echo "[*] Skipping configuration process"
 fi
 # fix nginx configs rights (and modules through the symlink)
 chown -R root:nginx /etc/nginx/
 chmod -R 740 /etc/nginx/
 find /etc/nginx -type d -exec chmod 750 {} \;
 # start rsyslogd
-rsyslogd
+rsyslogd -i /tmp/rsyslogd.pid
 # start crond
 crond
-# start nginx
+# wait until config has been generated if we are in swarm mode
-if [ -f "/tmp/nginx-temp.pid" ] ; then
+if [ "$SWARM_MODE" = "yes" ] ; then
-	nginx -c /etc/nginx/nginx-temp.conf -s quit
+	echo "[*] Waiting until config has been generated ..."
 	while [ ! -f "/etc/nginx/autoconf" ] ; do
 		sleep 1
 	done
 fi
 # stop temp config if needed
 if [ -f "/tmp/nginx-temp.pid" ] ; then
 	nginx -c /tmp/nginx-temp.conf -s quit
 fi
 # run nginx
 echo "[*] Running nginx ..."
-su -s "/usr/sbin/nginx" nginx
+nginx
 if [ "$?" -eq 0 ] ; then
-	touch "/opt/running"
+	echo "[*] nginx successfully started !"
 else
-	rm -f "/opt/running" 2> /dev/null
+	echo "[!] nginx failed to start"
 fi
 # list of log files to display
-LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log"
+LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/modsec_audit.log"
 # start fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
@@ -114,7 +155,7 @@ fi
 # display logs
 tail -F $LOGS &
 pid="$!"
-while [ -f "/opt/running" ] ; do
+while [ -f "/tmp/nginx.pid" ] ; do
 	wait "$pid"
 done
--- a/entrypoint/fail2ban.sh
+++ b/entrypoint/fail2ban.sh
@@ -0,0 +1,19 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
 	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 fi
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -7,34 +7,21 @@
 . /opt/entrypoint/utils.sh
 # copy stub confs
 cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
 cp /opt/logs/logrotate.conf /etc/logrotate.conf
 cp -r /opt/lua/* /usr/local/lib/lua
 cp /opt/confs/global/* /etc/nginx/
 # remove cron jobs
 echo "" > /etc/crontabs/root
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
 fi
 # start nginx with temp conf for let's encrypt challenges
 if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
 	nginx -c /etc/nginx/nginx-temp.conf
 fi
 # include server block(s)
-if [ "$MULTISITE" = "yes" ] ; then
+if [ "$SWARM_MODE" = "no" ] ; then
-	includes=""
+	if [ "$MULTISITE" = "yes" ] ; then
-	for server in $SERVER_NAME ; do
+		includes=""
-		includes="${includes}include /etc/nginx/${server}/server.conf;\n"
+		for server in $SERVER_NAME ; do
-	done
+			includes="${includes}include /etc/nginx/${server}/server.conf;\n"
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
+		done
 		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
 	else
 		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
 	fi
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
+	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
 fi
 # setup default server block if multisite
@@ -100,7 +87,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 			/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
 		fi
 	fi
-	echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
+	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 # self-signed certificate
@@ -119,14 +106,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
 		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
 	fi
-	echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
+	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	else
 		echo "[*] Downloading GeoIP database (in background) ..."
 		/opt/scripts/geoip.sh &
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
 fi
@@ -134,14 +114,7 @@ fi
 # block bad UA
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
-	echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
+	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-user-agent.conf" ] ; then
 		echo "[*] Copying cached map-user-agent.conf ..."
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
 	else
 		echo "[*] Downloading bad user-agent list (in background) ..."
 		/opt/scripts/user-agents.sh &
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
@@ -149,57 +122,27 @@ fi
 # block bad refferer
 if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
-	echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-referrer.conf" ] ; then
 		echo "[*] Copying cached map-referrer.conf ..."
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
 	else
 		echo "[*] Downloading bad referrer list (in background) ..."
 		/opt/scripts/referrers.sh &
 	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
 fi
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
-	echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
+	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
 		echo "[*] Copying cached block-tor-exit-node.conf ..."
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
 	else
 		echo "[*] Downloading tor exit nodes list (in background) ..."
 		/opt/scripts/exit-nodes.sh &
 	fi
 fi
 # block proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
-	echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
+	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-proxies.conf" ] ; then
 		echo "[*] Copying cached block-proxies.conf ..."
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
 	else
 		echo "[*] Downloading proxies list (in background) ..."
 		/opt/scripts/proxies.sh &
 	fi
 fi
 # block abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
-	echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-abusers.conf" ] ; then
 		echo "[*] Copying cached block-abusers.conf ..."
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
 	else
 		echo "[*] Downloading abusers list (in background) ..."
 		/opt/scripts/abusers.sh &
 	fi
 fi
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
 replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
 # whitelist IP
@@ -208,8 +151,6 @@ if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
 fi
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
@@ -217,8 +158,6 @@ if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
 fi
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
@@ -226,8 +165,6 @@ if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
 fi
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
@@ -235,24 +172,27 @@ if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
 fi
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
 # request limiting
 if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
+	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr\$uri zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
 fi
 # connection limiting
 if [ "$(has_value USE_LIMIT_CONN yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" "limit_conn_zone \$binary_remote_addr zone=ddos:${LIMIT_CONN_CACHE};"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_CONN_ZONE%" ""
 fi
 # DNSBL
 if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
 fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 # disable default site
 if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
@@ -264,45 +204,23 @@ fi
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
 	echo "" > /etc/nginx/fail2ban-ip.conf
 	rm -rf /etc/fail2ban/jail.d/*.conf
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
 	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
 	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
 fi
 # clamav setup
 if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
 	echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
 	else
 		echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
 	fi
 fi
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
 fi
-# create empty logs
+# API
-touch /var/log/access.log
+if [ "$USE_API" = "yes" ] ; then
-touch /var/log/error.log
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "include /etc/nginx/api.conf;"
-
+	if [ "$API_URI" = "random" ] ; then
-# setup logrotate
+		API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
+		echo "[*] Generated API URI : $API_URI"
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
+	fi
-echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
+	replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
 fi
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
@@ -0,0 +1,73 @@
 #!/bin/bash
 # load default values
 . ./opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # GeoIP
 if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	else
 		echo "[*] Downloading GeoIP database (in background) ..."
 		/opt/scripts/geoip.sh > /dev/null 2>&1 &
 	fi
 fi
 # User-Agents
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	if [ -f "/cache/map-user-agent.conf" ] ; then
 		echo "[*] Copying cached map-user-agent.conf ..."
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
 	else
 		echo "[*] Downloading bad user-agent list (in background) ..."
 		/opt/scripts/user-agents.sh > /dev/null 2>&1 &
 	fi
 fi
 # Referrers
 if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 	if [ -f "/cache/map-referrer.conf" ] ; then
 		echo "[*] Copying cached map-referrer.conf ..."
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
 	else
 		echo "[*] Downloading bad referrer list (in background) ..."
 		/opt/scripts/referrers.sh > /dev/null 2>&1 &
 	fi
 fi
 # exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
 		echo "[*] Copying cached block-tor-exit-node.conf ..."
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
 	else
 		echo "[*] Downloading tor exit nodes list (in background) ..."
 		/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
 	fi
 fi
 # proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
 	if [ -f "/cache/block-proxies.conf" ] ; then
 		echo "[*] Copying cached block-proxies.conf ..."
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
 	else
 		echo "[*] Downloading proxies list (in background) ..."
 		/opt/scripts/proxies.sh > /dev/null 2>&1 &
 	fi
 fi
 # abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 	if [ -f "/cache/block-abusers.conf" ] ; then
 		echo "[*] Copying cached block-abusers.conf ..."
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
 	else
 		echo "[*] Downloading abusers list (in background) ..."
 		/opt/scripts/abusers.sh > /dev/null 2>&1 &
 	fi
 fi
--- a/entrypoint/logs.sh
+++ b/entrypoint/logs.sh
@@ -0,0 +1,28 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # copy stub confs
 cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
 cat /opt/logs/logrotate.conf > /etc/logrotate.conf
 # create empty logs
 touch /var/log/access.log
 touch /var/log/error.log
 touch /var/log/jobs.log
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
 echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
 # setup rsyslog
 if [ "$REMOTE_SYSLOG" != "" ] ; then
 	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
 else
 	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
 fi
--- a/entrypoint/lua.sh
+++ b/entrypoint/lua.sh
@@ -0,0 +1,46 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # copy stub LUA scripts
 cp -r /opt/lua/* /usr/local/lib/lua
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
 # whitelist IP
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
 # DNSBL
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
 fi
 # Whitelist IP for API
 if [ "$USE_API" = "yes" ] ; then
 	list=$(spaces_to_lua "$API_WHITELIST_IP")
 	replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list"
 fi
--- a/entrypoint/multisite-config.sh
+++ b/entrypoint/multisite-config.sh
@@ -6,11 +6,6 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 # fix nginx configs rights (and modules through the symlink)
 chown -R root:nginx /etc/nginx/
 chmod -R 740 /etc/nginx/
 find /etc/nginx -type d -exec chmod 750 {} \;
 if [ "$MULTISITE" = "yes" ] ; then
 	servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
 	for server in $servers ; do
@@ -19,7 +14,8 @@ if [ "$MULTISITE" = "yes" ] ; then
 		fi
 		SERVER_PREFIX="/etc/nginx/${server}/"
 		if grep "/etc/letsencrypt/live" ${SERVER_PREFIX}https.conf > /dev/null && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
-			/opt/scripts/certbot-new.sh "$server" "$(cat ${SERVER_PREFIX}email-lets-encrypt.txt)"
+			domains=$(cat ${SERVER_PREFIX}server.conf | sed -nE 's/^.*server_name (.*);$/\1/p' | sed "s/ /,/g")
 			/opt/scripts/certbot-new.sh "$domains" "$(cat ${SERVER_PREFIX}email-lets-encrypt.txt)"
 		fi
 		if grep "modsecurity.conf" ${SERVER_PREFIX}server.conf > /dev/null ; then
 			modsec_custom=""
@@ -30,7 +26,7 @@ if [ "$MULTISITE" = "yes" ] ; then
 				modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
 			fi
 			replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
-			if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
+			if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
 				modsec_crs_custom=""
 				if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 					modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
--- a/entrypoint/nginx-temp.sh
+++ b/entrypoint/nginx-temp.sh
@@ -0,0 +1,26 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # start nginx with temp conf for let's encrypt challenges and API
 if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ; then
 	cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
 	cp /opt/confs/global/api-temp.conf /tmp/api.conf
 	if [ "$SWARM_MODE" = "yes" ] ; then
 		replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
 		replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
 	else
 		replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" ""
 	fi
 	replace_in_file "/tmp/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
 	nginx -c /tmp/nginx-temp.conf
 	if [ "$?" -eq 0 ] ; then
 		echo "[*] Successfully started temp nginx"
 	else
 		echo "[!] Can't start temp nginx"
 	fi
 fi
--- a/entrypoint/permissions-swarm.sh
+++ b/entrypoint/permissions-swarm.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 # /etc/letsencrypt
 if [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
 	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
 	exit 1
 fi
 # /www
 if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
 	echo "[!] ERROR - wrong permissions on /www"
 	exit 2
 fi
 # /etc/nginx
 if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
 	echo "[!] ERROR - wrong permissions on /etc/nginx"
 	exit 3
 fi
 # /acme-challenge
 if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
 	echo "[!] ERROR - wrong permissions on /acme-challenge"
 	exit 4
 fi
--- a/entrypoint/permissions.sh
+++ b/entrypoint/permissions.sh
@@ -0,0 +1,29 @@
 #!/bin/bash
 # /etc/letsencrypt
 if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
 	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
 	exit 1
 fi
 if [ -f "/usr/sbin/nginx" ] ; then
 	# /www
 	if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
 		echo "[!] ERROR - wrong permissions on /www"
 		exit 2
 	fi
 fi
 # /acme-challenge
 if [ ! -w "/acme-challenge" ] || [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
 	echo "[!] ERROR - wrong permissions on /acme-challenge"
 	exit 3
 fi
 # /etc/nginx
 if [ ! -w "/etc/nginx" ] || [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
 	echo "[!] ERROR - wrong permissions on /etc/nginx"
 	exit 4
 fi
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
 # load default values
 set -a
 . /opt/entrypoint/defaults.sh
 set +a
 # load some functions
 . /opt/entrypoint/utils.sh
@@ -11,33 +9,25 @@ set +a
 # get nginx path and override multisite variables
 NGINX_PREFIX="/etc/nginx/"
 if [ "$MULTISITE" = "yes" ] ; then
-	NGINX_PREFIX="${NGINX_PREFIX}${1}/"
+	first_server=$(echo "$1" | cut -d ' ' -f 1)
 	NGINX_PREFIX="${NGINX_PREFIX}${first_server}/"
 	if [ ! -d "$NGINX_PREFIX" ] ; then
 		mkdir "$NGINX_PREFIX"
 	fi
-	ROOT_FOLDER="${ROOT_FOLDER}/$1"
+	ROOT_FOLDER="${ROOT_FOLDER}/$first_server"
 	for var in $(env | cut -d '=' -f 1 | grep -E "^${first_server}_") ; do
 		repl_name=$(echo "$var" | sed "s~${first_server}_~~")
 		repl_value=$(env | grep -E "^${var}=" | sed "s~^${var}=~~")
 		read -r "$repl_name" <<< $repl_value
 	done
 fi
 env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION)=" > "${NGINX_PREFIX}nginx.env"
 set | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "${NGINX_PREFIX}nginx.env"
 if [ "$MULTISITE" = "yes" ] ; then
 	sed -i "s~^SERVER_NAME=.*~SERVER_NAME=$1~" "${NGINX_PREFIX}nginx.env"
 	for server in $SERVER_NAME ; do
-		if [ "$server" != "$1" ] ; then
+		sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
 			sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
 		fi
 	done
 	for var in $(env) ; do
 		name=$(echo "$var" | cut -d '=' -f 1)
 		check=$(echo "$name" | grep "^$1_")
 		if [ "$check" != "" ] ; then
 			repl_name=$(echo "$name" | sed "s~${1}_~~")
 			repl_value=$(echo "$var" | sed "s~${name}=~~")
 			read -r "$repl_name" <<< $repl_value
 			sed -i "/^${repl_name}=.*/d" "${NGINX_PREFIX}nginx.env"
 			sed -i "/^${name}=.*/d" "${NGINX_PREFIX}nginx.env"
 			echo "${repl_name}=${repl_value}" >> "${NGINX_PREFIX}nginx.env"
 		fi
 	done
 	sed -i "s~^SERVER_NAME=.*~SERVER_NAME=${1}~" "${NGINX_PREFIX}nginx.env"
 fi
 # copy stub confs
@@ -46,9 +36,11 @@ cp /opt/confs/site/* "$NGINX_PREFIX"
 # replace paths
 replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
 if [ "$MULTISITE" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${1}/*.conf;"
+	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;\ninclude /server-confs/${first_server}/*.conf;"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;\ninclude /pre-server-confs/${first_server}/*.conf;"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%PRE_SERVER_CONF%" "include /pre-server-confs/*.conf;"
 fi
 # max body size
@@ -60,27 +52,34 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
 	i=1
-	for var in $(env) ; do
+	for var in $(set | cut -d '=' -f 1 | grep "^REVERSE_PROXY_URL") ; do
-		check1=$(echo "$var" | grep "^REVERSE_PROXY_URL")
+		url=$(echo "$var")
-		check2=$(echo "$var" | grep "^${1}_REVERSE_PROXY_URL")
+		url_value=$(echo "${!var}")
-		if [ "$check1" != "" ] || [ "$check2" != "" ] ; then
+		host=$(echo "$var" | sed "s/URL/HOST/")
-			name=$(echo "$var" | cut -d '=' -f 1)
+		host_value=$(echo "${!host}")
-			value=$(echo "$var" | sed "s/${name}=//")
+		custom_headers=$(echo "$var" | sed "s/URL/HEADERS/")
-			host=$(echo "$name" | sed "s/URL/HOST/")
+		custom_headers_value=$(echo "${!custom_headers}")
-			host_value=$(env | grep "^${host}=" | sed "s/${host}=//")
+		ws=$(echo "$var" | sed "s/URL/WS/")
-			ws=$(echo "$name" | sed "s/URL/WS/")
+		ws_value=$(echo "${!ws}")
-			ws_value=$(env | grep "^${ws}=" | sed "s/${ws}=//")
+		cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
-			cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
+		replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value"
-			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
+		replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
-			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
+		if [ "$custom_headers_value" != "" ] ; then
-			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
+			IFS_=$IFS
-			if [ "$ws_value" = "yes" ] ; then
+			IFS=';'
-				replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
+			for header_value in $(echo $custom_headers_value) ; do
-			else
+				replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "proxy_set_header $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
-				replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
+			done
-			fi
+			IFS=$IFS_
 			i=$(($i + 1))
 		fi
 		replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
 		replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
 		if [ "$ws_value" = "yes" ] ; then
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" "proxy_http_version 1.1;\nproxy_set_header Upgrade \$http_upgrade;\nproxy_set_header Connection \"Upgrade\";\n"
 		else
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_WS%" ""
 		fi
 		i=$(($i + 1))
 	done
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf;"
 else
@@ -276,8 +275,23 @@ fi
 # block bad UA
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
 	if [ "$WHITELIST_USER_AGENT" != "" ] ; then
 		list=$(spaces_to_lua "$WHITELIST_USER_AGENT")
 		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list"
 	else
 		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
 fi
 # whitelist URI
 if [ "$WHITELIST_URI" != "" ] ; then
 	list=$(spaces_to_lua "$WHITELIST_URI")
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "$list"
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" ""
 fi
 # block bad referrer
@@ -331,26 +345,30 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 		replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
 	fi
 	if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
 		if [ "$MULTISITE" = "no" ] ; then
 			FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 		else
-			FIRST_SERVER_NAME="$1"
+			FIRST_SERVER_NAME="$first_server"
-			EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
+			EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
 			echo -n "$EMAIL_LETS_ENCRYPT" > ${NGINX_PREFIX}email-lets-encrypt.txt
 		fi
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 	elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
 fi
@@ -380,7 +398,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
 	fi
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
 		if [ "$MULTISITE" != "yes" ] ; then
 			modsec_crs_custom=""
 			if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
@@ -388,7 +406,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 			fi
 			replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
 		fi
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
 	else
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
@@ -414,11 +432,11 @@ fi
 # custom errors
 ERRORS=""
-for var in $(env) ; do
+for var in $(compgen -e) ; do
-	var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
+	var_name=$(echo "$var" | cut -d '_' -f 1)
 	if [ "z${var_name}" = "zERROR" ] ; then
-		err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
+		err_code=$(echo "$var" | cut -d '_' -f 2)
-		err_page=$(echo "$var" | cut -d '=' -f 2)
+		err_page=$(echo "${!var}")
 		cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
 		replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
 		replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
@@ -547,6 +565,14 @@ else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
 fi
 # connection limiting
 if [ "$USE_LIMIT_CONN" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" "include ${NGINX_PREFIX}limit-conn.conf;"
 	replace_in_file "${NGINX_PREFIX}limit-conn.conf" "%LIMIT_CONN_MAX%" "$LIMIT_CONN_MAX"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_CONN%" ""
 fi
 # fail2ban
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@@ -5,7 +5,9 @@ function replace_in_file() {
 	# escape slashes
 	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
 	replace=$(echo "$3" | sed "s/\//\\\\\//g")
-	sed -i "s/$pattern/$replace/g" "$1"
+	sed "s/$pattern/$replace/g" "$1" > /tmp/sed
 	cat /tmp/sed > "$1"
 	rm /tmp/sed
 }
 # convert space separated values to LUA
@@ -26,13 +28,19 @@ function has_value() {
 		echo "ok"
 		return 0
 	fi
-	for var in $(env) ; do
+	for var in $(env | grep -E "^.*_${1}=") ; do
 		domain=$(echo "$var" | cut -d '_' -f 1)
-		name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
+		value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
-		value=$(echo "$var" | sed "s~${domain}_${name}=~~")
+		if [ "$value" == "$2" ] ; then
 		if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
 			echo "ok"
 			return 0
 		fi
 	done
 }
 # log to jobs.log
 function job_log() {
 	when="$(date '+[%Y-%m-%d %H:%M:%S]')"
 	what="$1"
 	echo "$when $what" >> /var/log/jobs.log
 }
--- a/examples/autoconf-php/docker-compose.yml
+++ b/examples/autoconf-php/docker-compose.yml
@@ -20,7 +20,6 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
    labels:
      - "bunkerized-nginx.AUTOCONF"
--- a/examples/autoconf-reverse-proxy/docker-compose.yml
+++ b/examples/autoconf-reverse-proxy/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
    labels:
      - "bunkerized-nginx.AUTOCONF"
--- a/examples/basic-website-with-php/docker-compose.yml
+++ b/examples/basic-website-with-php/docker-compose.yml
@@ -18,7 +18,6 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app
--- a/examples/behind-traefik/docker-compose.yml
+++ b/examples/behind-traefik/docker-compose.yml
@@ -23,7 +23,6 @@ services:
      - PROXY_REAL_IP=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp1
      - REMOTE_PHP_PATH=/app
    labels:
@@ -41,7 +40,6 @@ services:
      - PROXY_REAL_IP=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp2
      - REMOTE_PHP_PATH=/app
    labels:
--- a/examples/certbot-wildcard/certbot-wildcard.sh
+++ b/examples/certbot-wildcard/certbot-wildcard.sh
@@ -0,0 +1,26 @@
 #!/bin/sh
 # you need to run it before starting bunkerized-nginx
 # since it's manual there is no auto renew, you need to run it again before it expires
 DOMAIN="*.website.com"
 SERVICE="mywww"
 # ask for wildcard certificate
 # it's interactive and you will need to add a DNS entry
 docker run --rm -it -v "${PWD}/letsencrypt:/etc/letsencrypt" certbot/certbot certonly --manual -d $DOMAIN --agree-tos
 if [ $? -ne 0 ] ; then
 	echo "error while getting certificate for $DOMAIN"
 	exit 1
 fi
 # fix permissions
 chown -R 101:101 "${PWD}/letsencrypt"
 # reload nginx if it's already running (in case of a "renew")
 if [ -z `docker-compose ps -q $SERVICE` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q $SERVICE)` ]; then
 	echo "bunkerized-nginx is not running, skipping nginx reload"
 else
 	echo "bunkerized-nginx is running, sending reload order"
 	docker-compose exec $SERVICE nginx -s reload
 fi
--- a/examples/certbot-wildcard/docker-compose.yml
+++ b/examples/certbot-wildcard/docker-compose.yml
@@ -0,0 +1,39 @@
 version: '3'
 services:
  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./web-files:/www:ro
      - ./letsencrypt:/letsencrypt:ro
    environment:
      - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
      - MULTISITE=yes
      - USE_CUSTOM_HTTPS=yes
      - CUSTOM_HTTPS_CERT=/letsencrypt/live/website.com/fullchain.pem
      - CUSTOM_HTTPS_KEY=/letsencrypt/live/website.com/privkey.pem
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - app1.website.com_REMOTE_PHP=myapp1
      - app1.website.com_REMOTE_PHP_PATH=/app
      - app2.website.com_REMOTE_PHP=myapp2
      - app2.website.com_REMOTE_PHP_PATH=/app
  myapp1:
    image: php:fpm
    restart: always
    volumes:
      - ./web-files/app1.website.com:/app
  myapp2:
    image: php:fpm
    restart: always
    volumes:
      - ./web-files/app2.website.com:/app
--- a/examples/certbot-wildcard/web-files/app1.website.com/index.php
+++ b/examples/certbot-wildcard/web-files/app1.website.com/index.php
@@ -0,0 +1,5 @@
 <?php
 echo "hello from app1 !";
 ?>
--- a/examples/certbot-wildcard/web-files/app2.website.com/index.php
+++ b/examples/certbot-wildcard/web-files/app2.website.com/index.php
@@ -0,0 +1,5 @@
 <?php
 echo "hello from app2 !";
 ?>
--- a/examples/crowdsec/bouncer_key.sh
+++ b/examples/crowdsec/bouncer_key.sh
@@ -1,3 +1,23 @@
 #!/bin/sh
 # first, you need to run the crowdsec service
 echo "running crowdsec service ..."
 docker-compose up -d mycrowdsec
 # wait a little until it's up
 sleep 10
 # get the bouncer key
 docker-compose exec mycrowdsec cscli bouncers add MyBouncer
 # enter the key into the CROWDSEC_KEY environment variable
 read -p -s "edit CROWDSEC_KEY env var in docker-compose.yml file and press enter"
 # start all services
 docker-compose up -d
 # wait a little until it's up
 sleep 10
 # restart crowdsec so it reads the log files
 docker-compose restart mycrowdsec
--- a/examples/crowdsec/docker-compose.yml
+++ b/examples/crowdsec/docker-compose.yml
@@ -20,7 +20,6 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_CROWDSEC=yes
      - CROWDSEC_HOST=http://mycrowdsec:8080
      - CROWDSEC_KEY=                                 # you need to generate it (see bouncer_key.sh)
@@ -34,7 +33,7 @@ services:
      - net2
  mycrowdsec:
-    image: crowdsecurity/crowdsec:v1.0.2
+    image: crowdsecurity/crowdsec:v1.0.13
    restart: always
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml
--- a/examples/ghost/docker-compose.yml
+++ b/examples/ghost/docker-compose.yml
@@ -0,0 +1,30 @@
 version: '3'
 services:
  myreverse:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com                          # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myghost:2368/
  myghost:
    image: ghost:alpine
    volumes:
      - ./data-ghost:/var/lib/ghost/content
    environment:
      - url=https://www.website.com                          # replace with your domain
--- a/examples/gogs/docker-compose.yml
+++ b/examples/gogs/docker-compose.yml
@@ -0,0 +1,30 @@
 version: '3'
 services:
  myreverse:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./modsec-crs-confs:/modsec-crs-confs:ro              # fix FP with CRS
    environment:
      - SERVER_NAME=www.website.com                          # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://mygogs:3000/
  mygogs:
    image: gogs/gogs
    volumes:
      - ./data-gogs:/data
--- a/examples/gogs/modsec-crs-confs/gogs.conf
+++ b/examples/gogs/modsec-crs-confs/gogs.conf
@@ -0,0 +1,7 @@
 SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
--- a/examples/joomla/docker-compose.yml
+++ b/examples/joomla/docker-compose.yml
@@ -0,0 +1,45 @@
 version: '3'
 services:
  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./joomla-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com             # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=50m
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - REMOTE_PHP=myjoomla
      - REMOTE_PHP_PATH=/var/www/html
  myjoomla:
    image: joomla:fpm-alpine
    restart: always
    volumes:
      - ./joomla-files:/var/www/html
    environment:
      - JOOMLA_DB_HOST=mydb
      - JOOMLA_DB_NAME=joomladb
      - JOOMLA_DB_USER=user
      - JOOMLA_DB_PASSWORD=db-user-pwd          # replace with a stronger password (must match MYSQL_PASSWORD)
  mydb:
    image: mariadb
    restart: always
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
      - MYSQL_DATABASE=joomladb
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://app
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - MAX_CLIENT_SIZE=50m
      - SERVE_FILES=no
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=https://mymoodle:8443
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@@ -19,13 +19,11 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - app1.website.com_REMOTE_PHP=myapp1
      - app1.website.com_REMOTE_PHP_PATH=/app
      - app2.website.com_REMOTE_PHP=myapp2
      - app2.website.com_REMOTE_PHP_PATH=/app
      - app3.website.com_SERVE_FILES=no
      - app3.website.com_USE_CLIENT_CACHE=no
      - app3.website.com_USE_PROXY_CACHE=yes
      - app3.website.com_USE_REVERSE_PROXY=yes
      - app3.website.com_REVERSE_PROXY_URL=/
--- a/examples/multisite-custom-server-confs/docker-compose.yml
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@@ -22,14 +22,13 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - wp.website.com_REMOTE_PHP=mywp
      - wp.website.com_REMOTE_PHP_PATH=/var/www/html
      - nc.website.com_REMOTE_PHP=mync
      - nc.website.com_REMOTE_PHP_PATH=/var/www/html
-      - nc.website.com_LIMIT_REQ_RATE=40r/s
+      - nc.website.com_LIMIT_REQ_RATE=5r/s
-      - nc.website.com_LIMIT_REQ_BURST=60
+      - nc.website.com_LIMIT_REQ_BURST=10
-      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
      - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
      - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
    networks:
--- a/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
@@ -1 +1,2 @@
 SecRuleRemoveById 921110
 SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
--- a/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
@@ -1 +1,4 @@
 SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
 SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
 SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
 SecRuleRemoveById 953120
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
@@ -12,4 +12,4 @@ SecAction \
  nolog,\
  pass,\
  t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
@@ -23,16 +23,15 @@ services:
      - USE_CLIENT_CACHE=yes
      - REMOTE_PHP=mync
      - REMOTE_PHP_PATH=/var/www/html
-      - LIMIT_REQ_RATE=40r/s
+      - LIMIT_REQ_RATE=5r/s
-      - LIMIT_REQ_BURST=60
+      - LIMIT_REQ_BURST=10
-      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
      - X_FRAME_OPTIONS=SAMEORIGIN
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - FAIL2BAN_STATUS_CODE=400|401|403|405|444
  mync:
-    image: nextcloud:20-fpm
+    image: nextcloud:21-fpm
    restart: always
    volumes:
      - ./nc-files:/var/www/html
--- a/examples/nextcloud/modsec-confs/nextcloud.conf
+++ b/examples/nextcloud/modsec-confs/nextcloud.conf
@@ -1 +1,2 @@
 SecRuleRemoveById 921110
 SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
--- a/examples/nextcloud/modsec-crs-confs/nextcloud.conf
+++ b/examples/nextcloud/modsec-crs-confs/nextcloud.conf
@@ -12,4 +12,4 @@ SecAction \
  nolog,\
  pass,\
  t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
--- a/examples/passbolt/docker-compose.yml
+++ b/examples/passbolt/docker-compose.yml
@@ -20,8 +20,8 @@ services:
      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
      - SERVE_FILES=no
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=https://mypassbolt
--- a/examples/prestashop/docker-compose.yml
+++ b/examples/prestashop/docker-compose.yml
@@ -20,9 +20,10 @@ services:
      - MAX_CLIENT_SIZE=50m
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myprestashop
      - REMOTE_PHP_PATH=/var/www/html
      - LIMIT_REQ_RATE=5r/s
      - LIMIT_REQ_BURST=10
  myprestashop:
    image: prestashop/prestashop:1.7-fpm
--- a/examples/redmine/docker-compose.yml
+++ b/examples/redmine/docker-compose.yml
@@ -0,0 +1,46 @@
 version: '3'
 services:
  myreverse:
    image: bunkerity/bunkerized-nginx
    restart: always
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com             # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myredmine:3000/
  myredmine:
    image: redmine
    restart: always
    volumes:
      - ./redmine-data:/usr/src/redmine/files
    environment:
      - REDMINE_DB_MYSQL=mydb
      - REDMINE_DB_DATABASE=redminedb
      - REDMINE_DB_USERNAME=user
      - REDMINE_DB_PASSWORD=db-user-pwd         # replace with a stronger password (must match MYSQL_PASSWORD)
  mydb:
    image: mariadb
    restart: always
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
      - MYSQL_DATABASE=redminedb
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match REDMINE_DB_PASSWORD)
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - app1.website.com_REVERSE_PROXY_URL=/
      - app1.website.com_REVERSE_PROXY_HOST=http://app1:3000
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL_1=/app1/
      - REVERSE_PROXY_HOST_1=http://app1:3000/
--- a/examples/reverse-proxy-websocket/docker-compose.yml
+++ b/examples/reverse-proxy-websocket/docker-compose.yml
@@ -17,8 +17,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/ws/
      - REVERSE_PROXY_HOST=http://myws:8010/
--- a/examples/swarm/stack.yml
+++ b/examples/swarm/stack.yml
@@ -0,0 +1,99 @@
 version: '3.8'
 services:
  autoconf:
    image: bunkerity/bunkerized-nginx-autoconf
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /shared/confs:/etc/nginx
      - /shared/letsencrypt:/etc/letsencrypt
      - /shared/acme-challenge:/acme-challenge
    environment:
      - SWARM_MODE=yes
      - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
    networks:
      - net_config
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role==manager"
  nginx:
    image: bunkerity/bunkerized-nginx
    ports:
      - published: 80
        target: 8080
        mode: host
        protocol: tcp
      - published: 443
        target: 8443
        mode: host
        protocol: tcp
    volumes:
      - /shared/confs:/etc/nginx
      - /shared/letsencrypt:/etc/letsencrypt:ro
      - /shared/acme-challenge:/acme-challenge:ro
      - /shared/www:/www:ro
    environment:
      - SWARM_MODE=yes
      - USE_API=yes
      - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
      - MULTISITE=yes
      - SERVER_NAME=
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
    networks:
      - net_config
      - net_services
    deploy:
      mode: global
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - "bunkerized-nginx.AUTOCONF"
 app1:
    image: php:fpm-alpine
    volumes:
      - /shared/www/app1.website.com:/www
    networks:
      - net_services
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - "bunkerized-nginx.SERVER_NAME=app1.website.com"
        - "bunkerized-nginx.REMOTE_PHP=php"
        - "bunkerized-nginx.REMOTE_PHP_PATH=/www"
  app2:
    image: phpmyadmin:apache
    environment:
      - PMA_ARBITRARY=1
      - PMA_ABSOLUTE_URI=https://app2.website.com
    networks:
      - net_services
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - "bunkerized-nginx.SERVER_NAME=app2.website.com"
        - "bunkerized-nginx.USE_PROXY_CACHE=yes"
        - "bunkerized-nginx.USE_REVERSE_PROXY=yes"
        - "bunkerized-nginx.REVERSE_PROXY_URL=/"
        - "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
 networks:
  net_config:
    driver: overlay
  net_services:
    driver: overlay  
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@@ -17,8 +17,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_PROXY_CACHE=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://mytomcat:8080/sample/
--- a/examples/tor-hidden-service/docker-compose.yml
+++ b/examples/tor-hidden-service/docker-compose.yml
@@ -29,7 +29,6 @@ services:
      - USE_ANTIBOT=captcha
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app
--- a/examples/web-ui/docker-compose.yml
+++ b/examples/web-ui/docker-compose.yml
@@ -18,8 +18,8 @@ services:
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - admin.website.com_SERVE_FILES=no
      - admin.website.com_USE_AUTH_BASIC=yes
      - admin.website.com_AUTH_BASIC_USER=admin                # change it to something hard to guess
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -13,6 +13,7 @@ services:
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
      - ./modsec-confs:/modsec-confs:ro         # avoid some FP with CRS
    environment:
      - SERVER_NAME=www.website.com             # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
@@ -21,7 +22,6 @@ services:
      - MAX_CLIENT_SIZE=50m
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_BROTLI=yes
      - REMOTE_PHP=mywp
      - REMOTE_PHP_PATH=/var/www/html
--- a/examples/wordpress/modsec-confs/wordpress.conf
+++ b/examples/wordpress/modsec-confs/wordpress.conf
@@ -0,0 +1,4 @@
 SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
 SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
 SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
 SecRuleRemoveById 953120
--- a/logs/logrotate.conf
+++ b/logs/logrotate.conf
@@ -1,4 +1,4 @@
-/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log {
+/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log /var/log/letsencrypt/*.log {
 	# compress old files using gzip
 	compress
--- a/logs/rsyslog.conf
+++ b/logs/rsyslog.conf
@@ -4,11 +4,11 @@
 $WorkDirectory /var/lib/rsyslog
 # Sets default permissions for all log files.
-$FileOwner root
+$FileOwner nginx
-$FileGroup root
+$FileGroup nginx
-$FileCreateMode 0600
+$FileCreateMode 0660
-$DirCreateMode 0700
+$DirCreateMode 0770
-$Umask 0077
+$Umask 0007
 # Include all config files in /etc/rsyslog.d/.
 include(file="/etc/rsyslog.d/*.conf" mode="optional")
@@ -16,12 +16,14 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
 #### Modules ####
 # Provides --MARK-- message capability.
-module(load="immark")
+#module(load="immark")
 # Provides support for local system logging (e.g. via logger command).
-module(load="imuxsock")
+module(load="imuxsock" SysSock.Name="/tmp/log")
 # Nginx
 $template rawFormat,"%msg:2:2048%\n"
 local0.=notice                  /var/log/access.log;rawFormat
 local0.*;local0.!=notice        /var/log/error.log;rawFormat
 %REMOTE_SYSLOG%
--- a/lua/api.lua
+++ b/lua/api.lua
@@ -0,0 +1,34 @@
 local M			= {}
 local api_list		= {}
 local api_whitelist_ip	= {%API_WHITELIST_IP%}
 local iputils		= require "resty.iputils"
 local whitelist		= iputils.parse_cidrs(api_whitelist_ip)
 api_list["^/ping$"] = function ()
 	return true
 end
 api_list["^/reload$"] = function ()
 	return os.execute("/usr/sbin/nginx -s reload") == 0
 end
 function M.is_api_call (api_uri)
 	if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
 		for uri, code in pairs(api_list) do
 			if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 				return true
 			end
 		end
 	end
 	return false
 end
 function M.do_api_call (api_uri)
 	for uri, code in pairs(api_list) do
 		if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 			return code()
 		end
 	end
 end
 return M
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@@ -1,6 +1,8 @@
 local M			= {}
 local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
 local blacklist		= iputils.parse_cidrs(ip_list)
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr
@@ -21,10 +23,10 @@ function M.reverse_cached ()
 end
 function M.check_ip ()
-	for k, v in ipairs(ip_list) do
+	if #ip_list > 0 then
-		if v == ip then
+		if iputils.ip_in_cidrs(ip, blacklist) then
 			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
-			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
+			ngx.log(ngx.NOTICE, "ip " .. ip .. " is in blacklist")
 			return true
 		end
 	end
@@ -33,13 +35,15 @@ function M.check_ip ()
 end
 function M.check_reverse ()
-	local rdns = dns.get_reverse()
+	if #reverse_list > 0 then
-	if rdns ~= "" then
+		local rdns = dns.get_reverse()
-		for k, v in ipairs(reverse_list) do
+		if rdns ~= "" then
-			if rdns:sub(-#v) == v then
+			for k, v in ipairs(reverse_list) do
-				ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
+				if rdns:sub(-#v) == v then
-				ngx.log(ngx.WARN, "reverse " .. rdns .. " is in blacklist")
+					ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
-				return true
+					ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist")
 					return true
 				end
 			end
 		end
 	end
--- a/lua/dns.lua
+++ b/lua/dns.lua
@@ -1,6 +1,6 @@
 local M		= {}
 local resolver	= require "resty.dns.resolver"
-local resolvers	= {%DNS_RESOLVERS%}
+local resolvers = {%DNS_RESOLVERS%}
 local ip	= ngx.var.remote_addr
 function M.get_reverse()
--- a/lua/dnsbl.lua
+++ b/lua/dnsbl.lua
@@ -20,7 +20,7 @@ function M.check ()
 			local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
 			if a == "127" then
 				ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
-				ngx.log(ngx.WARN, "ip " .. ip .. " is in DNSBL " .. v)
+				ngx.log(ngx.NOTICE, "ip " .. ip .. " is in DNSBL " .. v)
 				return true
 			end
 		end
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@@ -1,7 +1,9 @@
 local M			= {}
 local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
 local whitelist		= iputils.parse_cidrs(ip_list)
 local ip		= ngx.var.remote_addr
 function M.ip_cached_ok ()
@@ -21,10 +23,10 @@ function M.reverse_cached ()
 end
 function M.check_ip ()
-	for k, v in ipairs(ip_list) do
+	if #ip_list > 0 then
-		if v == ip then
+		if iputils.ip_in_cidrs(ip, whitelist) then
 			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
-			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
+			ngx.log(ngx.NOTICE, "ip " .. ip .. " is in whitelist")
 			return true
 		end
 	end
@@ -33,22 +35,24 @@ function M.check_ip ()
 end
 function M.check_reverse ()
-	local rdns = dns.get_reverse()
+	if #reverse_list > 0 then
-	if rdns ~= "" then
+		local rdns = dns.get_reverse()
-		local whitelisted = false
+		if rdns ~= "" then
-		for k, v in ipairs(reverse_list) do
+			local whitelisted = false
-			if rdns:sub(-#v) == v then
+			for k, v in ipairs(reverse_list) do
-				whitelisted = true
+				if rdns:sub(-#v) == v then
-				break
+					whitelisted = true
 					break
 				end
 			end
-		end
+			if whitelisted then
-		if whitelisted then
+				local ips = dns.get_ips(rdns)
-			local ips = dns.get_ips(rdns)
+				for k, v in ipairs(ips) do
-			for k, v in ipairs(ips) do
+					if v == ip then
-				if v == ip then
+						ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
-					ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
+						ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist")
-					ngx.log(ngx.WARN, "reverse " .. rdns .. " is in whitelist")
+						return true
-					return true
+					end
 				end
 			end
 		end
--- a/prepare.sh
+++ b/prepare.sh
@@ -3,18 +3,96 @@
 # install dependencies
 apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
-# make scripts executable
+# temp fix ?
-chmod +x /opt/entrypoint/* /opt/scripts/*
+chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
 # custom entrypoint
 mkdir /opt/entrypoint.d
-# log files/folders rights
+# prepare /www
 mkdir /www
 chown -R root:nginx /www
 chmod -R 770 /www
 # prepare /opt
 chown -R root:nginx /opt
 find /opt -type f -exec chmod 0740 {} \;
 find /opt -type d -exec chmod 0750 {} \;
 chmod ugo+x /opt/entrypoint/* /opt/scripts/*
 chmod 770 /opt
 # prepare /etc/nginx
 chown -R root:nginx /etc/nginx
 chmod -R 770 /etc/nginx
 # prepare /var/log
 rm -f /var/log/nginx/*
 chown root:nginx /var/log/nginx
 chmod 750 /var/log/nginx
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
-chown nginx:nginx /var/log/nginx/*.log
+chown nginx:nginx /var/log/nginx/*
 chmod -R 770 /var/log/nginx
 touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
 chown nginx:nginx /var/log/*.log
 chmod 770 /var/log/*.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
 touch /var/log/clamav.log
 chown root:nginx /var/log/clamav.log
 chmod 770 /var/log/clamav.log
 find /var/log -type f -exec chmod 0774 {} \;
-# let's encrypt webroot
+# prepare /acme-challenge
 mkdir /acme-challenge
 chown root:nginx /acme-challenge
-chmod 750 /acme-challenge
+chmod 770 /acme-challenge
 # prepare /etc/letsencrypt
 mkdir /etc/letsencrypt
 chown root:nginx /etc/letsencrypt
 chmod 770 /etc/letsencrypt
 # prepare /var/lib/letsencrypt
 mkdir /var/lib/letsencrypt
 chown root:nginx /var/lib/letsencrypt
 chmod 770 /var/lib/letsencrypt
 # prepare /etc/fail2ban
 rm -rf /etc/fail2ban/jail.d/*.conf
 chown -R root:nginx /etc/fail2ban
 find /etc/fail2ban -type f -exec chmod 0760 {} \;
 find /etc/fail2ban -type d -exec chmod 0770 {} \;
 # prepare /var/run/fail2ban and /var/lib/fail2ban
 chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
 chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
 # prepare /usr/local/lib/lua
 chown -R root:nginx /usr/local/lib/lua
 chmod 770 /usr/local/lib/lua
 find /usr/local/lib/lua -type f -name "*.conf" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type f -name "*.lua" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type d -exec chmod 0770 {} \;
 # prepare /cache
 mkdir /cache
 chown root:nginx /cache
 chmod 770 /cache
 # prepare misc files
 chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
 chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
 chown root:nginx /etc/rsyslog.conf
 # prepare /etc/crontabs/nginx
 touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
 chmod 660 /etc/crontabs/nginx
 # prepare /var/log/clamav
 chown root:nginx /var/log/clamav
 chmod 770 /var/log/clamav
 # prepare /var/lib/clamav
 chown root:nginx /var/lib/clamav
 chmod 770 /var/lib/clamav
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@@ -1,11 +1,19 @@
 #!/bin/sh
 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh
 # copy old conf to cache
 cp /etc/nginx/block-abusers.conf /cache
 # if we are running nginx
 if [ -f /tmp/nginx.pid ] ; then
 	RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
 # if we are in autoconf
 elif [ -S /tmp/autoconf.sock ] ; then
 	RELOAD="/opt/entrypoint/reload.py"
 fi
 # generate the new conf
 curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v "^\#.*" |
 while read entry ; do
@@ -21,8 +29,8 @@ if [ "$lines" -gt 1 ] ; then
 	job_log "[BLACKLIST] abusers list updated ($lines entries)"
 	# reload nginx with the new config
 	mv /tmp/block-abusers.conf /etc/nginx/block-abusers.conf
-	if [ -f /tmp/nginx.pid ] ; then
+	if [ "$RELOAD" != "" ] ; then
-		/usr/sbin/nginx -s reload > /dev/null 2>&1
+		$RELOAD
 		# new config is ok : save it in the cache
 		if [ "$?" -eq 0 ] ; then
 			cp /etc/nginx/block-abusers.conf /cache
@@ -30,7 +38,7 @@ if [ "$lines" -gt 1 ] ; then
 		else
 			job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
 			cp /cache/block-abusers.conf /etc/nginx
-			/usr/sbin/nginx -s reload > /dev/null 2>&1
+			$RELOAD
 		fi
 	else
 		cp /etc/nginx/block-abusers.conf /cache
--- a/scripts/certbot-new.sh
+++ b/scripts/certbot-new.sh
@@ -6,8 +6,4 @@ if [ "$?" -ne 0 ] ; then
 	exit 1
 fi
 # fix rights
 chown -R root:nginx /etc/letsencrypt
 chmod -R 740 /etc/letsencrypt
 find /etc/letsencrypt -type d -exec chmod 750 {} \;
 exit 0
--- a/scripts/certbot-renew-hook.sh
+++ b/scripts/certbot-renew-hook.sh
@@ -1,18 +1,21 @@
 #!/bin/sh
 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh
 job_log "[CERTBOT] certificates have been renewed"
-# fix rights
+# if we are running nginx
-chown -R root:nginx /etc/letsencrypt
+if [ -f /tmp/nginx.pid ] ; then
-chmod -R 740 /etc/letsencrypt
+	RELOAD="/usr/sbin/nginx -s reload > /dev/null 2>&1"
-find /etc/letsencrypt -type d -exec chmod 750 {} \;
+# if we are in autoconf
 elif [ -S /tmp/autoconf.sock ] ; then
 	RELOAD="echo reload > /tmp/autoconf.sock"
 fi
 # reload nginx
-if [ -f /tmp/nginx.pid ] ; then
+if [ "$RELOAD" != "" ] ; then
-	/usr/sbin/nginx -s reload > /dev/null 2>&1
+	$RELOAD
 	if [ "$?" -eq 0 ] ; then
 		job_log "[NGINX] successfull nginx reload after certbot renew"
 	else
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bunkerity	07be626842	hotfix - fix API in autoconf swarm mode	2021-04-28 17:40:54 +02:00
bunkerity	3bb164395e	hotfix - move API_WHITELIST_IP edit to lua.sh	2021-04-28 17:00:50 +02:00
bunkerity	bc2568a172	v1.2.4 - nginx 1.20.0 support	2021-04-27 17:43:38 +02:00
Bunkerity	5ec74880d8	update README for v1.2.4	2021-04-27 17:40:33 +02:00
bunkerity	f84fd7c9a2	fix permissions issues for autoconf and fix volume for ghost example	2021-04-27 16:49:45 +02:00
bunkerity	6521d7a27a	fix client cache so it works in combination with reverse proxy and examples update	2021-04-27 15:31:56 +02:00
bunkerity	813607fbc3	improve crowdsec example and disable modsec logging when not necessary	2021-04-27 11:21:30 +02:00
bunkerity	843644f806	log - replace some WARN tags from LUA logs with NOTICE to avoid confusion	2021-04-27 09:57:07 +02:00
bunkerity	19fa0eb25f	log - print modsec_audit.log to make debugging easier	2021-04-27 09:46:40 +02:00
bunkerity	b4df287228	log - send logs to remote syslog server	2021-04-27 09:30:10 +02:00
florian	5ce41edc03	api - whitelist IP/network for API	2021-04-26 22:22:34 +02:00
florian	a3cfb50b4d	example - fix certbot wildcard	2021-04-26 21:34:18 +02:00
bunkerity	25494acace	example - wildcard certificate with certbot	2021-04-26 17:44:48 +02:00
bunkerity	a98dae1fb6	fix CVE-2021-20205 and examples update	2021-04-26 17:00:23 +02:00
bunkerity	1a7abab570	nginx 1.20.0 support	2021-04-26 14:59:12 +02:00
florian	42b7a57f01	fix autoconf bug when removing config with multiple server name and increase default LIMIT_CONN_MAX for average website with HTTP2	2021-04-26 11:39:12 +02:00
bunkerity	02f9fbe5fc	autoconf - fix certbot bug when multiple server_name for one service	2021-04-20 11:46:53 +02:00
bunkerity	69fe066777	autoconf - fix bug when multiple server_name for one service	2021-04-20 10:00:25 +02:00
bunkerity	74417abc9c	fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode	2021-04-16 16:56:45 +02:00
bunkerity	ba7524a419	fixed LUA bug	2021-04-13 17:27:52 +02:00
bunkerity	b55aafb997	finding the LUA bug	2021-04-13 17:01:27 +02:00
Bunkerity	deeb7a76a2	Merge pull request #117 from thelittlefireman/patch-9 Fix lua mistake	2021-04-13 16:49:45 +02:00
thelittlefireman	ee8aaa4e7e	fix lua crash 2	2021-04-11 15:45:46 +02:00
thelittlefireman	605d59a45c	Fix lua mistake #116	2021-04-11 15:33:31 +02:00
bunkerity	b85c991b6e	bug fixes - /usr/local/lib/lua rights and syntax error in site-config	2021-04-09 17:40:19 +02:00
bunkerity	0d3658adf0	REVERSE_PROXY_HEADERS - use proxy_set_header instead of more_set_headers	2021-04-09 17:27:22 +02:00
bunkerity	0b22209c96	documentation - userns remap feature	2021-04-09 16:22:31 +02:00
bunkerity	e44a1f3e14	added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service	2021-04-09 15:54:26 +02:00
bunkerity	aa614f82f9	print error when permissions are wrong on common volumes	2021-04-09 14:54:15 +02:00
bunkerity	c03d410b0a	refactored whitelisting of user-agents	2021-04-09 14:23:52 +02:00
bunkerity	e190167bfc	CIDR support with whitelist/blacklist IP	2021-04-09 14:10:17 +02:00
bunkerity	31e72dce1c	fix /usr/local/lib/lua rights and multiple server_name support with autoconf	2021-04-09 11:37:13 +02:00
bunkerity	b8105fc558	feature - whitelist URI	2021-04-09 10:31:00 +02:00
bunkerity	e73c10fd80	crowdsec - fix permissions on /usr/local/lib/lua and on /var/log files	2021-04-09 10:01:23 +02:00
bunkerity	a122a259c0	minor fix on AutoConf logs and auto disable etag with reverse proxy	2021-04-09 09:51:17 +02:00
bunkerity	7c4894d3b8	autoconf - fix remove event, generate config from nginx vars, more logs	2021-03-26 15:18:35 +01:00
bunkerity	533c2a1034	fix sed script when writing site env	2021-03-22 09:38:36 +01:00
bunkerity	5611d544d6	remove reference to USE_PHP	2021-03-19 09:38:44 +01:00
bunkerity	397182f18d	add link to twitter account	2021-03-18 18:11:52 +01:00
bunkerity	c5c5fb17b5	v1.2.3 - swarm support	2021-03-18 18:08:42 +01:00
bunkerity	017a7780fb	README update, default cron update and new parameters to ui	2021-03-18 17:11:58 +01:00
bunkerity	34d9db7a8b	web ui - bug fixes	2021-03-18 12:34:46 +01:00
bunkerity	361c66ca61	fixed bugs with MULTISITE variables and swarm example	2021-03-18 10:29:37 +01:00
bunkerity	afc6678855	road to v1.2.3 - fixing bugs	2021-03-17 17:55:56 +01:00
bunkerity	c40fb33175	road to swarm - automatic reload after jobs	2021-03-17 12:16:56 +01:00
bunkerity	93ad3c0b51	road to swarm - let's encrypt fix	2021-03-17 10:37:20 +01:00
bunkerity	ceed904882	road to swarm - still some mess to fix	2021-03-16 17:56:24 +01:00
Bunkerity	b8027d2bac	Merge pull request #102 from thelittlefireman/proxy_custom_headers [NEED TESTING] Enhancement add custom proxy headers #97	2021-03-16 10:08:05 +01:00
Bunkerity	8d03a14a6a	Merge pull request #103 from thelittlefireman/fix_truncated_3 Fix truncated 3	2021-03-16 10:06:05 +01:00
thelittlefireman	d16f4517a4	Enhancement add custom proxy headers #97	2021-03-15 23:24:58 +01:00
thelittlefireman	89ca91b3ff	Fix truncated variables (last commit)	2021-03-15 22:54:30 +01:00
bunkerity	6a714e2ece	road to swarm - fix race condition on initial configuration	2021-03-14 16:50:08 +01:00
bunkerity	0d3da03534	prepare /www directory, fix log socket path and whitelist acme challenges path	2021-03-14 12:33:59 +01:00
bunkerity	33163f65b3	init work on disabling root processes	2021-03-13 22:52:23 +01:00
bunkerity	a2543384cd	road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights	2021-03-13 15:28:15 +01:00
bunkerity	3591715f21	road to swarm - fixing things	2021-03-12 17:31:26 +01:00
bunkerity	95f7ca5b2d	road to swarm support - needs a lot of testing	2021-03-12 15:17:45 +01:00
bunkerity	816fa47cbb	introducing SWARM_MODE env var	2021-03-12 12:40:52 +01:00
Bunkerity	7756c2df3c	Merge pull request #98 from mromanelli9/fix/readme Fix README	2021-03-12 10:44:06 +01:00
bunkerity	7509ec2f2c	basic API to be used in swarm mode	2021-03-12 10:42:31 +01:00
Marco Romanelli	6e93575e16	remove ALLOWALL from X_FRAME_OPTIONS options	2021-03-11 14:41:23 +01:00
Marco Romanelli	ba4c977550	remove old anchor	2021-03-11 11:49:46 +01:00
bunkerity	781e4c8cbb	autoconf little work on swarm support	2021-03-10 17:24:02 +01:00
bunkerity	e04c783d1e	autoconf - init work on swarm mode	2021-03-09 17:33:22 +01:00
bunkerity	e12b656bd5	Merge branch 'patch-7' of https://github.com/thelittlefireman/bunkerized-nginx into dev	2021-03-08 14:06:54 +01:00
bunkerity	cae05447d3	custom crontab values	2021-03-08 13:58:14 +01:00
bunkerity	4b58e22657	Merge branch 'patch-5' of https://github.com/thelittlefireman/bunkerized-nginx into dev	2021-03-08 13:52:35 +01:00
bunkerity	6b56e21a09	Merge branch 'whitelist_ua' of https://github.com/thelittlefireman/bunkerized-nginx into dev	2021-03-08 13:46:28 +01:00
bunkerity	544a09e8da	Update lua-cs-bouncer	2021-03-08 12:02:56 +01:00
bunkerity	8386dd4a2a	custom config outside server block	2021-03-08 11:53:11 +01:00
root	f052a25168	Merge branch 'pre_server_confs' of https://github.com/thelittlefireman/bunkerized-nginx into dev	2021-03-08 11:47:45 +01:00
Bunkerity	43750f5536	Merge pull request #73 from thelittlefireman/patch-4 Add missing reverse proxy header (X-Forwarded-Host)	2021-03-08 10:16:31 +01:00
Bunkerity	9142afdb54	Merge pull request #72 from thelittlefireman/patch-3 Fix #71 - limit connection by IP	2021-03-08 10:15:14 +01:00
thelittlefireman	66c4fed791	Fix env variable with space are truncated 2 Fix #82	2021-03-05 23:59:38 +01:00
thelittlefireman	f41846e9d6	Fix env variable with space are truncated Fix #82	2021-03-05 23:56:19 +01:00
thelittlefireman	92cc705b92	Reduce memory usage : set cron tasks at different hours.	2021-03-03 13:02:56 +01:00
thelittlefireman	47fb3a05b3	Upgrade crowdsecurity/lua-cs-bouncer Upgrade crowdsecurity/lua-cs-bouncer to latest version to include commit `dcfba46ccd`	2021-03-03 10:01:04 +01:00
thelittlefireman	5940f402c7	improve default tls security	2021-02-28 23:59:22 +01:00
thelittlefireman	d9ca275d53	Add before `server {}` config.	2021-02-03 14:17:20 +01:00
thelittlefireman	8353bd9c85	Allow to add a whitelist by site on user-agent	2021-02-03 13:51:15 +01:00
thelittlefireman	d902e2f297	Add last missing reverse proxy header X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host]	2021-01-03 16:28:51 +01:00
thelittlefireman	1a8b8043c8	Add LIMIT_CONN var to server.conf	2021-01-02 14:26:52 +01:00
thelittlefireman	65120a7e97	Add USE_CONN_LIMIT info to Readme.md and fix small typo	2021-01-02 14:25:34 +01:00
thelittlefireman	b093a47554	Add default values for LIMIT_CONN	2021-01-02 14:18:26 +01:00
thelittlefireman	73dbf03c9a	add USE_LIMIT_CONN zone to global config	2021-01-02 14:15:18 +01:00
thelittlefireman	6ee746236a	Add USE_LIMIT_CONN to site-config	2021-01-02 14:11:36 +01:00
thelittlefireman	fa935eb6e3	edit nginx.conf to add limit_conn	2021-01-02 14:04:34 +01:00
thelittlefireman	cf231e13cb	Add limit-conn.conf	2021-01-02 13:35:18 +01:00
`@@ -1 +1,2 @@`
	`SecRuleRemoveById 921110`	`SecRuleRemoveById 921110`
		`SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"`