Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: Makussu:v1.2.6
Branches Tags
Makussu:master Makussu:dev Makussu:gh-pages
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0
...
compare: Makussu:v1.2.7
Branches Tags
Makussu:dev Makussu:gh-pages Makussu:master
Makussu:v1.4.1 Makussu:v1.4.0 Makussu:v1.3.2 Makussu:v1.3.1 Makussu:v1.3.0 Makussu:v1.2.8 Makussu:v1.2.7 Makussu:v1.2.6 Makussu:v1.2.5 Makussu:v1.2.4 Makussu:v1.2.3 Makussu:v1.2.2 Makussu:v1.2.1 Makussu:v1.2.0 Makussu:v1.1.2 Makussu:v1.1.1 Makussu:v1.1.0 Makussu:v1.0.0

20 Commits
v1.2.6 ... v1.2.7

Author SHA1 Message Date
bunkerity
15bdb076c8 hotfix - fix docs get_git_branch 2021-06-15 17:10:34 +02:00
bunkerity
d62c4f466d v1.2.7 release 2021-06-15 16:53:37 +02:00
bunkerity
ad52ef3260 autoconf - prevent race condition by checking health state 2021-06-15 09:52:33 +02:00
Bunkerity
3bd3b6fd7a Merge pull request #145 from thelittlefireman/patch-10 
Upgrade ModSecurity-nginx to v1.0.2 - @thelittlefireman
 2021-06-15 08:42:42 +02:00
thelittlefireman
e41acc20c2 Upgrade ModSecurity-nginx to v1.0.2 2021-06-15 00:01:23 +02:00
bunkerity
3c721dc2a0 add HEALTHCHECK to Dockerfile and append 10.0.0.0/8 to DNSBL whitelist 2021-06-14 20:54:36 +02:00
bunkerity
491d879fec jobs - cleaning the mess when using autoconf without swarm mode 2021-06-14 17:58:38 +02:00
bunkerity
52534510ec fix bug when AUTO_LETS_ENCRYPT=yes and certbot can't resolve challenges 2021-06-14 14:59:27 +02:00
bunkerity
2c7337576d jobs - fix syntax error 2021-06-14 13:39:27 +02:00
bunkerity
9e4961ccb5 docs - rename sitemap to bypass rtd rewrite 2021-06-14 10:21:30 +02:00
bunkerity
01857d8ac0 gen - display the reason when ignoring a variable 2021-06-14 09:58:04 +02:00
bunkerity
ab9f9e0a4c jobs - fix jobs when MULTISITE=yes 2021-06-14 09:02:16 +02:00
bunkerity
29dc64ca30 actions - add Docker cache to speedup auto build on the dev branch 2021-06-11 15:14:10 +02:00
bunkerity
b5cd4e0375 docker - build and push images from GitHub actions because of future DockerHub restrictions on autobuild 2021-06-11 13:39:39 +02:00
bunkerity
16101144c5 self-signed cert - fix bugs 2021-06-11 11:39:36 +02:00
bunkerity
95510e6e1d settings - add underscore to CUSTOM_HTTPS_CERT/KEY regex 2021-06-11 11:08:35 +02:00
bunkerity
dd5890e760 geoip - fix bug when using GeoIP 2021-06-11 11:01:13 +02:00
bunkerity
c3a437fa82 docs - rename the sitemap to avoid conflicts ? 2021-06-08 09:31:28 +02:00
bunkerity
518ddd3236 docs - custom robots.txt 2021-06-08 09:18:28 +02:00
bunkerity
177a82ee6e docs - automated sitemap.yml 2021-06-08 09:06:21 +02:00
45 changed files with 443 additions and 500 deletions
Expand all files Collapse all files

50
.github/workflows/build-bunkerized-nginx-autoconf.yml vendored Normal file
View File

@@ -0,0 +1,50 @@
name: Build and push bunkerized-nginx-autoconf
on:
push:
branches: [dev, master]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup QEMU
uses: docker/setup-qemu-action@v1
- name: Setup Buildx
uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push (dev)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/dev'
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx-autoconf:dev
- name: Build and push (master)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/master'
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx-autoconf:latest,bunkerity/bunkerized-nginx-autoconf:${{ env.VERSION }}

50
.github/workflows/build-bunkerized-nginx-ui.yml vendored Normal file
View File

@@ -0,0 +1,50 @@
name: Build and push bunkerized-nginx-ui
on:
push:
branches: [dev, master]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup QEMU
uses: docker/setup-qemu-action@v1
- name: Setup Buildx
uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push (dev)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/dev'
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx-ui:dev
- name: Build and push (master)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/master'
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx-ui:latest,bunkerity/bunkerized-nginx-ui:${{ env.VERSION }}

65
.github/workflows/build-bunkerized-nginx.yml vendored Normal file
View File

@@ -0,0 +1,65 @@
name: Build and push bunkerized-nginx
on:
push:
branches: [dev, master]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup QEMU
uses: docker/setup-qemu-action@v1
- name: Setup Buildx
uses: docker/setup-buildx-action@v1
- name: Setup Docker cache
uses: actions/cache@v2
if: github.ref == 'refs/heads/dev'
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push (dev)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/dev'
with:
context: .
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx:dev
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
- name: Move Docker cache
if: github.ref == 'refs/heads/dev'
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
- name: Build and push (master)
uses: docker/build-push-action@v2
if: github.ref == 'refs/heads/master'
with:
context: .
platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
push: true
tags: bunkerity/bunkerized-nginx:latest,bunkerity/bunkerized-nginx:${{ env.VERSION }}

15
CHANGELOG.md
View File

@@ -1,5 +1,20 @@
# Changelog
## v1.2.7 - 2021/06/14
- Add custom robots.txt and sitemap to RTD
- Fix missing GeoIP DB bug when using BLACKLIST/WHITELIST_COUNTRY
- Add underscore "_" to allowed chars for CUSTOM_HTTPS_CERT/KEY
- Fix bug when using automatic self-signed certificate
- Build and push images from GitHub actions instead of Docker Hub autobuild
- Display the reason when generator is ignoring a variable
- Various bug fixes related to certbot and jobs
- Split jobs into pre and post jobs
- Add HEALTHCHECK to image
- Fix race condition when using autoconf without Swarm by checking healthy state
- Bump modsecurity-nginx to v1.0.2
- Community chat with bridged platforms
## v1.2.6 - 2021/06/06
- Move from "ghetto-style" shell scripts to generic jinja2 templating

4
CONTRIBUTING.md
View File

@@ -8,6 +8,10 @@ We accept many types of contributions whether they are technical or not. Every c
The first thing you can do is to talk about the project. You can share it on social media, make a blog post about it or simply tell your friends/colleagues that's an awesome project.
## Join the community chat
You can join [the community chat](https://coso.me/bunkerity-chat) to talk about the project and ask for help. Please note that you can choose the platform you want, thanks to [matterbridge](https://github.com/42wim/matterbridge) all messages coming from a platform are relayed to the others.
## Reporting bugs / ask for features
The preferred way to report bugs and asking for features is using [issues](https://github.com/bunkerity/bunkerized-nginx/issues). Before opening a new one, please check if a related issue is already opened using the "filters" bar. When creating a new issue please select and fill the "Bug report" or "Feature request" template.

2
Dockerfile
View File

@@ -35,4 +35,6 @@ EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

38
Dockerfile-amd64
View File

@@ -1,38 +0,0 @@
FROM amd64/nginx:1.20.1-alpine
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY dependencies.sh /tmp/dependencies.sh
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY defaults/ /defaults
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

45
Dockerfile-arm32v7
View File

@@ -1,45 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm32v7/nginx:1.20.1-alpine
COPY --from=builder qemu-arm-static /usr/bin
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY dependencies.sh /tmp/dependencies.sh
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY defaults/ /defaults
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

45
Dockerfile-arm64v8
View File

@@ -1,45 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm64v8/nginx:1.20.1-alpine
COPY --from=builder qemu-aarch64-static /usr/bin
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY dependencies.sh /tmp/dependencies.sh
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY defaults/ /defaults
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

38
Dockerfile-i386
View File

@@ -1,38 +0,0 @@
FROM i386/nginx:1.20.1-alpine
COPY nginx-keys/ /tmp/nginx-keys
COPY compile.sh /tmp/compile.sh
RUN chmod +x /tmp/compile.sh && \
/tmp/compile.sh && \
rm -rf /tmp/*
COPY dependencies.sh /tmp/dependencies.sh
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY defaults/ /defaults
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
RUN apk add "curl>=7.77.0-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
EXPOSE 8080/tcp 8443/tcp
USER nginx:nginx
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

6
README.md
View File

@@ -3,11 +3,11 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.6-blue" />
<img src="https://img.shields.io/badge/bunkerized--nginx-1.2.7-blue" />
<img src="https://img.shields.io/badge/nginx-1.20.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />
<img src="https://img.shields.io/docker/cloud/build/bunkerity/bunkerized-nginx" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Build%20and%20push%20bunkerized-nginx?label=docker%20build" />
<img src="https://img.shields.io/readthedocs/bunkerized-nginx" />
</p>
@@ -19,7 +19,7 @@
<span> | </span>
<a href="https://www.bunkerity.com/category/bunkerized-nginx/">Blog posts</a>
<span> | </span>
<a href="https://matrix.to/#/#bunkerized-nginx:matrix.org">Community chat</a>
<a href="https://coso.me/bunkerity-chat">Community chat</a>
<span> | </span>
<a href="https://coso.me/bunkerity">Follow us</a>
</strong>

2
VERSION
View File

@@ -1 +1 @@
1.2.6
1.2.7

29
autoconf/AutoConf.py
View File

@@ -1,6 +1,9 @@
from Config import Config
import utils
import os
import os, time
class AutoConf :
def __init__(self, swarm, api) :
@@ -20,7 +23,7 @@ class AutoConf :
def __gen_env(self) :
self.__env.clear()
# TODO : check actual state (e.g. : running ?)
# TODO : check actual state (e.g. : running, stopped ?)
for id, instance in self.__instances.items() :
env = []
if self.__swarm :
@@ -29,6 +32,10 @@ class AutoConf :
env = instance.attrs["Config"]["Env"]
for entry in env :
self.__env[entry.split("=")[0]] = entry.replace(entry.split("=")[0] + "=", "", 1)
blacklist = ["NGINX_VERSION", "NJS_VERSION", "PATH", "PKG_RELEASE"]
for entry in blacklist :
if entry in self.__env :
del self.__env[entry]
if not "SERVER_NAME" in self.__env or self.__env["SERVER_NAME"] == "" :
self.__env["SERVER_NAME"] = []
else :
@@ -90,15 +97,29 @@ class AutoConf :
if event == "create" :
self.__instances[id] = instance
self.__gen_env()
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
if self.__swarm and len(self.__instances) == 1 :
if self.__config.generate(self.__env) :
utils.log("[*] Initial config succeeded")
if not self.__config.swarm_wait(self.__instances) :
utils.log("[!] Removing bunkerized-nginx instances from list")
utils.log("[!] Removing bunkerized-nginx instances from list (API not available)")
del self.__instances[id]
else :
utils.log("[!] Initial config failed")
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
elif not self.__swarm and len(self.__instances) == 1 :
utils.log("[*] Wait until bunkerized-nginx is healthy (timeout = 120s) ...")
i = 0
healthy = False
while i < 120 :
self.__instances[id].reload()
if self.__instances[id].attrs["State"]["Health"]["Status"] == "healthy" :
healthy = True
break
time.sleep(1)
i = i + 1
if not healthy :
utils.log("[!] Removing bunkerized-nginx instances from list (unhealthy)")
del self.__instances[id]
elif event == "start" :
self.__instances[id].reload()

18
autoconf/Config.py
View File

@@ -9,12 +9,12 @@ class Config :
self.__swarm = swarm
self.__api = api
def __jobs(self) :
utils.log("[*] Starting jobs ...")
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True)
def __jobs(self, type) :
utils.log("[*] Starting jobs (type = " + type + ") ...")
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/" + type + "-jobs.sh", "nginx"], capture_output=True)
stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("ascii")
if stdout != "" :
if len(stdout) > 1 :
utils.log("[*] Jobs stdout :")
utils.log(stdout)
if stderr != "" :
@@ -61,7 +61,7 @@ class Config :
# Print stdout/stderr
stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("ascii")
if stdout != "" :
if len(stdout) > 1 :
utils.log("[*] Generator output :")
utils.log(stdout)
if stderr != "" :
@@ -71,7 +71,7 @@ class Config :
# We're done
if proc.returncode == 0 :
if self.__swarm :
return self.__jobs()
return self.__jobs("pre")
return True
utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode))
@@ -80,7 +80,11 @@ class Config :
return False
def reload(self, instances) :
return self.__api_call(instances, "/reload")
if self.__api_call(instances, "/reload") :
if self.__swarm :
return self.__jobs("post")
return True
return False
def __ping(self, instances) :
return self.__api_call(instances, "/ping")

22
autoconf/Dockerfile-amd64
View File

@@ -1,22 +0,0 @@
FROM amd64/alpine
COPY autoconf/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY scripts/ /opt/scripts
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY autoconf/* /opt/entrypoint/
COPY autoconf/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

29
autoconf/Dockerfile-arm32v7
View File

@@ -1,29 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm32v7/alpine
COPY --from=builder qemu-arm-static /usr/bin
COPY autoconf/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY scripts/ /opt/scripts
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY autoconf/* /opt/entrypoint/
COPY autoconf/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

29
autoconf/Dockerfile-arm64v8
View File

@@ -1,29 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm64v8/alpine
COPY --from=builder qemu-aarch64-static /usr/bin
COPY autoconf/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY scripts/ /opt/scripts
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY autoconf/* /opt/entrypoint/
COPY autoconf/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

22
autoconf/Dockerfile-i386
View File

@@ -1,22 +0,0 @@
FROM i386/alpine
COPY autoconf/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/global/ /opt/confs/global
COPY confs/site/ /opt/confs/site
COPY scripts/ /opt/scripts
COPY settings.json /opt
COPY misc/cron /etc/crontabs/nginx
COPY autoconf/* /opt/entrypoint/
COPY autoconf/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

2
compile.sh
View File

@@ -57,7 +57,7 @@ cp crs-setup.conf.example /opt/owasp/crs.conf
# get nginx modules
cd /tmp
# ModSecurity connector for nginx
git_secure_clone https://github.com/SpiderLabs/ModSecurity-nginx.git 22e53aba4e3ae8c7d59a3672d6727e49246afe96
git_secure_clone https://github.com/SpiderLabs/ModSecurity-nginx.git 2497e6ac654d0b117b9534aa735b757c6b11c84f
# headers more
git_secure_clone https://github.com/openresty/headers-more-nginx-module.git d6d7ebab3c0c5b32ab421ba186783d3e5d2c6a17
# geoip

2
confs/site/https.conf
View File

@@ -6,7 +6,7 @@ listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
{% elif USE_CUSTOM_HTTPS == "yes" %}
{% set x = paths.update({"cert": CUSTOM_HTTPS_CERT}) %}
{% set x = paths.update({"key": CUSTOM_HTTPS_KEY}) %}
{% elif GENERATE_SELF_SIGNED_HTTPS == "yes" %}
{% elif GENERATE_SELF_SIGNED_SSL == "yes" %}
{% if MULTISITE == "yes" %}
{% set x = paths.update({"cert": "/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"}) %}
{% set x = paths.update({"key": "/etc/nginx/" + FIRST_SERVER + "/self-key.pem"}) %}

45
docs/conf.py
View File

@@ -14,15 +14,43 @@
# import sys
# sys.path.insert(0, os.path.abspath('.'))
import os, subprocess, re
def get_git_branch():
"""Get the git branch this repository is currently on"""
path_to_here = os.path.abspath(os.path.dirname(__file__))
# Invoke git to get the current branch which we use to get the theme
try:
p = subprocess.Popen(['git', 'branch'], stdout=subprocess.PIPE, cwd=path_to_here)
# This will contain something like "* (HEAD detached at origin/MYBRANCH)"
# or something like "* MYBRANCH"
branch_output = p.communicate()[0].decode("ascii")
# This is if git is in a normal branch state
match = re.search(r'\* (?P<branch_name>[^\(\)\n ]+)', branch_output)
if match:
return match.groupdict()['branch_name']
# git is in a detached HEAD state
match = re.search(r'\(HEAD detached at origin/(?P<branch_name>[^\)]+)\)', branch_output)
if match:
return match.groupdict()['branch_name']
except Exception as e :
print(e)
print(u'Could not get the branch')
# Couldn't figure out the branch probably due to an error
return None
# -- Project information -----------------------------------------------------
project = 'bunkerized-nginx'
copyright = '2021, bunkerity'
author = 'bunkerity'
# The full version, including alpha/beta/rc tags
release = 'v1.2.5'
release = 'v1.2.7'
# -- General configuration ---------------------------------------------------
@@ -30,7 +58,7 @@ release = 'v1.2.5'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = ['myst_parser']
extensions = ['myst_parser', 'sphinx_sitemap']
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
@@ -53,3 +81,14 @@ html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# for sitemap
sitemap_filename = "sm.xml"
branch = get_git_branch()
if branch == "master" :
html_baseurl = 'https://bunkerized-nginx.readthedocs.io/en/latest/'
else :
html_baseurl = 'https://bunkerized-nginx.readthedocs.io/en/dev/'
# custom robots.txt
html_extra_path = ['robots.txt']

1
docs/requirements.txt
View File

@@ -1,3 +1,4 @@
sphinx
sphinx-rtd-theme
myst-parser
sphinx-sitemap

5
docs/robots.txt Normal file
View File

@@ -0,0 +1,5 @@
User-agent: *
Disallow: /en/dev/
Sitemap: https://bunkerized-nginx.readthedocs.io/en/latest/sm.xml

10
entrypoint/entrypoint.sh
View File

@@ -16,13 +16,14 @@ trap "trap_exit" TERM INT QUIT
function trap_reload() {
echo "[*] Catched reload operation"
if [ "$SWARM_MODE" != "yes" ] ; then
/opt/entrypoint/jobs.sh
/opt/entrypoint/pre-jobs.sh
fi
if [ -f /tmp/nginx.pid ] ; then
echo "[*] Reloading nginx ..."
nginx -s reload
if [ $? -eq 0 ] ; then
echo "[*] Reload successfull"
/opt/entrypoint/post-jobs.sh
else
echo "[!] Reload failed"
fi
@@ -58,8 +59,8 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
# call the generator
/opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
# external jobs
/opt/entrypoint/jobs.sh
# pre-jobs
/opt/entrypoint/pre-jobs.sh
fi
else
echo "[*] Skipping configuration process"
@@ -97,6 +98,9 @@ if [ "$1" == "test" ] ; then
exit 1
fi
# post jobs
/opt/entrypoint/post-jobs.sh
# wait for nginx
wait "$pid"
while [ -f "/tmp/nginx.pid" ] ; do

2
entrypoint/nginx-temp.sh
View File

@@ -4,7 +4,7 @@
. /opt/entrypoint/utils.sh
# start nginx with temp conf for let's encrypt challenges and API
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] ; then
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] || [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
cp /opt/confs/global/api-temp.conf /tmp/api.conf
if [ "$SWARM_MODE" = "yes" ] ; then

59
entrypoint/post-jobs.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
# load some functions
. /opt/entrypoint/utils.sh
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached user-agents.list ..."
cp /cache/user-agents.list /etc/nginx/user-agents.list
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
fi
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached referrers.list ..."
cp /cache/referrers.list /etc/nginx/referrers.list
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh > /dev/null 2>&1 &
fi
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached tor-exit-nodes.list ..."
cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached proxies.list ..."
cp /cache/proxies.list /etc/nginx/proxies.list
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh > /dev/null 2>&1 &
fi
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached abusers.list ..."
cp /cache/abusers.list /etc/nginx/abusers.list
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh > /dev/null 2>&1 &
fi
fi

67
entrypoint/jobs.sh → entrypoint/pre-jobs.sh
View File

@@ -5,7 +5,7 @@
# self signed certs for sites
files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
if [ "$files" != " " ] ; then
if [ "$files" != "" ] ; then
for file in $files ; do
site=$(echo $file | cut -f 4 -d '/')
dest="/etc/nginx/"
@@ -19,7 +19,7 @@ if [ "$files" != " " ] ; then
SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days "$SELF_SIGNED_SSL_EXPIRY" -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
if [ $? -eq 0 ] ; then
echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem"
else
@@ -47,7 +47,7 @@ fi
# certbot
files=$(has_value AUTO_LETS_ENCRYPT yes)
if [ "$files" != " " ] ; then
if [ "$files" != "" ] ; then
for file in $files ; do
if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then
continue
@@ -58,9 +58,9 @@ if [ "$files" != " " ] ; then
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
fi
certbot_outpout=$(/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
certbot_output=$(/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
if [ $? -eq 0 ] ; then
echo "[*] Certbot new successfully executed"
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
else
echo "[*] Error while executing certbot new : $certbot_output"
fi
@@ -69,7 +69,7 @@ fi
# GeoIP
if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COUNTRY .+)" != "" ] ; then
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
@@ -78,58 +78,3 @@ if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COU
/opt/scripts/geoip.sh > /dev/null 2>&1
fi
fi
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached user-agents.list ..."
cp /cache/user-agents.list /etc/nginx/user-agents.list
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
fi
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached referrers.list ..."
cp /cache/referrers.list /etc/nginx/referrers.list
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh > /dev/null 2>&1 &
fi
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached tor-exit-nodes.list ..."
cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached proxies.list ..."
cp /cache/proxies.list /etc/nginx/proxies.list
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh > /dev/null 2>&1 &
fi
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached abusers.list ..."
cp /cache/abusers.list /etc/nginx/abusers.list
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh > /dev/null 2>&1 &
fi
fi

1
entrypoint/utils.sh
View File

@@ -28,7 +28,6 @@ function has_value() {
for file in $envs ; do
if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
echo "$file"
return 0
fi
done
}

13
gen/Configurator.py
View File

@@ -21,10 +21,11 @@ class Configurator :
def load_variables(self, vars, multisite_only=False) :
for var, value in vars.items() :
if self.__check_var(var, value) :
check, reason = self.__check_var(var, value)
if check :
self.__variables[var] = value
else :
print("Ignoring " + var + "=" + value)
print("Ignoring " + var + "=" + value + " (" + reason + ")")
def get_config(self) :
config = {}
@@ -45,4 +46,10 @@ class Configurator :
real_var = "_".join(var.split("_")[:-1])
else :
real_var = "_".join(var.split("_")[:-1][1:])
return real_var != "" and re.search(self.__settings[real_var]["regex"], value) and (not multisite_only or self.__settings[real_var]["context"] == "multisite")
if real_var == "" :
return False, "doesn't exist"
elif not re.search(self.__settings[real_var]["regex"], value) :
return False, "doesn't match regex : " + self.__settings[real_var]["regex"]
elif multisite_only and self.__settings[real_var]["context"] != "multisite" :
return False, "not at multisite context"
return True, ""

13
gen/main.py
View File

@@ -52,12 +52,13 @@ if __name__ == "__main__" :
#print(config)
# Remove old config
for filename in os.listdir(args.output):
file_path = os.path.join(args.output, filename)
if os.path.isfile(file_path) or os.path.islink(file_path):
os.unlink(file_path)
elif os.path.isdir(file_path):
shutil.rmtree(file_path)
# TODO : remove unnecessary files after rendering
# for filename in os.listdir(args.output):
# file_path = os.path.join(args.output, filename)
# if os.path.isfile(file_path) or os.path.islink(file_path):
# os.unlink(file_path)
# elif os.path.isdir(file_path):
# shutil.rmtree(file_path)
# Generate the files from templates and config
templator = Templator(config, args.templates, args.output, args.target)

12
hooks/post_push
View File

@@ -1,12 +0,0 @@
#!/bin/bash
curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v1.0.3/manifest-tool-linux-amd64
chmod +x manifest-tool
VERSION=$(cat VERSION | tr -d '\n')
if [ "$SOURCE_BRANCH" = "dev" ] ; then
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx:dev-ARCHVARIANT --target bunkerity/bunkerized-nginx:dev
elif [ "$SOURCE_BRANCH" = "master" ] ; then
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx:ARCHVARIANT --target bunkerity/bunkerized-nginx:${VERSION}
./manifest-tool push from-args --ignore-missing --platforms linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8 --template bunkerity/bunkerized-nginx:ARCHVARIANT --target bunkerity/bunkerized-nginx:latest
fi

5
hooks/pre_build
View File

@@ -1,5 +0,0 @@
#!/bin/bash
# Register qemu-*-static for all supported processors except the
# current one, but also remove all registered binfmt_misc before
docker run --rm --privileged multiarch/qemu-user-static:register --reset

2
lua/dnsbl.lua
View File

@@ -12,7 +12,7 @@ function M.cached ()
end
function M.check (dnsbls, resolvers)
local local_ips = iputils.parse_cidrs({"127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"})
local local_ips = iputils.parse_cidrs({"127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8"})
if iputils.ip_in_cidrs(ngx.var.remote_addr, local_ips) then
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ok", 86400)
return false

2
scripts/abusers.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

2
scripts/certbot-renew.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

2
scripts/exit-nodes.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

4
scripts/geoip.sh
View File

@@ -3,11 +3,11 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLACKLIST_COUNTRY .+)" = "" ] && [ "$(has_value WHITELIST_COUNTRY .+)" = "" ] ; then
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" = "" ] && [ "$(has_value WHITELIST_COUNTRY ".\+")" = "" ] ; then
exit 0
fi

2
scripts/proxies.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

2
scripts/referrers.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

2
scripts/user-agents.sh
View File

@@ -3,7 +3,7 @@
# load some functions
. /opt/entrypoint/utils.sh
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi

67
settings.json
View File

@@ -579,7 +579,7 @@
"env": "CUSTOM_HTTPS_CERT",
"id": "custom-https-cert",
"label": "Custom TLS certificate path",
"regex": "^[A-Za-z\\.0-9\\/\\-]*$",
"regex": "^[A-Za-z\\.0-9\\/\\-\\_]*$",
"type": "text"
},
{
@@ -588,7 +588,7 @@
"env": "CUSTOM_HTTPS_KEY",
"id": "custom-https-key",
"label": "Custom TLS certificate key",
"regex": "^[A-Za-z\\.0-9\\/\\-]*$",
"regex": "^[A-Za-z\\.0-9\\/\\-\\_]*$",
"type": "text"
},
{
@@ -599,6 +599,69 @@
"label": "Generate a self-signed TLS certificate",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{
"context": "multisite",
"default": "365",
"env": "SELF_SIGNED_SSL_EXPIRY",
"id": "self-signed-ssl-expiry",
"label": "Expire date of the self-signed certificate",
"regex": "^[0-9]+$",
"type": "text"
},
{
"context": "multisite",
"default": "CH",
"env": "SELF_SIGNED_SSL_COUNTRY",
"id": "self-signed-ssl-country",
"label": "Country of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
},
{
"context": "multisite",
"default": "Switzerland",
"env": "SELF_SIGNED_SSL_STATE",
"id": "self-signed-ssl-state",
"label": "State of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
},
{
"context": "multisite",
"default": "Bern",
"env": "SELF_SIGNED_SSL_CITY",
"id": "self-signed-ssl-city",
"label": "City of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
},
{
"context": "multisite",
"default": "IT",
"env": "SELF_SIGNED_SSL_OU",
"id": "self-signed-ssl-ou",
"label": "Organizational Unit of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
},
{
"context": "multisite",
"default": "Acme Inc",
"env": "SELF_SIGNED_SSL_ORG",
"id": "self-signed-ssl-org",
"label": "Organization name of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
},
{
"context": "multisite",
"default": "bunkerized",
"env": "SELF_SIGNED_SSL_CN",
"id": "self-signed-ssl-cn",
"label": "Common Name of the self-signed certificate",
"regex": "^[:print:]+$",
"type": "text"
}
]
},

23
ui/Dockerfile-amd64
View File

@@ -1,23 +0,0 @@
FROM amd64/alpine
COPY ui/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY ui/ /opt/entrypoint
COPY settings.json /opt
COPY ui/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
EXPOSE 5000
WORKDIR /opt/entrypoint
ENV FLASK_APP entrypoint.py
ENTRYPOINT ["/usr/bin/python3", "-m", "flask", "run", "--host=0.0.0.0"]

30
ui/Dockerfile-arm32v7
View File

@@ -1,30 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-arm.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm32v7/alpine
COPY --from=builder qemu-arm-static /usr/bin
COPY ui/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY ui/ /opt/entrypoint
COPY settings.json /opt
COPY ui/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
EXPOSE 5000
WORKDIR /opt/entrypoint
ENV FLASK_APP entrypoint.py
ENTRYPOINT ["/usr/bin/python3", "-m", "flask", "run", "--host=0.0.0.0"]

30
ui/Dockerfile-arm64v8
View File

@@ -1,30 +0,0 @@
FROM alpine AS builder
ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v4.0.0%2Bbalena2/qemu-4.0.0.balena2-aarch64.tar.gz
RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1
FROM arm64v8/alpine
COPY --from=builder qemu-aarch64-static /usr/bin
COPY ui/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY ui/ /opt/entrypoint
COPY settings.json /opt
COPY ui/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
EXPOSE 5000
WORKDIR /opt/entrypoint
ENV FLASK_APP entrypoint.py
ENTRYPOINT ["/usr/bin/python3", "-m", "flask", "run", "--host=0.0.0.0"]

23
ui/Dockerfile-i386
View File

@@ -1,23 +0,0 @@
FROM i386/alpine
COPY ui/dependencies.sh /tmp
RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -f /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY confs/site/ /opt/confs/site
COPY confs/global/ /opt/confs/global
COPY ui/ /opt/entrypoint
COPY settings.json /opt
COPY ui/prepare.sh /tmp
RUN chmod +x /tmp/prepare.sh && \
/tmp/prepare.sh && \
rm -f /tmp/prepare.sh
EXPOSE 5000
WORKDIR /opt/entrypoint
ENV FLASK_APP entrypoint.py
ENTRYPOINT ["/usr/bin/python3", "-m", "flask", "run", "--host=0.0.0.0"]