16 Commits

Author SHA1 Message Date
bunkerity
f0f1c79d40 v1.3.1 release 2021-09-02 17:18:57 +02:00
bunkerity
3d2f5e2389 conf - add REVERSE_PROXY_KEEPALIVE 2021-09-02 12:03:56 +02:00
bunkerity
b079c99fb9 Merge branch 'patch-15' of github.com:thelittlefireman/bunkerized-nginx into keepalive 2021-09-02 11:52:38 +02:00
bunkerity
2e403c6ebc config - add CUSTOM_HEADER 2021-09-02 10:34:58 +02:00
bunkerity
f75a05584e config - add REVERSE_PROXY_BUFFERING 2021-09-02 09:36:28 +02:00
florian
148edf6814 tests - add github token to trivy scanner 2021-08-30 22:34:19 +02:00
Florian Pitance
a19d8aa041 Merge pull request #180 from vepito/vepito-patch-1
Fix typo related to non-HTTP configuration
2021-08-30 21:17:34 +02:00
Florian Pitance
480cff86bc Merge pull request #179 from thelittlefireman/patch-16
Mismatch in docs with modsec folder
2021-08-30 21:15:15 +02:00
Florian Pitance
35df3423d0 missing blank line 2021-08-30 21:14:04 +02:00
Florian Pitance
29f4069de7 switch the use cases 2021-08-30 21:12:59 +02:00
vepito
72e4384596 Fix typo related to non-HTTP configuration
Fix typo that prevents non-HTTP configuration to be working when MULTISITE is used
2021-08-29 02:59:24 +02:00
bunkerity
a4a2647737 jobs - fix docker reload and only do cron jobs when necessary 2021-08-26 15:48:38 +02:00
thelittlefireman
892e533694 Missmatch in docs with modsec folder 2021-08-25 22:32:47 +02:00
bunkerity
a056141609 deps - use ModSecurity v3.0.4 instead of v3.0.5 to avoid memory leak 2021-08-25 17:12:38 +02:00
thelittlefireman
9de628f3eb Missing proxy_set_header for keep alive 2021-08-18 23:47:01 +02:00
thelittlefireman
6cc1abc893 Allow keep alive connection when ws is off
This help improves performance.
2021-08-18 23:42:18 +02:00
20 changed files with 141 additions and 35 deletions


@@ -20,6 +20,7 @@ jobs:
- name: Run Trivy security scanner - name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
token: ${{ secrets.GITHUB_TOKEN }}
image-ref: 'bunkerized-nginx-autoconf' image-ref: 'bunkerized-nginx-autoconf'
format: 'table' format: 'table'
exit-code: '1' exit-code: '1'
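Review bot: The added `token: ${{ secrets.GITHUB_TOKEN }}` hands a repository credential to an action referenced by a mutable branch, `uses: aquasecurity/trivy-action@master`, so whatever lands on that branch upstream runs with the token. Pin the action to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>` (placeholder; take the value from an upstream release you have reviewed), and consider a workflow-level `permissions:` block limited to `contents: read` if the scan needs nothing more. The same applies to the two other workflow sections below (image-ref `bunkerized-nginx-ui` and `bunkerized-nginx`). The job continues outside the hunk, so an existing `permissions:` setting would not be visible here.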


@@ -20,6 +20,7 @@ jobs:
- name: Run Trivy security scanner - name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
token: ${{ secrets.GITHUB_TOKEN }}
image-ref: 'bunkerized-nginx-ui' image-ref: 'bunkerized-nginx-ui'
format: 'table' format: 'table'
exit-code: '1' exit-code: '1'


@@ -20,6 +20,7 @@ jobs:
- name: Run Trivy security scanner - name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
token: ${{ secrets.GITHUB_TOKEN }}
image-ref: 'bunkerized-nginx' image-ref: 'bunkerized-nginx'
format: 'table' format: 'table'
exit-code: '1' exit-code: '1'


@@ -1,6 +1,15 @@
# Changelog # Changelog
## v1.3.0 ## v1.3.1 - 2021/09/02
- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
- Fix ignored variables to control jobs
- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
- Add CUSTOM_HEADER variable
- Add REVERSE_PROXY_BUFFERING variable
- Fix documentation for modsec and modsec-crs special folders
## v1.3.0 - 2021/08/23
- Kubernetes integration in beta - Kubernetes integration in beta
- Linux integration in beta - Linux integration in beta


@@ -3,7 +3,7 @@
</p> </p>
<p align="center"> <p align="center">
<img src="https://img.shields.io/badge/bunkerized--nginx-1.3.0-blue" /> <img src="https://img.shields.io/badge/bunkerized--nginx-1.3.1-blue" />
<img src="https://img.shields.io/badge/nginx-1.20.1-blue" /> <img src="https://img.shields.io/badge/nginx-1.20.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" /> <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" /> <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />


@@ -1 +1 @@
1.3.0 1.3.1


@@ -1,5 +1,5 @@
server { server {
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif +%}; {% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server;{% endif +%}
server_name _; server_name _;
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%} {% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%}
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf; include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;


@@ -0,0 +1,5 @@
{% for k, v in all.items() +%}
{% if k.startswith("CUSTOM_HEADER") and v != "" +%}
more_set_header "{{ v }}";
{% endif %}
{% endfor %}
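Review bot: `more_set_header "{{ v }}";` writes the variable's value into a double-quoted nginx string without escaping, so a value containing `"` or `;` ends the string and the remainder is parsed as nginx configuration. The UI pattern added for `CUSTOM_HEADER` in the settings section (`^([\\S ]*)$`) accepts both characters, so validation does not cover this; the value should be rejected or escaped for `"`, `\`, `;`, `{` and `}` before it is rendered. The directive name also needs checking: as far as I know the headers-more module defines `more_set_headers` (plural), and an unknown directive would make nginx refuse the configuration as soon as one header is set, so the line would read `more_set_headers "{{ v }}";` once the value is made safe. `k.startswith("CUSTOM_HEADER")` additionally matches any other variable that shares the prefix; matching `CUSTOM_HEADER` or `CUSTOM_HEADER_<n>` exactly would be tighter.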


@@ -5,10 +5,17 @@
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %} {% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %} {% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %} {% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
location {{ url }} {% raw %}{{% endraw +%} location {{ url }} {% raw %}{{% endraw +%}
etag off; etag off;
set $backend "{{ host }}"; set $backend "{{ host }}";
proxy_pass $backend; proxy_pass $backend;
{% if buffering == "yes" +%}
proxy_buffering on;
{% else +%}
proxy_buffering off;
{% endif %}
{% if USE_AUTHELIA == "yes" +%} {% if USE_AUTHELIA == "yes" +%}
include {{ NGINX_PREFIX }}authelia-auth-request.conf; include {{ NGINX_PREFIX }}authelia-auth-request.conf;
{% endif %} {% endif %}
@@ -17,6 +24,9 @@ location {{ url }} {% raw %}{{% endraw +%}
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
{% elif keepalive == "yes" +%}
proxy_http_version 1.1;
proxy_set_header Connection "";
{% endif %} {% endif %}
{% if headers != "" %} {% if headers != "" %}
{% for header in headers.split(";") +%} {% for header in headers.split(";") +%}
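Review bot: The new `keepalive` branch sets `proxy_http_version 1.1;` and `proxy_set_header Connection "";`, but nginx reuses backend connections only when the request goes through an `upstream` block carrying a `keepalive` directive. Here the target is `proxy_pass $backend;` with a variable set from the host string, so unless an upstream block is generated elsewhere, the two lines probably change the headers sent to the backend without enabling connection reuse. Either document that the option only switches the backend request to HTTP/1.1 with an empty `Connection` header, or generate an upstream with `keepalive <n>;` (placeholder count) per proxied host. In the first hunk, `{% if buffering == "yes" %} … {% else %}` turns buffering off for any value other than the exact string `yes`, so a typo silently disables it; testing for `"no"` in the off case would keep the documented default. The location block continues outside both hunks.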


@@ -180,6 +180,9 @@ server {
include {{ NGINX_PREFIX }}redirect-to.conf; include {{ NGINX_PREFIX }}redirect-to.conf;
{% endif %} {% endif %}
# custom headers
include {{ NGINX_PREFIX }}custom-headers.conf;
# reverse proxy # reverse proxy
{% if USE_REVERSE_PROXY == "yes" +%} {% if USE_REVERSE_PROXY == "yes" +%}
include {{ NGINX_PREFIX }}reverse-proxy.conf; include {{ NGINX_PREFIX }}reverse-proxy.conf;


@@ -50,7 +50,7 @@ copyright = '2021, bunkerity'
author = 'bunkerity' author = 'bunkerity'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = 'v1.3.0' release = 'v1.3.1'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------


@@ -123,6 +123,12 @@ Default value : *no*
Context : *global*, *multisite* Context : *global*, *multisite*
When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something). When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something).
`CUSTOM_HEADER`
Values : *\<HeaderName: HeaderValue\>*
Default value :
Context : *global*, *multisite*
Add custom HTTP header of your choice to clients. You can add multiple headers by appending a number as a suffix of the environment variable : `CUSTOM_HEADER_1`, `CUSTOM_HEADER_2`, `CUSTOM_HEADER_3`, ...
### Information leak ### Information leak
`SERVER_TOKENS` `SERVER_TOKENS`
@@ -207,6 +213,20 @@ Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server. Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ... You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
`REVERSE_PROXY_BUFFERING`
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* then the [proxy_buffering](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) directive will be set to `on` or `off` otherwise.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_BUFFERING_1`, `REVERSE_PROXY_BUFFERING_2`, `REVERSE_PROXY_BUFFERING_3`, ...
`REVERSE_PROXY_KEEPALIVE`
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* to enable keepalive connections with the backend (needs a HTTP 1.1 backend) or *no* otherwise.
You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_KEEPALIVE_1`, `REVERSE_PROXY_KEEPALIVE_2`, `REVERSE_PROXY_KEEPALIVE_3`, ...
`REVERSE_PROXY_HEADERS` `REVERSE_PROXY_HEADERS`
Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>* Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>*
Default value : Default value :


@@ -726,12 +726,12 @@ Unlike containers, Linux integration can be tedious because bunkerized-nginx has
First of all you will need to install bunkerized-nginx. The recommended way is to use the official installer script : First of all you will need to install bunkerized-nginx. The recommended way is to use the official installer script :
```shell ```shell
$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh -o /tmp/bunkerized-nginx.sh $ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.1/linux-install.sh -o /tmp/bunkerized-nginx.sh
``` ```
Before executing it, you should also check the signature : Before executing it, you should also check the signature :
```shell ```shell
$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh.asc -o /tmp/bunkerized-nginx.sh.asc $ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.1/linux-install.sh.asc -o /tmp/bunkerized-nginx.sh.asc
$ gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com $ gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com
$ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh $ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh
``` ```


@@ -46,7 +46,7 @@ Examples :
## ModSecurity configurations ## ModSecurity configurations
This special folder contains .conf files that will be loaded by ModSecurity before the OWASP Core Rule Set is loaded. The typical use case is when you want to specify exclusions for the CRS. This special folder contains .conf files that will be loaded by ModSecurity after the OWASP Core Rule Set is loaded. The typical use case is to edit loaded CRS rules to avoid false positives.
Location (container) : `/modsec-confs` Location (container) : `/modsec-confs`
Location (Linux) : `/opt/bunkerized-nginx/modsec-confs` Location (Linux) : `/opt/bunkerized-nginx/modsec-confs`
@@ -59,7 +59,7 @@ Examples :
## CRS configurations ## CRS configurations
This special folder contains .conf file that will be loaded by ModSecurity after the OWASP Core Rule Set is loaded. The typical use case is to edit loaded CRS rules to avoid false positives. This special folder contains .conf file that will be loaded by ModSecurity before the OWASP Core Rule Set is loaded. The typical use case is when you want to specify exclusions for the CRS.
Location (container) : `/modsec-crs-confs` Location (container) : `/modsec-crs-confs`
Location (Linux) : `/opt/bunkerized-nginx/modsec-crs-confs` Location (Linux) : `/opt/bunkerized-nginx/modsec-crs-confs`


@@ -459,7 +459,10 @@ CHANGE_DIR="/tmp/bunkerized-nginx/libmaxminddb-1.6.0" do_and_check_cmd make inst
# Download, compile and install ModSecurity # Download, compile and install ModSecurity
echo "[*] Clone SpiderLabs/ModSecurity" echo "[*] Clone SpiderLabs/ModSecurity"
git_secure_clone https://github.com/SpiderLabs/ModSecurity.git bf881a4eda343d37629e39ede5e28b70dc4067c0 # TODO : looks like memory leak is happening with ModSecurity 3.0.5
# so we keep 3.0.4 until a fixed version is available
#git_secure_clone https://github.com/SpiderLabs/ModSecurity.git bf881a4eda343d37629e39ede5e28b70dc4067c0
git_secure_clone https://github.com/SpiderLabs/ModSecurity.git 753145fbd1d6751a6b14fdd700921eb3cc3a1d35
echo "[*] Compile and install ModSecurity" echo "[*] Compile and install ModSecurity"
# temp fix : Debian run it twice # temp fix : Debian run it twice
cd /tmp/bunkerized-nginx/ModSecurity && ./build.sh > /dev/null 2>&1 cd /tmp/bunkerized-nginx/ModSecurity && ./build.sh > /dev/null 2>&1
@@ -671,7 +674,7 @@ fi
# Clone the repo # Clone the repo
if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then
echo "[*] Clone bunkerity/bunkerized-nginx" echo "[*] Clone bunkerity/bunkerized-nginx"
CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 8808f161c5f92911ae485623d96f6ef24fe42ffe CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 3d2f5e2389e5f75131ae22f822a673b92cb12cca
# TODO : dev only # TODO : dev only
#CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git #CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
#CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev #CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev
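Review bot: The TODO added above the ModSecurity clone does not say which upstream report tracks the leak or when the pin should move forward, and it leaves the previous pin behind as a commented-out command. Staying on the older release also means doing without whatever fixes the newer one carries, so the revisit condition should be explicit, for instance `# TODO: pinned to v3.0.4 because of a memory leak seen with v3.0.5; return to the current release once <upstream issue or release, placeholder> resolves it`. Unlike the bunkerized-nginx clone in the second hunk, this `git_secure_clone` call is not wrapped in `do_and_check_cmd`, so whether a failed clone stops the script depends on code outside the hunk.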


@@ -15,10 +15,13 @@ class ReloadRet(enum.Enum) :
class JobManagement() : class JobManagement() :
def __init__(self) : def __init__(self) :
self.__docker_nginx = False
self.__local_nginx = False self.__local_nginx = False
if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") :
self.__local_nginx = True
self.__autoconf_socket = None self.__autoconf_socket = None
if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") and not os.path.isfile("/opt/bunkerized-nginx/ui/linux.sh") :
self.__docker_nginx = True
if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") and os.path.isfile("/opt/bunkerized-nginx/ui/linux.sh") :
self.__local_nginx = True
if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock").st_mode) : if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock").st_mode) :
self.__autoconf_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) self.__autoconf_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
self.__autoconf_socket.connect("/tmp/autoconf.sock") self.__autoconf_socket.connect("/tmp/autoconf.sock")
@@ -43,10 +46,22 @@ class JobManagement() :
return True return True
def reload(self) : def reload(self) :
if self.__autoconf_socket != None : if self.__docker_nginx :
proc = subprocess.run(["/usr/sbin/nginx", "-s", "reload"], capture_output=True)
if proc.returncode != 0 :
log("reload", "ERROR", "can't reload nginx (status code = " + str(proc.returncode) + ")")
if len(proc.stdout.decode("ascii")) > 1 :
log("reload", "ERROR", proc.stdout.decode("ascii"))
if len(proc.stderr.decode("ascii")) > 1 :
log("reload", "ERROR", proc.stderr.decode("ascii"))
return ReloadRet.KO
return ReloadRet.OK
elif self.__autoconf_socket != None :
if self.__autoconf_order(b"reload") : if self.__autoconf_order(b"reload") :
return ReloadRet.OK return ReloadRet.OK
return ReloadRet.KO return ReloadRet.KO
elif self.__local_nginx : elif self.__local_nginx :
proc = subprocess.run(["sudo", "/opt/bunkerized-nginx/ui/linux.sh", "reload"], capture_output=True) proc = subprocess.run(["sudo", "/opt/bunkerized-nginx/ui/linux.sh", "reload"], capture_output=True)
if proc.returncode != 0 : if proc.returncode != 0 :
@@ -57,6 +72,7 @@ class JobManagement() :
log("reload", "ERROR", proc.stderr.decode("ascii")) log("reload", "ERROR", proc.stderr.decode("ascii"))
return ReloadRet.KO return ReloadRet.KO
return ReloadRet.OK return ReloadRet.OK
return ReloadRet.NO return ReloadRet.NO
class Job(abc.ABC) : class Job(abc.ABC) :
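Review bot: The new Docker branch in `reload()` decodes nginx's output with `proc.stdout.decode("ascii")` and `proc.stderr.decode("ascii")`, which raises `UnicodeDecodeError` on any non-ASCII byte, so a failed reload can end in an exception instead of a logged error and `ReloadRet.KO`. Decoding with `proc.stderr.decode("utf-8", errors="replace")` (and the same for stdout) keeps the error path total. The branch is also a line-for-line copy of the existing `__local_nginx` branch apart from the command, so a private helper taking the argv list would keep the two from drifting. Likewise the two new `__init__` conditions repeat the same `isfile` checks and differ only in the `linux.sh` test. Both methods start or end outside the hunks shown.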


@@ -1,7 +1,7 @@
15 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1 15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
30 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1 30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
45 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1 45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
0 1 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1 0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
0 2 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1 0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
0 */1 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1 0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
0 3 2 * * /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1 0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1
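Review bot: The geoip entry's guard `[ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ]` is not valid `test` syntax: `[` does not nest, so the first command receives a stray `[` operand and the second a stray `]`. In the shells cron normally uses, both should return an error, the `&&` chain then never reaches `main.py`, and the GeoIP data would stop being refreshed. Brace grouping gives the intended either-or: `{ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ]; } && …`. The same line appears in the two other crontab sections below (the `/bin/su -c` variant and the one with the `nginx` user column). On every entry the `>> /var/log/nginx/jobs.log 2>&1` redirection now applies only to the last command of the chain, so errors from sourcing `utils.sh` or from the guard go wherever cron sends output rather than to the job log.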


@@ -1,7 +1,7 @@
15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1 15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1 30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1 45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1 0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1 0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1 0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1 0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1


@@ -1,7 +1,7 @@
15 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1 15 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
30 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1 30 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
45 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1 45 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
0 1 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1 0 1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
0 2 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1 0 2 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
0 */1 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1 0 */1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
0 3 2 * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1 0 3 2 * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1


@@ -775,6 +775,23 @@
"label": "Content security policy", "label": "Content security policy",
"regex": "^([\\S ]*)$", "regex": "^([\\S ]*)$",
"type": "text" "type": "text"
},
{
"id": "custom-headers",
"label": "Custom headers",
"params" : [
{
"context": "multisite",
"default": "",
"env": "CUSTOM_HEADER",
"id": "custom-headers",
"label": "Custom header",
"multiple": "Custom headers",
"regex": "^([\\S ]*)$",
"type": "text"
}
],
"type": "multiple"
} }
] ]
}, },
@@ -1070,6 +1087,26 @@
"regex": "^(yes|no)$", "regex": "^(yes|no)$",
"type": "checkbox" "type": "checkbox"
}, },
{
"context": "multisite",
"default": "yes",
"env": "REVERSE_PROXY_BUFFERING",
"id": "reverse-proxy-buffering",
"label": "Reverse proxy buffering",
"multiple": "Reverse proxy",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{
"context": "multisite",
"default": "yes",
"env": "REVERSE_PROXY_KEEPALIVE",
"id": "reverse-proxy-keepalive",
"label": "Reverse proxy keepalive",
"multiple": "Reverse proxy",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{ {
"context": "multisite", "context": "multisite",
"default": "", "default": "",