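#!/bin/bash
#
# Installer for the bunkerized-nginx build dependencies: helper functions,
# embedded nginx signing keys, OS detection, nginx installation and the
# compilation toolchain. Must be run as root.
#
# Supply-chain controls used by the helpers below:
#   - git repositories are checked out at a caller-supplied commit hash,
#   - downloaded archives are compared against a caller-supplied SHA-512 digest,
#   - the nginx signing keys are embedded here instead of being fetched.

# Check out a pinned commit inside an already fetched submodule.
# Globals:   CHANGE_DIR (read) - optional directory to enter first
# Arguments: $1 - submodule path (relative to the current directory)
#            $2 - expected commit hash
# Exits:     4 (after cleanup) when the directory or the commit is missing.
# Note:      the working directory of the calling shell is changed.
function git_secure_checkout() {
  local path="$1"
  local commit="$2"
  local output
  if [ "$CHANGE_DIR" != "" ] ; then
    if ! cd "$CHANGE_DIR" ; then
      echo "[!] Can't change directory to $CHANGE_DIR"
      cleanup
      exit 4
    fi
  fi
  # Without this check a failed cd would run the checkout in the parent
  # repository instead of the submodule.
  if ! cd "$path" ; then
    echo "[!] Can't change directory to submodule $path"
    cleanup
    exit 4
  fi
  # ^{commit} makes git resolve the argument to a commit object.
  if ! output="$(git checkout "${commit}^{commit}" 2>&1)" ; then
    echo "[!] Commit hash $commit is absent from submodules $path !"
    echo "$output"
    cleanup
    exit 4
  fi
}

# Clone a repository into /tmp/bunkerized-nginx and check out a pinned commit.
# Arguments: $1 - repository URL (https://github.com/<owner>/<name>.git)
#            $2 - expected commit hash
# Exits:     2 when the clone fails, 3 when the commit cannot be checked out.
# Note:      the working directory of the calling shell is changed.
function git_secure_clone() {
  local repo="$1"
  local commit="$2"
  local folder output
  if ! cd /tmp/bunkerized-nginx ; then
    echo "[!] Error cloning $1"
    cleanup
    exit 2
  fi
  # Directory created by git clone: last path component without ".git".
  folder="${repo##*/}"
  folder="${folder%.git}"
  if ! output="$(git clone "$repo" 2>&1)" ; then
    echo "[!] Error cloning $1"
    echo "$output"
    cleanup
    exit 2
  fi
  # A failed cd must not let the checkout run in the wrong directory.
  if ! cd "$folder" ; then
    echo "[!] Error cloning $1"
    cleanup
    exit 2
  fi
  if ! output="$(git checkout "${commit}^{commit}" 2>&1)" ; then
    echo "[!] Commit hash $commit is absent from repository $repo"
    echo "$output"
    cleanup
    exit 3
  fi
}

# Download a file into /tmp/bunkerized-nginx and compare its SHA-512 digest.
# Arguments: $1 - URL
#            $2 - output file name
#            $3 - expected SHA-512 digest (hex, as printed by sha512sum)
# Exits:     5 when the download fails, 6 when the digest differs.
function secure_download() {
  local link="$1"
  local file="$2"
  local hash="$3"
  local output check
  if ! cd /tmp/bunkerized-nginx ; then
    echo "[!] Error downloading $link"
    cleanup
    exit 5
  fi
  if ! output="$(wget -q -O "$file" "$link" 2>&1)" ; then
    echo "[!] Error downloading $link"
    echo "$output"
    cleanup
    exit 5
  fi
  check="$(sha512sum "$file" | cut -d ' ' -f 1)"
  if [ "$check" != "$hash" ] ; then
    echo "[!] Wrong hash from file $link (expected $hash got $check)"
    cleanup
    exit 6
  fi
}

# Run a command, hide its output on success, print it and abort on failure.
# Globals:   CHANGE_DIR (read) - optional directory to enter before running
# Arguments: the command and its arguments
# Exits:     with the command's status (after cleanup) when it fails,
#            1 when CHANGE_DIR cannot be entered.
function do_and_check_cmd() {
  local output ret
  if [ "$CHANGE_DIR" != "" ] ; then
    if ! cd "$CHANGE_DIR" ; then
      echo "[!] Error from command : $*"
      echo "[!] Can't change directory to $CHANGE_DIR"
      cleanup
      exit 1
    fi
  fi
  output=$("$@" 2>&1)
  ret="$?"
  if [ $ret -ne 0 ] ; then
    echo "[!] Error from command : $*"
    echo "$output"
    cleanup
    exit $ret
  fi
  #echo $output
  return 0
}

# Remove the temporary build directory.
function cleanup() {
  echo "[*] Cleaning /tmp/bunkerized-nginx"
  rm -rf /tmp/bunkerized-nginx
}

# Print the embedded PGP public key used for the nginx package repository
# (installed below as the apt / rpm signing key).
function get_sign_repo_key() {
  cat <<'EOF_KEY'
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol
kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr
KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG
F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN
1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD
oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi
MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
Va3l3WuB+rgKjsQ=
=EWWI
-----END PGP PUBLIC KEY BLOCK-----
EOF_KEY
}

# Print the embedded RSA public key (PEM) installed below into /etc/apk/keys
# for the nginx Alpine repository.
function get_sign_repo_key_rsa() {
  cat <<'EOF_KEY'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/hT2Chq4hhn+zasCn1gv
N3AVdNYGm4FVkJmWzHBc3lvoTLIMR1uoopg9EbH2faBG3yQjxtAkUme6aauaSmpm
LNvhCfENsrDhRx8KRqwNgvM8jQLOCEMZ2WSGxE4HEsBbQ7p9F4qj8D2YMrl1ZvTw
Gy2UW3wc5vMEf90lsoKmQQS3UJOUxHw0fhJ8vzNUVUeMQpRAjjRfVAQdnoxXSNSw
+OQD2z9obDf6YhQclNbe8itoKRckbfe1sxh5/TFef0y+wJkTzOKXK9yWnJrQp8V3
gmfJy6nnaErhxbocMg55QG7vCNejuV0a384ax0SRTNSZyIhps2Yuswbx9CLX8l+r
bQIDAQAB
-----END PUBLIC KEY-----
EOF_KEY
}

# Print the embedded PGP public keys (three armored blocks) that are imported
# later to verify the signature of the nginx source tarball.
function get_sign_source_keys() {
  cat <<'EOF_KEY'
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (FreeBSD)

mQENBE7SKu8BCADQo6x4ZQfAcPlJMLmL8zBEBUS6GyKMMMDtrTh3Yaq481HB54oR
0cpKL05Ff9upjrIzLD5TJUCzYYM9GQOhguDUP8+ZU9JpSz3yO2TvH7WBbUZ8FADf
hblmmUBLNgOWgLo3W+FYhl3mz1GFS2Fvid6Tfn02L8CBAj7jxbjL1Qj/OA/WmLLc
m6BMTqI7IBlYW2vyIOIHasISGiAwZfp0ucMeXXvTtt14LGa8qXVcFnJTdwbf03AS
ljhYrQnKnpl3VpDAoQt8C68YCwjaNJW59hKqWB+XeIJ9CW98+EOAxLAFszSyGanp
rCqPd0numj9TIddjcRkTA/ZbmCWK+xjpVBGXABEBAAG0IU1heGltIERvdW5pbiA8
bWRvdW5pbkBtZG91bmluLnJ1PokBOAQTAQIAIgUCTtIq7wIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AACgkQUgqZk6HAUvj+iwf/b4FS6zVzJ5T0v1vcQGD4ZzXe
D5xMC4BJW414wVMU15rfX7aCdtoCYBNiApPxEd7SwiyxWRhRA9bikUq87JEgmnyV
0iYbHZvCvc1jOkx4WR7E45t1Mi29KBoPaFXA9X5adZkYcOQLDxa2Z8m6LGXnlF6N
tJkxQ8APrjZsdrbDvo3HxU9muPcq49ydzhgwfLwpUs11LYkwB0An9WRPuv3jporZ
/XgI6RfPMZ5NIx+FRRCjn6DnfHboY9rNF6NzrOReJRBhXCi6I+KkHHEnMoyg8XET
9lVkfHTOl81aIZqrAloX3/00TkYWyM2zO9oYpOg6eUFCX/Lw4MJZsTcT5EKVxIhG
BBARAgAGBQJO01Y/AAoJEOzw6QssFyCDVyQAn3qwTZlcZgyyzWu9Cs8gJ0CXREaS
AJ92QjGLT9DijTcbB+q9OS/nl16Z/IhGBBARAgAGBQJO02JDAAoJEKk3YTmlJMU+
P64AnjCKEXFelSVMtgefJk3+vpyt3QX1AKCH9M3MbTWPeDUL+MpULlfdyfvjj7kB
DQRO0irvAQgA0LjCc8S6oZzjiap2MjRNhRFA5BYjXZRZBdKF2VP74avt2/RELq8G
W0n7JWmKn6vvrXabEGLyfkCngAhTq9tJ/K7LPx/bmlO5+jboO/1inH2BTtLiHjAX
vicXZk3oaZt2Sotx5mMI3yzpFQRVqZXsi0LpUTPJEh3oS8IdYRjslQh1A7P5hfCZ
wtzwb/hKm8upODe/ITUMuXeWfLuQj/uEU6wMzmfMHb+jlYMWtb+v98aJa2FODeKP
mWCXLa7bliXp1SSeBOEfIgEAmjM6QGlDx5sZhr2Ss2xSPRdZ8DqD7oiRVzmstX1Y
oxEzC0yXfaefC7SgM0nMnaTvYEOYJ9CH3wARAQABiQEfBBgBAgAJBQJO0irvAhsM
AAoJEFIKmZOhwFL4844H/jo8icCcS6eOWvnen7lg0FcCo1fIm4wW3tEmkQdchSHE
CJDq7pgTloN65pwB5tBoT47cyYNZA9eTfJVgRc74q5cexKOYrMC3KuAqWbwqXhkV
s0nkWxnOIidTHSXvBZfDFA4Idwte94Thrzf8Pn8UESudTiqrWoCBXk2UyVsl03gJ
blSJAeJGYPPeo+Yj6m63OWe2+/S2VTgmbPS/RObn0Aeg7yuff0n5+ytEt2KL51gO
QE2uIxTCawHr12PsllPkbqPk/PagIttfEJqn9b0CrqPC3HREePb2aMJ/Ctw/76CO
wn0mtXeIXLCTvBmznXfaMKllsqbsy2nCJ2P2uJjOntw=
=Tavt
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF4TqFoBEADNbls05thIAYVVKdMDRdtzGk7HXGqx60u/kh4BL9HskUpyYFTp
N07RJ1TyyusfD7I3skuGHvtQhqdTwHPDEPL5qrAnHps9XWUQrtU7hflcIKt43iDe
TvfVVhN0nPir2++C4qvNnrC/UCisyz00H/I9mobl2qzyKyLT8BnUBVuXDfOTlUCY
oF4z5BieOMvg1DZNKFDnK67ZuO4JXgtMlu4Q3tFd7qSWCWGuCuAGgn6eWFYMzCbB
rPyBYwb7xyycQzqmJiD7Qm9OeVHmZj5rG5hGM14MyTSUVJle0U+CJCF9lmfVuR/c
ySy7WmQgIg327x5Y5xa3pKZAvIAycnDabAk/08p59BG7UdAi2S7+2SicAH89/81V
g4BI4mZp+IuxaP+S+ckaRf1CUvRAJuLTqUeBSuOzjag+ibD6rqusuZ1MZqLxnXyu
gAztNDcmEFa/pqp5bgWbrlTF6zKt4cQf+a/JqFGatsfSzmrIyIZ6GEqgb8oXDDIt
Z1AqsTfp6ZBC1vITE9+b0zBw6qq/nGD0Iq47Vp1VxmlxmnoeR4ir8z/oSukPulLU
K3IqkmRNGEilINrtBt5jFbBlx8kwdCYvxEF6ymibBBqvwwv65jrrKheBQm+HrrVS
aMQmo4Qzj/h/ZLL9KENHibNwUypJnvwEvw0YkAyjICvoNzDUsM+92+B/ewARAQAB
tCFNYXhpbSBLb25vdmFsb3YgPG1heGltQG5naW54LmNvbT6JAlcEEwEKAEECGwMF
CwkIBwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQRB25JxPTv0v/PukQacXn+i9Ul3
1AUCXhgw1wUJBagi/QAKCRCcXn+i9Ul31LltD/40KNFPvDaORz35udrm0cyVIgbI
lq7Vswfo5JIr8MyJ+VKJFQ2n2JiQT8QbX52Sy5P80ktSAFqcT3vtWB7bI6RfJ8Jx
YM/w3XKnNMoUt7Q/cqZK5Ra/csmaCWqP4UVUvUBjHvly0MpnE1kxEDUglrcyVKjt
fxB/GXeUpKOELXG44zvW2CP9Mce0FbDxrh8iCai9MK+2oSt1aJV+gONLWscRgsc7
6q9/4KUXByt0qxScYPRQRIaxpIA8sCno21owcMOf8aQtun6Ytf+UIovl9DmK2pRm
Ifc2JruW1Jx2r7z955ZFNgTA380jEL85dWbgbHF/pYPlwcTCnaAf294kefjrX9DN
rejbZZ3Fh2QGs0tWW5+wncVWndq4jLQTeamUdzw5MPpOh+bZoHT+7z1PDGWe+PIn
DTbfaFYL7MsXwScMUsexKLOoDO6KKpZjcsw9/b5JsJmP73ZEj02BjRudapObiRxm
MtDl8Zmpg7ZUqMHEuUzyEyI5nSWu4njjrWJO0CnsjLpv2UxAbxDn1NGc/DoyxM1l
4SQv4AJuSLo1x7PTRb9V9HkWqxXf+yCkNpV9UjmlrH104gWL6sof6rX8Jo6k+Sz+
yyQHcVbrJ95Y3hQU7QMMnotzVbL7BRtWMtDYTp7q+gYbZ0s+YRXjaHcA5IuV65tM
tEPwGpOCofQ2avkdqIhdBBARCgAdFiEEZVBsAu/CUPG3o9aU7PDpCywXIIMFAl4T
qXUACgkQ7PDpCywXIIN5CQCgyNFrUBGlUvH9QlDSE/umzoyXW/UAn0ve2/HzpMVN
uPMAAgnHYE2R0eiEtCNNYXhpbSBLb25vdmFsb3YgPG1heGltQEZyZWVCU0Qub3Jn
PokCVAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBEHbknE9O/S/
8+6RBpxef6L1SXfUBQJeGDDXBQkFqCL9AAoJEJxef6L1SXfUJ/IQALtwaB7mlBUB
NdzqQRIZAVSnJZ2w6+Iul7Ax4gKrqWj6SvL/5jEdZm65D0kjxJIHq+dO+lJIMLzp
rBkfZ0kkxOPQ1rw/QR31qHLAibknrwIQQVtzFvVg4iW7IZefx6WGbJJC5IbjBUBf
HATqbXmMAcLILh9+t4q7Qvwi2b8ZIsC37cktthad7j4kvXqV5BJ4I+PoDT0CcW48
wgTfMwhib52pLMu3Ghk56kwHBtYSHUDrA4KWRzRHxQ+RoUXLIdtmMRbp8ztwBMJZ
+J/9TLrb3YHUidS3l2nE55l9dJZycCU2EOAhJMbFKbmfW/9we/Sm+vnoALGExepl
FgdGz2NTqPA4ha2y2rBC73TSkfM+4amIrr6kSbeofjQL/w5+fhxAvM5oXuzffPK9
8IR31d66JUTjeueobguzh9ApeHElmihimRJk0KP+NVAMNCIZmlMuOXHPwnCajcBh
Sh9kFGy6tPPPZYQOHSm5KvyjIJDfmkFfJ5ybazkmsGhZMzQs4ZHItC1jf0vYCqsr
d3eVEQesy5nDlSC2lWK84R+J+qTL82ZbCc/VZMniCBCC9xIvEOU9gtIH+58vF8dq
l/jTmGp2h1/kHlJfn0cnxKJDzn2IG16jqR7VdWQEO5hjEMaZdxhM1jPGRdkM82fB
Wwv8BLBpgBstyQlxJ/NNO5+dCtZYWRcviF0EEBEKAB0WIQRlUGwC78JQ8bej1pTs
8OkLLBcggwUCXhOpbwAKCRDs8OkLLBcgg/jfAKCO7DIiB2DGBfLCFftmyuZJN2A6
ZgCfV/cclX++mLyiyYqr2BXnrQk4NVG5Ag0EXhOoWgEQAOmkirptbymUR2JP9DrP
e7aELbUw4bcMx4/nQo1QyKxjDhUdgUui4OiqxmhMjT2IlgFvcYsMeLiYGa/EdBkd
Yq4DtEwc++2eybFQA1z6Hrk+sxdd8neN4azUa5sqVvUwenQ7UMPclSQJaE1nVGCZ
KKVyNsK36RJrE0JfdmE1zKZFWmTCTZ/D/hTCq+hjMpCV+VWFaz3h4S+XsZiBgLB4
+zmyHjyU6E+ecELvAHoXwMbAPiFzzms824Fc1BKHjnc8BBzfUVdIBGhxOVNHDSj3
oxPsiBnuvSlQMlGx0YNLw/tTfw+CFOot5o/KIq9svUp8W9mdj6kKaqBLNxpjHbhQ
yvVSK7O5uS62emMHkRwgu1tmP98d3bGlXRn+S+2MCuyqdFaK40B6vnkPnXpl5ggE
w8JoH11ahNeJ5tX8/JpX/0aQmapt7CKwcgELJap+Qp8i/MFXef7FK/nE0lFIL95o
l9uthd/beX6dz/EEw61lC17Opd3y0N+Dy+eJ0wbULdgKrblZ0PxsumLeICGLs7/P
O9/3nQHJRjmFaVG10t5bL/77gvQ4l7HcuLS1GGHh+RM6EsFuuiqI+aFcDFyRITli
g0QRq4y/C6nqhTWEyYriIi8Dq6JxXisklC1WvSIgPwq1/msmrbiKcJZFPoNtMVtO
dzL3naM5IWOa290R541GjkEVABEBAAGJAjwEGAEKACYCGwwWIQRB25JxPTv0v/Pu
kQacXn+i9Ul31AUCXhgw/QUJBagjIwAKCRCcXn+i9Ul31MQDEACeO6ZBLEWswuyU
RErntoHkY6wIkpfMiERjgfqbNkrdBgXg8dT7kPsXFEtv3ZccjPbsRecJaXdmwGab
mp9MUDYG3SiqgFNriJTv2WECzgYKrZQg38JVwfl7OHPaV2fwZvG56a4qKpIZ3wIg
4acfEPkHQ2ygpKnEJD4IsEK225PtYq5lmNfntvDhbuTPh2vY8T9w0udGCzp4JS60
zLeGGat+52PislEtrSa2B7zSMzGmOqDidaDbEfzdzL+IteZHWDGmYNQ8yICIv6Wj
A80k7uhzDWJf5RMQSNybBykrlWSooaVrBWHgDky5ldAQjDtVrMkBpzglH8FQ44i+
la9caRDfw0Lfxg52vV4eXtpSHAYx3cFREEW9xpTOwOE7Qg0JyHAkUKNb8DJgyehC
BjSeeiMFiZX1plyYFrUAB8dVXi9Z7kqOjTpfYU6kAxDXzQhlqqgYRwoFJQcsQ1Ll
jKptAs6glmDx8dJcjUrK/eH24GGg46eGv2wxY4+sItXfLQ2oeU4uh/vORjvgeeNp
er4z5KLuKxwgpaobavtRZmZSZdGrdC93Si27dpSRiWYn1csoTxG0zZhUVFFW68I4
I5PIdJwblvxayVKdg0aVW/RwDsOLH0twVxwnOPSjLPEB2IwGnlX6rN38cRnibPXM
yh4LsaVRdhbFe9aNd/O5iNgDcQtCUg==
=/pFc
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (FreeBSD)

mQENBE5E4vkBCADPkWWzk7W5cXOqeZ1ULNSj8nt5azbYjfQ8OyR2AaDW8J7oazYH
reIHKid5uZVJxwr1uLoMloGiYTdy4XYIF2WcOfDnjNGumrAT0Nd4Kdax/pHr5Pdp
jFsO4BkHyWk/5/zDCijyoGYLBR6I8hqn+WDuLG/sTtVuTWkUeOlfxb2eZdLyZ3oP
5T5FXtWTpKvr2y7RGshmS6EJnjiVvvErdbNItFXghqvBBaFOJaS2PRBEO9RfKpti
i+eS/cmlrm+Tjv44EPfQyLtAmCQ8uqfL50uIKEp6/dsC/OVJ6JlJOYl4j90DX7vB
TJaOyUm4s+BLF2BK+Ow8+s+B6jQ5noa/o16NABEBAAG0IFNlcmdleSBCdWRuZXZp
dGNoIDxzYkBuZ2lueC5jb20+iQE+BBMBAgAoBQJOROQ6AhsDBQkJZgGABgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCmT9Wxets5qEQgB/43Mxmiy7DjXEbxIYkC
9xPC4kf1X+bHkJ9BtAgaYDQewjtQ7vS98TKJBibm3l4egmBjFWjCpL8845n966+u
XDqrDWJtOPUXvSEQNXGlijDGSxxpdK2dxDOKIOC8nIlZq/Xz/Uqjb2ZrszmYK2LD
IHI1mN9HdI6aTt41QbtG0nkaPPgv3MEvxSMVCzVddroyPXvf/ErT4OSYU+dqJhH+
SBIezuF0suzH/siCksbSBZHIst5rggpjsZvijP5YFH/hpEsR+tKXo9EFk49xn9Ou
WdmpOEs7CKDbTApkh9XN/Pk5nJQ/HIDuW8pkgzf2wxNWlMSYw6xnozDkeIqpJcDD
4niqiEYEEBECAAYFAk5OYocACgkQ7PDpCywXIIMKtQCfaAl2rvbEImu6MnDR32KG
HTDH2TEAoNeWrSlavyFzbSQka53E9Gs6gF63tCBTZXJnZXkgQnVkbmV2aXRjaCA8
c2JAd2FlbWUubmV0PokBQQQTAQIAKwIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYC
AwECHgECF4AFAk5OR38CGQEACgkQpk/VsXrbOagPmAf/QmIEDkkiovc1MgQ81lh4
eeHfvtptb+U4GVCu07DQUR9kEtN6Jqi65gKb95fEztI14PpX+euiWrc/RlnsxWc0
jYF0UmyacWLN6oHPoxlCK5+7zyoz5UTNrYGkTfWfcNtTU509CEZRClBNjMZOTZjP
QhdR+Ce6tngRcQvMGNaLjJkKuY7vPh6FjT5oqxpnEIRTsWq6bUaeCXm7j9x0as1Z
w1E5D5it3Ug3VlAe58jFJmRgatOsWznKuNoLRjQ2Chp2ce+dLgXriuJMrvEsn5S4
dImUGL5DVYWDVZNG+r85XnOhMfKG308pZby1uzFvD+j3P6yMj1tpaCAAi5lUkHh6
bIhGBBARAgAGBQJOTmJ/AAoJEOzw6QssFyCDH50AoMyJPvPDTYXK5KHOlPYPZQ5M
OuCAAJ9zQ/3hKedm3xCLGl4Y6hjxJNlUTbkBDQROROL5AQgAuGIfx9aVOOXVdj8b
XvjBQt+UkBURYGACHFQ69w71Aupsg9pZ7FgwgVKxnoNlmRag8sInjQbs3M/lS0sB
dg75zZ7Ph7aPev8RAqdtX5+xxvujv1cmkFBExFuC5Wp/Yfzk/lPWZR4vXZrTpRiF
PLMlRu0CEJFqoqPPygGFar02Q7rO+da35pxAuYrOWGM7MNr8H/vk13+GiqniBQCa
uSoWwZQzaEdG5VGgm/vAwPzO+Cbam3r+Hs7OieykAy8fv+B+qhHn8Vc/520iGvdO
IAKpxl6oZrkbNL/wozOOLZni7iWl30C43ujxPiGRlg/YotHmhlnMic85QKyakXCS
WXI/JQARAQABiQElBBgBAgAPBQJOROL5AhsMBQkJZgGAAAoJEKZP1bF62zmoGCwH
/2a6zlu4Jwmv21vuroaAzECV8gp1luBeagn23EgMMukYhkbwLtL/0twAHmZlkpzl
atfq/EH2PgOasl2biJixqp7o9V7Uw6PS5JoY+1IrLEurG+FU2TN/Ysp12al4Z0Hh
p4yBRSEikISO9gkeUThixDPX1PjCpx8G/ZYqk+8jRCcDgWsUc/WV3VGPht68oDd7
56/hfQYc/V3eJmm5WYLVGV7Q69tGtp6D09SpoeqCD2K77auEBRVJ4jaT4B2/EfSb
x6y7Dy4Oxm8TBOQ2EZw2vEixKxtEt86/oBtLUkqVockPq/Ek9AL+KzT6VR1xU+Cm
CoHAyoqJeb/xLBwuKWg0/4U=
=iFlP
-----END PGP PUBLIC KEY BLOCK-----
EOF_KEY
}

# Variables
NTASK=$(nproc)

# Check if we are root
if [ "$(id -u)" -ne 0 ] ; then
  echo "[!] Run me as root"
  exit 1
fi

# Detect OS
OS=""
if grep -q Debian /etc/os-release ; then
  OS="debian"
elif grep -q Ubuntu /etc/os-release ; then
  OS="ubuntu"
elif grep -q CentOS /etc/os-release ; then
  OS="centos"
elif grep -q Fedora /etc/os-release ; then
  OS="fedora"
elif grep -q Alpine /etc/os-release ; then
  OS="alpine"
fi
if [ "$OS" = "" ] ; then
  echo "[!] Unsupported Operating System"
  exit 1
fi

# Create /tmp/bunkerized-nginx
echo "[*] Prepare /tmp/bunkerized-nginx"
if [ -e "/tmp/bunkerized-nginx" ] ; then
  do_and_check_cmd rm -rf /tmp/bunkerized-nginx
fi
# The path is predictable and /tmp is shared, so mkdir is used without -p: it
# fails (and the script aborts) if the path reappears after the rm above.
# Mode 0700 keeps other local users out of the build tree.
do_and_check_cmd mkdir -m 0700 /tmp/bunkerized-nginx

# Create /opt/bunkerized-nginx
echo "[*] Prepare /opt/bunkerized-nginx"
if [ -e "/opt/bunkerized-nginx" ] ; then
  do_and_check_cmd rm -rf /opt/bunkerized-nginx
fi
do_and_check_cmd mkdir -p /opt/bunkerized-nginx/deps

# Check nginx version
NGINX_VERSION="$(nginx -V 2>&1 | sed -rn 's~^nginx version: nginx/(.*)$~\1~p')"

# Add nginx official repo and install
if [ "$NGINX_VERSION" = "" ] ; then
  get_sign_repo_key > /tmp/bunkerized-nginx/nginx_signing.key
  if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
    echo "[*] Add nginx official repository"
    # NOTE(review): a key in /etc/apt/trusted.gpg.d is trusted for every
    # configured apt source; a signed-by option on the nginx entry would scope
    # it to that repository only.
    do_and_check_cmd cp /tmp/bunkerized-nginx/nginx_signing.key /etc/apt/trusted.gpg.d/nginx_signing.asc
    do_and_check_cmd apt update
    DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y gnupg2 ca-certificates lsb-release software-properties-common
    # NOTE(review): the repository is reached over plain HTTP; package
    # integrity then rests on the signature check alone.
    do_and_check_cmd add-apt-repository "deb http://nginx.org/packages/${OS} $(lsb_release -cs) nginx"
    do_and_check_cmd apt update
    echo "[*] Install nginx"
    DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y nginx
  elif [ "$OS" = "centos" ] ; then
    echo "[*] Add nginx official repository"
    do_and_check_cmd yum install -y yum-utils
    # Checked copy: a silent failure here would leave gpgkey= pointing at a
    # missing file.
    do_and_check_cmd cp /tmp/bunkerized-nginx/nginx_signing.key /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
    do_and_check_cmd rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
    # Quoted delimiter: $releasever and $basearch are written literally for yum.
    cat > /etc/yum.repos.d/nginx.repo <<'EOF_REPO'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
enabled=1
module_hotfixes=true
EOF_REPO
    echo "[*] Install nginx"
    do_and_check_cmd yum install -y nginx
  elif [ "$OS" = "fedora" ] ; then
    echo "[*] Install nginx"
    do_and_check_cmd dnf install -y nginx
  elif [ "$OS" = "alpine" ] ; then
    echo "[*] Add nginx official repository"
    get_sign_repo_key_rsa > /etc/apk/keys/nginx_signing.rsa.pub
    ALPINE_NGINX_REPO="@nginx http://nginx.org/packages/alpine/v$(grep -Eo '^[0-9]+\.[0-9]+' /etc/alpine-release)/main"
    # Append only once so that re-running the script does not duplicate the entry.
    if ! grep -qxF -- "$ALPINE_NGINX_REPO" /etc/apk/repositories 2>/dev/null ; then
      echo "$ALPINE_NGINX_REPO" >> /etc/apk/repositories
    fi
    echo "[*] Install nginx"
    do_and_check_cmd apk add nginx@nginx
  fi
  NGINX_VERSION="$(nginx -V 2>&1 | sed -rn 's~^nginx version: nginx/(.*)$~\1~p')"
fi
echo "[*] Detected nginx version ${NGINX_VERSION}"
if [ "$NGINX_VERSION" != "1.20.1" ] ; then
  echo "/!\\ Warning : we recommend you to use nginx v1.20.1, you should uninstall your nginx version and run this script again ! /!\\"
fi

# Install dependencies
echo "[*] Update packet list"
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
  do_and_check_cmd apt update
fi
echo "[*] Install compilation dependencies"
# The *_DEPS lists are expanded unquoted on purpose: one word per package.
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
  DEBIAN_DEPS="git autoconf pkg-config libpcre++-dev automake libtool g++ make liblua5.1-0-dev libgd-dev lua5.1 libssl-dev wget libbrotli-dev gnupg"
  DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y $DEBIAN_DEPS
  do_and_check_cmd cp -r /usr/include/lua5.1/* /usr/include
elif [ "$OS" = "centos" ] ; then
  do_and_check_cmd yum install -y epel-release
  CENTOS_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg"
  do_and_check_cmd yum install -y $CENTOS_DEPS
elif [ "$OS" = "fedora" ] ; then
  FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg libxslt-devel perl-ExtUtils-Embed gperftools-devel"
  do_and_check_cmd dnf install -y $FEDORA_DEPS
elif [ "$OS" = "alpine" ] ; then
  ALPINE_DEPS="git build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev"
  do_and_check_cmd apk add --no-cache --virtual build $ALPINE_DEPS
fi

# Download, compile and install libmaxminddb
echo "[*] Download maxmind/libmaxminddb"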
# libmaxminddb: secure_download aborts the script unless the SHA-512 digest of
# the tarball equals the value pinned here, so nothing unverified is unpacked.
LIBMAXMINDDB_SRC="/tmp/bunkerized-nginx/libmaxminddb-1.6.0"
secure_download \
  "https://github.com/maxmind/libmaxminddb/releases/download/1.6.0/libmaxminddb-1.6.0.tar.gz" \
  "libmaxminddb-1.6.0.tar.gz" \
  "9394e8dd959982d4ef5d15a928d32700722ed9d6c9988d9cc1bf2f4e67de0a53cc6987e90aaef3a6926c9ff36ac378f7a1fe47818fda4f5a3a22539210b2d004"
CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd tar -xzf libmaxminddb-1.6.0.tar.gz
echo "[*] Compile and install libmaxminddb"
CHANGE_DIR="$LIBMAXMINDDB_SRC" do_and_check_cmd ./configure --prefix=/opt/bunkerized-nginx/deps
CHANGE_DIR="$LIBMAXMINDDB_SRC" do_and_check_cmd make -j "$NTASK"
CHANGE_DIR="$LIBMAXMINDDB_SRC" do_and_check_cmd make install

# Download, compile and install ModSecurity
MODSECURITY_SRC="/tmp/bunkerized-nginx/ModSecurity"
echo "[*] Clone SpiderLabs/ModSecurity"
git_secure_clone https://github.com/SpiderLabs/ModSecurity.git bf881a4eda343d37629e39ede5e28b70dc4067c0
echo "[*] Compile and install ModSecurity"
# temp fix : Debian run it twice
# (first run is best effort: its output and exit status are ignored)
cd "$MODSECURITY_SRC" && ./build.sh > /dev/null 2>&1
CHANGE_DIR="$MODSECURITY_SRC" do_and_check_cmd sh build.sh
CHANGE_DIR="$MODSECURITY_SRC" do_and_check_cmd git submodule init
CHANGE_DIR="$MODSECURITY_SRC" do_and_check_cmd git submodule update
# Each submodule must sit on the commit pinned here; git_secure_checkout
# aborts the installation when the commit cannot be checked out.
for SUBMODULE_PIN in \
  "bindings/python 47a6925df187f96e4593afab18dc92d5f22bd4d5" \
  "others/libinjection bf234eb2f385b969c4f803b35fda53cffdd93922" \
  "test/test-cases/secrules-language-tests d03f4c1e930440df46c1faa37d820a919704d9da"
do
  # "<path> <commit>": split on the single space.
  CHANGE_DIR="$MODSECURITY_SRC" git_secure_checkout "${SUBMODULE_PIN% *}" "${SUBMODULE_PIN#* }"
done
CHANGE_DIR="$MODSECURITY_SRC" do_and_check_cmd ./configure \
  --disable-doxygen-doc \
  --disable-dependency-tracking \
  --disable-examples \
  --prefix=/opt/bunkerized-nginx/deps \
  --with-maxmind=/opt/bunkerized-nginx/deps
CHANGE_DIR="$MODSECURITY_SRC" do_and_check_cmd make -j "$NTASK"
# Third-party sources are cloned under /tmp/bunkerized-nginx by
# git_secure_clone, each at the full commit hash given as second argument.
# Build results are installed under /opt/bunkerized-nginx/deps.
BN_DEPS_PREFIX="/opt/bunkerized-nginx/deps"

CHANGE_DIR="/tmp/bunkerized-nginx/ModSecurity" do_and_check_cmd make install-strip

# Download and install OWASP Core Rule Set
echo "[*] Clone coreruleset/coreruleset"
git_secure_clone https://github.com/coreruleset/coreruleset.git 18703f1bc47e9c4ec4096853d5fb4e2a204a07a2
echo "[*] Install coreruleset"
do_and_check_cmd mkdir /opt/bunkerized-nginx/crs
do_and_check_cmd cp -r /tmp/bunkerized-nginx/coreruleset/rules/* /opt/bunkerized-nginx/crs
do_and_check_cmd cp /tmp/bunkerized-nginx/coreruleset/crs-setup.conf.example /opt/bunkerized-nginx/crs-setup.conf

# Download ModSecurity-nginx module
echo "[*] Clone SpiderLabs/ModSecurity-nginx"
git_secure_clone https://github.com/SpiderLabs/ModSecurity-nginx.git 2497e6ac654d0b117b9534aa735b757c6b11c84f

# Download headers more module
echo "[*] Clone openresty/headers-more-nginx-module"
git_secure_clone https://github.com/openresty/headers-more-nginx-module.git f85af9649b858e21b400a2150a4c7b8ebd36e921

# Download GeoIP module
echo "[*] Clone leev/ngx_http_geoip2_module"
git_secure_clone https://github.com/leev/ngx_http_geoip2_module.git 1cabd8a1f68ea3998f94e9f3504431970f848fbf
# Point the module's build config at the libmaxminddb copy installed under
# /opt/bunkerized-nginx/deps (include path, library path and rpath).
GEOIP2_CONFIG="/tmp/bunkerized-nginx/ngx_http_geoip2_module/config"
do_and_check_cmd sed -i '1s:^:ngx_feature_path=/opt/bunkerized-nginx/deps/include\n:' "$GEOIP2_CONFIG"
do_and_check_cmd sed -i 's:^ngx_feature_libs=.*$:ngx_feature_libs="-Wl,-rpath,/opt/bunkerized-nginx/deps/lib -L/opt/bunkerized-nginx/deps/lib -lmaxminddb":' "$GEOIP2_CONFIG"

# Download cookie flag module
echo "[*] Clone AirisX/nginx_cookie_flag_module"
git_secure_clone https://github.com/AirisX/nginx_cookie_flag_module.git c4ff449318474fbbb4ba5f40cb67ccd54dc595d4

# Download brotli module
echo "[*] Clone google/ngx_brotli"
git_secure_clone https://github.com/google/ngx_brotli.git 9aec15e2aa6feea2113119ba06460af70ab3ea62

# Download lua-nginx module
git_secure_clone https://github.com/openresty/lua-nginx-module.git 9007d673e28938f5dfa7720438991e22b794d225

# Download, compile and install luajit2
echo "[*] Clone openresty/luajit2"
git_secure_clone https://github.com/openresty/luajit2.git 5ff674c5d9b75d6018994dfac3ce38aab3b8db12
echo "[*] Compile luajit2"
CHANGE_DIR="/tmp/bunkerized-nginx/luajit2" do_and_check_cmd make -j "$NTASK"
echo "[*] Install luajit2"
CHANGE_DIR="/tmp/bunkerized-nginx/luajit2" do_and_check_cmd make PREFIX="$BN_DEPS_PREFIX" install

# Download and install lua-resty-core
echo "[*] Clone openresty/lua-resty-core"
git_secure_clone https://github.com/openresty/lua-resty-core.git 12f26310a35e45c37157420f7e1f395a0e36e457
echo "[*] Install lua-resty-core"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-core" do_and_check_cmd make PREFIX="$BN_DEPS_PREFIX" install

# Download and install lua-resty-lrucache
echo "[*] Clone openresty/lua-resty-lrucache"
git_secure_clone https://github.com/openresty/lua-resty-lrucache.git f20bb8ac9489ba87d90d78f929552c2eab153caa
echo "[*] Install lua-resty-lrucache"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-lrucache" do_and_check_cmd make PREFIX="$BN_DEPS_PREFIX" install

# Download and install lua-resty-dns
echo "[*] Clone openresty/lua-resty-dns"
git_secure_clone https://github.com/openresty/lua-resty-dns.git 869d2fbb009b6ada93a5a10cb93acd1cc12bd53f
echo "[*] Install lua-resty-dns"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-dns" do_and_check_cmd make PREFIX="$BN_DEPS_PREFIX" install

# Download and install lua-resty-session
echo "[*] Clone bungle/lua-resty-session"
git_secure_clone https://github.com/bungle/lua-resty-session.git 2cd1f8484fdd429505ac33abf7a44adda1f367bf
echo "[*] Install lua-resty-session"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-resty-session/lib/resty/* "$BN_DEPS_PREFIX/lib/lua/resty"

# Download and install lua-resty-random
echo "[*] Clone bungle/lua-resty-random"
git_secure_clone https://github.com/bungle/lua-resty-random.git 17b604f7f7dd217557ca548fc1a9a0d373386480
echo "[*] Install lua-resty-random"
# Lua libraries: each repository is cloned by git_secure_clone at the pinned
# commit hash, then built and installed under /opt/bunkerized-nginx/deps.
BN_LUA_DIR="/opt/bunkerized-nginx/deps/lib/lua"

CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-random" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps install

# Download and install lua-resty-string
echo "[*] Clone openresty/lua-resty-string"
git_secure_clone https://github.com/openresty/lua-resty-string.git 3624678ca1c7c32e2fb16c18b7511863e074d542
echo "[*] Install lua-resty-string"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-string" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps install

# Download, compile and install lua-cjson
echo "[*] Clone openresty/lua-cjson"
git_secure_clone https://github.com/openresty/lua-cjson.git 0df488874f52a881d14b5876babaa780bb6200ee
echo "[*] Compile lua-cjson"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-cjson" do_and_check_cmd make -j "$NTASK"
echo "[*] Install lua-cjson"
# Same make variables for both targets: install, then install-extra.
for CJSON_TARGET in install install-extra ; do
  CHANGE_DIR="/tmp/bunkerized-nginx/lua-cjson" do_and_check_cmd make \
    PREFIX=/opt/bunkerized-nginx/deps \
    LUA_CMODULE_DIR="$BN_LUA_DIR" \
    LUA_MODULE_DIR="$BN_LUA_DIR" \
    "$CJSON_TARGET"
done

# Download, compile and install lua-gd
echo "[*] Clone ittner/lua-gd"
git_secure_clone https://github.com/ittner/lua-gd.git 2ce8e478a8591afd71e607506bc8c64b161bbd30
echo "[*] Compile lua-gd"
case "$OS" in
  centos|fedora)
    # On these two distributions the Lua package and binary names are passed
    # explicitly to the lua-gd Makefile.
    CHANGE_DIR="/tmp/bunkerized-nginx/lua-gd" do_and_check_cmd make LUAPKG=lua LUABIN=lua -j "$NTASK"
    ;;
  *)
    CHANGE_DIR="/tmp/bunkerized-nginx/lua-gd" do_and_check_cmd make -j "$NTASK"
    ;;
esac
echo "[*] Install lua-gd"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-gd" do_and_check_cmd make INSTALL_PATH="$BN_LUA_DIR" install

# Download and install lua-resty-http
echo "[*] Clone ledgetech/lua-resty-http"
git_secure_clone https://github.com/ledgetech/lua-resty-http.git 9bf951dfe162dd9710a0e1f4525738d4902e9d20
echo "[*] Install lua-resty-http"
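CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-http" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps install

# Download and install lualogging
# (log message aligned with the repository that is actually cloned)
echo "[*] Clone lunarmodules/lualogging"
git_secure_clone https://github.com/lunarmodules/lualogging.git 5973188a1f8fc31abd98aceed2a4853986d779e9
echo "[*] Install lualogging"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/lualogging/src/* /opt/bunkerized-nginx/deps/lib/lua

# Download, compile and install luasocket
echo "[*] Clone diegonehab/luasocket"
git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
echo "[*] Compile luasocket"
CHANGE_DIR="/tmp/bunkerized-nginx/luasocket" do_and_check_cmd make -j "$NTASK"
echo "[*] Install luasocket"
CHANGE_DIR="/tmp/bunkerized-nginx/luasocket" do_and_check_cmd make prefix=/opt/bunkerized-nginx/deps CDIR_linux=lib/lua LDIR_linux=lib/lua install

# Download, compile and install luasec
echo "[*] Clone brunoos/luasec"
git_secure_clone https://github.com/brunoos/luasec.git d5df31561751ec0d4098dfc09c92ece215a56a5a
echo "[*] Compile luasec"
CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make linux -j "$NTASK"
echo "[*] Install luasec"
CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make LUACPATH=/opt/bunkerized-nginx/deps/lib/lua LUAPATH=/opt/bunkerized-nginx/deps/lib/lua install

# Download and install lua-cs-bouncer
echo "[*] Clone crowdsecurity/lua-cs-bouncer"
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
echo "[*] Install lua-cs-bouncer"
if [ ! -d /opt/bunkerized-nginx/deps/lib/lua/crowdsec ] ; then
  do_and_check_cmd mkdir /opt/bunkerized-nginx/deps/lib/lua/crowdsec
fi
do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-cs-bouncer/lib/* /opt/bunkerized-nginx/deps/lib/lua/crowdsec
# Rewrite the require paths to match the locations used by this install.
do_and_check_cmd sed -i 's/require "lrucache"/require "resty.lrucache"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
do_and_check_cmd sed -i 's/require "config"/require "crowdsec.config"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua

# Download and install lua-resty-iputils
echo "[*] Clone hamishforbes/lua-resty-iputils"
git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
echo "[*] Install lua-resty-iputils"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-iputils" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install

# Download nginx and decompress sources
echo "[*] Download nginx-${NGINX_VERSION}.tar.gz"
do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz.asc" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
get_sign_source_keys > /tmp/bunkerized-nginx/nginx.key
# Verify with a throw-away keyring that contains only the embedded nginx keys:
# a key that already sits in root's default keyring must not be able to vouch
# for the tarball. The directory is removed together with the build tree.
do_and_check_cmd mkdir -m 0700 /tmp/bunkerized-nginx/gnupg
do_and_check_cmd gpg --batch --homedir /tmp/bunkerized-nginx/gnupg --import /tmp/bunkerized-nginx/nginx.key
# Machine-readable status instead of the human-readable text: the text is
# locale dependent, and a GOODSIG status line is only expected for a valid
# signature made by a key that is neither expired nor revoked.
check=$(gpg --batch --homedir /tmp/bunkerized-nginx/gnupg --status-fd 1 \
  --verify "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz.asc" "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" 2>/dev/null \
  | grep "^\[GNUPG:\] GOODSIG ")
if [ "$check" = "" ] ; then
  echo "[!] Wrong signature from nginx source !!!"
  cleanup
  exit 1
fi
CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd tar -xvzf "nginx-${NGINX_VERSION}.tar.gz"

# Compile dynamic modules
echo "[*] Compile dynamic modules"
# Reuse the configure arguments of the installed nginx binary so that the
# dynamic modules are built with matching options.
CONFARGS="$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')"
CONFARGS="${CONFARGS/-Os -fomit-frame-pointer -g/-Os}"
if [ "$OS" = "fedora" ] ; then
  CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'//" | sed "s/--with-cc-opt='.*'//")"
fi
# CONFARGS is written into a script that is then run as root, so its quoting
# is interpreted by the shell; it comes from the locally installed nginx.
# The shebang is written without a backslash (a literal "\#!" is not a shebang).
printf '%s\n' '#!/bin/bash' > "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerized-nginx/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerized-nginx/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_http_geoip2_module --add-dynamic-module=/tmp/bunkerized-nginx/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerized-nginx/lua-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_brotli" >> "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
do_and_check_cmd chmod +x "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" \
  LUAJIT_LIB="/opt/bunkerized-nginx/deps/lib -Wl,-rpath,/opt/bunkerized-nginx/deps/lib" \
  LUAJIT_INC="/opt/bunkerized-nginx/deps/include/luajit-2.1" \
  MODSECURITY_LIB="/opt/bunkerized-nginx/deps/lib" \
  MODSECURITY_INC="/opt/bunkerized-nginx/deps/include" \
  do_and_check_cmd ./configure-fix.sh
CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd make -j "$NTASK" modules

# TODO : move modules to /opt/bunkerized-nginx/modules
if [ ! -d "/usr/lib/nginx/modules" ] ; then
  do_and_check_cmd mkdir -p /usr/lib/nginx/modules
fi
do_and_check_cmd chown -R root:root /usr/lib/nginx
do_and_check_cmd chmod -R 755 /usr/lib/nginx
CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd cp ./objs/*.so /usr/lib/nginx/modules
do_and_check_cmd chmod 744 /usr/lib/nginx/modules/*

# Remove alpine build dependencies
if [ "$OS" = "alpine" ] ; then
  # Best effort: output and exit status are ignored.
  apk del build > /dev/null 2>&1
fi

cleanup
echo "[*] Dependencies for bunkerized-nginx successfully installed !"

# Install dependencies
echo "[*] Update packet list"
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
  do_and_check_cmd apt update
fi
echo "[*] Install runtime dependencies"
# The *_DEPS lists are expanded unquoted on purpose: one word per package.
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
  DEBIAN_DEPS="git cron curl python3 python3-pip procps"
  DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y $DEBIAN_DEPS
elif [ "$OS" = "centos" ] ; then
  do_and_check_cmd yum install -y epel-release
  CENTOS_DEPS="git crontabs curl python3 python3-pip procps"
  do_and_check_cmd yum install -y $CENTOS_DEPS
elif [ "$OS" = "fedora" ] ; then
  FEDORA_DEPS="git crontabs curl python3 python3-pip procps nginx-mod-stream"
  do_and_check_cmd dnf install -y $FEDORA_DEPS
  # Temp fix
  do_and_check_cmd cp /usr/lib64/nginx/modules/ngx_stream_module.so /usr/lib/nginx/modules/ngx_stream_module.so
elif [ "$OS" = "alpine" ] ; then
  ALPINE_DEPS="certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip git"
  do_and_check_cmd apk add --no-cache $ALPINE_DEPS
fi

# Clone the repo
echo "[*] Clone bunkerity/bunkerized-nginx"
#CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 09a2a4f9e531b93684b0916a5146091a818501d3
# TODO : do a secure clone
# NOTE(review): unlike every dependency above, this clone follows the moving
# "dev" branch, and its files are later used by root (pip requirements, copies
# into /opt/bunkerized-nginx and /usr/local/bin). Pinning a reviewed commit
# hash, as git_secure_clone does, would close that gap.
#
# cleanup has just removed /tmp/bunkerized-nginx. Recreate it as root with
# mode 0700 and without -p: mkdir fails (and the script aborts) if the path
# already exists, so the clone never lands in a directory that another local
# user created. git clone accepts an existing empty directory as target.
do_and_check_cmd mkdir -m 0700 /tmp/bunkerized-nginx
CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev

# Install Python dependencies
echo "[*] Install python dependencies"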
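# ---------------------------------------------------------------------------
# Second half of the installer: Python dependencies, copy of the cloned tree
# into /opt/bunkerized-nginx, account/folder creation, permissions, log and
# Let's Encrypt folders, crontab, initial list downloads, temp-file cleanup.
# Every step goes through do_and_check_cmd (defined earlier in this file),
# which prints the command output, calls cleanup and exits on failure.
#
# NOTE(review): the /tmp/bunkerized-nginx tree used below was fetched earlier
# in this script with a plain `git clone` followed by `git checkout dev` (that
# step carries a "TODO : do a secure clone"). Its content is therefore
# whatever the dev branch holds at install time, not a commit pinned by hash
# the way git_secure_clone pins the other sources. Everything copied from it
# (scripts, entrypoint, systemd unit, crontab, requirements files) inherits
# that trust level.
# NOTE(review): /tmp/bunkerized-nginx is a fixed, predictable path; a
# directory from mktemp -d would avoid pre-creation by another local account,
# but the helpers above hard-code the path, so that change is not made here.
# ---------------------------------------------------------------------------

# Install Python dependencies.
# NOTE(review): none of the pip3 commands pass --require-hashes or a version
# on the command line; whether the requirements files pin versions is not
# visible from here. `cryptography --upgrade` resolves to the newest release
# available at install time.
do_and_check_cmd pip3 install --upgrade pip
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/gen/requirements.txt
if [ "$OS" != "alpine" ] ; then
  do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/ui/requirements.txt
fi
do_and_check_cmd pip3 install cryptography --upgrade

# Copy generator
echo "[*] Copy generator"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/gen /opt/bunkerized-nginx

# Copy entrypoint
echo "[*] Copy entrypoint"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/entrypoint /opt/bunkerized-nginx

# Copy configs
echo "[*] Copy configs"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/confs /opt/bunkerized-nginx

# Copy scripts
echo "[*] Copy scripts"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/scripts /opt/bunkerized-nginx

# Copy LUA
echo "[*] Copy LUA"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua /opt/bunkerized-nginx

# Copy antibot
echo "[*] Copy antibot"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/antibot /opt/bunkerized-nginx

# Copy defaults
echo "[*] Copy defaults"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx

# Copy settings
echo "[*] Copy settings"
do_and_check_cmd cp /tmp/bunkerized-nginx/settings.json /opt/bunkerized-nginx

# Copy sample variables.env
echo "[*] Copy sample variables.env"
do_and_check_cmd cp /tmp/bunkerized-nginx/misc/variables.env /opt/bunkerized-nginx

# Copy UI (skipped on alpine, which also gets no systemd unit)
if [ "$OS" != "alpine" ] ; then
  echo "[*] Copy UI"
  do_and_check_cmd cp -r /tmp/bunkerized-nginx/ui /opt/bunkerized-nginx
  do_and_check_cmd cp /tmp/bunkerized-nginx/ui/bunkerized-nginx-ui.service /etc/systemd/system
fi

# Copy bunkerized-nginx
echo "[*] Copy bunkerized-nginx"
do_and_check_cmd cp /tmp/bunkerized-nginx/helpers/bunkerized-nginx /usr/local/bin

# Create nginx user.
# The pattern is anchored to the start of the line: an unanchored "nginx:"
# also matches any other passwd entry that merely contains that text (for
# example an account whose name ends in "nginx"), which would skip the
# creation of the account the chown calls below depend on.
if ! grep -q '^nginx:' /etc/passwd ; then
  echo "[*] Add nginx user"
  do_and_check_cmd useradd -d /opt/bunkerized-nginx -s /usr/sbin/nologin nginx
fi

# Create the working folders under /opt/bunkerized-nginx that are not part of
# the copied tree; an existing folder is left untouched.
for bn_folder in www http-confs server-confs modsec-confs modsec-crs-confs \
                 cache pre-server-confs acme-challenge plugins ; do
  if [ ! -d "/opt/bunkerized-nginx/${bn_folder}" ] ; then
    echo "[*] Create /opt/bunkerized-nginx/${bn_folder} folder"
    do_and_check_cmd mkdir "/opt/bunkerized-nginx/${bn_folder}"
  fi
done

# Set permissions for /opt/bunkerized-nginx: owned by root, readable by the
# nginx group, nothing for others. Only cache and acme-challenge are made
# group-writable.
echo "[*] Set permissions on files and folders"
do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx
do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;
do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py

# Set permissions for /usr/local/bin/bunkerized-nginx
do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx
do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx

# Set permissions for /opt
do_and_check_cmd chmod u+rx /opt

# Set permissions for /etc/nginx.
# NOTE(review): unlike /opt/bunkerized-nginx, this tree is handed to
# nginx:nginx with files 0774 and folders 0775, so the nginx account can
# rewrite the server configuration, every file is world-readable, and plain
# config files carry the execute bit. Presumably the generator writes here as
# nginx; confirm, and tighten the "other" bits if nothing relies on them.
do_and_check_cmd chown -R nginx:nginx /etc/nginx
do_and_check_cmd find /etc/nginx -type f -exec chmod 0774 {} \;
do_and_check_cmd find /etc/nginx -type d -exec chmod 0775 {} \;

# Set permissions for /etc/systemd/system/bunkerized-nginx-ui.service
# NOTE(review): 744 marks the unit file executable, which a unit file does
# not need; 644 is the usual mode.
if [ "$OS" != "alpine" ] ; then
  do_and_check_cmd chown root:root /etc/systemd/system/bunkerized-nginx-ui.service
  do_and_check_cmd chmod 744 /etc/systemd/system/bunkerized-nginx-ui.service
fi

# Prepare log files and folders
echo "[*] Prepare log files and folders"
if [ ! -e "/var/log/nginx" ] ; then
  do_and_check_cmd mkdir /var/log/nginx
fi
for bn_log in access.log error.log modsec_audit.log jobs.log ui.log ; do
  if [ ! -e "/var/log/nginx/${bn_log}" ] ; then
    do_and_check_cmd touch "/var/log/nginx/${bn_log}"
  fi
done
# NOTE(review): the recursive 770 also sets the execute bit on the log files
# themselves and lets the nginx group rewrite or delete existing logs.
do_and_check_cmd chown -R root:nginx /var/log/nginx
do_and_check_cmd chmod -R 770 /var/log/nginx/

# Prepare Let's Encrypt files and folders: each one is created when missing,
# then given to root:nginx with mode 770 (not recursive).
echo "[*] Prepare Let's Encrypt files and folders"
for le_folder in /var/log/letsencrypt /etc/letsencrypt /var/lib/letsencrypt ; do
  if [ ! -e "$le_folder" ] ; then
    do_and_check_cmd mkdir "$le_folder"
  fi
  do_and_check_cmd chown root:nginx "$le_folder"
  do_and_check_cmd chmod 770 "$le_folder"
done

# Install cron: the per-user crontab location differs between distributions.
# The file comes from the cloned tree and defines jobs for the nginx account.
echo "[*] Add jobs to crontab"
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
  CRON_PATH="/var/spool/cron/crontabs/nginx"
elif [ "$OS" = "centos" ] || [ "$OS" = "fedora" ] ; then
  CRON_PATH="/var/spool/cron/nginx"
elif [ "$OS" = "alpine" ] ; then
  CRON_PATH="/etc/crontabs/nginx"
fi
do_and_check_cmd cp /tmp/bunkerized-nginx/misc/cron "$CRON_PATH"
do_and_check_cmd chown root:nginx "$CRON_PATH"
do_and_check_cmd chmod 740 "$CRON_PATH"

# Initial population of the block lists and the geoip database.
# NOTE(review): these scripts were copied from the cloned tree above and are
# executed here by the installer itself, i.e. with the installer's privileges
# (presumably root). What they download and how it is verified is not visible
# in this file.

# Download abusers list
echo "[*] Download abusers list"
do_and_check_cmd /opt/bunkerized-nginx/scripts/abusers.sh

# Download TOR exit nodes list
echo "[*] Download TOR exit nodes list"
do_and_check_cmd /opt/bunkerized-nginx/scripts/exit-nodes.sh

# Download proxies list
echo "[*] Download proxies list"
do_and_check_cmd /opt/bunkerized-nginx/scripts/proxies.sh

# Download referrers list
echo "[*] Download referrers list"
do_and_check_cmd /opt/bunkerized-nginx/scripts/referrers.sh

# Download user agents list
echo "[*] Download user agents list"
do_and_check_cmd /opt/bunkerized-nginx/scripts/user-agents.sh

# Download geoip database
echo "[*] Download geoip DB"
do_and_check_cmd /opt/bunkerized-nginx/scripts/geoip.sh

# We're done
echo "[*] Remove temp files"
do_and_check_cmd rm -rf /tmp/bunkerized-nginx
echo "[*] bunkerized-nginx successfully installed !"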