prepare /www directory, fix log socket path and whitelist acme challenges path

This commit is contained in:
bunkerity 2021-03-14 12:33:59 +01:00
parent 33163f65b3
commit 0d3da03534
5 changed files with 16 additions and 7 deletions


@ -49,8 +49,8 @@ http {
# write logs to local syslog
log_format logf '%LOG_FORMAT%';
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 warn;
# temp paths
proxy_temp_path /tmp/proxy_temp;
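Review bot: Pointing the syslog transport at `unix:/tmp/log` (L16–L17, assuming that pair is the new side — the rendered page has lost the +/- markers) puts the log socket in a world-writable, shared directory, where any other local process that gets there first can create or replace the path and silently capture or spoof nginx's access and error records. If the syslog daemon really listens there, make sure the socket exists before nginx starts and that `/tmp` is not shared with less-privileged users in the container; otherwise a dedicated, root-owned run directory (`<private-run-dir>/log`) is the safer home for it. The `http {}` block this hunk sits in starts and ends outside the hunk.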


@ -3,6 +3,7 @@ set $session_check_addr on;
access_by_lua_block {
local use_lets_encrypt = %USE_LETS_ENCRYPT%
local use_whitelist_ip = %USE_WHITELIST_IP%
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local use_user_agent = %USE_USER_AGENT%
@ -31,6 +32,11 @@ local recaptcha = require "recaptcha"
local antibot_uri = "%ANTIBOT_URI%"
local whitelist_useragent_list = {%WHITELIST_USERAGENT_LIST%}
-- check if it's let's encrypt bot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
ngx.exit(ngx.OK)
end
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
ngx.exit(ngx.OK)
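Review bot: The ACME bypass on the added line `if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then` cannot match the real challenge path: in a Lua pattern an unescaped `-` after a single character is the lazy-repetition quantifier, so `well-known` is read as `wel`, zero or more `l`, then `known`, and the literal hyphen in the request fails the match (the unescaped `.` is likewise any-character rather than a literal dot). Escape the magic characters, and match on the normalized `ngx.var.uri` rather than the raw `request_uri`, so that `..` segments, percent-encoded forms or a query string cannot turn a non-ACME request into one that skips every later access check through `ngx.exit(ngx.OK)`: `if use_lets_encrypt and string.match(ngx.var.uri, "^/%.well%-known/acme%-challenge/") then`. The enclosing access_by_lua_block starts before this hunk and continues past it.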


@ -9,11 +9,6 @@
# copy stub confs
cp /opt/confs/global/* /etc/nginx/
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# include server block(s)
if [ "$MULTISITE" = "yes" ] ; then
includes=""


@ -336,6 +336,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
if [ "$MULTISITE" = "no" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
else
@ -347,15 +348,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
fi
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
fi
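Review bot: The `%USE_LETS_ENCRYPT%` substitution is repeated in four branches (L59, L67, L72, L78) although its value depends on a single variable, which makes it easy to miss a branch when this chain grows. Compute it once before the outer `if` and substitute once, e.g. `use_lets_encrypt="false"`, `[ "$AUTO_LETS_ENCRYPT" = "yes" ] && use_lets_encrypt="true"`, `replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "$use_lets_encrypt"`. Because the placeholder is spliced into Lua source as a bare expression, keeping the substituted value restricted to the literals `true`/`false`, as this commit does, is what keeps that templating safe. `replace_in_file` and the outer `if` are defined outside this hunk.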


@ -6,6 +6,10 @@ apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clama
# custom entrypoint
mkdir /opt/entrypoint.d
# prepare /www
chown -R root:nginx /www
chmod -R 770 /www
# prepare /opt
chown -R root:nginx /opt
find /opt -type f -exec chmod 0740 {} \;
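Review bot: `chmod -R 770 /www` makes every file under the document root group-writable for the nginx group, so a compromised worker process running under that group can rewrite served content, and the recursive mode also sets the execute bit on plain files. The `/opt` block right below (`find /opt -type f -exec chmod 0740 {} \;`) already uses the per-type pattern; applying it here, `find /www -type d -exec chmod 750 {} \;` and `find /www -type f -exec chmod 640 {} \;`, keeps content read-only for the worker. If the certbot webroot plugin has to write challenge files as the nginx group (not visible in this hunk — TODO confirm), grant write on the `.well-known/acme-challenge` subtree only rather than on the whole tree. The hunk header announces 10 new lines while fewer are shown, so the section may continue beyond what is visible here.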