prepare /www directory, fix log socket path and whitelist acme challenges path
parent
33163f65b3
commit
0d3da03534
@ -49,8 +49,8 @@ http {
|
|||
|
||||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
|
||||
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
|
||||
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 warn;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
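Review bot: The syslog target on the `access_log` and `error_log` lines moves to a socket under `/tmp` (assuming, from the commit title, that the `unix:/tmp/log` lines are the new side); `/tmp` is world-writable, so any other local process can create `/tmp/log` before the log daemon binds it, and the workers' access and error records would then be delivered to that process instead of the daemon. A socket path in a directory owned by the logging daemon with restricted permissions (for instance under `/run`) avoids that race. If the image's daemon only listens on `/tmp/log`, that dependency should at least be stated next to `# write logs to local syslog`, e.g. `# the syslog daemon shipped in this image listens on unix:/tmp/log`.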
|
||||
@ -3,6 +3,7 @@ set $session_check_addr on;
|
|||
|
||||
access_by_lua_block {
|
||||
|
||||
local use_lets_encrypt = %USE_LETS_ENCRYPT%
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local use_user_agent = %USE_USER_AGENT%
|
||||
|
@ -31,6 +32,11 @@ local recaptcha = require "recaptcha"
|
|||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
local whitelist_useragent_list = {%WHITELIST_USERAGENT_LIST%}
|
||||
|
||||
-- check if it's let's encrypt bot
|
||||
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
ngx.exit(ngx.OK)
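Review bot: The new let's-encrypt check matches the prefix against `ngx.var.request_uri`, the raw, un-normalized request line including the query string, while nginx routes on the normalized `$uri`; a request can therefore satisfy this prefix yet be served from a different location, and because `ngx.exit(ngx.OK)` ends the access phase here, every later check in the block (whitelist, user agent, antibot) is skipped for it. Match on `ngx.var.uri` instead. The pattern also leaves `.` and `-` unescaped, and both are magic in Lua patterns (`.` matches any byte, `l-` and `e-` are lazy repetitions), so it accepts more than the literal path: `if use_lets_encrypt and string.match(ngx.var.uri, "^/%.well%-known/acme%-challenge/") then`. The earlier hunk's `local use_lets_encrypt = %USE_LETS_ENCRYPT%` is substituted into Lua source, so the entrypoint must always replace it with a Lua boolean literal; a comment such as `-- %USE_LETS_ENCRYPT% is replaced by the entrypoint with true or false` would make that contract visible. The `access_by_lua_block` continues outside the hunk.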
|
||||
|
@ -9,11 +9,6 @@
|
|||
# copy stub confs
|
||||
cp /opt/confs/global/* /etc/nginx/
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
apk add $ADDITIONAL_MODULES
|
||||
fi
|
||||
|
||||
# include server block(s)
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
includes=""
|
||||
|
@ -336,6 +336,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
|
|||
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "true"
|
||||
if [ "$MULTISITE" = "no" ] ; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
else
|
||||
|
@ -347,15 +348,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
|
|||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
|
||||
fi
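Review bot: `%USE_LETS_ENCRYPT%` is now substituted in four separate branches (the `"true"` in the previous hunk and the three `"false"` lines here); any branch added later without its own `replace_in_file` leaves the literal placeholder inside the Lua block of `main-lua.conf`, which is not valid Lua, and the failure surfaces in nginx rather than in this script. Setting the default once before the HTTPS `if` chain, `replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_LETS_ENCRYPT%" "false"`, and overriding it with `"true"` only in the `AUTO_LETS_ENCRYPT` branch keeps the substitution in one place and drops three of the new lines. The enclosing `if` starts before the first hunk and the `else` at the end belongs to it.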
|
||||
|
||||
@ -6,6 +6,10 @@ apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clama
|
|||
# custom entrypoint
|
||||
mkdir /opt/entrypoint.d
|
||||
|
||||
# prepare /www
|
||||
chown -R root:nginx /www
|
||||
chmod -R 770 /www
|
||||
|
||||
# prepare /opt
|
||||
chown -R root:nginx /opt
|
||||
find /opt -type f -exec chmod 0740 {} \;
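Review bot: `chmod -R 770 /www` gives the `nginx` group write access to the entire document root and sets the execute bit on every regular file, which nothing visible here needs; a worker process that is compromised could then alter served content. Least privilege for a web root is group read-only, with write granted only on the directory the ACME challenge responder writes to, and only if that responder runs as a non-root user (its identity is not visible in this hunk). The `/opt` block below already splits the mode by type, so the same shape fits here after `chown -R root:nginx /www`: `find /www -type d -exec chmod 0750 {} \;` and `find /www -type f -exec chmod 0640 {} \;`.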
|
||||
|