logrotate support
This commit is contained in:
bunkerity
parent
f30a06d943
commit
1aa1dcf50d
|
|
@ -10,6 +10,7 @@ COPY confs/ /opt/confs
|
|||
COPY scripts/ /opt/scripts
|
||||
COPY misc/*.mmdb /etc/nginx/geoip.mmdb
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
|
|
|
|||
26
README.md
26
README.md
|
|
@ -119,7 +119,7 @@ A use case to not serving files is when you setup bunkerized-nginx as a reverse
|
|||
`ROOT_FOLDER`
|
||||
Values : *\<any valid path to web files\>
|
||||
Default value : */www*
|
||||
The default folder where nginx will search for web files. Don't change it unless you want to make your own image (TODO).
|
||||
The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
|
||||
|
||||
`MAX_CLIENT_SIZE`
|
||||
Values : *0* | *Xm*
|
||||
|
|
@ -164,6 +164,12 @@ Values : *\<any valid text\>*
|
|||
Default value : *Restricted area*
|
||||
The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
|
||||
|
||||
`ERROR_XXX`
|
||||
Values : *\<relative path to the error page\>*
|
||||
Default value :
|
||||
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
|
||||
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
|
||||
|
||||
## HTTPS
|
||||
`AUTO_LETS_ENCRYPT`
|
||||
Values : *yes* | *no*
|
||||
|
|
@ -383,6 +389,16 @@ Default value :
|
|||
You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.
|
||||
A use case is to use this to install PHP extensions (e.g. : php7-json php7-xml php7-curl ...).
|
||||
|
||||
`LOGROTATE_MINSIZE`
|
||||
Values : *x* | *xk* | *xM* | *xG*
|
||||
Default value : 10M
|
||||
The minimum size of a log file before being rotated (no letter = bytes, k = kilobytes, M = megabytes, G = gigabytes).
|
||||
|
||||
`LOGROTATE_MAXAGE`
|
||||
Values : *\<any integer\>*
|
||||
Default value : 7
|
||||
The number of days before rotated files are deleted.
|
||||
|
||||
# Create your own image
|
||||
|
||||
You can use bunkerity/bunkerized-nginx as a base image for your web application.
|
||||
|
|
@ -408,6 +424,8 @@ ENV WRITE_ACCESS yes
|
|||
ENV ADDITIONAL_MODULES php7-mysqli php7-json php7-session
|
||||
```
|
||||
|
||||
You can have a look at (bunkerized-phpmyadmin)[https://github.com/bunkerity/bunkerized-phpmyadmin] which is a secure phpMyAdmin Docker image based on bunkerized-nginx.
|
||||
|
||||
# Include custom configurations
|
||||
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
|
||||
- /http-confs : http context
|
||||
|
|
@ -419,11 +437,9 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
|
|||
```
|
||||
|
||||
# TODO
|
||||
- logrotate
|
||||
- readme : custom errors
|
||||
- remove nginx on default error pages
|
||||
- nginx compile flags
|
||||
- search for hardcoded /www in configs
|
||||
- Antibot with recaptcha v3
|
||||
- HSTS preload, HPKP
|
||||
- Web UI
|
||||
- Full documentation
|
||||
- nginx compile flags ?
|
||||
|
|
|
|||
|
|
@ -29,11 +29,14 @@ git clone https://github.com/AirisX/nginx_cookie_flag_module.git
|
|||
|
||||
# compile and install nginx
|
||||
cd /tmp
|
||||
git clone https://github.com/nginx/nginx.git
|
||||
cd nginx
|
||||
VERSION="1.18.0"
|
||||
wget https://nginx.org/download/nginx-${VERSION}.tar.gz
|
||||
tar -xvzf nginx-${VERSION}.tar.gz
|
||||
cd nginx-${VERSION}
|
||||
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
|
||||
make -j $NTASK
|
||||
make install
|
||||
strip /usr/sbin/nginx
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
error_page %CODE% %PAGE%;
|
||||
|
||||
location = %PAGE% {
|
||||
root /www;
|
||||
root %ROOT_FOLDER%;
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -38,7 +38,8 @@ function replace_in_file() {
|
|||
cp /opt/confs/*.conf /etc/nginx
|
||||
cp -r /opt/confs/owasp-crs /etc/nginx
|
||||
cp /opt/confs/php.ini /etc/php7/php.ini
|
||||
cp /opt/confs/syslog.conf /etc/syslog.conf
|
||||
cp /opt/logs/syslog.conf /etc/syslog.conf
|
||||
cp /opt/logs/logrotate.conf /etc/logrotate.conf
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
|
@ -105,8 +106,8 @@ AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
|
|||
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
|
||||
USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
|
||||
ROOT_FOLDER="${ROOT_FOLDER-/www}"
|
||||
SYSLOG_MAXSIZE="${SYSLOG_MAXSIZE-1000}"
|
||||
SYSLOG_KEEP="${SYSLOG_KEEP-10}"
|
||||
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
|
||||
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
|
@ -317,6 +318,7 @@ for var in $(env) ; do
|
|||
cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
|
||||
ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
|
||||
fi
|
||||
done
|
||||
|
|
@ -394,7 +396,7 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
|
|||
fi
|
||||
|
||||
# start syslogd
|
||||
syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"
|
||||
syslogd -S
|
||||
|
||||
# start PHP
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
|
|
@ -421,6 +423,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
|||
fail2ban-server > /dev/null
|
||||
fi
|
||||
|
||||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
echo "0 0 * * * logrotate -f /etc/logrotate.conf > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
|
||||
# display logs
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
tail -f /var/log/nginx.log /var/log/php.log &
|
||||
|
|
|
|||
|
|
@ -0,0 +1,19 @@
|
|||
/var/log/messages /var/log/*.log /var/log/clamav/*.log /var/log/php7/*.log {
|
||||
# compress old files using gzip
|
||||
compress
|
||||
|
||||
# rotate everyday
|
||||
daily
|
||||
|
||||
# remove old logs after X days
|
||||
maxage %LOGROTATE_MAXAGE%
|
||||
|
||||
# no errors if a file is missing
|
||||
missingok
|
||||
|
||||
# disable mailing
|
||||
nomail
|
||||
|
||||
# mininum size of a logfile before rotating
|
||||
minsize %LOGROTATE_MINSIZE%
|
||||
}
|
||||
Loading…
Reference in New Issue