linux/docker - common /opt/bunkerized-nginx folder

.github/workflows/linux-bunkerized-nginx.yml

@@ -0,0 +1,20 @@
+name: Automatic test for Linux
+
+on:
+  push:
+    branches: [dev, master]
+  pull_request:
+    branches: [dev, master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Debian test
+        run: ./tests/linux.sh debian:buster-slim
+      - name: Ubuntu test
+        run: ./tests/linux.sh ubuntu:focal
+      - name: CentOS test
+        run: ./tests/linux.sh centos.sh

Dockerfile

@@ -9,14 +9,14 @@ RUN apk add --no-cache bash && \
 RUN apk add --no-cache certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip && \
     pip3 install jinja2
 
-COPY gen/ /opt/gen
-COPY entrypoint/ /opt/entrypoint
-COPY confs/ /opt/confs
-COPY scripts/ /opt/scripts
+COPY gen/ /opt/bunkerized-nginx/gen
+COPY entrypoint/ /opt/bunkerized-nginx/entrypoint
+COPY confs/ /opt/bunkerized-nginx/confs
+COPY scripts/ /opt/bunkerized-nginx/scripts
 COPY lua/ /usr/local/lib/lua
-COPY antibot/ /antibot
-COPY defaults/ /defaults
-COPY settings.json /opt
+COPY antibot/ /opt/bunkerized-nginx/antibot
+COPY defaults/ /opt/bunkerized-nginx/defaults
+COPY settings.json /opt/bunkerized-nginx
 COPY misc/cron /etc/crontabs/nginx
 
 COPY prepare.sh /tmp/prepare.sh
@@ -35,4 +35,4 @@ USER nginx:nginx
 
 HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1
 
-ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
+ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"]

confs/global/nginx.conf

@@ -108,7 +108,7 @@ http {
 	{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
 
 	# custom http confs
-	include /http-confs/*.conf;
+	include /opt/bunkerized-nginx/http-confs/*.conf;
 
 	# LUA init block
 	include /etc/nginx/init-lua.conf;

confs/site/modsecurity-rules.conf

@@ -58,11 +58,11 @@ SecAuditLog /var/log/nginx/modsec_audit.log
 include /opt/bunkerized-nginx/crs-setup.conf
 
 # custom CRS configurations before loading rules (exclusions) 
-{% if is_custom_conf("/modsec-crs-confs") %}
-include /modsec-crs-confs/*.conf
+{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") %}
+include /opt/bunkerized-nginx/modsec-crs-confs/*.conf
 {% endif %}
-{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
-include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
+{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) %}
+include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
 {% endif %}
 
 # include OWASP CRS rules
@@ -70,9 +70,9 @@ include /opt/bunkerized-nginx/crs/*.conf
 {% endif %}
 
 # custom rules after loading the CRS
-{% if is_custom_conf("/modsec-confs") %}
-include /modsec-confs/*.conf
+{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") %}
+include /opt/bunkerized-nginx/modsec-confs/*.conf
 {% endif %}
-{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
-include /modsec-confs/{{ FIRST_SERVER }}/*.conf
+{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) %}
+include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf
 {% endif %}

confs/site/server.conf

@@ -1,7 +1,7 @@
 # custom config before server block
-include /pre-server-confs/*.conf;
+include /opt/bunkerized-nginx/pre-server-confs/*.conf;
 {% if MULTISITE == "yes" %}
-include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
+include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf;
 {% endif %}
 
 server {
@@ -12,9 +12,9 @@ server {
 {% endif %}
 
 	# custom config
-	include /server-confs/*.conf;
+	include /opt/bunkerized-nginx/server-confs/*.conf;
 {% if MULTISITE == "yes" %}
-	include /server-confs/{{ FIRST_SERVER }}/*.conf;
+	include /opt/bunkerized-nginx/server-confs/{{ FIRST_SERVER }}/*.conf;
 {% endif %}
 
 	# proxy real IP

entrypoint/certbot.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1)
@@ -9,7 +9,7 @@ if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}"
 	if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then
 		echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..."
-		/opt/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
+		/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
 	fi
 elif [ "$MULTISITE" = "yes" ] ; then
 	servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
@@ -22,7 +22,7 @@ elif [ "$MULTISITE" = "yes" ] ; then
 			if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
 				EMAIL_LETS_ENCRYPT="contact@${server}"
 			fi
-			/opt/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
+			/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
 		fi
 	done
 fi

entrypoint/entrypoint.sh

@@ -16,14 +16,14 @@ trap "trap_exit" TERM INT QUIT
 function trap_reload() {
 	echo "[*] Catched reload operation"
 	if [ "$SWARM_MODE" != "yes" ] ; then
-		/opt/entrypoint/pre-jobs.sh
+		/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
 		nginx -s reload
 		if [ $? -eq 0 ] ; then
 			echo "[*] Reload successfull"
-			/opt/entrypoint/post-jobs.sh
+			/opt/bunkerized-nginx/entrypoint/post-jobs.sh
 		else
 			echo "[!] Reload failed"
 		fi
@@ -40,16 +40,16 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
 
 	# check permissions
 	if [ "$SWARM_MODE" != "yes" ] ; then
-		/opt/entrypoint/permissions.sh
+		/opt/bunkerized-nginx/entrypoint/permissions.sh
 	else
-		/opt/entrypoint/permissions-swarm.sh
+		/opt/bunkerized-nginx/entrypoint/permissions-swarm.sh
 	fi
 	if [ "$?" -ne 0 ] ; then
 		exit 1
 	fi
 
 	# start temp nginx to solve Let's Encrypt challenges if needed
-	/opt/entrypoint/nginx-temp.sh
+	/opt/bunkerized-nginx/entrypoint/nginx-temp.sh
 
 	# only do config if we are not in swarm mode
 	if [ "$SWARM_MODE" != "yes" ] ; then
@@ -57,10 +57,10 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
 		env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
 
 		# call the generator
-		/opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
+		/opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env
 
 		# pre-jobs
-		/opt/entrypoint/pre-jobs.sh
+		/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
 	fi
 else
 	echo "[*] Skipping configuration process"
@@ -90,7 +90,7 @@ pid="$!"
 # autotest
 if [ "$1" == "test" ] ; then
 	sleep 10
-	echo -n "autotest" > /www/index.html
+	echo -n "autotest" > /opt/bunkerized-nginx/www/index.html
 	check=$(curl -H "User-Agent: legit" "http://localhost:8080")
 	if [ "$check" == "autotest" ] ; then
 		exit 0
@@ -99,7 +99,7 @@ if [ "$1" == "test" ] ; then
 fi
 
 # post jobs
-/opt/entrypoint/post-jobs.sh
+/opt/bunkerized-nginx/entrypoint/post-jobs.sh
 
 # wait for nginx
 wait "$pid"

entrypoint/nginx-temp.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 # start nginx with temp conf for let's encrypt challenges and API
 if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] || [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
-	cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
-	cp /opt/confs/global/api-temp.conf /tmp/api.conf
+	cp /opt/bunkerized-nginx/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
+	cp /opt/bunkerized-nginx/confs/global/api-temp.conf /tmp/api.conf
 	if [ "$SWARM_MODE" = "yes" ] ; then
 		replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
 		replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"

entrypoint/post-jobs.sh

@@ -1,16 +1,16 @@
 #!/bin/bash
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 # User-Agents
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
 		echo "[*] Copying cached user-agents.list ..."
-		cp /cache/user-agents.list /etc/nginx/user-agents.list
+		cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list
 	elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
 		echo "[*] Downloading bad user-agent list (in background) ..."
-		/opt/scripts/user-agents.sh > /dev/null 2>&1 &
+		/opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -18,10 +18,10 @@ fi
 if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 	if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
 		echo "[*] Copying cached referrers.list ..."
-		cp /cache/referrers.list /etc/nginx/referrers.list
+		cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list
 	elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
 		echo "[*] Downloading bad referrer list (in background) ..."
-		/opt/scripts/referrers.sh > /dev/null 2>&1 &
+		/opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -29,10 +29,10 @@ fi
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 	if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
 		echo "[*] Copying cached tor-exit-nodes.list ..."
-		cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
+		cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
 	elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
 		echo "[*] Downloading tor exit nodes list (in background) ..."
-		/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
+		/opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -40,10 +40,10 @@ fi
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
 	if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
 		echo "[*] Copying cached proxies.list ..."
-		cp /cache/proxies.list /etc/nginx/proxies.list
+		cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list
 	elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
 		echo "[*] Downloading proxies list (in background) ..."
-		/opt/scripts/proxies.sh > /dev/null 2>&1 &
+		/opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 &
 	fi
 fi
 
@@ -51,9 +51,9 @@ fi
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
 	if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
 		echo "[*] Copying cached abusers.list ..."
-		cp /cache/abusers.list /etc/nginx/abusers.list
+		cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list
 	elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
 		echo "[*] Downloading abusers list (in background) ..."
-		/opt/scripts/abusers.sh > /dev/null 2>&1 &
+		/opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 &
 	fi
 fi

entrypoint/pre-jobs.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 # self signed certs for sites
 files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
@@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then
 		if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
 			EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
 		fi
-		certbot_output=$(/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
+		certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
 		if [ $? -eq 0 ] ; then
 			echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
 		else
@@ -70,11 +70,11 @@ fi
 
 # GeoIP
 if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
-	if [ -f "/cache/geoip.mmdb" ] ; then
+	if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
-		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
+		cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
 	elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
 		echo "[*] Downloading GeoIP database ..."
-		/opt/scripts/geoip.sh > /dev/null 2>&1
+		/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
 	fi
 fi

helpers/install.sh

@@ -115,7 +115,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua/* /usr/local/lib/lua
 echo "[*] Copy antibot"
 do_and_check_cmd cp -r /tmp/bunkerized-nginx/antibot /opt/bunkerized-nginx
 
-# Copy antibot
+# Copy defaults
 echo "[*] Copy defaults"
 do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx
 
@@ -129,6 +129,69 @@ if [ "$(grep "nginx:" /etc/passwd)" = "" ] ; then
 	do_and_check_cmd useradd -d /opt/bunkerized-nginx -s /usr/sbin/nologin nginx
 fi
 
+# Create www folder
+if [ ! -d "/opt/bunkerized-nginx/www" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/www folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/www
+fi
+
+# Create http-confs folder
+if [ ! -d "/opt/bunkerized-nginx/http-confs" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/http-confs folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/http-confs
+fi
+
+# Create server-confs folder
+if [ ! -d "/opt/bunkerized-nginx/server-confs" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/server-confs folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/server-confs
+fi
+
+# Create modsec-confs folder
+if [ ! -d "/opt/bunkerized-nginx/modsec-confs" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/modsec-confs folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-confs
+fi
+
+# Create modsec-crs-confs folder
+if [ ! -d "/opt/bunkerized-nginx/modsec-crs-confs" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/modsec-crs-confs folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-crs-confs
+fi
+
+# Create cache folder
+if [ ! -d "/opt/bunkerized-nginx/cache" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/cache folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/cache
+fi
+
+# Create pre-server-confs folder
+if [ ! -d "/opt/bunkerized-nginx/pre-server-confs" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/pre-server-confs folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/pre-server-confs
+fi
+
+# Create acme-challenge folder
+if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/acme-challenge folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/acme-challenge
+fi
+
+# Create plugins folder
+if [ ! -d "/opt/bunkerized-nginx/plugins" ] ; then
+	echo "[*] Create /opt/bunkerized-nginx/plugins folder"
+	do_and_check_cmd mkdir /opt/bunkerized-nginx/plugins
+fi
+
+# Set permissions for /opt/bunkerized-nginx
+echo "[*] Set permissions for /opt/bunkerized-nginx files and folders"
+do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx
+do_and_check_cmd find /opt -type f -exec chmod 0740 {} \;
+do_and_check_cmd find /opt -type d -exec chmod 0750 {} \;
+do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
+do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
+do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
+
 # Install cron
 echo "[*] Add jobs to crontab"
 if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
@@ -139,27 +202,27 @@ fi
 
 # Download abusers list
 echo "[*] Download abusers list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/abusers.sh
 
 # Download TOR exit nodes list
 echo "[*] Download TOR exit nodes list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/exit-nodes.sh
 
 # Download proxies list
 echo "[*] Download proxies list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/proxies.sh
 
 # Download referrers list
 echo "[*] Download referrers list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/referrers.sh
 
 # Download user agents list
 echo "[*] Download user agents list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/user-agents.sh
 
 # Download geoip database
 echo "[*] Download proxies list"
-# TODO : call external script
+do_and_check_cmd /opt/bunkerized-nginx/scripts/geoip.sh
 
 # We're done
 echo "[*] bunkerized-nginx successfully installed !"

misc/cron

@@ -1,7 +1,7 @@
-15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1
-30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1
-45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1
-0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1
-0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1
-0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1
-0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1
+15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1
+30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1
+45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1
+0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1
+0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1
+0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1
+0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1

prepare.sh

@@ -6,13 +6,13 @@ chown -R root:nginx /www
 chmod -R 770 /www
 
 # prepare /opt
-chown -R root:nginx /opt
+chown -R root:nginx /opt/bunkerized-nginx
 find /opt -type f -exec chmod 0740 {} \;
 find /opt -type d -exec chmod 0750 {} \;
-chmod ugo+x /opt/entrypoint/* /opt/scripts/*
-chmod ugo+x /opt/gen/main.py
-chmod 770 /opt
-chmod 440 /opt/settings.json
+chmod ugo+x /opt/bunkerized-nginx/entrypoint/* /opt/bunkerized-nginx/scripts/*
+chmod ugo+x /opt/bunkerized-nginx/gen/main.py
+chmod 770 /opt/bunkerized-nginx
+chmod 440 /opt/bunkerized-nginx/settings.json
 
 # prepare /etc/nginx
 for file in $(ls /etc/nginx) ; do
@@ -69,4 +69,15 @@ chmod 440 /etc/crontabs/nginx
 # prepare /plugins
 mkdir /plugins
 chown root:nginx /plugins
-chmod 770 /plugins
+chmod 770 /plugins
+
+# prepare symlinks
+ln -s /www /opt/bunkerized-nginx/www
+ln -s /http-confs /opt/bunkerized-nginx/http-confs
+ln -s /server-confs /opt/bunkerized-nginx/server-confs
+ln -s /modsec-confs /opt/bunkerized-nginx/modsec-confs
+ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs
+ln -s /cache /opt/bunkerized-nginx/cache
+ln -s /pre-server-confs /opt/bunkerized-nginx/pre-server-confs
+ln -s /acme-challenge /opt/bunkerized-nginx/acme-challenge
+ln -s /plugins /opt/bunkerized-nginx/plugins

scripts/abusers.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
 		$RELOAD > /dev/null 2>&1
 		# new config is ok : save it in the cache
 		if [ "$?" -eq 0 ] ; then
-			cp /tmp/abusers.list /cache
+			cp /tmp/abusers.list /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after abusers list update"
 		else
 			job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
@@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
 			$RELOAD > /dev/null 2>&1
 		fi
 	else
-		cp /tmp/abusers.list /cache
+		cp /tmp/abusers.list /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[BLACKLIST] can't update abusers list"

scripts/certbot-new.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # generate certificate
-certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos
+certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos
 if [ "$?" -ne 0 ] ; then
 	exit 1
 fi

scripts/certbot-renew-hook.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 job_log "[CERTBOT] certificates have been renewed"
 

scripts/certbot-renew.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -12,7 +12,7 @@ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
 fi
 
 # ask new certificates if needed
-certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
+certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh
 
 if [ "$?" -eq 0 ] ; then
 	job_log "[CERTBOT] renew operation done"

scripts/exit-nodes.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
 		$RELOAD > /dev/null 2>&1
 		# new config is ok : save it in the cache
 		if [ "$?" -eq 0 ] ; then
-			cp /tmp/tor-exit-nodes.list /cache
+			cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after TOR exit node list update"
 		else
 			job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
@@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
 			$RELOAD > /dev/null 2>&1
 		fi
 	else
-		cp /tmp/tor-exit-nodes.list /cache
+		cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[BLACKLIST] can't update TOR exit node list"

scripts/geoip.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -32,17 +32,17 @@ if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
 	if [ "$RELOAD" != "" ] ; then
 		$RELOAD > /dev/null 2>&1
 		if [ "$?" -eq 0 ] ; then
-			cp /etc/nginx/geoip.mmdb /cache
+			cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after GeoIP DB update"
 		else
 			job_log "[NGINX] failed nginx reload after GeoIP DB update"
-			if [ -f /cache/geoip.mmdb ] ; then
-				cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
+			if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then
+				cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
 				$RELOAD > /dev/null 2>&1
 			fi
 		fi
 	else
-		cp /etc/nginx/geoip.mmdb /cache
+		cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[GEOIP] can't download DB from $URL"

scripts/proxies.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
 		$RELOAD > /dev/null 2>&1
 		# new config is ok : save it in the cache
 		if [ "$?" -eq 0 ] ; then
-			cp /tmp/proxies.list /cache
+			cp /tmp/proxies.list /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after proxies list update"
 		else
 			job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
@@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
 			$RELOAD > /dev/null 2>&1
 		fi
 	else
-		cp /tmp/proxies.list /cache
+		cp /tmp/proxies.list /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[BLACKLIST] can't update proxies list"

scripts/referrers.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then
 	if [ "$RELOAD" != "" ] ; then
 		$RELOAD > /dev/null 2>&1
 		if [ "$?" -eq 0 ] ; then
-			cp /tmp/referrers.list /cache
+			cp /tmp/referrers.list /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after referrers list update"
 		else
 			#cp /tmp/referrers.list.bak /etc/nginx
@@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then
 			$RELOAD > /dev/null 2>&1
 		fi
 	else
-		cp /tmp/referrers.list /cache
+		cp /tmp/referrers.list /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[BLACKLIST] can't update referrers list"

scripts/user-agents.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # load some functions
-. /opt/entrypoint/utils.sh
+. /opt/bunkerized-nginx/entrypoint/utils.sh
 
 if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
 	exit 0
@@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then
 	if [ "$RELOAD" != "" ] ; then
 		$RELOAD > /dev/null 2>&1
 		if [ "$?" -eq 0 ] ; then
-			cp /tmp/user-agents.list /cache
+			cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
 			job_log "[NGINX] successfull nginx reload after user-agent list update"
 		else
 			#cp /tmp/user-agents.list.bak /etc/nginx
@@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then
 			$RELOAD > /dev/null 2>&1
 		fi
 	else
-		cp /tmp/user-agents.list /cache
+		cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
 	fi
 else
 	job_log "[BLACKLIST] can't update user-agent list"

settings.json

@@ -1190,7 +1190,7 @@
             },
             {
                 "context": "global",
-                "default": "/www",
+                "default": "/opt/bunkerized-nginx/www",
                 "env": "ROOT_FOLDER",
                 "id": "root-folder",
                 "label": "Root folder",

tests/linux.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+image="$1"
+
+echo "[*] Run $image"
+id="$(docker run -d -it "$image")"
+if [ $? -ne 0 ] ; then
+	echo "[!] docker run failed"
+	exit 1
+fi
+
+echo "[*] Copy dependencies.sh"
+docker cp helpers/dependencies.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+	echo "[!] docker cp failed"
+	exit 2
+fi
+
+echo "[*] Exec dependencies.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/dependencies.sh && /tmp/dependencies.sh'
+if [ $? -ne 0 ] ; then
+	echo "[!] docker exec failed"
+	exit 3
+fi
+
+echo "[*] Copy install.sh"
+docker cp helpers/install.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+	echo "[!] docker cp failed"
+	exit 4
+fi
+
+echo "[*] Exec install.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
+if [ $? -ne 0 ] ; then
+	echo "[!] docker exec failed"
+	exit 4
+fi
+
+echo "[*] Exec nginx -V"
+docker exec "$id" nginx -V
+if [ $? -ne 0 ] ; then
+	echo "[!] docker exec failed"
+	exit 5
+fi