linux/docker - common /opt/bunkerized-nginx folder
This commit is contained in:
parent
bbb5134a39
commit
1e02368e8a
24 changed files with 236 additions and 97 deletions
20
.github/workflows/linux-bunkerized-nginx.yml
vendored
Normal file
20
.github/workflows/linux-bunkerized-nginx.yml
vendored
Normal file
|
@ -0,0 +1,20 @@
|
|||
name: Automatic test for Linux
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [dev, master]
|
||||
pull_request:
|
||||
branches: [dev, master]
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v2
|
||||
- name: Debian test
|
||||
run: ./tests/linux.sh debian:buster-slim
|
||||
- name: Ubuntu test
|
||||
run: ./tests/linux.sh ubuntu:focal
|
||||
- name: CentOS test
|
||||
run: ./tests/linux.sh centos.sh
|
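Review bot: The CentOS step's `run: ./tests/linux.sh centos.sh` passes a script-like name where the Debian and Ubuntu steps pass an image reference (`debian:buster-slim`, `ubuntu:focal`); tests/linux.sh (added in this commit) hands `$1` straight to `docker run -d -it "$image"`, so this job will fail at `docker run` instead of exercising CentOS. It should be an image tag, e.g. `run: ./tests/linux.sh centos:8` (any CentOS tag the install script supports). The `centos` value of `$OS` is also the one install.sh branches on, so the job is worth keeping rather than dropping.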
16
Dockerfile
16
Dockerfile
|
@ -9,14 +9,14 @@ RUN apk add --no-cache bash && \
|
|||
RUN apk add --no-cache certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip && \
|
||||
pip3 install jinja2
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY gen/ /opt/bunkerized-nginx/gen
|
||||
COPY entrypoint/ /opt/bunkerized-nginx/entrypoint
|
||||
COPY confs/ /opt/bunkerized-nginx/confs
|
||||
COPY scripts/ /opt/bunkerized-nginx/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY defaults/ /defaults
|
||||
COPY settings.json /opt
|
||||
COPY antibot/ /opt/bunkerized-nginx/antibot
|
||||
COPY defaults/ /opt/bunkerized-nginx/defaults
|
||||
COPY settings.json /opt/bunkerized-nginx
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
|
@ -35,4 +35,4 @@ USER nginx:nginx
|
|||
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"]
|
||||
|
|
|
@ -108,7 +108,7 @@ http {
|
|||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
include /opt/bunkerized-nginx/http-confs/*.conf;
|
||||
|
||||
# LUA init block
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
|
|
@ -58,11 +58,11 @@ SecAuditLog /var/log/nginx/modsec_audit.log
|
|||
include /opt/bunkerized-nginx/crs-setup.conf
|
||||
|
||||
# custom CRS configurations before loading rules (exclusions)
|
||||
{% if is_custom_conf("/modsec-crs-confs") %}
|
||||
include /modsec-crs-confs/*.conf
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") %}
|
||||
include /opt/bunkerized-nginx/modsec-crs-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) %}
|
||||
include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS rules
|
||||
|
@ -70,9 +70,9 @@ include /opt/bunkerized-nginx/crs/*.conf
|
|||
{% endif %}
|
||||
|
||||
# custom rules after loading the CRS
|
||||
{% if is_custom_conf("/modsec-confs") %}
|
||||
include /modsec-confs/*.conf
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") %}
|
||||
include /opt/bunkerized-nginx/modsec-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) %}
|
||||
include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# custom config before server block
|
||||
include /pre-server-confs/*.conf;
|
||||
include /opt/bunkerized-nginx/pre-server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
|
@ -12,9 +12,9 @@ server {
|
|||
{% endif %}
|
||||
|
||||
# custom config
|
||||
include /server-confs/*.conf;
|
||||
include /opt/bunkerized-nginx/server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
include /opt/bunkerized-nginx/server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy real IP
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
|
@ -9,7 +9,7 @@ if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
|||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}"
|
||||
if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..."
|
||||
/opt/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
|
||||
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
elif [ "$MULTISITE" = "yes" ] ; then
|
||||
servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
|
||||
|
@ -22,7 +22,7 @@ elif [ "$MULTISITE" = "yes" ] ; then
|
|||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${server}"
|
||||
fi
|
||||
/opt/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
|
||||
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
|
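Review bot: The rewritten call `/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"` passes the literal string `EMAIL_LETS_ENCRYPT` as the second argument, not the variable that the `if [ "$EMAIL_LETS_ENCRYPT" = "" ]` block just above fills in; certbot-new.sh forwards `$2` to `--email`, so the multisite branch registers with an invalid address. Since the line is touched anyway, change it to `/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "$EMAIL_LETS_ENCRYPT"`. The single-site branch in the previous hunk already expands the variable correctly. The enclosing `for` loop starts outside the hunk.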
|
@ -16,14 +16,14 @@ trap "trap_exit" TERM INT QUIT
|
|||
function trap_reload() {
|
||||
echo "[*] Catched reload operation"
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/entrypoint/pre-jobs.sh
|
||||
/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
|
||||
fi
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
echo "[*] Reloading nginx ..."
|
||||
nginx -s reload
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Reload successfull"
|
||||
/opt/entrypoint/post-jobs.sh
|
||||
/opt/bunkerized-nginx/entrypoint/post-jobs.sh
|
||||
else
|
||||
echo "[!] Reload failed"
|
||||
fi
|
||||
|
@ -40,16 +40,16 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
|
|||
|
||||
# check permissions
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/entrypoint/permissions.sh
|
||||
/opt/bunkerized-nginx/entrypoint/permissions.sh
|
||||
else
|
||||
/opt/entrypoint/permissions-swarm.sh
|
||||
/opt/bunkerized-nginx/entrypoint/permissions-swarm.sh
|
||||
fi
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# start temp nginx to solve Let's Encrypt challenges if needed
|
||||
/opt/entrypoint/nginx-temp.sh
|
||||
/opt/bunkerized-nginx/entrypoint/nginx-temp.sh
|
||||
|
||||
# only do config if we are not in swarm mode
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
|
@ -57,10 +57,10 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
|
|||
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
|
||||
|
||||
# call the generator
|
||||
/opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
/opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
|
||||
# pre-jobs
|
||||
/opt/entrypoint/pre-jobs.sh
|
||||
/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
|
||||
fi
|
||||
else
|
||||
echo "[*] Skipping configuration process"
|
||||
|
@ -90,7 +90,7 @@ pid="$!"
|
|||
# autotest
|
||||
if [ "$1" == "test" ] ; then
|
||||
sleep 10
|
||||
echo -n "autotest" > /www/index.html
|
||||
echo -n "autotest" > /opt/bunkerized-nginx/www/index.html
|
||||
check=$(curl -H "User-Agent: legit" "http://localhost:8080")
|
||||
if [ "$check" == "autotest" ] ; then
|
||||
exit 0
|
||||
|
@ -99,7 +99,7 @@ if [ "$1" == "test" ] ; then
|
|||
fi
|
||||
|
||||
# post jobs
|
||||
/opt/entrypoint/post-jobs.sh
|
||||
/opt/bunkerized-nginx/entrypoint/post-jobs.sh
|
||||
|
||||
# wait for nginx
|
||||
wait "$pid"
|
||||
|
|
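Review bot: The generator line `/opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env` has no status check, unlike the permissions.sh call two hunks earlier which is followed by `if [ "$?" -ne 0 ] ; then exit 1 ; fi`; if rendering fails, the script still runs pre-jobs and starts nginx on whatever is left in /etc/nginx. Suggest appending `|| exit 1` to the generator line (or reusing the same `$?` block) so a configuration failure is fatal. The `/tmp/variables.env` dump on the context line above is built from the whole environment, so it presumably holds any secrets passed as env vars; worth confirming its mode restricts it to the nginx user (that code is outside the hunk).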
|
@ -1,12 +1,12 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
# start nginx with temp conf for let's encrypt challenges and API
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$SWARM_MODE" = "yes" ] || [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
cp /opt/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
|
||||
cp /opt/confs/global/api-temp.conf /tmp/api.conf
|
||||
cp /opt/bunkerized-nginx/confs/global/nginx-temp.conf /tmp/nginx-temp.conf
|
||||
cp /opt/bunkerized-nginx/confs/global/api-temp.conf /tmp/api.conf
|
||||
if [ "$SWARM_MODE" = "yes" ] ; then
|
||||
replace_in_file "/tmp/nginx-temp.conf" "%USE_API%" "include /tmp/api.conf;"
|
||||
replace_in_file "/tmp/api.conf" "%API_URI%" "$API_URI"
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
# User-Agents
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached user-agents.list ..."
|
||||
cp /cache/user-agents.list /etc/nginx/user-agents.list
|
||||
cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list
|
||||
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad user-agent list (in background) ..."
|
||||
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
|
||||
/opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -18,10 +18,10 @@ fi
|
|||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached referrers.list ..."
|
||||
cp /cache/referrers.list /etc/nginx/referrers.list
|
||||
cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list
|
||||
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad referrer list (in background) ..."
|
||||
/opt/scripts/referrers.sh > /dev/null 2>&1 &
|
||||
/opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -29,10 +29,10 @@ fi
|
|||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached tor-exit-nodes.list ..."
|
||||
cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading tor exit nodes list (in background) ..."
|
||||
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
|
||||
/opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -40,10 +40,10 @@ fi
|
|||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached proxies.list ..."
|
||||
cp /cache/proxies.list /etc/nginx/proxies.list
|
||||
cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list
|
||||
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading proxies list (in background) ..."
|
||||
/opt/scripts/proxies.sh > /dev/null 2>&1 &
|
||||
/opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -51,9 +51,9 @@ fi
|
|||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached abusers.list ..."
|
||||
cp /cache/abusers.list /etc/nginx/abusers.list
|
||||
cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list
|
||||
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading abusers list (in background) ..."
|
||||
/opt/scripts/abusers.sh > /dev/null 2>&1 &
|
||||
/opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
|
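Review bot: The cache check and the copy now disagree: `if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ]` still tests the old `/cache` path while the copy on the next line reads `/opt/bunkerized-nginx/cache/user-agents.list`. On the Docker image prepare.sh adds `ln -s /cache /opt/bunkerized-nginx/cache`, so both resolve, but on the Linux install (install.sh creates `/opt/bunkerized-nginx/cache` and nothing in its hunks creates `/cache`) the condition is always false and the cached list is never reused; every start falls through to the background download. The same mismatch is in the referrers, tor-exit-nodes, proxies and abusers hunks of this file. Point both the `-f` test and the `wc -l` at `/opt/bunkerized-nginx/cache/user-agents.list` (and the matching file in each sibling hunk).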
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
# self signed certs for sites
|
||||
files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
|
||||
|
@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then
|
|||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
|
||||
fi
|
||||
certbot_output=$(/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
|
||||
certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
|
||||
else
|
||||
|
@ -70,11 +70,11 @@ fi
|
|||
|
||||
# GeoIP
|
||||
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
|
||||
if [ -f "/cache/geoip.mmdb" ] ; then
|
||||
if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading GeoIP database ..."
|
||||
/opt/scripts/geoip.sh > /dev/null 2>&1
|
||||
/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -115,7 +115,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua/* /usr/local/lib/lua
|
|||
echo "[*] Copy antibot"
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/antibot /opt/bunkerized-nginx
|
||||
|
||||
# Copy antibot
|
||||
# Copy defaults
|
||||
echo "[*] Copy defaults"
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx
|
||||
|
||||
|
@ -129,6 +129,69 @@ if [ "$(grep "nginx:" /etc/passwd)" = "" ] ; then
|
|||
do_and_check_cmd useradd -d /opt/bunkerized-nginx -s /usr/sbin/nologin nginx
|
||||
fi
|
||||
|
||||
# Create www folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/www" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/www folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/www
|
||||
fi
|
||||
|
||||
# Create http-confs folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/http-confs" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/http-confs folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/http-confs
|
||||
fi
|
||||
|
||||
# Create server-confs folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/server-confs" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/server-confs folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/server-confs
|
||||
fi
|
||||
|
||||
# Create modsec-confs folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/modsec-confs" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/modsec-confs folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-confs
|
||||
fi
|
||||
|
||||
# Create modsec-crs-confs folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/modsec-crs-confs" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/modsec-crs-confs folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/modsec-crs-confs
|
||||
fi
|
||||
|
||||
# Create cache folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/cache" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/cache folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
|
||||
# Create pre-server-confs folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/pre-server-confs" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/pre-server-confs folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/pre-server-confs
|
||||
fi
|
||||
|
||||
# Create acme-challenge folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/acme-challenge" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/acme-challenge folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/acme-challenge
|
||||
fi
|
||||
|
||||
# Create plugins folder
|
||||
if [ ! -d "/opt/bunkerized-nginx/plugins" ] ; then
|
||||
echo "[*] Create /opt/bunkerized-nginx/plugins folder"
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/plugins
|
||||
fi
|
||||
|
||||
# Set permissions for /opt/bunkerized-nginx
|
||||
echo "[*] Set permissions for /opt/bunkerized-nginx files and folders"
|
||||
do_and_check_cmd chown -R root:nginx /opt/bunkerized-nginx
|
||||
do_and_check_cmd find /opt -type f -exec chmod 0740 {} \;
|
||||
do_and_check_cmd find /opt -type d -exec chmod 0750 {} \;
|
||||
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
|
||||
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
|
||||
|
||||
# Install cron
|
||||
echo "[*] Add jobs to crontab"
|
||||
if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
|
||||
|
@ -139,27 +202,27 @@ fi
|
|||
|
||||
# Download abusers list
|
||||
echo "[*] Download abusers list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/abusers.sh
|
||||
|
||||
# Download TOR exit nodes list
|
||||
echo "[*] Download TOR exit nodes list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/exit-nodes.sh
|
||||
|
||||
# Download proxies list
|
||||
echo "[*] Download proxies list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/proxies.sh
|
||||
|
||||
# Download referrers list
|
||||
echo "[*] Download referrers list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/referrers.sh
|
||||
|
||||
# Download user agents list
|
||||
echo "[*] Download user agents list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/user-agents.sh
|
||||
|
||||
# Download geoip database
|
||||
echo "[*] Download proxies list"
|
||||
# TODO : call external script
|
||||
do_and_check_cmd /opt/bunkerized-nginx/scripts/geoip.sh
|
||||
|
||||
# We're done
|
||||
echo "[*] bunkerized-nginx successfully installed !"
|
||||
|
|
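Review bot: `do_and_check_cmd find /opt -type f -exec chmod 0740 {} \;` and the `-type d -exec chmod 0750` line below it walk all of `/opt`, while the `chown -R root:nginx` just above is scoped to `/opt/bunkerized-nginx`; on a real Linux host this re-permissions every other package under /opt, cutting group/other access to software the script does not own. Scope both to the install directory: `do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;` and `do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;`. prepare.sh carries the same unscoped `find /opt` pair as unchanged context in its first hunk, where the container-only scope makes it less harmful but still inconsistent with the narrowed chown. Separately, the geoip step's message `echo "[*] Download proxies list"` in the last hunk is a copy-paste leftover and should read `echo "[*] Download geoip database"`.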
14
misc/cron
14
misc/cron
|
@ -1,7 +1,7 @@
|
|||
15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1
|
||||
30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1
|
||||
45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1
|
||||
0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1
|
||||
0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1
|
||||
0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1
|
||||
0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1
|
||||
15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1
|
||||
30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1
|
||||
45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1
|
||||
0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1
|
||||
0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1
|
||||
0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1
|
||||
0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
|
||||
|
|
21
prepare.sh
21
prepare.sh
|
@ -6,13 +6,13 @@ chown -R root:nginx /www
|
|||
chmod -R 770 /www
|
||||
|
||||
# prepare /opt
|
||||
chown -R root:nginx /opt
|
||||
chown -R root:nginx /opt/bunkerized-nginx
|
||||
find /opt -type f -exec chmod 0740 {} \;
|
||||
find /opt -type d -exec chmod 0750 {} \;
|
||||
chmod ugo+x /opt/entrypoint/* /opt/scripts/*
|
||||
chmod ugo+x /opt/gen/main.py
|
||||
chmod 770 /opt
|
||||
chmod 440 /opt/settings.json
|
||||
chmod ugo+x /opt/bunkerized-nginx/entrypoint/* /opt/bunkerized-nginx/scripts/*
|
||||
chmod ugo+x /opt/bunkerized-nginx/gen/main.py
|
||||
chmod 770 /opt/bunkerized-nginx
|
||||
chmod 440 /opt/bunkerized-nginx/settings.json
|
||||
|
||||
# prepare /etc/nginx
|
||||
for file in $(ls /etc/nginx) ; do
|
||||
|
@ -70,3 +70,14 @@ chmod 440 /etc/crontabs/nginx
|
|||
mkdir /plugins
|
||||
chown root:nginx /plugins
|
||||
chmod 770 /plugins
|
||||
|
||||
# prepare symlinks
|
||||
ln -s /www /opt/bunkerized-nginx/www
|
||||
ln -s /http-confs /opt/bunkerized-nginx/http-confs
|
||||
ln -s /server-confs /opt/bunkerized-nginx/server-confs
|
||||
ln -s /modsec-confs /opt/bunkerized-nginx/modsec-confs
|
||||
ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs
|
||||
ln -s /cache /opt/bunkerized-nginx/cache
|
||||
ln -s /pre-server-confs /opt/bunkerized-nginx/pre-server-confs
|
||||
ln -s /acme-challenge /opt/bunkerized-nginx/acme-challenge
|
||||
ln -s /plugins /opt/bunkerized-nginx/plugins
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/abusers.list /cache
|
||||
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after abusers list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
|
||||
|
@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/abusers.list /cache
|
||||
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update abusers list"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# generate certificate
|
||||
certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos
|
||||
certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
job_log "[CERTBOT] certificates have been renewed"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -12,7 +12,7 @@ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# ask new certificates if needed
|
||||
certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
|
||||
certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh
|
||||
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
job_log "[CERTBOT] renew operation done"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/tor-exit-nodes.list /cache
|
||||
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after TOR exit node list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
|
||||
|
@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/tor-exit-nodes.list /cache
|
||||
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update TOR exit node list"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -32,17 +32,17 @@ if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
|
|||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/geoip.mmdb /cache
|
||||
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after GeoIP DB update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after GeoIP DB update"
|
||||
if [ -f /cache/geoip.mmdb ] ; then
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then
|
||||
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/geoip.mmdb /cache
|
||||
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[GEOIP] can't download DB from $URL"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -36,7 +36,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/proxies.list /cache
|
||||
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after proxies list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
|
||||
|
@ -44,7 +44,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/proxies.list /cache
|
||||
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update proxies list"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/referrers.list /cache
|
||||
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after referrers list update"
|
||||
else
|
||||
#cp /tmp/referrers.list.bak /etc/nginx
|
||||
|
@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/referrers.list /cache
|
||||
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update referrers list"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
|
@ -39,7 +39,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/user-agents.list /cache
|
||||
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after user-agent list update"
|
||||
else
|
||||
#cp /tmp/user-agents.list.bak /etc/nginx
|
||||
|
@ -47,7 +47,7 @@ if [ "$lines" -gt 1 ] ; then
|
|||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/user-agents.list /cache
|
||||
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update user-agent list"
|
||||
|
|
|
@ -1190,7 +1190,7 @@
|
|||
},
|
||||
{
|
||||
"context": "global",
|
||||
"default": "/www",
|
||||
"default": "/opt/bunkerized-nginx/www",
|
||||
"env": "ROOT_FOLDER",
|
||||
"id": "root-folder",
|
||||
"label": "Root folder",
|
||||
|
|
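--- a/tests/linux.sh
+++ b/tests/linux.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+image="$1"
+
+echo "[*] Run $image"
+id="$(docker run -d -it "$image")"
+if [ $? -ne 0 ] ; then
+echo "[!] docker run failed"
+exit 1
+fi
+
+echo "[*] Copy dependencies.sh"
+docker cp helpers/dependencies.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+echo "[!] docker cp failed"
+exit 2
+fi
+
+echo "[*] Exec dependencies.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/dependencies.sh && /tmp/dependencies.sh'
+if [ $? -ne 0 ] ; then
+echo "[!] docker exec failed"
+exit 3
+fi
+
+echo "[*] Copy install.sh"
+docker cp helpers/install.sh "$id:/tmp"
+if [ $? -ne 0 ] ; then
+echo "[!] docker cp failed"
+exit 4
+fi
+
+echo "[*] Exec install.sh"
+docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
+if [ $? -ne 0 ] ; then
+echo "[!] docker exec failed"
+exit 4
+fi
+
+echo "[*] Exec nginx -V"
+docker exec "$id" nginx -V
+if [ $? -ne 0 ] ; then
+echo "[!] docker exec failed"
+exit 5
+fi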
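Review bot: The container started by `id="$(docker run -d -it "$image")"` is never stopped or removed; every `exit` branch and the successful end of the script leave it running, so each local invocation leaks a container and a failed run leaves a half-installed one behind. Add `cleanup() { docker rm -f "$id" > /dev/null 2>&1; }` and `trap cleanup EXIT` right after the `docker run` check so all paths tear it down. The second `docker cp` failure and the install.sh `docker exec` failure both `exit 4`, which makes them indistinguishable to the workflow; give the install step its own code (`exit 5`) and move `nginx -V` to `exit 6`. The `docker exec "$id" /bin/bash -c ...` lines assume bash in the image, which holds for the three images the workflow passes but is worth a comment at the top of the file.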