multisite - bug fixes
This commit is contained in:
bunkerity
parent
bd7997497b
commit
2da51d92a6
|
|
@ -19,7 +19,7 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash && \
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
|
||||
modsecurity_rules_file %MODSEC_RULES_FILE%;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass %REMOTE_PHP%:9000;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi.conf;
|
||||
include /etc/nginx/fastcgi.conf;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
server {
|
||||
include /server-confs/*.conf;
|
||||
include /etc/nginx/main-lua.conf;
|
||||
%SERVER_CONF%
|
||||
%MAIN_LUA%
|
||||
%PROXY_REAL_IP%
|
||||
%USE_MODSECURITY%
|
||||
%LISTEN_HTTP%
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
HTTP_PORT="${HTTP_PORT-8080}"
|
||||
HTTPS_PORT="${HTTPS_PORT-8443}"
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. ./opt/entrypoint/defaults.sh
|
||||
|
|
@ -32,7 +32,7 @@ if [ ! -f "/opt/installed" ] ; then
|
|||
echo "[*] Configuring bunkerized-nginx ..."
|
||||
/opt/entrypoint/global-config.sh
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
for server in "$SERVER_NAME" ; do
|
||||
for server in $SERVER_NAME ; do
|
||||
/opt/entrypoint/site-config.sh "$server"
|
||||
echo "[*] Multi site - $server configuration done"
|
||||
done
|
||||
|
|
@ -63,20 +63,22 @@ rsyslogd
|
|||
# start crond
|
||||
crond
|
||||
|
||||
# start nginx
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Running fail2ban ..."
|
||||
fail2ban-server > /dev/null
|
||||
fi
|
||||
|
||||
# start crowdsec
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
echo "[*] Running crowdsec ..."
|
||||
crowdsec
|
||||
fi
|
||||
|
||||
# start nginx
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
# autotest
|
||||
if [ "$1" == "test" ] ; then
|
||||
sleep 10
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
|
@ -20,7 +23,7 @@ fi
|
|||
# include server block(s)
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
includes=""
|
||||
for server in "$SERVER_NAME" ; do
|
||||
for server in $SERVER_NAME ; do
|
||||
includes="${includes}include /etc/nginx/${server}/server.conf;\n"
|
||||
done
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
|
||||
|
|
@ -54,7 +57,7 @@ fi
|
|||
|
||||
# self-signed certificate
|
||||
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
fi
|
||||
|
||||
|
|
@ -148,6 +151,15 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
|
||||
fi
|
||||
|
||||
# DNSBL
|
||||
if [ "$(has_value USE_DNSBL yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
|
||||
fi
|
||||
list=$(spaces_to_lua "$DNSBL_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
|
@ -7,12 +10,13 @@
|
|||
NGINX_PREFIX="/etc/nginx/"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
NGINX_PREFIX="${NGINX_PREFIX}${1}/"
|
||||
for var in env ; do
|
||||
for var in $(env) ; do
|
||||
name=$(echo "$var" | cut -d '=' -f 1)
|
||||
check=$(echo "name" | grep "^$1_")
|
||||
check=$(echo "$name" | grep "^$1_")
|
||||
if [ "$check" != "" ] ; then
|
||||
repl_name=$(echo "$name" | sed "s/${1}_//")
|
||||
repl_value=$(echo "$var" | sed "s/${name}//")
|
||||
repl_name=$(echo "$name" | sed "s~${1}_~~")
|
||||
repl_value=$(echo "$var" | sed "s~${name}=~~")
|
||||
echo "$SERVER_NAME (check ok) : $repl_name - $repl_value"
|
||||
read -r "$repl_name" <<< $repl_value
|
||||
fi
|
||||
done
|
||||
|
|
@ -25,6 +29,15 @@ if [ "$MULTISITE" = "yes" ] ; then
|
|||
fi
|
||||
cp /opt/confs/site/* "$NGINX_PREFIX"
|
||||
|
||||
# replace paths
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%MAIN_LUA%" "include ${NGINX_PREFIX}main-lua.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}/modsecurity-rules.conf"
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/${1}/*.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_CONF%" "include /server-confs/*.conf;"
|
||||
fi
|
||||
|
||||
# remote PHP
|
||||
if [ "$REMOTE_PHP" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
|
||||
|
|
@ -149,21 +162,21 @@ fi
|
|||
|
||||
# block TOR exit nodes
|
||||
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include ${NGINX_PREFIX}block-tor-exit-node.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
|
||||
fi
|
||||
|
||||
# block proxies
|
||||
if [ "$BLOCK_PROXIES" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include ${NGINX_PREFIX}block-proxies.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
|
||||
fi
|
||||
|
||||
# block abusers
|
||||
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include ${NGINX_PREFIX}block-abusers.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
|
||||
fi
|
||||
|
|
@ -228,13 +241,13 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
|
|||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
|
||||
fi
|
||||
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include ${NGINX_PREFIX}owasp-crs.conf"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include ${NGINX_PREFIX}owasp-crs/*.conf"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# replace pattern in file
|
||||
function replace_in_file() {
|
||||
|
|
@ -28,8 +28,8 @@ function has_value() {
|
|||
fi
|
||||
for var in $(env) ; do
|
||||
domain=$(echo "$var" | cut -d '_' -f 1)
|
||||
name=$(echo "$var" | cut -d '=' -f 1 | sed "s/${domain}_//")
|
||||
value=$(echo "$var" | sed "s/${domain}_${name}=//")
|
||||
name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
|
||||
value=$(echo "$var" | sed "s~${domain}_${name}=~~")
|
||||
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ for ua in $BLACKLIST ; do
|
|||
done
|
||||
DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | sed 's:\\\\\\ :\\\\ :g')
|
||||
|
||||
cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
cp /opt/confs/global/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
|
||||
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
|
|
|
|||
Loading…
Reference in New Issue