init work on disabling root processes
This commit is contained in:
parent
a2543384cd
commit
33163f65b3
|
@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
|
|||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
USER nginx
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
|
|
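Review bot: Once `USER nginx` takes effect before ENTRYPOINT, the entrypoint can no longer repair ownership of the paths declared by the VOLUME line shown in the hunk context, so a host bind-mount owned by another uid will be unreadable (or, for /cache, unwritable) to the service and nothing in the new code reports that. Worth stating next to the USER line, e.g. `# runs unprivileged: mounted volumes must be accessible to uid/gid 101 (nginx)`, and having the entrypoint check writability of /cache early with a clear error instead of failing later in a cron job. The same applies to the four following Dockerfile sections that add the identical USER line.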
@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
|
|||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
USER nginx
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
|
|
@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
|
|||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
USER nginx
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
|
|
@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
|
|||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
USER nginx
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
|
|
@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
|
|||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
USER nginx
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]
|
||||
|
|
|
@ -5,6 +5,7 @@ class AutoConf :
|
|||
|
||||
def __init__(self, swarm, api) :
|
||||
self.__swarm = swarm
|
||||
self.__servers = {}
|
||||
self.__instances = {}
|
||||
self.__sites = {}
|
||||
self.__config = Config(self.__swarm, api)
|
||||
|
@ -72,11 +73,11 @@ class AutoConf :
|
|||
def __process_server(self, instance, event, id, name, labels) :
|
||||
vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
|
||||
if event == "create" :
|
||||
if self.__config.generate(instances, vars) :
|
||||
if self.__config.generate(self.__instances, vars) :
|
||||
utils.log("[*] Generated config for " + vars["SERVER_NAME"])
|
||||
self.__servers[id] = obj
|
||||
self.__servers[id] = instance
|
||||
if self.__swarm :
|
||||
if self.__config.activate(instances, vars) :
|
||||
if self.__config.activate(self.__instances, vars) :
|
||||
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
|
||||
else :
|
||||
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
|
||||
|
@ -85,21 +86,21 @@ class AutoConf :
|
|||
elif event == "start" :
|
||||
if id in self.__servers :
|
||||
self.__servers[id].reload()
|
||||
if self.__config.activate(instances, vars) :
|
||||
if self.__config.activate(self.__instances, vars) :
|
||||
utils.log("[*] Activated config for " + vars["SERVER_NAME"])
|
||||
else :
|
||||
utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
|
||||
elif event == "die" :
|
||||
if id in self.__servers :
|
||||
self.__servers[id].reload()
|
||||
if self.__config.deactivate(instances, vars) :
|
||||
if self.__config.deactivate(self.__instances, vars) :
|
||||
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
|
||||
else :
|
||||
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
|
||||
elif event == "destroy" or event == "remove" :
|
||||
if id in self.__servers :
|
||||
if self.__swarm :
|
||||
if self.__config.deactivate(instances, vars) :
|
||||
if self.__config.deactivate(self.__instances, vars) :
|
||||
utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
|
||||
else :
|
||||
utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
|
||||
|
|
|
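Review bot: `vars["SERVER_NAME"]` in every branch of __process_server raises KeyError when a container carries `bunkerized-nginx.*` labels but no SERVER_NAME, and the handler has no guard for it, so one mislabelled container aborts the whole event callback; a guard such as `if "SERVER_NAME" not in vars : utils.log("[!] Missing SERVER_NAME label for " + name) ; return` at the top of the function keeps the loop alive. The label values are passed straight into Config.generate/activate; whether Config validates them cannot be seen here, so if it does not, this is the place to reject values that would not be safe to embed in generated configuration. `vars` also shadows the builtin; a name like `labels_vars` avoids it. __process_server continues past the end of the last hunk.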
@ -8,7 +8,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
pip3 install docker requests && \
|
||||
mkdir /opt/entrypoint && \
|
||||
mkdir -p /opt/confs/site && \
|
||||
mkdir -p /opt/confs/global
|
||||
mkdir -p /opt/confs/global && \
|
||||
addgroup -g 101 nginx && \
|
||||
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
|
||||
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY confs/global/ /opt/confs/global
|
||||
|
|
|
@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
pip3 install docker requests && \
|
||||
mkdir /opt/entrypoint && \
|
||||
mkdir -p /opt/confs/site && \
|
||||
mkdir -p /opt/confs/global
|
||||
mkdir -p /opt/confs/global && \
|
||||
addgroup -g 101 nginx && \
|
||||
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
|
||||
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY entrypoint/* /opt/entrypoint/
|
||||
|
|
|
@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
pip3 install docker requests && \
|
||||
mkdir /opt/entrypoint && \
|
||||
mkdir -p /opt/confs/site && \
|
||||
mkdir -p /opt/confs/global
|
||||
mkdir -p /opt/confs/global && \
|
||||
addgroup -g 101 nginx && \
|
||||
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
|
||||
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY entrypoint/* /opt/entrypoint/
|
||||
|
|
|
@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
pip3 install docker requests && \
|
||||
mkdir /opt/entrypoint && \
|
||||
mkdir -p /opt/confs/site && \
|
||||
mkdir -p /opt/confs/global
|
||||
mkdir -p /opt/confs/global && \
|
||||
addgroup -g 101 nginx && \
|
||||
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
|
||||
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY entrypoint/* /opt/entrypoint/
|
||||
|
|
|
@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
pip3 install docker requests && \
|
||||
mkdir /opt/entrypoint && \
|
||||
mkdir -p /opt/confs/site && \
|
||||
mkdir -p /opt/confs/global
|
||||
mkdir -p /opt/confs/global && \
|
||||
addgroup -g 101 nginx && \
|
||||
adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
|
||||
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY entrypoint/* /opt/entrypoint/
|
||||
|
|
|
@ -50,8 +50,9 @@ make install-strip
|
|||
cd /tmp
|
||||
git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
|
||||
cd coreruleset
|
||||
cp -r rules /etc/nginx/owasp-crs
|
||||
cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
|
||||
mkdir /opt/owasp
|
||||
cp -r rules /opt/owasp/crs
|
||||
cp crs-setup.conf.example /opt/owasp/crs.conf
|
||||
|
||||
# get nginx modules
|
||||
cd /tmp
|
||||
|
|
|
@ -10,12 +10,12 @@
|
|||
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
echo "[*] Updating clamav (in background) ..."
|
||||
freshclam > /dev/null 2>&1 &
|
||||
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
|
||||
fi
|
||||
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
|
||||
else
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
|
||||
fi
|
||||
fi
|
||||
|
|
|
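Review bot: Redirecting the entries to `/etc/crontabs/nginx` changes who runs `clamscan -r -i --no-summary --remove /`: under the nginx user the recursive scan of `/` will hit permission errors across most of the tree and `--remove` can only unlink files that user may delete, so the job's coverage silently shrinks compared with the root crontab it replaces. The errors at least land in `/var/log/clamav.log`, but the scan path should be narrowed to the directories the service can actually reach, or the job documented as best-effort, e.g. `# runs as nginx: only paths writable by the service user are covered`. `freshclam` likewise now runs as nginx and needs write access to its database directory; the prepare.sh changes in this commit do not appear to adjust that, worth confirming.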
@ -35,7 +35,7 @@ function trap_reload() {
|
|||
fi
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
echo "[*] Reloading nginx ..."
|
||||
/usr/sbin/nginx -s reload
|
||||
nginx -s reload
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Reload successfull"
|
||||
else
|
||||
|
@ -91,13 +91,8 @@ else
|
|||
echo "[*] Skipping configuration process"
|
||||
fi
|
||||
|
||||
# fix nginx configs rights (and modules through the symlink)
|
||||
chown -R root:nginx /etc/nginx/
|
||||
chmod -R 740 /etc/nginx/
|
||||
find /etc/nginx -type d -exec chmod 750 {} \;
|
||||
|
||||
# start rsyslogd
|
||||
rsyslogd
|
||||
rsyslogd -i /tmp/rsyslogd.pid
|
||||
|
||||
# start crond
|
||||
crond
|
||||
|
@ -117,7 +112,7 @@ fi
|
|||
|
||||
# run nginx
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
nginx
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
echo "[*] nginx successfully started !"
|
||||
else
|
||||
|
|
|
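Review bot: The reload and the final start now use a bare `nginx` resolved through PATH where the previous lines used `/usr/sbin/nginx`; a management entrypoint should keep the absolute path so that a writable directory earlier in PATH cannot substitute the binary, i.e. `/usr/sbin/nginx -s reload` and `/usr/sbin/nginx`. Separately, `rsyslogd -i /tmp/rsyslogd.pid` and the `/tmp/nginx.pid` check place fixed-name pid files in a world-writable directory shared by every process in the container; since prepare.sh in this commit already creates dedicated root:nginx 770 directories for fail2ban, a similar runtime directory for the nginx and rsyslog pid files would avoid pid-file tampering from a compromised worker. The trap_reload function opens outside the hunk.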
@ -8,7 +8,6 @@
|
|||
|
||||
# fail2ban setup
|
||||
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
|
||||
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
|
||||
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
|
||||
|
|
|
@ -9,9 +9,6 @@
|
|||
# copy stub confs
|
||||
cp /opt/confs/global/* /etc/nginx/
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
apk add $ADDITIONAL_MODULES
|
||||
|
@ -53,7 +50,6 @@ if [ "$MULTISITE" = "yes" ] ; then
|
|||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
|
||||
fi
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
chmod +r /etc/nginx/default-key.pem
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
|
||||
else
|
||||
|
@ -92,14 +88,13 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
|||
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
fi
|
||||
echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
|
||||
fi
|
||||
|
||||
# self-signed certificate
|
||||
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
chmod +r /etc/nginx/self-signed-ssl/key.pem
|
||||
fi
|
||||
|
||||
# country ban/whitelist
|
||||
|
@ -112,7 +107,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
|
|||
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
|
||||
fi
|
||||
echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root
|
||||
echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
|
@ -127,7 +122,7 @@ fi
|
|||
# block bad UA
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
|
||||
echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root
|
||||
echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/map-user-agent.conf" ] ; then
|
||||
echo "[*] Copying cached map-user-agent.conf ..."
|
||||
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
|
@ -142,7 +137,7 @@ fi
|
|||
# block bad refferer
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
|
||||
echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root
|
||||
echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/map-referrer.conf" ] ; then
|
||||
echo "[*] Copying cached map-referrer.conf ..."
|
||||
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
|
||||
|
@ -156,7 +151,7 @@ fi
|
|||
|
||||
# block TOR exit nodes
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
|
||||
echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
|
||||
echo "[*] Copying cached block-tor-exit-node.conf ..."
|
||||
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
|
||||
|
@ -168,7 +163,7 @@ fi
|
|||
|
||||
# block proxies
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root
|
||||
echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/block-proxies.conf" ] ; then
|
||||
echo "[*] Copying cached block-proxies.conf ..."
|
||||
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
|
||||
|
@ -180,7 +175,7 @@ fi
|
|||
|
||||
# block abusers
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root
|
||||
echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
|
||||
if [ -f "/cache/block-abusers.conf" ] ; then
|
||||
echo "[*] Copying cached block-abusers.conf ..."
|
||||
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
|
||||
|
|
|
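Review bot: The cron entries are still appended with `>>` to `/etc/crontabs/nginx` (the certbot-renew, geoip, user-agents, referrers, exit-nodes, proxies and abusers lines), but the reset the old code performed with `echo "" > /etc/crontabs/root` appears to be dropped without an equivalent for the nginx crontab, so a container restarted with its filesystem kept accumulates duplicate jobs on every start. Keeping `: > /etc/crontabs/nginx` under the `# remove cron jobs` comment restores idempotence. In the same hunk `apk add $ADDITIONAL_MODULES` cannot succeed once the entrypoint runs as the nginx user; either move it to build time or fail early with a clear message rather than continuing past a failed install.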
@ -7,8 +7,8 @@
|
|||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy stub confs
|
||||
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
|
||||
cp /opt/logs/logrotate.conf /etc/logrotate.conf
|
||||
cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
|
||||
cat /opt/logs/logrotate.conf > /etc/logrotate.conf
|
||||
|
||||
# create empty logs
|
||||
touch /var/log/access.log
|
||||
|
@ -18,4 +18,4 @@ touch /var/log/jobs.log
|
|||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
|
||||
|
|
|
@ -6,11 +6,6 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# fix nginx configs rights (and modules through the symlink)
|
||||
chown -R root:nginx /etc/nginx/
|
||||
chmod -R 740 /etc/nginx/
|
||||
find /etc/nginx -type d -exec chmod 750 {} \;
|
||||
|
||||
if [ "$MULTISITE" = "yes" ] ; then
|
||||
servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
|
||||
for server in $servers ; do
|
||||
|
@ -30,7 +25,7 @@ if [ "$MULTISITE" = "yes" ] ; then
|
|||
modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
|
||||
fi
|
||||
replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
|
||||
if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
|
||||
if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
|
||||
modsec_crs_custom=""
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
modsec_crs_custom="include /modsec-crs-confs/*.conf\n"
|
||||
|
|
|
@ -385,7 +385,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
|
|||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
|
||||
fi
|
||||
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
|
||||
if [ "$MULTISITE" != "yes" ] ; then
|
||||
modsec_crs_custom=""
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
|
@ -393,7 +393,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
|
|||
fi
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
|
|
|
@ -5,7 +5,9 @@ function replace_in_file() {
|
|||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
sed "s/$pattern/$replace/g" "$1" > /tmp/sed
|
||||
cat /tmp/sed > "$1"
|
||||
rm /tmp/sed
|
||||
}
|
||||
|
||||
# convert space separated values to LUA
|
||||
|
|
|
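Review bot: In replace_in_file the new `sed ... > /tmp/sed` followed by `cat /tmp/sed > "$1"` has no status check, so a sed failure (e.g. an unescaped character in the pattern) leaves /tmp/sed empty and the next line truncates the target configuration file. The fixed, predictable `/tmp/sed` name is also shared by every concurrent caller and by anything else in the container, so a pre-existing file or symlink at that path is written through. A private temp file with the write-back gated on sed's status keeps the intended "rewrite through the original inode" behaviour: `tmp=$(mktemp) || return 1` / `sed "s/$pattern/$replace/g" "$1" > "$tmp" && cat "$tmp" > "$1"` / `rm -f "$tmp"`. The function's opening line is outside the hunk.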
@ -4,11 +4,11 @@
|
|||
$WorkDirectory /var/lib/rsyslog
|
||||
|
||||
# Sets default permissions for all log files.
|
||||
$FileOwner root
|
||||
$FileGroup root
|
||||
$FileCreateMode 0600
|
||||
$DirCreateMode 0700
|
||||
$Umask 0077
|
||||
$FileOwner nginx
|
||||
$FileGroup nginx
|
||||
$FileCreateMode 0660
|
||||
$DirCreateMode 0770
|
||||
$Umask 0007
|
||||
|
||||
# Include all config files in /etc/rsyslog.d/.
|
||||
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
||||
|
@ -16,10 +16,10 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
|||
#### Modules ####
|
||||
|
||||
# Provides --MARK-- message capability.
|
||||
module(load="immark")
|
||||
#module(load="immark")
|
||||
|
||||
# Provides support for local system logging (e.g. via logger command).
|
||||
module(load="imuxsock")
|
||||
module(load="imuxsock" SysSock.Name="/tmp/log")
|
||||
|
||||
# Nginx
|
||||
$template rawFormat,"%msg:2:2048%\n"
|
||||
|
|
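Review bot: Loosening `$FileCreateMode` to 0660, `$DirCreateMode` to 0770 and `$Umask` to 0007 makes every log file group-writable, and with the daemon itself now running as nginx the `$FileOwner nginx` / `$FileGroup nginx` directives presumably have no effect anyway (a non-root rsyslogd cannot chown, worth confirming). The practical consequence is that the service principal can rewrite its own logs, which is acceptable for a single-user container only if logs are shipped off-box; a comment above these lines such as `# daemon and writers share uid nginx: log integrity relies on forwarding, not file modes` would make that trade-off explicit. The imuxsock socket moved to `/tmp/log` sits in a world-writable directory; an nginx-owned runtime directory would be the safer location for the socket path.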
61
prepare.sh
61
prepare.sh
|
@ -3,18 +3,65 @@
|
|||
# install dependencies
|
||||
apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
|
||||
|
||||
# make scripts executable
|
||||
chmod +x /opt/entrypoint/* /opt/scripts/*
|
||||
# custom entrypoint
|
||||
mkdir /opt/entrypoint.d
|
||||
|
||||
# log files/folders rights
|
||||
# prepare /opt
|
||||
chown -R root:nginx /opt
|
||||
find /opt -type f -exec chmod 0740 {} \;
|
||||
find /opt -type d -exec chmod 0750 {} \;
|
||||
chmod ugo+x /opt/entrypoint/* /opt/scripts/*
|
||||
chmod 770 /opt
|
||||
|
||||
# prepare /etc/nginx
|
||||
chown -R root:nginx /etc/nginx
|
||||
chmod -R 770 /etc/nginx
|
||||
|
||||
# prepare /var/log
|
||||
rm -f /var/log/nginx/*
|
||||
chown root:nginx /var/log/nginx
|
||||
chmod 750 /var/log/nginx
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
|
||||
chown nginx:nginx /var/log/nginx/*.log
|
||||
chown nginx:nginx /var/log/nginx/*
|
||||
chmod -R 770 /var/log/nginx
|
||||
touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
|
||||
chown nginx:nginx /var/log/*.log
|
||||
chmod 770 /var/log/*.log
|
||||
|
||||
# let's encrypt webroot
|
||||
# prepare /acme-challenge
|
||||
mkdir /acme-challenge
|
||||
chown root:nginx /acme-challenge
|
||||
chmod 750 /acme-challenge
|
||||
chmod 770 /acme-challenge
|
||||
|
||||
# prepare /etc/letsencrypt
|
||||
mkdir /etc/letsencrypt
|
||||
chown root:nginx /etc/letsencrypt
|
||||
chmod 770 /etc/letsencrypt
|
||||
|
||||
# prepare /etc/fail2ban
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
chown -R root:nginx /etc/fail2ban
|
||||
find /etc/fail2ban -type f -exec chmod 0760 {} \;
|
||||
find /etc/fail2ban -type d -exec chmod 0770 {} \;
|
||||
|
||||
# prepare /var/run/fail2ban and /var/lib/fail2ban
|
||||
chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
|
||||
chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
|
||||
|
||||
# prepare /usr/local/lib/lua
|
||||
chown root:nginx /usr/local/lib/lua
|
||||
chmod 770 /usr/local/lib/lua
|
||||
|
||||
# prepare /cache
|
||||
mkdir /cache
|
||||
chown root:nginx /cache
|
||||
chmod 770 /cache
|
||||
|
||||
# prepare misc files
|
||||
chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
|
||||
chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
|
||||
chown root:nginx /etc/rsyslog.conf
|
||||
|
||||
# prepare /etc/crontabs/nginx
|
||||
touch /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 660 /etc/crontabs/nginx
|
||||
|
|
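Review bot: `chmod -R 770 /etc/nginx` (and likewise `chmod -R 770 /var/log/nginx`, `chmod 770 /var/log/*.log`) sets the execute bit on regular files and makes the entire configuration tree writable by the nginx user, so a compromised worker can rewrite its own config, and `chmod 770 /usr/local/lib/lua` extends that to the Lua modules it loads. The script already uses the finer split for /opt and /etc/fail2ban (`find ... -type f -exec chmod 0740/0760`, `find ... -type d -exec chmod 0770`); applying the same pattern to /etc/nginx, with 0660 only on the files the entrypoint must rewrite and 0640 elsewhere, would keep the change minimal. `chmod 770 /opt` also lets the nginx user rename or replace the entrypoint/ and scripts/ directory entries even though their files are 0740; unless something at runtime must create entries directly under /opt, 750 there preserves the read-only intent of the 0740 files.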