mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
plugins - started basic plugin system
This commit is contained in:
parent
62217a3210
commit
388fc1a0e8
9 changed files with 56 additions and 12 deletions
|
@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
init_by_lua_block {
|
||||
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
|
@ -40,4 +41,32 @@ if use_crowdsec then
|
|||
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
|
||||
end
|
||||
|
||||
-- Load plugins
|
||||
ngx.shared.plugins_data:safe_set("plugins", nil, 0)
|
||||
local p = io.popen("find /plugins -maxdepth 1 -type d ! -path /plugins")
|
||||
for dir in p:lines() do
|
||||
-- read JSON
|
||||
local file = io.open(dir .. "/plugin.json")
|
||||
if file then
|
||||
-- store settings
|
||||
local data = cjson.decode(file:read("*a"))
|
||||
for k, v in pairs(data.settings) do
|
||||
ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
|
||||
end
|
||||
file:close()
|
||||
-- store plugin
|
||||
local plugins, flags = ngx.shared.plugins_data:get("plugins")
|
||||
if plugins == nil then
|
||||
ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
|
||||
else
|
||||
ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
|
||||
end
|
||||
logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
|
||||
else
|
||||
logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
|
||||
end
|
||||
|
||||
end
|
||||
p:close()
|
||||
|
||||
}
|
||||
|
|
|
@ -78,7 +78,7 @@ http {
|
|||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;/plugins/?.lua;;";
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
|
||||
|
@ -93,6 +93,7 @@ http {
|
|||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
|
||||
lua_shared_dict plugins_data 10m;
|
||||
|
||||
# shared memory zone for limit_req
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
|
||||
|
|
|
@ -291,6 +291,15 @@ if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
|
|||
end
|
||||
end
|
||||
|
||||
-- plugins check
|
||||
local plugins, flags = ngx.shared.plugins_data:get("plugins")
|
||||
if plugins ~= nil then
|
||||
for plugin_id in string.gmatch(plugins, "%w+") do
|
||||
local plugin = require(plugin_id .. "/" .. plugin_id)
|
||||
plugin.check()
|
||||
end
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
|
||||
}
|
||||
|
|
|
@ -65,3 +65,8 @@ chmod 770 /cache
|
|||
# prepare /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 440 /etc/crontabs/nginx
|
||||
|
||||
# prepare /plugins
|
||||
mkdir /plugins
|
||||
chown root:nginx /plugins
|
||||
chmod 770 /plugins
|
Loading…
Reference in a new issue