librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

road to multi server block support

This commit is contained in:
bunkerity 2020-11-08 17:37:48 +01:00
parent 36c4f3e065
commit 44b016be93
No known key found for this signature in database
GPG Key ID: 654FFF51CEF7CC47
46 changed files with 851 additions and 668 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
@ -20,7 +20,7 @@ COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
EXPOSE 8080/tcp 8443/tcp
ENTRYPOINT ["/opt/entrypoint.sh"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

6
Dockerfile-amd64
View File

@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
@ -20,7 +20,7 @@ COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
EXPOSE 8080/tcp 8443/tcp
ENTRYPOINT ["/opt/entrypoint.sh"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

6
Dockerfile-arm32v7
View File

@ -18,7 +18,7 @@ RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
@ -27,7 +27,7 @@ COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
@ -39,4 +39,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
EXPOSE 8080/tcp 8443/tcp
ENTRYPOINT ["/opt/entrypoint.sh"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

6
Dockerfile-arm64v8
View File

@ -18,7 +18,7 @@ RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
@ -27,7 +27,7 @@ COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
@ -39,4 +39,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
EXPOSE 8080/tcp 8443/tcp
ENTRYPOINT ["/opt/entrypoint.sh"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

6
Dockerfile-i386
View File

@ -11,7 +11,7 @@ RUN chmod +x /tmp/install.sh && \
/tmp/install.sh && \
rm -rf /tmp/*
COPY entrypoint.sh /opt/entrypoint.sh
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY fail2ban/ /opt/fail2ban
@ -20,7 +20,7 @@ COPY lua/ /opt/lua
COPY crowdsec/ /opt/crowdsec
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
chmod +x /opt/entrypoint/* /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
rm -f /var/log/nginx/* && \
chown root:nginx /var/log/nginx && \
@ -32,4 +32,4 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
EXPOSE 8080/tcp 8443/tcp
ENTRYPOINT ["/opt/entrypoint.sh"]
ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

0
confs/cache.conf → confs/global/cache.conf
View File

0
confs/crowdsec.conf → confs/global/crowdsec.conf
View File

0
confs/dhparam → confs/global/dhparam
View File

0
confs/geoip.conf → confs/global/geoip.conf
View File

0
confs/gzip.conf → confs/global/gzip.conf
View File

0
confs/map-user-agent.conf → confs/global/map-user-agent.conf
View File

12
confs/nginx.conf → confs/global/nginx.conf
View File

@ -80,9 +80,6 @@ http {
# resolvers to use
resolver %DNS_RESOLVERS% ipv6=off;
# get real IP address if behind a reverse proxy
%PROXY_REAL_IP%
# lua path and dicts
lua_package_path "/usr/local/lib/lua/?.lua;;";
%WHITELIST_IP_CACHE%
@ -97,18 +94,15 @@ http {
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
# server config
include /etc/nginx/server.conf;
# list of blocked country
%BLOCK_COUNTRY%
# list of blocker user agents
%BLOCK_USER_AGENT%
# enable/disable ModSecurity
%USE_MODSECURITY%
# custom http confs
include /http-confs/*.conf;
# server config(s)
%INCLUDE_SERVER%
}

0
confs/antibot-captcha.conf → confs/site/antibot-captcha.conf
View File

0
confs/antibot-javascript.conf → confs/site/antibot-javascript.conf
View File

0
confs/antibot-recaptcha.conf → confs/site/antibot-recaptcha.conf
View File

0
confs/auth-basic-sitewide.conf → confs/site/auth-basic-sitewide.conf
View File

0
confs/auth-basic.conf → confs/site/auth-basic.conf
View File

0
confs/block-user-agent.conf → confs/site/block-user-agent.conf
View File

0
confs/content-security-policy.conf → confs/site/content-security-policy.conf
View File

0
confs/cookie-flags.conf → confs/site/cookie-flags.conf
View File

0
confs/custom-https.conf → confs/site/custom-https.conf
View File

0
confs/disable-default-server.conf → confs/site/disable-default-server.conf
View File

0
confs/error.conf → confs/site/error.conf
View File

0
confs/feature-policy.conf → confs/site/feature-policy.conf
View File

0
confs/geoip-server.conf → confs/site/geoip-server.conf
View File

0
confs/https.conf → confs/site/https.conf
View File

0
confs/limit-req.conf → confs/site/limit-req.conf
View File

0
confs/main-lua.conf → confs/site/main-lua.conf
View File

0
confs/modsecurity-clamav.conf → confs/site/modsecurity-clamav.conf
View File

0
confs/modsecurity-rules.conf → confs/site/modsecurity-rules.conf
View File

0
confs/modsecurity.conf → confs/site/modsecurity.conf
View File

0
confs/php.conf → confs/site/php.conf
View File

0
confs/proxy-real-ip.conf → confs/site/proxy-real-ip.conf
View File

0
confs/redirect-http-to-https.conf → confs/site/redirect-http-to-https.conf
View File

0
confs/referrer-policy.conf → confs/site/referrer-policy.conf
View File

0
confs/serve-files.conf → confs/site/serve-files.conf
View File

2
confs/server.conf → confs/site/server.conf
View File

@ -1,6 +1,8 @@
server {
include /server-confs/*.conf;
include /etc/nginx/main-lua.conf;
%PROXY_REAL_IP%
%USE_MODSECURITY%
%LISTEN_HTTP%
%USE_HTTPS%
%REDIRECT_HTTP_TO_HTTPS%

0
confs/x-content-type-options.conf → confs/site/x-content-type-options.conf
View File

0
confs/x-frame-options.conf → confs/site/x-frame-options.conf
View File

0
confs/x-xss-protection.conf → confs/site/x-xss-protection.conf
View File

644
entrypoint.sh
View File

@ -1,644 +0,0 @@
#!/bin/sh
echo "[*] Starting bunkerized-nginx ..."
# execute custom scripts if it's a customized image
for file in /entrypoint.d/* ; do
[ -f "$file" ] && [ -x "$file" ] && "$file"
done
# trap SIGTERM and SIGINT
function trap_exit() {
echo "[*] Catched stop operation"
echo "[*] Stopping crond ..."
pkill -TERM crond
if [ "$USE_FAIL2BAN" = "yes" ] ; then
echo "[*] Stopping fail2ban"
fail2ban-client stop > /dev/null
fi
echo "[*] Stopping nginx ..."
/usr/sbin/nginx -s stop
echo "[*] Stopping rsyslogd ..."
pkill -TERM rsyslogd
pkill -TERM tail
}
trap "trap_exit" TERM INT
# replace pattern in file
function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
sed -i "s/$pattern/$replace/g" "$1"
}
# convert space separated values to LUA
function spaces_to_lua() {
for element in $1 ; do
if [ "$result" = "" ] ; then
result="\"${element}\""
else
result="${result}, \"${element}\""
fi
done
echo "$result"
}
# copy stub confs
cp /opt/confs/* /etc/nginx
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
cp /opt/logs/logrotate.conf /etc/logrotate.conf
cp -r /opt/lua/* /usr/local/lib/lua
# remove cron jobs
echo "" > /etc/crontabs/root
# set default values
HTTP_PORT="${HTTP_PORT-8080}"
HTTPS_PORT="${HTTPS_PORT-8443}"
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
SERVER_TOKENS="${SERVER_TOKENS-off}"
CACHE="${CACHE-max=1000 inactive=60s}"
CACHE_ERRORS="${CACHE_ERRORS-on}"
CACHE_USES="${CACHE_USES-1}"
CACHE_VALID="${CACHE_VALID-60s}"
#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}"
#CLIENT_CACHE_CONTROL=
USE_GZIP="${USE_GZIP-off}"
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}"
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}"
GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
HEADER_SERVER="${HEADER_SERVER-no}"
X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
HTTP2="${HTTP2-yes}"
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
USE_MODSECURITY="${USE_MODSECURITY-yes}"
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
SERVE_FILES="${SERVE_FILES-yes}"
WRITE_ACCESS="${WRITE_ACCESS-no}"
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
LISTEN_HTTP="${LISTEN_HTTP-yes}"
USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
ROOT_FOLDER="${ROOT_FOLDER-/www}"
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
USE_DNSBL="${USE_DNSBL-yes}"
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
USE_ANTIBOT="${USE_ANTIBOT-no}"
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
USE_CROWDSEC="${USE_CROWDSEC-no}"
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# replace values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
if [ "$REMOTE_PHP" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
replace_in_file "/etc/nginx/fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
else
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
fi
if [ "$HEADER_SERVER" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
else
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
fi
if [ "$X_FRAME_OPTIONS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
else
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
fi
if [ "$X_XSS_PROTECTION" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
else
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
fi
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
else
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
fi
if [ "$REFERRER_POLICY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
else
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
fi
if [ "$FEATURE_POLICY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
else
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
fi
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
replace_in_file "/etc/nginx/disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
else
replace_in_file "/etc/nginx/server.conf" "%DISABLE_DEFAULT_SERVER%" ""
fi
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
if [ "$BLOCK_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
if [ ! -f /etc/nginx/geoip.mmdb ] ; then
/opt/scripts/geoip.sh
fi
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
fi
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
/opt/scripts/user-agents.sh &
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
fi
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
/opt/scripts/exit-nodes.sh &
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
fi
if [ "$BLOCK_PROXIES" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
/opt/scripts/proxies.sh &
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
fi
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
/opt/scripts/abusers.sh &
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
fi
# HTTPS config
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
else
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
fi
replace_in_file "/etc/nginx/https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
else
replace_in_file "/etc/nginx/https.conf" "%SSL_DHPARAM%" ""
replace_in_file "/etc/nginx/https.conf" "%SSL_CIPHERS%" ""
fi
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
/opt/scripts/certbot-renew.sh
else
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
mkdir /etc/nginx/self-signed-ssl/
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
fi
else
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
fi
if [ "$LISTEN_HTTP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
else
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
fi
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
else
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
fi
if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
else
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
fi
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
else
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
fi
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
else
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
fi
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
fi
if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
froms=""
for from in $PROXY_REAL_IP_FROM ; do
froms="${froms}set_real_ip_from ${from};\n"
done
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
else
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
fi
ERRORS=""
for var in $(env) ; do
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
if [ "z${var_name}" = "zERROR" ] ; then
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
err_page=$(echo "$var" | cut -d '=' -f 2)
cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
replace_in_file "/etc/nginx/error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
fi
done
if [ "$ERRORS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
else
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
fi
if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;"
replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
else
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
fi
if [ "$COOKIE_FLAGS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
fi
fi
replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
else
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
fi
if [ "$SERVE_FILES" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" "include /etc/nginx/serve-files.conf;"
replace_in_file "/etc/nginx/serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
else
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
fi
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
fi
htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
fi
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
# whitelist IP
if [ "$USE_WHITELIST_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "true"
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_IP%" "false"
fi
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
fi
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "true"
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_IP%" "false"
fi
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
fi
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# DNSBL
if [ "$USE_DNSBL" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" "lua_shared_dict dnsbl_cache 10m;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "true"
else
replace_in_file "/etc/nginx/nginx.conf" "%DNSBL_CACHE%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_DNSBL%" "false"
fi
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# antibot uri and session secret
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
fi
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
# antibot via cookie
if [ "$USE_ANTIBOT" = "cookie" ] ; then
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
# antibot via javascript
elif [ "$USE_ANTIBOT" = "javascript" ] ; then
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
# antibot via captcha
elif [ "$USE_ANTIBOT" = "captcha" ] ; then
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include /etc/nginx/antibot-captcha.conf;"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
replace_in_file "/etc/nginx/antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
# antibot via recaptcha
elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include /etc/nginx/antibot-recaptcha.conf;"
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
replace_in_file "/etc/nginx/antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
else
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
fi
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
replace_in_file "/etc/nginx/limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" ""
fi
# fail2ban setup
if [ "$USE_FAIL2BAN" = "yes" ] ; then
echo "" > /etc/nginx/fail2ban-ip.conf
rm -rf /etc/fail2ban/jail.d/*.conf
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
else
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
fi
# clamav setup
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
fi
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include /etc/nginx/modsecurity-clamav.conf"
else
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
else
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2> /dev/null" >> /etc/crontabs/root
fi
fi
# CrowdSec setup
if [ "$USE_CROWDSEC" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
cscli api register >> /etc/crowdsec/config/api.yaml
cscli api pull
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
fi
# edit access if needed
if [ "$WRITE_ACCESS" = "yes" ] ; then
chown -R root:nginx /www
chmod g+w -R /www
fi
# start rsyslogd
rsyslogd
# start crond
crond
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
# fix nginx configs rights (and modules through the symlink)
chown -R root:nginx /etc/nginx/
chmod -R 740 /etc/nginx/
find /etc/nginx -type d -exec chmod 750 {} \;
# fix let's encrypt rights
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
chown -R root:nginx /etc/letsencrypt
chmod -R 740 /etc/letsencrypt
find /etc/letsencrypt -type d -exec chmod 750 {} \;
fi
# start nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
# start fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
fail2ban-server > /dev/null
fi
# start crowdsec
if [ "$USE_CROWDSEC" = "yes" ] ; then
crowdsec
fi
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
# display logs
LOGS="/var/log/access.log /var/log/error.log"
if [ "$USE_FAIL2BAN" = "yes" ] ; then
LOGS="$LOGS /var/log/fail2ban.log"
fi
tail -F $LOGS &
wait $!
# sigterm trapped
echo "[*] bunkerized-nginx stopped"
exit 0

94
entrypoint/defaults.sh Normal file
View File

@ -0,0 +1,94 @@
#!/bin/sh
HTTP_PORT="${HTTP_PORT-8080}"
HTTPS_PORT="${HTTPS_PORT-8443}"
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
SERVER_TOKENS="${SERVER_TOKENS-off}"
CACHE="${CACHE-max=1000 inactive=60s}"
CACHE_ERRORS="${CACHE_ERRORS-on}"
CACHE_USES="${CACHE_USES-1}"
CACHE_VALID="${CACHE_VALID-60s}"
#CLIENT_CACHE="${CLIENT_CACHE}-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}-1d}"
#CLIENT_CACHE_CONTROL=
USE_GZIP="${USE_GZIP-off}"
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL-6}"
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH-10240}"
GZIP_TYPES="${GZIP_TYPES-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
HEADER_SERVER="${HEADER_SERVER-no}"
X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
HTTP2="${HTTP2-yes}"
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
USE_MODSECURITY="${USE_MODSECURITY-yes}"
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';}"
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
SERVE_FILES="${SERVE_FILES-yes}"
WRITE_ACCESS="${WRITE_ACCESS-no}"
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
LISTEN_HTTP="${LISTEN_HTTP-yes}"
USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
ROOT_FOLDER="${ROOT_FOLDER-/www}"
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
BLACKLIST_IP_LIST="${BLACKLIST_IP_LIST-}"
USE_BLACKLIST_REVERSE="${USE_BLACKLIST_REVERSE-yes}"
BLACKLIST_REVERSE_LIST="${BLACKLIST_REVERSE_LIST-.shodan.io}"
USE_DNSBL="${USE_DNSBL-yes}"
DNSBL_LIST="${DNSBL_LIST-bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org}"
USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
USE_ANTIBOT="${USE_ANTIBOT-no}"
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
USE_CROWDSEC="${USE_CROWDSEC-no}"

90
entrypoint/entrypoint.sh Normal file
View File

@ -0,0 +1,90 @@
#!/bin/sh
# load default values
. ./opt/entrypoint/defaults.sh
echo "[*] Starting bunkerized-nginx ..."
# execute custom scripts if it's a customized image
for file in /entrypoint.d/* ; do
[ -f "$file" ] && [ -x "$file" ] && "$file"
done
# trap SIGTERM and SIGINT
function trap_exit() {
echo "[*] Catched stop operation"
echo "[*] Stopping crond ..."
pkill -TERM crond
if [ "$USE_FAIL2BAN" = "yes" ] ; then
echo "[*] Stopping fail2ban"
fail2ban-client stop > /dev/null
fi
echo "[*] Stopping nginx ..."
/usr/sbin/nginx -s stop
echo "[*] Stopping rsyslogd ..."
pkill -TERM rsyslogd
pkill -TERM tail
}
trap "trap_exit" TERM INT
# do the configuration magic if needed
if [ ! -f "/opt/installed" ] ; then
echo "[*] Configuring bunkerized-nginx ..."
/opt/entrypoint/global-config.sh
if [ "$MULTISITE" = "yes" ] ; then
for server in "$SERVER_NAME" ; do
/opt/entrypoint/site-config.sh "$server"
echo "[*] Multi site - $server configuration done"
done
else
/opt/entrypoint/site-config.sh
echo "[*] Single site - $SERVER_NAME configuration done"
fi
touch /opt/installed
else
echo "[*] Skipping configuration process"
fi
# fix nginx configs rights (and modules through the symlink)
chown -R root:nginx /etc/nginx/
chmod -R 740 /etc/nginx/
find /etc/nginx -type d -exec chmod 750 {} \;
# fix let's encrypt rights
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
chown -R root:nginx /etc/letsencrypt
chmod -R 740 /etc/letsencrypt
find /etc/letsencrypt -type d -exec chmod 750 {} \;
fi
# start rsyslogd
rsyslogd
# start crond
crond
# start fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
fail2ban-server > /dev/null
fi
# start crowdsec
if [ "$USE_CROWDSEC" = "yes" ] ; then
crowdsec
fi
# start nginx
echo "[*] Running nginx ..."
su -s "/usr/sbin/nginx" nginx
# display logs
LOGS="/var/log/access.log /var/log/error.log"
if [ "$USE_FAIL2BAN" = "yes" ] ; then
LOGS="$LOGS /var/log/fail2ban.log"
fi
tail -F $LOGS &
wait $!
# sigterm trapped
echo "[*] bunkerized-nginx stopped"
exit 0

195
entrypoint/global-config.sh Normal file
View File

@ -0,0 +1,195 @@
#!/bin/sh
# load some functions
. /opt/entrypoint/utils.sh
# copy stub confs
cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
cp /opt/logs/logrotate.conf /etc/logrotate.conf
cp -r /opt/lua/* /usr/local/lib/lua
cp /opt/confs/global/* /etc/nginx/
# remove cron jobs
echo "" > /etc/crontabs/root
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# include server block(s)
if [ "$MULTISITE" = "yes" ] ; then
includes=""
for server in "$SERVER_NAME" ; do
includes="${includes}include /etc/nginx/${server}/server.conf;\n"
done
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
else
replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
fi
# global values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
# let's encrypt setup
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
echo "[*] Performing Let's Encrypt challenge ..."
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
fi
# self-signed certificate
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
mkdir /etc/nginx/self-signed-ssl/
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
fi
# country ban
if [ "$BLOCK_COUNTRY" != "" ] ; then
echo "[*] Updating GeoIP database (in background) ..."
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
/opt/scripts/geoip.sh &
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
fi
# block bad UA
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
echo "[*] Downloading bad user-agent list (in background) ..."
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
/opt/scripts/user-agents.sh &
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
fi
# block TOR exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh &
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
fi
# block proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh &
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
fi
# block abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh &
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
fi
# DNS resolvers
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
replace_in_file "/etc/nginx/nginx.conf" "%DNS_RESOLVERS%" "$DNS_RESOLVERS"
# whitelist IP
if [ "$(has_value USE_WHITELIST_IP yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" "lua_shared_dict whitelist_ip_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
# whitelist rDNS
if [ "$(has_value USE_WHITELIST_REVERSE yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" "lua_shared_dict whitelist_reverse_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%WHITELIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
# blacklist IP
if [ "$(has_value USE_BLACKLIST_IP yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" "lua_shared_dict blacklist_ip_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_IP_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
# blacklist rDNS
if [ "$(has_value USE_BLACKLIST_REVERSE yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" "lua_shared_dict blacklist_reverse_cache 10m;"
else
replace_in_file "/etc/nginx/nginx.conf" "%BLACKLIST_REVERSE_CACHE%" ""
fi
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
# request limiting
if [ "$(has_value USE_LIMIT_REQ yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
else
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" ""
fi
# fail2ban setup
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
rm -rf /etc/fail2ban/jail.d/*.conf
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
fi
# clamav setup
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
else
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
fi
fi
# CrowdSec setup
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
cscli api register >> /etc/crowdsec/config/api.yaml
cscli api pull
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
fi
# create empty logs
touch /var/log/access.log
touch /var/log/error.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root

414
entrypoint/site-config.sh Normal file
View File

@ -0,0 +1,414 @@
#!/bin/sh
# load some functions
. /opt/entrypoint/utils.sh
# get nginx path and override multisite variables
NGINX_PREFIX="/etc/nginx/"
if [ "$MULTISITE" = "yes" ] ; then
NGINX_PREFIX="${NGINX_PREFIX}${1}/"
for var in env ; do
name=$(echo "$var" | cut -d '=' -f 1)
check=$(echo "name" | grep "^$1_")
if [ "$check" != "" ] ; then
repl_name=$(echo "$name" | sed "s/${1}_//")
repl_value=$(echo "$var" | sed "s/${name}//")
read -r "$repl_name" <<< $repl_value
fi
done
ROOT_FOLDER="${ROOT_FOLDER}/$1"
fi
# copy stub confs
if [ "$MULTISITE" = "yes" ] ; then
mkdir "$NGINX_PREFIX"
fi
cp /opt/confs/site/* "$NGINX_PREFIX"
# remote PHP
if [ "$REMOTE_PHP" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;"
replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" ""
fi
# serve files
if [ "$SERVE_FILES" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" "include ${NGINX_PREFIX}serve-files.conf;"
replace_in_file "${NGINX_PREFIX}serve-files.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVE_FILES%" ""
fi
# remove server header
if [ "$HEADER_SERVER" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%HEADER_SERVER%" ""
else
replace_in_file "${NGINX_PREFIX}server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
fi
# X-Frame-Options header
if [ "$X_FRAME_OPTIONS" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" "include ${NGINX_PREFIX}x-frame-options.conf;"
replace_in_file "${NGINX_PREFIX}x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%X_FRAME_OPTIONS%" ""
fi
# X-XSS-Protection header
if [ "$X_XSS_PROTECTION" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" "include ${NGINX_PREFIX}x-xss-protection.conf;"
replace_in_file "${NGINX_PREFIX}x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%X_XSS_PROTECTION%" ""
fi
# X-Content-Type-Options header
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include ${NGINX_PREFIX}x-content-type-options.conf;"
replace_in_file "${NGINX_PREFIX}x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
fi
# Referrer-Policy header
if [ "$REFERRER_POLICY" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" "include ${NGINX_PREFIX}referrer-policy.conf;"
replace_in_file "${NGINX_PREFIX}referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%REFERRER_POLICY%" ""
fi
# Feature-Policy header
if [ "$FEATURE_POLICY" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" "include ${NGINX_PREFIX}feature-policy.conf;"
replace_in_file "${NGINX_PREFIX}feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" ""
fi
# Content-Security-Policy header
if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;"
replace_in_file "${NGINX_PREFIX}content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" ""
fi
# cookie flags
if [ "$COOKIE_FLAGS" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" "include ${NGINX_PREFIX}cookie-flags.conf;"
if [ "$COOKIE_AUTO_SECURE_FLAG" = "yes" ] ; then
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
COOKIE_FLAGS="${COOKIE_FLAGS} Secure"
fi
fi
replace_in_file "${NGINX_PREFIX}cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%COOKIE_FLAGS%" ""
fi
# disable default server
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;"
if [ "$MULTISITE" == "yes" ] ; then
replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$1"
else
SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
fi
else
replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" ""
fi
# set the server host name
if [ "$MULTISITE" == "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$1"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%SERVER_NAME%" "$SERVER_NAME"
fi
# allowed HTTP methods
replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
# country ban
if [ "$BLOCK_COUNTRY" != "" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" ""
fi
# block bad UA
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" "include ${NGINX_PREFIX}block-user-agent.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" ""
fi
# block TOR exit nodes
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include ${NGINX_PREFIX}block-tor-exit-node.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
fi
# block proxies
if [ "$BLOCK_PROXIES" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" "include ${NGINX_PREFIX}block-proxies.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_PROXIES%" ""
fi
# block abusers
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" "include ${NGINX_PREFIX}block-abusers.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_ABUSERS%" ""
fi
# HTTPS config
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "include ${NGINX_PREFIX}https.conf;"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
if [ "$HTTP2" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" "http2"
else
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTP2%" ""
fi
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
else
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_DHPARAM%" ""
replace_in_file "${NGINX_PREFIX}https.conf" "%SSL_CIPHERS%" ""
fi
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
else
replace_in_file "${NGINX_PREFIX}https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
fi
else
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
fi
# listen on HTTP_PORT
if [ "$LISTEN_HTTP" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT};"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%LISTEN_HTTP%" ""
fi
# HTTP to HTTPS redirect
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include ${NGINX_PREFIX}redirect-http-to-https.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
fi
# ModSecurity config
if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
fi
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include ${NGINX_PREFIX}owasp-crs.conf"
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
fi
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include ${NGINX_PREFIX}owasp-crs/*.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
fi
else
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" ""
fi
# real IP behind reverse proxy
if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" "include ${NGINX_PREFIX}proxy-real-ip.conf;"
froms=""
for from in $PROXY_REAL_IP_FROM ; do
froms="${froms}set_real_ip_from ${from};\n"
done
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
replace_in_file "${NGINX_PREFIX}proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%PROXY_REAL_IP%" ""
fi
# custom errors
ERRORS=""
for var in $(env) ; do
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
if [ "z${var_name}" = "zERROR" ] ; then
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
err_page=$(echo "$var" | cut -d '=' -f 2)
cp /opt/confs/error.conf ${NGINX_PREFIX}error-${err_code}.conf
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%CODE%" "$err_code"
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%PAGE%" "$err_page"
replace_in_file "${NGINX_PREFIX}error-${err_code}.conf" "%ROOT_FOLDER%" "$ROOT_FOLDER"
ERRORS="${ERRORS}include ${NGINX_PREFIX}error-${err_code}.conf;\n"
fi
done
replace_in_file "${NGINX_PREFIX}server.conf" "%ERRORS%" "$ERRORS"
# auth basic
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic-sitewide.conf;"
replace_in_file "${NGINX_PREFIX}auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
else
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" "include ${NGINX_PREFIX}auth-basic.conf;"
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
replace_in_file "${NGINX_PREFIX}auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
fi
htpasswd -b -B -c ${NGINX_PREFIX}.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%AUTH_BASIC%" ""
fi
# whitelist IP
if [ "$USE_WHITELIST_IP" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false"
fi
# whitelist rDNS
if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
fi
# blacklist IP
if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false"
fi
# blacklist rDNS
if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
fi
# DNSBL
if [ "$USE_DNSBL" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false"
fi
# antibot uri and session secret
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
fi
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
# antibot via cookie
if [ "$USE_ANTIBOT" = "cookie" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
# antibot via javascript
elif [ "$USE_ANTIBOT" = "javascript" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include ${NGINX_PREFIX}antibot-javascript.conf;"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
# antibot via captcha
elif [ "$USE_ANTIBOT" = "captcha" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "true"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" "include ${NGINX_PREFIX}antibot-captcha.conf;"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}antibot-captcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
# antibot via recaptcha
elif [ "$USE_ANTIBOT" = "recaptcha" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "true"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" "include ${NGINX_PREFIX}antibot-recaptcha.conf;"
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SITEKEY%" "$ANTIBOT_RECAPTCHA_SITEKEY"
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SECRET%" "$ANTIBOT_RECAPTCHA_SECRET"
replace_in_file "${NGINX_PREFIX}antibot-recaptcha.conf" "%ANTIBOT_RECAPTCHA_SCORE%" "$ANTIBOT_RECAPTCHA_SCORE"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_CAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_ANTIBOT_RECAPTCHA%" "false"
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_CAPTCHA%" ""
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%INCLUDE_ANTIBOT_RECAPTCHA%" ""
fi
# request limiting
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" "include ${NGINX_PREFIX}limit-req.conf;"
replace_in_file "${NGINX_PREFIX}limit-req.conf" "%LIMIT_REQ_BURST%" "$LIMIT_REQ_BURST"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%LIMIT_REQ%" ""
fi
# fail2ban
if [ "$USE_FAIL2BAN" = "yes" ] ; then
echo "" > ${NGINX_PREFIX}fail2ban-ip.conf
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" "include ${NGINX_PREFIX}fail2ban-ip.conf;"
else
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_FAIL2BAN%" ""
fi
# clamav scan uploaded files
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" "include ${NGINX_PREFIX}modsecurity-clamav.conf"
else
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%USE_CLAMAV_UPLOAD%" ""
fi
# CrowdSec
if [ "$USE_CROWDSEC" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "true"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
fi

38
entrypoint/utils.sh Normal file
View File

@ -0,0 +1,38 @@
#!/bin/sh
# replace pattern in file
function replace_in_file() {
# escape slashes
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
replace=$(echo "$3" | sed "s/\//\\\\\//g")
sed -i "s/$pattern/$replace/g" "$1"
}
# convert space separated values to LUA
function spaces_to_lua() {
for element in $1 ; do
if [ "$result" = "" ] ; then
result="\"${element}\""
else
result="${result}, \"${element}\""
fi
done
echo "$result"
}
# check if at least one env var (global or multisite) has a specific value
function has_value() {
if [ "${!1}" == "$2" ] ; then
echo "ok"
return 0
fi
for var in $(env) ; do
domain=$(echo "$var" | cut -d '_' -f 1)
name=$(echo "$var" | cut -d '=' -f 1 | sed "s/${domain}_//")
value=$(echo "$var" | sed "s/${domain}_${name}=//")
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
echo "ok"
return 0
fi
done
}