docs, various fixes and certbot-cloudflare example
This commit is contained in:
parent
e8f5db0b29
commit
678ad70b01
33
README.md
33
README.md
|
@ -15,6 +15,8 @@
|
|||
<strong>
|
||||
<a href="https://bunkerized-nginx.readthedocs.io">Documentation</a>
|
||||
<span> | </span>
|
||||
<a href="https://github.com/bunkerity/bunkerized-nginx/tree/master/examples">Examples</a>
|
||||
<span> | </span>
|
||||
<a href="https://www.bunkerity.com/category/bunkerized-nginx/">Blog posts</a>
|
||||
<span> | </span>
|
||||
<a href="https://matrix.to/#/#bunkerized-nginx:matrix.org">Community chat</a>
|
||||
|
@ -36,6 +38,7 @@ Non-exhaustive list of features :
|
|||
- Block TOR, proxies, bad user-agents, countries, ...
|
||||
- Block known bad IP with DNSBL and CrowdSec
|
||||
- Prevent bruteforce attacks with rate limiting
|
||||
- Plugins system for external security checks (e.g. : ClamAV)
|
||||
- Easy to configure with environment variables or web UI
|
||||
- Automatic configuration with container labels
|
||||
- Docker Swarm support
|
||||
|
@ -365,13 +368,27 @@ docker service create --name anotherapp \
|
|||
|
||||
A dedicated image, *bunkerized-nginx-ui*, lets you manage bunkerized-nginx instances and services configurations through a web user interface. This feature is still in beta, feel free to open a new issue if you find a bug and/or you have an idea to improve it.
|
||||
|
||||
First we need a volume that will store the configurations :
|
||||
First we need a volume that will store the configurations and a network because bunkerized-nginx will be used as a reverse proxy for the web UI :
|
||||
|
||||
```shell
|
||||
docker volume create nginx_conf
|
||||
docker network create mynet
|
||||
```
|
||||
|
||||
Then, we can create the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
|
||||
Let's create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
|
||||
|
||||
```shell
|
||||
docker run --network mynet \
|
||||
--name myui \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
-v nginx_conf:/etc/nginx \
|
||||
-e ABSOLUTE_URI=https://admin.domain.com/webui/ \
|
||||
bunkerity/bunkerized-nginx-ui
|
||||
```
|
||||
|
||||
You will need to edit the `ABSOLUTE_URI` environment variable to reflect your actual URI of the web UI.
|
||||
|
||||
We can now setup the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
|
||||
|
||||
```shell
|
||||
docker network create mynet
|
||||
|
@ -401,17 +418,7 @@ docker run -p 80:8080 \
|
|||
|
||||
The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui so **using auth basic with a strong password coupled with a "hard to guess" URI is strongly recommended**.
|
||||
|
||||
We can now create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
|
||||
|
||||
```shell
|
||||
docker run --network mynet \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
-v nginx_conf:/etc/nginx \
|
||||
-e ABSOLUTE_URI=https://admin.domain.com/webui/ \
|
||||
bunkerity/bunkerized-nginx-ui
|
||||
```
|
||||
|
||||
After that, the web UI should be accessible from https://admin.domain.com/webui/.
|
||||
Web UI should now be accessible from https://admin.domain.com/webui/.
|
||||
|
||||
# Security tuning
|
||||
|
||||
|
|
|
@ -7,6 +7,11 @@ set $session_check_addr on;
|
|||
|
||||
access_by_lua_block {
|
||||
|
||||
-- disable checks for internal requests
|
||||
if ngx.req.is_internal() then
|
||||
return
|
||||
end
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ Non-exhaustive list of features :
|
|||
- Block TOR, proxies, bad user-agents, countries, ...
|
||||
- Block known bad IP with DNSBL and CrowdSec
|
||||
- Prevent bruteforce attacks with rate limiting
|
||||
- Plugin system for external security checks (e.g. : ClamAV)
|
||||
- Plugins system for external security checks (e.g. : ClamAV)
|
||||
- Easy to configure with environment variables or web UI
|
||||
- Automatic configuration with container labels
|
||||
- Docker Swarm support
|
||||
|
|
|
@ -78,7 +78,7 @@ Under the hood, bunkerized-nginx uses the [lua nginx module](https://github.com/
|
|||
|
||||
### Dependencies
|
||||
|
||||
Since the core already uses some external libraries you can use it in your own plugins too (see the [compile.sh](https://github.com/bunkerity/bunkerized-nginx/blob/master/compile.sh file) and the [core lua files](https://github.com/bunkerity/bunkerized-nginx/tree/master/lua)).
|
||||
Since the core already uses some external libraries you can use it in your own plugins too (see the [compile.sh](https://github.com/bunkerity/bunkerized-nginx/blob/master/compile.sh) file and the [core lua files](https://github.com/bunkerity/bunkerized-nginx/tree/master/lua)).
|
||||
|
||||
In case you need to add dependencies, you can do it by placing the corresponding files into the same folder of your main plugin code. Here is an example with a file named **dependency.lua** :
|
||||
|
||||
|
|
|
@ -296,13 +296,27 @@ docker service create --name anotherapp \
|
|||
|
||||
A dedicated image, *bunkerized-nginx-ui*, lets you manage bunkerized-nginx instances and services configurations through a web user interface. This feature is still in beta, feel free to open a new issue if you find a bug and/or you have an idea to improve it.
|
||||
|
||||
First we need a volume that will store the configurations :
|
||||
First we need a volume that will store the configurations and a network because bunkerized-nginx will be used as a reverse proxy for the web UI :
|
||||
|
||||
```shell
|
||||
docker volume create nginx_conf
|
||||
docker network create mynet
|
||||
```
|
||||
|
||||
Then, we can create the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
|
||||
Let's create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
|
||||
|
||||
```shell
|
||||
docker run --network mynet \
|
||||
--name myui \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
-v nginx_conf:/etc/nginx \
|
||||
-e ABSOLUTE_URI=https://admin.domain.com/webui/ \
|
||||
bunkerity/bunkerized-nginx-ui
|
||||
```
|
||||
|
||||
You will need to edit the `ABSOLUTE_URI` environment variable to reflect your actual URI of the web UI.
|
||||
|
||||
We can now setup the bunkerized-nginx instance with the `bunkerized-nginx.UI` label and a reverse proxy configuration for our web UI :
|
||||
|
||||
```shell
|
||||
docker network create mynet
|
||||
|
@ -332,14 +346,4 @@ docker run -p 80:8080 \
|
|||
|
||||
The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui so **using auth basic with a strong password coupled with a "hard to guess" URI is strongly recommended**.
|
||||
|
||||
We can now create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
|
||||
|
||||
```shell
|
||||
docker run --network mynet \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
-v nginx_conf:/etc/nginx \
|
||||
-e ABSOLUTE_URI=https://admin.domain.com/webui/ \
|
||||
bunkerity/bunkerized-nginx-ui
|
||||
```
|
||||
|
||||
After that, the web UI should be accessible from https://admin.domain.com/webui/.
|
||||
Web UI should now be accessible from https://admin.domain.com/webui/.
|
||||
|
|
|
@ -89,3 +89,5 @@ Mountpoint : `/plugins`
|
|||
|
||||
Description :
|
||||
This volume is used to extend bunkerized-nginx with [additional plugins](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html). Please note that you will need to have a subdirectory for each plugin you want to enable.
|
||||
|
||||
Read-only : yes
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/sh
|
||||
|
||||
# you need to run it before starting bunkerized-nginx to get the first certificate
|
||||
|
||||
# edit according to your values
|
||||
DOMAINS="kakou-corp.fr,*.kakou-corp.fr"
|
||||
EMAIL="contact@kakou-corp.fr"
|
||||
SERVICE="mywww"
|
||||
|
||||
# ask for the certificate
|
||||
# don't forget to first edit the cloudflare.ini file
|
||||
docker run --rm \
|
||||
-v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
|
||||
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
|
||||
certbot/dns-cloudflare \
|
||||
certonly \
|
||||
--dns-cloudflare \
|
||||
--dns-cloudflare-credentials /tmp/cloudflare.ini \
|
||||
--dns-cloudflare-propagation-seconds 60 \
|
||||
-d "$DOMAINS" \
|
||||
--email "$EMAIL" \
|
||||
--agree-tos \
|
||||
--no-eff-email
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "error while getting certificate for $DOMAINS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# fix permissions
|
||||
chgrp -R 101 "${PWD}/letsencrypt"
|
||||
chmod -R 750 "${PWD}/letsencrypt"
|
||||
|
||||
echo "Certificate for $DOMAINS created !"
|
|
@ -0,0 +1,28 @@
|
|||
#!/bin/sh
|
||||
|
||||
# you should add it to your crontab like :
|
||||
# 0 0 * * * cd /your/folder && ./certbot-renew.sh
|
||||
|
||||
# edit with your service name
|
||||
SERVICE="mywww"
|
||||
|
||||
# ask for the renew
|
||||
# don't forget to first edit the cloudflare.ini file
|
||||
docker run --rm \
|
||||
-v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
|
||||
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
|
||||
certbot/dns-cloudflare \
|
||||
renew
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "error while getting certificate for $DOMAINS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# fix permissions
|
||||
chgrp -R 101 "${PWD}/letsencrypt"
|
||||
chmod -R 750 "${PWD}/letsencrypt"
|
||||
|
||||
# reload bunkerized-nginx
|
||||
docker-compose kill -s SIGHUP mywww
|
||||
|
||||
echo "Certificate(s) renewed (if needed) !"
|
|
@ -0,0 +1,5 @@
|
|||
# Cloudflare API token used by Certbot
|
||||
# More info :
|
||||
# https://certbot-dns-cloudflare.readthedocs.io/en/stable/index.html#credentials
|
||||
# https://developers.cloudflare.com/api/tokens/create
|
||||
dns_cloudflare_api_token = YOUR-API-TOKEN-HERE
|
|
@ -0,0 +1,36 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
volumes:
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/letsencrypt:ro
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain(s)
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/letsencrypt/live/website.com/fullchain.pem # replace with your path
|
||||
- CUSTOM_HTTPS_KEY=/letsencrypt/live/website.com/privkey.pem # replace with your path
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- PROXY_REAL_IP=yes
|
||||
# networks from https://www.cloudflare.com/ips-v4/
|
||||
# you should check if the networks listed are up to date
|
||||
- PROXY_REAL_IP_FROM=173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 172.64.0.0/13 131.0.72.0/22 104.16.0.0/13 104.24.0.0/14
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- REMOTE_PHP=myphp
|
||||
- REMOTE_PHP_PATH=/app
|
||||
|
||||
myphp:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files:/app
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "Hello World behind Cloudflare !";
|
||||
|
||||
?>
|
|
@ -3,19 +3,28 @@
|
|||
# you need to run it before starting bunkerized-nginx
|
||||
# since it's manual there is no auto renew, you need to run it again before it expires
|
||||
|
||||
DOMAIN="*.website.com"
|
||||
# replace with your values
|
||||
DOMAINS="website.com,*.website.com"
|
||||
SERVICE="mywww"
|
||||
|
||||
# ask for wildcard certificate
|
||||
# it's interactive and you will need to add a DNS entry
|
||||
docker run --rm -it -v "${PWD}/letsencrypt:/etc/letsencrypt" certbot/certbot certonly --manual -d $DOMAIN --agree-tos
|
||||
docker run --rm \
|
||||
-it \
|
||||
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
|
||||
certbot/certbot \
|
||||
certonly \
|
||||
--manual \
|
||||
-d "$DOMAINS" \
|
||||
--agree-tos
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "error while getting certificate for $DOMAIN"
|
||||
echo "error while getting certificate for $DOMAINS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# fix permissions
|
||||
chown -R 101:101 "${PWD}/letsencrypt"
|
||||
chgrp -R 101 "${PWD}/letsencrypt"
|
||||
chmod -R 750 "${PWD}/letsencrypt"
|
||||
|
||||
# reload nginx if it's already running (in case of a "renew")
|
||||
if [ -z `docker-compose ps -q $SERVICE` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q $SERVICE)` ]; then
|
||||
|
|
|
@ -579,7 +579,7 @@
|
|||
"env": "CUSTOM_HTTPS_CERT",
|
||||
"id": "custom-https-cert",
|
||||
"label": "Custom TLS certificate path",
|
||||
"regex": "^[A-Za-z\\.0-9\\/]*$",
|
||||
"regex": "^[A-Za-z\\.0-9\\/\\-]*$",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
|
@ -588,7 +588,7 @@
|
|||
"env": "CUSTOM_HTTPS_KEY",
|
||||
"id": "custom-https-key",
|
||||
"label": "Custom TLS certificate key",
|
||||
"regex": "^[A-Za-z\\.0-9\\/]*$",
|
||||
"regex": "^[A-Za-z\\.0-9\\/\\-]*$",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue