block country and various fixes
This commit is contained in:
parent
ecf2de8b72
commit
69ac95b29e
|
@ -8,7 +8,7 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
|
||||
COPY misc/*.mmdb /etc/nginx/geoip.mmdb
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
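Review bot: `COPY misc/*.mmdb /etc/nginx/geoip.mmdb` ties the image content to whatever matches the glob at build time: Docker aborts the build when nothing matches, and if a second .mmdb is ever dropped into misc/ the destination must then be a directory ending in `/`, so the build aborts again rather than picking a file. The removed explicit filename was the reproducible form; if the glob is meant to tolerate a differently named download, say so next to it, e.g. `# exactly one GeoLite2 country database is expected in misc/ (refreshed at runtime by scripts/geolite.sh)`, and hedge that claim against what geolite.sh actually does since it is not in this commit. The RUN instruction continues outside the hunk.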
|
|
|
@ -197,7 +197,6 @@ Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highli
|
|||
List of PHP functions blacklisted. They can't be used anywhere in PHP code.
|
||||
|
||||
## TODO
|
||||
- Listen HTTP through env var (remove temp when renewing with certbot - error if redirect also enabled)
|
||||
- Block country alternative as maxmind db
|
||||
- Test with default wordpress install
|
||||
- Test with custom confs reverse proxy
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
if ($allowed_country = no) {
|
||||
return 444;
|
||||
}
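Review bot: The new file has no comment saying where `$allowed_country` comes from or why it answers with 444 where the check removed from geoip.conf returned 403. A two-line header such as `# included in server context by entrypoint.sh when BLOCK_COUNTRY is set` / `# $allowed_country is set by the map in geoip.conf; 444 closes the connection without a response` would let the next maintainer place it. Note that 444 gives a blocked client a dropped connection rather than an explanatory page, which also hits legitimate users routed through an exit in a blocked country — confirm that is the intended trade-off.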
|
|
@ -1,7 +1,10 @@
|
|||
geoip2 /etc/nginx/geoip.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default yes;
|
||||
%BLOCK_COUNTRY%
|
||||
}
|
||||
if ($allowed_country = no) {
|
||||
return 403;
|
||||
}
|
||||
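Review bot: `default yes;` in the map means any request whose lookup yields no country code — private or loopback source addresses, addresses absent from the database, or a database that failed to load — is allowed, so the block is fail-open; that is a defensible choice but should be written down, e.g. `# default yes: requests with no resolvable country are NOT blocked (fail-open)` above the `default` line. The `%BLOCK_COUNTRY%` placeholder is expanded by entrypoint.sh from a space-separated list, which deserves its own comment, `# expanded by entrypoint.sh into one "CC no;" line per code in BLOCK_COUNTRY`. `auto_reload 5m` will pick up the file the cron refresh writes, but only safely if that refresh replaces the file atomically (write to a temp name, then rename) — geolite.sh is not in this commit, so please confirm.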
|
|
|
@ -70,15 +70,8 @@ http {
|
|||
# disable default server
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
|
||||
# redirect HTTP to HTTPS
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
|
||||
# geoip2 config
|
||||
geoip2 /etc/nginx/geoip.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
# check if country is blocked
|
||||
%BLOCK_COUNTRY%
|
||||
|
||||
# check if user agent is blocked
|
||||
%BLOCK_USER_AGENT%
|
||||
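Review bot: The `# check if country is blocked` comment now sits above a placeholder that the entrypoint appears to expand to `include /etc/nginx/geoip.conf;`, and per the geoip.conf hunk that file carries the geoip2 database block and the country map, not the check itself — the check moved to the server context. Reword it to `# geoip2 database + country map (include /etc/nginx/geoip.conf; when BLOCK_COUNTRY is set)` so a reader does not look here for the blocking rule. The enclosing `http {` block starts and ends outside the hunk.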
|
|
|
@ -1,5 +1,3 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name %SERVER_NAME%;
|
||||
if ($scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
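Review bot: `return 301 https://$host$request_uri` now runs inside the main server block and builds the Location header from the client-supplied Host header; whenever this block answers requests whose Host does not match `server_name` (for instance if it is the only or default server on the port — `%DISABLE_DEFAULT_SERVER%` suggests that is configurable), the Host value is reflected into the redirect. If the block only ever serves matching names this is moot and a comment should say so, `# $host is safe here: this block only serves matching server_name values`; otherwise prefer `$server_name` when a single name is configured. Also, `$scheme = http` is true for every request on a plain-HTTP listener, so with HTTP enabled and no TLS listener every request is redirected to an https endpoint that may not exist — the entrypoint's own TODO acknowledges this.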
|
|
|
@ -1,11 +1,12 @@
|
|||
server {
|
||||
%LISTEN_HTTP%
|
||||
%AUTO_LETS_ENCRYPT%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
server_name %SERVER_NAME%;
|
||||
%SERVE_FILES%
|
||||
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
|
||||
{
|
||||
return 405;
|
||||
return 405;
|
||||
}
|
||||
%USE_PHP%
|
||||
%HEADER_SERVER%
|
||||
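Review bot: If both `%LISTEN_HTTP%` and `%AUTO_LETS_ENCRYPT%` expand to nothing (LISTEN_HTTP=no together with AUTO_LETS_ENCRYPT=no), this server block ends up with no `listen` directive at all, and nginx then listens on *:80 regardless (or *:8000 when not running as root), so "no HTTP" does not actually stop plain-HTTP service unless a custom conf adds a TLS listener. Either have LISTEN_HTTP=no emit an explicit TLS-only listen or document the limitation next to the placeholder: `# %LISTEN_HTTP%: "listen 0.0.0.0:80;" or empty — with no listen directive at all nginx still binds *:80`. A one-line comment per placeholder naming the entrypoint variable that drives it would help as well. The server block closes outside the hunk.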
|
|
|
@ -62,6 +62,7 @@ COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
|
|||
SERVE_FILES="${SERVE_FILES-yes}"
|
||||
WRITE_ACCESS="${WRITE_ACCESS-no}"
|
||||
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
|
||||
LISTEN_HTTP="${LISTEN_HTTP-yes}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
@ -154,14 +155,12 @@ else
|
|||
fi
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
|
||||
#if [ ! -f /etc/nginx/geoip.mmdb ] ; then
|
||||
# /opt/scripts/geolite.sh
|
||||
#fi
|
||||
if [ "$BLOCK_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
|
||||
echo "0 0 * * * /opt/scripts/geolite.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
|
||||
fi
|
||||
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
|
||||
|
@ -181,7 +180,6 @@ else
|
|||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
|
||||
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
|
@ -208,14 +206,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
|||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
|
||||
fi
|
||||
|
||||
# TODO : only do this if TLS is used
|
||||
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
|
||||
if [ "$LISTEN_HTTP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
|
||||
if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
|
||||
fi
|
||||
|
||||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
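Review bot: `BLOCK_COUNTRY` is spliced into the nginx map in geoip.conf with no validation: `"$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"` word-splits and glob-expands the unquoted variable and hands the result to `replace_in_file`, whose definition is outside this hunk — unless it escapes sed metacharacters, a `/`, `&` or `\` in the value corrupts the config or becomes arbitrary directives inside the map block, and a stray token becomes an ineffective rule. Validate the list before substituting so a malformed value is reported at container start rather than surfacing as an nginx config error. Separately, in the lets-encrypt `else` branch `%LISTEN_HTTP%` is replaced with `listen 0.0.0.0:80;` unconditionally, before the `if [ "$LISTEN_HTTP" = "yes" ]` block runs, so LISTEN_HTTP=no is ignored whenever AUTO_LETS_ENCRYPT is not yes (assuming both lines are on the new side); dropping that unconditional replacement and letting the LISTEN_HTTP block own the placeholder fixes it. The commented-out geolite.sh check is dead code now that the database is copied into the image and refreshed by the cron line — delete it or add a comment saying why it is kept.

```sh
if [ "$BLOCK_COUNTRY" != "" ] ; then
  # accept only two-letter upper-case ISO codes; anything else is refused before it reaches the config
  for cc in $BLOCK_COUNTRY ; do
    case "$cc" in
      [A-Z][A-Z]) ;;
      *) echo "BLOCK_COUNTRY: invalid country code '$cc'" >&2 ; exit 1 ;;
    esac
  done
  # … unchanged: replace_in_file calls, cron line, else branch …
```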
|
|
Binary file not shown.
|
@ -7,21 +7,22 @@ function replace_in_file() {
|
|||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
# check if HTTP to HTTPS is enabled
|
||||
# then disable it temporarily
|
||||
if grep -q "include /etc/nginx/redirect-http-to-https.conf;" "/etc/nginx/nginx.conf" ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "include /etc/nginx/redirect-http-to-https.conf;" "#include /etc/nginx/redirect-http-to-https.conf;"
|
||||
# check if HTTP enabled
|
||||
# and disable it temporarily if needed
|
||||
if grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:80;" "#listen 0.0.0.0:80;"
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
sleep 10
|
||||
fi
|
||||
fi
|
||||
|
||||
# ask a new certificate if needed
|
||||
certbot renew
|
||||
|
||||
# enable HTTP to HTTPS if needed
|
||||
if grep -q "#include /etc/nginx/redirect-http-to-https.conf;" "/etc/nginx/nginx.conf" ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "#include /etc/nginx/redirect-http-to-https.conf;" "include /etc/nginx/redirect-http-to-https.conf;"
|
||||
# enable HTTP again if needed
|
||||
if grep -q "#listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:80;" "listen 0.0.0.0:80;"
|
||||
fi
|
||||
|
||||
# reload nginx
|
||||
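Review bot: `grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf"` also matches the already-commented `#listen 0.0.0.0:80;`, so if a previous run died between the disable and re-enable steps (certbot failure, container stopped during the `sleep 10`), the next run turns the line into `##listen …`, the re-enable step strips only one `#`, and the HTTP listener stays disabled permanently; the re-enable grep has the same substring problem. Anchor both checks to the start of the line, e.g. `grep -q "^[[:space:]]*listen 0.0.0.0:80;"` and `grep -q "^[[:space:]]*#listen 0.0.0.0:80;"`, and consider a `trap` that restores the listen line on any exit so a failed `certbot renew` cannot leave the server without HTTP. `replace_in_file` is defined above the hunk, so whether it escapes the `.` and `#` in these patterns cannot be checked here; the final reload is also outside the hunk.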
|
|