block country and various fixes

Dockerfile

@@ -8,7 +8,7 @@ RUN chmod +x /tmp/compile.sh && \
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
+COPY misc/*.mmdb /etc/nginx/geoip.mmdb
 
 RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \

README.md

@@ -197,7 +197,6 @@ Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highli
 List of PHP functions blacklisted. They can't be used anywhere in PHP code.
 
 ## TODO
-- Listen HTTP through env var (remove temp when renewing with certbot - error if redirect also enabled)
 - Block country alternative as maxmind db
 - Test with default wordpress install
 - Test with custom confs reverse proxy

confs/geoip-server.conf

@@ -0,0 +1,3 @@
+if ($allowed_country = no) {
+	return 444;
+}

confs/geoip.conf

@@ -1,7 +1,10 @@
+geoip2 /etc/nginx/geoip.mmdb {
+	auto_reload 5m;
+	$geoip2_metadata_country_build metadata build_epoch;
+	$geoip2_data_country_code country iso_code;
+}
+
 map $geoip2_data_country_code $allowed_country {
 	default yes;
 	%BLOCK_COUNTRY%
 }
-if ($allowed_country = no) {
-	return 403;
-}

confs/nginx.conf

@@ -70,15 +70,8 @@ http {
 	# disable default server
 	%DISABLE_DEFAULT_SERVER%
 
-	# redirect HTTP to HTTPS
-	%REDIRECT_HTTP_TO_HTTPS%
-
-	# geoip2 config
-	geoip2 /etc/nginx/geoip.mmdb {
-		auto_reload 5m;
-		$geoip2_metadata_country_build metadata build_epoch;
-		$geoip2_data_country_code country iso_code;
-	}
+	# check if country is blocked
+	%BLOCK_COUNTRY%
 
 	# check if user agent is blocked
 	%BLOCK_USER_AGENT%

confs/redirect-http-to-https.conf

@@ -1,5 +1,3 @@
-server {
-	listen 80;
-	server_name %SERVER_NAME%;
+if ($scheme = http) {
 	return 301 https://$host$request_uri;
 }

confs/server.conf

@@ -1,11 +1,12 @@
 server {
 	%LISTEN_HTTP%
 	%AUTO_LETS_ENCRYPT%
+	%REDIRECT_HTTP_TO_HTTPS%
 	server_name %SERVER_NAME%;
 	%SERVE_FILES%
 	if ($request_method !~ ^(%ALLOWED_METHODS%)$)
 	{
-		return 405; 
+		return 405;
 	}
 	%USE_PHP%
 	%HEADER_SERVER%

entrypoint.sh

@@ -62,6 +62,7 @@ COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
 SERVE_FILES="${SERVE_FILES-yes}"
 WRITE_ACCESS="${WRITE_ACCESS-no}"
 REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
+LISTEN_HTTP="${LISTEN_HTTP-yes}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -154,14 +155,12 @@ else
 fi
 replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
 replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
-#if [ ! -f /etc/nginx/geoip.mmdb ] ; then
-#	/opt/scripts/geolite.sh
-#fi
 if [ "$BLOCK_COUNTRY" != "" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
+	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip-server.conf;"
 	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
-	echo "0 0 * * * /opt/scripts/geolite.sh" >> /etc/crontabs/root
 else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
 fi
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
@@ -181,7 +180,6 @@ else
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
 fi
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
 
 	FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 	DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
@@ -208,14 +206,18 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 	echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
 else
 	replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
-	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
 fi
 
-# TODO : only do this if TLS is used
-if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
+if [ "$LISTEN_HTTP" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
+	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
+fi
+
+if [ "$REDIRECT_HTTP_TO_HTTPS" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" "include /etc/nginx/redirect-http-to-https.conf;"
+else
+	replace_in_file "/etc/nginx/server.conf" "%REDIRECT_HTTP_TO_HTTPS%" ""
 fi
 
 if [ "$USE_MODSECURITY" = "yes" ] ; then

scripts/certbot-renew.sh

@@ -7,21 +7,22 @@ function replace_in_file() {
 	sed -i "s/$pattern/$replace/g" "$1"
 }
 
-# check if HTTP to HTTPS is enabled
-# then disable it temporarily
-if grep -q "include /etc/nginx/redirect-http-to-https.conf;" "/etc/nginx/nginx.conf" ; then
-	replace_in_file "/etc/nginx/nginx.conf" "include /etc/nginx/redirect-http-to-https.conf;" "#include /etc/nginx/redirect-http-to-https.conf;"
+# check if HTTP enabled
+# and disable it temporarily if needed
+if grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
+	replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:80;" "#listen 0.0.0.0:80;"
 	if [ -f /run/nginx/nginx.pid ] ; then
 		/usr/sbin/nginx -s reload
+		sleep 10
 	fi
 fi
 
 # ask a new certificate if needed
 certbot renew
 
-# enable HTTP to HTTPS if needed
-if grep -q "#include /etc/nginx/redirect-http-to-https.conf;" "/etc/nginx/nginx.conf" ; then
-	replace_in_file "/etc/nginx/nginx.conf" "#include /etc/nginx/redirect-http-to-https.conf;" "include /etc/nginx/redirect-http-to-https.conf;"
+# enable HTTP again if needed
+if grep -q "#listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
+	replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:80;" "listen 0.0.0.0:80;"
 fi
 
 # reload nginx