integrated ajarmoszuk work
This commit is contained in:
bunkerity
parent
919b418d58
commit
6e3c2ddcc2
89
README.md
89
README.md
|
|
@ -175,10 +175,25 @@ Default value :
|
|||
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
|
||||
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
|
||||
|
||||
`PROXY_REAL_IP`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly.
|
||||
`PROXY_REAL_IP`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Set this environment variable to *yes* if you're using bunkerized-nginx behind a reverse proxy. This means you will see the real client address instead of the proxy one inside your logs. Modsecurity, fail2ban and others security tools will also then work correctly.
|
||||
|
||||
`PROXY_REAL_IP_FROM`
|
||||
Values : *\<list of trusted IP addresses and/or networks separated with spaces\>*
|
||||
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
|
||||
When `PROXY_REAL_IP` is set to *yes*, lets you define the trusted IPs/networks allowed to send the correct client address.
|
||||
|
||||
`PROXY_REAL_IP_HEADER`
|
||||
Values : *X-Forwarded-For* | *X-Real-IP* | *custom header*
|
||||
Default value : *X-Forwarded-For*
|
||||
When `PROXY_REAL_IP` is set to *yes*, lets you define the header that contains the real client IP address.
|
||||
|
||||
`PROXY_REAL_IP_RECURSIVE`
|
||||
Values : *on* | *off*
|
||||
Default value : *on*
|
||||
When `PROXY_REAL_IP` is set to *yes*, setting this to *on* avoid spoofing attacks using the header defined in `PROXY_REAL_IP_HEADER`.
|
||||
|
||||
## HTTPS
|
||||
`AUTO_LETS_ENCRYPT`
|
||||
|
|
@ -203,7 +218,7 @@ Values : *yes* | *no*
|
|||
Default value : *yes*
|
||||
If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
|
||||
|
||||
`USE_CUSTOM_HTTPS`
|
||||
`USE_CUSTOM_HTTPS`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
If set to yes, HTTPS will be enabled with certificate/key of your choice.
|
||||
|
|
@ -218,51 +233,51 @@ Values : *\<any valid path inside the container\>*
|
|||
Default value :
|
||||
Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
|
||||
|
||||
`GENERATE_SELF_SIGNED_SSL`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
If set to yes, HTTPS will be enabled with a container generated self signed SSL.
|
||||
`GENERATE_SELF_SIGNED_SSL`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_EXPIRY`
|
||||
Values : *integer*
|
||||
Default value : *365* (1 year)
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_EXPIRY`
|
||||
Values : *integer*
|
||||
Default value : *365* (1 year)
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the expiry date for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_COUNTRY`
|
||||
Values : *text*
|
||||
Default value : *Switzerland*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_COUNTRY`
|
||||
Values : *text*
|
||||
Default value : *Switzerland*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the country for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_STATE`
|
||||
Values : *text*
|
||||
Default value : *Switzerland*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_STATE`
|
||||
Values : *text*
|
||||
Default value : *Switzerland*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the state for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_CITY`
|
||||
Values : *text*
|
||||
Default value : *Bern*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_CITY`
|
||||
Values : *text*
|
||||
Default value : *Bern*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the city for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_ORG`
|
||||
Values : *text*
|
||||
Default value : *AcmeInc*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_ORG`
|
||||
Values : *text*
|
||||
Default value : *AcmeInc*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the organisation name for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_OU`
|
||||
Values : *text*
|
||||
Default value : *IT*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_OU`
|
||||
Values : *text*
|
||||
Default value : *IT*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the organisitional unit for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_CN`
|
||||
Values : *text*
|
||||
Default value : *bunkerity-nginx*
|
||||
Needs "GENERATE_SELF_SIGNED_SSL" to work.
|
||||
`SELF_SIGNED_SSL_CN`
|
||||
Values : *text*
|
||||
Default value : *bunkerity-nginx*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the CN server name for the self generated certificate.
|
||||
|
||||
## ModSecurity
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
|
|
@ -61,9 +61,11 @@ http {
|
|||
# enable/disable sending nginx version
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
|
||||
# write logs to local syslogd
|
||||
# get real IP address if behind a reverse proxy
|
||||
%PROXY_REAL_IP%
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;
|
||||
|
||||
# write logs to local syslogd
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
|
||||
|
||||
# lua path
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
log_format proxy '$http_x_real_ip - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
%PROXY_REAL_IP_FROM%
|
||||
real_ip_header %PROXY_REAL_IP_HEADER%;
|
||||
real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,7 @@
|
|||
server {
|
||||
include /server-confs/*.conf;
|
||||
%LISTEN_HTTP%
|
||||
%AUTO_LETS_ENCRYPT%
|
||||
%CUSTOM_HTTPS%
|
||||
%USE_HTTPS%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
server_name %SERVER_NAME%;
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
|
|
|
|||
|
|
@ -132,6 +132,9 @@ LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
|
|||
LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
|
||||
LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
|
||||
PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
||||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
|
||||
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
|
||||
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
|
||||
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
|
||||
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
|
||||
|
|
@ -283,59 +286,45 @@ if [ "$BLOCK_ABUSERS" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] && [ "$USE_CUSTOM_HTTPS" = "no" ]; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
|
||||
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "include /etc/nginx/auto-lets-encrypt.conf;"
|
||||
|
||||
# HTTPS config
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" "include /etc/nginx/https.conf;"
|
||||
if [ "$HTTP2" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "http2"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%FIRST_SERVER_NAME%" "$FIRST_SERVER_NAME"
|
||||
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
else
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
/opt/scripts/certbot-renew.sh
|
||||
else
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
|
||||
fi
|
||||
if [ "$USE_CUSTOM_HTTPS" = "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "no" ]; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
|
||||
if [ "$HTTP2" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" ""
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTP2%" ""
|
||||
fi
|
||||
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
else
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
replace_in_file "/etc/nginx/https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
|
||||
if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
DOMAINS_LETS_ENCRYPT=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
|
||||
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
/opt/scripts/certbot-renew.sh
|
||||
else
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
|
||||
elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
|
||||
mkdir /etc/nginx/self-signed-ssl/
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
else
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
|
||||
replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
|
||||
fi
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
|
||||
replace_in_file "/etc/nginx/https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_HTTPS%" ""
|
||||
fi
|
||||
|
||||
if [ "$LISTEN_HTTP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
|
||||
else
|
||||
|
|
@ -372,11 +361,16 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
if [ "$PROXY_REAL_IP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
|
||||
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy"
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
|
||||
froms=""
|
||||
for from in $PROXY_REAL_IP_FROM ; do
|
||||
froms="${froms}set_real_ip_from ${from};\n"
|
||||
done
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_FROM%" "$froms"
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
|
||||
fi
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue