templates - add missing new line when necessary
This commit is contained in:
bunkerity
parent
c4aef1d606
commit
70f9f8417e
|
|
@ -2,7 +2,7 @@
|
|||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% if API_WHITELIST_IP != ""%}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% if API_WHITELIST_IP != ""%}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
|
|
|
|||
|
|
@ -5,14 +5,14 @@ geoip2 /etc/nginx/geoip.mmdb {
|
|||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
|
||||
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif +%};
|
||||
{% if WHITELIST_COUNTRY != "" %}
|
||||
{% for country in WHITELIST_COUNTRY.split(" ") %}
|
||||
{% for country in WHITELIST_COUNTRY.split(" ") +%}
|
||||
{{ country }} yes;
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if BLACKLIST_COUNTRY != "" %}
|
||||
{% for country in BLACKLIST_COUNTRY.split(" ") %}
|
||||
{% for country in BLACKLIST_COUNTRY.split(" ") +%}
|
||||
{{ country }} no;
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,15 @@
|
|||
init_by_lua_block {
|
||||
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
local cjson = require "cjson"
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
|
|
|
|||
|
|
@ -6,8 +6,8 @@ ssl_prefer_server_ciphers off;
|
|||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS +%}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
{% endif +%}
|
||||
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
server {
|
||||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %};
|
||||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif +%};
|
||||
server_name _;
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%}
|
||||
{% if USE_API == "yes" %}
|
||||
location ^~ {{ API_URI }} {
|
||||
include /etc/nginx/api.conf;
|
||||
}
|
||||
{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif +%}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -79,33 +79,33 @@ http {
|
|||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;/opt/bunkerized-nginx/plugins/?.lua;;";
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
|
||||
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
|
||||
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif +%}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif +%}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif +%}
|
||||
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif +%}
|
||||
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif +%}
|
||||
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif +%}
|
||||
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif +%}
|
||||
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif +%}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif +%}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif +%}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif +%}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif +%}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif +%}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif +%}
|
||||
lua_shared_dict plugins_data 10m;
|
||||
|
||||
# shared memory zone for limit_req
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif +%}
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
|
||||
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif +%}
|
||||
|
||||
# whitelist or blacklist country
|
||||
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
|
||||
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif +%}
|
||||
|
||||
# zone for proxy_cache
|
||||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
|
||||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif +%}
|
||||
|
||||
# custom http confs
|
||||
include /opt/bunkerized-nginx/http-confs/*.conf;
|
||||
|
|
@ -114,7 +114,7 @@ http {
|
|||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
|
||||
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif +%}
|
||||
|
||||
# server config(s)
|
||||
{% if MULTISITE == "yes" and SERVER_NAME != "" %}
|
||||
|
|
@ -137,13 +137,13 @@ http {
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% for first_server in map_servers %}
|
||||
{% for first_server in map_servers +%}
|
||||
include /etc/nginx/{{ first_server }}/server.conf;
|
||||
{% endfor %}
|
||||
{% elif MULTISITE == "no" %}
|
||||
{% elif MULTISITE == "no" +%}
|
||||
include /etc/nginx/server.conf;
|
||||
{% endif %}
|
||||
|
||||
# API
|
||||
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
|
||||
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif +%}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,6 +21,6 @@ proxy_set_header Remote-User $user;
|
|||
proxy_set_header Remote-Groups $groups;
|
||||
proxy_set_header Remote-Name $name;
|
||||
proxy_set_header Remote-Email $email;
|
||||
{% if AUTHELIA_MODE == "portal" %}
|
||||
{% if AUTHELIA_MODE == "portal" +%}
|
||||
error_page 401 =302 {{ AUTHELIA_BACKEND }}/?rd=$target_url;
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
|
|||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" +%}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ location = {{ page }} {
|
|||
|
||||
{% set default_errors = ["400", "401", "403", "404", "429", "500", "501", "502", "503", "504"] %}
|
||||
{% for default_error in default_errors %}
|
||||
{% if not default_error + "=" in ERRORS %}
|
||||
{% if not default_error + "=" in ERRORS +%}
|
||||
error_page {{ default_error }} /errors/{{ default_error }}.html;
|
||||
|
||||
location = /errors/{{ default_error }}.html {
|
||||
|
|
|
|||
|
|
@ -22,13 +22,13 @@ ssl_prefer_server_ciphers on;
|
|||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" +%}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS +%}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
{% if AUTO_LETS_ENCRYPT %}
|
||||
{% if AUTO_LETS_ENCRYPT +%}
|
||||
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,9 +1,9 @@
|
|||
log_by_lua_block {
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif +%}
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% if BAD_BEHAVIOR_STATUS_CODES != "" %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% if BAD_BEHAVIOR_STATUS_CODES != "" %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
|
||||
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
|
||||
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{% if ANTIBOT_SESSION_SECRET == "random" %}
|
||||
set $session_secret {{ random(32) }} ;
|
||||
{% else %}
|
||||
{% if ANTIBOT_SESSION_SECRET == "random" +%}
|
||||
set $session_secret {{ random(32) }};
|
||||
{% else +%}
|
||||
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
|
||||
{% endif %}
|
||||
set $session_check_addr on;
|
||||
|
|
@ -13,48 +13,48 @@ if ngx.req.is_internal() then
|
|||
end
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- countries
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
|
||||
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
|
||||
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%}
|
||||
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif +%}
|
||||
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = {% raw %}{{% endraw %}{% if DNS_RESOLVERS != "" %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local dns_resolvers = {% raw %}{{% endraw %}{% if DNS_RESOLVERS != "" %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local whitelist_ip_list = {% raw %}{{% endraw %}{% if WHITELIST_IP_LIST != "" %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local whitelist_reverse_list = {% raw %}{{% endraw %}{% if WHITELIST_REVERSE_LIST != "" %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif +%}
|
||||
local whitelist_ip_list = {% raw %}{{% endraw %}{% if WHITELIST_IP_LIST != "" %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
local whitelist_reverse_list = {% raw %}{{% endraw %}{% if WHITELIST_REVERSE_LIST != "" %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local blacklist_ip_list = {% raw %}{{% endraw %}{% if BLACKLIST_IP_LIST != "" %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local blacklist_reverse_list = {% raw %}{{% endraw %}{% if BLACKLIST_REVERSE_LIST != "" %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif +%}
|
||||
local blacklist_ip_list = {% raw %}{{% endraw %}{% if BLACKLIST_IP_LIST != "" %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
local blacklist_reverse_list = {% raw %}{{% endraw %}{% if BLACKLIST_REVERSE_LIST != "" %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
|
||||
local dnsbl_list = {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif +%}
|
||||
local dnsbl_list = {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
|
|
@ -70,8 +70,8 @@ local logger = require "logger"
|
|||
|
||||
-- user variables
|
||||
local antibot_uri = "{{ ANTIBOT_URI }}"
|
||||
local whitelist_user_agent = {% raw %}{{% endraw %}{% if WHITELIST_USER_AGENT != "" %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local whitelist_uri = {% raw %}{{% endraw %}{% if WHITELIST_URI != "" %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw %}
|
||||
local whitelist_user_agent = {% raw %}{{% endraw %}{% if WHITELIST_USER_AGENT != "" %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
local whitelist_uri = {% raw %}{{% endraw %}{% if WHITELIST_URI != "" %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% endif %}{% raw %}}{% endraw +%}
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
|
|
@ -309,10 +309,10 @@ ngx.exit(ngx.OK)
|
|||
|
||||
}
|
||||
|
||||
{% if USE_ANTIBOT == "javascript" %}
|
||||
{% if USE_ANTIBOT == "javascript" +%}
|
||||
include {{ NGINX_PREFIX }}antibot-javascript.conf;
|
||||
{% elif USE_ANTIBOT == "captcha" %}
|
||||
{% elif USE_ANTIBOT == "captcha" +%}
|
||||
include {{ NGINX_PREFIX }}antibot-captcha.conf;
|
||||
{% elif USE_ANTIBOT == "recaptcha" %}
|
||||
{% elif USE_ANTIBOT == "recaptcha" +%}
|
||||
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -58,10 +58,10 @@ SecAuditLog /var/log/nginx/modsec_audit.log
|
|||
include /opt/bunkerized-nginx/crs-setup.conf
|
||||
|
||||
# custom CRS configurations before loading rules (exclusions)
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") %}
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") +%}
|
||||
include /opt/bunkerized-nginx/modsec-crs-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) +%}
|
||||
include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -70,9 +70,9 @@ include /opt/bunkerized-nginx/crs/*.conf
|
|||
{% endif %}
|
||||
|
||||
# custom rules after loading the CRS
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") %}
|
||||
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") +%}
|
||||
include /opt/bunkerized-nginx/modsec-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) +%}
|
||||
include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ proxy_cache_key {{ PROXY_CACHE_KEY }};
|
|||
proxy_no_cache {{ PROXY_NO_CACHE }};
|
||||
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
|
||||
{% if PROXY_CACHE_VALID != "" %}
|
||||
{% for element in PROXY_CACHE_VALID.split(" ") %}
|
||||
{% for element in PROXY_CACHE_VALID.split(" ") +%}
|
||||
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
{% if PROXY_REAL_IP_FROM != "" %}
|
||||
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
|
||||
{% for element in PROXY_REAL_IP_FROM.split(" ") +%}
|
||||
set_real_ip_from {{ element }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,24 +1,24 @@
|
|||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
{% for k, v in all.items() %}
|
||||
{% if k.startswith("REVERSE_PROXY_URL") and v != "" %}
|
||||
{% if k.startswith("REVERSE_PROXY_URL") and v != "" +%}
|
||||
{% set url = v %}
|
||||
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
|
||||
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
|
||||
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
|
||||
location {{ url }} {% raw %}{{% endraw %}
|
||||
location {{ url }} {% raw %}{{% endraw +%}
|
||||
etag off;
|
||||
proxy_pass {{ host }};
|
||||
{% if USE_AUTHELIA == "yes" %}
|
||||
{% if USE_AUTHELIA == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}authelia-auth-request.conf;
|
||||
{% endif %}
|
||||
include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
|
||||
{% if ws == "yes" %}
|
||||
{% if ws == "yes" +%}
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
{% endif %}
|
||||
{% if headers != "" %}
|
||||
{% for header in headers.split(";") %}
|
||||
{% for header in headers.split(";") +%}
|
||||
proxy_set_header {{ header }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,24 +1,24 @@
|
|||
# custom config before server block
|
||||
include /opt/bunkerized-nginx/pre-server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% if MULTISITE == "yes" +%}
|
||||
include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
|
||||
# FastCGI variables
|
||||
{% if REMOTE_PHP != "" %}
|
||||
{% if REMOTE_PHP != "" +%}
|
||||
include {{ NGINX_PREFIX }}fastcgi.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom config
|
||||
include /opt/bunkerized-nginx/server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% if MULTISITE == "yes" +%}
|
||||
include /opt/bunkerized-nginx/server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy real IP
|
||||
{% if PROXY_REAL_IP == "yes" %}
|
||||
{% if PROXY_REAL_IP == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -27,22 +27,22 @@ server {
|
|||
include {{ NGINX_PREFIX }}log-lua.conf;
|
||||
|
||||
# ModSecurity
|
||||
{% if USE_MODSECURITY == "yes" %}
|
||||
{% if USE_MODSECURITY == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}modsecurity.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP listen
|
||||
{% if LISTEN_HTTP == "yes" %}
|
||||
{% if LISTEN_HTTP == "yes" +%}
|
||||
listen 0.0.0.0:{{ HTTP_PORT }};
|
||||
{% endif %}
|
||||
|
||||
# HTTPS listen + config
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}https.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP to HTTPS
|
||||
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
|
||||
{% if REDIRECT_HTTP_TO_HTTPS == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -50,12 +50,12 @@ server {
|
|||
server_name {{ SERVER_NAME }};
|
||||
|
||||
# disable default server
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" +%}
|
||||
include {{ NGINX_PREFIX }}disable-default-server.conf;
|
||||
{% endif %}
|
||||
|
||||
# serve local files
|
||||
{% if SERVE_FILES == "yes" %}
|
||||
{% if SERVE_FILES == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}serve-files.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -65,17 +65,17 @@ server {
|
|||
}
|
||||
|
||||
# requests limiting
|
||||
{% if USE_LIMIT_REQ == "yes" %}
|
||||
{% if USE_LIMIT_REQ == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}limit-req.conf;
|
||||
{% endif %}
|
||||
|
||||
# connections limiting
|
||||
{% if USE_LIMIT_CONN == "yes" %}
|
||||
{% if USE_LIMIT_CONN == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}limit-conn.conf;
|
||||
{% endif %}
|
||||
|
||||
# auth basic
|
||||
{% if USE_AUTH_BASIC == "yes" %}
|
||||
{% if USE_AUTH_BASIC == "yes" +%}
|
||||
{% if AUTH_BASIC_LOCATION == "sitewide" %}
|
||||
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
|
||||
{% else %}
|
||||
|
|
@ -85,48 +85,48 @@ server {
|
|||
|
||||
# remove headers
|
||||
{% if REMOVE_HEADERS != "" %}
|
||||
{% for header in REMOVE_HEADERS.split(" ") %}
|
||||
{% for header in REMOVE_HEADERS.split(" ") +%}
|
||||
more_clear_headers '{{ header }}';
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# X-Frame-Option header
|
||||
{% if X_FRAME_OPTIONS != "" %}
|
||||
{% if X_FRAME_OPTIONS != "" +%}
|
||||
include {{ NGINX_PREFIX }}x-frame-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-XSS-Protection header
|
||||
{% if X_XSS_PROTECTION != "" %}
|
||||
{% if X_XSS_PROTECTION != "" +%}
|
||||
include {{ NGINX_PREFIX }}x-xss-protection.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-Content-Type header
|
||||
{% if X_CONTENT_TYPE_OPTIONS != "" %}
|
||||
{% if X_CONTENT_TYPE_OPTIONS != "" +%}
|
||||
include {{ NGINX_PREFIX }}x-content-type-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# Content-Security-Policy header
|
||||
{% if CONTENT_SECURITY_POLICY != "" %}
|
||||
{% if CONTENT_SECURITY_POLICY != "" +%}
|
||||
include {{ NGINX_PREFIX }}content-security-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Referrer-Policy header
|
||||
{% if REFERRER_POLICY != "" %}
|
||||
{% if REFERRER_POLICY != "" +%}
|
||||
include {{ NGINX_PREFIX }}referrer-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Feature-Policy header
|
||||
{% if FEATURE_POLICY != "" %}
|
||||
{% if FEATURE_POLICY != "" +%}
|
||||
include {{ NGINX_PREFIX }}feature-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Permissions-Policy header
|
||||
{% if PERMISSIONS_POLICY != "" %}
|
||||
{% if PERMISSIONS_POLICY != "" +%}
|
||||
include {{ NGINX_PREFIX }}permissions-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# cookie flags
|
||||
{% if COOKIE_FLAGS != "" %}
|
||||
{% if COOKIE_FLAGS != "" +%}
|
||||
include {{ NGINX_PREFIX }}cookie-flags.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -134,17 +134,17 @@ server {
|
|||
include {{ NGINX_PREFIX }}error.conf;
|
||||
|
||||
# client caching
|
||||
{% if USE_CLIENT_CACHE == "yes" %}
|
||||
{% if USE_CLIENT_CACHE == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}client-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# gzip compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
{% if USE_GZIP == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# brotli compression
|
||||
{% if USE_BROTLI == "yes" %}
|
||||
{% if USE_BROTLI == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}brotli.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -155,33 +155,33 @@ server {
|
|||
server_tokens {{ SERVER_TOKENS }};
|
||||
|
||||
# open file caching
|
||||
{% if USE_OPEN_FILE_CACHE == "yes" %}
|
||||
{% if USE_OPEN_FILE_CACHE == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}open-file-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy caching
|
||||
{% if USE_PROXY_CACHE == "yes" %}
|
||||
{% if USE_PROXY_CACHE == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}proxy-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# authelia
|
||||
{% if USE_AUTHELIA == "yes" %}
|
||||
{% if USE_AUTHELIA == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}authelia-upstream.conf;
|
||||
include {{ NGINX_PREFIX }}authelia-auth-request.conf;
|
||||
{% endif %}
|
||||
|
||||
# inject into body
|
||||
{% if INJECT_BODY != "" %}
|
||||
{% if INJECT_BODY != "" +%}
|
||||
include {{ NGINX_PREFIX}}inject-body.conf;
|
||||
{% endif %}
|
||||
|
||||
# reverse proxy
|
||||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
{% if USE_REVERSE_PROXY == "yes" +%}
|
||||
include {{ NGINX_PREFIX }}reverse-proxy.conf;
|
||||
{% endif %}
|
||||
|
||||
# remote PHP
|
||||
{% if REMOTE_PHP != "" %}
|
||||
{% if REMOTE_PHP != "" +%}
|
||||
include {{ NGINX_PREFIX }}php.conf;
|
||||
{% endif %}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue