fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode

Dockerfile

@@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
-USER nginx
+USER nginx:nginx
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-amd64

@@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
-USER nginx
+USER nginx:nginx
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm32v7

@@ -27,6 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
-USER nginx
+USER nginx:nginx
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm64v8

@@ -27,6 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
-USER nginx
+USER nginx:nginx
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-i386

@@ -20,6 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
-USER nginx
+USER nginx:nginx
 
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

README.md

@@ -1,4 +1,4 @@
-bla<p align="center">
+<p align="center">
 	<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
 </p>
 

entrypoint/entrypoint.sh

@@ -53,7 +53,11 @@ if [ ! -f "/opt/installed" ] ; then
 	echo "[*] Configuring bunkerized-nginx ..."
 
 	# check permissions
-	/opt/entrypoint/permissions.sh
+	if [ "$SWARM_MODE" = "no" ] ; then
+		/opt/entrypoint/permissions.sh
+	else
+		/opt/entrypoint/permissions-swarm.sh
+	fi
 	if [ "$?" -ne 0 ] ; then
 		exit 1
 	fi

entrypoint/global-config.sh

@@ -10,14 +10,18 @@
 cp /opt/confs/global/* /etc/nginx/
 
 # include server block(s)
-if [ "$MULTISITE" = "yes" ] ; then
-	includes=""
-	for server in $SERVER_NAME ; do
-		includes="${includes}include /etc/nginx/${server}/server.conf;\n"
-	done
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
+if [ "$SWARM_MODE" = "no" ] ; then
+	if [ "$MULTISITE" = "yes" ] ; then
+		includes=""
+		for server in $SERVER_NAME ; do
+			includes="${includes}include /etc/nginx/${server}/server.conf;\n"
+		done
+		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "$includes"
+	else
+		replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
+	fi
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
+	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" ""
 fi
 
 # setup default server block if multisite

entrypoint/permissions-swarm.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# /etc/letsencrypt
+if [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
+	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
+	exit 1
+fi
+
+# /www
+if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
+	echo "[!] ERROR - wrong permissions on /www"
+	exit 2
+fi
+
+# /etc/nginx
+if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
+	echo "[!] ERROR - wrong permissions on /etc/nginx"
+	exit 3
+fi
+
+# /acme-challenge
+if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
+	echo "[!] ERROR - wrong permissions on /acme-challenge"
+	exit 4
+fi

entrypoint/permissions.sh

@@ -2,7 +2,7 @@
 
 # /etc/letsencrypt
 if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
-	echo "[!] ERROR - wrong permissions on /etc/letsencrypt"
+	echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
 	exit 1
 fi