templating - road to full jinja2 templates
This commit is contained in:
parent
c65dda3917
commit
801530baf3
|
@ -0,0 +1,32 @@
|
|||
|
||||
location ~ ^%API_URI%/ping {
|
||||
return 444;
|
||||
}
|
||||
|
||||
location ~ ^%API_URI% {
|
||||
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {{ API_WHITELIST_IP }}
|
||||
local api_uri = "%API_URI%"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
ngx.header.content_type = 'text/plain'
|
||||
if api.do_api_call(api_uri) then
|
||||
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
|
||||
ngx.say("ok")
|
||||
else
|
||||
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
|
||||
ngx.say("ko")
|
||||
end
|
||||
|
||||
ngx.exit(ngx.HTTP_OK)
|
||||
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
{{ API_URI }}
|
||||
{% set API_WHITELIST_IP_value = "" %}
|
||||
{% for element in API_WHITELIST_IP.split(" ") %}
|
||||
{{ element + "toto" }}
|
||||
{% set API_WHITELIST_IP_value = API_WHITELIST_IP_value + '"' + element + '",' %}
|
||||
{% endfor %}
|
||||
{% set API_WHITELIST_IP_value = API_WHITELIST_IP_value[:-1] %}
|
||||
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "%API_URI%"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
ngx.header.content_type = 'text/plain'
|
||||
if api.do_api_call(api_uri) then
|
||||
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
|
||||
ngx.say("ok")
|
||||
else
|
||||
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
|
||||
ngx.say("ko")
|
||||
end
|
||||
|
||||
ngx.exit(ngx.HTTP_OK)
|
||||
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
open_file_cache %CACHE%;
|
||||
open_file_cache_errors %CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %CACHE_USES%;
|
||||
open_file_cache_valid %CACHE_VALID%;
|
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
|
@ -0,0 +1,10 @@
|
|||
geoip2 /etc/nginx/geoip.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default %DEFAULT%;
|
||||
%COUNTRY%
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
init_by_lua_block {
|
||||
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
end
|
||||
|
||||
if use_abusers then
|
||||
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
|
||||
end
|
||||
|
||||
if use_tor_exit_nodes then
|
||||
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
|
||||
end
|
||||
|
||||
if use_user_agents then
|
||||
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
|
||||
end
|
||||
|
||||
if use_referrers then
|
||||
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
||||
end
|
||||
|
||||
if use_crowdsec then
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
error()
|
||||
end
|
||||
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
|
||||
end
|
||||
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
|
||||
ssl_certificate /etc/nginx/default-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/default-key.pem;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
|
@ -0,0 +1,3 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
server {
|
||||
%LISTEN_HTTP%
|
||||
server_name _;
|
||||
%USE_HTTPS%
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
location / {
|
||||
return 444;
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
|
||||
daemon on;
|
||||
|
||||
pid /tmp/nginx-temp.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
server {
|
||||
listen 0.0.0.0:%HTTP_PORT% default_server;
|
||||
server_name _;
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
%USE_API%
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,120 @@
|
|||
# /etc/nginx/nginx.conf
|
||||
|
||||
# load dynamic modules
|
||||
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
||||
|
||||
# run in foreground
|
||||
daemon off;
|
||||
|
||||
# PID file
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
# worker number = CPU core(s)
|
||||
worker_processes auto;
|
||||
|
||||
# faster regexp
|
||||
pcre_jit on;
|
||||
|
||||
# config files for dynamic modules
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections %WORKER_CONNECTIONS%;
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
# zero copy within the kernel
|
||||
sendfile on;
|
||||
|
||||
# send packets only if filled
|
||||
tcp_nopush on;
|
||||
|
||||
# remove 200ms delay
|
||||
tcp_nodelay on;
|
||||
|
||||
# load mime types and set default one
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
access_log /var/log/access.log logf;
|
||||
error_log /var/log/error.log %LOG_LEVEL%;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
# close connections in FIN_WAIT1 state
|
||||
reset_timedout_connection on;
|
||||
|
||||
# timeouts
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
# resolvers to use
|
||||
resolver %DNS_RESOLVERS% ipv6=off;
|
||||
|
||||
# remove ports when sending redirects
|
||||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%WHITELIST_IP_CACHE%
|
||||
%WHITELIST_REVERSE_CACHE%
|
||||
%BLACKLIST_IP_CACHE%
|
||||
%BLACKLIST_REVERSE_CACHE%
|
||||
%DNSBL_CACHE%
|
||||
%BLOCK_PROXIES%
|
||||
%BLOCK_ABUSERS%
|
||||
%BLOCK_TOR_EXIT_NODES%
|
||||
%BLOCK_USER_AGENTS%
|
||||
%BLOCK_REFERRERS%
|
||||
%BAD_BEHAVIOR%
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
%LIMIT_CONN_ZONE%
|
||||
|
||||
# whitelist or blacklist country
|
||||
%USE_COUNTRY%
|
||||
|
||||
# zone for proxy_cache
|
||||
%PROXY_CACHE_PATH%
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
|
||||
# LUA init block
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
%MULTISITE_DEFAULT_SERVER%
|
||||
|
||||
# server config(s)
|
||||
%INCLUDE_SERVER%
|
||||
|
||||
# API
|
||||
%USE_API%
|
||||
}
|
|
@ -0,0 +1,46 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local captcha = require "captcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local img, res = captcha.get_challenge()
|
||||
cookie.set({captchares = res})
|
||||
local code = captcha.get_code(img, "%ANTIBOT_URI%")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
access_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local captcha = require "captcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("captchares") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["captcha"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local captcha_user = args["captcha"]
|
||||
local check = captcha.check(captcha_user, cookie.get("captchares"))
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.redirect("%ANTIBOT_URI%")
|
||||
end
|
||||
cookie.set({captcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,45 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("challenge") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = cookie.get("challenge")
|
||||
local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("challenge") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["challenge"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = args["challenge"]
|
||||
local check = javascript.check(cookie.get("challenge"), challenge)
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
cookie.set({javascript = "ok"})
|
||||
return ngx.exit(ngx.OK)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local recaptcha = require "recaptcha"
|
||||
local loggger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
access_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local recaptcha = require "recaptcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["token"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local token = args["token"]
|
||||
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
|
||||
if check < %ANTIBOT_RECAPTCHA_SCORE% then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
cookie.set({recaptcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
|
@ -0,0 +1,4 @@
|
|||
location %AUTH_BASIC_LOCATION% {
|
||||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
brotli on;
|
||||
brotli_types %BROTLI_TYPES%;
|
||||
brotli_comp_level %BROTLI_COMP_LEVEL%;
|
||||
brotli_min_length %BROTLI_MIN_LENGTH%;
|
|
@ -0,0 +1,6 @@
|
|||
etag %CLIENT_CACHE_ETAG%;
|
||||
set $cache "";
|
||||
if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
|
||||
set $cache "%CLIENT_CACHE_CONTROL%";
|
||||
}
|
||||
add_header Cache-Control $cache;
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
|
|
@ -0,0 +1 @@
|
|||
set_cookie_flag %COOKIE_FLAGS%;
|
|
@ -0,0 +1,7 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CUSTOM_CERT%;
|
||||
ssl_certificate_key %HTTPS_CUSTOM_KEY%;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
|
@ -0,0 +1,3 @@
|
|||
if ($host !~ ^(%SERVER_NAME%)$) {
|
||||
return 444;
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
error_page %CODE% %PAGE%;
|
||||
|
||||
location = %PAGE% {
|
||||
root %ROOT_FOLDER%;
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "Feature-Policy: %FEATURE_POLICY%";
|
|
@ -0,0 +1,4 @@
|
|||
gzip on;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_types %GZIP_TYPES%;
|
|
@ -0,0 +1,12 @@
|
|||
listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
|
@ -0,0 +1,3 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
limit_conn ddos %LIMIT_CONN_MAX%;
|
|
@ -0,0 +1,3 @@
|
|||
limit_req_status 429;
|
||||
limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
log_by_lua_block {
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {{ BAD_BEHAVIOR_STATUS_CODES }}
|
||||
local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
|
||||
local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
|
||||
local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
|
||||
|
||||
if use_bad_behavior then
|
||||
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
|
||||
end
|
||||
|
||||
}
|
|
@ -0,0 +1,298 @@
|
|||
set $session_secret %ANTIBOT_SESSION_SECRET%;
|
||||
set $session_check_addr on;
|
||||
|
||||
access_by_lua_block {
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = %USE_LETS_ENCRYPT%
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
|
||||
-- countries
|
||||
local use_country = %USE_COUNTRY%
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = {{ DNS_RESOLVERS }}
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local whitelist_ip_list = {{ WHITELIST_IP_LIST }}
|
||||
local whitelist_reverse_list = {{ WHITELIST_REVERSE_LIST }}
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local blacklist_ip_list = {{ BLACKLIST_IP_LIST }}
|
||||
local blacklist_reverse_list = {{ BLACKLIST_REVERSE_LIST }}
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local dnsbl_list = {{ DNSBL_LIST }}
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
local blacklist = require "blacklist"
|
||||
local dnsbl = require "dnsbl"
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local captcha = require "captcha"
|
||||
local recaptcha = require "recaptcha"
|
||||
local iputils = require "resty.iputils"
|
||||
local behavior = require "behavior"
|
||||
local logger = require "logger"
|
||||
|
||||
-- user variables
|
||||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
local whitelist_user_agent = {{ WHITELIST_USER_AGENT }}
|
||||
local whitelist_uri = {{ WHITELIST_URI }}
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
if use_whitelist_reverse and whitelist.reverse_cached_ok() then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
|
||||
-- check if already in blacklist cache
|
||||
if use_blacklist_ip and blacklist.ip_cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
if use_blacklist_reverse and blacklist.reverse_cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if already in dnsbl cache
|
||||
if use_dnsbl and dnsbl.cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is whitelisted (only if not in cache)
|
||||
if use_whitelist_ip and not whitelist.ip_cached() then
|
||||
if whitelist.check_ip(whitelist_ip_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is whitelisted (only if not in cache)
|
||||
if use_whitelist_reverse and not whitelist.reverse_cached() then
|
||||
if whitelist.check_reverse(whitelist_reverse_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if URI is whitelisted
|
||||
for k, v in pairs(whitelist_uri) do
|
||||
if ngx.var.request_uri == v then
|
||||
logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if it's certbot
|
||||
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
|
||||
logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
|
||||
-- check if IP is blacklisted (only if not in cache)
|
||||
if use_blacklist_ip and not blacklist.ip_cached() then
|
||||
if blacklist.check_ip(blacklist_ip_list) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is blacklisted (only if not in cache)
|
||||
if use_blacklist_reverse and not blacklist.reverse_cached() then
|
||||
if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is banned because of "bad behavior"
|
||||
if use_bad_behavior and behavior.is_banned() then
|
||||
logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is in proxies list
|
||||
if use_proxies then
|
||||
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in abusers list
|
||||
if use_abusers then
|
||||
local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in TOR exit nodes list
|
||||
if use_tor_exit_nodes then
|
||||
local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if user-agent is allowed
|
||||
if use_user_agents and ngx.var.http_user_agent ~= nil then
|
||||
local whitelisted = false
|
||||
for k, v in pairs(whitelist_user_agent) do
|
||||
if string.match(ngx.var.http_user_agent, v) then
|
||||
logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
|
||||
whitelisted = true
|
||||
break
|
||||
end
|
||||
end
|
||||
if not whitelisted then
|
||||
local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
|
||||
if value == nil then
|
||||
local patterns = ngx.shared.user_agents_data:get_keys(0)
|
||||
for i, pattern in ipairs(patterns) do
|
||||
if string.match(ngx.var.http_user_agent, pattern) then
|
||||
value = "ko"
|
||||
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
|
||||
break
|
||||
end
|
||||
end
|
||||
if value == nil then
|
||||
value = "ok"
|
||||
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
|
||||
end
|
||||
end
|
||||
if value == "ko" then
|
||||
logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- check if referrer is allowed
|
||||
if use_referrer and ngx.var.http_referer ~= nil then
|
||||
local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
|
||||
if value == nil then
|
||||
local patterns = ngx.shared.referrers_data:get_keys(0)
|
||||
for i, pattern in ipairs(patterns) do
|
||||
if string.match(ngx.var.http_referer, pattern) then
|
||||
value = "ko"
|
||||
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
|
||||
break
|
||||
end
|
||||
end
|
||||
if value == nil then
|
||||
value = "ok"
|
||||
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
|
||||
end
|
||||
end
|
||||
if value == "ko" then
|
||||
logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if country is allowed
|
||||
if use_country and ngx.var.allowed_country == "no" then
|
||||
logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is in DNSBLs (only if not in cache)
|
||||
if use_dnsbl and not dnsbl.cached() then
|
||||
if dnsbl.check(dnsbl_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in CrowdSec DB
|
||||
if use_crowdsec then
|
||||
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
end
|
||||
if not ok then
|
||||
logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- cookie check
|
||||
if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("uri") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
else
|
||||
if ngx.var.request_uri == antibot_uri then
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- javascript check
|
||||
if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("javascript") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- captcha check
|
||||
if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("captcha") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- recaptcha check
|
||||
if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("recaptcha") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
|
||||
}
|
||||
|
||||
%INCLUDE_ANTIBOT_JAVASCRIPT%
|
||||
|
||||
%INCLUDE_ANTIBOT_CAPTCHA%
|
||||
|
||||
%INCLUDE_ANTIBOT_RECAPTCHA%
|
|
@ -0,0 +1,4 @@
|
|||
SecUploadDir /tmp
|
||||
SecUploadKeepFiles On
|
||||
SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
|
||||
"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"
|
|
@ -0,0 +1,65 @@
|
|||
# process rules with disruptive actions
|
||||
SecRuleEngine On
|
||||
|
||||
# allow body checks
|
||||
SecRequestBodyAccess On
|
||||
|
||||
# enable XML parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
|
||||
# enable JSON parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
||||
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||||
|
||||
# maximum data size
|
||||
SecRequestBodyLimit 13107200
|
||||
SecRequestBodyNoFilesLimit 131072
|
||||
|
||||
# reject requests if bigger than max data size
|
||||
SecRequestBodyLimitAction Reject
|
||||
|
||||
# reject if we can't process the body
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
|
||||
# be strict with multipart/form-data body
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
||||
msg:'Multipart request body failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
|
||||
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# enable response body checks
|
||||
SecResponseBodyAccess On
|
||||
SecResponseBodyMimeType text/plain text/html text/xml application/json
|
||||
SecResponseBodyLimit 524288
|
||||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# scan uploaded files with clamv
|
||||
%USE_CLAMAV_UPLOAD%
|
||||
|
||||
# include OWASP CRS rules
|
||||
%MODSECURITY_INCLUDE_CRS%
|
||||
%MODSECURITY_INCLUDE_CUSTOM_CRS%
|
||||
%MODSECURITY_INCLUDE_CRS_RULES%
|
||||
|
||||
# include custom rules
|
||||
%MODSECURITY_INCLUDE_CUSTOM_RULES%
|
|
@ -0,0 +1,2 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file %MODSEC_RULES_FILE%;
|
|
@ -0,0 +1,4 @@
|
|||
open_file_cache %OPEN_FILE_CACHE%;
|
||||
open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
|
||||
open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
|
|
@ -0,0 +1,4 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass %REMOTE_PHP%:9000;
|
||||
fastcgi_index index.php;
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
proxy_cache proxycache;
|
||||
proxy_cache_methods %PROXY_CACHE_METHODS%;
|
||||
proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
|
||||
proxy_cache_key %PROXY_CACHE_KEY%;
|
||||
proxy_no_cache %PROXY_NO_CACHE%;
|
||||
proxy_cache_bypass %PROXY_CACHE_BYPASS%;
|
||||
%PROXY_CACHE_VALID%
|
|
@ -0,0 +1,4 @@
|
|||
%PROXY_REAL_IP_FROM%
|
||||
real_ip_header %PROXY_REAL_IP_HEADER%;
|
||||
real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
if ($scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
|
|
@ -0,0 +1,6 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
@ -0,0 +1,7 @@
|
|||
location %REVERSE_PROXY_URL% {
|
||||
etag off;
|
||||
proxy_pass %REVERSE_PROXY_HOST%;
|
||||
%REVERSE_PROXY_HEADERS%
|
||||
%REVERSE_PROXY_WS%
|
||||
%REVERSE_PROXY_CUSTOM_HEADERS%
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
root %ROOT_FOLDER%;
|
||||
index index.html index.php;
|
||||
try_files $uri $uri/ =404;
|
|
@ -0,0 +1,41 @@
|
|||
%PRE_SERVER_CONF%
|
||||
|
||||
server {
|
||||
%FASTCGI_PATH%
|
||||
%SERVER_CONF%
|
||||
%PROXY_REAL_IP%
|
||||
%INCLUDE_LUA%
|
||||
%USE_MODSECURITY%
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
server_name %SERVER_NAME%;
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
%SERVE_FILES%
|
||||
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
|
||||
{
|
||||
return 405;
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%LIMIT_CONN%
|
||||
%AUTH_BASIC%
|
||||
%REMOVE_HEADERS%
|
||||
%X_FRAME_OPTIONS%
|
||||
%X_XSS_PROTECTION%
|
||||
%X_CONTENT_TYPE_OPTIONS%
|
||||
%CONTENT_SECURITY_POLICY%
|
||||
%REFERRER_POLICY%
|
||||
%FEATURE_POLICY%
|
||||
%PERMISSIONS_POLICY%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
%USE_CLIENT_CACHE%
|
||||
%USE_GZIP%
|
||||
%USE_BROTLI%
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
%USE_OPEN_FILE_CACHE%
|
||||
%USE_PROXY_CACHE%
|
||||
%USE_REVERSE_PROXY%
|
||||
%USE_PHP%
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
|
|
@ -1,6 +1,6 @@
|
|||
import json, re
|
||||
|
||||
class Settings :
|
||||
class Configurator :
|
||||
|
||||
def __init__(self) :
|
||||
self.__settings = {}
|
|
@ -1,6 +1,6 @@
|
|||
import jinja2, glob, os, pathlib
|
||||
import jinja2, glob, os, pathlib, copy
|
||||
|
||||
class Templates :
|
||||
class Templator :
|
||||
|
||||
def __init__(self, config, input_path) :
|
||||
self.__config = config
|
||||
|
@ -14,11 +14,14 @@ class Templates :
|
|||
return self.__render("site", output_path, server_name)
|
||||
|
||||
def __render(self, type, output_path, server_name=None) :
|
||||
real_config = copy.deepcopy(self.__config)
|
||||
if server_name != None :
|
||||
real_config["SERVER_NAME"] = server_name
|
||||
for filename in glob.iglob(self.__input_path + "/" + type + "**/**", recursive=True) :
|
||||
if os.path.isfile(filename) :
|
||||
relative_filename = filename.replace(self.__input_path, "").replace(type + "/", "")
|
||||
template = self.__template_env.get_template(type + "/" + relative_filename)
|
||||
output = template.render(self.__config)
|
||||
output = template.render(real_config)
|
||||
if "/" in relative_filename :
|
||||
directory = relative_filename.replace(relative_filename.split("/")[-1], "")
|
||||
pathlib.Path(output_path + "/" + directory).mkdir(parents=True, exist_ok=True)
|
75
gen/main.py
75
gen/main.py
|
@ -1,18 +1,67 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
from Settings import Settings
|
||||
from Templates import Templates
|
||||
import argparse, os, sys
|
||||
|
||||
import utils
|
||||
from Configurator import Configurator
|
||||
from Templator import Templator
|
||||
|
||||
if __name__ == "__main__" :
|
||||
|
||||
my_settings = Settings()
|
||||
my_settings.load_settings("../settings.json")
|
||||
variables = {}
|
||||
variables["MULTISITE"] = "yes"
|
||||
variables["BLOCK_PROXIES"] = "no"
|
||||
variables["omg"] = "lol"
|
||||
variables["www.toto.com_BLOCK_PROXIES"] = "yes"
|
||||
my_settings.load_variables(variables)
|
||||
print(my_settings.get_config())
|
||||
my_templates = Templates(my_settings.get_config(), "/tmp/input")
|
||||
my_templates.render_global("/tmp/output")
|
||||
# Parse arguments
|
||||
parser = argparse.ArgumentParser(description="bunkerized-nginx config generator v1.0")
|
||||
parser.add_argument("--settings", default="/opt/settings.json", type=str, help="path to the files containing the default settings")
|
||||
parser.add_argument("--templates", default="/opt/confs", type=str, help="directory containing the templates files")
|
||||
parser.add_argument("--output", default="/etc/nginx", type=str, help="where to write the rendered files")
|
||||
parser.add_argument("--variables", default="/opt/variables.env", type=str, help="path to the file containing environment variables")
|
||||
args = parser.parse_args()
|
||||
|
||||
# Check existences and permissions
|
||||
if not os.path.exists(args.settings) :
|
||||
print("[!] Missing settings file : " + args.settings)
|
||||
sys.exit(1)
|
||||
if not os.access(args.settings, os.R_OK) :
|
||||
print("[!] Can't read settings file : " + args.settings)
|
||||
sys.exit(2)
|
||||
if not os.path.isdir(args.templates) :
|
||||
print("[!] Missing templates directory : " + args.templates)
|
||||
sys.exit(1)
|
||||
if not os.access(args.templates, os.R_OK | os.X_OK) :
|
||||
print("[!] Can't read the templates directory : " + args.templates)
|
||||
sys.exit(2)
|
||||
if not os.path.isdir(args.output) :
|
||||
print("[!] Missing output directory : " + args.output)
|
||||
sys.exit(1)
|
||||
if not os.access(args.output, os.W_OK | os.X_OK) :
|
||||
print("[!] Can't write to the templates directory : " + args.output)
|
||||
sys.exit(2)
|
||||
if not os.path.exists(args.variables) :
|
||||
print("[!] Missing variables file : " + args.variables)
|
||||
sys.exit(1)
|
||||
if not os.access(args.variables, os.R_OK) :
|
||||
print("[!] Can't read variables file : " + args.variables)
|
||||
sys.exit(2)
|
||||
|
||||
# Compute the final config
|
||||
configurator = Configurator()
|
||||
configurator.load_settings(args.settings)
|
||||
variables = utils.load_variables(args.variables)
|
||||
configurator.load_variables(variables)
|
||||
config = configurator.get_config()
|
||||
print(config)
|
||||
|
||||
# Generate the files from templates and config
|
||||
templator = Templator(config, args.templates)
|
||||
templator.render_global(args.output)
|
||||
if config["MULTISITE"] == "no" :
|
||||
templator.render_site(args.output, config["SERVER_NAME"])
|
||||
else :
|
||||
for server_name in config["SERVER_NAME"].split(" ") :
|
||||
real_server_name = server_name
|
||||
if server_name + "_SERVER_NAME" in variables :
|
||||
real_server_name = variables[server_name + "_SERVER_NAME"]
|
||||
templator.render_site(args.output, real_server_name)
|
||||
|
||||
# We're done
|
||||
print("[*] Generation done !")
|
||||
sys.exit(0)
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
./main.py --settings /opt/work/bunkerized-nginx/settings.json --templates /opt/work/bunkerized-nginx/confs2 --output /tmp/debug --variables /tmp/variables.env
|
|
@ -0,0 +1,10 @@
|
|||
def load_variables(path) :
|
||||
variables = {}
|
||||
with open(path) as f :
|
||||
lines = f.read().splitlines()
|
||||
for line in lines :
|
||||
var = line.split("=")[0]
|
||||
value = line[len(var)+1:]
|
||||
variables[var] = value
|
||||
return variables
|
||||
|
Loading…
Reference in New Issue