mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
crowdsec - move as external plugin
This commit is contained in:
parent
b926b0db62
commit
82548378ae
7 changed files with 22 additions and 79 deletions
3
.gitmodules
vendored
Normal file
3
.gitmodules
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
[submodule "bunkerized-nginx-crowdsec"]
|
||||
path = examples/crowdsec/bunkerized-nginx-crowdsec
|
||||
url = https://github.com/bunkerity/bunkerized-nginx-crowdsec
|
|
@ -9,7 +9,6 @@ local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}fal
|
|||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
|
@ -31,16 +30,6 @@ if use_referrers then
|
|||
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
||||
end
|
||||
|
||||
if use_crowdsec then
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
error()
|
||||
end
|
||||
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
|
||||
end
|
||||
|
||||
-- Load plugins
|
||||
ngx.shared.plugins_data:safe_set("plugins", nil, 0)
|
||||
local p = io.popen("find /opt/bunkerized-nginx/plugins -maxdepth 1 -type d ! -path /opt/bunkerized-nginx/plugins")
|
||||
|
@ -54,14 +43,24 @@ for dir in p:lines() do
|
|||
ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
|
||||
end
|
||||
file:close()
|
||||
-- store plugin
|
||||
local plugins, flags = ngx.shared.plugins_data:get("plugins")
|
||||
if plugins == nil then
|
||||
ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
|
||||
else
|
||||
ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
|
||||
-- call init
|
||||
local plugin = require(data.id .. "/" .. data.id)
|
||||
local init = true
|
||||
if plugin["init"] ~= nil then
|
||||
init = plugin.init()
|
||||
end
|
||||
-- store plugin
|
||||
if init then
|
||||
local plugins, flags = ngx.shared.plugins_data:get("plugins")
|
||||
if plugins == nil then
|
||||
ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
|
||||
else
|
||||
ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
|
||||
end
|
||||
logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
|
||||
else
|
||||
logger.log(ngx.ERR, "PLUGINS", "init failed for plugin " .. data.name .. "/" .. data.version)
|
||||
end
|
||||
logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
|
||||
else
|
||||
logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
|
||||
end
|
||||
|
|
|
@ -25,9 +25,6 @@ local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% end
|
|||
-- countries
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%}
|
||||
|
@ -238,18 +235,6 @@ if use_dnsbl and not dnsbl.cached() then
|
|||
end
|
||||
end
|
||||
|
||||
-- check if IP is in CrowdSec DB
|
||||
if use_crowdsec then
|
||||
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
end
|
||||
if not ok then
|
||||
logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- cookie check
|
||||
if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("uri") then
|
||||
|
|
1
examples/crowdsec/bunkerized-nginx-crowdsec
Submodule
1
examples/crowdsec/bunkerized-nginx-crowdsec
Submodule
|
@ -0,0 +1 @@
|
|||
Subproject commit 6dadb32c011971789d0cb02ec6cce6ad6dda90c0
|
|
@ -23,6 +23,7 @@ services:
|
|||
volumes:
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./bunkerized-nginx-crowdsec:/plugins/crowdsec # edit plugin.json
|
||||
environment:
|
||||
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
|
||||
- MULTISITE=yes
|
||||
|
@ -31,9 +32,6 @@ services:
|
|||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_CROWDSEC=yes
|
||||
- CROWDSEC_HOST=http://mycrowdsec:8080
|
||||
- CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
|
||||
- app1.example.com_REMOTE_PHP=myapp1
|
||||
- app1.example.com_REMOTE_PHP_PATH=/app
|
||||
- app2.example.com_REMOTE_PHP=myapp2
|
||||
|
|
|
@ -586,17 +586,6 @@ CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make INC_PATH=-I/opt/
|
|||
echo "[*] Install luasec"
|
||||
CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make LUACPATH=/opt/bunkerized-nginx/deps/lib/lua LUAPATH=/opt/bunkerized-nginx/deps/lib/lua install
|
||||
|
||||
# Download and install lua-cs-bouncer
|
||||
echo "[*] Clone crowdsecurity/lua-cs-bouncer"
|
||||
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
|
||||
echo "[*] Install lua-cs-bouncer"
|
||||
if [ ! -d /opt/bunkerized-nginx/deps/lib/lua/crowdsec ] ; then
|
||||
do_and_check_cmd mkdir /opt/bunkerized-nginx/deps/lib/lua/crowdsec
|
||||
fi
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-cs-bouncer/lib/* /opt/bunkerized-nginx/deps/lib/lua/crowdsec
|
||||
do_and_check_cmd sed -i 's/require "lrucache"/require "resty.lrucache"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
|
||||
do_and_check_cmd sed -i 's/require "config"/require "crowdsec.config"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
|
||||
|
||||
# Download and install lua-resty-iputils
|
||||
echo "[*] Clone hamishforbes/lua-resty-iputils"
|
||||
git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
|
||||
|
|
|
@ -493,38 +493,6 @@
|
|||
}
|
||||
]
|
||||
},
|
||||
"CrowdSec": {
|
||||
"id": "use-crowdsec",
|
||||
"params": [
|
||||
{
|
||||
"context": "multisite",
|
||||
"default": "no",
|
||||
"env": "USE_CROWDSEC",
|
||||
"id": "use-crowdsec",
|
||||
"label": "Use crowdsec",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "checkbox"
|
||||
},
|
||||
{
|
||||
"context": "global",
|
||||
"default": "",
|
||||
"env": "CROWDSEC_HOST",
|
||||
"id": "crowdsec-host",
|
||||
"label": "CrowdSec host",
|
||||
"regex": "^(https?://[\\S]+:?\\d*)?$",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
"context": "global",
|
||||
"default": "",
|
||||
"env": "CROWDSEC_KEY",
|
||||
"id": "crowdsec-key",
|
||||
"label": "CrowdSec key",
|
||||
"regex": "^([\\S])*$",
|
||||
"type": "text"
|
||||
}
|
||||
]
|
||||
},
|
||||
"DNSBL": {
|
||||
"id": "dnsbl",
|
||||
"params": [
|
||||
|
|
Loading…
Reference in a new issue