fixed some fedora bugs, support LOCAL_PHP and LOCAL_PHP_PATH and sample variables.env

confs/global/nginx.conf

@@ -6,7 +6,7 @@ load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
-load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
+#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 

confs/site/fastcgi.conf

@@ -1,4 +1,10 @@
+{% if REMOTE_PHP != "" +%}
 fastcgi_param  SCRIPT_FILENAME    {{ REMOTE_PHP_PATH }}/$fastcgi_script_name;
+{% elif LOCAL_PHP != "" +%}
+fastcgi_param  SCRIPT_FILENAME    {{ LOCAL_PHP_PATH }}/$fastcgi_script_name;
+{% else +%}
+fastcgi_param  SCRIPT_FILENAME    $fastcgi_script_name;
+{% endif %}
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;

confs/site/php.conf

@@ -1,4 +1,8 @@
 location ~ \.php$ {
-	fastcgi_pass      {{ REMOTE_PHP }}:9000;
-	fastcgi_index     index.php;
+{% if REMOTE_PHP != "" +%}
+	fastcgi_pass	{{ REMOTE_PHP }}:9000;
+{% elif LOCAL_PHP != "" +%}
+	fastcgi_pass	unix:{{ LOCAL_PHP }};
+{% endif %}
+	fastcgi_index	index.php;
 }

confs/site/server.conf

@@ -7,7 +7,7 @@ include /opt/bunkerized-nginx/pre-server-confs/{{ FIRST_SERVER }}/*.conf;
 server {
 
 	# FastCGI variables
-{% if REMOTE_PHP != "" +%}
+{% if REMOTE_PHP != "" or LOCAL_PHP != "" +%}
 	include {{ NGINX_PREFIX }}fastcgi.conf;
 {% endif %}
 
@@ -181,7 +181,7 @@ server {
 {% endif %}
 
 	# remote PHP
-{% if REMOTE_PHP != "" +%}
+{% if REMOTE_PHP != "" or LOCAL_PHP != "" +%}
 	include {{ NGINX_PREFIX }}php.conf;
 {% endif %}
 

helpers/install.sh

@@ -373,7 +373,7 @@ elif [ "$OS" = "centos" ] ; then
 	CENTOS_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg"
 	do_and_check_cmd yum install -y $CENTOS_DEPS
 elif [ "$OS" = "fedora" ] ; then
-	FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg libxslt-devel"
+	FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make lua-devel gd-devel lua openssl-devel wget brotli-devel gnupg libxslt-devel perl-ExtUtils-Embed gperftools-devel"
 	do_and_check_cmd dnf install -y $FEDORA_DEPS
 elif [ "$OS" = "alpine" ] ; then
 	ALPINE_DEPS="git build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev"
@@ -574,6 +574,7 @@ echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerized-nginx/ModSecuri
 do_and_check_cmd chmod +x "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" LUAJIT_LIB="/opt/bunkerized-nginx/deps/lib -Wl,-rpath,/opt/bunkerized-nginx/deps/lib" LUAJIT_INC="/opt/bunkerized-nginx/deps/include/luajit-2.1" MODSECURITY_LIB="/opt/bunkerized-nginx/deps/lib" MODSECURITY_INC="/opt/bunkerized-nginx/deps/include" do_and_check_cmd ./configure-fix.sh
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd make -j $NTASK modules
+# TODO : move modules to /opt/bunkerized-nginx/modules
 if [ ! -d "/usr/lib/nginx/modules" ] ; then
 	do_and_check_cmd mkdir -p /usr/lib/nginx/modules
 fi
@@ -603,8 +604,10 @@ elif [ "$OS" = "centos" ] ; then
 	CENTOS_DEPS="git crontabs curl python3 python3-pip procps"
 	do_and_check_cmd yum install -y $CENTOS_DEPS
 elif [ "$OS" = "fedora" ] ; then
-	FEDORA_DEPS="git crontabs curl python3 python3-pip procps"
+	FEDORA_DEPS="git crontabs curl python3 python3-pip procps nginx-mod-stream"
 	do_and_check_cmd dnf install -y $FEDORA_DEPS
+	# Temp fix
+	do_and_check_cmd cp /usr/lib64/nginx/modules/ngx_stream_module.so /usr/lib/nginx/modules/ngx_stream_module.so
 elif [ "$OS" = "alpine" ] ; then
 	ALPINE_DEPS="certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip git"
 	do_and_check_cmd apk add --no-cache $ALPINE_DEPS
@@ -658,6 +661,10 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/defaults /opt/bunkerized-nginx
 echo "[*] Copy settings"
 do_and_check_cmd cp /tmp/bunkerized-nginx/settings.json /opt/bunkerized-nginx
 
+# Copy sample variables.env
+echo "[*] Copy sample variables.env"
+do_and_check_cmd cp /tmp/bunkerized-nginx/misc/variables.env /opt/bunkerized-nginx
+
 # Copy UI
 if [ "$OS" != "alpine" ] ; then
 	echo "[*] Copy UI"

misc/set2conf.py

@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import json
+
+with open("settings.json") as f :
+	data = json.loads(f.read())
+
+output = ""
+for cat in data :
+	output += "# " + cat + "\n"
+	for param in data[cat]["params"] :
+		if param["type"] == "multiple" :
+			params = param["params"]
+		else :
+			params = [param]
+		for true_param in params :
+			output += "#" + true_param["env"] + "=" + true_param["default"] + "\n"
+	output += "\n"
+print(output)

misc/variables.env

@@ -0,0 +1,185 @@
+# List of environment variables for bunkerized-nginx.
+# Manual : https://bunkerized-nginx.readthedocs.io/en/latest/
+
+# Antibot
+#USE_ANTIBOT=no
+#ANTIBOT_URI=/challenge
+#ANTIBOT_SESSION_SECRET=random
+#ANTIBOT_RECAPTCHA_SITEKEY=
+#ANTIBOT_RECAPTCHA_SECRET=
+#ANTIBOT_RECAPTCHA_SCORE=0.7
+
+# Authelia
+#USE_AUTHELIA=no
+#AUTHELIA_BACKEND=
+#AUTHELIA_UPSTREAM=
+#AUTHELIA_MODE=portal
+
+# Basic auth
+#USE_AUTH_BASIC=no
+#AUTH_BASIC_LOCATION=sitewide
+#AUTH_BASIC_USER=changeme
+#AUTH_BASIC_PASSWORD=changeme
+#AUTH_BASIC_TEXT=Restricted area
+
+# Blacklist
+#USE_BLACKLIST_IP=yes
+#BLACKLIST_IP_LIST=
+#USE_BLACKLIST_REVERSE=yes
+#BLACKLIST_REVERSE_LIST=.shodan.io
+#BLACKLIST_COUNTRY=
+
+# Block
+#BLOCK_USER_AGENT=yes
+#BLOCK_TOR_EXIT_NODE=yes
+#BLOCK_PROXIES=yes
+#BLOCK_ABUSERS=yes
+#BLOCK_REFERRER=yes
+
+# Cache
+#USE_CLIENT_CACHE=no
+#CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
+#CLIENT_CACHE_CONTROL=public, max-age=15552000
+#CLIENT_CACHE_ETAG=on
+#USE_OPEN_FILE_CACHE=no
+#OPEN_FILE_CACHE=max=1000 inactive=20s
+#OPEN_FILE_CACHE_ERRORS=on
+#OPEN_FILE_CACHE_MIN_USES=2
+#OPEN_FILE_CACHE_VALID=30s
+#USE_PROXY_CACHE=no
+#PROXY_CACHE_PATH_ZONE_SIZE=10m
+#PROXY_CACHE_PATH_PARAMS=max_size=100m
+#PROXY_CACHE_METHODS=GET HEAD
+#PROXY_CACHE_MIN_USES=2
+#PROXY_CACHE_KEY=\$scheme\$host\$request_uri
+#PROXY_CACHE_VALID=200=10m 301=10m 302=1h
+#PROXY_NO_CACHE=\$http_authorization
+#PROXY_CACHE_BYPASS=\$http_authorization
+
+# Compression
+#USE_GZIP=no
+#GZIP_COMP_LEVEL=5
+#GZIP_MIN_LENGTH=1000
+#GZIP_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
+#USE_BROTLI=no
+#BROTLI_COMP_LEVEL=6
+#BROTLI_MIN_LENGTH=1000
+#BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
+
+# CrowdSec
+#USE_CROWDSEC=no
+#CROWDSEC_HOST=
+#CROWDSEC_KEY=
+
+# DNSBL
+#USE_DNSBL=yes
+#DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
+
+# HTTPS
+#AUTO_LETS_ENCRYPT=no
+#EMAIL_LETS_ENCRYPT=
+#REDIRECT_HTTP_TO_HTTPS=no
+#HTTP2=yes
+#HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
+#LISTEN_HTTP=yes
+#USE_CUSTOM_HTTPS=no
+#CUSTOM_HTTPS_CERT=
+#CUSTOM_HTTPS_KEY=
+#GENERATE_SELF_SIGNED_SSL=no
+#SELF_SIGNED_SSL_EXPIRY=365
+#SELF_SIGNED_SSL_COUNTRY=CH
+#SELF_SIGNED_SSL_STATE=Switzerland
+#SELF_SIGNED_SSL_CITY=Bern
+#SELF_SIGNED_SSL_OU=IT
+#SELF_SIGNED_SSL_ORG=Acme Inc
+#SELF_SIGNED_SSL_CN=bunkerized
+
+# Headers
+#X_FRAME_OPTIONS=DENY
+#X_XSS_PROTECTION=1; mode=block
+#X_CONTENT_TYPE_OPTIONS=nosniff
+#REFERRER_POLICY=no-referrer
+#FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
+#PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()
+#COOKIE_FLAGS=* HttpOnly SameSite=Lax
+#COOKIE_AUTO_SECURE_FLAG=yes
+#STRICT_TRANSPORT_SECURITY=max-age=31536000
+#CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
+
+# Info leak
+#REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version
+#DISABLE_DEFAULT_SERVER=no
+#ERRORS=
+
+# Limit conn
+#USE_LIMIT_CONN=yes
+#LIMIT_CONN_MAX=50
+#LIMIT_CONN_CACHE=10m
+
+# Limit req
+#USE_LIMIT_REQ=yes
+#LIMIT_REQ_RATE=1r/s
+#LIMIT_REQ_BURST=2
+#LIMIT_REQ_CACHE=10m
+
+# Misc
+#SERVER_NAME=www.bunkerity.com
+#MAX_CLIENT_SIZE=10m
+#ALLOWED_METHODS=GET|POST|HEAD
+#SERVE_FILES=yes
+#INJECT_BODY=
+
+# ModSecurity
+#USE_MODSECURITY=yes
+#USE_MODSECURITY_CRS=yes
+#MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly
+
+# PHP
+#REMOTE_PHP=
+#REMOTE_PHP_PATH=/app
+
+# Reverse proxy
+#USE_REVERSE_PROXY=no
+#REVERSE_PROXY_URL=
+#REVERSE_PROXY_HOST=
+#REVERSE_PROXY_WS=no
+#REVERSE_PROXY_HEADERS=
+#PROXY_REAL_IP=no
+#PROXY_REAL_IP_FROM=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+#PROXY_REAL_IP_HEADER=X-Forwarded-For
+#PROXY_REAL_IP_RECURSIVE=on
+
+# Bad behavior
+#USE_BAD_BEHAVIOR=yes
+#BAD_BEHAVIOR_BAN_TIME=86400
+#BAD_BEHAVIOR_COUNT_TIME=60
+#BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
+#BAD_BEHAVIOR_THRESHOLD=10
+
+# API
+#USE_API=no
+#API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+#API_URI=random
+#SWARM_MODE=no
+
+# nginx
+#MULTISITE=no
+#DNS_RESOLVERS=127.0.0.11
+#LOG_FORMAT=$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
+#LOG_LEVEL=info
+#ROOT_FOLDER=/opt/bunkerized-nginx/www
+#ROOT_SITE_SUBFOLDER=
+#SERVER_TOKENS=off
+#HTTP_PORT=8080
+#HTTPS_PORT=8443
+#WORKER_RLIMIT_NOFILE=2048
+#WORKER_CONNECTIONS=1024
+
+# Whitelist
+#USE_WHITELIST_IP=yes
+#WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
+#USE_WHITELIST_REVERSE=yes
+#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
+#WHITELIST_COUNTRY=
+#WHITELIST_USER_AGENT=
+#WHITELIST_URI=

settings.json

@@ -911,7 +911,7 @@
         "params": [
             {
                 "context": "multisite",
-                "default": "www.bunkerity.com",
+                "default": "www.example.com",
                 "env": "SERVER_NAME",
                 "id": "server-name",
                 "label": "Server name",