Reduce memory usage : set cron tasks at different hours.

thelittlefireman 2021-03-03 13:02:56 +01:00
parent d5d699252c
commit 92cc705b92
3 changed files with 83 additions and 13 deletions


@ -700,6 +700,12 @@ Context : *global*, *multisite*
If set to yes, automatic certificate generation and renewal will be setup through Let's Encrypt. This will enable HTTPS on your website for free.
You will need to redirect the 80 port to 8080 port inside container and also set the `SERVER_NAME` environment variable.
`AUTO_LETS_ENCRYPT_CRON`
Values : *\<cron expression\>*
Default value : 0 2 * * *
Context : *global*
Cron expression of how often lets encrypt is asking for being renewed.
`EMAIL_LETS_ENCRYPT`
Values : *contact@yourdomain.com*
Default value : *contact@yourdomain.com*
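Review bot: The new `Default value : 0 2 * * *` line for `AUTO_LETS_ENCRYPT_CRON` is not marked up as code, so a reader cannot easily tell where the expression starts and ends. Wrap the expression in backticks, and reword the description to something like "Cron expression controlling when certificate renewal is attempted"; the current sentence is hard to parse.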
@ -947,11 +953,17 @@ The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
`BLOCK_USER_AGENT`
Values : *yes* | *no*
Default value : *yes*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, block clients with "bad" user agent.
Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt).
`BLOCK_USER_AGENT_CRON`
Values : *\<cron expression\>*
Default value : 5 0 * * * *
Context : *global*
Cron expression of how often blocklist user agent is updated.
`BLOCK_TOR_EXIT_NODE`
Values : *yes* | *no*
Default value : *yes*
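Review bot: The documented default for `BLOCK_USER_AGENT_CRON`, `5 0 * * * *`, has six fields, but the defaults file in this same commit sets `5 0 * * *`, and the entrypoint writes the value directly in front of the command in `/etc/crontabs/root`, where five time fields are expected. Anyone copying the documented value would push a stray `*` into the command position. Change it to `5 0 * * *`. Separately, the `Default value : *yes*` line of `BLOCK_USER_AGENT` is removed and re-added with no visible difference, which looks like a whitespace-only change that can be dropped from this commit.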
@ -959,6 +971,12 @@ Context : *global*, *multisite*
Is set to yes, will block known TOR exit nodes.
Blacklist can be found [here](https://iplists.firehol.org/?ipset=tor_exits).
`BLOCK_TOR_EXIT_NODE_CRON`
Values : *\<cron expression\>*
Default value : 15 0 * * * *
Context : *global*
Cron expression of how often blocklist tor exit node is updated.
`BLOCK_PROXIES`
Values : *yes* | *no*
Default value : *yes*
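Review bot: The documented default `15 0 * * * *` for `BLOCK_TOR_EXIT_NODE_CRON` disagrees with the code in two ways: it has six fields, and it puts `0` in the hour field, whereas the defaults file sets `15 * * * *` (hourly, in line with the previous hard-coded `0 * * * *`). Document `15 * * * *` so readers do not assume the exit-node list is refreshed only once a day.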
@ -966,6 +984,12 @@ Context : *global*, *multisite*
Is set to yes, will block known proxies.
Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_proxies).
`BLOCK_PROXIES_CRON`
Values : *\<cron expression\>*
Default value : 20 0 * * * *
Context : *global*
Cron expression of how often blocklist proxies is updated.
`BLOCK_ABUSERS`
Values : *yes* | *no*
Default value : *yes*
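Review bot: `Default value : 20 0 * * * *` for `BLOCK_PROXIES_CRON` has six fields while the defaults file uses `20 0 * * *`. Drop the trailing `*` so the documentation matches the value that actually ends up in the crontab.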
@ -973,6 +997,12 @@ Context : *global*, *multisite*
Is set to yes, will block known abusers.
Blacklist can be found [here](https://iplists.firehol.org/?ipset=firehol_abusers_30d).
`BLOCK_ABUSERS_CRON`
Values : *\<cron expression\>*
Default value : 30 0 * * * *
Context : *global*
Cron expression of how often blocklist abusers is updated.
`BLOCK_REFERRER`
Values : *yes* | *no*
Default value : *yes*
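Review bot: `Default value : 30 0 * * * *` for `BLOCK_ABUSERS_CRON` carries one field too many compared with the `30 0 * * *` set in the defaults file. Correct it to five fields.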
@ -980,6 +1010,12 @@ Context : *global*, *multisite*
Is set to yes, will block known bad referrer header.
Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list).
`BLOCK_REFERRER_CRON`
Values : *\<cron expression\>*
Default value : 10 0 * * * *
Context : *global*
Cron expression of how often blocklist referrer is updated.
### DNSBL
`USE_DNSBL`
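Review bot: `Default value : 10 0 * * * *` for `BLOCK_REFERRER_CRON` should read `10 0 * * *` to match the defaults file. The description "how often blocklist referrer is updated" would also read better as "when the bad-referrer blocklist is updated", since the expression sets a time of day rather than a frequency.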
@ -1107,6 +1143,12 @@ Default value :
Context : *global*, *multisite*
Only allow specific countries accessing your website. Use 2 letters country code separated with space.
`GEOIP_CRON`
Values : *\<cron expression\>*
Default value : 30 2 2 * *
Context : *global*
Cron expression of how often geoip will update its database.
## PHP
`REMOTE_PHP`
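Review bot: The `GEOIP_CRON` entry does not say when the job is active. In the entrypoint the `geoip.sh` crontab line sits in the hunk whose context is `if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ]`, so it appears to be scheduled only when one of those is set; state that here. It would also help to spell out that the default `30 2 2 * *` means 02:30 on the 2nd day of each month.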
@ -1167,7 +1209,7 @@ IPs or subnet which should never be ban by fail2ban.
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
If set to yes, ClamAV will scan every file uploads and block the upload if the file is detected.
`USE_CLAMAV_SCAN`
Values : *yes* | *no*
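Review bot: The only change in this hunk replaces the `USE_CLAMAV_UPLOAD` description line with a line that reads identically, so it looks like a whitespace-only edit unrelated to the cron scheduling. Drop it from this commit or move it to a separate cleanup commit to keep the diff focused.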
@ -1175,12 +1217,24 @@ Default value : *yes*
Context : *global*
If set to yes, ClamAV will scan all the files inside the container every day.
`USE_CLAMAV_SCAN_CRON`
Values : *\<cron expression\>*
Default value : 40 */1 * * *
Context : *global*
Cron expression of how often ClamAV will scan all the files inside the container.
`CLAMAV_SCAN_REMOVE`
Values : *yes* | *no*
Default value : *yes*
Context : *global*
If set to yes, ClamAV will automatically remove the detected files.
`CLAMAV_UPDATE_CRON`
Values : *\<cron expression\>*
Default value : 0 3 * * *
Context : *global*
Cron expression of how often ClamAV will update its database.
## Misc
`ADDITIONAL_MODULES`
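Review bot: The default `40 */1 * * *` for `USE_CLAMAV_SCAN_CRON` runs the scan every hour, yet the unchanged `USE_CLAMAV_SCAN` description just above still says the scan happens "every day". Update that sentence to point at the new setting. Two smaller points: `*/1` is equivalent to `*` and the simpler form is easier to read, and the `USE_` prefix is otherwise used for yes/no switches, so `CLAMAV_SCAN_CRON` would sit better next to `CLAMAV_SCAN_REMOVE` and `CLAMAV_UPDATE_CRON`.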
@ -1201,6 +1255,12 @@ Default value : 7
Context : *global*
The number of days before rotated files are deleted.
`LOGROTATE_CRON`
Values : *\<cron expression\>*
Default value : 0 4 * * *
Context : *global*
Cron expression of how often Logrotate will rotate files.
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context


@ -45,11 +45,17 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-5 0 * * *}"
BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-10 0 * * *}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_TOR_EXIT_NODE_CRON="${BLOCK_TOR_EXIT_NODE_CRON-15 * * * *}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_PROXIES_CRON="${BLOCK_PROXIES_CRON-20 0 * * *}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
BLOCK_ABUSERS_CRON="${BLOCK_ABUSERS_CRON-30 0 * * *}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
AUTO_LETS_ENCRYPT_CRON="${AUTO_LETS_ENCRYPT_CRON-0 2 * * *}"
HTTP2="${HTTP2-yes}"
HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
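Review bot: The new `*_CRON` defaults use `${VAR-default}`, which only applies the default when the variable is unset; a variable that is set but empty (for example `BLOCK_PROXIES_CRON=` in a compose file) stays empty. The entrypoint would then write a crontab line with no schedule in front of the command. For these schedule variables use `${VAR:-default}`, or reject an empty value before writing the crontab.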
@ -70,6 +76,8 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
FAIL2BAN_IGNOREIP="${FAIL2BAN_IGNOREIP-127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
USE_CLAMAV_SCAN_CRON="${USE_CLAMAV_SCAN_CRON-40 */1 * * *}"
CLAMAV_UPDATE_CRON="${CLAMAV_UPDATE_CRON-0 3 * * *}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
@ -80,6 +88,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
ROOT_FOLDER="${ROOT_FOLDER-/www}"
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
LOGROTATE_CRON="${LOGROTATE_CRON-0 4 * * *}"
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
@ -99,6 +108,7 @@ PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GEOIP_CRON="${GEOIP_CRON-30 2 2 * *}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"


@ -100,7 +100,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
fi
fi
echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
fi
# self-signed certificate
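Review bot: `$AUTO_LETS_ENCRYPT_CRON` is interpolated into root's crontab without any check, here and in every other `echo "$..._CRON ..." >> /etc/crontabs/root` line this commit adds. A value with the wrong number of fields shifts text into the command position, and a value containing a newline adds a separate crontab line that runs as root. Since the same pattern is repeated about ten times, add one small helper that checks the schedule is exactly five fields made of digits and `*`, `/`, `,`, `-`, then appends the line, and fail startup with a clear message when the check does not pass.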
@ -119,7 +119,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
fi
echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
@ -134,7 +134,7 @@ fi
# block bad UA
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root
if [ -f "/cache/map-user-agent.conf" ] ; then
echo "[*] Copying cached map-user-agent.conf ..."
cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
@ -149,7 +149,7 @@ fi
# block bad refferer
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root
if [ -f "/cache/map-referrer.conf" ] ; then
echo "[*] Copying cached map-referrer.conf ..."
cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
@ -163,7 +163,7 @@ fi
# block TOR exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
if [ -f "/cache/block-tor-exit-node.conf" ] ; then
echo "[*] Copying cached block-tor-exit-node.conf ..."
cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
@ -175,7 +175,7 @@ fi
# block proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root
if [ -f "/cache/block-proxies.conf" ] ; then
echo "[*] Copying cached block-proxies.conf ..."
cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
@ -187,7 +187,7 @@ fi
# block abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root
if [ -f "/cache/block-abusers.conf" ] ; then
echo "[*] Copying cached block-abusers.conf ..."
cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf
@ -279,13 +279,13 @@ fi
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
echo "[*] Updating clamav (in background) ..."
freshclam > /dev/null 2>&1 &
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
fi
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
else
echo "0 */1 * * * /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
fi
fi
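Review bot: The condition `if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ]` tests a variable that the defaults file and the documentation both call `CLAMAV_SCAN_REMOVE`. As the lines stand, the `--remove` branch is only taken when someone sets the undocumented name, and the documented default of *yes* has no effect. Since both branches are being edited here, fix the test to use `$CLAMAV_SCAN_REMOVE` in the same change. The two `clamscan` lines also differ only by `--remove`, so building the option into a variable would leave a single crontab line to maintain.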
@ -305,4 +305,4 @@ touch /var/log/error.log
# setup logrotate
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
echo "0 0 * * * /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root