remove ClamAV because of GPL and started work on read-only filesystem
parent
a8bc17e836
commit
a991b262ef
|
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
SecUploadDir /tmp
|
||||
SecUploadKeepFiles On
|
||||
SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
|
||||
"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"
|
|
@ -53,11 +53,6 @@ SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
|
|||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# scan uploaded files with clamv
|
||||
{% if USE_CLAMAV_UPLOAD == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS configuration
|
||||
{% if USE_MODSECURITY_CRS == "yes" %}
|
||||
include /opt/owasp/crs.conf
|
||||
|
|
|
@ -144,8 +144,8 @@ server {
|
|||
{% endif %}
|
||||
|
||||
# brotli compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% if USE_BROTLI == "yes" %}
|
||||
include {{ NGINX_PREFIX }}brotli.conf;
|
||||
{% endif %}
|
||||
|
||||
# maximum body size
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
# install dependencies
|
||||
apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
|
||||
apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
|
||||
pip3 install jinja2
|
||||
|
|
|
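Review bot: The trimmed `apk add` line installs every package unpinned and leaves the apk index cache in the image layer; `apk add --no-cache certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip` drops the stale index, and pinning (`certbot=<version-placeholder>`) would make the base image reproducible and auditable. The following `pip3 install jinja2` is a context line, but the same point applies to it (`jinja2==<version-placeholder>`), since it pulls whatever PyPI serves at build time.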
@ -1,18 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# clamav setup
|
||||
if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
echo "[*] Updating clamav (in background) ..."
|
||||
freshclam > /dev/null 2>&1 &
|
||||
echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
|
||||
fi
|
||||
if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
|
||||
else
|
||||
echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
|
||||
fi
|
||||
fi
|
|
@ -17,6 +17,7 @@ function trap_reload() {
|
|||
echo "[*] Catched reload operation"
|
||||
if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/entrypoint/certbot.sh
|
||||
/opt/entrypoint/jobs.sh
|
||||
fi
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
echo "[*] Reloading nginx ..."
|
||||
|
@ -33,7 +34,7 @@ function trap_reload() {
|
|||
trap "trap_reload" HUP
|
||||
|
||||
# do the configuration magic if needed
|
||||
if [ ! -f "/opt/installed" ] ; then
|
||||
if [ ! -f "/etc/nginx/global.env" ] ; then
|
||||
|
||||
echo "[*] Configuring bunkerized-nginx ..."
|
||||
|
||||
|
@ -47,9 +48,6 @@ if [ ! -f "/opt/installed" ] ; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# clamav config
|
||||
/opt/entrypoint/clamav.sh
|
||||
|
||||
# start temp nginx to solve Let's Encrypt challenges if needed
|
||||
/opt/entrypoint/nginx-temp.sh
|
||||
|
||||
|
@ -67,8 +65,6 @@ if [ ! -f "/opt/installed" ] ; then
|
|||
# certbot
|
||||
/opt/entrypoint/certbot.sh
|
||||
fi
|
||||
|
||||
touch /opt/installed
|
||||
else
|
||||
echo "[*] Skipping configuration process"
|
||||
fi
|
||||
|
@ -98,7 +94,7 @@ pid="$!"
|
|||
if [ "$1" == "test" ] ; then
|
||||
sleep 10
|
||||
echo -n "autotest" > /www/index.html
|
||||
check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
|
||||
check=$(curl "http://localhost:8080")
|
||||
if [ "$check" == "autotest" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
|
|
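Review bot: The first-run guard now tests `[ ! -f "/etc/nginx/global.env" ]` (new side of the `-33,7 +34,7` hunk) and `touch /opt/installed` is dropped in the `-67,8 +65,6` hunk, so the presence of global.env in the volume is the only signal that configuration completed. Where global.env is written is outside these hunks; if it is created before the remaining steps run, a failure such as the `exit 1` in the `-47,9 +48,6` hunk leaves a volume that every later start treats as configured and skips with "Skipping configuration process". Consider creating global.env, or a dedicated marker file inside the volume (e.g. `/etc/nginx/.configured`), only after the last configuration step has succeeded, and testing that instead.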
@ -4,7 +4,7 @@
|
|||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# GeoIP
|
||||
if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
|
||||
if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COUNTRY .+)" != "" ] ; then
|
||||
if [ -f "/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
|
|
|
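Review bot: The new guard `has_value BLACKLIST_COUNTRY .+` hands `.+` to a plain `grep "^${1}=${2}$"` (the has_value hunk below), and in a basic regular expression `+` is a literal character, so `^BLACKLIST_COUNTRY=.+$` only matches a value whose last character is `+` and a normally set country list is treated as unset. The same `.+` arguments appear in the geoip cron-script hunk further down (`has_value BLACKLIST_COUNTRY .+` / `has_value WHITELIST_COUNTRY .+`). Pass a BRE-safe pattern such as `has_value BLACKLIST_COUNTRY '..*'`, or switch has_value to `grep -E`; either way, verify against the busybox grep the `apk add` hunk suggests this image uses.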
@ -24,20 +24,13 @@ function spaces_to_lua() {
|
|||
|
||||
# check if at least one env var (global or multisite) has a specific value
|
||||
function has_value() {
|
||||
if [ -f "/etc/nginx/site.env" ] ; then
|
||||
if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ] ; then
|
||||
envs=$(find /etc/nginx -name "*.env")
|
||||
for file in $envs ; do
|
||||
if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
else
|
||||
servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
|
||||
for server in $servers ; do
|
||||
if [ $(grep "^${1}=${2}$" /etc/nginx/$server/site.env) != "" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# log to jobs.log
|
||||
|
|
|
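Review bot: The rewritten loop `for file in $envs` word-splits the output of `find /etc/nginx -name "*.env"` and then passes `$file` to grep unquoted, so a path containing whitespace or glob characters breaks the lookup, and an empty find result is indistinguishable from "no match". If the sourcing scripts are bash as the `function` keyword suggests, iterate the results directly: `while IFS= read -r -d '' file ; do` … `grep "^${1}=${2}$" "$file"` … `done < <(find /etc/nginx -name "*.env" -print0)`. Note also the behaviour change: the old code consulted only site.env files, while `*.env` now also matches `/etc/nginx/global.env`, so a value set globally satisfies has_value — presumably intended, but the comment above the function should say so.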
@ -10,6 +10,10 @@ services:
|
|||
# disable setuid/setgid
|
||||
security_opt:
|
||||
- no-new-privileges
|
||||
# read-only file system
|
||||
read_only: true
|
||||
tmpfs:
|
||||
- /tmp
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
|
@ -17,6 +21,7 @@ services:
|
|||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
volumes:
|
||||
- cache:/cache
|
||||
- nginx_conf:/etc/nginx
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
|
@ -38,3 +43,4 @@ services:
|
|||
|
||||
volumes:
|
||||
nginx_conf:
|
||||
cache:
|
||||
|
|
|
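Review bot: `read_only: true` with only `/tmp` as tmpfs leaves every other runtime write location on a read-only root, and the scripts in this commit still write outside `/tmp` and the declared volumes: prepare.sh creates `/var/log/letsencrypt` (owned by nginx, mode 770) and `/acme-challenge` at build time, which presumably means `certbot renew` and the challenge handling write there at runtime. Unless those paths are covered elsewhere, renewals will fail once this compose file is used; list them under `tmpfs:` next to `- /tmp` (or make them named volumes if persistence matters). The short `tmpfs:` syntax also mounts with the default size; the long `volumes:` form with `type: tmpfs` lets you bound it with `tmpfs: size:` so a misbehaving job cannot fill memory.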
@ -0,0 +1,7 @@
|
|||
15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1
|
||||
30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1
|
||||
45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1
|
||||
0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1
|
||||
0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1
|
||||
0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1
|
||||
0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1
|
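Review bot: Every job in the new crontab discards both stdout and stderr (`> /dev/null 2>&1`), so a failing `certbot-renew.sh` or a blocklist update that errors leaves no trace, which is the wrong default for jobs that gate certificate renewal and request filtering. prepare.sh already symlinks `/var/log/jobs.log` to `/proc/1/fd/1` (context in the prepare.sh hunks), so `15 0 * * * /opt/scripts/certbot-renew.sh >> /var/log/jobs.log 2>&1` keeps the output in the container log without writing to the read-only root. Since the crontab used to be appended at runtime (the removed clamav.sh did so) and is now baked into the image and made `440` by prepare.sh, a one-line comment at the top of this file stating that the schedule is fixed at build time would save the next reader from looking for a runtime override.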
17
prepare.sh
17
prepare.sh
|
@ -15,6 +15,11 @@ chmod 770 /opt
|
|||
chmod 440 /opt/settings.json
|
||||
|
||||
# prepare /etc/nginx
|
||||
for file in $(ls /etc/nginx) ; do
|
||||
if [ -f /etc/nginx/$file ] && [ ! -f /opt/confs/global/$file ] ; then
|
||||
cp /etc/nginx/$file /opt/confs/global
|
||||
fi
|
||||
done
|
||||
chown -R root:nginx /etc/nginx
|
||||
chmod -R 770 /etc/nginx
|
||||
|
||||
|
@ -27,14 +32,9 @@ ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
|
|||
ln -s /proc/1/fd/1 /var/log/access.log
|
||||
ln -s /proc/1/fd/2 /var/log/error.log
|
||||
ln -s /proc/1/fd/1 /var/log/jobs.log
|
||||
ln -s /proc/1/fd/1 /var/log/clamav.log
|
||||
mkdir /var/log/letsencrypt
|
||||
chown nginx:nginx /var/log/letsencrypt
|
||||
chmod 770 /var/log/letsencrypt
|
||||
rm -rf /var/log/clamav/*
|
||||
chown root:nginx /var/log/clamav
|
||||
chmod 770 /var/log/clamav
|
||||
ln -s /proc/1/fd/1 /var/log/freshclam.log
|
||||
|
||||
# prepare /acme-challenge
|
||||
mkdir /acme-challenge
|
||||
|
@ -63,10 +63,5 @@ chown root:nginx /cache
|
|||
chmod 770 /cache
|
||||
|
||||
# prepare /etc/crontabs/nginx
|
||||
touch /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 660 /etc/crontabs/nginx
|
||||
|
||||
# prepare /var/lib/clamav
|
||||
chown root:nginx /var/lib/clamav
|
||||
chmod 770 /var/lib/clamav
|
||||
chmod 440 /etc/crontabs/nginx
|
||||
|
|
|
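Review bot: `for file in $(ls /etc/nginx)` in the new `# prepare /etc/nginx` block parses ls output and uses `$file` unquoted in the `[ -f ]` test and the `cp`, so a name with spaces or glob characters is mis-handled. Let the shell glob instead: `for path in /etc/nginx/* ; do file=${path##*/}`, then `[ -f "$path" ] && [ ! -f "/opt/confs/global/$file" ] && cp "$path" /opt/confs/global`. `chmod -R 770 /etc/nginx` also marks every config file executable; `chmod -R u=rwX,g=rwX,o= /etc/nginx` keeps directories traversable while leaving files non-executable.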
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/abusers.list /cache
|
||||
|
||||
|
|
|
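Review bot: `if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ]` leaves the command substitution unquoted, so when grep matches nothing the test degenerates to `[ != "" ]`, which errors out on every cron run and only continues because the broken test happens to fail. Use grep's own exit status instead: `if grep -q "^SWARM_MODE=yes$" /etc/nginx/global.env && [ -f /usr/sbin/nginx ] ; then`. The identical line is added in the hunks guarded by AUTO_LETS_ENCRYPT, BLOCK_TOR_EXIT_NODE, BLACKLIST_COUNTRY/WHITELIST_COUNTRY, BLOCK_PROXIES, BLOCK_REFERRER and BLOCK_USER_AGENT below and should be fixed the same way. The `-f /usr/sbin/nginx` half presumably tells the nginx container apart from a jobs-only one in swarm mode; a short comment saying so would help, as a reader would otherwise expect the presence of nginx to enable the job rather than skip it.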
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# ask new certificates if needed
|
||||
certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
|
||||
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
output=$(clamscan -i --no-summary $1 2> /dev/null)
|
||||
rm -f $1
|
||||
if echo "$output" | grep -q ".* FOUND$" ; then
|
||||
echo "0 clamscan: $output"
|
||||
else
|
||||
echo "1 clamscan: ok"
|
||||
fi
|
|
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/tor-exit-nodes.list /cache
|
||||
|
||||
|
|
|
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLACKLIST_COUNTRY .+)" = "" ] && [ "$(has_value WHITELIST_COUNTRY .+)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
|
|
|
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/proxies.list /cache
|
||||
|
||||
|
|
|
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/referrers.list /cache
|
||||
|
||||
|
|
|
@ -3,6 +3,14 @@
|
|||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/user-agents.list /cache
|
||||
|
||||
|
|