remove ClamAV because of GPL and started work on read-only filesystem

2021-05-26 17:18:49 +02:00 · 2021-05-26 17:18:49 +02:00 · a991b262ef
parent a8bc17e836
commit a991b262ef
24 changed files with 91 additions and 69 deletions
--- a/1
+++ b/1
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx

 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
--- a/1
+++ b/1
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx

 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
--- a/1
+++ b/1
@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx

 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
--- a/1
+++ b/1
@ -25,6 +25,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx

 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
--- a/1
+++ b/1
@ -18,6 +18,7 @@ COPY scripts/ /opt/scripts
 COPY lua/ /usr/local/lib/lua
 COPY antibot/ /antibot
 COPY settings.json /opt
+COPY misc/cron /etc/crontabs/nginx

 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
--- a/confs/site/modsecurity-clamav.conf
+++ b/confs/site/modsecurity-clamav.conf
@ -1,4 +0,0 @@
-SecUploadDir /tmp
-SecUploadKeepFiles On
-SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
-"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"
--- a/confs/site/modsecurity-rules.conf
+++ b/confs/site/modsecurity-rules.conf
@ -53,11 +53,6 @@ SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log

-# scan uploaded files with clamv
-{% if USE_CLAMAV_UPLOAD == "yes" %}
-include {{ NGINX_PREFIX }}modsecurity-clamav.conf
-{% endif %}
-
 # include OWASP CRS configuration
 {% if USE_MODSECURITY_CRS == "yes" %}
 include /opt/owasp/crs.conf
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@ -144,8 +144,8 @@ server {
 {% endif %}

 	# brotli compression
-{% if USE_GZIP == "yes" %}
-	include {{ NGINX_PREFIX }}gzip.conf;
+{% if USE_BROTLI == "yes" %}
+	include {{ NGINX_PREFIX }}brotli.conf;
 {% endif %}

 	# maximum body size
--- a/dependencies.sh
+++ b/dependencies.sh
@ -1,5 +1,5 @@
 #!/bin/sh

 # install dependencies
-apk add clamav certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
+apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
 pip3 install jinja2
--- a/entrypoint/clamav.sh
+++ b/entrypoint/clamav.sh
@ -1,18 +0,0 @@
-#!/bin/bash
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# clamav setup
-if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	echo "[*] Updating clamav (in background) ..."
-	freshclam > /dev/null 2>&1 &
-	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
-fi
-if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
-	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
-        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
-        else
-		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
-        fi
-fi
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@ -17,6 +17,7 @@ function trap_reload() {
 	echo "[*] Catched reload operation"
 	if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
 		/opt/entrypoint/certbot.sh
+		/opt/entrypoint/jobs.sh
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
@ -33,7 +34,7 @@ function trap_reload() {
 trap "trap_reload" HUP

 # do the configuration magic if needed
-if [ ! -f "/opt/installed" ] ; then
+if [ ! -f "/etc/nginx/global.env" ] ; then

 	echo "[*] Configuring bunkerized-nginx ..."

@ -47,9 +48,6 @@ if [ ! -f "/opt/installed" ] ; then
 		exit 1
 	fi

-	# clamav config
-	/opt/entrypoint/clamav.sh
-
 	# start temp nginx to solve Let's Encrypt challenges if needed
 	/opt/entrypoint/nginx-temp.sh

@ -67,8 +65,6 @@ if [ ! -f "/opt/installed" ] ; then
 		# certbot
 		/opt/entrypoint/certbot.sh
 	fi
-
-	touch /opt/installed
 else
 	echo "[*] Skipping configuration process"
 fi
@ -98,7 +94,7 @@ pid="$!"
 if [ "$1" == "test" ] ; then
 	sleep 10
 	echo -n "autotest" > /www/index.html
-	check=$(curl "http://localhost:${HTTP_PORT}" 2> /dev/null)
+	check=$(curl "http://localhost:8080")
 	if [ "$check" == "autotest" ] ; then
 		exit 0
 	fi
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
@ -4,7 +4,7 @@
 . /opt/entrypoint/utils.sh

 # GeoIP
-if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COUNTRY .+)" != "" ] ; then
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@ -24,20 +24,13 @@ function spaces_to_lua() {

 # check if at least one env var (global or multisite) has a specific value
 function has_value() {
-	if [ -f "/etc/nginx/site.env" ] ; then
-		if [ $(grep "^${1}=${2}$" /etc/nginx/site.env) != "" ] ; then
+	envs=$(find /etc/nginx -name "*.env")
+	for file in $envs ; do
+		if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
 			echo "ok"
 			return 0
 		fi
-	else
-		servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
-		for server in $servers ; do
-			if [ $(grep "^${1}=${2}$" /etc/nginx/$server/site.env) != "" ] ; then
-				echo "ok"
-				return 0
-			fi
-		done
-	fi
+	done
 }

 # log to jobs.log
--- a/examples/hardened/docker-compose.yml
+++ b/examples/hardened/docker-compose.yml
@ -10,6 +10,10 @@ services:
    # disable setuid/setgid
    security_opt:
      - no-new-privileges
+    # read-only file system
+    read_only: true
+    tmpfs:
+      - /tmp
    restart: always
    ports:
      - 80:8080
@ -17,6 +21,7 @@ services:
    # bunkerized-nginx runs as an unprivileged user with UID/GID 101
    # don't forget to edit the permissions of the files and folders accordingly
    volumes:
+      - cache:/cache
      - nginx_conf:/etc/nginx
      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
@ -38,3 +43,4 @@ services:

 volumes:
  nginx_conf:
+  cache:
--- a/misc/cron
+++ b/misc/cron
@ -0,0 +1,7 @@
+15 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1
+30 0 * * * /opt/scripts/user-agents.sh > /dev/null 2>&1
+45 0 * * * /opt/scripts/referrers.sh > /dev/null 2>&1
+0 1 * * * /opt/scripts/abusers.sh > /dev/null 2>&1
+0 2 * * * /opt/scripts/proxies.sh > /dev/null 2>&1
+0 */1 * * * /opt/scripts/exit-nodes.sh > /dev/null 2>&1
+0 3 2 * * /opt/scripts/geoip.sh > /dev/null 2>&1
--- a/prepare.sh
+++ b/prepare.sh
@ -15,6 +15,11 @@ chmod 770 /opt
 chmod 440 /opt/settings.json

 # prepare /etc/nginx
+for file in $(ls /etc/nginx) ; do
+	if [ -f /etc/nginx/$file ] && [ ! -f /opt/confs/global/$file ] ; then
+		cp /etc/nginx/$file /opt/confs/global
+	fi
+done
 chown -R root:nginx /etc/nginx
 chmod -R 770 /etc/nginx

@ -27,14 +32,9 @@ ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
 ln -s /proc/1/fd/1 /var/log/access.log
 ln -s /proc/1/fd/2 /var/log/error.log
 ln -s /proc/1/fd/1 /var/log/jobs.log
-ln -s /proc/1/fd/1 /var/log/clamav.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
-rm -rf /var/log/clamav/*
-chown root:nginx /var/log/clamav
-chmod 770 /var/log/clamav
-ln -s /proc/1/fd/1 /var/log/freshclam.log

 # prepare /acme-challenge
 mkdir /acme-challenge
@ -63,10 +63,5 @@ chown root:nginx /cache
 chmod 770 /cache

 # prepare /etc/crontabs/nginx
-touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
-chmod 660 /etc/crontabs/nginx
-
-# prepare /var/lib/clamav
-chown root:nginx /var/lib/clamav
-chmod 770 /var/lib/clamav
+chmod 440 /etc/crontabs/nginx
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/abusers.list /cache

--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
+	exit 0
+fi
+
 # ask new certificates if needed
 certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh

--- a/scripts/clamav.sh
+++ b/scripts/clamav.sh
@ -1,9 +0,0 @@
-#!/bin/sh
-
-output=$(clamscan -i --no-summary $1 2> /dev/null)
-rm -f $1
-if echo "$output" | grep -q ".* FOUND$" ; then
-	echo "0 clamscan: $output"
-else
-	echo "1 clamscan: ok"
-fi
--- a/scripts/exit-nodes.sh
+++ b/scripts/exit-nodes.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/tor-exit-nodes.list /cache

--- a/scripts/geoip.sh
+++ b/scripts/geoip.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLACKLIST_COUNTRY .+)" = "" ] && [ "$(has_value WHITELIST_COUNTRY .+)" = "" ] ; then
+	exit 0
+fi
+
 # if we are running nginx
 if [ -f /tmp/nginx.pid ] ; then
 	RELOAD="/usr/sbin/nginx -s reload"
--- a/scripts/proxies.sh
+++ b/scripts/proxies.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
+	exit 0
+fi
+
 # copy old conf to cache
 cp /etc/nginx/proxies.list /cache

--- a/scripts/referrers.sh
+++ b/scripts/referrers.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
+	exit 0
+fi
+
 # save old conf
 cp /etc/nginx/referrers.list /cache

--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
@ -3,6 +3,14 @@
 # load some functions
 . /opt/entrypoint/utils.sh

+if [ $(grep "^SWARM_MODE=yes$" /etc/nginx/global.env) != "" ] && [ -f /usr/sbin/nginx ] ; then
+	exit 0
+fi
+
+if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
+	exit 0
+fi
+
 # save old conf
 cp /etc/nginx/user-agents.list /cache