road to v1.2.3 - fixing bugs
This commit is contained in:
parent
c40fb33175
commit
afc6678855
|
@ -1083,11 +1083,11 @@ Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .c
|
|||
Context : *global*
|
||||
The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
|
||||
|
||||
`WHITELIST_USERAGENT_LIST`
|
||||
Values : *"useragent1", "^[user]agent2"*
|
||||
Default value : **
|
||||
`WHITELIST_USER_AGENT`
|
||||
Values : *\<list of regexes separated with spaces\>*
|
||||
Default value :
|
||||
Context : *global*, *multisite*
|
||||
Whitelist user agent from be blocked by `BLOCK_USER_AGENT`
|
||||
Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
|
||||
|
||||
### Custom blacklisting
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@ class Config :
|
|||
started = True
|
||||
break
|
||||
i = i + 1
|
||||
utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact nginx instances")
|
||||
time.sleep(i)
|
||||
if started :
|
||||
proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
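Review bot: The result of `subprocess.run` on this line is bound to `proc`, but within the hunk neither `proc.returncode` nor the captured stderr is examined, so a jobs.sh run that fails (or a `su` that cannot switch to `nginx`) is silent and the caller proceeds as if the jobs had completed. Because `capture_output=True` also swallows the child's stderr, the failure does not even reach the container log. I would follow the call with `if proc.returncode != 0 :` / `utils.log("[!] jobs.sh exited " + str(proc.returncode) + ": " + proc.stderr.decode(errors="replace"))`. The enclosing method starts before the hunk, so if `proc` is inspected further down I cannot see it here.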
|
||||
|
|
|
@ -23,8 +23,11 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
|
|||
chmod 770 /cache && \
|
||||
touch /var/log/jobs.log && \
|
||||
chown root:nginx /var/log/jobs.log && \
|
||||
chmod 770 /var/log/jobs.log
|
||||
chmod 770 /var/log/jobs.log && \
|
||||
chown -R root:nginx /opt/confs/nginx && \
|
||||
chmod -R 770 /opt/confs/nginx
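Review bot: `chmod -R 770 /opt/confs/nginx` grants group `nginx` write (and, on regular files, execute) permission over the config templates, although the entrypoint in this commit only reads them (`cp -r /opt/confs/nginx/* /etc/nginx`), so the runtime user can alter the source of every future config copy. Read-only access is enough here: `find /opt/confs/nginx -type d -exec chmod 750 {} +` and `find /opt/confs/nginx -type f -exec chmod 640 {} +` in place of the `chmod -R`. Note also that a `COPY` of `/opt/confs/nginx` placed after this `RUN` would not be covered by the chown/chmod; I cannot see from the hunk where that directory is copied into the image.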
|
||||
|
||||
COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
|
||||
COPY scripts/* /opt/scripts/
|
||||
COPY confs/site/ /opt/confs/site
|
||||
COPY confs/global/ /opt/confs/global
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
|
||||
echo "[*] Starting autoconf ..."
|
||||
|
||||
cp -r /opt/confs/nginx/* /etc/nginx
|
||||
if [ "$SWARM_MODE" = "yes" ] ; then
|
||||
cp -r /opt/confs/nginx/* /etc/nginx
|
||||
fi
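Review bot: The `cp -r /opt/confs/nginx/* /etc/nginx` now guarded by `SWARM_MODE` has no error handling, so in swarm mode a failed copy (missing directory, unreadable template, or an empty glob left literal) is ignored and autoconf starts against whatever is already in `/etc/nginx`. Since the rest of the entrypoint depends on those templates, I would fail fast: `cp -r /opt/confs/nginx/* /etc/nginx || { echo "[!] cannot copy nginx templates" ; exit 1 ; }`. A one-line comment stating why the copy is swarm-only (`# in swarm mode templates are applied here; otherwise the autoconf job copies them`) would also help, assuming that is the reason — I cannot confirm it from the hunk.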
|
||||
|
||||
# trap SIGTERM and SIGINT
|
||||
function trap_exit() {
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
/var/log/*.log /var/log/letsencrypt/*.log {
|
||||
# compress old files using gzip
|
||||
compress
|
||||
|
||||
# rotate everyday
|
||||
daily
|
||||
|
||||
# remove old logs after X days
|
||||
maxage 7
|
||||
rotate 7
|
||||
|
||||
# no errors if a file is missing
|
||||
missingok
|
||||
|
||||
# disable mailing
|
||||
nomail
|
||||
|
||||
# mininum size of a logfile before rotating
|
||||
minsize 10M
|
||||
|
||||
# make a copy and truncate the files
|
||||
copytruncate
|
||||
}
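Review bot: `minsize 10M` combined with `daily` means a log is rotated only when it is both at least a day old and larger than 10M, so the low-volume files matched by `/var/log/*.log` (jobs.log, for example) are never rotated and `maxage 7`/`rotate 7` never apply to them. If the intent is a daily rotation regardless of size, drop `minsize 10M`; if it is a size cap, use `maxsize 10M`, which rotates daily or sooner once the size is exceeded. The comment on `copytruncate` should also state the trade-off it accepts: `# lines written between the copy and the truncate are lost; accepted so writers need not reopen their files`.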
|
|
@ -30,7 +30,7 @@ local recaptcha = require "recaptcha"
|
|||
|
||||
-- user variables
|
||||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
local whitelist_useragent_list = {%WHITELIST_USERAGENT_LIST%}
|
||||
local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
|
||||
|
||||
-- check if it's let's encrypt bot
|
||||
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
|
||||
|
@ -90,16 +90,16 @@ end
|
|||
if use_user_agent and ngx.var.bad_user_agent == "yes" then
|
||||
local headers = ngx.req.get_headers()
|
||||
local ua = headers["User-Agent"]
|
||||
if not whitelist_useragent_list ~= "" then
|
||||
local k_ua_white, v_ua_white = next(whitelist_useragent_list, nil)
|
||||
while v_ua_white do
|
||||
local rst_whitelist = string.match(ua, v_ua_white)
|
||||
if rst_whitelist ~= nil and rst_whitelist ~= "" then
|
||||
ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
k_ua_white, v_ua_white = next(whitelist_useragent_list, k_ua_white)
|
||||
end
|
||||
if not whitelist_user_agent ~= "" then
|
||||
local k_ua_white, v_ua_white = next(whitelist_user_agent, nil)
|
||||
while v_ua_white do
|
||||
local rst_whitelist = string.match(ua, v_ua_white)
|
||||
if rst_whitelist ~= nil and rst_whitelist ~= "" then
|
||||
ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
k_ua_white, v_ua_white = next(whitelist_user_agent, k_ua_white)
|
||||
end
|
||||
end
|
||||
ngx.log(ngx.WARN, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
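Review bot: `string.match(ua, v_ua_white)` is reached with `ua` taken straight from `headers["User-Agent"]`, which is `nil` when the header is absent and a table when the client sends it twice, so with a non-empty whitelist a request the map flagged as bad but carrying no or a duplicated User-Agent raises a Lua error instead of being denied. The guard `if not whitelist_user_agent ~= "" then` does not protect against this: `not` binds tighter than `~=`, so it evaluates `false ~= ""` and is always true. I would normalise first, `if type(ua) == "table" then ua = ua[1] end`, and write the guard as `if type(ua) == "string" and next(whitelist_user_agent) ~= nil then`. Separately, `string.match` uses Lua patterns, not the regexes the settings documentation in this commit promises, and an unanchored entry matches anywhere in an attacker-chosen header, so a blocked client can append a whitelisted token to its User-Agent; the setting's documentation should say that entries are Lua patterns and should be anchored (`^...$`).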
|
||||
|
|
|
@ -45,7 +45,7 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
|
|||
SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
|
||||
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
|
||||
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
|
||||
WHITELIST_USERAGENT_LIST="${WHITELIST_USERAGENT_LIST-}"
|
||||
WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
|
||||
BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-5 0 * * *}"
|
||||
BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
|
||||
BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-10 0 * * *}"
|
||||
|
|
|
@ -24,12 +24,12 @@ if [ "$MULTISITE" = "yes" ] ; then
|
|||
sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
|
||||
fi
|
||||
done
|
||||
for var in $(compgen -e) ; do
|
||||
for var in $(cut -d '=' -f 1 "${NGINX_PREFIX}nginx.env") ; do
|
||||
name=$(echo "$var")
|
||||
check=$(echo "$name" | grep "^$1_")
|
||||
if [ "$check" != "" ] ; then
|
||||
repl_name=$(echo "$name" | sed "s~${1}_~~")
|
||||
repl_value=$(echo "${!var}")
|
||||
repl_value=$(env | grep -E "^${name}=" | sed "s~^${name}=~~")
|
||||
read -r "$repl_name" <<< $repl_value
|
||||
sed -i "/^${repl_name}=.*/d" "${NGINX_PREFIX}nginx.env"
|
||||
sed -i "/^${name}=.*/d" "${NGINX_PREFIX}nginx.env"
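Review bot: `repl_value=$(env | grep -E "^${name}=" | sed "s~^${name}=~~")` recovers only the first line of a value, since `env` prints a multi-line value across several lines, and the following `read -r "$repl_name" <<< $repl_value` additionally strips leading and trailing whitespace, so values containing either are silently altered compared with the `${!var}` lookup this replaces. At minimum the read should be `IFS= read -r "$repl_name" <<< "$repl_value"`. `$1` (the server name) is also used unescaped as a regex in `grep "^$1_"` and `sed "s~${1}_~~"`, so a dot in the name matches any character and the `sed` strips the first occurrence anywhere in the name; the intent is a literal prefix, e.g. `case "$name" in "${1}_"*) ;; *) continue ;; esac` and `repl_name=${name#"${1}_"}`. The `for` loop body continues past the end of the hunk.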
|
||||
|
@ -76,10 +76,13 @@ if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
|
|||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
|
||||
if [ "$custom_headers_value" != "" ] ; then
|
||||
IFS=';' ;for header_value in $(echo "$custom_headers_value") ; do
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
|
||||
done
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
|
||||
IFS_=$IFS
|
||||
IFS=';'
|
||||
for header_value in $(echo "$custom_headers_value") ; do
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
|
||||
done
|
||||
IFS=$IFS_
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
|
||||
fi
|
||||
replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
|
||||
if [ "$ws_value" = "yes" ] ; then
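Review bot: Each `$header_value` split out of `REVERSE_PROXY_CUSTOM_HEADERS` is spliced verbatim into the generated nginx config as `more_set_headers $header_value;`, so a value containing `;`, a quote or a newline terminates the directive and injects arbitrary nginx configuration; if these values can arrive through container labels in autoconf mode that is a config-injection path for anyone able to set labels, and even from the operator's own environment it is an unvalidated write into the server config. I would validate each field before the replace — allow only a header name of `[A-Za-z0-9-]`, a colon, and a value free of `;`, quotes and newlines, e.g. `printf '%s' "$header_value" | grep -Eqx '[A-Za-z0-9-]+: [^;"]+'` plus a rejection of any value containing a newline — and `continue` with a logged warning otherwise. Since `$(echo "$custom_headers_value")` is unquoted, pathname expansion also still applies to each field, so a value containing `*` or `?` can be replaced by matching file names; `set -f` around the loop avoids that. Finally, `IFS=$IFS_` sets `IFS` to the empty string if it was unset before, which disables word splitting for the rest of the script rather than restoring the default.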
|
||||
|
@ -284,13 +287,15 @@ fi
|
|||
# block bad UA
|
||||
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
|
||||
if [ "$WHITELIST_USERAGENT_LIST" != "" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USERAGENT_LIST%" "$WHITELIST_USERAGENT_LIST"
|
||||
if [ "$WHITELIST_USER_AGENT" != "" ] ; then
|
||||
list=$(spaces_to_lua "$WHITELIST_USER_AGENT")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list"
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USERAGENT_LIST%" ""
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
|
||||
fi
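Review bot: `list=$(spaces_to_lua "$WHITELIST_USER_AGENT")` is substituted into `main-lua.conf` as the contents of the Lua table literal `{%WHITELIST_USER_AGENT%}`, so unless `spaces_to_lua` escapes backslashes and double quotes (its body is not part of this commit), an entry containing `"` or `}` closes the string or table early and the remainder is compiled as Lua in the access handler — the environment variable (which the UI settings file in this commit validates with `.*`) becomes a code-injection point. I would either escape `\` and `"` inside `spaces_to_lua` or reject such values here, `case "$WHITELIST_USER_AGENT" in *[\"\\]*) echo "[!] invalid WHITELIST_USER_AGENT" ; exit 1 ;; esac`, before calling it. A comment on the setting that entries are Lua patterns consumed by `string.match`, not regexes, would also prevent operators from writing `|` alternations that silently never match.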
|
||||
|
||||
# block bad referrer
|
||||
|
|
|
@ -28,13 +28,19 @@ function has_value() {
|
|||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
for var in $(compgen -e) ; do
|
||||
for var in $(env | grep -E "^.*_${1}=") ; do
|
||||
domain=$(echo "$var" | cut -d '_' -f 1)
|
||||
name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
|
||||
value=$(echo "${!var}")
|
||||
if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
|
||||
value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
|
||||
if [ "$value" == "$2" ] ; then
|
||||
echo "ok"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# log to jobs.log
|
||||
function job_log() {
|
||||
when="$(date '+[%Y-%m-%d %H:%M:%S]')"
|
||||
what="$1"
|
||||
echo "$when $what" >> /var/log/jobs.log
|
||||
}
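Review bot: `for var in $(env | grep -E "^.*_${1}=")` word-splits the matching `NAME=value` lines on whitespace, so a value containing a space yields one `var` holding only its first word (plus stray iterations for the rest) and `[ "$value" == "$2" ]` can never match such a value; a multi-line value is likewise cut at its first line. Iterating over lines fixes this, `env | grep -E "_${1}=" | while IFS= read -r var ; do ... done`, with the early `echo "ok"; return 0` turned into a flag checked after the loop, since `return` inside a pipeline subshell does not leave the function. The regex `^.*_${1}=` also accepts any variable whose name merely ends in `_$1` (e.g. `A_B_$1`), for which `domain` is only `A` and the `sed` strip misses, so the comparison fails silently; anchoring on the first underscore with `^[^_]+_${1}=` keeps `domain` and the strip consistent. `has_value`'s signature and its first branch are above the hunk.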
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log {
|
||||
/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log /var/log/letsencrypt/*.log {
|
||||
# compress old files using gzip
|
||||
compress
|
||||
|
||||
|
|
14
prepare.sh
14
prepare.sh
|
@ -3,6 +3,9 @@
|
|||
# install dependencies
|
||||
apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
|
||||
|
||||
# temp fix ?
|
||||
chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
|
||||
|
||||
# custom entrypoint
|
||||
mkdir /opt/entrypoint.d
|
||||
|
||||
|
@ -34,6 +37,9 @@ chmod 770 /var/log/*.log
|
|||
mkdir /var/log/letsencrypt
|
||||
chown nginx:nginx /var/log/letsencrypt
|
||||
chmod 770 /var/log/letsencrypt
|
||||
touch /var/log/clamav.log
|
||||
chown root:nginx /var/log/clamav.log
|
||||
chmod 770 /var/log/clamav.log
|
||||
|
||||
# prepare /acme-challenge
|
||||
mkdir /acme-challenge
|
||||
|
@ -78,3 +84,11 @@ chown root:nginx /etc/rsyslog.conf
|
|||
touch /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 660 /etc/crontabs/nginx
|
||||
|
||||
# prepare /var/log/clamav
|
||||
chown root:nginx /var/log/clamav
|
||||
chmod 770 /var/log/clamav
|
||||
|
||||
# prepare /var/lib/clamav
|
||||
chown root:nginx /var/lib/clamav
|
||||
chmod 770 /var/lib/clamav
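Review bot: `chown root:nginx /var/lib/clamav` followed by `chmod 770` makes the ClamAV signature database directory writable by the `nginx` group, i.e. by the same account that serves requests and runs the `su ... nginx` jobs, so a compromised worker can replace or delete the signatures and blind the scanner. If `freshclam` has to run as `nginx` that trade-off should at least be stated next to the chmod, `# group-writable because the signature update job runs as nginx via jobs.sh`; otherwise run the update as root and leave the directory `755`. I cannot see from this commit which user runs freshclam. In the first hunk, the `# temp fix ?` line `chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*` pins a Python minor version and is not recursive, so it will fail (and, with no `set -e` visible, be ignored) when Alpine moves to another Python; a comment giving the reason and a glob such as `/usr/lib/python3.*/site-packages/fail2ban-*/*` would make it maintainable.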
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/block-abusers.conf /cache
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
job_log "[CERTBOT] certificates have been renewed"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# ask new certificates if needed
|
||||
certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/block-tor-exit-node.conf /cache
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
logrotate -f /etc/logrotate.conf > /dev/null 2>&1
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/block-proxies.conf /cache
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/map-referrer.conf /cache
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# load some functions
|
||||
. /opt/scripts/utils.sh
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/map-user-agent.conf /cache
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
function job_log() {
|
||||
when="$(date '+[%d/%m/%Y %H:%M:%S]')"
|
||||
what="$1"
|
||||
echo "$when $what" >> /var/log/jobs.log
|
||||
}
|
||||
|
|
@ -687,10 +687,10 @@
|
|||
},
|
||||
{
|
||||
"type":"text",
|
||||
"label":"Whitelist user agent list",
|
||||
"env":"WHITELIST_USERAGENT_LIST",
|
||||
"label":"Whitelist user agent",
|
||||
"env":"WHITELIST_USER_AGENT",
|
||||
"regex":".*",
|
||||
"id":"whitelist-user-agent-list",
|
||||
"id":"whitelist-user-agent",
|
||||
"default":""
|
||||
}
|
||||
]
|
||||
|
|