road to v1.2.3 - fixing bugs

2021-03-17 17:55:56 +01:00 · 2021-03-17 17:55:56 +01:00 · afc6678855
parent c40fb33175
commit afc6678855
22 changed files with 98 additions and 52 deletions
--- a/README.md
+++ b/README.md
@ -1083,11 +1083,11 @@ Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .c
 Context : *global*  
 The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.

-`WHITELIST_USERAGENT_LIST`
-Values : *"useragent1", "^[user]agent2"*
-Default value : **
+`WHITELIST_USER_AGENT`  
+Values : *\<list of regexes separated with spaces\>*  
+Default value :  
 Context : *global*, *multisite*  
-Whitelist user agent from be blocked by `BLOCK_USER_AGENT`
+Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.

 ### Custom blacklisting

--- a/autoconf/Config.py
+++ b/autoconf/Config.py
@ -28,6 +28,7 @@ class Config :
 						started = True
 						break
 					i = i + 1
+					utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact nginx instances")
 					time.sleep(i)
 				if started :
 					proc = subprocess.run(["/bin/su", "-s", "/opt/entrypoint/jobs.sh", "nginx"], env=vars, capture_output=True)
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
@ -23,8 +23,11 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
    chmod 770 /cache && \
    touch /var/log/jobs.log && \
    chown root:nginx /var/log/jobs.log && \
-    chmod 770 /var/log/jobs.log
+    chmod 770 /var/log/jobs.log && \
+    chown -R root:nginx /opt/confs/nginx && \
+    chmod -R 770 /opt/confs/nginx

+COPY autoconf/misc/logrotate.conf /etc/logrotate.conf
 COPY scripts/* /opt/scripts/
 COPY confs/site/ /opt/confs/site
 COPY confs/global/ /opt/confs/global
--- a/autoconf/entrypoint.sh
+++ b/autoconf/entrypoint.sh
@ -2,7 +2,9 @@

 echo "[*] Starting autoconf ..."

-cp -r /opt/confs/nginx/* /etc/nginx
+if [ "$SWARM_MODE" = "yes" ] ; then
+	cp -r /opt/confs/nginx/* /etc/nginx
+fi

 # trap SIGTERM and SIGINT
 function trap_exit() {
--- a/autoconf/misc/logrotate.conf
+++ b/autoconf/misc/logrotate.conf
@ -0,0 +1,23 @@
+/var/log/*.log /var/log/letsencrypt/*.log {
+	# compress old files using gzip
+	compress
+
+	# rotate everyday
+	daily
+
+	# remove old logs after X days
+	maxage 7
+	rotate 7
+
+	# no errors if a file is missing
+	missingok
+
+	# disable mailing
+	nomail
+
+	# mininum size of a logfile before rotating
+	minsize 10M
+
+	# make a copy and truncate the files
+	copytruncate
+}
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@ -30,7 +30,7 @@ local recaptcha		= require "recaptcha"

 -- user variables
 local antibot_uri		= "%ANTIBOT_URI%"
-local whitelist_useragent_list	= {%WHITELIST_USERAGENT_LIST%}
+local whitelist_user_agent	= {%WHITELIST_USER_AGENT%}

 -- check if it's let's encrypt bot
 if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
@ -90,16 +90,16 @@ end
 if use_user_agent and ngx.var.bad_user_agent == "yes" then
 	local headers = ngx.req.get_headers()
 	local ua = headers["User-Agent"]
-	if not whitelist_useragent_list ~= "" then
-		local k_ua_white, v_ua_white = next(whitelist_useragent_list, nil)
-    	while v_ua_white do
-    		local rst_whitelist = string.match(ua, v_ua_white)
-      		if rst_whitelist ~= nil and rst_whitelist ~= "" then
-      			ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
-      			ngx.exit(ngx.OK)
-      		end
-      		k_ua_white, v_ua_white = next(whitelist_useragent_list, k_ua_white)
-    	end
+	if not whitelist_user_agent ~= "" then
+		local k_ua_white, v_ua_white = next(whitelist_user_agent, nil)
+		while v_ua_white do
+			local rst_whitelist = string.match(ua, v_ua_white)
+			if rst_whitelist ~= nil and rst_whitelist ~= "" then
+				ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
+				ngx.exit(ngx.OK)
+			end
+			k_ua_white, v_ua_white = next(whitelist_user_agent, k_ua_white)
+		end
 	end
 	ngx.log(ngx.WARN, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
 	ngx.exit(ngx.HTTP_FORBIDDEN)
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -45,7 +45,7 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
-WHITELIST_USERAGENT_LIST="${WHITELIST_USERAGENT_LIST-}"
+WHITELIST_USER_AGENT="${WHITELIST_USER_AGENT-}"
 BLOCK_USER_AGENT_CRON="${BLOCK_USER_AGENT_CRON-5 0 * * *}"
 BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
 BLOCK_REFERRER_CRON="${BLOCK_REFERRER_CRON-10 0 * * *}"
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -24,12 +24,12 @@ if [ "$MULTISITE" = "yes" ] ; then
 			sed -i "/^${server}_.*=.*/d" "${NGINX_PREFIX}nginx.env"
 		fi
 	done
-	for var in $(compgen -e) ; do
+	for var in $(cut -d '=' -f 1 "${NGINX_PREFIX}nginx.env") ; do
 		name=$(echo "$var")
 		check=$(echo "$name" | grep "^$1_")
 		if [ "$check" != "" ] ; then
 			repl_name=$(echo "$name" | sed "s~${1}_~~")
-			repl_value=$(echo "${!var}")
+			repl_value=$(env | grep -E "^${name}=" | sed "s~^${name}=~~")
 			read -r "$repl_name" <<< $repl_value
 			sed -i "/^${repl_name}=.*/d" "${NGINX_PREFIX}nginx.env"
 			sed -i "/^${name}=.*/d" "${NGINX_PREFIX}nginx.env"
@ -76,10 +76,13 @@ if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value"
 			if [ "$custom_headers_value" != "" ] ; then
-			  IFS=';' ;for header_value in $(echo "$custom_headers_value") ; do
-			    replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
-			  done
-			  replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
+			  	IFS_=$IFS
+				IFS=';'
+				for header_value in $(echo "$custom_headers_value") ; do
+					replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%"
+				done
+				IFS=$IFS_
+				replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" ""
 			fi
 			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HEADERS%" "include ${NGINX_PREFIX}reverse-proxy-headers.conf;"
 			if [ "$ws_value" = "yes" ] ; then
@ -284,13 +287,15 @@ fi
 # block bad UA
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
-	if [ "$WHITELIST_USERAGENT_LIST" != "" ] ; then
-		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USERAGENT_LIST%" "$WHITELIST_USERAGENT_LIST"
+	if [ "$WHITELIST_USER_AGENT" != "" ] ; then
+		list=$(spaces_to_lua "$WHITELIST_USER_AGENT")
+		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "$list"
 	else
-		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USERAGENT_LIST%" ""
+		replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
+	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
 fi

 # block bad referrer
--- a/entrypoint/utils.sh
+++ b/entrypoint/utils.sh
@ -28,13 +28,19 @@ function has_value() {
 		echo "ok"
 		return 0
 	fi
-	for var in $(compgen -e) ; do
+	for var in $(env | grep -E "^.*_${1}=") ; do
 		domain=$(echo "$var" | cut -d '_' -f 1)
-		name=$(echo "$var" | cut -d '=' -f 1 | sed "s~${domain}_~~")
-		value=$(echo "${!var}")
-		if [ "$name" == "$1" ] && [ "$value" == "$2" ] ; then
+		value=$(echo "$var" | sed "s~^${domain}_${1}=~~")
+		if [ "$value" == "$2" ] ; then
 			echo "ok"
 			return 0
 		fi
 	done
 }
+
+# log to jobs.log
+function job_log() {
+	when="$(date '+[%Y-%m-%d %H:%M:%S]')"
+	what="$1"
+	echo "$when $what" >> /var/log/jobs.log
+}
--- a/logs/logrotate.conf
+++ b/logs/logrotate.conf
@ -1,4 +1,4 @@
-/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log {
+/var/log/*.log /var/log/clamav/*.log /var/log/nginx/*.log /var/log/letsencrypt/*.log {
 	# compress old files using gzip
 	compress

--- a/prepare.sh
+++ b/prepare.sh
@ -3,6 +3,9 @@
 # install dependencies
 apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli

+# temp fix ?
+chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
+
 # custom entrypoint
 mkdir /opt/entrypoint.d

@ -34,6 +37,9 @@ chmod 770 /var/log/*.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
+touch /var/log/clamav.log
+chown root:nginx /var/log/clamav.log
+chmod 770 /var/log/clamav.log

 # prepare /acme-challenge
 mkdir /acme-challenge
@ -78,3 +84,11 @@ chown root:nginx /etc/rsyslog.conf
 touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
 chmod 660 /etc/crontabs/nginx
+
+# prepare /var/log/clamav
+chown root:nginx /var/log/clamav
+chmod 770 /var/log/clamav
+
+# prepare /var/lib/clamav
+chown root:nginx /var/lib/clamav
+chmod 770 /var/lib/clamav
--- a/scripts/abusers.sh
+++ b/scripts/abusers.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # copy old conf to cache
 cp /etc/nginx/block-abusers.conf /cache
--- a/scripts/certbot-renew-hook.sh
+++ b/scripts/certbot-renew-hook.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 job_log "[CERTBOT] certificates have been renewed"

--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # ask new certificates if needed
 certbot renew --deploy-hook /opt/scripts/certbot-renew-hook.sh
--- a/scripts/exit-nodes.sh
+++ b/scripts/exit-nodes.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # copy old conf to cache
 cp /etc/nginx/block-tor-exit-node.conf /cache
--- a/scripts/geoip.sh
+++ b/scripts/geoip.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # if we are running nginx
 if [ -f /tmp/nginx.pid ] ; then
--- a/scripts/logrotate.sh
+++ b/scripts/logrotate.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 logrotate -f /etc/logrotate.conf > /dev/null 2>&1

--- a/scripts/proxies.sh
+++ b/scripts/proxies.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # copy old conf to cache
 cp /etc/nginx/block-proxies.conf /cache
--- a/scripts/referrers.sh
+++ b/scripts/referrers.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # save old conf
 cp /etc/nginx/map-referrer.conf /cache
--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # load some functions
-. /opt/scripts/utils.sh
+. /opt/entrypoint/utils.sh

 # save old conf
 cp /etc/nginx/map-user-agent.conf /cache
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@ -1,8 +0,0 @@
-#!/bin/sh
-
-function job_log() {
-	when="$(date '+[%d/%m/%Y %H:%M:%S]')"
-	what="$1"
-	echo "$when $what" >> /var/log/jobs.log
-}
-
--- a/ui/config.json
+++ b/ui/config.json
@ -687,10 +687,10 @@
         },
         {
            "type":"text",
-            "label":"Whitelist user agent list",
-            "env":"WHITELIST_USERAGENT_LIST",
+            "label":"Whitelist user agent",
+            "env":"WHITELIST_USER_AGENT",
            "regex":".*",
-            "id":"whitelist-user-agent-list",
+            "id":"whitelist-user-agent",
            "default":""
         }
      ]