ignore CVE-2021-36159 and redirect job logs as root when using autoconf

bunkerity 2021-08-02 10:41:46 +02:00
parent 652614f41b
commit bc01427def
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
6 changed files with 20 additions and 12 deletions


@ -16,6 +16,11 @@ jobs:
# so we need to build the image the traditional way
- name: Temp build to check security issues
run: docker build -t bunkerized-nginx .
# Temp ignore CVE-2021-36159
- name: Temp add .trivyignore
run: |
echo "CVE-2021-36159" > .trivyignore
- name: Run Trivy security scanner
uses: aquasecurity/trivy-action@master
@ -26,6 +31,10 @@ jobs:
ignore-unfixed: true
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
- name: Temp remove .trivyignore
run: |
rm -f .trivyignore
- name: Run autotest
run: docker run bunkerized-nginx test
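Review bot: The `.trivyignore` written in the "Temp add .trivyignore" step records only the CVE id, so nothing in the repository says why CVE-2021-36159 is suppressed or when the suppression can go; `.trivyignore` accepts `#` comment lines, so the step could write `echo "# CVE-2021-36159: apk-tools fix not yet available for alpine arm/v7, drop once it is" > .trivyignore` followed by `echo "CVE-2021-36159" >> .trivyignore`. The "Temp remove .trivyignore" step in the second hunk only runs when the scanner step succeeds, so on a failed scan the ignore file stays on the runner; adding `if: always()` to that step keeps the suppression from leaking into any later step. Note also that the hunk headers (`+16,11`, `+31,10`) count more lines than are shown here, so this page appears to have dropped some lines of the hunks, and the enclosing `jobs:` block starts before and ends after them.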


@ -12,9 +12,10 @@ RUN chmod +x /tmp/docker.sh && \
/tmp/docker.sh && \
rm -f /tmp/docker.sh
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897 and CVE-2021-33560
RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0"
RUN apk add "apk-tools>=2.12.6-r0"
# Temp : can't fix CVE-2021-36159 because fixed version is not available on alpine arm/v7
# RUN apk add "apk-tools>=2.12.6-r0"
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
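Review bot: Commenting out `RUN apk add "apk-tools>=2.12.6-r0"` drops the CVE-2021-36159 fix on every architecture, while the comment above it says the fixed package is missing only for alpine arm/v7. If this image is built with BuildKit/buildx (which the multi-arch wording suggests, but I cannot confirm from the hunk), the install can be gated on the automatic platform arg instead: `ARG TARGETARCH` then `RUN [ "$TARGETARCH" = "arm" ] || apk add "apk-tools>=2.12.6-r0"`, so amd64/arm64 images keep the patched apk-tools and only arm/v7 stays on the old one. The remaining "Temp" comment would also benefit from stating the re-enable condition explicitly, e.g. `# TODO: restore unconditional apk-tools upgrade once 2.12.6-r0 is published for armv7`. The `RUN chmod +x /tmp/docker.sh && \` instruction this hunk sits in starts before the hunk.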


@ -6,7 +6,7 @@ COPY confs/global/ /opt/bunkerized-nginx/confs/global
COPY confs/site/ /opt/bunkerized-nginx/confs/site
COPY jobs/ /opt/bunkerized-nginx/jobs
COPY settings.json /opt/bunkerized-nginx/
COPY misc/cron /etc/crontabs/nginx
COPY misc/cron-autoconf /etc/crontabs/root
COPY autoconf/entrypoint.sh /opt/bunkerized-nginx/entrypoint/
COPY autoconf/requirements.txt /opt/bunkerized-nginx/entrypoint/
COPY autoconf/src/* /opt/bunkerized-nginx/entrypoint/
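Review bot: `COPY misc/cron-autoconf /etc/crontabs/root` installs root's crontab with whatever mode the build context carries (typically 0644) and root:root ownership, while the explicit `chown root:nginx` / `chmod 440` that the old nginx crontab received in the helper script is removed in this same commit. A crontab executed by root should not be group- or world-readable; with BuildKit this is `COPY --chmod=0600 misc/cron-autoconf /etc/crontabs/root`, otherwise add `chmod 600 /etc/crontabs/root` to the next `RUN` in the file. If the non-autoconf image still copies `misc/cron` to `/etc/crontabs/nginx` (outside this hunk), that path now also lacks the dropped chown/chmod and deserves the same treatment.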


@ -8,11 +8,6 @@ if [ "$?" -ne 0 ] ; then
exit 1
fi
#if [ "$SWARM_MODE" = "yes" ] ; then
# chown -R root:nginx /etc/nginx
# chmod -R 770 /etc/nginx
#fi
# trap SIGTERM and SIGINT
function trap_exit() {
echo "[*] Catched stop operation"


@ -61,7 +61,3 @@ ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs
mkdir /modsec-crs-confs
chown root:nginx /modsec-crs-confs
chmod 770 /modsec-crs-confs
# prepare /etc/crontabs/nginx
chown root:nginx /etc/crontabs/nginx
chmod 440 /etc/crontabs/nginx

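--- /dev/null
+++ b/misc/cron-autoconf
@@ -0,0 +1,7 @@
+15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1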
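Review bot: Every entry in this new root crontab reaches the `nginx` account through `/bin/su -c "…" nginx`, which means crond and a setuid `su` now sit in the execution path of each job solely so that the `>> /var/log/nginx/jobs.log 2>&1` redirection is performed by root. A less privileged way to get the same log is to keep the jobs in the nginx crontab and pre-create `/var/log/nginx/jobs.log` owned by nginx at build time, so no root-to-user transition is needed at all; that is a design choice I cannot settle from this hunk alone. If `su` stays, note that `su -c` runs the command under the target account's login shell, so this relies on the nginx user having a usable shell in `/etc/passwd` — passing `-s /bin/sh` (supported by busybox `su`) makes that explicit and survives a later hardening of the account to `/sbin/nologin`. Minor: `0 */1 * * *` on the exit-nodes line is just `0 * * * *`.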