ignore CVE-2021-36159 and redirect job logs as root when using autoconf
This commit is contained in:
parent
652614f41b
commit
bc01427def
@ -16,6 +16,11 @@ jobs:
|
|||
# so we need to build the image the traditional way
|
||||
- name: Temp build to check security issues
|
||||
run: docker build -t bunkerized-nginx .
|
||||
|
||||
# Temp ignore CVE-2021-36159
|
||||
- name: Temp add .trivyignore
|
||||
run: |
|
||||
echo "CVE-2021-36159" > .trivyignore
|
||||
|
||||
- name: Run Trivy security scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
|
@ -26,6 +31,10 @@ jobs:
|
|||
ignore-unfixed: true
|
||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
|
||||
- name: Temp remove .trivyignore
|
||||
run: |
|
||||
rm -f .trivyignore
|
||||
|
||||
- name: Run autotest
|
||||
run: docker run bunkerized-nginx test
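Review bot: The `.trivyignore` written in the "Temp add .trivyignore" step suppresses CVE-2021-36159 for whatever architecture this single-arch `docker build` produces, while the Dockerfile comment in the same commit only says the fixed package is missing on alpine arm/v7; on the runner's native architecture the finding is presumably fixable and is now hidden. The "Temp remove .trivyignore" step also only runs when the scan step succeeds, so a failing scan leaves the file in the workspace for any later step; add `if: always()` to it. Record the reason next to the echo, e.g. `# CVE-2021-36159 (apk-tools): fixed version not yet published for alpine arm/v7, drop this once it is`, so the suppression does not outlive its justification.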
|
||||
|
||||
|
|
|
@ -12,9 +12,10 @@ RUN chmod +x /tmp/docker.sh && \
|
|||
/tmp/docker.sh && \
|
||||
rm -f /tmp/docker.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159
|
||||
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897 and CVE-2021-33560
|
||||
RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0"
|
||||
RUN apk add "apk-tools>=2.12.6-r0"
|
||||
# Temp : can't fix CVE-2021-36159 because fixed version is not available on alpine arm/v7
|
||||
# RUN apk add "apk-tools>=2.12.6-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
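Review bot: Commenting out `RUN apk add "apk-tools>=2.12.6-r0"` drops the CVE-2021-36159 fix on every architecture, although the comment above it says the fixed package is unavailable only for alpine arm/v7. Gate the install on the target platform instead so the other builds keep it: `ARG TARGETARCH TARGETVARIANT` followed by `RUN if [ "${TARGETARCH}${TARGETVARIANT}" != "armv7" ]; then apk add "apk-tools>=2.12.6-r0"; fi` — these are the automatic BuildKit platform args, so a buildx multi-platform build fills them in (with a legacy builder they are empty and the install is simply attempted). The surviving `apk add` line keeps the fetched index in the layer; `apk add --no-cache` avoids that, though it is unrelated to this change.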
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ COPY confs/global/ /opt/bunkerized-nginx/confs/global
|
|||
COPY confs/site/ /opt/bunkerized-nginx/confs/site
|
||||
COPY jobs/ /opt/bunkerized-nginx/jobs
|
||||
COPY settings.json /opt/bunkerized-nginx/
|
||||
COPY misc/cron /etc/crontabs/nginx
|
||||
COPY misc/cron-autoconf /etc/crontabs/root
|
||||
COPY autoconf/entrypoint.sh /opt/bunkerized-nginx/entrypoint/
|
||||
COPY autoconf/requirements.txt /opt/bunkerized-nginx/entrypoint/
|
||||
COPY autoconf/src/* /opt/bunkerized-nginx/entrypoint/
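Review bot: `COPY misc/cron-autoconf /etc/crontabs/root` takes the file mode from the build context, and unlike the previous `/etc/crontabs/nginx` (whose `chown root:nginx`/`chmod 440` is removed from what looks like the entrypoint script later in this commit) nothing sets a mode for the root crontab. Since this file now schedules jobs started by root, restrict it in the same step, e.g. `COPY --chmod=0600 misc/cron-autoconf /etc/crontabs/root` (requires BuildKit) or a following `RUN chmod 600 /etc/crontabs/root`. Root ownership from COPY already keeps it unwritable by the nginx account; the chmod only stops the schedule from being readable by other users in the container.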
|
||||
|
|
|
@ -8,11 +8,6 @@ if [ "$?" -ne 0 ] ; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
#if [ "$SWARM_MODE" = "yes" ] ; then
|
||||
# chown -R root:nginx /etc/nginx
|
||||
# chmod -R 770 /etc/nginx
|
||||
#fi
|
||||
|
||||
# trap SIGTERM and SIGINT
|
||||
function trap_exit() {
|
||||
echo "[*] Catched stop operation"
|
||||
|
|
|
@ -61,7 +61,3 @@ ln -s /modsec-crs-confs /opt/bunkerized-nginx/modsec-crs-confs
|
|||
mkdir /modsec-crs-confs
|
||||
chown root:nginx /modsec-crs-confs
|
||||
chmod 770 /modsec-crs-confs
|
||||
|
||||
# prepare /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 440 /etc/crontabs/nginx
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
|
||||
0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1
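Review bot: Every entry drops to `nginx` with `su -c` for the job itself but performs the `>> /var/log/nginx/jobs.log` append as root, so root opens a file in a directory the unprivileged nginx account presumably also writes to (its own server logs); if that account can replace `jobs.log` with a link, the root append can be redirected. Either keep the root-written log in a root-owned location, or move the redirection inside the quoted command so the write happens as nginx, e.g. `/bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1" nginx` (same change on each entry). `su -c` also relies on the nginx account having a usable login shell; passing `-s /bin/sh` makes that explicit rather than dependent on how the user was created. The `0 */1 * * *` on the exit-nodes line is equivalent to `0 * * * *`.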
|