various bug fixes related to HTTPS
parent
dfce0c06dd
commit
c7b81cfc10
|
@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
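Review bot: `RUN apk add "curl>=7.77.0-r0"` is added as its own layer right after `/tmp/prepare.sh`, which in at least one of the prepare.sh hunks of this commit already installs `curl` with `apk add`; putting the `"curl>=7.77.0-r0"` constraint on that existing `apk add` line would keep the package list in one place and avoid a second package transaction. Whether `apk add` here sees an index recent enough to satisfy `>=7.77.0-r0` depends on what the earlier steps left in the image, so `RUN apk add --no-cache "curl>=7.77.0-r0"` is the safer form and also keeps the index out of the layer. The same hunk appears in the four Dockerfile sections that follow.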
|
|
|
@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -32,6 +32,9 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -32,6 +32,9 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -25,6 +25,9 @@ RUN chmod +x /tmp/prepare.sh && \
|
|||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897
|
||||
RUN apk add "curl>=7.77.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -27,9 +27,11 @@ class Config :
|
|||
stdout = proc.stdout.decode("ascii")
|
||||
stderr = proc.stderr.decode("ascii")
|
||||
if stdout != "" :
|
||||
utils.log("[*] Jobs output : " + stdout)
|
||||
for line in stdout.split("\n") :
|
||||
utils.log("[*] Jobs output : " + stdout)
|
||||
if stderr != "" :
|
||||
utils.log("[!] Jobs error : " + stderr)
|
||||
for line in stderr.split("\n") :
|
||||
utils.log("[!] Jobs error : " + stderr)
|
||||
return proc.returncode == 0
|
||||
else :
|
||||
utils.log("[!] bunkerized-nginx tasks are not started")
|
||||
|
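Review bot: The new per-line loops log the whole buffer instead of the line: `for line in stdout.split("\n") :` is followed by `utils.log("[*] Jobs output : " + stdout)`, so every iteration repeats the full output and `line` is never used; the same applies to the stderr loop here and to both loops in the Generator hunk below. The bodies should read `utils.log("[*] Jobs output : " + line)` and `utils.log("[!] Jobs error : " + line)`. Splitting on "\n" also yields a trailing empty string when the output ends with a newline, so guarding with `if line :` (or using `stdout.splitlines()`) avoids logging empty entries. The Generator hunk additionally keeps the `[*]` prefix on its error lines where this hunk uses `[!]`. The enclosing method starts outside the hunk.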
@ -51,14 +53,16 @@ class Config :
|
|||
stdout = proc.stdout.decode("ascii")
|
||||
stderr = proc.stderr.decode("ascii")
|
||||
if stdout != "":
|
||||
utils.log("[*] Generator output : " + stdout)
|
||||
for line in stdout.split("\n") :
|
||||
utils.log("[*] Generator output : " + stdout)
|
||||
if stderr != "" :
|
||||
utils.log("[*] Generator error : " + stderr)
|
||||
for line in stderr.split("\n") :
|
||||
utils.log("[*] Generator error : " + stderr)
|
||||
|
||||
# We're done
|
||||
if proc.returncode == 0 :
|
||||
return True
|
||||
utils.log("[!] Error while generating site config for " + vars["SERVER_NAME"] + " : return code = " + str(proc.returncode))
|
||||
utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode))
|
||||
|
||||
except Exception as e :
|
||||
utils.log("[!] Exception while generating site config : " + str(e))
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
# install dependencies
|
||||
apk add py3-pip bash certbot curl logrotate openssl
|
||||
apk add py3-pip bash certbot curl openssl
|
||||
pip3 install docker requests jinja2
|
||||
|
|
|
@ -1,6 +1,22 @@
|
|||
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_KEY }};
|
||||
{% set paths = {"cert": "", "key": ""} %}
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" %}
|
||||
{% set x = paths.update({"cert": "/etc/letsencrypt/live/" + FIRST_SERVER + "/fullchain.pem"}) %}
|
||||
{% set x = paths.update({"key": "/etc/letsencrypt/live/" + FIRST_SERVER + "/privkey.pem"}) %}
|
||||
{% elif USE_CUSTOM_HTTPS == "yes" %}
|
||||
{% set x = paths.update({"cert": CUSTOM_HTTPS_CERT}) %}
|
||||
{% set x = paths.update({"key": CUSTOM_HTTPS_KEY}) %}
|
||||
{% elif GENERATE_SELF_SIGNED_HTTPS == "yes" %}
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% set x = paths.update({"cert": "/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"}) %}
|
||||
{% set x = paths.update({"key": "/etc/nginx/" + FIRST_SERVER + "/self-key.pem"}) %}
|
||||
{% else %}
|
||||
{% set x = paths.update({"cert": "/etc/nginx/self-cert.pem"}) %}
|
||||
{% set x = paths.update({"key": "/etc/nginx/self-key.pem"}) %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
ssl_certificate {{ paths["cert"] }};
|
||||
ssl_certificate_key {{ paths["key"] }};
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
|
|
|
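Review bot: `paths` starts as `{"cert": "", "key": ""}` and only the three `if`/`elif` branches fill it, so when none of AUTO_LETS_ENCRYPT, USE_CUSTOM_HTTPS or GENERATE_SELF_SIGNED_HTTPS is "yes" the template renders `ssl_certificate ;` and `ssl_certificate_key ;`, which nginx rejects at load. If this file can be included in that state (not visible here), a closing `{% else %}` should fail loudly or fall back to a known default rather than emit an empty directive. The setting is spelled `GENERATE_SELF_SIGNED_HTTPS` here but `GENERATE_SELF_SIGNED_SSL` in the jobs.sh `has_value` calls of this same commit, so one of the two will never match unless both names are deliberately defined — worth confirming.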
@ -1,5 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
# install dependencies
|
||||
apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ apache2-utils py3-pip
|
||||
apk add certbot bash libmaxminddb libgcc lua yajl libstdc++ openssl py3-pip
|
||||
pip3 install jinja2
|
||||
|
|
|
@ -15,8 +15,7 @@ trap "trap_exit" TERM INT QUIT
|
|||
# trap SIGHUP
|
||||
function trap_reload() {
|
||||
echo "[*] Catched reload operation"
|
||||
if [ "$MULTISITE" = "yes" ] && [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/entrypoint/certbot.sh
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/entrypoint/jobs.sh
|
||||
fi
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
|
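Review bot: `/opt/entrypoint/jobs.sh` is invoked on reload without checking its status, and the function goes on to the nginx pid check regardless; since jobs.sh now produces the certificates the generated config references (jobs.sh hunk below), a failure here would only surface later as an nginx reload error. If the script's exit code is meaningful, a minimal guard is `/opt/entrypoint/jobs.sh || { echo "[!] jobs.sh failed, skipping reload" >&2; return; }`. The same unchecked call is added at the `# external jobs` step in the next entrypoint hunk. trap_reload continues past the end of this hunk.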
@ -59,11 +58,8 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
|
|||
# call the generator
|
||||
/opt/gen/main.py --settings /opt/settings.json --templates /opt/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
|
||||
# background jobs
|
||||
# external jobs
|
||||
/opt/entrypoint/jobs.sh
|
||||
|
||||
# certbot
|
||||
/opt/entrypoint/certbot.sh
|
||||
fi
|
||||
else
|
||||
echo "[*] Skipping configuration process"
|
||||
|
|
|
@ -68,3 +68,50 @@ if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
|||
/opt/scripts/abusers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
# self signed certs for sites
|
||||
files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
|
||||
if [ "$files" != " " ] ; then
|
||||
for file in $files ; do
|
||||
site=$(echo $file | cut -f 4 -d '/')
|
||||
dest="/etc/nginx/"
|
||||
if [ "$site" != "site.env" ] ; then
|
||||
dest="${dest}/${site}/"
|
||||
fi
|
||||
SELF_SIGNED_SSL_EXPIRY="$(sed -nE 's/^SELF_SIGNED_SSL_EXPIRY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_COUNTRY="$(sed -nE 's/^SELF_SIGNED_SSL_COUNTRY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_STATE="$(sed -nE 's/^SELF_SIGNED_SSL_STATE=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_CITY="$(sed -nE 's/^SELF_SIGNED_SSL_CITY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
done
|
||||
fi
|
||||
|
||||
# self signed cert for default server
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] ; then
|
||||
SELF_SIGNED_SSL_EXPIRY="999"
|
||||
SELF_SIGNED_SSL_COUNTRY="US"
|
||||
SELF_SIGNED_SSL_STATE="Utah"
|
||||
SELF_SIGNED_SSL_CITY="Lehi"
|
||||
SELF_SIGNED_SSL_ORG="Your Company, Inc."
|
||||
SELF_SIGNED_SSL_OU="IT"
|
||||
SELF_SIGNED_SSL_CN="www.yourdomain.com"
|
||||
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
|
||||
fi
|
||||
|
||||
# certbot
|
||||
files=$(has_value AUTO_LETS_ENCRYPT yes)
|
||||
if [ "$files" != " " ] ; then
|
||||
for file in $files ; do
|
||||
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
|
||||
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
|
||||
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
|
||||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
|
||||
fi
|
||||
/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT"
|
||||
|
||||
done
|
||||
fi
|
|
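Review bot: `if [ "$files" != " " ]` compares against a single space, but `has_value` prints a path or nothing, so the test is always true; the default-server check later in this same hunk uses `!= ""`, which is what both `for file in $files` blocks should use (`if [ "$files" != "" ] ; then`). As `has_value` is written in this commit it returns after the first matching file, so these loops only ever process one site; see the note on that hunk. The `SELF_SIGNED_SSL_*` values are read with `sed -nE` and used unquoted in `-days $SELF_SIGNED_SSL_EXPIRY` and inside `-subj`, so a site.env missing `SELF_SIGNED_SSL_EXPIRY` makes `openssl req` fail on an empty `-days`; if the generator does not guarantee these keys, default them before the call (e.g. `: "${SELF_SIGNED_SSL_EXPIRY:=365}"`). `$file` is also unquoted in every `sed` call; `"$file"` is cheap and matches the quoting used elsewhere in the block.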
@ -27,7 +27,7 @@ function has_value() {
|
|||
envs=$(find /etc/nginx -name "*.env")
|
||||
for file in $envs ; do
|
||||
if [ "$(grep "^${1}=${2}$" $file)" != "" ] ; then
|
||||
echo "ok"
|
||||
echo "$file"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
|
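Review bot: `echo "$file"` followed by `return 0` still stops at the first matching env file, so callers that loop with `for file in $files` (the `# self signed certs for sites` and `# certbot` blocks in jobs.sh) only ever see one site. If the intent is to return every match, drop the `return 0` and let the loop echo each `$file`; the callers' `!= ""` checks keep working because an empty result still means no match. `$file` from `find` is unquoted in the `grep` call, and `if grep -q -- "^${1}=${2}$" "$file" ; then` avoids both the subshell capture and a leading-dash surprise. has_value's opening lines are outside the hunk.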
@ -38,4 +38,4 @@ function job_log() {
|
|||
when="$(date '+[%Y-%m-%d %H:%M:%S]')"
|
||||
what="$1"
|
||||
echo "$when $what" >> /var/log/jobs.log
|
||||
}
|
||||
}
|