librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

jobs - various bugs fixed and old files removed

This commit is contained in:
bunkerity 2021-07-21 11:55:14 +02:00
parent 366e39f591
commit d12369c900
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
31 changed files with 303 additions and 628 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
confs/global/init-lua.conf
View File

@ -4,30 +4,34 @@ local dataloader = require "dataloader"
local logger = require "logger"
local cjson = require "cjson"
local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%}
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%}
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%}
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
if use_proxies then
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
end
if not use_redis then
if use_proxies then
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
end
if use_abusers then
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
end
if use_abusers then
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
end
if use_tor_exit_nodes then
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
end
if use_tor_exit_nodes then
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
end
if use_user_agents then
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
end
if use_user_agents then
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
end
if use_referrers then
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
if use_referrers then
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
end
end
-- Load plugins

4
confs/global/nginx.conf
View File

@ -6,13 +6,9 @@ load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
# run in foreground
# daemon off;
# PID file
pid /tmp/nginx.pid;

16
confs/site/main-lua.conf
View File

@ -15,6 +15,10 @@ end
-- let's encrypt
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif +%}
-- redis
local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%}
local redis_host = "{{ REDIS_HOST }}"
-- external blacklists
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif +%}
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif +%}
@ -64,6 +68,7 @@ local recaptcha = require "recaptcha"
local iputils = require "resty.iputils"
local behavior = require "behavior"
local logger = require "logger"
local redis = require "resty.redis"
-- user variables
local antibot_uri = "{{ ANTIBOT_URI }}"
@ -139,6 +144,17 @@ if use_bad_behavior and behavior.is_banned() then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- our redis client
local redis_client = nil
if use_redis then
redis_client = redis:new()
local ok, err = redis_client:connect(redis_host, 6379)
if not ok then
redis_client = nil
logger.log(ngx.ERR, "REDIS", "Can't connect to the Redis service " .. redis_host)
end
end
-- check if IP is in proxies list
if use_proxies then
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))

28
entrypoint/certbot.sh
View File

@ -1,28 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1)
domains_lets_encrypt=$(echo "$SERVER_NAME" | sed "s/ /,/g")
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}"
if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then
echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..."
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
fi
elif [ "$MULTISITE" = "yes" ] ; then
servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
for server in $servers ; do
lets_encrypt=$(grep "^AUTO_LETS_ENCRYPT=yes$" /etc/nginx/${server}/site.env)
if [ "$lets_encrypt" != "" ] && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
server_name=$(grep "^SERVER_NAME=.*$" /etc/nginx/${server}/site.env | sed "s/SERVER_NAME=//" | sed "s/ /,/g")
echo "[*] Performing Let's Encrypt challenge for $server_name ..."
EMAIL_LETS_ENCRYPT=$(grep "^EMAIL_LETS_ENCRYPT=.*$" /etc/nginx/${server}/site.env | sed "s/EMAIL_LETS_ENCRYPT=//")
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
EMAIL_LETS_ENCRYPT="contact@${server}"
fi
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
fi
done
fi

7
entrypoint/entrypoint.sh
View File

@ -16,16 +16,13 @@ trap "trap_exit" TERM INT QUIT
function trap_reload() {
echo "[*] Catched reload operation"
if [ "$SWARM_MODE" != "yes" ] ; then
/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
/opt/bunkerized-nginx/entrypoint/jobs.sh
fi
if [ -f /tmp/nginx.pid ] ; then
echo "[*] Reloading nginx ..."
nginx -s reload
if [ $? -eq 0 ] ; then
echo "[*] Reload successfull"
if [ "$SWARM_MODE" != "yes" ] ; then
/opt/bunkerized-nginx/entrypoint/post-jobs.sh
fi
else
echo "[!] Reload failed"
fi
@ -61,7 +58,7 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
# call the generator
/opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env
# jobs
# call jobs
/opt/bunkerized-nginx/entrypoint/jobs.sh
fi
else

35
entrypoint/jobs.sh
View File

@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
fi
certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT"
if [ $? -eq 0 ] ; then
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
else
@ -70,11 +70,30 @@ fi
# GeoIP
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
echo "[*] Downloading GeoIP database ..."
/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
fi
/opt/bunkerized-nginx/jobs/main.py --name geoip
fi
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name user-agents
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name referrers
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name exit-nodes
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name proxies
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name abusers
fi

59
entrypoint/post-jobs.sh
View File

@ -1,59 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached user-agents.list ..."
cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 &
fi
fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached referrers.list ..."
cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
echo "[*] Downloading bad referrer list (in background) ..."
/opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 &
fi
fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached tor-exit-nodes.list ..."
cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached proxies.list ..."
cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
echo "[*] Downloading proxies list (in background) ..."
/opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 &
fi
fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached abusers.list ..."
cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
echo "[*] Downloading abusers list (in background) ..."
/opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 &
fi
fi

80
entrypoint/pre-jobs.sh
View File

@ -1,80 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
# self signed certs for sites
files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
if [ "$files" != "" ] ; then
for file in $files ; do
site=$(echo $file | cut -f 4 -d '/')
dest="/etc/nginx/"
if [ "$site" != "site.env" ] ; then
dest="${dest}/${site}/"
fi
SELF_SIGNED_SSL_EXPIRY="$(sed -nE 's/^SELF_SIGNED_SSL_EXPIRY=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_COUNTRY="$(sed -nE 's/^SELF_SIGNED_SSL_COUNTRY=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_STATE="$(sed -nE 's/^SELF_SIGNED_SSL_STATE=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_CITY="$(sed -nE 's/^SELF_SIGNED_SSL_CITY=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days "$SELF_SIGNED_SSL_EXPIRY" -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
if [ $? -eq 0 ] ; then
echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem"
else
echo "[!] Error while generating self-signed certificate : $openssl_output"
fi
done
fi
# self signed cert for default server
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] ; then
SELF_SIGNED_SSL_EXPIRY="999"
SELF_SIGNED_SSL_COUNTRY="US"
SELF_SIGNED_SSL_STATE="Utah"
SELF_SIGNED_SSL_CITY="Lehi"
SELF_SIGNED_SSL_ORG="Your Company, Inc."
SELF_SIGNED_SSL_OU="IT"
SELF_SIGNED_SSL_CN="www.yourdomain.com"
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
if [ $? -eq 0 ] ; then
echo "[*] Generated self-signed certificate for default server"
else
echo "[!] Error while generating self-signed certificate for default server : $openssl_output"
fi
fi
# certbot
files=$(has_value AUTO_LETS_ENCRYPT yes)
if [ "$files" != "" ] ; then
for file in $files ; do
if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then
continue
fi
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
fi
certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
if [ $? -eq 0 ] ; then
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
else
echo "[*] Error while executing certbot new : $certbot_output"
fi
done
fi
# GeoIP
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
echo "[*] Downloading GeoIP database ..."
/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
fi
fi

38
examples/swarm-redis/1-config.yml Normal file
View File

@ -0,0 +1,38 @@
version: '3.8'
services:
autoconf:
image: bunkerity/bunkerized-nginx-autoconf
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt
- /shared/acme-challenge:/acme-challenge
- /shared/cache:/cache
environment:
- SWARM_MODE=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
networks:
- net_config
deploy:
replicas: 1
placement:
constraints:
- "node.role==manager"
redis:
image: redis:alpine
networks:
- net_config
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
networks:
net_config:
external: true

51
examples/swarm-redis/2-nginx.yml Normal file
View File

@ -0,0 +1,51 @@
version: '3.8'
services:
nginx:
image: bunkerity/bunkerized-nginx
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- /shared/confs:/etc/nginx:ro
- /shared/letsencrypt:/etc/letsencrypt:ro
- /shared/acme-challenge:/acme-challenge:ro
- /shared/www:/www:ro
- /shared/cache:/cache:ro
environment:
- SWARM_MODE=yes
- USE_API=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
- MULTISITE=yes
- SERVER_NAME=
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_REDIS=yes
- REDIS_HOST=redis
networks:
- net_config
- net_services
deploy:
mode: global
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.AUTOCONF"
networks:
net_config:
external: true
net_services:
external: true

42
examples/swarm-redis/3-services.yml Normal file
View File

@ -0,0 +1,42 @@
version: '3.8'
services:
app1:
image: php:fpm-alpine
volumes:
- /shared/www/app1.example.com:/www
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app1.example.com"
- "bunkerized-nginx.REMOTE_PHP=app1"
- "bunkerized-nginx.REMOTE_PHP_PATH=/www"
app2:
image: phpmyadmin:apache
environment:
- PMA_ARBITRARY=1
- PMA_ABSOLUTE_URI=https://app2.example.com
networks:
- net_services
deploy:
replicas: 1
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app2.example.com"
- "bunkerized-nginx.USE_PROXY_CACHE=yes"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
networks:
net_services:
external: true

22
helpers/install.sh
View File

@ -592,6 +592,12 @@ git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485
echo "[*] Install lua-resty-iputils"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-iputils" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install
# Download and install lua-resty-redis
echo "[*] Clone openresty/lua-resty-redis"
git_secure_clone https://github.com/openresty/lua-resty-redis.git 91585affcd9a8da65cb664a5b1e926dde428095a
echo "[*] Install lua-resty-redis"
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-redis" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install
# Download nginx and decompress sources
echo "[*] Download nginx-${NGINX_VERSION}.tar.gz"
do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
@ -659,21 +665,25 @@ elif [ "$OS" = "alpine" ] ; then
fi
# Clone the repo
if [ "$OS" != "alpine" ] ; then
if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then
echo "[*] Clone bunkerity/bunkerized-nginx"
#CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 09a2a4f9e531b93684b0916a5146091a818501d3
# TODO : do a secure clone
CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev
# Docker build case : simply rename the sources
else
elif [ "$OS" == "alpine" ] ; then
do_and_check_cmd mv /tmp/bunkerized-nginx-docker /tmp/bunkerized-nginx
# Tests case
else
do_and_check_cmd mv /tmp/bunkerized-nginx-test /tmp/bunkerized-nginx
fi
# Install Python dependencies
echo "[*] Install python dependencies"
do_and_check_cmd pip3 install --upgrade pip
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/gen/requirements.txt
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/jobs/requirements.txt
if [ "$OS" != "alpine" ] ; then
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/ui/requirements.txt
fi
@ -691,11 +701,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/entrypoint /opt/bunkerized-nginx
echo "[*] Copy configs"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/confs /opt/bunkerized-nginx
# Copy scripts
echo "[*] Copy scripts"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/scripts /opt/bunkerized-nginx
# Copy scripts
# Copy jobs
echo "[*] Copy jobs"
do_and_check_cmd cp -r /tmp/bunkerized-nginx/jobs /opt/bunkerized-nginx
@ -797,10 +803,10 @@ do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;
do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/reload.py
# Set permissions for /usr/local/bin/bunkerized-nginx
do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx
do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx

2
jobs/CertbotNew.py
View File

@ -1,6 +1,6 @@
from Job import Job
class CertbotRenew(Job) :
class CertbotNew(Job) :
def __init__(self, redis_host=None, copy_cache=False, domain="", email="") :
name = "certbot-new"

2
jobs/GeoIP.py
View File

@ -15,7 +15,7 @@ class GeoIP(Job) :
super().run()
count = 0
with gzip.open("/etc/nginx/geoip.mmdb.gz", "rb") as f :
with open("/tmp/geoip.mmdb", "w") as f2
with open("/tmp/geoip.mmdb", "w") as f2 :
while True :
chunk = f.read(8192)
if not chunk :

10
jobs/Job.py
View File

@ -1,4 +1,4 @@
import abc, requests, redis, os, datetime, traceback
import abc, requests, redis, os, datetime, traceback, re, shutil
class Job(abc.ABC) :
@ -41,7 +41,7 @@ class Job(abc.ABC) :
if self.__redis == None :
if os.path.isfile("/tmp/" + self.__filename) :
os.remove("/tmp/" + self.__filename)
file = open("/tmp/" + self.__filename, "a")
file = open("/tmp/" + self.__filename, "ab")
elif self.__redis != None :
pipe = self.__redis.pipeline()
@ -50,7 +50,7 @@ class Job(abc.ABC) :
for url in self.__data :
data = self.__download_data(url)
for chunk in data :
if self.__type == "line" and not re.match(self.__regex, chunk) :
if self.__type == "line" and not re.match(self.__regex, chunk.decode("utf-8")) :
continue
count += 1
if self.__redis == None :
@ -67,7 +67,7 @@ class Job(abc.ABC) :
os.remove("/tmp/" + self.__filename)
elif self.__redis != None and count > 0 :
self.__redis.del(self.__redis.keys(self.__name + "_*"))
self.__redis.delete(self.__redis.keys(self.__name + "_*"))
pipe.execute()
def __download_data(self, url) :
@ -95,7 +95,7 @@ class Job(abc.ABC) :
if self.__redis == None or self.__type == "file" :
shutil.copyfile("/opt/bunkerized-nginx/cache/" + self.__filename, "/etc/nginx/" + self.__filename)
elif self.__redis != None and self.__type == "line" :
self.__redis.del(self.__redis.keys(self.__name + "_*"))
self.__redis.delete(self.__redis.keys(self.__name + "_*"))
with open("/opt/bunkerized-nginx/cache/" + self.__filename) as f :
pipe = self.__redis.pipeline()
while True :

2
jobs/Proxies.py
View File

@ -8,4 +8,4 @@ class Proxies(Job) :
filename = "proxies.list"
type = "line"
regex = r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$"
super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex; copy_cache=copy_cache)
super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex, copy_cache=copy_cache)

25
jobs/main.py
View File

@ -1,9 +1,13 @@
#!/usr/bin/python3
import argparse, sys
sys.path.append("/opt/bunkerized-nginx/jobs")
import Abusers, CertbotNew, CertbotRenew, ExitNodes, GeoIP, Proxies, Referrers, SelfSignedCert, UserAgents
from reload import reload
JOBS = {
"abusers": Abusers.Abusers,
"certbot-new": CertbotNew.CertbotNew,
@ -33,10 +37,12 @@ if __name__ == "__main__" :
# Check job name
if not args.name in JOBS :
print("[!] unknown job " + args.job)
print("[!] unknown job " + args.name)
sys.exit(1)
job = args.name
# Run job
print("[*] Executing job " + job)
ret = 0
if job == "certbot-new" :
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, domain=args.domain, email=args.email)
@ -45,9 +51,18 @@ if __name__ == "__main__" :
else :
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache)
if not instance.run() :
print("[!] error while running job " + job)
print("[!] Error while running job " + job)
sys.exit(1)
print("[*] job " + job + " successfully executed")
sys.exit(0)
print("[*] Job " + job + " successfully executed")
# TODO : reload
# Reload
# TODO : only reload if needed
do_reload = True
if do_reload :
if not reload() :
print("[!] Error while doing reload operation")
sys.exit(1)
print("[*] Reload operation successfully executed")
# Done
sys.exit(0)

34
jobs/reload.py
View File

@ -1,27 +1,41 @@
import docker, subprocess, os, stat, sys
import docker, subprocess, os, stat, sys, traceback
if __name__ == "__main__" :
def reload() :
# Linux or single Docker use case
if os.path.isfile("/usr/sbin/nginx") :
if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") :
proc = subprocess.run(["/usr/sbin/nginx", "-s", "reload"], capture_output=True)
if proc.returncode != 0 :
print("[!] can't reload nginx (status code = " + str(proc.returncode) + ")"
print("[!] Can't reload nginx (status code = " + str(proc.returncode) + ")")
if len(proc.stdout.decode("ascii")) > 1 :
print(proc.stdout.decode("ascii"))
if len(proc.stderr.decode("ascii")) > 1 :
print(proc.stderr.decode("ascii"))
sys.exit(1)
return False
return True
# Autoconf case (Docker, Swarm and Ingress)
mode = os.stat("/tmp/autoconf.sock")
elif stat.S_ISSOCK(mode) :
if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock")) :
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client.connect("/tmp/autoconf.sock")
client.send("reload".encode("utf-8"))
data = client.recv(512)
client.close()
if not data or data.decode("utf-8") != "ok" :
sys.exit(2)
if not data or data.decode("utf-8") != "ok" :
print("[!] Can't reload nginx (data not ok)")
return False
return True
sys.exit(0)
return False
if __name__ == "__main__" :
try :
print("[*] Starting reload operation ...")
if not reload() :
sys.exit(1)
print("[*] Reload operation successfully executed")
sys.exit(0)
except :
print("[!] Can't reload nginx (exception)")
print(traceback.format_exc())
sys.exit(2)

1
jobs/requirements.txt
View File

@ -1,2 +1,3 @@
requests
redis
docker

14
misc/cron
View File

@ -1,7 +1,7 @@
15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1
30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1
45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1
0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1
0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1
0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1
0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
15 0 * * * /opt/bunkerized-nginx/jobs/main.py --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
30 0 * * * /opt/bunkerized-nginx/jobs/main.py --name user-agents >> /var/log/nginx/jobs.log 2>&1
45 0 * * * /opt/bunkerized-nginx/jobs/main.py --name referrers >> /var/log/nginx/jobs.log 2>&1
0 1 * * * /opt/bunkerized-nginx/jobs/main.py --name abusers >> /var/log/nginx/jobs.log 2>&1
0 2 * * * /opt/bunkerized-nginx/jobs/main.py --name proxies >> /var/log/nginx/jobs.log 2>&1
0 */1 * * * /opt/bunkerized-nginx/jobs/main.py --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
0 3 2 * * /opt/bunkerized-nginx/jobs/main.py --name geoip >> /var/log/nginx/jobs.log 2>&1

55
scripts/abusers.sh
View File

@ -1,55 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
exit 0
fi
# copy old conf to cache
cp /etc/nginx/abusers.list /tmp/abusers.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/abusers.list
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# check if we have at least 1 line
lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] abusers list updated ($lines entries)"
# reload nginx with the new config
cp /tmp/abusers.list /etc/nginx/abusers.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after abusers list update"
else
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
#cp /tmp/abusers.list.bak /etc/nginx
$RELOAD > /dev/null 2>&1
fi
else
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
fi
else
job_log "[BLACKLIST] can't update abusers list"
fi
rm -f /tmp/abusers.list 2> /dev/null
rm -f /tmp/abusers.list.bak 2> /dev/null

9
scripts/certbot-new.sh
View File

@ -1,9 +0,0 @@
#!/bin/bash
# generate certificate
certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos
if [ "$?" -ne 0 ] ; then
exit 1
fi
exit 0

24
scripts/certbot-renew-hook.sh
View File

@ -1,24 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
job_log "[CERTBOT] certificates have been renewed"
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# reload nginx
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
job_log "[NGINX] successfull nginx reload after certbot renew"
else
job_log "[NGINX] failed nginx reload after certbot renew"
fi
fi

21
scripts/certbot-renew.sh
View File

@ -1,21 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
exit 0
fi
# ask new certificates if needed
certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh
if [ "$?" -eq 0 ] ; then
job_log "[CERTBOT] renew operation done"
else
job_log "[CERTBOT] renew operation failed"
fi

54
scripts/exit-nodes.sh
View File

@ -1,54 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
exit 0
fi
# copy old conf to cache
cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/tor-exit-nodes.list
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# check if we have at least 1 line
lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
# reload nginx with the new config
cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after TOR exit node list update"
else
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
#cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list
$RELOAD > /dev/null 2>&1
fi
else
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
fi
else
job_log "[BLACKLIST] can't update TOR exit node list"
fi
rm -f /tmp/tor-exit-nodes.list 2> /dev/null
rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null

51
scripts/geoip.sh
View File

@ -1,51 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" = "" ] && [ "$(has_value WHITELIST_COUNTRY ".\+")" = "" ] ; then
exit 0
fi
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# MMDB from https://db-ip.com/db/download/ip-to-country-lite
URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
wget -O /tmp/geoip.mmdb.gz "$URL" > /dev/null 2>&1
if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
gunzip -f /tmp/geoip.mmdb.gz > /dev/null 2>&1
if [ "$?" -ne 0 ] ; then
job_log "[GEOIP] can't extract DB from $URL"
exit 1
fi
mv /tmp/geoip.mmdb /etc/nginx
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after GeoIP DB update"
else
job_log "[NGINX] failed nginx reload after GeoIP DB update"
if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
$RELOAD > /dev/null 2>&1
fi
fi
else
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
fi
else
job_log "[GEOIP] can't download DB from $URL"
fi
rm -f /tmp/geoip* 2> /dev/null

55
scripts/proxies.sh
View File

@ -1,55 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
exit 0
fi
# copy old conf to cache
cp /etc/nginx/proxies.list /tmp/proxies.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/proxies.list
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# check if we have at least 1 line
lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] proxies list updated ($lines entries)"
# reload nginx with the new config
cp /tmp/proxies.list /etc/nginx/proxies.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after proxies list update"
else
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
#cp /tmp/proxies.list.bak /etc/nginx
$RELOAD > /dev/null 2>&1
fi
else
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
fi
else
job_log "[BLACKLIST] can't update proxies list"
fi
rm -f /tmp/proxies.list 2> /dev/null
rm -f /tmp/proxies.list.bak 2> /dev/null

57
scripts/referrers.sh
View File

@ -1,57 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
exit 0
fi
# save old conf
cp /etc/nginx/referrers.list /tmp/referrers.list.bak
# generate new conf
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')"
if [ "$?" -ne 0 ] ; then
job_log "[BLACKLIST] can't update referrers list"
echo -n "" > /tmp/referrers.list
else
echo -e "$BLACKLIST" > /tmp/referrers.list
fi
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# check number of lines
lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
cp /tmp/referrers.list /etc/nginx/referrers.list
job_log "[BLACKLIST] referrers list updated ($lines entries)"
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after referrers list update"
else
#cp /tmp/referrers.list.bak /etc/nginx
job_log "[NGINX] failed nginx reload after referrers list update fallback to old list"
$RELOAD > /dev/null 2>&1
fi
else
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
fi
else
job_log "[BLACKLIST] can't update referrers list"
fi
rm -f /tmp/referrers.list 2> /dev/null
rm -f /tmp/referrers.list.bak 2> /dev/null

57
scripts/user-agents.sh
View File

@ -1,57 +0,0 @@
#!/bin/bash
# load some functions
. /opt/bunkerized-nginx/entrypoint/utils.sh
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
exit 0
fi
if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
exit 0
fi
# save old conf
cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak
# generate new conf
BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')"
if [ "$?" -ne 0 ] ; then
job_log "[BLACKLIST] can't update user-agent list"
echo -n "" > /tmp/user-agents.list
else
echo -e "$BLACKLIST" > /tmp/user-agents.list
fi
# if we are running nginx
if [ -f /tmp/nginx.pid ] ; then
RELOAD="/usr/sbin/nginx -s reload"
# if we are in autoconf
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
RELOAD="/opt/entrypoint/reload.py"
fi
# check number of lines
lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
cp /tmp/user-agents.list /etc/nginx/user-agents.list
job_log "[BLACKLIST] user-agent list updated ($lines entries)"
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
job_log "[NGINX] successfull nginx reload after user-agent list update"
else
#cp /tmp/user-agents.list.bak /etc/nginx
job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list"
$RELOAD > /dev/null 2>&1
fi
else
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
fi
else
job_log "[BLACKLIST] can't update user-agent list"
fi
rm -f /tmp/user-agents.list 2> /dev/null
rm -f /tmp/user-agents.list.bak 2> /dev/null

22
settings.json
View File

@ -1153,8 +1153,8 @@
}
]
},
"API": {
"id": "api",
"Internal": {
"id": "internal",
"params": [
{
"context": "global",
@ -1191,6 +1191,24 @@
"label": "Swarm mode",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{
"context": "global",
"default": "no",
"env": "USE_REDIS",
"id": "use-redis",
"label": "Use external redis when coupled with autoconf",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{
"context": "global",
"default": "",
"env": "REDIS_HOST",
"id": "redis-host",
"label": "Hostname/IP of the Redis service",
"regex": "^[A-Za-z0-9\\-\\.\\_]+$",
"type": "text"
}
]
},

22
tests/linux.sh
View File

@ -19,7 +19,15 @@ docker cp helpers/install.sh "$id:/tmp"
if [ $? -ne 0 ] ; then
echo "[!] docker cp failed"
cleanup "$id"
exit 4
exit 2
fi
echo "[*] Copy bunkerized-nginx"
docker cp . "$id:/tmp/bunkerized-nginx-test"
if [ $? -ne 0 ] ; then
echo "[!] docker cp failed"
cleanup "$id"
exit 3
fi
echo "[*] Exec install.sh"
@ -27,7 +35,7 @@ docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
if [ $? -ne 0 ] ; then
echo "[!] docker exec failed"
cleanup "$id"
exit 5
exit 4
fi
echo "[*] Exec nginx -V"
@ -35,7 +43,7 @@ docker exec "$id" nginx -V
if [ $? -ne 0 ] ; then
echo "[!] docker exec failed"
cleanup "$id"
exit 6
exit 5
fi
echo "[*] Copy variables.env"
@ -43,7 +51,7 @@ docker cp "tests/variables.env" "$id:/opt/bunkerized-nginx"
if [ $? -ne 0 ] ; then
echo "[!] docker cp failed"
cleanup "$id"
exit 7
exit 6
fi
echo "[*] Copy index.html"
@ -51,7 +59,7 @@ docker cp "tests/index.html" "$id:/opt/bunkerized-nginx/www"
if [ $? -ne 0 ] ; then
echo "[!] docker cp failed"
cleanup "$id"
exit 8
exit 7
fi
echo "[*] Exec bunkerized-nginx"
@ -59,7 +67,7 @@ docker exec "$id" bunkerized-nginx
if [ $? -ne 0 ] ; then
echo "[!] docker exec failed"
cleanup "$id"
exit 9
exit 8
fi
echo "[*] Exec curl"
@ -67,7 +75,7 @@ res="$(curl -s -H "User-Agent: LegitOne" http://localhost/)"
if [ $? -ne 0 ] || [ "$res" != "ok" ] ; then
echo "[!] curl failed"
cleanup "$id"
exit 10
exit 9
fi
cleanup "$id"