jobs - various bugs fixed and old files removed
This commit is contained in:
parent
366e39f591
commit
d12369c900
|
@ -4,30 +4,34 @@ local dataloader = require "dataloader"
|
|||
local logger = require "logger"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
end
|
||||
if not use_redis then
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
end
|
||||
|
||||
if use_abusers then
|
||||
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
|
||||
end
|
||||
if use_abusers then
|
||||
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
|
||||
end
|
||||
|
||||
if use_tor_exit_nodes then
|
||||
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
|
||||
end
|
||||
if use_tor_exit_nodes then
|
||||
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
|
||||
end
|
||||
|
||||
if use_user_agents then
|
||||
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
|
||||
end
|
||||
if use_user_agents then
|
||||
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
|
||||
end
|
||||
|
||||
if use_referrers then
|
||||
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
||||
if use_referrers then
|
||||
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
||||
end
|
||||
end
|
||||
|
||||
-- Load plugins
|
||||
|
|
|
@ -6,13 +6,9 @@ load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
|||
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
#load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
||||
|
||||
# run in foreground
|
||||
# daemon off;
|
||||
|
||||
# PID file
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
|
|
|
@ -15,6 +15,10 @@ end
|
|||
-- let's encrypt
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif +%}
|
||||
|
||||
-- redis
|
||||
local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%}
|
||||
local redis_host = "{{ REDIS_HOST }}"
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif +%}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif +%}
|
||||
|
@ -64,6 +68,7 @@ local recaptcha = require "recaptcha"
|
|||
local iputils = require "resty.iputils"
|
||||
local behavior = require "behavior"
|
||||
local logger = require "logger"
|
||||
local redis = require "resty.redis"
|
||||
|
||||
-- user variables
|
||||
local antibot_uri = "{{ ANTIBOT_URI }}"
|
||||
|
@ -139,6 +144,17 @@ if use_bad_behavior and behavior.is_banned() then
|
|||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- our redis client
|
||||
local redis_client = nil
|
||||
if use_redis then
|
||||
redis_client = redis:new()
|
||||
local ok, err = redis_client:connect(redis_host, 6379)
|
||||
if not ok then
|
||||
redis_client = nil
|
||||
logger.log(ngx.ERR, "REDIS", "Can't connect to the Redis service " .. redis_host)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in proxies list
|
||||
if use_proxies then
|
||||
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$MULTISITE" != "yes" ] && [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
first_server_name=$(echo "$SERVER_NAME" | cut -d " " -f 1)
|
||||
domains_lets_encrypt=$(echo "$SERVER_NAME" | sed "s/ /,/g")
|
||||
EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server_name}"
|
||||
if [ ! -f /etc/letsencrypt/live/${first_server_name}/fullchain.pem ] ; then
|
||||
echo "[*] Performing Let's Encrypt challenge for $domains_lets_encrypt ..."
|
||||
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains_lets_encrypt" "$EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
elif [ "$MULTISITE" = "yes" ] ; then
|
||||
servers=$(find /etc/nginx -name "site.env" | cut -d '/' -f 4)
|
||||
for server in $servers ; do
|
||||
lets_encrypt=$(grep "^AUTO_LETS_ENCRYPT=yes$" /etc/nginx/${server}/site.env)
|
||||
if [ "$lets_encrypt" != "" ] && [ ! -f /etc/letsencrypt/live/${server}/fullchain.pem ] ; then
|
||||
server_name=$(grep "^SERVER_NAME=.*$" /etc/nginx/${server}/site.env | sed "s/SERVER_NAME=//" | sed "s/ /,/g")
|
||||
echo "[*] Performing Let's Encrypt challenge for $server_name ..."
|
||||
EMAIL_LETS_ENCRYPT=$(grep "^EMAIL_LETS_ENCRYPT=.*$" /etc/nginx/${server}/site.env | sed "s/EMAIL_LETS_ENCRYPT=//")
|
||||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${server}"
|
||||
fi
|
||||
/opt/bunkerized-nginx/scripts/certbot-new.sh "$domains" "EMAIL_LETS_ENCRYPT"
|
||||
fi
|
||||
done
|
||||
fi
|
|
@ -16,16 +16,13 @@ trap "trap_exit" TERM INT QUIT
|
|||
function trap_reload() {
|
||||
echo "[*] Catched reload operation"
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/bunkerized-nginx/entrypoint/pre-jobs.sh
|
||||
/opt/bunkerized-nginx/entrypoint/jobs.sh
|
||||
fi
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
echo "[*] Reloading nginx ..."
|
||||
nginx -s reload
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Reload successfull"
|
||||
if [ "$SWARM_MODE" != "yes" ] ; then
|
||||
/opt/bunkerized-nginx/entrypoint/post-jobs.sh
|
||||
fi
|
||||
else
|
||||
echo "[!] Reload failed"
|
||||
fi
|
||||
|
@ -61,7 +58,7 @@ if [ ! -f "/etc/nginx/global.env" ] ; then
|
|||
# call the generator
|
||||
/opt/bunkerized-nginx/gen/main.py --settings /opt/bunkerized-nginx/settings.json --templates /opt/bunkerized-nginx/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
|
||||
# jobs
|
||||
# call jobs
|
||||
/opt/bunkerized-nginx/entrypoint/jobs.sh
|
||||
fi
|
||||
else
|
||||
|
|
|
@ -58,7 +58,7 @@ if [ "$files" != "" ] ; then
|
|||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
|
||||
fi
|
||||
certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
|
||||
/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT"
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
|
||||
else
|
||||
|
@ -70,11 +70,30 @@ fi
|
|||
|
||||
# GeoIP
|
||||
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
|
||||
if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading GeoIP database ..."
|
||||
/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
|
||||
fi
|
||||
/opt/bunkerized-nginx/jobs/main.py --name geoip
|
||||
fi
|
||||
|
||||
# User-Agents
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
/opt/bunkerized-nginx/jobs/main.py --name user-agents
|
||||
fi
|
||||
|
||||
# Referrers
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
/opt/bunkerized-nginx/jobs/main.py --name referrers
|
||||
fi
|
||||
|
||||
# exit nodes
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
/opt/bunkerized-nginx/jobs/main.py --name exit-nodes
|
||||
fi
|
||||
|
||||
# proxies
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
/opt/bunkerized-nginx/jobs/main.py --name proxies
|
||||
fi
|
||||
|
||||
# abusers
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
/opt/bunkerized-nginx/jobs/main.py --name abusers
|
||||
fi
|
||||
|
|
|
@ -1,59 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
# User-Agents
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached user-agents.list ..."
|
||||
cp /opt/bunkerized-nginx/cache/user-agents.list /etc/nginx/user-agents.list
|
||||
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad user-agent list (in background) ..."
|
||||
/opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
# Referrers
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached referrers.list ..."
|
||||
cp /opt/bunkerized-nginx/cache/referrers.list /etc/nginx/referrers.list
|
||||
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad referrer list (in background) ..."
|
||||
/opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
# exit nodes
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached tor-exit-nodes.list ..."
|
||||
cp /opt/bunkerized-nginx/cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading tor exit nodes list (in background) ..."
|
||||
/opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
# proxies
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached proxies.list ..."
|
||||
cp /opt/bunkerized-nginx/cache/proxies.list /etc/nginx/proxies.list
|
||||
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading proxies list (in background) ..."
|
||||
/opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
||||
|
||||
# abusers
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached abusers.list ..."
|
||||
cp /opt/bunkerized-nginx/cache/abusers.list /etc/nginx/abusers.list
|
||||
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading abusers list (in background) ..."
|
||||
/opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
fi
|
|
@ -1,80 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
# self signed certs for sites
|
||||
files=$(has_value GENERATE_SELF_SIGNED_SSL yes)
|
||||
if [ "$files" != "" ] ; then
|
||||
for file in $files ; do
|
||||
site=$(echo $file | cut -f 4 -d '/')
|
||||
dest="/etc/nginx/"
|
||||
if [ "$site" != "site.env" ] ; then
|
||||
dest="${dest}/${site}/"
|
||||
fi
|
||||
SELF_SIGNED_SSL_EXPIRY="$(sed -nE 's/^SELF_SIGNED_SSL_EXPIRY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_COUNTRY="$(sed -nE 's/^SELF_SIGNED_SSL_COUNTRY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_STATE="$(sed -nE 's/^SELF_SIGNED_SSL_STATE=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_CITY="$(sed -nE 's/^SELF_SIGNED_SSL_CITY=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
|
||||
SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
|
||||
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout ${dest}self-key.pem -out ${dest}self-cert.pem -days "$SELF_SIGNED_SSL_EXPIRY" -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem"
|
||||
else
|
||||
echo "[!] Error while generating self-signed certificate : $openssl_output"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# self signed cert for default server
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] ; then
|
||||
SELF_SIGNED_SSL_EXPIRY="999"
|
||||
SELF_SIGNED_SSL_COUNTRY="US"
|
||||
SELF_SIGNED_SSL_STATE="Utah"
|
||||
SELF_SIGNED_SSL_CITY="Lehi"
|
||||
SELF_SIGNED_SSL_ORG="Your Company, Inc."
|
||||
SELF_SIGNED_SSL_OU="IT"
|
||||
SELF_SIGNED_SSL_CN="www.yourdomain.com"
|
||||
openssl_output=$(openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" 2>&1)
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Generated self-signed certificate for default server"
|
||||
else
|
||||
echo "[!] Error while generating self-signed certificate for default server : $openssl_output"
|
||||
fi
|
||||
fi
|
||||
|
||||
# certbot
|
||||
files=$(has_value AUTO_LETS_ENCRYPT yes)
|
||||
if [ "$files" != "" ] ; then
|
||||
for file in $files ; do
|
||||
if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then
|
||||
continue
|
||||
fi
|
||||
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
|
||||
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
|
||||
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
|
||||
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
|
||||
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
|
||||
fi
|
||||
certbot_output=$(/opt/bunkerized-nginx/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT" 2>&1)
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
|
||||
else
|
||||
echo "[*] Error while executing certbot new : $certbot_output"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
# GeoIP
|
||||
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ; then
|
||||
if [ -f "/opt/bunkerized-nginx/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading GeoIP database ..."
|
||||
/opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
|
@ -0,0 +1,38 @@
|
|||
version: '3.8'
|
||||
|
||||
services:
|
||||
|
||||
autoconf:
|
||||
image: bunkerity/bunkerized-nginx-autoconf
|
||||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- /shared/confs:/etc/nginx
|
||||
- /shared/letsencrypt:/etc/letsencrypt
|
||||
- /shared/acme-challenge:/acme-challenge
|
||||
- /shared/cache:/cache
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
|
||||
networks:
|
||||
- net_config
|
||||
deploy:
|
||||
replicas: 1
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==manager"
|
||||
|
||||
redis:
|
||||
image: redis:alpine
|
||||
networks:
|
||||
- net_config
|
||||
deploy:
|
||||
replicas: 1
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
|
||||
networks:
|
||||
net_config:
|
||||
external: true
|
|
@ -0,0 +1,51 @@
|
|||
version: '3.8'
|
||||
|
||||
services:
|
||||
|
||||
nginx:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
mode: host
|
||||
protocol: tcp
|
||||
- published: 443
|
||||
target: 8443
|
||||
mode: host
|
||||
protocol: tcp
|
||||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
volumes:
|
||||
- /shared/confs:/etc/nginx:ro
|
||||
- /shared/letsencrypt:/etc/letsencrypt:ro
|
||||
- /shared/acme-challenge:/acme-challenge:ro
|
||||
- /shared/www:/www:ro
|
||||
- /shared/cache:/cache:ro
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- USE_API=yes
|
||||
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_REDIS=yes
|
||||
- REDIS_HOST=redis
|
||||
networks:
|
||||
- net_config
|
||||
- net_services
|
||||
deploy:
|
||||
mode: global
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- "bunkerized-nginx.AUTOCONF"
|
||||
|
||||
networks:
|
||||
net_config:
|
||||
external: true
|
||||
net_services:
|
||||
external: true
|
|
@ -0,0 +1,42 @@
|
|||
version: '3.8'
|
||||
|
||||
services:
|
||||
|
||||
app1:
|
||||
image: php:fpm-alpine
|
||||
volumes:
|
||||
- /shared/www/app1.example.com:/www
|
||||
networks:
|
||||
- net_services
|
||||
deploy:
|
||||
replicas: 1
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app1.example.com"
|
||||
- "bunkerized-nginx.REMOTE_PHP=app1"
|
||||
- "bunkerized-nginx.REMOTE_PHP_PATH=/www"
|
||||
|
||||
app2:
|
||||
image: phpmyadmin:apache
|
||||
environment:
|
||||
- PMA_ARBITRARY=1
|
||||
- PMA_ABSOLUTE_URI=https://app2.example.com
|
||||
networks:
|
||||
- net_services
|
||||
deploy:
|
||||
replicas: 1
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app2.example.com"
|
||||
- "bunkerized-nginx.USE_PROXY_CACHE=yes"
|
||||
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
|
||||
|
||||
networks:
|
||||
net_services:
|
||||
external: true
|
|
@ -592,6 +592,12 @@ git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485
|
|||
echo "[*] Install lua-resty-iputils"
|
||||
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-iputils" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install
|
||||
|
||||
# Download and install lua-resty-redis
|
||||
echo "[*] Clone openresty/lua-resty-redis"
|
||||
git_secure_clone https://github.com/openresty/lua-resty-redis.git 91585affcd9a8da65cb664a5b1e926dde428095a
|
||||
echo "[*] Install lua-resty-redis"
|
||||
CHANGE_DIR="/tmp/bunkerized-nginx/lua-resty-redis" do_and_check_cmd make PREFIX=/opt/bunkerized-nginx/deps LUA_LIB_DIR=/opt/bunkerized-nginx/deps/lib/lua install
|
||||
|
||||
# Download nginx and decompress sources
|
||||
echo "[*] Download nginx-${NGINX_VERSION}.tar.gz"
|
||||
do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
|
||||
|
@ -659,21 +665,25 @@ elif [ "$OS" = "alpine" ] ; then
|
|||
fi
|
||||
|
||||
# Clone the repo
|
||||
if [ "$OS" != "alpine" ] ; then
|
||||
if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then
|
||||
echo "[*] Clone bunkerity/bunkerized-nginx"
|
||||
#CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 09a2a4f9e531b93684b0916a5146091a818501d3
|
||||
# TODO : do a secure clone
|
||||
CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
|
||||
CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev
|
||||
# Docker build case : simply rename the sources
|
||||
else
|
||||
elif [ "$OS" == "alpine" ] ; then
|
||||
do_and_check_cmd mv /tmp/bunkerized-nginx-docker /tmp/bunkerized-nginx
|
||||
# Tests case
|
||||
else
|
||||
do_and_check_cmd mv /tmp/bunkerized-nginx-test /tmp/bunkerized-nginx
|
||||
fi
|
||||
|
||||
# Install Python dependencies
|
||||
echo "[*] Install python dependencies"
|
||||
do_and_check_cmd pip3 install --upgrade pip
|
||||
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/gen/requirements.txt
|
||||
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/jobs/requirements.txt
|
||||
if [ "$OS" != "alpine" ] ; then
|
||||
do_and_check_cmd pip3 install -r /tmp/bunkerized-nginx/ui/requirements.txt
|
||||
fi
|
||||
|
@ -691,11 +701,7 @@ do_and_check_cmd cp -r /tmp/bunkerized-nginx/entrypoint /opt/bunkerized-nginx
|
|||
echo "[*] Copy configs"
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/confs /opt/bunkerized-nginx
|
||||
|
||||
# Copy scripts
|
||||
echo "[*] Copy scripts"
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/scripts /opt/bunkerized-nginx
|
||||
|
||||
# Copy scripts
|
||||
# Copy jobs
|
||||
echo "[*] Copy jobs"
|
||||
do_and_check_cmd cp -r /tmp/bunkerized-nginx/jobs /opt/bunkerized-nginx
|
||||
|
||||
|
@ -797,10 +803,10 @@ do_and_check_cmd find /opt/bunkerized-nginx -type f -exec chmod 0740 {} \;
|
|||
do_and_check_cmd find /opt/bunkerized-nginx -type d -exec chmod 0750 {} \;
|
||||
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
|
||||
do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py
|
||||
do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/reload.py
|
||||
# Set permissions for /usr/local/bin/bunkerized-nginx
|
||||
do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx
|
||||
do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
from Job import Job
|
||||
|
||||
class CertbotRenew(Job) :
|
||||
class CertbotNew(Job) :
|
||||
|
||||
def __init__(self, redis_host=None, copy_cache=False, domain="", email="") :
|
||||
name = "certbot-new"
|
||||
|
|
|
@ -15,7 +15,7 @@ class GeoIP(Job) :
|
|||
super().run()
|
||||
count = 0
|
||||
with gzip.open("/etc/nginx/geoip.mmdb.gz", "rb") as f :
|
||||
with open("/tmp/geoip.mmdb", "w") as f2
|
||||
with open("/tmp/geoip.mmdb", "w") as f2 :
|
||||
while True :
|
||||
chunk = f.read(8192)
|
||||
if not chunk :
|
||||
|
|
10
jobs/Job.py
10
jobs/Job.py
|
@ -1,4 +1,4 @@
|
|||
import abc, requests, redis, os, datetime, traceback
|
||||
import abc, requests, redis, os, datetime, traceback, re, shutil
|
||||
|
||||
class Job(abc.ABC) :
|
||||
|
||||
|
@ -41,7 +41,7 @@ class Job(abc.ABC) :
|
|||
if self.__redis == None :
|
||||
if os.path.isfile("/tmp/" + self.__filename) :
|
||||
os.remove("/tmp/" + self.__filename)
|
||||
file = open("/tmp/" + self.__filename, "a")
|
||||
file = open("/tmp/" + self.__filename, "ab")
|
||||
|
||||
elif self.__redis != None :
|
||||
pipe = self.__redis.pipeline()
|
||||
|
@ -50,7 +50,7 @@ class Job(abc.ABC) :
|
|||
for url in self.__data :
|
||||
data = self.__download_data(url)
|
||||
for chunk in data :
|
||||
if self.__type == "line" and not re.match(self.__regex, chunk) :
|
||||
if self.__type == "line" and not re.match(self.__regex, chunk.decode("utf-8")) :
|
||||
continue
|
||||
count += 1
|
||||
if self.__redis == None :
|
||||
|
@ -67,7 +67,7 @@ class Job(abc.ABC) :
|
|||
os.remove("/tmp/" + self.__filename)
|
||||
|
||||
elif self.__redis != None and count > 0 :
|
||||
self.__redis.del(self.__redis.keys(self.__name + "_*"))
|
||||
self.__redis.delete(self.__redis.keys(self.__name + "_*"))
|
||||
pipe.execute()
|
||||
|
||||
def __download_data(self, url) :
|
||||
|
@ -95,7 +95,7 @@ class Job(abc.ABC) :
|
|||
if self.__redis == None or self.__type == "file" :
|
||||
shutil.copyfile("/opt/bunkerized-nginx/cache/" + self.__filename, "/etc/nginx/" + self.__filename)
|
||||
elif self.__redis != None and self.__type == "line" :
|
||||
self.__redis.del(self.__redis.keys(self.__name + "_*"))
|
||||
self.__redis.delete(self.__redis.keys(self.__name + "_*"))
|
||||
with open("/opt/bunkerized-nginx/cache/" + self.__filename) as f :
|
||||
pipe = self.__redis.pipeline()
|
||||
while True :
|
||||
|
|
|
@ -8,4 +8,4 @@ class Proxies(Job) :
|
|||
filename = "proxies.list"
|
||||
type = "line"
|
||||
regex = r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$"
|
||||
super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex; copy_cache=copy_cache)
|
||||
super().__init__(name, data, filename, redis_host=redis_host, type=type, regex=regex, copy_cache=copy_cache)
|
||||
|
|
25
jobs/main.py
25
jobs/main.py
|
@ -1,9 +1,13 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
import argparse, sys
|
||||
|
||||
sys.path.append("/opt/bunkerized-nginx/jobs")
|
||||
|
||||
import Abusers, CertbotNew, CertbotRenew, ExitNodes, GeoIP, Proxies, Referrers, SelfSignedCert, UserAgents
|
||||
|
||||
from reload import reload
|
||||
|
||||
JOBS = {
|
||||
"abusers": Abusers.Abusers,
|
||||
"certbot-new": CertbotNew.CertbotNew,
|
||||
|
@ -33,10 +37,12 @@ if __name__ == "__main__" :
|
|||
|
||||
# Check job name
|
||||
if not args.name in JOBS :
|
||||
print("[!] unknown job " + args.job)
|
||||
print("[!] unknown job " + args.name)
|
||||
sys.exit(1)
|
||||
job = args.name
|
||||
|
||||
# Run job
|
||||
print("[*] Executing job " + job)
|
||||
ret = 0
|
||||
if job == "certbot-new" :
|
||||
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, domain=args.domain, email=args.email)
|
||||
|
@ -45,9 +51,18 @@ if __name__ == "__main__" :
|
|||
else :
|
||||
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache)
|
||||
if not instance.run() :
|
||||
print("[!] error while running job " + job)
|
||||
print("[!] Error while running job " + job)
|
||||
sys.exit(1)
|
||||
print("[*] job " + job + " successfully executed")
|
||||
sys.exit(0)
|
||||
print("[*] Job " + job + " successfully executed")
|
||||
|
||||
# TODO : reload
|
||||
# Reload
|
||||
# TODO : only reload if needed
|
||||
do_reload = True
|
||||
if do_reload :
|
||||
if not reload() :
|
||||
print("[!] Error while doing reload operation")
|
||||
sys.exit(1)
|
||||
print("[*] Reload operation successfully executed")
|
||||
|
||||
# Done
|
||||
sys.exit(0)
|
||||
|
|
|
@ -1,27 +1,41 @@
|
|||
import docker, subprocess, os, stat, sys
|
||||
import docker, subprocess, os, stat, sys, traceback
|
||||
|
||||
if __name__ == "__main__" :
|
||||
def reload() :
|
||||
|
||||
# Linux or single Docker use case
|
||||
if os.path.isfile("/usr/sbin/nginx") :
|
||||
if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") :
|
||||
proc = subprocess.run(["/usr/sbin/nginx", "-s", "reload"], capture_output=True)
|
||||
if proc.returncode != 0 :
|
||||
print("[!] can't reload nginx (status code = " + str(proc.returncode) + ")"
|
||||
print("[!] Can't reload nginx (status code = " + str(proc.returncode) + ")")
|
||||
if len(proc.stdout.decode("ascii")) > 1 :
|
||||
print(proc.stdout.decode("ascii"))
|
||||
if len(proc.stderr.decode("ascii")) > 1 :
|
||||
print(proc.stderr.decode("ascii"))
|
||||
sys.exit(1)
|
||||
return False
|
||||
return True
|
||||
|
||||
# Autoconf case (Docker, Swarm and Ingress)
|
||||
mode = os.stat("/tmp/autoconf.sock")
|
||||
elif stat.S_ISSOCK(mode) :
|
||||
if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock")) :
|
||||
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
client.connect("/tmp/autoconf.sock")
|
||||
client.send("reload".encode("utf-8"))
|
||||
data = client.recv(512)
|
||||
client.close()
|
||||
if not data or data.decode("utf-8") != "ok" :
|
||||
sys.exit(2)
|
||||
if not data or data.decode("utf-8") != "ok" :
|
||||
print("[!] Can't reload nginx (data not ok)")
|
||||
return False
|
||||
return True
|
||||
|
||||
sys.exit(0)
|
||||
return False
|
||||
|
||||
if __name__ == "__main__" :
|
||||
try :
|
||||
print("[*] Starting reload operation ...")
|
||||
if not reload() :
|
||||
sys.exit(1)
|
||||
print("[*] Reload operation successfully executed")
|
||||
sys.exit(0)
|
||||
except :
|
||||
print("[!] Can't reload nginx (exception)")
|
||||
print(traceback.format_exc())
|
||||
sys.exit(2)
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
requests
|
||||
redis
|
||||
docker
|
||||
|
|
14
misc/cron
14
misc/cron
|
@ -1,7 +1,7 @@
|
|||
15 0 * * * /opt/bunkerized-nginx/scripts/certbot-renew.sh > /dev/null 2>&1
|
||||
30 0 * * * /opt/bunkerized-nginx/scripts/user-agents.sh > /dev/null 2>&1
|
||||
45 0 * * * /opt/bunkerized-nginx/scripts/referrers.sh > /dev/null 2>&1
|
||||
0 1 * * * /opt/bunkerized-nginx/scripts/abusers.sh > /dev/null 2>&1
|
||||
0 2 * * * /opt/bunkerized-nginx/scripts/proxies.sh > /dev/null 2>&1
|
||||
0 */1 * * * /opt/bunkerized-nginx/scripts/exit-nodes.sh > /dev/null 2>&1
|
||||
0 3 2 * * /opt/bunkerized-nginx/scripts/geoip.sh > /dev/null 2>&1
|
||||
15 0 * * * /opt/bunkerized-nginx/jobs/main.py --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
|
||||
30 0 * * * /opt/bunkerized-nginx/jobs/main.py --name user-agents >> /var/log/nginx/jobs.log 2>&1
|
||||
45 0 * * * /opt/bunkerized-nginx/jobs/main.py --name referrers >> /var/log/nginx/jobs.log 2>&1
|
||||
0 1 * * * /opt/bunkerized-nginx/jobs/main.py --name abusers >> /var/log/nginx/jobs.log 2>&1
|
||||
0 2 * * * /opt/bunkerized-nginx/jobs/main.py --name proxies >> /var/log/nginx/jobs.log 2>&1
|
||||
0 */1 * * * /opt/bunkerized-nginx/jobs/main.py --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
|
||||
0 3 2 * * /opt/bunkerized-nginx/jobs/main.py --name geoip >> /var/log/nginx/jobs.log 2>&1
|
||||
|
|
|
@ -1,55 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/abusers.list /tmp/abusers.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \
|
||||
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/abusers.list
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# check if we have at least 1 line
|
||||
lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] abusers list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
cp /tmp/abusers.list /etc/nginx/abusers.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after abusers list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
|
||||
#cp /tmp/abusers.list.bak /etc/nginx
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/abusers.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update abusers list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/abusers.list 2> /dev/null
|
||||
rm -f /tmp/abusers.list.bak 2> /dev/null
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# generate certificate
|
||||
certbot certonly --webroot -w /opt/bunkerized-nginx/acme-challenge -n -d "$1" --email "$2" --agree-tos
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
|
@ -1,24 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
job_log "[CERTBOT] certificates have been renewed"
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# reload nginx
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
job_log "[NGINX] successfull nginx reload after certbot renew"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after certbot renew"
|
||||
fi
|
||||
fi
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value AUTO_LETS_ENCRYPT yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# ask new certificates if needed
|
||||
certbot renew --deploy-hook /opt/bunkerized-nginx/scripts/certbot-renew-hook.sh
|
||||
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
job_log "[CERTBOT] renew operation done"
|
||||
else
|
||||
job_log "[CERTBOT] renew operation failed"
|
||||
fi
|
|
@ -1,54 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \
|
||||
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/tor-exit-nodes.list
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# check if we have at least 1 line
|
||||
lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after TOR exit node list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
|
||||
#cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/tor-exit-nodes.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update TOR exit node list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/tor-exit-nodes.list 2> /dev/null
|
||||
rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null
|
|
@ -1,51 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLACKLIST_COUNTRY ".\+")" = "" ] && [ "$(has_value WHITELIST_COUNTRY ".\+")" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# MMDB from https://db-ip.com/db/download/ip-to-country-lite
|
||||
URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
|
||||
wget -O /tmp/geoip.mmdb.gz "$URL" > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] && [ -f /tmp/geoip.mmdb.gz ] ; then
|
||||
gunzip -f /tmp/geoip.mmdb.gz > /dev/null 2>&1
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
job_log "[GEOIP] can't extract DB from $URL"
|
||||
exit 1
|
||||
fi
|
||||
mv /tmp/geoip.mmdb /etc/nginx
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after GeoIP DB update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after GeoIP DB update"
|
||||
if [ -f /opt/bunkerized-nginx/cache/geoip.mmdb ] ; then
|
||||
cp /opt/bunkerized-nginx/cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/geoip.mmdb /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[GEOIP] can't download DB from $URL"
|
||||
fi
|
||||
|
||||
rm -f /tmp/geoip* 2> /dev/null
|
|
@ -1,55 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/proxies.list /tmp/proxies.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \
|
||||
grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/?[0-9]*$" > /tmp/proxies.list
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# check if we have at least 1 line
|
||||
lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] proxies list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
cp /tmp/proxies.list /etc/nginx/proxies.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after proxies list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
|
||||
#cp /tmp/proxies.list.bak /etc/nginx
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/proxies.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update proxies list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/proxies.list 2> /dev/null
|
||||
rm -f /tmp/proxies.list.bak 2> /dev/null
|
||||
|
|
@ -1,57 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/referrers.list /tmp/referrers.list.bak
|
||||
|
||||
# generate new conf
|
||||
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')"
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
job_log "[BLACKLIST] can't update referrers list"
|
||||
echo -n "" > /tmp/referrers.list
|
||||
else
|
||||
echo -e "$BLACKLIST" > /tmp/referrers.list
|
||||
fi
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# check number of lines
|
||||
lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
cp /tmp/referrers.list /etc/nginx/referrers.list
|
||||
job_log "[BLACKLIST] referrers list updated ($lines entries)"
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after referrers list update"
|
||||
else
|
||||
#cp /tmp/referrers.list.bak /etc/nginx
|
||||
job_log "[NGINX] failed nginx reload after referrers list update fallback to old list"
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/referrers.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update referrers list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/referrers.list 2> /dev/null
|
||||
rm -f /tmp/referrers.list.bak 2> /dev/null
|
|
@ -1,57 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load some functions
|
||||
. /opt/bunkerized-nginx/entrypoint/utils.sh
|
||||
|
||||
if [ "$(grep "^SWARM_MODE=yes$" /etc/nginx/global.env)" != "" ] && [ -f /usr/sbin/nginx ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak
|
||||
|
||||
# generate new conf
|
||||
BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')"
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
job_log "[BLACKLIST] can't update user-agent list"
|
||||
echo -n "" > /tmp/user-agents.list
|
||||
else
|
||||
echo -e "$BLACKLIST" > /tmp/user-agents.list
|
||||
fi
|
||||
|
||||
# if we are running nginx
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
RELOAD="/usr/sbin/nginx -s reload"
|
||||
# if we are in autoconf
|
||||
elif [ -S /tmp/autoconf.sock ] && [ -f "/etc/nginx/autoconf" ] ; then
|
||||
RELOAD="/opt/entrypoint/reload.py"
|
||||
fi
|
||||
|
||||
# check number of lines
|
||||
lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
cp /tmp/user-agents.list /etc/nginx/user-agents.list
|
||||
job_log "[BLACKLIST] user-agent list updated ($lines entries)"
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
|
||||
job_log "[NGINX] successfull nginx reload after user-agent list update"
|
||||
else
|
||||
#cp /tmp/user-agents.list.bak /etc/nginx
|
||||
job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list"
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /tmp/user-agents.list /opt/bunkerized-nginx/cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update user-agent list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/user-agents.list 2> /dev/null
|
||||
rm -f /tmp/user-agents.list.bak 2> /dev/null
|
|
@ -1153,8 +1153,8 @@
|
|||
}
|
||||
]
|
||||
},
|
||||
"API": {
|
||||
"id": "api",
|
||||
"Internal": {
|
||||
"id": "internal",
|
||||
"params": [
|
||||
{
|
||||
"context": "global",
|
||||
|
@ -1191,6 +1191,24 @@
|
|||
"label": "Swarm mode",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "checkbox"
|
||||
},
|
||||
{
|
||||
"context": "global",
|
||||
"default": "no",
|
||||
"env": "USE_REDIS",
|
||||
"id": "use-redis",
|
||||
"label": "Use external redis when coupled with autoconf",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "checkbox"
|
||||
},
|
||||
{
|
||||
"context": "global",
|
||||
"default": "",
|
||||
"env": "REDIS_HOST",
|
||||
"id": "redis-host",
|
||||
"label": "Hostname/IP of the Redis service",
|
||||
"regex": "^[A-Za-z0-9\\-\\.\\_]+$",
|
||||
"type": "text"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
@ -19,7 +19,15 @@ docker cp helpers/install.sh "$id:/tmp"
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker cp failed"
|
||||
cleanup "$id"
|
||||
exit 4
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "[*] Copy bunkerized-nginx"
|
||||
docker cp . "$id:/tmp/bunkerized-nginx-test"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker cp failed"
|
||||
cleanup "$id"
|
||||
exit 3
|
||||
fi
|
||||
|
||||
echo "[*] Exec install.sh"
|
||||
|
@ -27,7 +35,7 @@ docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker exec failed"
|
||||
cleanup "$id"
|
||||
exit 5
|
||||
exit 4
|
||||
fi
|
||||
|
||||
echo "[*] Exec nginx -V"
|
||||
|
@ -35,7 +43,7 @@ docker exec "$id" nginx -V
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker exec failed"
|
||||
cleanup "$id"
|
||||
exit 6
|
||||
exit 5
|
||||
fi
|
||||
|
||||
echo "[*] Copy variables.env"
|
||||
|
@ -43,7 +51,7 @@ docker cp "tests/variables.env" "$id:/opt/bunkerized-nginx"
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker cp failed"
|
||||
cleanup "$id"
|
||||
exit 7
|
||||
exit 6
|
||||
fi
|
||||
|
||||
echo "[*] Copy index.html"
|
||||
|
@ -51,7 +59,7 @@ docker cp "tests/index.html" "$id:/opt/bunkerized-nginx/www"
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker cp failed"
|
||||
cleanup "$id"
|
||||
exit 8
|
||||
exit 7
|
||||
fi
|
||||
|
||||
echo "[*] Exec bunkerized-nginx"
|
||||
|
@ -59,7 +67,7 @@ docker exec "$id" bunkerized-nginx
|
|||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker exec failed"
|
||||
cleanup "$id"
|
||||
exit 9
|
||||
exit 8
|
||||
fi
|
||||
|
||||
echo "[*] Exec curl"
|
||||
|
@ -67,7 +75,7 @@ res="$(curl -s -H "User-Agent: LegitOne" http://localhost/)"
|
|||
if [ $? -ne 0 ] || [ "$res" != "ok" ] ; then
|
||||
echo "[!] curl failed"
|
||||
cleanup "$id"
|
||||
exit 10
|
||||
exit 9
|
||||
fi
|
||||
|
||||
cleanup "$id"
|
||||
|
|
Loading…
Reference in New Issue