run master nginx process as non-root user
This commit is contained in:
parent
7a8795883b
commit
e19a7c693d
|
@ -15,10 +15,13 @@ COPY lua/ /opt/lua
|
|||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 770 /var/log/nginx
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
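Review bot: The image still starts as root — ENTRYPOINT is unchanged and no USER instruction is visible in this hunk — so the non-root master promised by the commit title depends entirely on entrypoint.sh handing the process to the nginx user, and nothing in the Dockerfile records that; a comment above ENTRYPOINT such as `# container starts as root: entrypoint.sh does the privileged setup, then launches the nginx master as user nginx` would make the trust boundary visible to whoever next edits either file. The `chown root:nginx` / `chmod 770 /var/log/nginx` pair likewise deserves a one-line why (`# nginx group needs write on the dir so an unprivileged master can create its log files`), since 770 on a log directory otherwise looks like an accident. The same RUN/EXPOSE block is repeated in the four following hunks (`@ -15,10 +15,14 @@`, both `@ -22,10 +22,13 @@` and the second `@ -15,10 +15,13 @@`), so the comments belong in each of them; if those are per-variant Dockerfiles, keeping the block identical across them is the thing to watch in future changes.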
|
|
|
@ -15,10 +15,14 @@ COPY lua/ /opt/lua
|
|||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 770 /var/log/nginx
|
||||
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
|
|
|
@ -22,10 +22,13 @@ COPY lua/ /opt/lua
|
|||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 770 /var/log/nginx
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
|
|
|
@ -22,10 +22,13 @@ COPY lua/ /opt/lua
|
|||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 770 /var/log/nginx
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
|
|
|
@ -15,10 +15,13 @@ COPY lua/ /opt/lua
|
|||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
chown root:nginx /var/log/nginx && \
|
||||
chmod 770 /var/log/nginx
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
||||
|
|
|
@ -122,7 +122,7 @@ CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')
|
|||
CONFARGS=${CONFARGS/-Os -fomit-frame-pointer/-Os}
|
||||
./configure $CONFARGS --add-dynamic-module=/tmp/ModSecurity-nginx --add-dynamic-module=/tmp/headers-more-nginx-module --add-dynamic-module=/tmp/ngx_http_geoip2_module --add-dynamic-module=/tmp/nginx_cookie_flag_module --add-dynamic-module=/tmp/lua-nginx-module
|
||||
make -j $NTASK modules
|
||||
cp ./objs/*.so /usr/local/nginx/modules/
|
||||
cp ./objs/*.so /usr/lib/nginx/modules
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
ssl_certificate /etc/letsencrypt/live/%FIRST_SERVER_NAME%/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/%FIRST_SERVER_NAME%/privkey.pem;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
|
@ -1,4 +1,4 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
listen 0.0.0.0:8443 ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols TLSv1.3;
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
# /etc/nginx/nginx.conf
|
||||
|
||||
# load dynamic modules
|
||||
load_module /usr/local/nginx/modules/ngx_http_cookie_flag_filter_module.so;
|
||||
load_module /usr/local/nginx/modules/ngx_http_geoip2_module.so;
|
||||
load_module /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/local/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/local/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
|
||||
# run as daemon
|
||||
daemon on;
|
||||
|
||||
# do NOT run as root
|
||||
user nginx;
|
||||
# PID file
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
# worker number = CPU core(s)
|
||||
worker_processes auto;
|
||||
|
@ -51,6 +51,17 @@ http {
|
|||
# maximum request body size
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
|
||||
# write logs to local syslog
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
# load caching custom config
|
||||
include /etc/nginx/cache.conf;
|
||||
|
||||
|
@ -72,10 +83,6 @@ http {
|
|||
# get real IP address if behind a reverse proxy
|
||||
%PROXY_REAL_IP%
|
||||
|
||||
# write logs to local syslog
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%WHITELIST_IP_CACHE%
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
server {
|
||||
include /server-confs/*.conf;
|
||||
set $session_secret %ANTIBOT_SESSION_SECRET%;
|
||||
include /etc/nginx/main-lua.conf;
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
|
|
|
@ -323,7 +323,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
|
|||
if [ -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
|
||||
/opt/scripts/certbot-renew.sh
|
||||
else
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos
|
||||
certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port 8080
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
|
||||
|
@ -340,7 +340,7 @@ else
|
|||
fi
|
||||
|
||||
if [ "$LISTEN_HTTP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:8080;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
|
||||
fi
|
||||
|
@ -621,8 +621,6 @@ fi
|
|||
crond
|
||||
|
||||
# start nginx
|
||||
echo "[*] Running nginx ..."
|
||||
/usr/sbin/nginx
|
||||
if [ ! -f "/var/log/access.log" ] ; then
|
||||
touch /var/log/access.log
|
||||
fi
|
||||
|
@ -633,6 +631,31 @@ if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
|
|||
touch /var/log/php.log
|
||||
fi
|
||||
|
||||
# modsec logs
|
||||
touch /var/log/modsec_audit.log
|
||||
chown root:nginx /var/log/modsec_audit.log
|
||||
chmod 760 /var/log/modsec_audit.log
|
||||
|
||||
# nginx default error log
|
||||
touch /var/log/nginx/error.log
|
||||
chown root:nginx /var/log/nginx/error.log
|
||||
chmod 760 /var/log/nginx/error.log
|
||||
|
||||
# nginx configs (and modules through the symlink)
|
||||
chown -R root:nginx /etc/nginx/
|
||||
chmod -R 740 /etc/nginx/
|
||||
find /etc/nginx -type d -exec chmod 750 {} \;
|
||||
|
||||
# let's encrypt
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
||||
fi
|
||||
|
||||
echo "[*] Running nginx ..."
|
||||
su -s "/usr/sbin/nginx" nginx
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
fail2ban-server > /dev/null
|
||||
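Review bot: `su -s "/usr/sbin/nginx" nginx` drops privileges by passing nginx as the login shell, which BusyBox su accepts but which hides the intent from a reader and keeps root's environment (no `-`); the conventional form is `su -s /bin/sh -c '/usr/sbin/nginx' nginx`, preceded by a comment like `# privilege drop: the nginx master runs as user nginx (8080/8443 need no root)`. The launch result is also unchecked, so a master that fails to start — for instance because a key under /etc/letsencrypt is not readable after the `chmod -R 740` above — leaves the script marching on to fail2ban; `|| exit 1` after that line would surface it. The `chown -R root:nginx` / `chmod -R 740 /etc/letsencrypt` block intentionally makes the private keys group-readable by nginx, which is required here but is worth stating in a comment so nobody later "fixes" it to 600. The enclosing script continues outside the hunk.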
|
|
|
@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v
|
|||
while read entry ; do
|
||||
echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
|
||||
done
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
|
|
|
@ -9,9 +9,9 @@ function replace_in_file() {
|
|||
|
||||
# check if HTTP enabled
|
||||
# and disable it temporarily if needed
|
||||
if grep -q "listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:80;" "#listen 0.0.0.0:80;"
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if grep -q "listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "listen 0.0.0.0:8080;" "#listen 0.0.0.0:8080;"
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
sleep 10
|
||||
fi
|
||||
|
@ -21,11 +21,15 @@ fi
|
|||
certbot renew
|
||||
|
||||
# enable HTTP again if needed
|
||||
if grep -q "#listen 0.0.0.0:80;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:80;" "listen 0.0.0.0:80;"
|
||||
if grep -q "#listen 0.0.0.0:8080;" "/etc/nginx/server.conf" ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "#listen 0.0.0.0:8080;" "listen 0.0.0.0:8080;"
|
||||
fi
|
||||
|
||||
chown -R root:nginx /etc/letsencrypt
|
||||
chmod -R 740 /etc/letsencrypt
|
||||
find /etc/letsencrypt -type d -exec chmod 750 {} \;
|
||||
|
||||
# reload nginx
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
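Review bot: `certbot renew` is invoked without `--http-01-port 8080` while the script has just freed only port 8080 (the `#listen 0.0.0.0:8080;` toggle in the preceding `@ -9,9 +9,9 @@` hunk); certbot normally persists the port from the initial `certonly --http-01-port 8080` in the renewal config, but that is not visible from this commit and should be confirmed, since a renewal that binds 80 instead would fail silently here. Adding `--http-01-port 8080` explicitly, or a comment `# http-01 port comes from the saved renewal config (certonly --http-01-port 8080)`, pins the assumption. The script's exit paths also re-enable the 8080 listener only on the success path that is visible here; if `certbot renew` fails the enclosing control flow, which starts outside the hunk, should still restore the listener.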
|
|
|
@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" |
|
|||
while read entry ; do
|
||||
echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
|
||||
done
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
|
|
|
@ -5,7 +5,7 @@ URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz"
|
|||
wget -O /etc/nginx/geoip.mmdb.gz "$URL" > /dev/null 2>&1
|
||||
if [ -f /etc/nginx/geoip.mmdb.gz ] ; then
|
||||
gunzip -f /etc/nginx/geoip.mmdb.gz
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -5,6 +5,6 @@ curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\
|
|||
while read entry ; do
|
||||
echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
|
||||
done
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
|
|
|
@ -20,6 +20,6 @@ DATA_ESCAPED=$(echo "$DATA" | sed 's: :\\\\ :g' | sed 's:\\\\ yes;: yes;:g' | se
|
|||
cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA_ESCAPED"
|
||||
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
if [ -f /tmp/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
||||
|
|