custom conf - docker

florian 2022-07-01 13:34:17 +02:00
parent a5457a164c
commit e25babe3d2
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
4 changed files with 59 additions and 20 deletions

@ -93,7 +93,11 @@ volumes:
!!! warning
BunkerWeb runs as an **unprivileged user with UID 101 and GID 101** inside the container. The reason behind this is the security : in case a vulnerability is exploited, the attacker won't have full root (UID/GID 0) privileges.
But there is a downside : if you use a **local folder for the persistent data**, you will need to **set the correct permissions** so the unprivileged user can write data to it. Something like that should do the trick :
`shell mkdir bw-data && \ chown root:101 bw-data && \ chmod 770 bw-data `
```shell
mkdir bw-data && \
chown root:101 bw-data && \
chmod 770 bw-data
```
Alternatively, if the folder already exists :

@ -1140,7 +1140,35 @@ Some integrations offer a more convenient way of applying configurations for exa
=== "Docker"
When using the [Docker integration](/1.4/integrations/#docker), custom configurations must be written to the volume mounted on /data.
When using the [Docker integration](/1.4/integrations/#docker), you have two choices for adding custom configurations :
- Using specific settings `*_CUSTOM_CONF_*` as environment variable (easiest)
- Writing .conf files to the volume mounted on /data
**Using settings**
The custom setting to use must follow the pattern `<SITE>_CUSTOM_CONF_<TYPE>_<NAME>` :
- `<SITE>` : optional primary server name if multisite mode is enabled and the config must be applied to a specific service
- `<TYPE>` : the type of config, accepted values are `HTTP`, `DEFAULT_SERVER_HTTP`, `SERVER_HTTP`, `MODSEC` and `MODSEC_CRS`
- `<NAME>` : the name of your config without the .conf suffix
Here is a dummy example using a docker-compose file :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.2
environment:
- |
CUSTOM_CONF_SERVER_HTTP_test=
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
...
```
**Using files**
The first thing to do is to create the folders :
```shell
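Review bot: The `<SITE>` bullet does not say which characters a site prefix may contain, while the entrypoint pattern in this commit only accepts `[a-z\.\-]*` in that position. A server name containing digits or uppercase letters will not match, and the loop then hits `continue` without logging anything, so the setting is dropped silently. It is also worth confirming that names containing `.` or `-` survive `compgen -e` and `${!var_name}`, since those characters are not valid in bash variable names. Please document the accepted form of `<SITE>` and `<NAME>`, and add a `<SITE>`-prefixed variant to the example.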
@ -1200,25 +1228,19 @@ Some integrations offer a more convenient way of applying configurations for exa
}" > ./bw-data/configs/server-http/hello-world.conf
```
Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
```shell
chown -R root:101 bw-data && \
chmod -R 770 bw-data
```
When starting the BunkerWeb container, you will need to mount the folder on /data :
When starting the BunkerWeb autoconf container, you will need to mount the folder on /data :
```shell
docker run \
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.2
bunkerity/bunkerweb-autoconf:1.4.2
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.2
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.2
volumes:
- ./bw-data:/data
...
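Review bot: With the `chown -R root:101 bw-data` / `chmod -R 770 bw-data` step removed, this section no longer says anything about ownership of the folder that is bind-mounted on /data. If the autoconf container also runs as the unprivileged UID/GID 101 described elsewhere in these docs, the step is still needed; if it does not, one sentence saying why the permissions change is unnecessary here would keep readers from guessing or from falling back to world-writable permissions.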

@ -46,24 +46,28 @@ fi
if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF_MODE" != "yes" ] ; then
# extract and drop configs
for var_name in $(compgen -v) ; do
extracted=$(echo "$var_name" | | sed -r 's/^([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*)$/\1 \2 \3/g')
for var_name in $(compgen -e) ; do
extracted=$(echo "$var_name" | sed -r 's/^([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*)$/\1 \2 \3/g')
site=$(echo "$extracted" | cut -d ' ' -f 1)
type=$(echo "$extracted" | cut -d ' ' -f 2 | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
type=$(echo "$extracted" | cut -d ' ' -f 2 | grep -E '(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)' | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
name=$(echo "$extracted" | cut -d ' ' -f 3)
if [ "$type" = "" ] ; then
if [ "$type" = "" ] || [ "$name" = "" ] ; then
continue
fi
target="/data/configs/${type}/"
if [ "$site" != "" ] && [ ! -d "/data/configs/${type}/${site}" ] ; then
mkdir "/data/configs/${type}/${site}"
target="${target}/${site}/"
mkdir "$target"
fi
echo "${!var_name}" > "/data/configs/${type}/${site}/${name}.conf"
target="${target}${name}.conf"
log "ENTRYPOINT" "" "Saving custom config to $target ..."
echo "${!var_name}" > "$target"
done
# execute temp nginx with no server
export TEMP_NGINX="yes"
log "ENTRYPOINT" "" "Generating configuration for temp nginx ..."
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
get_env > "/tmp/variables.env"
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
if [ "$?" -ne 0 ] ; then
log "ENTRYPOINT" "❌" "Generator failed"
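Review bot: In the block that builds `target`, the site sub-directory is appended only inside the `[ ! -d "/data/configs/${type}/${site}" ]` branch, so when that directory already exists (a second config for the same site, or a restart with a persistent /data) `target` stays `/data/configs/${type}/` and the site-specific file is written at the global level, where it is no longer scoped to that service. Set `target` whenever `$site` is non-empty and keep only the directory creation conditional (`mkdir -p "$target"` covers both cases and a missing type directory). Separately, `sed 's/_/-/'` replaces only the first underscore, so `DEFAULT_SERVER_HTTP` becomes `default-server_http`; it needs the `g` flag.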
@ -95,7 +99,7 @@ log "ENTRYPOINT" "" "Generating configuration ..."
if [ "$SWARM_MODE" = "yes" ] || [ "$KUBERNETES_MODE" = "yes" ] || [ "$AUTOCONF_MODE" = "yes" ] ; then
export SERVER_NAME=
fi
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
get_env > "/tmp/variables.env"
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
if [ "$?" -ne 0 ] ; then
log "ENTRYPOINT" "❌" "Generator failed"
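Review bot: In swarm, Kubernetes and autoconf mode the extraction loop above is skipped by its `!= "yes"` guard, and `get_env` now filters every `*_CUSTOM_CONF_*` variable out of /tmp/variables.env, so in these modes such a setting is neither written to a file nor passed to the generator, and nothing is logged. Either log a warning when a `*_CUSTOM_CONF_*` variable is present in these modes, or state in the documentation that the setting only applies to the plain Docker integration.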

@ -51,3 +51,12 @@ function log() {
echo "$when $category - $severity - $message"
}
# get only interesting env (var=value)
function get_env() {
for var_name in $(compgen -e) ; do
filter=$(echo -n "$var_name" | sed -r 's/^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME|([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*))$//g')
if [ "$filter" != "" ] ; then
echo "${var_name}=${!var_name}"
fi
done
}
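Review bot: The exclusion regex in `get_env` repeats the `CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)` pattern from the entrypoint loop, so a config type added later has to be changed in both places or its variables will end up in /tmp/variables.env. Keep the pattern in one shared variable defined next to this function. Also, `echo "${var_name}=${!var_name}"` writes values verbatim, so any remaining variable whose value contains a newline produces lines that are not `var=value`; skip such variables or reject them with a log message.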