various fixes and lua logging
This commit is contained in:
parent
fc3d911ff7
commit
f27d80e0d5
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -4,7 +4,7 @@ local use_whitelist_ip = %USE_WHITELIST_IP%
|
|||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNS%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
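Review bot: `local use_dnsbl = %USE_DNSBL%` is only valid Lua after the entrypoint substitutes the token, and the mismatch this line fixes (`%USE_DNS%` versus whatever the entrypoint replaces) would have left a bare `%USE_DNS%` in the file and failed to parse at request time rather than at container start. A startup guard catches the next such rename: after the substitutions run, something like `grep -lq '%[A-Z_]*%' /opt/lua/*.lua && { echo "[!] unreplaced placeholder in lua config" >&2; exit 1; }` (the path is inferred from the `COPY lua/ /opt/lua` line; adjust to wherever the rendered files live). The surrounding template is top-level code, so nothing here is cut by the hunk boundary.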
|
||||
|
|
|
@ -22,6 +22,8 @@ function trap_exit() {
|
|||
fi
|
||||
echo "[*] Stopping nginx ..."
|
||||
/usr/sbin/nginx -s stop
|
||||
echo "[*] Stopping rsyslogd ..."
|
||||
pkill -TERM rsyslogd
|
||||
pkill -TERM tail
|
||||
}
|
||||
trap "trap_exit" TERM INT
|
||||
|
@ -111,7 +113,7 @@ USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
|
|||
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
|
||||
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
|
||||
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
|
||||
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-20}"
|
||||
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
|
||||
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
|
||||
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
|
||||
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
|
||||
|
@ -143,9 +145,9 @@ PROXY_REAL_IP="${PROXY_REAL_IP-no}"
|
|||
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
|
||||
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
|
||||
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
|
||||
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
|
||||
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
|
||||
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
|
||||
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
|
||||
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
|
||||
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
|
||||
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
|
||||
|
@ -369,7 +371,7 @@ else
|
|||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
if [ "$PROXY_REAL_IP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
|
||||
froms=""
|
||||
for from in $PROXY_REAL_IP_FROM ; do
|
||||
froms="${froms}set_real_ip_from ${from};\n"
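Review bot: The include now written into nginx.conf by `replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"` applies the generated `set_real_ip_from` lines to every server block, yet the loop below builds them from `$PROXY_REAL_IP_FROM` verbatim, so one malformed entry breaks the whole nginx configuration at startup and there is no check that each value is an address or CIDR. With the default trust list covering all of 10/8, 172.16/12 and 192.168/16 together with `X-Forwarded-For` (the defaults hunk above), any host in those ranges — another container on the same bridge network, for instance — can pick the remote_addr that the whitelist, blacklist, DNSBL and fail2ban logic keys on, so the default deserves either a narrower value or a loud note in the docs. Validating each entry before the append, e.g. `case "$from" in *[!0-9a-fA-F:./]*|"") echo "[!] invalid PROXY_REAL_IP_FROM entry: $from" >&2; exit 1;; esac`, is cheap and fails closed. The `for from in $PROXY_REAL_IP_FROM` loop continues past the end of this hunk.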
|
||||
|
@ -378,7 +380,7 @@ if [ "$PROXY_REAL_IP" = "yes" ] ; then
|
|||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
|
||||
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
|
||||
fi
|
||||
|
||||
|
||||
|
|
|
@ -1,28 +1,30 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function ip_cached_ko ()
|
||||
function M.ip_cached_ko ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
|
||||
end
|
||||
|
||||
function reverse_cached_ko ()
|
||||
function M.reverse_cached_ko ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
|
||||
end
|
||||
|
||||
function ip_cached ()
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
|
||||
end
|
||||
|
||||
function reverse_cached ()
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
|
||||
end
|
||||
|
||||
function check_ip ()
|
||||
function M.check_ip ()
|
||||
for k, v in ipairs(ip_list) do
|
||||
if v == ip then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
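Review bot: `local ip = ngx.var.remote_addr` at module top level is evaluated once, when the module is first `require`d in a worker, so with lua_code_cache on (the default) every later request handled by that worker is checked against the first request's address — `M.check_ip`, the four cache helpers and the `"ip " .. ip .. " is in blacklist"` log line would all act on a stale IP. The capture predates this commit (the `require "whitelist"` context line shows the modules were already loaded this way), but turning the files into proper `M` module tables makes the once-per-worker path the normal one, so it is worth fixing here. Read the variable inside each function instead, e.g. `local ip = ngx.var.remote_addr` as the first statement of `M.check_ip` and of each cache helper, or take it as a parameter; the same module-level capture appears in the dns, dnsbl and whitelist modules of this commit. `M.check_ip` continues past the end of this hunk.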
|
||||
|
@ -30,12 +32,13 @@ function check_ip ()
|
|||
return false
|
||||
end
|
||||
|
||||
function check_reverse ()
|
||||
function M.check_reverse ()
|
||||
local rdns = dns.get_reverse()
|
||||
if rdns ~= "" then
|
||||
for k, v in ipairs(reverse_list) do
|
||||
if rdns:sub(-#v) == v then
|
||||
ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "reverse " .. rdns .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
@ -43,3 +46,5 @@ function check_reverse ()
|
|||
ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
return M
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
local M = {}
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local resolvers = {%DNS_RESOLVERS%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function get_reverse()
|
||||
function M.get_reverse()
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
|
||||
|
@ -20,7 +21,7 @@ function get_reverse()
|
|||
return rdns
|
||||
end
|
||||
|
||||
function get_ips(fqdn)
|
||||
function M.get_ips(fqdn)
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
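Review bot: `M.get_ips` returns `""` when the resolver cannot be created, but both callers in this commit iterate the result with `ipairs` (the dnsbl `M.check` loop and the whitelist `M.check_reverse` loop), and `ipairs` on a string raises a Lua error, so a resolver failure becomes a request-time error in whichever phase these checks run instead of a logged miss. Return an empty table, and since the commit is about logging, keep the `err` that `resolver:new` hands back rather than discarding it: `ngx.log(ngx.ERR, "failed to create resolver: ", err)` followed by `return {}`. The same `err` is dropped in `M.get_reverse`; its empty-string return is fine because callers compare against `""`. The body of `M.get_ips` continues past this hunk.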
|
||||
|
@ -35,6 +36,8 @@ function get_ips(fqdn)
|
|||
return ips
|
||||
end
|
||||
|
||||
function ip_to_arpa()
|
||||
function M.ip_to_arpa()
|
||||
return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
|
||||
end
|
||||
|
||||
return M
|
||||
|
|
|
@ -1,24 +1,26 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local dnsbls = {%DNSBL_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function cached_ko ()
|
||||
function M.cached_ko ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) == "ko"
|
||||
end
|
||||
|
||||
function cached ()
|
||||
function M.cached ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) ~= nil
|
||||
end
|
||||
|
||||
function check ()
|
||||
function M.check ()
|
||||
local rip = dns.ip_to_arpa()
|
||||
for k, v in ipairs(dnsbls) do
|
||||
local req = rip .. "." .. v
|
||||
local ips = dns.get_ips(req)
|
||||
for k2, v2 in ipairs(ips) do
|
||||
a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
|
||||
local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
|
||||
if a == "127" then
|
||||
ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in DNSBL " .. v)
|
||||
return true
|
||||
end
|
||||
end
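Review bot: `if a == "127" then` treats every 127.x.x.x answer as a listing, but some DNSBL operators reserve 127.255.255.x answers for error conditions (query refused, volume limits), so a lookup the list rejects would blacklist the client for a day through `ngx.shared.dnsbl_cache:set(ip, "ko", 86400)` on the next line. Check the documented return codes of each list in `dnsbls`, or at minimum skip `b == "255"` answers with an `ngx.log(ngx.ERR, ...)` instead of caching them as ko. Separately, the unescaped dots in `"([%d]+).([%d]+).([%d]+).([%d]+)"` match any character; `"^(%d+)%.(%d+)%.(%d+)%.(%d+)$"` is the intended pattern, and the now-local `a, b, c, d` should be checked for nil before `a == "127"` so a non-IPv4 answer cannot slip through. `M.check` continues past this hunk.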
|
||||
|
@ -26,3 +28,5 @@ function check ()
|
|||
ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
return M
|
||||
|
|
|
@ -1,28 +1,30 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local ip_list = {%WHITELIST_IP_LIST%}
|
||||
local reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function ip_cached_ok ()
|
||||
function M.ip_cached_ok ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
|
||||
end
|
||||
|
||||
function reverse_cached_ok ()
|
||||
function M.reverse_cached_ok ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
|
||||
end
|
||||
|
||||
function ip_cached ()
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
|
||||
end
|
||||
|
||||
function reverse_cached ()
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
|
||||
end
|
||||
|
||||
function check_ip ()
|
||||
function M.check_ip ()
|
||||
for k, v in ipairs(ip_list) do
|
||||
if v == ip then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
end
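Review bot: `if v == ip then` in `M.check_ip` is an exact string comparison, so the whitelist cannot express ranges and an IPv6 entry only matches if it is written in the same form nginx reports for remote_addr (as far as I know, lowercase and compressed) — `2001:DB8::1` in the list would not whitelist `2001:db8::1`. Either normalise entries when `%WHITELIST_IP_LIST%` is rendered or document that entries must be literal addresses exactly as nginx prints them. On logging, a whitelist hit is expected traffic, and `ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")` at WARN will sit next to the genuine blacklist warnings in the same log; ngx.INFO or ngx.NOTICE fits better. The module-level `local ip = ngx.var.remote_addr` has the same once-per-worker capture problem as the other modules in this commit, and `M.check_ip` continues past the end of this hunk.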
|
||||
|
@ -30,7 +32,7 @@ function check_ip ()
|
|||
return false
|
||||
end
|
||||
|
||||
function check_reverse ()
|
||||
function M.check_reverse ()
|
||||
local rdns = dns.get_reverse()
|
||||
if rdns ~= "" then
|
||||
local whitelisted = false
|
||||
|
@ -45,6 +47,7 @@ function check_reverse ()
|
|||
for k, v in ipairs(ips) do
|
||||
if v == ip then
|
||||
ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.WARN, "reverse " .. rdns .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
@ -53,3 +56,5 @@ function check_reverse ()
|
|||
ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
return M
|
||||
|
|