librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

sitewide auth basic

This commit is contained in:
bunkerity 2020-09-29 23:01:26 +02:00
parent b56e4e765a
commit f3721a50db
3 changed files with 33 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@ -10,8 +10,9 @@ Non-exhaustive list of features :
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Block TOR users, bad user-agents, countries, ...
- Perform automatic DNSBL checks
- Detect bad files with ClamAV
- Based on alpine and compiled from source
- Based on alpine
- Easy to configure with environment variables
# Table of contents
@ -291,6 +292,26 @@ Values : *yes* | *no*
Default value : *no*
Is set to yes, will block TOR clients.
`USE_DNSBL`
Values : *yes* | *no*
Default value : *yes*
If set to yes, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` environment variable.
`DNSBL_LIST`
Values : *\<list of DNS zones separated with spaces\>*
Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*
The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
`DNSBL_RESOLVERS`
Values : *\<two IP addresses separated with a space\>*
Default value : *8.8.8.8 8.8.4.4*
The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
`DNSBL_CACHE`
Values : *\< \>*
Default value : *10m*
The size of the cache used to keep DNSBL responses.
## PHP
`REMOTE_PHP`
Values : *\<any valid IP/hostname\>*

2
confs/auth-basic-sitewide.conf Normal file
View File

@ -0,0 +1,2 @@
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file /etc/nginx/.htpasswd;

13
entrypoint.sh
View File

@ -113,7 +113,7 @@ USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
@ -370,9 +370,14 @@ else
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
fi
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
fi
htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""