various bug fixes related to Swarm

This commit is contained in:
bunkerity 2021-06-06 23:22:33 +02:00
parent 678ad70b01
commit fcc6b3b5e4
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
17 changed files with 162 additions and 97 deletions

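--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,26 @@
+# Changelog
+## v1.2.6 - 2021/06/06
+- Move from "ghetto-style" shell scripts to generic jinja2 templating
+- Init work on a basic plugins system
+- Move ClamAV to external plugin
+- Reduce image size by removing unnecessary dependencies
+- Fix CrowdSec example
+- Change some global variables to multisite
+- Add LOG_LEVEL environment variable
+- Read-only container support
+- Improved antibot javascript with a basic proof of work
+- Update nginx to 1.20.1
+- Support of docker-socket-proxy with web UI
+- Add certbot-cloudflare example
+- Disable DNSBL checks when IP is local
+## v1.2.5 - 2021/05/14
+- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
+- Init work on official documentation on readthedocs
+- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
+- Add ROOT_SITE_SUBFOLDER environment variable
+## TODO - retrospective changelog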


@ -1,4 +1,3 @@
# TODO : hard tests, jobs if swarm mode, check state when generating env, ...
from Config import Config
import utils
import os
@ -94,13 +93,9 @@ class AutoConf :
if self.__swarm and len(self.__instances) == 1 :
if self.__config.generate(self.__env) :
utils.log("[*] Initial config succeeded")
with open("/etc/nginx/autoconf", "w") as f :
f.write("ok")
if not self.__config.swarm_wait(self.__instances) :
utils.log("[!] Removing bunkerized-nginx instances from list")
del self.__instances[id]
os.remove("/etc/nginx/autoconf")
else :
utils.log("[!] Initial config failed")
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
@ -118,11 +113,6 @@ class AutoConf :
elif event == "destroy" or event == "remove" :
del self.__instances[id]
self.__gen_env()
if self.__swarm and len(self.__instances) == 0 :
with open("/etc/crontabs/nginx", "w") as f :
f.write("")
if os.path.exists("/etc/nginx/autoconf") :
os.remove("/etc/nginx/autoconf")
utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
def __process_server(self, instance, event, id, name, labels) :
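Review bot: In the `swarm_wait` failure branch the instance is deleted from `self.__instances` but execution falls through to the `bunkerized-nginx instance created` log, and the `/etc/nginx/autoconf` marker that `swarm_wait` now writes before waiting is no longer removed here; the second hunk also drops the reset of the crontab and marker when the last instance disappears. The net effect is that a stale "ok" marker can outlive a failed or fully removed deployment — if the nginx entrypoint keys on that file (not visible in this commit), a new task could start against a config that has not been regenerated. Add `return` (or a distinct `[!] Initial config aborted` log) after the `del`, and remove the marker on that path. The enclosing method begins outside this hunk.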


@ -9,8 +9,26 @@ class Config :
self.__swarm = swarm
self.__api = api
def __jobs(self) :
utils.log("[*] Starting jobs ...")
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True)
stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("ascii")
if stdout != "" :
utils.log("[*] Jobs stdout :")
utils.log(stdout)
if stderr != "" :
utils.log("[!] Jobs stderr :")
utils.log(stderr)
if proc.returncode != 0 :
utils.log("[!] Jobs error : return code != 0")
return False
return True
def swarm_wait(self, instances) :
try :
with open("/etc/nginx/autoconf", "w") as f :
f.write("ok")
utils.log("[*] Waiting for bunkerized-nginx tasks ...")
i = 1
started = False
@ -23,16 +41,7 @@ class Config :
utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
if started :
utils.log("[*] bunkerized-nginx tasks started")
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True)
stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("ascii")
if stdout != "" :
for line in stdout.split("\n") :
utils.log("[*] Jobs output : " + stdout)
if stderr != "" :
for line in stderr.split("\n") :
utils.log("[!] Jobs error : " + stderr)
return proc.returncode == 0
return True
else :
utils.log("[!] bunkerized-nginx tasks are not started")
except Exception as e :
@ -52,15 +61,17 @@ class Config :
# Print stdout/stderr
stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("ascii")
if stdout != "":
for line in stdout.split("\n") :
utils.log("[*] Generator output : " + stdout)
if stdout != "" :
utils.log("[*] Generator output :")
utils.log(stdout)
if stderr != "" :
for line in stderr.split("\n") :
utils.log("[*] Generator error : " + stderr)
utils.log("[*] Generator error :")
utils.log(error)
# We're done
if proc.returncode == 0 :
if self.__swarm :
return self.__jobs()
return True
utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode))
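Review bot: `utils.log(error)` on the generator stderr path references a name that does not exist in this scope — the decoded text is `stderr` — so any generator run that writes to stderr now raises `NameError` before the return-code check instead of logging a warning; change it to `utils.log(stderr)`. Separately, `proc.stdout.decode("ascii")` / `proc.stderr.decode("ascii")` in both `__jobs` and this block raise `UnicodeDecodeError` on the first non-ASCII byte in job or generator output (curl, certbot and upstream list contents are not guaranteed ASCII), which would likewise escape as an exception; `decode("utf-8", errors="replace")` is the safe choice for log text. The `generate` method starts outside this hunk.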


@ -9,7 +9,6 @@ if [ "$?" -ne 0 ] ; then
fi
if [ "$SWARM_MODE" = "yes" ] ; then
cp -r /opt/confs/nginx/* /etc/nginx
chown -R root:nginx /etc/nginx
chmod -R 770 /etc/nginx
fi
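Review bot: Whichever of `chown -R root:nginx /etc/nginx` and `chmod -R 770 /etc/nginx` is the surviving line (the rendering does not show which one this hunk removes), a recursive 770 makes every generated config file group-writable and executable by the `nginx` group, while the swarm example in this same commit mounts that directory read-only on the nginx service — the intent appears to be read-only for nginx, which `chmod -R u=rwX,g=rX,o= /etc/nginx` (750 directories, 640 files) expresses more tightly. `cp -r /opt/confs/nginx/* /etc/nginx` also skips dotfiles because of the glob; `cp -a /opt/confs/nginx/. /etc/nginx` copies the tree as-is.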

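--- /dev/null
+++ b/confs/global/fastcgi.conf
@@ -0,0 +1,25 @@
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;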
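Review bot: `SCRIPT_FILENAME` is built from `$document_root$fastcgi_script_name` with no `fastcgi_split_path_info` or `PATH_INFO` parameter, so the location that includes this file must itself prevent the classic PHP path-confusion where `/uploads/x.jpg/y.php` is handed to PHP-FPM as a script when `cgi.fix_pathinfo=1`; that location is not part of this commit, so I cannot confirm it does. A header comment here such as `# the including location must add: try_files $fastcgi_script_name =404;` (or set `PATH_INFO` from `fastcgi_split_path_info`) would keep the contract visible to whoever reuses this file.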


@ -2,5 +2,10 @@ server {
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %};
server_name _;
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
{% if USE_API == "yes" %}
location ^~ {{ API_URI }} {
include /etc/nginx/api.conf;
}
{% endif %}
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
}
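Review bot: `{{ API_URI }}` is interpolated unescaped into the `location ^~` directive, so a value containing whitespace, `;`, `{` or `}` either breaks the rendered config or injects directives into the default server; unless the generator validates `API_URI` against a strict pattern (not visible in this commit), add that check or at least a template comment `{# API_URI must be a plain URI path, validated by the generator #}`. The API block also sits on the catch-all `server_name _` listener bound to `0.0.0.0`, so within this file its only protection is the secrecy of the path — restricting it with `allow`/`deny` to the autoconf network inside `api.conf` (not shown) would turn a guessable URI into a non-issue.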


@ -14,7 +14,7 @@ Any environment variable tagged as *multisite* context can be used for a specifi
`SERVER_NAME`
Values : *<first name> <second name> ...*
Default value : *www.bunkerity.com*
Context : *global*
Context : *global*, *multisite*
Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.
Useful when used with `MULTISITE=yes` and/or `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
@ -55,7 +55,7 @@ The IP addresses of the DNS resolvers to use when performing DNS lookups.
Values : *\<any valid path to web files\>*
Default value : */www*
Context : *global*
The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
The default folder where nginx will search for web files. Don't change it unless you know what you are doing.
`ROOT_SITE_SUBFOLDER`
Values : *\<any valid directory name\>*
@ -115,12 +115,12 @@ List of header to remove when sending responses to clients.
### Custom error pages
`ERROR_XXX`
Values : *\<relative path to the error page\>*
`ERRORS`
Values : *\<error1=/page1 error2=/page2\>*
Default value :
Context : *global*, *multisite*
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace errorX with HTTP code.
Example : `ERRORS=404=/404.html 403=/403.html` the /404.html page will be displayed when 404 code is generated (same for 403 and /403.html page). The path is relative to the root web folder.
### HTTP basic authentication
@ -431,55 +431,55 @@ Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
`GENERATE_SELF_SIGNED_SSL`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Context : *global*, *multisite*
If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
`SELF_SIGNED_SSL_EXPIRY`
Values : *integer*
Default value : *365* (1 year)
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the expiry date for the self generated certificate.
`SELF_SIGNED_SSL_COUNTRY`
Values : *text*
Default value : *Switzerland*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the country for the self generated certificate.
`SELF_SIGNED_SSL_STATE`
Values : *text*
Values : *text*, *multisite*
Default value : *Switzerland*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the state for the self generated certificate.
`SELF_SIGNED_SSL_CITY`
Values : *text*
Default value : *Bern*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the city for the self generated certificate.
`SELF_SIGNED_SSL_ORG`
Values : *text*
Default value : *AcmeInc*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisation name for the self generated certificate.
`SELF_SIGNED_SSL_OU`
Values : *text*
Default value : *IT*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the organisitional unit for the self generated certificate.
`SELF_SIGNED_SSL_CN`
Values : *text*
Default value : *bunkerity-nginx*
Context : *global*
Context : *global*, *multisite*
Needs `GENERATE_SELF_SIGNED_SSL` to work.
Sets the CN server name for the self generated certificate.
@ -625,13 +625,13 @@ The minimum score required when `USE_ANTIBOT` is set to *recaptcha*.
`ANTIBOT_RECAPTCHA_SITEKEY`
Values : *\<public key given by Google\>*
Default value :
Context : *global*
Context : *global*, *multisite*
The sitekey given by Google when `USE_ANTIBOT` is set to *recaptcha*.
`ANTIBOT_RECAPTCHA_SECRET`
Values : *\<private key given by Google\>*
Default value :
Context : *global*
Context : *global*, *multisite*
The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
### External blacklists
@ -682,7 +682,7 @@ If set to *yes*, DNSBL checks will be performed to the servers specified in the
`DNSBL_LIST`
Values : *\<list of DNS zones separated with spaces\>*
Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*
Context : *global*
Context : *global*, *multisite*
The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
### CrowdSec
@ -716,7 +716,7 @@ If set to *yes*, lets you define custom IP addresses to be whitelisted through t
`WHITELIST_IP_LIST`
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*
Context : *global*
Context : *global*, *multisite*
The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
`USE_WHITELIST_REVERSE`
@ -728,7 +728,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be whitelisted t
`WHITELIST_REVERSE_LIST`
Values : *\<list of reverse DNS suffixes separated with spaces\>*
Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net*
Context : *global*
Context : *global*, *multisite*
The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
`WHITELIST_USER_AGENT`
@ -754,7 +754,7 @@ If set to *yes*, lets you define custom IP addresses to be blacklisted through t
`BLACKLIST_IP_LIST`
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
Default value :
Context : *global*
Context : *global*, *multisite*
The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
`USE_BLACKLIST_REVERSE`
@ -766,7 +766,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be blacklisted t
`BLACKLIST_REVERSE_LIST`
Values : *\<list of reverse DNS suffixes separated with spaces\>*
Default value : *.shodan.io*
Context : *global*
Context : *global*, *multisite*
The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is set to *yes*.
### Requests limiting
@ -856,25 +856,25 @@ If set to yes, bunkerized-nginx will block users getting too much "suspicious" H
`BAD_BEHAVIOR_STATUS_CODES`
Values : *\<HTTP status codes separated with space\>*
Default value : *400 401 403 404 405 429 444*
Context : *global*
Context : *global*, *multisite*
List of HTTP status codes considered as "suspicious".
`BAD_BEHAVIOR_THRESHOLD`
Values : *<any positive integer>*
Default value : *10*
Context : *global*
Context : *global*, *multisite*
The number of "suspicious" HTTP status code before the corresponding IP is banned.
`BAD_BEHAVIOR_BAN_TIME`
Values : *<any positive integer>*
Default value : *86400*
Context : *global*
Context : *global*, *multisite*
The duration time (in seconds) of a ban when the corresponding IP has reached the `BAD_BEHAVIOR_THRESHOLD`.
`BAD_BEHAVIOR_COUNT_TIME`
Values : *<any positive integer>*
Default value : *60*
Context : *global*
Context : *global*, *multisite*
The duration time (in seconds) before the counter of "suspicious" HTTP is reset.
## misc


@ -8,18 +8,18 @@ if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COU
if [ -f "/cache/geoip.mmdb" ] ; then
echo "[*] Copying cached geoip.mmdb ..."
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
else
echo "[*] Downloading GeoIP database (in background) ..."
/opt/scripts/geoip.sh > /dev/null 2>&1 &
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
echo "[*] Downloading GeoIP database ..."
/opt/scripts/geoip.sh > /dev/null 2>&1
fi
fi
# User-Agents
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
if [ -f "/cache/user-agents.list" ] ; then
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached user-agents.list ..."
cp /cache/user-agents.list /etc/nginx/user-agents.list
else
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
echo "[*] Downloading bad user-agent list (in background) ..."
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
fi
@ -27,10 +27,10 @@ fi
# Referrers
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
if [ -f "/cache/referrers.list" ] ; then
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached referrers.list ..."
cp /cache/referrers.list /etc/nginx/referrers.list
else
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
echo "[*] Downloading bad referrer list (in background) ..."
/opt/scripts/referrers.sh > /dev/null 2>&1 &
fi
@ -38,10 +38,10 @@ fi
# exit nodes
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
if [ -f "/cache/tor-exit-nodes.list" ] ; then
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached tor-exit-nodes.list ..."
cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
else
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
echo "[*] Downloading tor exit nodes list (in background) ..."
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
fi
@ -49,10 +49,10 @@ fi
# proxies
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
if [ -f "/cache/proxies.list" ] ; then
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached proxies.list ..."
cp /cache/proxies.list /etc/nginx/proxies.list
else
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
echo "[*] Downloading proxies list (in background) ..."
/opt/scripts/proxies.sh > /dev/null 2>&1 &
fi
@ -60,10 +60,10 @@ fi
# abusers
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
if [ -f "/cache/abusers.list" ] ; then
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
echo "[*] Copying cached abusers.list ..."
cp /cache/abusers.list /etc/nginx/abusers.list
else
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
echo "[*] Downloading abusers list (in background) ..."
/opt/scripts/abusers.sh > /dev/null 2>&1 &
fi
@ -105,6 +105,9 @@ fi
files=$(has_value AUTO_LETS_ENCRYPT yes)
if [ "$files" != " " ] ; then
for file in $files ; do
if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then
continue
fi
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
@ -112,6 +115,5 @@ if [ "$files" != " " ] ; then
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
fi
/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT"
done
fi
fi
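Review bot: The new `elif [ "$(ps aux | grep "abusers\.sh")" = "" ]` guards (one per list) skip the download whenever any process command line contains the script name, including unrelated ones, and they skip silently — nothing is logged and the list file simply stays absent, so a blocklist the operator enabled is not in force. A per-job lock (`flock -n /tmp/abusers.lock /opt/scripts/abusers.sh > /dev/null 2>&1 &`) is race-free and self-cleaning, and an `else echo "[!] abusers.sh already running, skipping"` branch would at least make the skip visible. In the Let's Encrypt loop `$file` is unquoted in both `sed` calls; quote it (`"$file"`) and escape the dot in `grep 'site\.env$'` so an unrelated `site-env` path is not matched.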


@ -3,8 +3,8 @@
# you need to run it before starting bunkerized-nginx to get the first certificate
# edit according to your values
DOMAINS="kakou-corp.fr,*.kakou-corp.fr"
EMAIL="contact@kakou-corp.fr"
DOMAINS="website.com,*.website.com"
EMAIL="contact@website.com"
SERVICE="mywww"
# ask for the certificate


@ -11,6 +11,7 @@ services:
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt
- /shared/acme-challenge:/acme-challenge
- /shared/cache:/cache
environment:
- SWARM_MODE=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
@ -36,10 +37,11 @@ services:
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- /shared/confs:/etc/nginx
- /shared/confs:/etc/nginx:ro
- /shared/letsencrypt:/etc/letsencrypt:ro
- /shared/acme-challenge:/acme-challenge:ro
- /shared/www:/www:ro
- /shared/cache:/cache:ro
environment:
- SWARM_MODE=yes
- USE_API=yes
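Review bot: The new `/shared/cache:/cache` mount, like the existing `/shared/confs` and `/shared/letsencrypt` ones, is a host bind mount, which is node-local in a multi-node swarm: an nginx task scheduled on a different node than the autoconf service reads empty or stale directories, and nothing in this hunk constrains placement (if constraints exist elsewhere in the file they are outside my view). Add a comment such as `# these host paths must be shared storage (NFS/GlusterFS) or both services pinned to one node` so readers do not deploy with silently divergent config. Mounting `/etc/nginx` and `/cache` read-only on the nginx service is the right move now that the jobs run from the autoconf side.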


@ -49,7 +49,7 @@ if __name__ == "__main__" :
variables = utils.load_variables(args.variables)
configurator.load_variables(variables)
config = configurator.get_config()
print(config)
#print(config)
# Remove old config
for filename in os.listdir(args.output):
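Review bot: `#print(config)` should be deleted rather than commented out; the line invites being re-enabled, and the dump it produced wrote the full rendered configuration — which can include values such as `ANTIBOT_RECAPTCHA_SECRET` or basic-auth settings from the variables file — to stdout where container logs collect it. If a debug dump is wanted, gate it on the `LOG_LEVEL` variable this release introduces rather than a comment toggle. The surrounding `__main__` block continues outside the hunk.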


@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
fi
# copy old conf to cache
cp /etc/nginx/abusers.list /cache
cp /etc/nginx/abusers.list /tmp/abusers.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \
@ -31,24 +31,25 @@ lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] abusers list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/abusers.list /etc/nginx/abusers.list
cp /tmp/abusers.list /etc/nginx/abusers.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/abusers.list /cache
cp /tmp/abusers.list /cache
job_log "[NGINX] successfull nginx reload after abusers list update"
else
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
cp /cache/abusers.list /etc/nginx
#cp /tmp/abusers.list.bak /etc/nginx
$RELOAD > /dev/null 2>&1
fi
else
cp /etc/nginx/abusers.list /cache
cp /tmp/abusers.list /cache
fi
else
job_log "[BLACKLIST] can't update abusers list"
fi
rm -f /tmp/abusers.list 2> /dev/null
rm -f /tmp/abusers.list.bak 2> /dev/null
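Review bot: The restore in the failed-reload branch is now a comment (`#cp /tmp/abusers.list.bak /etc/nginx`), so when nginx rejects the new list the broken file stays in `/etc/nginx/abusers.list` and the second `$RELOAD` is retried against it, while `job_log` still claims `fallback to old list`. Either restore the backup before that reload (`cp /tmp/abusers.list.bak /etc/nginx/abusers.list`) or change the message; as written, one bad upstream fetch leaves nginx unreloadable until the next successful run, and the `.bak` is then deleted unused at the end.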


@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
fi
# copy old conf to cache
cp /etc/nginx/tor-exit-nodes.list /cache
cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \
@ -31,23 +31,24 @@ lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/tor-exit-nodes.list /cache
cp /tmp/tor-exit-nodes.list /cache
job_log "[NGINX] successfull nginx reload after TOR exit node list update"
else
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
cp /cache/tor-exit-nodes.list /etc/nginx
#cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list
$RELOAD > /dev/null 2>&1
fi
else
cp /etc/nginx/tor-exit-nodes.list /cache
cp /tmp/tor-exit-nodes.list /cache
fi
else
job_log "[BLACKLIST] can't update TOR exit node list"
fi
rm -f /tmp/tor-exit-nodes.list 2> /dev/null
rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null
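Review bot: Commenting out `cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list` removes the only recovery path in the failed-reload branch: the rejected list remains in place, `$RELOAD` is run a second time against the same file, and the log line `fallback to old list` no longer describes what happens. Re-enable the copy before the second `$RELOAD`, or drop the misleading message and the now-pointless `.bak` copy at the top of the script.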


@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
fi
# copy old conf to cache
cp /etc/nginx/proxies.list /cache
cp /etc/nginx/proxies.list /tmp/proxies.list.bak
# generate the new conf
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \
@ -31,24 +31,25 @@ lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
job_log "[BLACKLIST] proxies list updated ($lines entries)"
# reload nginx with the new config
mv /tmp/proxies.list /etc/nginx/proxies.list
cp /tmp/proxies.list /etc/nginx/proxies.list
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
# new config is ok : save it in the cache
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/proxies.list /cache
cp /tmp/proxies.list /cache
job_log "[NGINX] successfull nginx reload after proxies list update"
else
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
cp /cache/proxies.list /etc/nginx
#cp /tmp/proxies.list.bak /etc/nginx
$RELOAD > /dev/null 2>&1
fi
else
cp /etc/nginx/proxies.list /cache
cp /tmp/proxies.list /cache
fi
else
job_log "[BLACKLIST] can't update proxies list"
fi
rm -f /tmp/proxies.list 2> /dev/null
rm -f /tmp/proxies.list.bak 2> /dev/null
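Review bot: With `#cp /tmp/proxies.list.bak /etc/nginx` commented out, a reload failure leaves the rejected proxies list in `/etc/nginx` and retries `$RELOAD` against it, so the branch does the opposite of its `fallback to old list` log message. Restore the backup (`cp /tmp/proxies.list.bak /etc/nginx/proxies.list`) before the second reload, or remove both the message and the unused `.bak` copy; the cache only holds the new list after a successful reload, so it cannot serve as the fallback either.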


@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
fi
# save old conf
cp /etc/nginx/referrers.list /cache
cp /etc/nginx/referrers.list /tmp/referrers.list.bak
# generate new conf
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')"
@ -34,23 +34,24 @@ fi
# check number of lines
lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
mv /tmp/referrers.list /etc/nginx/referrers.list
cp /tmp/referrers.list /etc/nginx/referrers.list
job_log "[BLACKLIST] referrers list updated ($lines entries)"
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/referrers.list /cache
cp /tmp/referrers.list /cache
job_log "[NGINX] successfull nginx reload after referrers list update"
else
cp /cache/referrers.list /etc/nginx
#cp /tmp/referrers.list.bak /etc/nginx
job_log "[NGINX] failed nginx reload after referrers list update fallback to old list"
$RELOAD > /dev/null 2>&1
fi
else
cp /etc/nginx/referrers.list /cache
cp /tmp/referrers.list /cache
fi
else
job_log "[BLACKLIST] can't update referrers list"
fi
rm -f /tmp/referrers.list 2> /dev/null
rm -f /tmp/referrers.list.bak 2> /dev/null
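Review bot: The failed-reload branch no longer restores anything — `#cp /tmp/referrers.list.bak /etc/nginx` is a comment — so the rejected referrers list stays active in `/etc/nginx` and the second `$RELOAD` fails the same way, contradicting the `fallback to old list` log. Put the copy back (`cp /tmp/referrers.list.bak /etc/nginx/referrers.list`) ahead of that reload, or change the message so the log is not claiming a recovery that did not occur.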


@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
fi
# save old conf
cp /etc/nginx/user-agents.list /cache
cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak
# generate new conf
BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')"
@ -34,23 +34,24 @@ fi
# check number of lines
lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)"
if [ "$lines" -gt 1 ] ; then
mv /tmp/user-agents.list /etc/nginx/user-agents.list
cp /tmp/user-agents.list /etc/nginx/user-agents.list
job_log "[BLACKLIST] user-agent list updated ($lines entries)"
if [ "$RELOAD" != "" ] ; then
$RELOAD > /dev/null 2>&1
if [ "$?" -eq 0 ] ; then
cp /etc/nginx/user-agents.list /cache
cp /tmp/user-agents.list /cache
job_log "[NGINX] successfull nginx reload after user-agent list update"
else
cp /cache/user-agents.list /etc/nginx
#cp /tmp/user-agents.list.bak /etc/nginx
job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list"
$RELOAD > /dev/null 2>&1
fi
else
cp /etc/nginx/user-agents.list /cache
cp /tmp/user-agents.list /cache
fi
else
job_log "[BLACKLIST] can't update user-agent list"
fi
rm -f /tmp/user-agents.list 2> /dev/null
rm -f /tmp/user-agents.list.bak 2> /dev/null
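Review bot: Since `cp /tmp/user-agents.list.bak /etc/nginx` is now commented out, a reload rejected because of a bad user-agent list leaves that list in `/etc/nginx/user-agents.list` and simply re-runs `$RELOAD` on it, while the log still says `fallback to old list`. Either restore the `.bak` before the second reload (`cp /tmp/user-agents.list.bak /etc/nginx/user-agents.list`) or correct the message; note this list is built from two upstream sources with `sed` rewriting, so a malformed Lua pattern slipping through is a realistic trigger.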


@ -884,7 +884,7 @@
"env": "REMOTE_PHP",
"id": "remote-php",
"label": "Remote php",
"regex": "^([a-z\\-0-9]+\\.?)*$",
"regex": "^([a-z\\-0-9\\_]+\\.?)*$",
"type": "text"
},
{
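Review bot: The widened pattern `^([a-z\\-0-9\\_]+\\.?)*$` nests a `+` inside a `*` with only an optional separator between repetitions, the `(x+)*` shape that backtracks exponentially on input such as a long run of letters followed by a character outside the class; since this validates a value submitted through the web UI, a single request can pin the validating process, assuming a backtracking engine like Python `re` or JavaScript is what evaluates these settings regexes (hedged, the consumer is not in this hunk). `\\_` is also an unnecessary escape that JavaScript rejects under the `u` flag and Python warns about. `"^[a-z0-9_-]+(\\.[a-z0-9_-]+)*\\.?$"` accepts the same host names without the ambiguity; the one difference is that the original also matches the empty string, which may or may not be intended.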