various bug fixes related to Swarm
parent
678ad70b01
commit
fcc6b3b5e4
|
@ -0,0 +1,26 @@
|
|||
# Changelog
|
||||
|
||||
## v1.2.6 - 2021/06/06
|
||||
|
||||
- Move from "ghetto-style" shell scripts to generic jinja2 templating
|
||||
- Init work on a basic plugins system
|
||||
- Move ClamAV to external plugin
|
||||
- Reduce image size by removing unnecessary dependencies
|
||||
- Fix CrowdSec example
|
||||
- Change some global variables to multisite
|
||||
- Add LOG_LEVEL environment variable
|
||||
- Read-only container support
|
||||
- Improved antibot javascript with a basic proof of work
|
||||
- Update nginx to 1.20.1
|
||||
- Support of docker-socket-proxy with web UI
|
||||
- Add certbot-cloudflare example
|
||||
- Disable DNSBL checks when IP is local
|
||||
|
||||
## v1.2.5 - 2021/05/14
|
||||
|
||||
- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
|
||||
- Init work on official documentation on readthedocs
|
||||
- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
|
||||
- Add ROOT_SITE_SUBFOLDER environment variable
|
||||
|
||||
## TODO - retrospective changelog
|
|
@ -1,4 +1,3 @@
|
|||
# TODO : hard tests, jobs if swarm mode, check state when generating env, ...
|
||||
from Config import Config
|
||||
import utils
|
||||
import os
|
||||
|
@ -94,13 +93,9 @@ class AutoConf :
|
|||
if self.__swarm and len(self.__instances) == 1 :
|
||||
if self.__config.generate(self.__env) :
|
||||
utils.log("[*] Initial config succeeded")
|
||||
with open("/etc/nginx/autoconf", "w") as f :
|
||||
f.write("ok")
|
||||
if not self.__config.swarm_wait(self.__instances) :
|
||||
utils.log("[!] Removing bunkerized-nginx instances from list")
|
||||
del self.__instances[id]
|
||||
os.remove("/etc/nginx/autoconf")
|
||||
|
||||
else :
|
||||
utils.log("[!] Initial config failed")
|
||||
utils.log("[*] bunkerized-nginx instance created : " + name + " / " + id)
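Review bot: The jobs are run before the swarm tasks are known to be up: `self.__config.generate(self.__env)` on L106 ends with `return self.__jobs()` in swarm mode (see the `generate` hunk further down), and only after that does L118 call `swarm_wait`. If `jobs.sh` needs the nginx tasks (for instance a reload through the API), that attempt happens while they are not yet started; consider running the jobs after a successful `swarm_wait` instead, or have `generate` skip them in swarm mode. The message on L121 announces that instances (plural) are removed, yet only the current `id` is deleted on L124, and `id` shadows the builtin throughout. The enclosing method begins outside the hunk.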
|
||||
|
@ -118,11 +113,6 @@ class AutoConf :
|
|||
elif event == "destroy" or event == "remove" :
|
||||
del self.__instances[id]
|
||||
self.__gen_env()
|
||||
if self.__swarm and len(self.__instances) == 0 :
|
||||
with open("/etc/crontabs/nginx", "w") as f :
|
||||
f.write("")
|
||||
if os.path.exists("/etc/nginx/autoconf") :
|
||||
os.remove("/etc/nginx/autoconf")
|
||||
utils.log("[*] bunkerized-nginx instance removed : " + name + " / " + id)
|
||||
|
||||
def __process_server(self, instance, event, id, name, labels) :
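Review bot: `del self.__instances[id]` on L148 raises `KeyError` whenever the id is not tracked, which is exactly what happens when Docker emits both `destroy` and `remove` for the same container (both reach this branch through L145) or when the instance's `create` was never seen; one unhandled `KeyError` ends event processing. Replace it with `self.__instances.pop(id, None)` and skip the regeneration when nothing was actually removed. Which of the swarm cleanup lines (L154–L166) survive cannot be told from this rendering; if they are the removed side, the `/etc/nginx/autoconf` marker is no longer cleared when the last instance disappears, so a later `create` would see a stale `ok`. The enclosing method begins outside the hunk.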
|
||||
|
|
|
@ -9,8 +9,26 @@ class Config :
|
|||
self.__swarm = swarm
|
||||
self.__api = api
|
||||
|
||||
def __jobs(self) :
|
||||
utils.log("[*] Starting jobs ...")
|
||||
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True)
|
||||
stdout = proc.stdout.decode("ascii")
|
||||
stderr = proc.stderr.decode("ascii")
|
||||
if stdout != "" :
|
||||
utils.log("[*] Jobs stdout :")
|
||||
utils.log(stdout)
|
||||
if stderr != "" :
|
||||
utils.log("[!] Jobs stderr :")
|
||||
utils.log(stderr)
|
||||
if proc.returncode != 0 :
|
||||
utils.log("[!] Jobs error : return code != 0")
|
||||
return False
|
||||
return True
|
||||
|
||||
def swarm_wait(self, instances) :
|
||||
try :
|
||||
with open("/etc/nginx/autoconf", "w") as f :
|
||||
f.write("ok")
|
||||
utils.log("[*] Waiting for bunkerized-nginx tasks ...")
|
||||
i = 1
|
||||
started = False
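Review bot: `proc.stdout.decode("ascii")` and `proc.stderr.decode("ascii")` on L200/L203 raise `UnicodeDecodeError` on the first non-ASCII byte, and `__jobs` is not inside the `try` that `swarm_wait` has, so one accented character in a downloaded list or a certbot message turns a job failure into a traceback out of `generate()`. Decode leniently, `stdout = proc.stdout.decode("utf-8", errors="replace")` (same for stderr), or pass `text=True, errors="replace"` to `subprocess.run`. The call also has no `timeout=`; `jobs.sh` performs network downloads (the blacklist scripts below use `curl -s` with no timeout either), so a stalled download blocks autoconf's event handling indefinitely.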
|
||||
|
@ -23,16 +41,7 @@ class Config :
|
|||
utils.log("[!] Waiting " + str(i) + " seconds before retrying to contact bunkerized-nginx tasks")
|
||||
if started :
|
||||
utils.log("[*] bunkerized-nginx tasks started")
|
||||
proc = subprocess.run(["/bin/su", "-c", "/opt/entrypoint/jobs.sh", "nginx"], capture_output=True)
|
||||
stdout = proc.stdout.decode("ascii")
|
||||
stderr = proc.stderr.decode("ascii")
|
||||
if stdout != "" :
|
||||
for line in stdout.split("\n") :
|
||||
utils.log("[*] Jobs output : " + stdout)
|
||||
if stderr != "" :
|
||||
for line in stderr.split("\n") :
|
||||
utils.log("[!] Jobs error : " + stderr)
|
||||
return proc.returncode == 0
|
||||
return True
|
||||
else :
|
||||
utils.log("[!] bunkerized-nginx tasks are not started")
|
||||
except Exception as e :
|
||||
|
@ -52,15 +61,17 @@ class Config :
|
|||
# Print stdout/stderr
|
||||
stdout = proc.stdout.decode("ascii")
|
||||
stderr = proc.stderr.decode("ascii")
|
||||
if stdout != "":
|
||||
for line in stdout.split("\n") :
|
||||
utils.log("[*] Generator output : " + stdout)
|
||||
if stdout != "" :
|
||||
utils.log("[*] Generator output :")
|
||||
utils.log(stdout)
|
||||
if stderr != "" :
|
||||
for line in stderr.split("\n") :
|
||||
utils.log("[*] Generator error : " + stderr)
|
||||
utils.log("[*] Generator error :")
|
||||
utils.log(error)
|
||||
|
||||
# We're done
|
||||
if proc.returncode == 0 :
|
||||
if self.__swarm :
|
||||
return self.__jobs()
|
||||
return True
|
||||
utils.log("[!] Error while generating site config for " + env["SERVER_NAME"] + " : return code = " + str(proc.returncode))
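Review bot: `utils.log(error)` on L357 references a name that does not exist in this method — the decoded streams are `stdout` and `stderr` (L321/L324) — so the first time the generator writes anything to stderr this raises `NameError` instead of logging it, and the return-code check on L365 is never reached. Change it to `utils.log(stderr)` and tag it as an error like the sibling lines, `utils.log("[!] Generator error :")`. The same `decode("ascii")` calls will raise on non-ASCII generator output; `decode("utf-8", errors="replace")` is the safer form. The method's signature and the `subprocess.run` call are outside the hunk.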
|
||||
|
||||
|
|
|
@ -9,7 +9,6 @@ if [ "$?" -ne 0 ] ; then
|
|||
fi
|
||||
|
||||
if [ "$SWARM_MODE" = "yes" ] ; then
|
||||
cp -r /opt/confs/nginx/* /etc/nginx
|
||||
chown -R root:nginx /etc/nginx
|
||||
chmod -R 770 /etc/nginx
|
||||
fi
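Review bot: `chmod -R 770 /etc/nginx` makes every file under /etc/nginx executable and group-writable, so the whole generated configuration — not only the list files that the `su nginx` jobs rewrite (L1538 and siblings) — can be modified by anything running as group `nginx`; which of the three lines L396–L402 is the one this hunk removes is not recoverable from this rendering, so read this as applying to whichever survive. Tighten to `chmod -R u=rwX,g=rX,o= /etc/nginx` and keep `g+w` only where the jobs have to write (the list files and the directory that receives them). `cp -r /opt/confs/nginx/* /etc/nginx` is also unconditional, so every restart overwrites whatever the shared volume already holds.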
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -2,5 +2,10 @@ server {
|
|||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %};
|
||||
server_name _;
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
|
||||
{% if USE_API == "yes" %}
|
||||
location ^~ {{ API_URI }} {
|
||||
include /etc/nginx/api.conf;
|
||||
}
|
||||
{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
|
||||
}
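Review bot: The API location is added to the catch-all server (`server_name _`, L491) with `^~`, a prefix match that wins over any regex or `/` location, so it is reachable on every Host and — if `multisite-disable-default-server.conf` on L512 works through a catch-all `location` rather than a server-level `return` — even when `DISABLE_DEFAULT_SERVER=yes`; the only visible gate is the secrecy of `API_URI` (the compose example calls it `ChangeMeToSomethingHardToGuess`). Make sure `/etc/nginx/api.conf` (not shown here) restricts the source network with `allow`/`deny all;` rather than relying on the path, and guard the template against an empty value, `{% if USE_API == "yes" and API_URI != "" %}`, because `location ^~  {` is a configuration error that takes the whole server down.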
|
||||
|
|
|
@ -14,7 +14,7 @@ Any environment variable tagged as *multisite* context can be used for a specifi
|
|||
`SERVER_NAME`
|
||||
Values : *<first name> <second name> ...*
|
||||
Default value : *www.bunkerity.com*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.
|
||||
Useful when used with `MULTISITE=yes` and/or `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
|
||||
|
||||
|
@ -55,7 +55,7 @@ The IP addresses of the DNS resolvers to use when performing DNS lookups.
|
|||
Values : *\<any valid path to web files\>*
|
||||
Default value : */www*
|
||||
Context : *global*
|
||||
The default folder where nginx will search for web files. Don't change it unless you want to make your own image.
|
||||
The default folder where nginx will search for web files. Don't change it unless you know what you are doing.
|
||||
|
||||
`ROOT_SITE_SUBFOLDER`
|
||||
Values : *\<any valid directory name\>*
|
||||
|
@ -115,12 +115,12 @@ List of header to remove when sending responses to clients.
|
|||
|
||||
### Custom error pages
|
||||
|
||||
`ERROR_XXX`
|
||||
Values : *\<relative path to the error page\>*
|
||||
`ERRORS`
|
||||
Values : *\<error1=/page1 error2=/page2\>*
|
||||
Default value :
|
||||
Context : *global*, *multisite*
|
||||
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.
|
||||
For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
|
||||
Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace errorX with HTTP code.
|
||||
Example : `ERRORS=404=/404.html 403=/403.html` the /404.html page will be displayed when 404 code is generated (same for 403 and /403.html page). The path is relative to the root web folder.
|
||||
|
||||
### HTTP basic authentication
|
||||
|
||||
|
@ -431,55 +431,55 @@ Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.
|
|||
`GENERATE_SELF_SIGNED_SSL`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
If set to yes, HTTPS will be enabled with a container generated self-signed certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_EXPIRY`
|
||||
Values : *integer*
|
||||
Default value : *365* (1 year)
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the expiry date for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_COUNTRY`
|
||||
Values : *text*
|
||||
Default value : *Switzerland*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the country for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_STATE`
|
||||
Values : *text*
|
||||
Values : *text*, *multisite*
|
||||
Default value : *Switzerland*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the state for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_CITY`
|
||||
Values : *text*
|
||||
Default value : *Bern*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the city for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_ORG`
|
||||
Values : *text*
|
||||
Default value : *AcmeInc*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the organisation name for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_OU`
|
||||
Values : *text*
|
||||
Default value : *IT*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the organisitional unit for the self generated certificate.
|
||||
|
||||
`SELF_SIGNED_SSL_CN`
|
||||
Values : *text*
|
||||
Default value : *bunkerity-nginx*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
Needs `GENERATE_SELF_SIGNED_SSL` to work.
|
||||
Sets the CN server name for the self generated certificate.
|
||||
|
||||
|
@ -625,13 +625,13 @@ The minimum score required when `USE_ANTIBOT` is set to *recaptcha*.
|
|||
`ANTIBOT_RECAPTCHA_SITEKEY`
|
||||
Values : *\<public key given by Google\>*
|
||||
Default value :
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The sitekey given by Google when `USE_ANTIBOT` is set to *recaptcha*.
|
||||
|
||||
`ANTIBOT_RECAPTCHA_SECRET`
|
||||
Values : *\<private key given by Google\>*
|
||||
Default value :
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
|
||||
|
||||
### External blacklists
|
||||
|
@ -682,7 +682,7 @@ If set to *yes*, DNSBL checks will be performed to the servers specified in the
|
|||
`DNSBL_LIST`
|
||||
Values : *\<list of DNS zones separated with spaces\>*
|
||||
Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
|
||||
|
||||
### CrowdSec
|
||||
|
@ -716,7 +716,7 @@ If set to *yes*, lets you define custom IP addresses to be whitelisted through t
|
|||
`WHITELIST_IP_LIST`
|
||||
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
|
||||
Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
|
||||
|
||||
`USE_WHITELIST_REVERSE`
|
||||
|
@ -728,7 +728,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be whitelisted t
|
|||
`WHITELIST_REVERSE_LIST`
|
||||
Values : *\<list of reverse DNS suffixes separated with spaces\>*
|
||||
Default value : *.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The list of reverse DNS suffixes to whitelist when `USE_WHITELIST_REVERSE` is set to *yes*. The default list contains suffixes of major search engines.
|
||||
|
||||
`WHITELIST_USER_AGENT`
|
||||
|
@ -754,7 +754,7 @@ If set to *yes*, lets you define custom IP addresses to be blacklisted through t
|
|||
`BLACKLIST_IP_LIST`
|
||||
Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*
|
||||
Default value :
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
|
||||
|
||||
`USE_BLACKLIST_REVERSE`
|
||||
|
@ -766,7 +766,7 @@ If set to *yes*, lets you define custom reverse DNS suffixes to be blacklisted t
|
|||
`BLACKLIST_REVERSE_LIST`
|
||||
Values : *\<list of reverse DNS suffixes separated with spaces\>*
|
||||
Default value : *.shodan.io*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is set to *yes*.
|
||||
|
||||
### Requests limiting
|
||||
|
@ -856,25 +856,25 @@ If set to yes, bunkerized-nginx will block users getting too much "suspicious" H
|
|||
`BAD_BEHAVIOR_STATUS_CODES`
|
||||
Values : *\<HTTP status codes separated with space\>*
|
||||
Default value : *400 401 403 404 405 429 444*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
List of HTTP status codes considered as "suspicious".
|
||||
|
||||
`BAD_BEHAVIOR_THRESHOLD`
|
||||
Values : *<any positive integer>*
|
||||
Default value : *10*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The number of "suspicious" HTTP status code before the corresponding IP is banned.
|
||||
|
||||
`BAD_BEHAVIOR_BAN_TIME`
|
||||
Values : *<any positive integer>*
|
||||
Default value : *86400*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The duration time (in seconds) of a ban when the corresponding IP has reached the `BAD_BEHAVIOR_THRESHOLD`.
|
||||
|
||||
`BAD_BEHAVIOR_COUNT_TIME`
|
||||
Values : *<any positive integer>*
|
||||
Default value : *60*
|
||||
Context : *global*
|
||||
Context : *global*, *multisite*
|
||||
The duration time (in seconds) before the counter of "suspicious" HTTP is reset.
|
||||
|
||||
## misc
|
||||
|
|
|
@ -8,18 +8,18 @@ if [ "$(has_value BLACKLIST_COUNTRY .+)" != "" ] || [ "$(has_value WHITELIST_COU
|
|||
if [ -f "/cache/geoip.mmdb" ] ; then
|
||||
echo "[*] Copying cached geoip.mmdb ..."
|
||||
cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
|
||||
else
|
||||
echo "[*] Downloading GeoIP database (in background) ..."
|
||||
/opt/scripts/geoip.sh > /dev/null 2>&1 &
|
||||
elif [ "$(ps aux | grep "geoip\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading GeoIP database ..."
|
||||
/opt/scripts/geoip.sh > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
|
||||
# User-Agents
|
||||
if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
|
||||
if [ -f "/cache/user-agents.list" ] ; then
|
||||
if [ -f "/cache/user-agents.list" ] && [ "$(wc -l /cache/user-agents.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached user-agents.list ..."
|
||||
cp /cache/user-agents.list /etc/nginx/user-agents.list
|
||||
else
|
||||
elif [ "$(ps aux | grep "user-agents\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad user-agent list (in background) ..."
|
||||
/opt/scripts/user-agents.sh > /dev/null 2>&1 &
|
||||
fi
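Review bot: The new cache check on L1129 (`wc -l ... -gt 1`) combined with the `elif` on L1141 leaves a gap: when the cached list is missing or has at most one line and a `user-agents.sh` download is already running, neither branch runs, so nothing is placed at `/etc/nginx/user-agents.list` and the running download is simply assumed to finish; if the generated config includes that file (not visible here), nginx cannot start until it does. Either wait for the running download or copy the short cached file anyway as a placeholder. `ps aux | grep "user-agents\.sh"` also matches any process whose command line merely contains the name; `pgrep -f user-agents.sh` is the usual replacement. The same pattern is repeated for the referrers, tor-exit-nodes, proxies and abusers blocks in the following hunks.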
|
||||
|
@ -27,10 +27,10 @@ fi
|
|||
|
||||
# Referrers
|
||||
if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
|
||||
if [ -f "/cache/referrers.list" ] ; then
|
||||
if [ -f "/cache/referrers.list" ] && [ "$(wc -l /cache/referrers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached referrers.list ..."
|
||||
cp /cache/referrers.list /etc/nginx/referrers.list
|
||||
else
|
||||
elif [ "$(ps aux | grep "referrers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading bad referrer list (in background) ..."
|
||||
/opt/scripts/referrers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
|
@ -38,10 +38,10 @@ fi
|
|||
|
||||
# exit nodes
|
||||
if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
|
||||
if [ -f "/cache/tor-exit-nodes.list" ] ; then
|
||||
if [ -f "/cache/tor-exit-nodes.list" ] && [ "$(wc -l /cache/tor-exit-nodes.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached tor-exit-nodes.list ..."
|
||||
cp /cache/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
else
|
||||
elif [ "$(ps aux | grep "exit-nodes\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading tor exit nodes list (in background) ..."
|
||||
/opt/scripts/exit-nodes.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
|
@ -49,10 +49,10 @@ fi
|
|||
|
||||
# proxies
|
||||
if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
|
||||
if [ -f "/cache/proxies.list" ] ; then
|
||||
if [ -f "/cache/proxies.list" ] && [ "$(wc -l /cache/proxies.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached proxies.list ..."
|
||||
cp /cache/proxies.list /etc/nginx/proxies.list
|
||||
else
|
||||
elif [ "$(ps aux | grep "proxies\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading proxies list (in background) ..."
|
||||
/opt/scripts/proxies.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
|
@ -60,10 +60,10 @@ fi
|
|||
|
||||
# abusers
|
||||
if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
|
||||
if [ -f "/cache/abusers.list" ] ; then
|
||||
if [ -f "/cache/abusers.list" ] && [ "$(wc -l /cache/abusers.list | cut -d ' ' -f 1)" -gt 1 ] ; then
|
||||
echo "[*] Copying cached abusers.list ..."
|
||||
cp /cache/abusers.list /etc/nginx/abusers.list
|
||||
else
|
||||
elif [ "$(ps aux | grep "abusers\.sh")" = "" ] ; then
|
||||
echo "[*] Downloading abusers list (in background) ..."
|
||||
/opt/scripts/abusers.sh > /dev/null 2>&1 &
|
||||
fi
|
||||
|
@ -105,6 +105,9 @@ fi
|
|||
files=$(has_value AUTO_LETS_ENCRYPT yes)
|
||||
if [ "$files" != " " ] ; then
|
||||
for file in $files ; do
|
||||
if [ "$(echo "$file" | grep 'site.env$')" = "" ] ; then
|
||||
continue
|
||||
fi
|
||||
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
|
||||
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
|
||||
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
|
||||
|
@ -112,6 +115,5 @@ if [ "$files" != " " ] ; then
|
|||
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
|
||||
fi
|
||||
/opt/scripts/certbot-new.sh "$(echo -n $SERVER_NAME | sed 's/ /,/g')" "$EMAIL_LETS_ENCRYPT"
|
||||
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# you need to run it before starting bunkerized-nginx to get the first certificate
|
||||
|
||||
# edit according to your values
|
||||
DOMAINS="kakou-corp.fr,*.kakou-corp.fr"
|
||||
EMAIL="contact@kakou-corp.fr"
|
||||
DOMAINS="website.com,*.website.com"
|
||||
EMAIL="contact@website.com"
|
||||
SERVICE="mywww"
|
||||
|
||||
# ask for the certificate
|
||||
|
|
|
@ -11,6 +11,7 @@ services:
|
|||
- /shared/confs:/etc/nginx
|
||||
- /shared/letsencrypt:/etc/letsencrypt
|
||||
- /shared/acme-challenge:/acme-challenge
|
||||
- /shared/cache:/cache
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
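Review bot: `API_URI` is the shared secret between the two services (the comment on L1422 says it must match the nginx side), yet the example keeps it as a plain duplicated value, which invites drift between the services and copy-paste of the default into real deployments. Define it once in a `.env` file and reference it as `- API_URI=${API_URI}` in both services, and say in the comment that it must be generated randomly and treated like a credential, e.g. `openssl rand -hex 16`.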
|
||||
|
@ -36,10 +37,11 @@ services:
|
|||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
volumes:
|
||||
- /shared/confs:/etc/nginx
|
||||
- /shared/confs:/etc/nginx:ro
|
||||
- /shared/letsencrypt:/etc/letsencrypt:ro
|
||||
- /shared/acme-challenge:/acme-challenge:ro
|
||||
- /shared/www:/www:ro
|
||||
- /shared/cache:/cache:ro
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- USE_API=yes
|
||||
|
|
|
@ -49,7 +49,7 @@ if __name__ == "__main__" :
|
|||
variables = utils.load_variables(args.variables)
|
||||
configurator.load_variables(variables)
|
||||
config = configurator.get_config()
|
||||
print(config)
|
||||
#print(config)
|
||||
|
||||
# Remove old config
|
||||
for filename in os.listdir(args.output):
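Review bot: `#print(config)` on L1483 leaves commented-out code; delete the line rather than disabling it. It matters beyond tidiness because `config` is presumably the full rendered configuration, so the print dumped every variable to stdout, including secrets such as `ANTIBOT_RECAPTCHA_SECRET` and `API_URI`; if a debug dump is wanted later, gate it on the new `LOG_LEVEL` and redact keys known to hold secrets. The `__main__` block continues outside the hunk.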
|
||||
|
|
|
@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_ABUSERS yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/abusers.list /cache
|
||||
cp /etc/nginx/abusers.list /tmp/abusers.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | \
|
||||
|
@ -31,24 +31,25 @@ lines="$(wc -l /tmp/abusers.list | cut -d ' ' -f 1)"
|
|||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] abusers list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
mv /tmp/abusers.list /etc/nginx/abusers.list
|
||||
cp /tmp/abusers.list /etc/nginx/abusers.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/abusers.list /cache
|
||||
cp /tmp/abusers.list /cache
|
||||
job_log "[NGINX] successfull nginx reload after abusers list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after abusers list update fallback to old list"
|
||||
cp /cache/abusers.list /etc/nginx
|
||||
#cp /tmp/abusers.list.bak /etc/nginx
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/abusers.list /cache
|
||||
cp /tmp/abusers.list /cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update abusers list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/abusers.list 2> /dev/null
|
||||
rm -f /tmp/abusers.list.bak 2> /dev/null
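Review bot: The backup taken on L1511 (`/tmp/abusers.list.bak`) is never used: the restore from it on L1571 stays commented out and the file is only deleted on L1606, so the reload-failure path on L1568 still restores from `/cache/abusers.list`, which no longer exists on a first run with an empty cache now that this commit drops the initial `cp /etc/nginx/abusers.list /cache`, leaving the rejected list in place for the second `$RELOAD`. Restore from the backup just taken: `cp /tmp/abusers.list.bak /etc/nginx/abusers.list`. The no-`$RELOAD` branch on L1586 also caches the freshly downloaded list with no validation beyond the line count.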
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/tor-exit-nodes.list /cache
|
||||
cp /etc/nginx/tor-exit-nodes.list /tmp/tor-exit-nodes.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | \
|
||||
|
@ -31,23 +31,24 @@ lines="$(wc -l /tmp/tor-exit-nodes.list | cut -d ' ' -f 1)"
|
|||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] TOR exit node list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
mv /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
cp /tmp/tor-exit-nodes.list /etc/nginx/tor-exit-nodes.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/tor-exit-nodes.list /cache
|
||||
cp /tmp/tor-exit-nodes.list /cache
|
||||
job_log "[NGINX] successfull nginx reload after TOR exit node list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after TOR exit node list update fallback to old list"
|
||||
cp /cache/tor-exit-nodes.list /etc/nginx
|
||||
#cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/tor-exit-nodes.list /cache
|
||||
cp /tmp/tor-exit-nodes.list /cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update TOR exit node list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/tor-exit-nodes.list 2> /dev/null
|
||||
rm -f /tmp/tor-exit-nodes.list.bak 2> /dev/null
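Review bot: `/tmp/tor-exit-nodes.list.bak` is written on L1628 and removed on L1723 but never restored, because the restore on L1688 remains commented out; on a failed reload L1685 copies `/cache/tor-exit-nodes.list`, which is absent on a first run with an empty cache now that the initial `cp /etc/nginx/tor-exit-nodes.list /cache` is gone, so the rejected list stays in place for the second `$RELOAD`. Use the backup: `cp /tmp/tor-exit-nodes.list.bak /etc/nginx/tor-exit-nodes.list`. As in the sibling scripts, the branch without `$RELOAD` (L1703) caches the new list without nginx ever having validated it.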
|
||||
|
|
|
@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_PROXIES yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# copy old conf to cache
|
||||
cp /etc/nginx/proxies.list /cache
|
||||
cp /etc/nginx/proxies.list /tmp/proxies.list.bak
|
||||
|
||||
# generate the new conf
|
||||
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | \
|
||||
|
@ -31,24 +31,25 @@ lines="$(wc -l /tmp/proxies.list | cut -d ' ' -f 1)"
|
|||
if [ "$lines" -gt 1 ] ; then
|
||||
job_log "[BLACKLIST] proxies list updated ($lines entries)"
|
||||
# reload nginx with the new config
|
||||
mv /tmp/proxies.list /etc/nginx/proxies.list
|
||||
cp /tmp/proxies.list /etc/nginx/proxies.list
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
# new config is ok : save it in the cache
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/proxies.list /cache
|
||||
cp /tmp/proxies.list /cache
|
||||
job_log "[NGINX] successfull nginx reload after proxies list update"
|
||||
else
|
||||
job_log "[NGINX] failed nginx reload after proxies list update fallback to old list"
|
||||
cp /cache/proxies.list /etc/nginx
|
||||
#cp /tmp/proxies.list.bak /etc/nginx
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/proxies.list /cache
|
||||
cp /tmp/proxies.list /cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update proxies list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/proxies.list 2> /dev/null
|
||||
rm -f /tmp/proxies.list.bak 2> /dev/null
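Review bot: The fallback on L1800 still depends on `/cache/proxies.list` existing, while the backup this commit introduces on L1743 is only deleted on L1838 and its restore on L1803 stays commented out; with the initial `cp /etc/nginx/proxies.list /cache` removed, a first run with an empty cache keeps the rejected list in place and the second `$RELOAD` fails the same way. Restore from the copy just taken: `cp /tmp/proxies.list.bak /etc/nginx/proxies.list`. The no-`$RELOAD` branch on L1818 also writes the unvalidated download straight into the cache.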
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_REFERRER yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/referrers.list /cache
|
||||
cp /etc/nginx/referrers.list /tmp/referrers.list.bak
|
||||
|
||||
# generate new conf
|
||||
BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list | sed 's:\.:%\.:g;s:\-:%\-:g')"
|
||||
|
@ -34,23 +34,24 @@ fi
|
|||
# check number of lines
|
||||
lines="$(wc -l /tmp/referrers.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
mv /tmp/referrers.list /etc/nginx/referrers.list
|
||||
cp /tmp/referrers.list /etc/nginx/referrers.list
|
||||
job_log "[BLACKLIST] referrers list updated ($lines entries)"
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/referrers.list /cache
|
||||
cp /tmp/referrers.list /cache
|
||||
job_log "[NGINX] successfull nginx reload after referrers list update"
|
||||
else
|
||||
cp /cache/referrers.list /etc/nginx
|
||||
#cp /tmp/referrers.list.bak /etc/nginx
|
||||
job_log "[NGINX] failed nginx reload after referrers list update fallback to old list"
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/referrers.list /cache
|
||||
cp /tmp/referrers.list /cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update referrers list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/referrers.list 2> /dev/null
|
||||
rm -f /tmp/referrers.list.bak 2> /dev/null
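Review bot: The backup taken on L1860 is dead weight: its restore on L1917 stays commented out and L1955 only deletes it, so the failed-reload path on L1914 still restores from `/cache/referrers.list`, which is missing on a first run with an empty cache now that the initial `cp /etc/nginx/referrers.list /cache` is dropped, and the second `$RELOAD` then runs against the rejected list. Use `cp /tmp/referrers.list.bak /etc/nginx/referrers.list` there. L1935 also caches the download unvalidated when no `$RELOAD` is set; since this list is turned into Lua patterns by the `sed` on L1868, an upstream error page passing the line-count check would be cached as is.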
|
||||
|
|
|
@ -12,7 +12,7 @@ if [ "$(has_value BLOCK_USER_AGENT yes)" = "" ] ; then
|
|||
fi
|
||||
|
||||
# save old conf
|
||||
cp /etc/nginx/user-agents.list /cache
|
||||
cp /etc/nginx/user-agents.list /tmp/user-agents.list.bak
|
||||
|
||||
# generate new conf
|
||||
BLACKLIST="$( (curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list ; curl -s https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt) | sort -u | sed 's:\\ : :g;s:\\\.:%\.:g;s:\\\\:\\:g;s:\\/:/:g;s:\-:%\-:g')"
|
||||
|
@ -34,23 +34,24 @@ fi
|
|||
# check number of lines
|
||||
lines="$(wc -l /tmp/user-agents.list | cut -d ' ' -f 1)"
|
||||
if [ "$lines" -gt 1 ] ; then
|
||||
mv /tmp/user-agents.list /etc/nginx/user-agents.list
|
||||
cp /tmp/user-agents.list /etc/nginx/user-agents.list
|
||||
job_log "[BLACKLIST] user-agent list updated ($lines entries)"
|
||||
if [ "$RELOAD" != "" ] ; then
|
||||
$RELOAD > /dev/null 2>&1
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
cp /etc/nginx/user-agents.list /cache
|
||||
cp /tmp/user-agents.list /cache
|
||||
job_log "[NGINX] successfull nginx reload after user-agent list update"
|
||||
else
|
||||
cp /cache/user-agents.list /etc/nginx
|
||||
#cp /tmp/user-agents.list.bak /etc/nginx
|
||||
job_log "[NGINX] failed nginx reload after user-agent list update fallback to old list"
|
||||
$RELOAD > /dev/null 2>&1
|
||||
fi
|
||||
else
|
||||
cp /etc/nginx/user-agents.list /cache
|
||||
cp /tmp/user-agents.list /cache
|
||||
fi
|
||||
else
|
||||
job_log "[BLACKLIST] can't update user-agent list"
|
||||
fi
|
||||
|
||||
rm -f /tmp/user-agents.list 2> /dev/null
|
||||
rm -f /tmp/user-agents.list.bak 2> /dev/null
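Review bot: `/tmp/user-agents.list.bak` (L1975) is created and removed on L2070 but never restored — the restore on L2032 is still commented out — so the failed-reload path on L2029 depends on `/cache/user-agents.list`, which does not exist on a first run with an empty cache now that the initial `cp /etc/nginx/user-agents.list /cache` is gone; the rejected list stays in place and the second `$RELOAD` fails again. Restore from the backup: `cp /tmp/user-agents.list.bak /etc/nginx/user-agents.list`. The no-`$RELOAD` branch on L2050 caches the fresh download with only the line-count check behind it.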
|
||||
|
|
|
@ -884,7 +884,7 @@
|
|||
"env": "REMOTE_PHP",
|
||||
"id": "remote-php",
|
||||
"label": "Remote php",
|
||||
"regex": "^([a-z\\-0-9]+\\.?)*$",
|
||||
"regex": "^([a-z\\-0-9\\_]+\\.?)*$",
|
||||
"type": "text"
|
||||
},
|
||||
{
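Review bot: `\\_` on L2091 is an unneeded escape — `_` has no special meaning inside a character class — and if this regex is ever compiled in JavaScript with the `u` flag an identity escape of a non-syntax character is a `SyntaxError`; prefer `"^([a-z0-9_-]+\\.?)*$"` with `-` placed last instead of escaped. The pattern still accepts an empty string and a trailing dot; that is harmless if the generator treats an empty value as "unset", but this is UI-side validation only, so whatever renders the value into `fastcgi_pass` must not rely on it.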
|
||||
|
|