mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
148 lines
4.4 KiB
Plaintext
148 lines
4.4 KiB
Plaintext
init_by_lua_block {
|
|
|
|
local dataloader = require "dataloader"
|
|
local logger = require "logger"
|
|
local cjson = require "cjson"
|
|
local remoteapi = require "remoteapi"
|
|
local iputils = require "resty.iputils"
|
|
|
|
local use_redis = {% if USE_REDIS == "yes" %}true{% else %}false{% endif +%}
|
|
|
|
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif +%}
|
|
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif +%}
|
|
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
|
|
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
|
|
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
|
|
|
|
local use_remote_api = {% if has_value("USE_REMOTE_API", "yes") %}true{% else %}false{% endif +%}
|
|
|
|
|
|
-- Load reserved IPs
|
|
local reserved_ips = {
|
|
"0.0.0.0/8",
|
|
"10.0.0.0/8",
|
|
"100.64.0.0/10",
|
|
"127.0.0.0/8",
|
|
"169.254.0.0/16",
|
|
"172.16.0.0/12",
|
|
"192.0.0.0/24",
|
|
"192.0.2.0/24",
|
|
"192.88.99.0/24",
|
|
"192.168.0.0/16",
|
|
"198.18.0.0/15",
|
|
"198.51.100.0/24",
|
|
"203.0.113.0/24",
|
|
"224.0.0.0/4",
|
|
"233.252.0.0/24",
|
|
"240.0.0.0/4",
|
|
"255.255.255.255/32"
|
|
}
|
|
local success, err, forcible = ngx.shared.reserved_ips:set("data", cjson.encode(iputils.parse_cidrs(reserved_ips)), 0)
|
|
if not success then
|
|
logger.log(ngx.ERR, "INIT", "Can't load reserved IPs : " .. err)
|
|
end
|
|
|
|
-- Load blacklists
|
|
if not use_redis then
|
|
if use_proxies then
|
|
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
|
end
|
|
|
|
if use_abusers then
|
|
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
|
|
end
|
|
|
|
if use_tor_exit_nodes then
|
|
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
|
|
end
|
|
|
|
if use_user_agents then
|
|
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
|
|
end
|
|
|
|
if use_referrers then
|
|
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
|
end
|
|
end
|
|
|
|
-- Load plugins
|
|
ngx.shared.plugins_data:safe_set("plugins", nil, 0)
|
|
local p = io.popen("find /opt/bunkerized-nginx/plugins -maxdepth 1 -type d ! -path /opt/bunkerized-nginx/plugins")
|
|
for dir in p:lines() do
|
|
-- read JSON
|
|
local file = io.open(dir .. "/plugin.json")
|
|
if file then
|
|
-- store settings
|
|
local data = cjson.decode(file:read("*a"))
|
|
for k, v in pairs(data.settings) do
|
|
ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
|
|
end
|
|
file:close()
|
|
-- call init
|
|
local plugin = require(data.id .. "/" .. data.id)
|
|
local init = true
|
|
if plugin["init"] ~= nil then
|
|
init = plugin.init()
|
|
end
|
|
-- store plugin
|
|
if init then
|
|
local plugins, flags = ngx.shared.plugins_data:get("plugins")
|
|
if plugins == nil then
|
|
ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
|
|
else
|
|
ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
|
|
end
|
|
logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
|
|
else
|
|
logger.log(ngx.ERR, "PLUGINS", "init failed for plugin " .. data.name .. "/" .. data.version)
|
|
end
|
|
else
|
|
logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
|
|
end
|
|
|
|
end
|
|
p:close()
|
|
|
|
-- Remote API
|
|
if use_remote_api then
|
|
|
|
-- Save server
|
|
ngx.shared.remote_api:set("server", "{{ REMOTE_API_SERVER }}", 0)
|
|
|
|
-- Save version
|
|
local f = io.open("/opt/bunkerized-nginx/VERSION", "r")
|
|
ngx.shared.remote_api:set("version", f:read("*all"):gsub("[\r\n]", ""), 0)
|
|
f:close()
|
|
|
|
-- Save machine ID
|
|
local id = "empty"
|
|
local f = io.open("/etc/nginx/machine.id", "r")
|
|
if f == nil then
|
|
logger.log(ngx.ERR, "REMOTE API", "USE_REMOTE_API is set to yes but machine ID is not generated - communication with {{ REMOTE_API_SERVER }} won't work")
|
|
else
|
|
id = f:read("*all"):gsub("[\r\n]", "")
|
|
logger.log(ngx.ERR, "REMOTE API", "*NOT AN ERROR* Using existing machine ID (" .. id .. ")")
|
|
f:close()
|
|
end
|
|
ngx.shared.remote_api:set("id", id, 0)
|
|
|
|
-- Ping the remote API
|
|
local ping = "ko"
|
|
if id ~= "empty" then
|
|
if remoteapi.ping2() then
|
|
ping = "ok"
|
|
logger.log(ngx.ERR, "REMOTE API", "*NOT AN ERROR* Successfully requested the remote API")
|
|
else
|
|
logger.log(ngx.ERR, "REMOTE API", "Can't contact the remote API, feature will be disabled")
|
|
end
|
|
end
|
|
ngx.shared.remote_api:set("ping", ping, 0)
|
|
|
|
-- Load the database
|
|
if ping ~= "ko" then
|
|
dataloader.load_ip("/etc/nginx/remote-api.db", ngx.shared.remote_api_db)
|
|
end
|
|
end
|
|
|
|
}
|