From 870cd4bd93225ab93b8bdc7c087aaebd97c13437 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 27 Apr 2021 09:30:41 -0500
Subject: [PATCH 01/10] Rework nginx.conf to be inline with alpine upstream and relocate lines from other files

---
 README.md | 1 +
 readme-vars.yml | 1 +
 root/defaults/default | 4 +-
 root/defaults/nginx.conf | 102 +++++++++++++++++++++++++--------------
 root/defaults/proxy.conf | 3 +-
 root/defaults/ssl.conf | 5 +-
 6 files changed, 73 insertions(+), 43 deletions(-)

diff --git a/README.md b/README.md
index a17c9cb..3449417 100644
--- a/README.md
+++ b/README.md
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **27.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
 * **12.04.21:** - Add support for vultr dns validation.
diff --git a/readme-vars.yml b/readme-vars.yml
index 4566de8..ea57427 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+ - { date: "27.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files." }
  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
  - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
diff --git a/root/defaults/default b/root/defaults/default
index 6d76de6..a40ca08 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -1,4 +1,4 @@
-## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
 
 error_page 502 /502.html;
 
@@ -151,5 +151,3 @@ server {
 
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index a47a405..9497c0b 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,53 +1,97 @@
-## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 
 user abc;
-worker_processes 4;
-pid /run/nginx.pid;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log warn;
+
+# Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
 events {
- worker_connections 768;
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
  # multi_accept on;
 }
 
 http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 0;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /config/log/nginx/access.log main;
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http.d/*.conf;
+ include /config/nginx/site-confs/*;
+ #Removed lua. Do not remove this comment
+
+ # WARNING: Don't use this directory for virtual hosts anymore.
+ # This include will be moved to the root context in Alpine 3.14.
+ #include /etc/nginx/conf.d/*.conf;
+
 
  ##
  # Basic Settings
  ##
 
  client_body_buffer_size 128k;
- client_max_body_size 0;
  keepalive_timeout 65;
  large_client_header_buffers 4 16k;
  send_timeout 5m;
- sendfile on;
  tcp_nodelay on;
- tcp_nopush on;
  types_hash_max_size 2048;
  variables_hash_max_size 2048;
-
- # server_tokens off;
  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;
 
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- ##
- # Logging Settings
- ##
-
- access_log /config/log/nginx/access.log;
- error_log /config/log/nginx/error.log;
-
  ##
  # Gzip Settings
  ##
 
  gzip on;
  gzip_disable "msie6";
-
  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
@@ -72,21 +116,6 @@ http {
  #passenger_root /usr;
  #passenger_ruby /usr/bin/ruby;
 
- ##
- # WebSocket proxying
- ##
- map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
- }
-
- ##
- # Virtual Host Configs
- ##
- include /etc/nginx/conf.d/*.conf;
- include /config/nginx/site-confs/*;
- #Removed lua. Do not remove this comment
-
  ##
  # Geoip2 config
  ##
@@ -96,6 +125,8 @@ http {
  #include /config/nginx/geoip2.conf;
 }
 
+# TIP: Uncomment if you use stream module.
+#include /etc/nginx/stream.conf;
 
 #mail {
 # # See sample authentication script at:
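Review bot: `include /etc/nginx/http.d/*.conf;` pulls in whatever the Alpine nginx package installs in that directory, and the only packaged-vhost cleanup visible on this page is `rm -f /etc/nginx/conf.d/default.conf` in the Dockerfiles of PATCH 02, which still targets the old conf.d location that this hunk stops including. As far as I know the package ships `/etc/nginx/http.d/default.conf` with a `listen 80 default_server` catch-all, so nginx would either fail with a duplicate default server if the site-conf also declares one, or quietly answer unmatched requests from a vhost nobody reviewed; either remove that file in the `configure nginx` build step or drop the `http.d` include. A comment at the include line would make the dependency explicit, e.g. `# Alpine ships http.d/default.conf here; it is removed at image build time.` The `http {` block this hunk opens continues past the hunk.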
@@ -118,3 +149,4 @@ http {
 # }
 #}
 daemon off;
+pid /run/nginx.pid;
diff --git a/root/defaults/proxy.conf b/root/defaults/proxy.conf
index d1a383c..921fad4 100644
--- a/root/defaults/proxy.conf
+++ b/root/defaults/proxy.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
 
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -15,6 +15,7 @@ proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;
 
diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf
index 654c512..d2747f1 100644
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
 
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
 # Diffie-Hellman Parameters
 ssl_dhparam /config/nginx/dhparams.pem;
 
-# Resolver
-resolver 127.0.0.11 valid=30s; # Docker DNS Server
-
 # Enable TLS 1.3 early data
 ssl_early_data on;
 

From e2e39b9f89c44a489987eb4f538e5cf37fcfbade Mon Sep 17 00:00:00 2001
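Review bot: `proxy_cache_path cache/ keys_zone=auth_cache:10m;` is only allowed in the `http` context, yet it has been relocated into proxy.conf, a file whose neighbouring directives in this hunk (`proxy_cache_bypass`, `proxy_no_cache`) are the kind that gets included from `location` blocks; if that is how proxy.conf is included here, nginx will reject the config with "proxy_cache_path" directive is not allowed here. Given the rest of this series, the natural home is the `http {}` block of root/defaults/nginx.conf, together with the `# enable proxy cache for auth` comment that the deletion in root/defaults/default dropped. `cache/` is also relative to nginx's prefix, which is worth stating in that comment so operators know where the auth cache lands on disk.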
From: Eric Nemchik
Date: Tue, 27 Apr 2021 10:08:22 -0500
Subject: [PATCH 02/10] Format files

---
 Dockerfile | 284 +++++++++++++-------------
 Dockerfile.aarch64 | 284 +++++++++++++-------------
 Dockerfile.armhf | 284 +++++++++++++-------------
 root/defaults/502.html | 2 +-
 root/defaults/dns-conf/cloudflare.ini | 2 +-
 root/defaults/dns-conf/cpanel.ini | 2 +-
 root/defaults/dns-conf/domeneshop.ini | 2 +-
 root/defaults/dns-conf/google.json | 2 +-
 root/defaults/dns-conf/hetzner.ini | 2 +-
 root/defaults/index.html | 2 +-
 root/etc/cont-init.d/60-renew | 2 +-
 11 files changed, 434 insertions(+), 434 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a9ae80b..05554f9 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,148 +12,148 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53. ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 RUN \ - echo "**** install build packages ****" && \ - apk add --no-cache --virtual=build-dependencies \ - cargo \ - g++ \ - gcc \ - libffi-dev \ - openssl-dev \ - python3-dev && \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - fail2ban \ - gnupg \ - memcached \ - nginx \ - nginx-mod-http-brotli \ - nginx-mod-http-dav-ext \ - nginx-mod-http-echo \ - nginx-mod-http-fancyindex \ - nginx-mod-http-geoip2 \ - nginx-mod-http-headers-more \ - nginx-mod-http-image-filter \ - nginx-mod-http-nchan \ - nginx-mod-http-perl \ - nginx-mod-http-redis2 \ - nginx-mod-http-set-misc \ - nginx-mod-http-upload-progress \ - nginx-mod-http-xslt-filter \ - nginx-mod-mail \ - nginx-mod-rtmp \ - nginx-mod-stream \ - nginx-mod-stream-geoip2 \ - nginx-vim \ - php7-bcmath \ - php7-bz2 \ - php7-ctype \ - php7-curl \ - php7-dom \ - php7-exif \ - php7-ftp \ - php7-gd \ - php7-gmp \ - php7-iconv \ - php7-imap \ - php7-intl \ - php7-ldap \ - php7-mcrypt \ - php7-memcached \ - php7-mysqli \ - php7-mysqlnd \ - php7-opcache \ - php7-pdo_mysql \ - php7-pdo_odbc \ - php7-pdo_pgsql \ - php7-pdo_sqlite \ - php7-pear \ - php7-pecl-apcu \ - php7-pecl-mailparse \ - php7-pecl-redis \ - php7-pgsql \ - php7-phar \ - php7-posix \ - php7-soap \ - php7-sockets \ - php7-sodium \ - php7-sqlite3 \ - php7-tokenizer \ - php7-xml \ - php7-xmlreader \ - php7-xmlrpc \ - php7-xsl \ - php7-zip \ - py3-cryptography \ - py3-future \ - py3-pip \ - whois && \ - echo "**** install certbot plugins ****" && \ - if [ -z ${CERTBOT_VERSION+x} ]; then \ - CERTBOT="certbot"; \ - else \ - CERTBOT="certbot==${CERTBOT_VERSION}"; \ - fi && \ - pip3 install -U \ - pip && \ - pip3 install -U \ - ${CERTBOT} \ - certbot-dns-aliyun \ - certbot-dns-cloudflare \ - certbot-dns-cloudxns \ - certbot-dns-cpanel \ - certbot-dns-digitalocean \ - certbot-dns-directadmin \ 
- certbot-dns-dnsimple \ - certbot-dns-dnsmadeeasy \ - certbot-dns-domeneshop \ - certbot-dns-google \ - certbot-dns-hetzner \ - certbot-dns-inwx \ - certbot-dns-linode \ - certbot-dns-luadns \ - certbot-dns-netcup \ - certbot-dns-njalla \ - certbot-dns-nsone \ - certbot-dns-ovh \ - certbot-dns-rfc2136 \ - certbot-dns-route53 \ - certbot-dns-transip \ - certbot-dns-vultr \ - certbot-plugin-gandi \ - cryptography \ - requests && \ - echo "**** remove unnecessary fail2ban filters ****" && \ - rm \ - /etc/fail2ban/jail.d/alpine-ssh.conf && \ - echo "**** copy fail2ban default action and filter to /default ****" && \ - mkdir -p /defaults/fail2ban && \ - mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ - mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ - echo "**** copy proxy confs to /default ****" && \ - mkdir -p /defaults/proxy-confs && \ - curl -o \ - /tmp/proxy.tar.gz -L \ - "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ - tar xf \ - /tmp/proxy.tar.gz -C \ - /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ - echo "**** configure nginx ****" && \ - rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ - echo "**** cleanup ****" && \ - apk del --purge \ - build-dependencies && \ - for cleanfiles in *.pyc *.pyo; \ - do \ - find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ - ; done && \ - rm -rf \ - /tmp/* \ - /root/.cache \ - /root/.cargo + echo "**** install build packages ****" && \ + apk add --no-cache --virtual=build-dependencies \ + cargo \ + g++ \ + gcc \ + libffi-dev \ + openssl-dev \ + python3-dev && \ + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + fail2ban \ + gnupg \ + memcached \ + nginx \ + nginx-mod-http-brotli \ + nginx-mod-http-dav-ext \ + nginx-mod-http-echo \ + 
nginx-mod-http-fancyindex \ + nginx-mod-http-geoip2 \ + nginx-mod-http-headers-more \ + nginx-mod-http-image-filter \ + nginx-mod-http-nchan \ + nginx-mod-http-perl \ + nginx-mod-http-redis2 \ + nginx-mod-http-set-misc \ + nginx-mod-http-upload-progress \ + nginx-mod-http-xslt-filter \ + nginx-mod-mail \ + nginx-mod-rtmp \ + nginx-mod-stream \ + nginx-mod-stream-geoip2 \ + nginx-vim \ + php7-bcmath \ + php7-bz2 \ + php7-ctype \ + php7-curl \ + php7-dom \ + php7-exif \ + php7-ftp \ + php7-gd \ + php7-gmp \ + php7-iconv \ + php7-imap \ + php7-intl \ + php7-ldap \ + php7-mcrypt \ + php7-memcached \ + php7-mysqli \ + php7-mysqlnd \ + php7-opcache \ + php7-pdo_mysql \ + php7-pdo_odbc \ + php7-pdo_pgsql \ + php7-pdo_sqlite \ + php7-pear \ + php7-pecl-apcu \ + php7-pecl-mailparse \ + php7-pecl-redis \ + php7-pgsql \ + php7-phar \ + php7-posix \ + php7-soap \ + php7-sockets \ + php7-sodium \ + php7-sqlite3 \ + php7-tokenizer \ + php7-xml \ + php7-xmlreader \ + php7-xmlrpc \ + php7-xsl \ + php7-zip \ + py3-cryptography \ + py3-future \ + py3-pip \ + whois && \ + echo "**** install certbot plugins ****" && \ + if [ -z ${CERTBOT_VERSION+x} ]; then \ + CERTBOT="certbot"; \ + else \ + CERTBOT="certbot==${CERTBOT_VERSION}"; \ + fi && \ + pip3 install -U \ + pip && \ + pip3 install -U \ + ${CERTBOT} \ + certbot-dns-aliyun \ + certbot-dns-cloudflare \ + certbot-dns-cloudxns \ + certbot-dns-cpanel \ + certbot-dns-digitalocean \ + certbot-dns-directadmin \ + certbot-dns-dnsimple \ + certbot-dns-dnsmadeeasy \ + certbot-dns-domeneshop \ + certbot-dns-google \ + certbot-dns-hetzner \ + certbot-dns-inwx \ + certbot-dns-linode \ + certbot-dns-luadns \ + certbot-dns-netcup \ + certbot-dns-njalla \ + certbot-dns-nsone \ + certbot-dns-ovh \ + certbot-dns-rfc2136 \ + certbot-dns-route53 \ + certbot-dns-transip \ + certbot-dns-vultr \ + certbot-plugin-gandi \ + cryptography \ + requests && \ + echo "**** remove unnecessary fail2ban filters ****" && \ + rm \ + 
/etc/fail2ban/jail.d/alpine-ssh.conf && \ + echo "**** copy fail2ban default action and filter to /default ****" && \ + mkdir -p /defaults/fail2ban && \ + mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ + mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ + echo "**** copy proxy confs to /default ****" && \ + mkdir -p /defaults/proxy-confs && \ + curl -o \ + /tmp/proxy.tar.gz -L \ + "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ + tar xf \ + /tmp/proxy.tar.gz -C \ + /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ + echo "**** configure nginx ****" && \ + rm -f /etc/nginx/conf.d/default.conf && \ + curl -o \ + /defaults/dhparams.pem -L \ + "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ + echo "**** cleanup ****" && \ + apk del --purge \ + build-dependencies && \ + for cleanfiles in *.pyc *.pyo; \ + do \ + find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ + ; done && \ + rm -rf \ + /tmp/* \ + /root/.cache \ + /root/.cargo # add local files COPY root/ / diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 4e24add..5733dd4 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -12,148 +12,148 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53. ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 RUN \ - echo "**** install build packages ****" && \ - apk add --no-cache --virtual=build-dependencies \ - cargo \ - g++ \ - gcc \ - libffi-dev \ - openssl-dev \ - python3-dev && \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - fail2ban \ - gnupg \ - memcached \ - nginx \ - nginx-mod-http-brotli \ - nginx-mod-http-dav-ext \ - nginx-mod-http-echo \ - nginx-mod-http-fancyindex \ - nginx-mod-http-geoip2 \ - nginx-mod-http-headers-more \ - nginx-mod-http-image-filter \ - nginx-mod-http-nchan \ - nginx-mod-http-perl \ - nginx-mod-http-redis2 \ - nginx-mod-http-set-misc \ - nginx-mod-http-upload-progress \ - nginx-mod-http-xslt-filter \ - nginx-mod-mail \ - nginx-mod-rtmp \ - nginx-mod-stream \ - nginx-mod-stream-geoip2 \ - nginx-vim \ - php7-bcmath \ - php7-bz2 \ - php7-ctype \ - php7-curl \ - php7-dom \ - php7-exif \ - php7-ftp \ - php7-gd \ - php7-gmp \ - php7-iconv \ - php7-imap \ - php7-intl \ - php7-ldap \ - php7-mcrypt \ - php7-memcached \ - php7-mysqli \ - php7-mysqlnd \ - php7-opcache \ - php7-pdo_mysql \ - php7-pdo_odbc \ - php7-pdo_pgsql \ - php7-pdo_sqlite \ - php7-pear \ - php7-pecl-apcu \ - php7-pecl-mailparse \ - php7-pecl-redis \ - php7-pgsql \ - php7-phar \ - php7-posix \ - php7-soap \ - php7-sockets \ - php7-sodium \ - php7-sqlite3 \ - php7-tokenizer \ - php7-xml \ - php7-xmlreader \ - php7-xmlrpc \ - php7-xsl \ - php7-zip \ - py3-cryptography \ - py3-future \ - py3-pip \ - whois && \ - echo "**** install certbot plugins ****" && \ - if [ -z ${CERTBOT_VERSION+x} ]; then \ - CERTBOT="certbot"; \ - else \ - CERTBOT="certbot==${CERTBOT_VERSION}"; \ - fi && \ - pip3 install -U \ - pip && \ - pip3 install -U \ - ${CERTBOT} \ - certbot-dns-aliyun \ - certbot-dns-cloudflare \ - certbot-dns-cloudxns \ - certbot-dns-cpanel \ - certbot-dns-digitalocean \ - certbot-dns-directadmin \ 
- certbot-dns-dnsimple \ - certbot-dns-dnsmadeeasy \ - certbot-dns-domeneshop \ - certbot-dns-google \ - certbot-dns-hetzner \ - certbot-dns-inwx \ - certbot-dns-linode \ - certbot-dns-luadns \ - certbot-dns-netcup \ - certbot-dns-njalla \ - certbot-dns-nsone \ - certbot-dns-ovh \ - certbot-dns-rfc2136 \ - certbot-dns-route53 \ - certbot-dns-transip \ - certbot-dns-vultr \ - certbot-plugin-gandi \ - cryptography \ - requests && \ - echo "**** remove unnecessary fail2ban filters ****" && \ - rm \ - /etc/fail2ban/jail.d/alpine-ssh.conf && \ - echo "**** copy fail2ban default action and filter to /default ****" && \ - mkdir -p /defaults/fail2ban && \ - mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ - mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ - echo "**** copy proxy confs to /default ****" && \ - mkdir -p /defaults/proxy-confs && \ - curl -o \ - /tmp/proxy.tar.gz -L \ - "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ - tar xf \ - /tmp/proxy.tar.gz -C \ - /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ - echo "**** configure nginx ****" && \ - rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ - echo "**** cleanup ****" && \ - apk del --purge \ - build-dependencies && \ - for cleanfiles in *.pyc *.pyo; \ - do \ - find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ - ; done && \ - rm -rf \ - /tmp/* \ - /root/.cache \ - /root/.cargo + echo "**** install build packages ****" && \ + apk add --no-cache --virtual=build-dependencies \ + cargo \ + g++ \ + gcc \ + libffi-dev \ + openssl-dev \ + python3-dev && \ + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + fail2ban \ + gnupg \ + memcached \ + nginx \ + nginx-mod-http-brotli \ + nginx-mod-http-dav-ext \ + nginx-mod-http-echo \ + 
nginx-mod-http-fancyindex \ + nginx-mod-http-geoip2 \ + nginx-mod-http-headers-more \ + nginx-mod-http-image-filter \ + nginx-mod-http-nchan \ + nginx-mod-http-perl \ + nginx-mod-http-redis2 \ + nginx-mod-http-set-misc \ + nginx-mod-http-upload-progress \ + nginx-mod-http-xslt-filter \ + nginx-mod-mail \ + nginx-mod-rtmp \ + nginx-mod-stream \ + nginx-mod-stream-geoip2 \ + nginx-vim \ + php7-bcmath \ + php7-bz2 \ + php7-ctype \ + php7-curl \ + php7-dom \ + php7-exif \ + php7-ftp \ + php7-gd \ + php7-gmp \ + php7-iconv \ + php7-imap \ + php7-intl \ + php7-ldap \ + php7-mcrypt \ + php7-memcached \ + php7-mysqli \ + php7-mysqlnd \ + php7-opcache \ + php7-pdo_mysql \ + php7-pdo_odbc \ + php7-pdo_pgsql \ + php7-pdo_sqlite \ + php7-pear \ + php7-pecl-apcu \ + php7-pecl-mailparse \ + php7-pecl-redis \ + php7-pgsql \ + php7-phar \ + php7-posix \ + php7-soap \ + php7-sockets \ + php7-sodium \ + php7-sqlite3 \ + php7-tokenizer \ + php7-xml \ + php7-xmlreader \ + php7-xmlrpc \ + php7-xsl \ + php7-zip \ + py3-cryptography \ + py3-future \ + py3-pip \ + whois && \ + echo "**** install certbot plugins ****" && \ + if [ -z ${CERTBOT_VERSION+x} ]; then \ + CERTBOT="certbot"; \ + else \ + CERTBOT="certbot==${CERTBOT_VERSION}"; \ + fi && \ + pip3 install -U \ + pip && \ + pip3 install -U \ + ${CERTBOT} \ + certbot-dns-aliyun \ + certbot-dns-cloudflare \ + certbot-dns-cloudxns \ + certbot-dns-cpanel \ + certbot-dns-digitalocean \ + certbot-dns-directadmin \ + certbot-dns-dnsimple \ + certbot-dns-dnsmadeeasy \ + certbot-dns-domeneshop \ + certbot-dns-google \ + certbot-dns-hetzner \ + certbot-dns-inwx \ + certbot-dns-linode \ + certbot-dns-luadns \ + certbot-dns-netcup \ + certbot-dns-njalla \ + certbot-dns-nsone \ + certbot-dns-ovh \ + certbot-dns-rfc2136 \ + certbot-dns-route53 \ + certbot-dns-transip \ + certbot-dns-vultr \ + certbot-plugin-gandi \ + cryptography \ + requests && \ + echo "**** remove unnecessary fail2ban filters ****" && \ + rm \ + 
/etc/fail2ban/jail.d/alpine-ssh.conf && \ + echo "**** copy fail2ban default action and filter to /default ****" && \ + mkdir -p /defaults/fail2ban && \ + mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ + mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ + echo "**** copy proxy confs to /default ****" && \ + mkdir -p /defaults/proxy-confs && \ + curl -o \ + /tmp/proxy.tar.gz -L \ + "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ + tar xf \ + /tmp/proxy.tar.gz -C \ + /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ + echo "**** configure nginx ****" && \ + rm -f /etc/nginx/conf.d/default.conf && \ + curl -o \ + /defaults/dhparams.pem -L \ + "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ + echo "**** cleanup ****" && \ + apk del --purge \ + build-dependencies && \ + for cleanfiles in *.pyc *.pyo; \ + do \ + find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ + ; done && \ + rm -rf \ + /tmp/* \ + /root/.cache \ + /root/.cargo # add local files COPY root/ / diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 0083a0f..a4f8789 100755 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf 
@@ -12,148 +12,148 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53. ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 RUN \ - echo "**** install build packages ****" && \ - apk add --no-cache --virtual=build-dependencies \ - cargo \ - g++ \ - gcc \ - libffi-dev \ - openssl-dev \ - python3-dev && \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - fail2ban \ - gnupg \ - memcached \ - nginx \ - nginx-mod-http-brotli \ - nginx-mod-http-dav-ext \ - nginx-mod-http-echo \ - nginx-mod-http-fancyindex \ - nginx-mod-http-geoip2 \ - nginx-mod-http-headers-more \ - nginx-mod-http-image-filter \ - nginx-mod-http-nchan \ - nginx-mod-http-perl \ - nginx-mod-http-redis2 \ - nginx-mod-http-set-misc \ - nginx-mod-http-upload-progress \ - nginx-mod-http-xslt-filter \ - nginx-mod-mail \ - nginx-mod-rtmp \ - nginx-mod-stream \ - nginx-mod-stream-geoip2 \ - nginx-vim \ - php7-bcmath \ - php7-bz2 \ - php7-ctype \ - php7-curl \ - php7-dom \ - php7-exif \ - php7-ftp \ - php7-gd \ - php7-gmp \ - php7-iconv \ - php7-imap \ - php7-intl \ - php7-ldap \ - php7-mcrypt \ - php7-memcached \ - php7-mysqli \ - php7-mysqlnd \ - php7-opcache \ - php7-pdo_mysql \ - php7-pdo_odbc \ - php7-pdo_pgsql \ - php7-pdo_sqlite \ - php7-pear \ - php7-pecl-apcu \ - php7-pecl-mailparse \ - php7-pecl-redis \ - php7-pgsql \ - php7-phar \ - php7-posix \ - php7-soap \ - php7-sockets \ - php7-sodium \ - php7-sqlite3 \ - php7-tokenizer \ - php7-xml \ - php7-xmlreader \ - php7-xmlrpc \ - php7-xsl \ - php7-zip \ - py3-cryptography \ - py3-future \ - py3-pip \ - whois && \ - echo "**** install certbot plugins ****" && \ - if [ -z ${CERTBOT_VERSION+x} ]; then \ - CERTBOT="certbot"; \ - else \ - CERTBOT="certbot==${CERTBOT_VERSION}"; \ - fi && \ - pip3 install -U \ - pip && \ - pip3 install -U \ - ${CERTBOT} \ - certbot-dns-aliyun \ - certbot-dns-cloudflare \ - certbot-dns-cloudxns \ - certbot-dns-cpanel \ - certbot-dns-digitalocean \ - certbot-dns-directadmin \ 
- certbot-dns-dnsimple \ - certbot-dns-dnsmadeeasy \ - certbot-dns-domeneshop \ - certbot-dns-google \ - certbot-dns-hetzner \ - certbot-dns-inwx \ - certbot-dns-linode \ - certbot-dns-luadns \ - certbot-dns-netcup \ - certbot-dns-njalla \ - certbot-dns-nsone \ - certbot-dns-ovh \ - certbot-dns-rfc2136 \ - certbot-dns-route53 \ - certbot-dns-transip \ - certbot-dns-vultr \ - certbot-plugin-gandi \ - cryptography \ - requests && \ - echo "**** remove unnecessary fail2ban filters ****" && \ - rm \ - /etc/fail2ban/jail.d/alpine-ssh.conf && \ - echo "**** copy fail2ban default action and filter to /default ****" && \ - mkdir -p /defaults/fail2ban && \ - mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ - mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ - echo "**** copy proxy confs to /default ****" && \ - mkdir -p /defaults/proxy-confs && \ - curl -o \ - /tmp/proxy.tar.gz -L \ - "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ - tar xf \ - /tmp/proxy.tar.gz -C \ - /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ - echo "**** configure nginx ****" && \ - rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ - echo "**** cleanup ****" && \ - apk del --purge \ - build-dependencies && \ - for cleanfiles in *.pyc *.pyo; \ - do \ - find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ - ; done && \ - rm -rf \ - /tmp/* \ - /root/.cache \ - /root/.cargo + echo "**** install build packages ****" && \ + apk add --no-cache --virtual=build-dependencies \ + cargo \ + g++ \ + gcc \ + libffi-dev \ + openssl-dev \ + python3-dev && \ + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + fail2ban \ + gnupg \ + memcached \ + nginx \ + nginx-mod-http-brotli \ + nginx-mod-http-dav-ext \ + nginx-mod-http-echo \ + 
nginx-mod-http-fancyindex \ + nginx-mod-http-geoip2 \ + nginx-mod-http-headers-more \ + nginx-mod-http-image-filter \ + nginx-mod-http-nchan \ + nginx-mod-http-perl \ + nginx-mod-http-redis2 \ + nginx-mod-http-set-misc \ + nginx-mod-http-upload-progress \ + nginx-mod-http-xslt-filter \ + nginx-mod-mail \ + nginx-mod-rtmp \ + nginx-mod-stream \ + nginx-mod-stream-geoip2 \ + nginx-vim \ + php7-bcmath \ + php7-bz2 \ + php7-ctype \ + php7-curl \ + php7-dom \ + php7-exif \ + php7-ftp \ + php7-gd \ + php7-gmp \ + php7-iconv \ + php7-imap \ + php7-intl \ + php7-ldap \ + php7-mcrypt \ + php7-memcached \ + php7-mysqli \ + php7-mysqlnd \ + php7-opcache \ + php7-pdo_mysql \ + php7-pdo_odbc \ + php7-pdo_pgsql \ + php7-pdo_sqlite \ + php7-pear \ + php7-pecl-apcu \ + php7-pecl-mailparse \ + php7-pecl-redis \ + php7-pgsql \ + php7-phar \ + php7-posix \ + php7-soap \ + php7-sockets \ + php7-sodium \ + php7-sqlite3 \ + php7-tokenizer \ + php7-xml \ + php7-xmlreader \ + php7-xmlrpc \ + php7-xsl \ + php7-zip \ + py3-cryptography \ + py3-future \ + py3-pip \ + whois && \ + echo "**** install certbot plugins ****" && \ + if [ -z ${CERTBOT_VERSION+x} ]; then \ + CERTBOT="certbot"; \ + else \ + CERTBOT="certbot==${CERTBOT_VERSION}"; \ + fi && \ + pip3 install -U \ + pip && \ + pip3 install -U \ + ${CERTBOT} \ + certbot-dns-aliyun \ + certbot-dns-cloudflare \ + certbot-dns-cloudxns \ + certbot-dns-cpanel \ + certbot-dns-digitalocean \ + certbot-dns-directadmin \ + certbot-dns-dnsimple \ + certbot-dns-dnsmadeeasy \ + certbot-dns-domeneshop \ + certbot-dns-google \ + certbot-dns-hetzner \ + certbot-dns-inwx \ + certbot-dns-linode \ + certbot-dns-luadns \ + certbot-dns-netcup \ + certbot-dns-njalla \ + certbot-dns-nsone \ + certbot-dns-ovh \ + certbot-dns-rfc2136 \ + certbot-dns-route53 \ + certbot-dns-transip \ + certbot-dns-vultr \ + certbot-plugin-gandi \ + cryptography \ + requests && \ + echo "**** remove unnecessary fail2ban filters ****" && \ + rm \ + 
/etc/fail2ban/jail.d/alpine-ssh.conf && \ + echo "**** copy fail2ban default action and filter to /default ****" && \ + mkdir -p /defaults/fail2ban && \ + mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ + mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ + echo "**** copy proxy confs to /default ****" && \ + mkdir -p /defaults/proxy-confs && \ + curl -o \ + /tmp/proxy.tar.gz -L \ + "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ + tar xf \ + /tmp/proxy.tar.gz -C \ + /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ + echo "**** configure nginx ****" && \ + rm -f /etc/nginx/conf.d/default.conf && \ + curl -o \ + /defaults/dhparams.pem -L \ + "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ + echo "**** cleanup ****" && \ + apk del --purge \ + build-dependencies && \ + for cleanfiles in *.pyc *.pyo; \ + do \ + find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ + ; done && \ + rm -rf \ + /tmp/* \ + /root/.cache \ + /root/.cargo # add local files COPY root/ / diff --git a/root/defaults/502.html b/root/defaults/502.html index ff7d8fc..6e33c60 100644 --- a/root/defaults/502.html +++ b/root/defaults/502.html @@ -41,4 +41,4 @@

For help and support, please visit: linuxserver.io/support

-
\ No newline at end of file
+
diff --git a/root/defaults/dns-conf/cloudflare.ini b/root/defaults/dns-conf/cloudflare.ini
index 5cd3c0a..af7194b 100644
--- a/root/defaults/dns-conf/cloudflare.ini
+++ b/root/defaults/dns-conf/cloudflare.ini
@@ -6,4 +6,4 @@ dns_cloudflare_email = cloudflare@example.com
 dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
 
 # With token (comment out both lines above and uncomment below):
-#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
\ No newline at end of file
+#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
diff --git a/root/defaults/dns-conf/cpanel.ini b/root/defaults/dns-conf/cpanel.ini
index 28b6953..2c2742b 100644
--- a/root/defaults/dns-conf/cpanel.ini
+++ b/root/defaults/dns-conf/cpanel.ini
@@ -3,4 +3,4 @@
 # include the scheme and the port number (usually 2083 for https)
 certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
 certbot_dns_cpanel:cpanel_username = username
-certbot_dns_cpanel:cpanel_password = 1234567890abcdef
\ No newline at end of file
+certbot_dns_cpanel:cpanel_password = 1234567890abcdef
diff --git a/root/defaults/dns-conf/domeneshop.ini b/root/defaults/dns-conf/domeneshop.ini
index 569c713..0bd1d0d 100644
--- a/root/defaults/dns-conf/domeneshop.ini
+++ b/root/defaults/dns-conf/domeneshop.ini
@@ -1,4 +1,4 @@
 # Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials
 # Replace with your values
 dns_domeneshop_client_token=1234567890abcdef
-dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs
\ No newline at end of file
+dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs
diff --git a/root/defaults/dns-conf/google.json b/root/defaults/dns-conf/google.json
index c5a59cf..67f0050 100644
--- a/root/defaults/dns-conf/google.json
+++ b/root/defaults/dns-conf/google.json
@@ -3,4 +3,4 @@
 "_comment": "Replace with your values",
 "type": "service_account",
 "rest": "..."
-}
\ No newline at end of file
+}
diff --git a/root/defaults/dns-conf/hetzner.ini b/root/defaults/dns-conf/hetzner.ini
index f616823..23be699 100644
--- a/root/defaults/dns-conf/hetzner.ini
+++ b/root/defaults/dns-conf/hetzner.ini
@@ -1,3 +1,3 @@
 # Instructions: https://github.com/ctrlaltcoop/certbot-dns-hetzner
 # Replace with your values
-dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa
\ No newline at end of file
+dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa
diff --git a/root/defaults/index.html b/root/defaults/index.html
index 352d1af..5bc81ff 100644
--- a/root/defaults/index.html
+++ b/root/defaults/index.html
@@ -36,4 +36,4 @@

For help and support, please visit: linuxserver.io/support

- \ No newline at end of file + diff --git a/root/etc/cont-init.d/60-renew b/root/etc/cont-init.d/60-renew index 975c73a..0bc3daa 100644 --- a/root/etc/cont-init.d/60-renew +++ b/root/etc/cont-init.d/60-renew @@ -7,4 +7,4 @@ else echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes." /app/le-renew.sh sleep 1 -fi \ No newline at end of file +fi From d77a64aab84cea6cab32847e8e4f91cf3e54906b Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 27 Apr 2021 14:23:35 -0500 Subject: [PATCH 03/10] Use default log format, set resolver and worker_processes dynamically --- root/defaults/nginx.conf | 28 +++++++++++++--------------- root/etc/cont-init.d/50-config | 16 +++++++++++++++- 2 files changed, 28 insertions(+), 16 deletions(-) diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index 9497c0b..b56a5c7 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -3,13 +3,13 @@ user abc; # Set number of worker processes automatically based on number of CPU cores. -worker_processes auto; +include /config/nginx/worker_processes.conf # Enables the use of JIT for regular expressions to speed-up their processing. pcre_jit on; # Configures default error logger. -error_log /config/log/nginx/error.log warn; +error_log /config/log/nginx/error.log; # Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; @@ -29,7 +29,8 @@ http { # Name servers used to resolve names of upstream servers into addresses. # It's also needed when using tcpsocket and udpsocket in Lua modules. - resolver 127.0.0.11 valid=30s; # Docker DNS Server + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf # Don't tell nginx version to the clients. Default is 'on'. server_tokens off; 
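Review bot: The two new `include` lines, `include /config/nginx/worker_processes.conf` in the first nginx.conf hunk and `include /config/nginx/resolver.conf` in the second, have no terminating semicolon, so nginx will reject the configuration at startup because the following directive is parsed as an extra argument of `include`. They should read `include /config/nginx/worker_processes.conf;` and `include /config/nginx/resolver.conf;`. Dropping `warn` from `error_log` also lowers the logged level to nginx's default of `error`, so warnings previously written to error.log will no longer appear; since some fail2ban filters and monitoring read that file, it is worth confirming that this is intended.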
@@ -54,18 +55,11 @@ http { '' close; } - # Specifies the main log format. - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - # Sets the path, format, and configuration for a buffered log write. - access_log /config/log/nginx/access.log main; + access_log /config/log/nginx/access.log; # Includes virtual hosts configs. - include /etc/nginx/http.d/*.conf; - include /config/nginx/site-confs/*; - #Removed lua. Do not remove this comment + #include /etc/nginx/http.d/*.conf; # WARNING: Don't use this directory for virtual hosts anymore. # This include will be moved to the root context in Alpine 3.14. @@ -116,6 +110,12 @@ http { #passenger_root /usr; #passenger_ruby /usr/bin/ruby; + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. Do not remove this comment + ## # Geoip2 config ## @@ -125,9 +125,6 @@ http { #include /config/nginx/geoip2.conf; } -# TIP: Uncomment if you use stream module. -#include /etc/nginx/stream.conf; - #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript @@ -148,5 +145,6 @@ http { # proxy on; # } #} + daemon off; pid /run/nginx.pid; diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index ceb22f4..eb842cb 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
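Review bot: Removing the `main` log_format in the first hunk also removes `$http_x_forwarded_for` from access.log, because an `access_log` without a format name falls back to nginx's built-in `combined` format, which ends at `$http_user_agent`. When this container sits behind another proxy or CDN the original client address is then no longer recorded, which weakens log review and any fail2ban filter that parses access.log. If the default format is deliberate, say so in the commit description; otherwise keep a named format that carries the header, e.g. `log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';` together with `access_log /config/log/nginx/access.log main;`.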
@@ -81,8 +81,22 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 [[ ! -f /config/www/502.html ]] &&
 cp /defaults/502.html /config/www/502.html
 
+# Set resolver
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+ RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+ echo "Setting resolver to ${RESOLVER}"
+ echo "resolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+fi
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+ WORKER_PROCESSES=$(wc -w < /sys/fs/cgroup/cpuacct/cpuacct.usage_percpu)
+ echo "Setting worker_processes to ${WORKER_PROCESSES}"
+ echo "worker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi
+
 # remove lua bits from nginx.conf if not done before
-if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
+if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
 echo "Removing lua specific info from nginx.conf"
 sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
 fi
From b1ae12189fa02ce5ad4410968b5997abc9c3449c Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 27 Apr 2021 14:32:41 -0500
Subject: [PATCH 04/10] Fix indentation
---
 root/defaults/default | 176 ++++++++--------
 root/defaults/geoip2.conf | 32 +--
 root/defaults/nginx.conf | 198 ++++++++--------
 root/etc/cont-init.d/50-config | 352 +++++++++++++++----------------
 root/etc/logrotate.d/lerotate | 18 +-
 root/etc/services.d/fail2ban/run | 4 +-
 6 files changed, 390 insertions(+), 390 deletions(-)
diff --git a/root/defaults/default b/root/defaults/default
index a40ca08..9ffee51 100644
--- a/root/defaults/default
+++ b/root/defaults/default
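Review bot: `WORKER_PROCESSES=$(wc -w < /sys/fs/cgroup/cpuacct/cpuacct.usage_percpu)` reads a cgroup v1 file; on a cgroup v2 host the redirect fails, the variable is empty and the script writes `worker_processes ;`, which nginx rejects. Because the guard only checks that the string `worker_processes` is present, that broken file is never rewritten on later starts, and the resolver block has the same failure mode if `/etc/resolv.conf` yields no `nameserver` line. Consider `WORKER_PROCESSES=$(nproc 2>/dev/null)` followed by `[[ -z "${WORKER_PROCESSES}" ]] && WORKER_PROCESSES=auto`, and check that `${RESOLVER}` is non-empty before writing resolver.conf. `nproc` also honours the container's CPU affinity mask, which the cpuacct per-CPU file does not.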
@@ -4,149 +4,149 @@ error_page 502 /502.html; # redirect all traffic to https server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + return 301 https://$host$request_uri; } # main server block server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; - root /config/www; - index index.html index.htm index.php; + root /config/www; + index index.html index.htm index.php; - server_name _; + server_name _; - # enable subfolder method reverse proxy confs - include /config/nginx/proxy-confs/*.subfolder.conf; + # enable subfolder method reverse proxy confs + include /config/nginx/proxy-confs/*.subfolder.conf; - # all ssl related config moved to ssl.conf - include /config/nginx/ssl.conf; + # all ssl related config moved to ssl.conf + include /config/nginx/ssl.conf; - # enable for ldap auth - #include /config/nginx/ldap.conf; + # enable for ldap auth + #include /config/nginx/ldap.conf; - # enable for Authelia - #include /config/nginx/authelia-server.conf; + # enable for Authelia + #include /config/nginx/authelia-server.conf; - # enable for geo blocking - # See /config/nginx/geoip2.conf for more information. - #if ($allowed_country = no) { - #return 444; - #} + # enable for geo blocking + # See /config/nginx/geoip2.conf for more information. 
+ #if ($allowed_country = no) { + #return 444; + #} - client_max_body_size 0; + client_max_body_size 0; - location / { - try_files $uri $uri/ /index.html /index.php?$args =404; - } + location / { + try_files $uri $uri/ /index.html /index.php?$args =404; + } - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - } + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" # notice this is within the same server block as the base # don't forget to generate the .htpasswd file as described on docker hub -# location ^~ /cp { -# auth_basic "Restricted"; -# auth_basic_user_file /config/nginx/.htpasswd; -# include /config/nginx/proxy.conf; -# proxy_pass http://192.168.1.50:5050/cp; -# } +# location ^~ /cp { +# auth_basic "Restricted"; +# auth_basic_user_file /config/nginx/.htpasswd; +# include /config/nginx/proxy.conf; +# proxy_pass http://192.168.1.50:5050/cp; +# } } # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above # notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name cp.*; +# server_name cp.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# auth_basic "Restricted"; -# auth_basic_user_file /config/nginx/.htpasswd; -# include /config/nginx/proxy.conf; -# proxy_pass http://192.168.1.50:5050; -# } +# location / 
{ +# auth_basic "Restricted"; +# auth_basic_user_file /config/nginx/.htpasswd; +# include /config/nginx/proxy.conf; +# proxy_pass http://192.168.1.50:5050; +# } #} # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info # notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name heimdall.*; +# server_name heimdall.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# include /config/nginx/ldap.conf; +# include /config/nginx/ldap.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# # the next two lines will enable ldap auth along with the included ldap.conf in the server block -# auth_request /auth; -# error_page 401 =200 /ldaplogin; +# location / { +# # the next two lines will enable ldap auth along with the included ldap.conf in the server block +# auth_request /auth; +# error_page 401 =200 /ldaplogin; # -# include /config/nginx/proxy.conf; -# resolver 127.0.0.11 valid=30s; -# set $upstream_app heimdall; -# set $upstream_port 443; -# set $upstream_proto https; -# proxy_pass $upstream_proto://$upstream_app:$upstream_port; -# } +# include /config/nginx/proxy.conf; +# resolver 127.0.0.11 valid=30s; +# set $upstream_app heimdall; +# set $upstream_port 443; +# set $upstream_proto https; +# proxy_pass $upstream_proto://$upstream_app:$upstream_port; +# } #} # sample reverse proxy config for "heimdall" via subdomain, with Authelia # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml # 
notice this is a new server block, you need a new server block for each subdomain #server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; +# listen 443 ssl http2; +# listen [::]:443 ssl http2; # -# root /config/www; -# index index.html index.htm index.php; +# root /config/www; +# index index.html index.htm index.php; # -# server_name heimdall.*; +# server_name heimdall.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/ssl.conf; # -# include /config/nginx/authelia-server.conf; +# include /config/nginx/authelia-server.conf; # -# client_max_body_size 0; +# client_max_body_size 0; # -# location / { -# # the next line will enable Authelia along with the included authelia-server.conf in the server block -# include /config/nginx/authelia-location.conf; +# location / { +# # the next line will enable Authelia along with the included authelia-server.conf in the server block +# include /config/nginx/authelia-location.conf; # -# include /config/nginx/proxy.conf; -# resolver 127.0.0.11 valid=30s; -# set $upstream_app heimdall; -# set $upstream_port 443; -# set $upstream_proto https; -# proxy_pass $upstream_proto://$upstream_app:$upstream_port; -# } +# include /config/nginx/proxy.conf; +# resolver 127.0.0.11 valid=30s; +# set $upstream_app heimdall; +# set $upstream_port 443; +# set $upstream_proto https; +# proxy_pass $upstream_proto://$upstream_app:$upstream_port; +# } #} # enable subdomain method reverse proxy confs diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf index 702c4dc..846c5b5 100644 --- a/root/defaults/geoip2.conf +++ b/root/defaults/geoip2.conf 
@@ -51,22 +51,22 @@ geo $allow_list { # Add the following if statements inside any server context where you want to geo block countries. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_country = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_country = no) { +# return 444; +# } ######################################### # Add the following if statements inside any server context where you want to geo block cities. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_city = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_city = no) { +# return 444; +# } ######################################### # Example using a config from proxy-confs @@ -90,12 +90,12 @@ geo $allow_list { # # Allow lan access if default is set to no # if ($allow_list = yes) { -# set $allowed_country yes; +# set $allowed_country yes; # } -# # Country geo block -# if ($allowed_country = no) { +# # Country geo block +# if ($allowed_country = no) { # return 444; -# } +# } # diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index b56a5c7..b5f7f8d 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
@@ -15,135 +15,135 @@ error_log /config/log/nginx/error.log; include /etc/nginx/modules/*.conf; events { - # The maximum number of simultaneous connections that can be opened by - # a worker process. - worker_connections 1024; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; + # multi_accept on; } http { - # Includes mapping of file name extensions to MIME types of responses - # and defines the default type. - include /etc/nginx/mime.types; - default_type application/octet-stream; + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Name servers used to resolve names of upstream servers into addresses. - # It's also needed when using tcpsocket and udpsocket in Lua modules. - #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; - include /config/nginx/resolver.conf + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf - # Don't tell nginx version to the clients. Default is 'on'. - server_tokens off; + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; - # Specifies the maximum accepted body size of a client request, as - # indicated by the request header Content-Length. If the stated content - # length is greater than this size, then the client receives the HTTP - # error code 413. Set to 0 to disable. Default is '1m'. - client_max_body_size 0; + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. 
Default is '1m'. + client_max_body_size 0; - # Sendfile copies data between one FD and other from within the kernel, - # which is more efficient than read() + write(). Default is off. - sendfile on; + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. + sendfile on; - # Causes nginx to attempt to send its HTTP response head in one packet, - # instead of using partial frames. Default is 'off'. - tcp_nopush on; + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; - # Helper variable for proxying websockets. - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - # Sets the path, format, and configuration for a buffered log write. - access_log /config/log/nginx/access.log; + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; - # Includes virtual hosts configs. - #include /etc/nginx/http.d/*.conf; + # Includes virtual hosts configs. + #include /etc/nginx/http.d/*.conf; - # WARNING: Don't use this directory for virtual hosts anymore. - # This include will be moved to the root context in Alpine 3.14. - #include /etc/nginx/conf.d/*.conf; + # WARNING: Don't use this directory for virtual hosts anymore. + # This include will be moved to the root context in Alpine 3.14. 
+ #include /etc/nginx/conf.d/*.conf; - ## - # Basic Settings - ## + ## + # Basic Settings + ## - client_body_buffer_size 128k; - keepalive_timeout 65; - large_client_header_buffers 4 16k; - send_timeout 5m; - tcp_nodelay on; - types_hash_max_size 2048; - variables_hash_max_size 2048; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + client_body_buffer_size 128k; + keepalive_timeout 65; + large_client_header_buffers 4 16k; + send_timeout 5m; + tcp_nodelay on; + types_hash_max_size 2048; + variables_hash_max_size 2048; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - ## - # Gzip Settings - ## + ## + # Gzip Settings + ## - gzip on; - gzip_disable "msie6"; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + gzip on; + gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## - #include /etc/nginx/naxsi_core.rules; + #include /etc/nginx/naxsi_core.rules; - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; - ## - # Virtual Host Configs - ## - include /config/nginx/site-confs/*; - #Removed lua. Do not remove this comment + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. 
Do not remove this comment - ## - # Geoip2 config - ## - # Uncomment to add the Geoip2 configs needed to geo block countries/cities. - ## + ## + # Geoip2 config + ## + # Uncomment to add the Geoip2 configs needed to geo block countries/cities. + ## - #include /config/nginx/geoip2.conf; + #include /config/nginx/geoip2.conf; } #mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } # -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } #} daemon off; diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index eb842cb..c75a25a 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
@@ -17,26 +17,26 @@ STAGING=${STAGING}\\n" # Echo init finish for test runs if [ -n "${TEST_RUN}" ]; then - echo '[services.d] done.' + echo '[services.d] done.' fi # Sanitize variables SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER ) for i in "${SANED_VARS[@]}" do - export echo "$i"="${!i//\"/}" - export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" + export echo "$i"="${!i//\"/}" + export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" done # check to make sure that the required variables are set [[ -z "$URL" ]] && \ - echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ - sleep infinity + echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ + sleep infinity # make our folders and links mkdir -p \ - /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ - /var/run/fail2ban + /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ + /var/run/fail2ban rm -rf /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt @@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/ # if jail.local is missing in /config, copy default [[ ! -f /config/fail2ban/jail.local ]] && \ - cp /defaults/jail.local /config/fail2ban/jail.local + cp /defaults/jail.local /config/fail2ban/jail.local # Replace fail2ban config with user config [[ -d /etc/fail2ban/filter.d ]] && \ - rm -rf /etc/fail2ban/filter.d + rm -rf /etc/fail2ban/filter.d [[ -d /etc/fail2ban/action.d ]] && \ - rm -rf /etc/fail2ban/action.d + rm -rf /etc/fail2ban/action.d cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ 
@@ -65,21 +65,21 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local # copy crontab and proxy defaults if needed [[ ! -f /config/crontabs/root ]] && \ - cp /etc/crontabs/root /config/crontabs/ + cp /etc/crontabs/root /config/crontabs/ [[ ! -f /config/nginx/proxy.conf ]] && \ - cp /defaults/proxy.conf /config/nginx/proxy.conf + cp /defaults/proxy.conf /config/nginx/proxy.conf [[ ! -f /config/nginx/ssl.conf ]] && \ - cp /defaults/ssl.conf /config/nginx/ssl.conf + cp /defaults/ssl.conf /config/nginx/ssl.conf [[ ! -f /config/nginx/ldap.conf ]] && \ - cp /defaults/ldap.conf /config/nginx/ldap.conf + cp /defaults/ldap.conf /config/nginx/ldap.conf [[ ! -f /config/nginx/authelia-server.conf ]] && \ - cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf + cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf [[ ! -f /config/nginx/authelia-location.conf ]] && \ - cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf + cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf [[ ! -f /config/nginx/geoip2.conf ]] && \ - cp /defaults/geoip2.conf /config/nginx/geoip2.conf + cp /defaults/geoip2.conf /config/nginx/geoip2.conf [[ ! -f /config/www/502.html ]] && - cp /defaults/502.html /config/www/502.html + cp /defaults/502.html /config/www/502.html # Set resolver if ! grep -q 'resolver' /config/nginx/resolver.conf; then 
@@ -97,25 +97,25 @@ fi # remove lua bits from nginx.conf if not done before if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then - echo "Removing lua specific info from nginx.conf" - sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf + echo "Removing lua specific info from nginx.conf" + sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf fi # copy pre-generated dhparams or generate if needed [[ ! -f /config/nginx/dhparams.pem ]] && \ - cp /defaults/dhparams.pem /config/nginx/dhparams.pem + cp /defaults/dhparams.pem /config/nginx/dhparams.pem if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" + curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" fi if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." - openssl dhparam -out /config/nginx/dhparams.pem 4096 + echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." + openssl dhparam -out /config/nginx/dhparams.pem 4096 fi # check to make sure DNSPLUGIN is selected if dns validation is used [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \ - echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ - sleep infinity + echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ + sleep infinity # import user crontabs rm /etc/crontabs/* 
@@ -123,11 +123,11 @@ cp /config/crontabs/* /etc/crontabs/ # create original config file if it doesn't exist, move non-hidden legacy file to hidden if [ -f "/config/donoteditthisfile.conf" ]; then - mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf + mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf fi if [ ! -f "/config/.donoteditthisfile.conf" ]; then - echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf - echo "Created .donoteditthisfile.conf" + echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf + echo "Created .donoteditthisfile.conf" fi # load original config settings 
@@ -136,75 +136,75 @@ fi # set default validation to http if [ -z "$VALIDATION" ]; then - VALIDATION="http" - echo "VALIDATION parameter not set; setting it to http" + VALIDATION="http" + echo "VALIDATION parameter not set; setting it to http" fi # if zerossl is selected or staging is set to true, use the relevant server if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then - echo "ZeroSSL does not support staging mode, ignoring STAGING variable" + echo "ZeroSSL does not support staging mode, ignoring STAGING variable" fi if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" - ACMESERVER="https://acme.zerossl.com/v2/DV90" + echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" + ACMESERVER="https://acme.zerossl.com/v2/DV90" elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" - sleep infinity + echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. 
Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" + sleep infinity elif [ "$STAGING" = "true" ]; then - echo "NOTICE: Staging is active" - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + echo "NOTICE: Staging is active" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" else - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi # figuring out url only vs url & subdomains vs subdomains only if [ -n "$SUBDOMAINS" ]; then - echo "SUBDOMAINS entered, processing" - if [ "$SUBDOMAINS" = "wildcard" ]; then - if [ "$ONLY_SUBDOMAINS" = true ]; then - export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of $URL will be requested" - else - export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for $URL will be requested" - fi - else echo "SUBDOMAINS entered, processing" - for job in $(echo "$SUBDOMAINS" | tr "," " "); do - export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" - done - if [ "$ONLY_SUBDOMAINS" = true ]; then - URL_REAL="$SUBDOMAINS_REAL" - echo "Only subdomains, no URL in cert" + if [ "$SUBDOMAINS" = "wildcard" ]; then + if [ "$ONLY_SUBDOMAINS" = true ]; then + export URL_REAL="-d *.${URL}" + echo "Wildcard cert for only the subdomains of $URL will be requested" + else + export URL_REAL="-d *.${URL} -d ${URL}" + echo "Wildcard cert for $URL will be requested" + fi else - URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + echo "SUBDOMAINS entered, processing" + for job in $(echo "$SUBDOMAINS" | tr "," " "); do + export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" + done + if [ "$ONLY_SUBDOMAINS" = true ]; then + URL_REAL="$SUBDOMAINS_REAL" + echo 
"Only subdomains, no URL in cert" + else + URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + fi + echo "Sub-domains processed are: $SUBDOMAINS_REAL" fi - echo "Sub-domains processed are: $SUBDOMAINS_REAL" - fi else - echo "No subdomains defined" - URL_REAL="-d $URL" + echo "No subdomains defined" + URL_REAL="-d $URL" fi # add extra domains if [ -n "$EXTRA_DOMAINS" ]; then - echo "EXTRA_DOMAINS entered, processing" - for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do - export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" - done - echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" - URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" + echo "EXTRA_DOMAINS entered, processing" + for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do + export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" + done + echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" + URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" fi # figuring out whether to use e-mail and which if [[ $EMAIL == *@* ]]; then - echo "E-mail address entered: ${EMAIL}" - EMAILPARAM="-m ${EMAIL} --no-eff-email" + echo "E-mail address entered: ${EMAIL}" + EMAILPARAM="-m ${EMAIL} --no-eff-email" else - echo "No e-mail address entered or address invalid" - EMAILPARAM="--register-unsafely-without-email" + echo "No e-mail address entered or address invalid" + EMAILPARAM="--register-unsafely-without-email" fi # update plugin names in dns conf inis 
@@ -215,82 +215,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini # setting the validation method to use if [ "$VALIDATION" = "dns" ]; then - if [ "$DNSPLUGIN" = "route53" ]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then - if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi - PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" - elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - else - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - fi - echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" + if [ "$DNSPLUGIN" = "route53" ]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then + if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi + PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" + elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + else + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + fi + echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" elif [ "$VALIDATION" = "tls-sni" ]; then - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "*****tls-sni validation has been deprecated, attempting http validation instead" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "*****tls-sni validation has been deprecated, attempting http validation instead" elif [ "$VALIDATION" = "duckdns" ]; then - PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" - chmod +x /app/duckdns-txt - echo "duckdns validation is selected" - if [ "$SUBDOMAINS" = "wildcard" ]; then - echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" - export URL_REAL="-d *.${URL}" - else - echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org" - export URL_REAL="-d ${URL}" - fi + PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" + chmod +x /app/duckdns-txt + echo "duckdns validation is selected" + if [ "$SUBDOMAINS" = "wildcard" ]; then + echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" + export URL_REAL="-d *.${URL}" + else + echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. 
subdomain.duckdns.org" + export URL_REAL="-d ${URL}" + fi else - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "http validation is selected" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "http validation is selected" fi # setting the symlink for key location rm -rf /config/keys/letsencrypt if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then - DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" - ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt + DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" + ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt else - ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt + ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt fi # checking for changes in cert variables, revoking certs if necessary if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then - echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" - if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then - ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" - else - ORIGDOMAIN="$ORIGURL" - fi - if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") - REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" + if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then + ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" + else + ORIGDOMAIN="$ORIGURL" fi - REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" - elif [ "$ORIGSTAGING" = "true" ]; then - REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" - else - REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" - fi - [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER - rm -rf /config/etc/letsencrypt - mkdir -p /config/etc/letsencrypt + if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then + REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") + REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then + echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
+ sleep infinity + fi + REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" + elif [ "$ORIGSTAGING" = "true" ]; then + REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + else + REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + fi + [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + rm -rf /config/etc/letsencrypt + mkdir -p /config/etc/letsencrypt fi # saving new variables 
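Review bot: The `else` branch of the key-symlink block now reads `../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt` — the `ln -s` was lost in the re-indentation, so bash tries to execute that path as a command and the `/config/keys/letsencrypt` symlink is never created. Since the next hunk's `[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]` check keys off that symlink, every container start would then request a brand-new certificate, which in practice also eats into the CA's issuance rate limits. The line should be `ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt`; PATCH 08 later in this series restores it, so that fix belongs squashed into this commit. Separately, the revoke path runs `rm -rf /config/etc/letsencrypt` even when `certbot revoke` fails, leaving an unrevoked certificate valid while its private key is deleted locally; consider capturing the revoke exit status and at least logging a warning before removing the directory.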
@@ -298,74 +298,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ # alter extension for error message if [ "$DNSPLUGIN" = "google" ]; then - FILENAME="$DNSPLUGIN.json" + FILENAME="$DNSPLUGIN.json" else - FILENAME="$DNSPLUGIN.ini" + FILENAME="$DNSPLUGIN.ini" fi # generating certs if necessary if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then - if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "Retrieving EAB from ZeroSSL" - EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") - ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then + echo "Retrieving EAB from ZeroSSL" + EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") + ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then + echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
+ sleep infinity + fi + ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" fi - ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" - fi - echo "Generating new certificate" - # shellcheck disable=SC2086 - certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL - if [ -d /config/keys/letsencrypt ]; then - cd /config/keys/letsencrypt || exit - else - if [ "$VALIDATION" = "dns" ]; then - echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." - elif [ "$VALIDATION" = "duckdns" ]; then - echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct." + echo "Generating new certificate" + # shellcheck disable=SC2086 + certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL + if [ -d /config/keys/letsencrypt ]; then + cd /config/keys/letsencrypt || exit else - echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" + if [ "$VALIDATION" = "dns" ]; then + echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." + elif [ "$VALIDATION" = "duckdns" ]; then + echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct." + else + echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. 
Please fix your settings and recreate the container" + fi + sleep infinity fi - sleep infinity - fi - openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: - sleep 1 - cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem - echo "New certificate generated; starting nginx" + openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: + sleep 1 + cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem + echo "New certificate generated; starting nginx" else - echo "Certificate exists; parameters unchanged; starting nginx" + echo "Certificate exists; parameters unchanged; starting nginx" fi # create GeoIP2 folder symlink [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \ - rm -rf /var/lib/libmaxminddb + rm -rf /var/lib/libmaxminddb [[ ! -d /var/lib/libmaxminddb ]] && \ - ln -s /config/geoip2db /var/lib/libmaxminddb + ln -s /config/geoip2db /var/lib/libmaxminddb # check GeoIP2 database if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then - sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb - if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then - echo "Downloading GeoIP2 City database." - /etc/periodic/weekly/libmaxminddb - fi + sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb + if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then + echo "Downloading GeoIP2 City database." + /etc/periodic/weekly/libmaxminddb + fi elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then - echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." 
+ echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." else - echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." + echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." fi # logfiles needed by fail2ban [[ ! -f /config/log/nginx/error.log ]] && \ - touch /config/log/nginx/error.log + touch /config/log/nginx/error.log [[ ! -f /config/log/nginx/access.log ]] && \ - touch /config/log/nginx/access.log + touch /config/log/nginx/access.log # permissions chown -R abc:abc \ - /config + /config chmod -R 0644 /etc/logrotate.d chmod -R +r /config/log chmod +x /app/le-renew.sh diff --git a/root/etc/logrotate.d/lerotate b/root/etc/logrotate.d/lerotate index 28a38a7..ab87d1e 100644 --- a/root/etc/logrotate.d/lerotate +++ b/root/etc/logrotate.d/lerotate @@ -1,11 +1,11 @@ /config/log/letsencrypt/*.log { - weekly - rotate 52 - compress - delaycompress - nodateext - missingok - notifempty - sharedscripts - su abc abc + weekly + rotate 52 + compress + delaycompress + nodateext + missingok + notifempty + sharedscripts + su abc abc } diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run index c023109..6f7f3af 100644 --- a/root/etc/services.d/fail2ban/run +++ b/root/etc/services.d/fail2ban/run @@ -1,4 +1,4 @@ #!/usr/bin/with-contenv bash - exec \ - fail2ban-client -x -f start +exec \ + fail2ban-client -x -f start From 24c5e9f24334b67d6abf8de0e0d6efd552c4a27b Mon Sep 17 00:00:00 2001 
From: aptalca Date: Fri, 14 May 2021 10:43:47 -0400 Subject: [PATCH 05/10] use lsio wheel index, use ffdhe4096 per rfc7919 --- Dockerfile | 5 +---- Dockerfile.aarch64 | 5 +---- Dockerfile.armhf | 5 +---- root/defaults/dhparams.pem | 13 +++++++++++++ root/etc/cont-init.d/50-config | 6 +----- 5 files changed, 17 insertions(+), 17 deletions(-) create mode 100644 root/defaults/dhparams.pem diff --git a/Dockerfile b/Dockerfile index 05554f9..69ec5dc 100755 --- a/Dockerfile +++ b/Dockerfile @@ -96,7 +96,7 @@ RUN \ fi && \ pip3 install -U \ pip && \ - pip3 install -U \ + pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \ ${CERTBOT} \ certbot-dns-aliyun \ certbot-dns-cloudflare \ @@ -140,9 +140,6 @@ RUN \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ echo "**** configure nginx ****" && \ rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ echo "**** cleanup ****" && \ apk del --purge \ build-dependencies && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 5733dd4..89a51ac 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -96,7 +96,7 @@ RUN \ fi && \ pip3 install -U \ pip && \ - pip3 install -U \ + pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \ ${CERTBOT} \ certbot-dns-aliyun \ certbot-dns-cloudflare \ @@ -140,9 +140,6 @@ RUN \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ echo "**** configure nginx ****" && \ rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ echo "**** cleanup ****" && \ apk del --purge \ build-dependencies && \ 
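Review bot: The new `--find-links https://wheel-index.linuxserver.io/alpine/` adds a second, project-run package source to `pip3 install -U` with no version pins and no hash verification, so whatever that index serves at build time is installed into the image with nothing to detect a tampered or replaced wheel. The packages on this line (`${CERTBOT}` and the `certbot-dns-*` plugins) are exactly the code that handles DNS-provider credentials and ACME account keys, so this is worth hardening: generate a hash-pinned requirements file and install with `pip3 install --require-hashes --find-links https://wheel-index.linuxserver.io/alpine/ -r requirements.txt`, or at minimum pin the plugin versions so an unexpected newer wheel from either source is not silently picked up. The same change appears in Dockerfile.aarch64 and Dockerfile.armhf and should be treated identically.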
diff --git a/Dockerfile.armhf b/Dockerfile.armhf index a4f8789..0047bf6 100755 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -96,7 +96,7 @@ RUN \ fi && \ pip3 install -U \ pip && \ - pip3 install -U \ + pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \ ${CERTBOT} \ certbot-dns-aliyun \ certbot-dns-cloudflare \ @@ -140,9 +140,6 @@ RUN \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ echo "**** configure nginx ****" && \ rm -f /etc/nginx/conf.d/default.conf && \ - curl -o \ - /defaults/dhparams.pem -L \ - "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ echo "**** cleanup ****" && \ apk del --purge \ build-dependencies && \ diff --git a/root/defaults/dhparams.pem b/root/defaults/dhparams.pem new file mode 100644 index 0000000..eed4c41 --- /dev/null +++ b/root/defaults/dhparams.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index c75a25a..2faab78 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
@@ -105,11 +105,7 @@ fi
 [[ ! -f /config/nginx/dhparams.pem ]] && \
 cp /defaults/dhparams.pem /config/nginx/dhparams.pem
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
- curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
-fi
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
- echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
- openssl dhparam -out /config/nginx/dhparams.pem 4096
+ curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
 fi
 
 # check to make sure DNSPLUGIN is selected if dns validation is used
From 49bd204b51d4f059106eea503fe37dd0f224380e Mon Sep 17 00:00:00 2001
From: aptalca
Date: Fri, 14 May 2021 11:08:24 -0400
Subject: [PATCH 06/10] add comments to resolver.conf and worker_processes
---
 README.md | 4 ++--
 readme-vars.yml | 4 ++--
 root/etc/cont-init.d/50-config | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 3449417..401ba30 100644
--- a/README.md
+++ b/README.md
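Review bot: The fallback for a `dhparams.pem` that lacks `PARAMETERS` still fetches the file from the network (`curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"`) with no `-f`/`--fail` and no integrity check, so an HTTP error page or any other unexpected body is written straight into the TLS configuration, and the container keeps a start-time dependency on an external host. Since this commit ships the same ffdhe4096 group in `/defaults/dhparams.pem` two lines up, the fallback can simply be `cp /defaults/dhparams.pem /config/nginx/dhparams.pem` and drop the download entirely. If a network fetch is kept on purpose, add `-f` and re-run the `grep -q 'PARAMETERS'` check on the result before nginx starts, logging a warning on failure.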
@@ -82,7 +82,7 @@ The architectures supported by this image are: * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. ### Security and password protection * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. -* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time +* Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`. * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd ` * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server. 
@@ -330,7 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions -* **27.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. +* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later. * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method. * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse. * **12.04.21:** - Add support for vultr dns validation. diff --git a/readme-vars.yml b/readme-vars.yml index ea57427..c800944 100755 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -101,7 +101,7 @@ app_setup_block: | * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. ### Security and password protection * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. - * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time + * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`. * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd ` * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server. 
@@ -151,7 +151,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: - - { date: "27.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files." } + - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." } - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." } - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." } - { date: "12.04.21:", desc: "Add support for vultr dns validation." } diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index 2faab78..a83fb02 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
@@ -85,14 +85,14 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then
 RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
 echo "Setting resolver to ${RESOLVER}"
- echo "resolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+ echo "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
 
 # Set worker_processes
 if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
 WORKER_PROCESSES=$(wc -w < /sys/fs/cgroup/cpuacct/cpuacct.usage_percpu)
 echo "Setting worker_processes to ${WORKER_PROCESSES}"
- echo "worker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+ echo "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
 fi
 
 # remove lua bits from nginx.conf if not done before
From 2ea807dd0284af16ce1f05526fb1d6f8ad707b39 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Fri, 14 May 2021 13:25:47 -0500
Subject: [PATCH 07/10] Use nproc to detect available cpus
---
 root/etc/cont-init.d/50-config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index a83fb02..8faf2b2 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
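Review bot: Both new lines, `echo "# This file is auto-generated …\nresolver ${RESOLVER} valid=30s;"` and `echo "# This file is auto-generated …\nworker_processes ${WORKER_PROCESSES};"`, rely on `\n` being expanded, but bash's builtin `echo` does not interpret backslash escapes without `-e` (unless `xpg_echo` is set, which is not visible here), and this script is bash — it uses `[[ … =~ … ]]` and `echo -e` elsewhere for exactly this purpose. Each file would therefore be written as a single line beginning with `#`, so nginx sees only a comment and gets neither a `resolver` nor a `worker_processes` directive. Worse, the `grep -q 'resolver'` and `grep -q 'worker_processes'` guards then match the literal text inside that comment line on subsequent starts, so the broken file is never regenerated. Use `echo -e` on both lines, or `printf '%s\n%s\n' "# …" "resolver ${RESOLVER} valid=30s;"`, which sidesteps the escape-interpretation question altogether.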
@@ -90,7 +90,7 @@ fi
 
 # Set worker_processes
 if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
- WORKER_PROCESSES=$(wc -w < /sys/fs/cgroup/cpuacct/cpuacct.usage_percpu)
+ WORKER_PROCESSES=$(nproc)
 echo "Setting worker_processes to ${WORKER_PROCESSES}"
 echo "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
 fi
From fcd004dfdc47516f16ed0f852c066edf9c217e60 Mon Sep 17 00:00:00 2001
From: aptalca
Date: Fri, 14 May 2021 16:22:32 -0400
Subject: [PATCH 08/10] fix typos and formatting
---
 root/etc/cont-init.d/50-config | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 8faf2b2..a0f54b1 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -259,7 +259,7 @@ if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
 DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
 ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
 else
- ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
+ ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
 fi
 
 # checking for changes in cert variables, revoking certs if necessary
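Review bot: `WORKER_PROCESSES=$(nproc)` reports the CPUs the process is allowed to run on (its affinity mask), so as far as I can tell it honours `--cpuset-cpus` but not a CFS quota such as `docker run --cpus=2`; on a large host with a small quota the one-time generated `worker_processes` value can be far larger than the CPU time the container actually receives. Since the generated comment already invites users to set `auto`, consider writing `worker_processes auto;` by default and letting nginx size itself, or at least extend the generated comment with `# nproc ignores CPU quotas; lower this if the container is CPU-limited` so the caveat is visible where the value lives. The surrounding `if ! grep -q 'worker_processes'` guard means this value is only ever computed on first start, so a wrong first guess persists.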
@@ -275,8 +275,8 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
 REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
 REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
 if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
- echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
- sleep infinity
+ echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+ sleep infinity
 fi
 REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
 elif [ "$ORIGSTAGING" = "true" ]; then
@@ -307,8 +307,8 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
 ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
 ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
 if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
- echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
- sleep infinity
+ echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+ sleep infinity
 fi
 ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
 fi
@@ -319,11 +319,11 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
 cd /config/keys/letsencrypt || exit
 else
 if [ "$VALIDATION" = "dns" ]; then
- echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
+ echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
 elif [ "$VALIDATION" = "duckdns" ]; then
- echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
+ echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
 else
- echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+ echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
 fi
 sleep infinity
 fi
From 12386fbfc7f2edccc8c0e181f63b8a8aa64fdc80 Mon Sep 17 00:00:00 2001
From: aptalca
Date: Fri, 14 May 2021 17:07:21 -0400
Subject: [PATCH 09/10] fix typos

---
 root/defaults/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index b5f7f8d..ea2830c 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -3,7 +3,7 @@ user abc;
 
 # Set number of worker processes automatically based on number of CPU cores.
-include /config/nginx/worker_processes.conf
+include /config/nginx/worker_processes.conf;
 
 # Enables the use of JIT for regular expressions to speed-up their processing.
 pcre_jit on;
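Review bot: The comment kept directly above the fixed `include` still promises that worker processes are set "automatically based on number of CPU cores", but the included file is generated once on first start and then left to the user (that is what the header the init script writes into it says, per the 50-config hunks on this page), so the comment now describes the wrong contract. Suggest replacing it with `# Number of worker processes, read from a file generated on first start from the detected CPU count; edit that file, or set it to auto to let nginx decide.`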
@@ -30,7 +30,7 @@ http {
 # Name servers used to resolve names of upstream servers into addresses.
 # It's also needed when using tcpsocket and udpsocket in Lua modules.
 #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
- include /config/nginx/resolver.conf
+ include /config/nginx/resolver.conf;
 
 # Don't tell nginx version to the clients. Default is 'on'.
 server_tokens off;
From 1cc2e4d395b99512ce9be1350c1327265d40b3ea Mon Sep 17 00:00:00 2001
From: aptalca
Date: Tue, 18 May 2021 10:27:25 -0400
Subject: [PATCH 10/10] fix typo

---
 root/etc/cont-init.d/50-config | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index a0f54b1..6e92bda 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
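Review bot: The kept comment "It's also needed when using tcpsocket and udpsocket in Lua modules" above the fixed `include` is upstream Alpine wording; this image's init script has a "remove lua bits from nginx.conf" step (visible in the 50-config hunks on this page), so the sentence points readers at a feature the image strips. It would be clearer to replace that line with `# Also used by directives that resolve names at runtime (e.g. proxy_pass with variables, ssl_stapling).` and to note that the included file is generated from the container's /etc/resolv.conf on first start, so the resolver in use is whatever the container runtime provides.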
@@ -85,14 +85,14 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then
 RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
 echo "Setting resolver to ${RESOLVER}"
- echo "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+ echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
 
 # Set worker_processes
 if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
 WORKER_PROCESSES=$(nproc)
 echo "Setting worker_processes to ${WORKER_PROCESSES}"
- echo "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+ echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
 fi
 
 # remove lua bits from nginx.conf if not done before
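Review bot: `echo -e` on the two changed lines ties the generated files to the shell's echo builtin — bash honors `-e`, whereas a POSIX `sh`/dash echo prints `-e` literally into the file — so `printf '%s\n\n%s\n' "<header comment>" "resolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf` (and likewise for worker_processes.conf) would behave the same under any interpreter; the shebang is outside the hunk, so this is hedged. Separately, the awk pipeline yields an empty RESOLVER when /etc/resolv.conf has no nameserver line, and the file is then persisted as `resolver  valid=30s;` with no server address, which the `grep -q 'resolver'` check on later starts treats as already done; guarding the write with `[ -n "$RESOLVER" ]` and logging the failure otherwise would avoid persisting a directive nginx cannot use.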