diff --git a/Dockerfile b/Dockerfile index 70cb662..3e44ac6 100755 --- a/Dockerfile +++ b/Dockerfile @@ -132,6 +132,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 863dedd..3abf173 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -132,6 +132,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 5a7be78..24fe767 100755 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -131,6 +131,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Jenkinsfile b/Jenkinsfile index 937dba0..505ffe9 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
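Review bot: The added `rm /sbin/ip6tables` and `ln -s /sbin/ip6tables-nft /sbin/ip6tables` steps assume both paths exist in the base image. If `/sbin/ip6tables-nft` is ever absent, the link is created dangling and fail2ban's IPv6 ban actions fail at runtime rather than at build time. A guarded form such as `test -x /sbin/ip6tables-nft && ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \` fails the build early and needs no separate `rm`. Only the IPv6 binary is repointed, so confirm that `/sbin/iptables` resolves to the same backend; otherwise IPv4 and IPv6 bans could land in different rule sets. The same lines are added to Dockerfile.aarch64 and Dockerfile.armhf, and the RUN instruction starts and ends outside the hunk.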
@@ -118,12 +118,11 @@ pipeline { script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''', returnStdout: true).trim() - env.SEMVER = (new Date()).format('YYYY.MM.dd') - def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)$/ + def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/ if (semver.find()) { env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" } else { - semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)$/ + semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/ if (semver.find()) { if (semver[0][3]) { env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" @@ -133,7 +132,15 @@ pipeline { } } - println("SEMVER: ${env.SEMVER}") + if (env.SEMVER != null) { + if (BRANCH_NAME != "master" && BRANCH_NAME != "main") { + env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}" + } + println("SEMVER: ${env.SEMVER}") + } else { + println("No SEMVER detected") + } + } } } @@ -402,10 +409,10 @@ pipeline { steps{ sh '''#! /bin/bash set -e - PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid') + PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid') if [ -z "${PACKAGE_UUID}" ]; then echo "Adding package to Scarf.sh" - PACKAGE_UUID=$(curl -sX POST https://scarf.sh/api/v1/packages \ + curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \ -H "Authorization: Bearer ${SCARF_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"name":"linuxserver/swag",\ 
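Review bot: With the `$` anchor removed from both patterns, `semver.find()` takes the first `x.y.z` run anywhere in `EXT_RELEASE_CLEAN`, so a four-part or date-prefixed release string yields its leading three numbers rather than its trailing ones. If that is intended, a comment above the first match would record it, e.g. `// unanchored on purpose: use the first x.y.z found in the release string`. The hunk also drops the date-based default, so `env.SEMVER` can now be unset and every later consumer has to tolerate that; the `[ -n "${SEMVER}" ]` guards added further down this file appear to cover the tag, push and rmi steps. The enclosing script block starts and ends outside the hunk.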
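Review bot: `env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"` puts the raw branch name into a value that later hunks use as a Docker tag, and branch names commonly contain `/`, which is not valid in a tag. On any such branch the `docker tag` and `docker push` steps would fail, and would abort the stage if it runs with `set -e` as the Scarf step does. Sanitising before appending keeps the tag well-formed, for example `env.SEMVER = "${env.SEMVER}-${BRANCH_NAME.replaceAll('[^A-Za-z0-9_.-]', '-')}"`. Because the value is chosen by whoever can push a branch, the shell steps that consume it should also quote it, as in `"${PUSHIMAGE}:${SEMVER}"`.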
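Review bot: A failed lookup is indistinguishable from "package not found" in this step. The `curl -X GET ... | jq` pipeline has no `--fail`, and the script sets `set -e` without `pipefail`, so an expired `SCARF_TOKEN` or an outage can leave `PACKAGE_UUID` empty and the step then issues the create request. The following hunk ends that POST with `|| :`, so a rejected create is silent as well. Adding `set -o pipefail` after `set -e` and using `curl -fsS` for the lookup would surface authentication and transport errors; if the create call must stay best-effort, log its failure instead of discarding it, e.g. `|| echo "Scarf package creation failed"`.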
@@ -413,22 +420,10 @@ pipeline { "libraryType":"docker",\ "website":"https://github.com/linuxserver/docker-swag",\ "backendUrl":"https://ghcr.io/linuxserver/swag",\ - "publicUrl":"https://lscr.io/linuxserver/swag"}' \ - | jq -r .uuid) + "publicUrl":"https://lscr.io/linuxserver/swag"}' || : else echo "Package already exists on Scarf.sh" fi - echo "Setting permissions on Scarf.sh for package ${PACKAGE_UUID}" - curl -X POST https://scarf.sh/api/v1/packages/${PACKAGE_UUID}/permissions \ - -H "Authorization: Bearer ${SCARF_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '[{"userQuery":"Spad","permissionLevel":"admin"},\ - {"userQuery":"roxedus","permissionLevel":"admin"},\ - {"userQuery":"nemchik","permissionLevel":"admin"},\ - {"userQuery":"driz","permissionLevel":"admin"},\ - {"userQuery":"aptalca","permissionLevel":"admin"},\ - {"userQuery":"saarg","permissionLevel":"admin"},\ - {"userQuery":"Stark","permissionLevel":"admin"}]' ''' } } @@ -752,11 +747,15 @@ pipeline { docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG} docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG} - docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} + fi docker push ${PUSHIMAGE}:latest docker push ${PUSHIMAGE}:${META_TAG} docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG} - docker push ${PUSHIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker push ${PUSHIMAGE}:${SEMVER} + fi done ''' } @@ -765,8 +764,10 @@ pipeline { docker rmi \ ${DELETEIMAGE}:${META_TAG} \ ${DELETEIMAGE}:${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:latest \ - ${DELETEIMAGE}:${SEMVER} || : + ${DELETEIMAGE}:latest || : + if [ -n "${SEMVER}" ]; then + docker rmi ${DELETEIMAGE}:${SEMVER} || : + fi done ''' } 
@@ -816,9 +817,11 @@ pipeline { docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} - docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} - docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} - docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + if [ -n "${SEMVER}" ]; then + docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi docker push ${MANIFESTIMAGE}:amd64-${META_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG} @@ -828,9 +831,11 @@ pipeline { docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} - docker push ${MANIFESTIMAGE}:amd64-${SEMVER} - docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} - docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} + if [ -n "${SEMVER}" ]; then + docker push ${MANIFESTIMAGE}:amd64-${SEMVER} + docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi docker manifest push --purge ${MANIFESTIMAGE}:latest || : docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm 
@@ -843,14 +848,18 @@ pipeline { docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8 - docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : - docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} - docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm - docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : + docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 + fi docker manifest push --purge ${MANIFESTIMAGE}:latest docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} - docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} + fi done ''' } 
@@ -860,15 +869,18 @@ pipeline { ${DELETEIMAGE}:amd64-${META_TAG} \ ${DELETEIMAGE}:amd64-latest \ ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:amd64-${SEMVER} \ ${DELETEIMAGE}:arm32v7-${META_TAG} \ ${DELETEIMAGE}:arm32v7-latest \ ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:arm32v7-${SEMVER} \ ${DELETEIMAGE}:arm64v8-${META_TAG} \ ${DELETEIMAGE}:arm64v8-latest \ - ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:arm64v8-${SEMVER} || : + ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || : + if [ -n "${SEMVER}" ]; then + docker rmi \ + ${DELETEIMAGE}:amd64-${SEMVER} \ + ${DELETEIMAGE}:arm32v7-${SEMVER} \ + ${DELETEIMAGE}:arm64v8-${SEMVER} || : + fi done docker rmi \ ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \ diff --git a/README.md b/README.md index 3b1c3b0..dcd7ccd 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Find us at: # [linuxserver/swag](https://github.com/linuxserver/docker-swag) +[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag) [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag) [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases) [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages) 
@@ -102,11 +103,12 @@ This will *ask* Google et al not to index and list your site. Be careful with th ### Using fail2ban -* This container includes fail2ban set up with 4 jails by default: +* This container includes fail2ban set up with 5 jails by default: 1. nginx-http-auth 2. nginx-badbots 3. nginx-botsearch 4. nginx-deny + 5. nginx-unauthorized * To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * You can check which jails are active via `docker exec -it swag fail2ban-client status` @@ -329,6 +331,9 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **28.03.22:** - created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config +* **09.01.22:** - Added a fail2ban jail for nginx unauthorized +* **21.12.21:** - Fixed issue with iptables not working as expected * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) * **22.11.21:** - Added support for Infomaniak DNS for certificate generation. * **20.11.21:** - Added support for dnspod validation. diff --git a/package_versions.txt b/package_versions.txt index 42a4a9e..db2145c 100755 --- a/package_versions.txt +++ b/package_versions.txt 
@@ -1,26 +1,26 @@ alpine-baselayout-3.2.0-r16 alpine-keys-2.4-r0 -apache2-utils-2.4.51-r0 +apache2-utils-2.4.53-r0 apk-tools-2.12.7-r0 apr-1.7.0-r0 apr-util-1.6.1-r7 argon2-libs-20190702-r1 -bash-5.1.4-r0 +bash-5.1.16-r0 brotli-libs-1.0.9-r5 -busybox-1.33.1-r6 +busybox-1.33.1-r7 c-client-2007f-r11 -ca-certificates-20191127-r5 -ca-certificates-bundle-20191127-r5 +ca-certificates-20211220-r0 +ca-certificates-bundle-20211220-r0 coreutils-8.32-r2 curl-7.79.1-r0 -expat-2.4.1-r0 +expat-2.4.7-r0 fail2ban-0.11.2-r0 freetype-2.10.4-r1 gdbm-1.19-r0 git-2.32.0-r0 git-perl-2.32.0-r0 glib-2.68.3-r0 -gmp-6.2.1-r0 +gmp-6.2.1-r1 gnupg-2.2.31-r0 gnutls-3.7.1-r0 icu-libs-67.1-r2 @@ -29,12 +29,12 @@ iptables-1.8.7-r1 libacl-2.2.53-r0 libassuan-2.5.5-r0 libattr-2.5.1-r0 -libblkid-2.37.2-r0 +libblkid-2.37.4-r0 libbsd-0.11.3-r0 libbz2-1.0.8-r1 libc-utils-0.7.2-r3 libcap-2.50-r0 -libcrypto1.1-1.1.1l-r0 +libcrypto1.1-1.1.1n-r0 libcurl-7.79.1-r0 libedit-20210216.3.1-r0 libevent-2.1.12-r2 @@ -55,37 +55,37 @@ libmcrypt-2.5.8-r9 libmd-1.0.3-r0 libmemcached-libs-1.0.18-r4 libmnl-1.0.4-r1 -libmount-2.37.2-r0 +libmount-2.37.4-r0 libnftnl-libs-1.2.0-r0 libpng-1.6.37-r1 -libpq-13.5-r0 +libpq-13.6-r0 libproc-3.3.17-r0 -libressl3.3-libcrypto-3.3.3-r0 -libressl3.3-libssl-3.3.3-r0 -libretls-3.3.3p1-r2 -libsasl-2.1.27-r12 +libressl3.3-libcrypto-3.3.6-r0 +libressl3.3-libssl-3.3.6-r0 +libretls-3.3.3p1-r3 +libsasl-2.1.28-r0 libseccomp-2.5.1-r2 libsecret-0.20.4-r1 libsm-1.2.3-r0 libsodium-1.0.18-r0 -libssl1.1-1.1.1l-r0 +libssl1.1-1.1.1n-r0 libstdc++-10.3.1_git20210424-r2 libtasn1-4.17.0-r0 libunistring-0.9.10-r1 -libuuid-2.37.2-r0 +libuuid-2.37.4-r0 libwebp-1.2.0-r2 libx11-1.7.2-r0 libxau-1.0.9-r0 libxcb-1.14-r2 libxdmcp-1.1.3-r0 libxext-1.3.4-r0 -libxml2-2.9.12-r1 +libxml2-2.9.13-r0 libxpm-3.5.13-r0 -libxslt-1.1.34-r1 +libxslt-1.1.35-r0 libxt-1.2.1-r0 libzip-1.7.3-r2 linux-pam-1.5.1-r1 -logrotate-3.18.1-r0 +logrotate-3.18.1-r1 lz4-libs-1.9.3-r1 memcached-1.6.9-r0 mpdecimal-2.5.1-r1 
@@ -118,7 +118,7 @@ nginx-mod-stream-geoip2-1.20.2-r0 nginx-vim-1.20.2-r0 npth-1.6-r0 oniguruma-6.9.7.1-r0 -openssl-1.1.1l-r0 +openssl-1.1.1n-r0 p11-kit-0.23.22-r0 pcre-8.44-r0 pcre2-10.36-r0 @@ -216,12 +216,12 @@ scanelf-1.3.2-r0 shadow-4.8.1-r0 skalibs-2.10.0.3-r0 sqlite-libs-3.35.5-r0 -ssl_client-1.33.1-r6 -tzdata-2021e-r0 +ssl_client-1.33.1-r7 +tzdata-2022a-r0 unixodbc-2.3.9-r1 utmps-0.1.0.2-r0 whois-5.5.10-r0 xz-5.2.5-r0 xz-libs-5.2.5-r0 -zlib-1.2.11-r3 +zlib-1.2.12-r0 zstd-libs-1.4.9-r1 diff --git a/readme-vars.yml b/readme-vars.yml index d574b83..057b71e 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -120,11 +120,12 @@ app_setup_block: | ### Using fail2ban - * This container includes fail2ban set up with 4 jails by default: + * This container includes fail2ban set up with 5 jails by default: 1. nginx-http-auth 2. nginx-badbots 3. nginx-botsearch 4. nginx-deny + 5. nginx-unauthorized * To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * You can check which jails are active via `docker exec -it swag fail2ban-client status` 
@@ -155,6 +156,9 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: - { date: "05.04.22:", desc: "Added support for standalone DNS validation." } + - { date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config" } + - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" } + - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." } - { date: "20.11.21:", desc: "Added support for dnspod validation." } diff --git a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf new file mode 100644 index 0000000..fbe6988 --- /dev/null +++ b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf @@ -0,0 +1,7 @@ +# A fail2ban filter for unauthorized log messages + +[Definition] + +failregex = ^(?!.*?(?i)plex).*"(GET|POST|HEAD).*" 401 .*$ + +ignoreregex = diff --git a/root/defaults/jail.local b/root/defaults/jail.local index 9b8673c..ebac564 100644 --- a/root/defaults/jail.local +++ b/root/defaults/jail.local 
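Review bot: As shown on this page, the `failregex` in nginx-unauthorized.conf has no `<HOST>` placeholder, which fail2ban needs in order to know which address to ban. The page rendering may have swallowed it as a tag, so confirm that the committed file reads along the lines of `^(?!.*?(?i:plex))<HOST>.*"(GET|POST|HEAD).*" 401 .*$`. The `(?!.*?(?i)plex)` lookahead scans the whole log line, including the request path, referer and user agent, which are all client-supplied, so the exemption rests on untrusted text; scoping it in nginx, on the server or location that fronts Plex, would avoid that. The mid-pattern `(?i)` is rejected by Python 3.11 and later, and `(?i:plex)` is the scoped equivalent. A comment above `failregex` saying why Plex is excluded would help the next maintainer.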
@@ -1,10 +1,14 @@ -## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local +## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local # This is the custom version of the jail.conf for fail2ban # Feel free to modify this and add additional filters # Then you can drop the new filter conf files into the fail2ban-filters # folder and restart the container [DEFAULT] +# Prevents banning LAN subnets +ignoreip = 10.0.0.0/8 + 192.168.0.0/16 + 172.16.0.0/12 # Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports". banaction = iptables-allports @@ -21,37 +25,35 @@ maxretry = 5 [ssh] - enabled = false - [nginx-http-auth] - enabled = true filter = nginx-http-auth port = http,https logpath = /config/log/nginx/error.log - [nginx-badbots] - enabled = true port = http,https filter = nginx-badbots logpath = /config/log/nginx/access.log maxretry = 2 - [nginx-botsearch] - enabled = true port = http,https filter = nginx-botsearch logpath = /config/log/nginx/access.log [nginx-deny] - enabled = true port = http,https filter = nginx-deny logpath = /config/log/nginx/error.log + +[nginx-unauthorized] +enabled = true +port = http,https +filter = nginx-unauthorized +logpath = /config/log/nginx/unauthorized.log diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index ae21a63..c6a7504 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -1,4 +1,4 @@ -## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf +## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf user abc; 
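Review bot: The new `ignoreip` exempts every RFC 1918 range from all jails, and `172.16.0.0/12` includes the default Docker bridge networks. If nginx ever logs the bridge gateway or an upstream proxy as the client address, no jail in this file will ban anything and nothing will report it. The comment should state that assumption, e.g. `# Prevents banning LAN subnets; requires nginx to log the real client IP, not a proxy or Docker gateway address`. The list is IPv4 only, so if the LAN exemption is also wanted for IPv6, a range such as `fc00::/7` would need adding.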
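Review bot: The `[nginx-unauthorized]` jail sets no `maxretry` or `findtime` of its own, so it presumably inherits the `maxretry = 5` visible in the hunk header. A 401 is also the normal first response when a browser is prompted for HTTP basic credentials, and some API clients probe unauthenticated before sending a token, so ordinary users can accumulate hits. Explicit values in the jail, with a comment explaining the choice, would make that trade-off visible, e.g. `maxretry = 10` and `findtime = 600` (illustrative numbers, to be tuned). The other changes in this hunk look like blank-line removals only.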
@@ -55,6 +55,13 @@ http { '' close; } + # Saves unauthorized log messages to a separate log file + map $status $unauthorized { + default 0; + ~^401 1; + } + access_log /config/log/nginx/unauthorized.log combined if=$unauthorized; + # Sets the path, format, and configuration for a buffered log write. access_log /config/log/nginx/access.log; diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index 5d6e87b..69f6610 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -369,6 +369,8 @@ fi touch /config/log/nginx/error.log [[ ! -f /config/log/nginx/access.log ]] && \ touch /config/log/nginx/access.log +[[ ! -f /config/log/nginx/unauthorized.log ]] && \ + touch /config/log/nginx/unauthorized.log # permissions chown -R abc:abc \
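Review bot: The `access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;` line sits at `http` level, and nginx drops inherited `access_log` directives in any `server` or `location` that declares its own. 401s from such blocks would therefore never reach the file the new jail reads. The comment could say so, e.g. `# Inherited only by server/location blocks that define no access_log of their own`. This commit does not visibly add the new file to log rotation, so confirm the existing logrotate rule matches it. The status map can use an exact match, `401 1;`, instead of the regex `~^401`; the `http` block starts and ends outside the hunk.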