init

Signed-off-by: Zoey <zoey@z0ey.de>
2025-08-03 07:53:39 +00:00 · 2022-12-16 09:05:58 +01:00
parent fd30cfe98b
commit 19a304d9ce
169 changed files with 2074 additions and 27536 deletions
--- a/rootfs/usr/local/bin/check-health
+++ b/rootfs/usr/local/bin/check-health
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+OK=$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')
+
+if [ "$OK" == "OK" ]; then
+	echo "OK"
+	exit 0
+else
+	echo "NOT OK"
+	exit 1
+fi
--- a/rootfs/usr/local/bin/start
+++ b/rootfs/usr/local/bin/start
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+if [ -f /data/nginx/default_host/site.conf ]; then
+mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1
+fi
+
+mkdir -p /tmp/letsencrypt-acme-challenge \
+         /data/letsencrypt \
+         /data/custom_ssl \
+         /data/access \
+         /data/nginx/redirection_host \
+         /data/nginx/proxy_host \
+         /data/nginx/dead_host \
+         /data/nginx/stream \
+         /data/nginx/custom || exit 1
+
+rm -rf /data/letsencrypt-acme-challenge \
+       /data/nginx/default_host \
+       /data/nginx/default_www \
+       /data/nginx/streams \
+       /data/nginx/temp \
+       /data/logs \
+       /data/error.log \
+       /data/nginx/error.log || exit 1
+
+if [ -e /etc/letsencrypt/live ]; then
+mv /etc/letsencrypt/* /data/letsencrypt || exit 1
+fi
+
+find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/letsencrypt|g" {} \; || exit 1
+find /data/letsencrypt -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/letsencrypt|g" {} \; || exit 1
+
+find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || exit 1
+find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || exit 1
+
+find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || exit 1
+find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || exit 1
+
+touch /data/nginx/custom/root.conf \
+      /data/nginx/custom/events.conf \
+      /data/nginx/custom/http.conf \
+      /data/nginx/custom/http_top.conf \
+      /data/nginx/custom/server_proxy.conf \
+      /data/nginx/custom/server_redirect.conf \
+      /data/nginx/custom/stream.conf \
+      /data/nginx/custom/server_stream.conf \
+      /data/nginx/custom/server_stream_tcp.conf \
+      /data/nginx/custom/server_stream_udp.conf \
+      /usr/local/nginx/conf/conf.d/include/ip_ranges.conf || exit 1
+
+if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then
+openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1
+fi
+
+if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
+sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/production.conf || exit 1
+sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/production.conf || exit 1
+fi
+
+if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
+sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || exit 1
+fi
+
+if ! nginx -t 2> /dev/null; then
+nginx -T || exit 1
+sleep inf || exit 1
+fi
+
+while nginx -t 2> /dev/null; do
+nginx || exit 1 &
+node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
+wait
+done
+
+if ! nginx -t 2> /dev/null; then
+nginx -T || exit 1
+sleep inf || exit 1
+fi
--- a/rootfs/usr/local/nginx/conf/conf.d/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/default.conf
@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name nginxproxymanager-default;
+    
+    include conf.d/include/force-ssl.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+    listen 443 ssl http2;
+    listen 443 http3;
+    listen [::]:443 ssl http2;
+    listen [::]:443 http3;
+
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    server_name nginxproxymanager-default;
+    
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+
+    location / {
+        include conf.d/include/letsencrypt-acme-challenge.conf;
+        root /var/www/html;
+    }
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
@@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/force-ssl.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/force-ssl.conf
@@ -0,0 +1,3 @@
+if ($scheme = "http") {
+    return 301 https://$host$request_uri;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/letsencrypt-acme-challenge.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/letsencrypt-acme-challenge.conf
@@ -0,0 +1,18 @@
+location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
+    auth_request off;
+    allow all;
+    root /tmp/letsencrypt-acme-challenge;
+}
+
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+
+location = /nftd {
+    return 301 /nftd/;
+}
+
+location ^~ /nftd/ {
+    alias /nftd/;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -0,0 +1,11 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host:$server_port;
+
+proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_pass $forward_scheme://$server:$port$request_uri;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf
@@ -0,0 +1,9 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_dhparam /etc/ssl/dhparam;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
--- a/rootfs/usr/local/nginx/conf/conf.d/production.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/production.conf
@@ -0,0 +1,45 @@
+# Admin Interface
+server {
+    listen 81 ssl http2 default_server;
+    listen 81 http3 default_server;
+    listen [::]:81 ssl http2 default_server;
+    listen [::]:81 http3 default_server;
+
+    server_name nginxproxymanager;
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    location /api {
+        return 301 /api/;
+    }
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:48693/;
+        
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header Host $host:$server_port;
+        
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 15m;
+        proxy_send_timeout 15m;
+    }
+
+    location / {
+        root /app/frontend;
+        if ($request_uri ~ ^/(.*)\.html$) {
+            return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ /index.html;
+    }
+}
--- a/rootfs/usr/local/nginx/conf/letsencrypt.ini
+++ b/rootfs/usr/local/nginx/conf/letsencrypt.ini
@@ -0,0 +1,7 @@
+text = True
+non-interactive = True
+webroot-path = /tmp/letsencrypt-acme-challenge
+rsa-key-size = 4096
+key-type = ecdsa
+elliptic-curve = secp384r1
+preferred-chain = ISRG Root X1
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -0,0 +1,102 @@
+user root;
+daemon off;
+pcre_jit on;
+worker_processes auto;
+error_log stderr;
+
+# Custom
+include /data/nginx/custom/root.conf;
+
+events {
+    use epoll;
+
+    # Custom
+    include /data/nginx/custom/events.conf;
+}
+
+http {
+    log_not_found off;
+    access_log /dev/null;
+    
+    include mime.types;
+    default_type text/plain;
+    
+    server_tokens build;
+    aio threads;
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    client_max_body_size 0;
+
+    gzip on;
+    gunzip on;
+    gzip_vary on;
+    gzip_types *;
+    gzip_proxied any;
+    gzip_comp_level 9;
+
+    resolver localhost;
+    index index.html Index.html;
+    
+    error_page 404 =307 $scheme://$host:$server_port;
+    error_page 497 =301 https://$host:$server_port$request_uri;
+
+    # Default upstream scheme
+    map $host $forward_scheme {
+        default http;
+    }
+
+    # Websocket
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Fancy Index
+    fancyindex on;
+    fancyindex_localtime on;
+    fancyindex_show_path on;
+    fancyindex_exact_size off;
+    fancyindex_default_sort name;
+    fancyindex_show_dotfiles off;
+    fancyindex_hide_symlinks off;
+    fancyindex_hide_parent_dir off;
+    fancyindex_directories_first on;
+    fancyindex_time_format "%d-%m-%Y %T";
+    fancyindex_ignore "nft";
+    fancyindex_header "/nftd/header.html";
+    fancyindex_footer "/nftd/footer.html";
+
+    # Real IP Determination
+    real_ip_recursive on;
+    set_real_ip_from 10.0.0.0/8;
+    set_real_ip_from 172.16.0.0/12;
+    set_real_ip_from 192.168.0.0/16;
+    set_real_ip_from 169.254.0.0/16;
+    set_real_ip_from fc00::/7;
+    set_real_ip_from fec0::/10;
+
+    include conf.d/include/ip_ranges.conf;
+    
+    include /data/nginx/default.conf;
+    include conf.d/*.conf;
+
+    # Custom
+    include /data/nginx/custom/http_top.conf;
+
+    # Files generated by NPM
+    include /data/nginx/proxy_host/*.conf;
+    include /data/nginx/redirection_host/*.conf;
+    include /data/nginx/dead_host/*.conf;
+
+    # Custom
+    include /data/nginx/custom/http.conf;
+}
+
+stream {
+    # Files generated by NPM
+    include /data/nginx/stream/*.conf;
+
+    # Custom
+    include /data/nginx/custom/stream.conf;
+}