From 77057284d30e14f01b3895d90fbc7828a1a70010 Mon Sep 17 00:00:00 2001 From: LePresidente Date: Wed, 26 Apr 2023 13:04:02 +0200 Subject: [PATCH 1/8] Added crowdsec to Nginx-Proxy-Manager --- .../dependencies.d/prepare | 0 .../s6-rc.d/cs-crowdsec-bouncer/script.sh | 33 +++++++++++++ .../s6-rc.d/cs-crowdsec-bouncer/type | 1 + .../s6-overlay/s6-rc.d/cs-crowdsec-bouncer/up | 2 + .../nginx/dependencies.d/cs-crowdsec-bouncer | 0 docker/rootfs/etc/services.d/nginx/run | 49 +++++++++++++++++++ 6 files changed, 85 insertions(+) create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/dependencies.d/prepare create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/type create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/up create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/cs-crowdsec-bouncer create mode 100644 docker/rootfs/etc/services.d/nginx/run diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/dependencies.d/prepare b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/dependencies.d/prepare new file mode 100644 index 00000000..e69de29b diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh new file mode 100644 index 00000000..e31ea21e --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh 
@@ -0,0 +1,33 @@
+#!/command/with-contenv bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+mkdir -p /data/crowdsec/templates
+echo "Deploy Crowdsec Openresty Bouncer.."
+sed -i 's|/defaults/crowdsec|/data/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+
+if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+ echo "Patch crowdsec-openresty-bouncer.conf .."
+ sed "s/=.*//g" /data/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
+ sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
+ if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
+ grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
+ cp /data/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf.bak
+ grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /data/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+else
+ echo "Deploy new crowdsec-openresty-bouncer.conf .."
+ cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
+fi
+#Make sure the config location is where we get the config from instead of /default/
+sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
+echo "Deploy Crowdsec Templates .."
+#Make sure we only copy files that don't exist in /data/crowdsec.
+cd /defaults/crowdsec/templates/
+for file in *.html
+do
+ if [ ! -e "/data/crowdsec/templates/${file}" ]
+ then
+ cp -r "/defaults/crowdsec/templates/${file}" "/data/crowdsec/templates/"
+ fi
+done
\ No newline at end of file
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/type
new file mode 100644
index 00000000..bdd22a18
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/type
@@ -0,0 +1 @@
+oneshot
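Review bot: The merge step in the `if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]` branch uses the key names stripped by `sed "s/=.*//g"` as unanchored regex patterns, so it mis-detects which keys are missing: if the user's existing conf contains a blank line, that line becomes an empty pattern in `/tmp/crowdsec.conf.raw`, an empty pattern matches everything, and `grep -vf` then drops every line so new defaults are never appended; conversely an existing `API_KEY` would suppress a new `API_KEY_...` key because substring matching counts it as present. Extract only real keys with `sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'` in both `sed` lines, compare with `grep -vxFf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw`, and anchor the final copy with `sed 's/.*/^&=/' /tmp/config.newvals | grep -f - /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> ...`. The fixed names under `/tmp` are also reused across container starts; `mktemp` would avoid picking up stale content. Separately, `for file in *.html` iterates the literal pattern when the directory holds no `.html` file, and the resulting `cp` failure aborts this `set -e` oneshot — add `shopt -s nullglob` before the loop or `[ -e "$file" ] || continue` as its first statement.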
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/up b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/up
new file mode 100644
index 00000000..f11a5a44
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/up
@@ -0,0 +1,2 @@
+# shellcheck shell=bash
+/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/cs-crowdsec-bouncer b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/cs-crowdsec-bouncer
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/rootfs/etc/services.d/nginx/run b/docker/rootfs/etc/services.d/nginx/run
new file mode 100644
index 00000000..47ea60f9
--- /dev/null
+++ b/docker/rootfs/etc/services.d/nginx/run
@@ -0,0 +1,49 @@
+#!/usr/bin/with-contenv bash
+
+# Create required folders
+mkdir -p /tmp/nginx/body \
+ /run/nginx \
+ /var/log/nginx \
+ /data/nginx \
+ /data/custom_ssl \
+ /data/logs \
+ /data/access \
+ /data/nginx/default_host \
+ /data/nginx/default_www \
+ /data/nginx/proxy_host \
+ /data/nginx/redirection_host \
+ /data/nginx/stream \
+ /data/nginx/dead_host \
+ /data/nginx/temp \
+ /var/lib/nginx/cache/public \
+ /var/lib/nginx/cache/private \
+ /var/cache/nginx/proxy_temp
+
+touch /var/log/nginx/error.log && chmod 777 /var/log/nginx/error.log && chmod -R 777 /var/cache/nginx
+chown root /tmp/nginx
+
+# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
+# thanks @tfmm
+echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+
+# Generate dummy self-signed certificate.
+if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]
+then
+ echo "Generating dummy SSL certificate..."
+ openssl req \
+ -new \
+ -newkey rsa:2048 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj '/O=localhost/OU=localhost/CN=localhost' \
+ -keyout /data/nginx/dummykey.pem \
+ -out /data/nginx/dummycert.pem
+ echo "Complete"
+fi
+
+# Handle IPV6 settings
+/bin/handle-ipv6-setting /etc/nginx/conf.d
+/bin/handle-ipv6-setting /data/nginx
+
+exec nginx
From 6a035eaeab37bc183ad97102ae543120ce388a80 Mon Sep 17 00:00:00 2001 From: LePresidente Date: Wed, 26 Apr 2023 13:08:27 +0200 Subject: [PATCH 2/8] Removed file not required. --- docker/rootfs/etc/services.d/nginx/run | 49 -------------------------- 1 file changed, 49 deletions(-) delete mode 100644 docker/rootfs/etc/services.d/nginx/run
diff --git a/docker/rootfs/etc/services.d/nginx/run b/docker/rootfs/etc/services.d/nginx/run
deleted file mode 100644
index 47ea60f9..00000000
--- a/docker/rootfs/etc/services.d/nginx/run
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Create required folders
-mkdir -p /tmp/nginx/body \
- /run/nginx \
- /var/log/nginx \
- /data/nginx \
- /data/custom_ssl \
- /data/logs \
- /data/access \
- /data/nginx/default_host \
- /data/nginx/default_www \
- /data/nginx/proxy_host \
- /data/nginx/redirection_host \
- /data/nginx/stream \
- /data/nginx/dead_host \
- /data/nginx/temp \
- /var/lib/nginx/cache/public \
- /var/lib/nginx/cache/private \
- /var/cache/nginx/proxy_temp
-
-touch /var/log/nginx/error.log && chmod 777 /var/log/nginx/error.log && chmod -R 777 /var/cache/nginx
-chown root /tmp/nginx
-
-# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
-# thanks @tfmm
-echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
-
-# Generate dummy self-signed certificate.
-if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]
-then
- echo "Generating dummy SSL certificate..."
- openssl req \
- -new \
- -newkey rsa:2048 \
- -days 3650 \
- -nodes \
- -x509 \
- -subj '/O=localhost/OU=localhost/CN=localhost' \
- -keyout /data/nginx/dummykey.pem \
- -out /data/nginx/dummycert.pem
- echo "Complete"
-fi
-
-# Handle IPV6 settings
-/bin/handle-ipv6-setting /etc/nginx/conf.d
-/bin/handle-ipv6-setting /data/nginx
-
-exec nginx
From 4245e6231ce0b3ddc48cd6d79d860b95ce92085f Mon Sep 17 00:00:00 2001 From: lepresidente Date: Sun, 30 Apr 2023 17:16:12 +0200 Subject: [PATCH 3/8] made script executable. --- .../rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
old mode 100644
new mode 100755
From cd882b07d0cce2a7aa47762d827b572029d87707 Mon Sep 17 00:00:00 2001 From: lepresidente Date: Wed, 17 May 2023 10:17:26 +0200 Subject: [PATCH 4/8] Changed permissions on script.sh --- .../rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh old mode 100755 new mode 100644 From 58ae5a1559607e39be595d93a92f8a422dcb6b7c Mon Sep 17 00:00:00 2001 From: LePresidente Date: Sat, 27 Jan 2024 08:05:33 +0200 Subject: [PATCH 5/8] Make sure script.sh is set to be executable. --- .../rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh old mode 100644 new mode 100755 From c56e64bce2a82b28cdd9efc299ef8d14e1e7b6a6 Mon Sep 17 00:00:00 2001 From: LePresidente Date: Thu, 29 Feb 2024 18:10:02 +0200 Subject: [PATCH 6/8] added support to use environment variables instead of set file in data drive. --- .../s6-rc.d/cs-crowdsec-bouncer/script.sh | 50 +++++++++++++------ 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh index e31ea21e..2f610613 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh 
@@ -2,25 +2,43 @@
 set -e # Exit immediately if a command exits with a non-zero status.
-mkdir -p /data/crowdsec/templates
-echo "Deploy Crowdsec Openresty Bouncer.."
-sed -i 's|/defaults/crowdsec|/data/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+function set_properties() {
+ sed -i "s/^$1=.*/$1=$2/" "${3}"
+}
-if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
- echo "Patch crowdsec-openresty-bouncer.conf .."
- sed "s/=.*//g" /data/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
- sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
- if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
- grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
- cp /data/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf.bak
- grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /data/crowdsec/crowdsec-openresty-bouncer.conf
- fi
+echo "Deploy Crowdsec Openresty Bouncer.."
+if [ -n "${CROWDSEC_OPENRESTY_BOUNCER}" ]; then
+ while IFS= read -r line
+ do
+ if ! [[ "$line" != "^#" ]] || [[ "$line" != "^\n" ]]; then
+ name=$(echo "$line" | cut -d "=" -f1)
+ value=$(echo "$line" | cut -d "=" -f2)
+ if grep -q "${name}" /defaults/crowdsec/crowdsec-openresty-bouncer.conf ; then
+ set_properties "${name}" "${value}" "/defaults/crowdsec/crowdsec-openresty-bouncer.conf"
+ fi
+ fi
+ done <<< "${CROWDSEC_OPENRESTY_BOUNCER}"
 else
- echo "Deploy new crowdsec-openresty-bouncer.conf .."
- cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
+ mkdir -p /data/crowdsec/templates
+ sed -i 's|/defaults/crowdsec|/data/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+
+ if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+ echo "Patch crowdsec-openresty-bouncer.conf .."
+ sed "s/=.*//g" /data/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
+ sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
+ if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
+ grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
+ cp /data/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf.bak
+ grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /data/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+ else
+ echo "Deploy new crowdsec-openresty-bouncer.conf .."
+ cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+ #Make sure the config location is where we get the config from instead of /default/
+ sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
 fi
-#Make sure the config location is where we get the config from instead of /default/
-sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
+
 echo "Deploy Crowdsec Templates .."
 #Make sure we only copy files that don't exist in /data/crowdsec.
 cd /defaults/crowdsec/templates/
From 3a22a0c09cdf6cbc92a7183c8277f175fee2f6eb Mon Sep 17 00:00:00 2001 From: LePresidente Date: Thu, 9 May 2024 19:09:49 +0200 Subject: [PATCH 7/8] Fix environment variable for setting crowdsec bouncer, was broken due to slashes in path. --- .../rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
index 2f610613..da5e9000 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
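Review bot: The comment/blank-line filter in the new `CROWDSEC_OPENRESTY_BOUNCER` branch does not filter anything: `[[ "$line" != "^#" ]]` is a plain string comparison against the two-character literal `^#` (no regex), so `! [[ ... ]]` is true only when a line is exactly `^#`, and `[[ "$line" != "^\n" ]]` is true for every real line — every line, comments and empty ones included, reaches `cut`. An empty line yields an empty `name`, `grep -q ""` matches, and `set_properties "" ""` runs `sed -i "s/^=.*/=/"` over the defaults file, harmless only by luck; `cut -d "=" -f2` also truncates any value containing a second `=` (base64 padding in a key, a URL with a query string). Replace the test and the two `cut` calls with `[[ "$line" =~ ^[[:space:]]*(#|$) ]] && continue`, `name=${line%%=*}` and `value=${line#*=}`. The presence check should be anchored as well, `grep -q "^${name}=" ...`, since the unanchored form matches a key mentioned inside a comment; the unescaped interpolation of `name` and `value` into the `sed` expression in `set_properties` is a separate issue that PATCH 7/8 only partly addresses.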
@@ -3,7 +3,7 @@
 set -e # Exit immediately if a command exits with a non-zero status.
 function set_properties() {
- sed -i "s/^$1=.*/$1=$2/" "${3}"
+ sed -i "s,^$1=.*,$1=$2,g" "${3}"
 }
 echo "Deploy Crowdsec Openresty Bouncer.."
From e1698a903cca00d1bdc786d0af27987c4db7e7b4 Mon Sep 17 00:00:00 2001 From: LePresidente Date: Fri, 10 May 2024 09:07:52 +0200 Subject: [PATCH 8/8] Don't try copy templates if we are using environment variables for the configuration. --- .../s6-rc.d/cs-crowdsec-bouncer/script.sh | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
index da5e9000..06563810 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/cs-crowdsec-bouncer/script.sh
@@ -39,13 +39,16 @@ else
 sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
 fi
-echo "Deploy Crowdsec Templates .."
+
 #Make sure we only copy files that don't exist in /data/crowdsec.
-cd /defaults/crowdsec/templates/
-for file in *.html
-do
- if [ ! -e "/data/crowdsec/templates/${file}" ]
- then
- cp -r "/defaults/crowdsec/templates/${file}" "/data/crowdsec/templates/"
- fi
-done
\ No newline at end of file
+if [ -d "/data/crowdsec/templates" ]; then
+ echo "Deploy Crowdsec Templates .."
+ cd /defaults/crowdsec/templates/
+ for file in *.html
+ do
+ if [ ! -e "/data/crowdsec/templates/${file}" ]
+ then
+ cp -r "/defaults/crowdsec/templates/${file}" "/data/crowdsec/templates/"
+ fi
+ done
+fi
\ No newline at end of file
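Review bot: Switching the `sed` delimiter from `/` to `,` in `set_properties` only moves the problem: `$2` is still spliced unescaped into the replacement, so a value containing `,`, `&` or `\` (or a `$1` with regex metacharacters) corrupts the substitution or terminates it early and lets the remainder be parsed as sed syntax, leaving a silently broken `crowdsec-openresty-bouncer.conf`. The value comes from the operator-supplied `CROWDSEC_OPENRESTY_BOUNCER` environment variable rather than from a request, so in the usual deployment this is a robustness issue rather than an attacker-reachable one, but a comma or ampersand in a setting is plausible enough to guard against. Escape before substituting: `local v; v=$(printf '%s' "$2" | sed 's/[\\&,]/\\&/g')` followed by `sed -i "s,^$1=.*,$1=${v}," "${3}"` (the `g` flag is redundant with the `^` anchor).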
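Review bot: Gating the template copy on `[ -d "/data/crowdsec/templates" ]` does what the subject says, but the loop it wraps still runs under `set -e` with a bare `for file in *.html`: if `/defaults/crowdsec/templates/` holds no `.html` file the literal `*.html` is iterated, the `-e` test fails, `cp` fails and the oneshot exits non-zero — and because PATCH 1/8 adds `nginx/dependencies.d/cs-crowdsec-bouncer`, a failed oneshot would likely keep the nginx service from starting. The image presumably ships templates so this is an edge case, but it costs one line: `shopt -s nullglob` before the loop, or `[ -e "$file" ] || continue` as its first statement. The `#Make sure we only copy files that don't exist in /data/crowdsec.` comment now sits outside the `if` it describes; move it inside, next to the `for`.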