mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2025-08-03 07:53:39 +00:00
Zoey
8
rootfs/usr/local/bin/aio.sh
Executable file
8
rootfs/usr/local/bin/aio.sh
Executable file
@@ -0,0 +1,8 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then
|
||||
while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
|
||||
curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.com","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
|
||||
touch /data/etc/aio.lock
|
||||
echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
|
||||
fi
|
||||
90
rootfs/usr/local/bin/certbot-cleaner.sh
Executable file
90
rootfs/usr/local/bin/certbot-cleaner.sh
Executable file
@@ -0,0 +1,90 @@
|
||||
#!/bin/sh
|
||||
|
||||
# based on https://github.com/jlesage/docker-nginx-proxy-manager/blob/796734a/rootfs/opt/nginx-proxy-manager/bin/lecleaner
|
||||
|
||||
BASE="/data/tls/certbot"
|
||||
live_dir="$BASE/live"
|
||||
archive_dir="$BASE/archive"
|
||||
csr_dir="$BASE/csr"
|
||||
key_dir="$BASE/keys"
|
||||
|
||||
# Set of certificate paths actively used.
|
||||
in_use=""
|
||||
|
||||
keep_count=0
|
||||
delete_count=0
|
||||
error_count=0
|
||||
|
||||
remove_file() {
|
||||
f="$1"
|
||||
if rm -f "$f"; then
|
||||
return 0
|
||||
else
|
||||
echo "ERROR: Could not remove $f." >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Build the set of certificates in use.
|
||||
for domain_dir in "$live_dir"/*; do
|
||||
[ -e "$domain_dir" ] || continue
|
||||
if [ ! -d "$domain_dir" ]; then
|
||||
continue
|
||||
fi
|
||||
for certlink in "$domain_dir"/*; do
|
||||
[ -e "$certlink" ] || continue
|
||||
if [ ! -L "$certlink" ]; then
|
||||
continue
|
||||
fi
|
||||
target=$(readlink -f "$certlink")
|
||||
in_use="$in_use $target"
|
||||
done
|
||||
done
|
||||
|
||||
echo "----------------------------------------------------------"
|
||||
echo "Let's Encrypt certificates cleanup - $(date +"%Y/%m/%d %H:%M:%S")"
|
||||
echo "----------------------------------------------------------"
|
||||
|
||||
# Remove all unused certificates from the archive directory.
|
||||
for domain_dir in "$archive_dir"/*; do
|
||||
[ -e "$domain_dir" ] || continue
|
||||
if [ ! -d "$domain_dir" ]; then
|
||||
continue
|
||||
fi
|
||||
for certfile in "$domain_dir"/*; do
|
||||
[ -e "$certlink" ] || continue
|
||||
if echo "$in_use" | grep -q "$certfile"; then
|
||||
echo "Keeping $certfile."
|
||||
keep_count=$((keep_count+1))
|
||||
else
|
||||
echo "Deleting $certfile."
|
||||
if remove_file "$certfile"; then
|
||||
delete_count=$((delete_count+1))
|
||||
else
|
||||
error_count=$((error_count+1))
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Remove all files from the csr and key directories.
|
||||
for dir in "$csr_dir" "$key_dir"; do
|
||||
for file in "$dir"/*; do
|
||||
[ -e "$file" ] || continue
|
||||
if [ ! -f "$file" ]; then
|
||||
continue
|
||||
fi
|
||||
echo "Deleting $file."
|
||||
if remove_file "$file"; then
|
||||
delete_count=$((delete_count+1))
|
||||
else
|
||||
error_count=$((error_count+1))
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
echo "$keep_count file(s) kept."
|
||||
echo "$delete_count file(s) deleted."
|
||||
if [ "$error_count" -gt 0 ]; then
|
||||
echo "$error_count file(s) failed to be deleted."
|
||||
fi
|
||||
25
rootfs/usr/local/bin/healthcheck.sh
Executable file
25
rootfs/usr/local/bin/healthcheck.sh
Executable file
@@ -0,0 +1,25 @@
|
||||
#!/bin/sh
|
||||
|
||||
export HC_IP="localhost"
|
||||
|
||||
if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
|
||||
export NPM_IPV4_BINDING="127.0.0.1"
|
||||
export NPM_IPV6_BINDING="[::1]"
|
||||
fi
|
||||
|
||||
if [ "$NPM_IPV6_BINDING" != "[::]" ] && [ "$NPM_IPV4_BINDING" != "0.0.0.0" ]; then
|
||||
if [ "$NPM_IPV6_BINDING" != "[::]" ] && [ "$DISABLE_IPV6" = "false" ]; then
|
||||
export HC_IP="$NPM_IPV6_BINDING"
|
||||
fi
|
||||
if [ "$NPM_IPV4_BINDING" != "0.0.0.0" ]; then
|
||||
export HC_IP="$NPM_IPV4_BINDING"
|
||||
fi
|
||||
fi
|
||||
|
||||
if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then
|
||||
echo "OK"
|
||||
exit 0
|
||||
else
|
||||
echo "NOT OK"
|
||||
exit 1
|
||||
fi
|
||||
50
rootfs/usr/local/bin/launch.sh
Executable file
50
rootfs/usr/local/bin/launch.sh
Executable file
@@ -0,0 +1,50 @@
|
||||
#!/bin/sh
|
||||
|
||||
echo "
|
||||
-------------------------------------
|
||||
_ _ ___ __ __ _
|
||||
| \ || . \| \ \ ___ | | _ _ ___
|
||||
| || _/| || . \| || | |[_-[
|
||||
|_\_||_| |_|_|_|| _/|_| \__|/__/
|
||||
|_|
|
||||
-------------------------------------
|
||||
Version: $(jq -r .version /app/package.json)
|
||||
Date: $(date)
|
||||
User: $(whoami)
|
||||
PUID: $PUID
|
||||
User ID: $(id -u)
|
||||
PGID: $PGID
|
||||
Group ID: $(id -g)
|
||||
-------------------------------------
|
||||
"
|
||||
|
||||
if ! nginx -tq; then
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if [ "$PHP81" = "true" ]; then
|
||||
if ! PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; then
|
||||
PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt
|
||||
sleep inf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$PHP82" = "true" ]; then
|
||||
if ! PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; then
|
||||
PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt
|
||||
sleep inf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$PHP83" = "true" ]; then
|
||||
if ! PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FORt > /dev/null 2>&1; then
|
||||
PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FORt
|
||||
sleep inf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
|
||||
if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
|
||||
if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi &
|
||||
aio.sh &
|
||||
index.js
|
||||
734
rootfs/usr/local/bin/start.sh
Executable file
734
rootfs/usr/local/bin/start.sh
Executable file
@@ -0,0 +1,734 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "$(whoami)" != "root" ] || [ "$(id -u)" != "0" ] || [ "$(id -g)" != "0" ]; then
|
||||
echo '--------------------------------------'
|
||||
echo "This docker container must be run as root, do not specify a user."
|
||||
echo '--------------------------------------'
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if [ ! -d /data ]; then
|
||||
echo '--------------------------------------'
|
||||
echo "/data is not mounted! Check your docker configuration."
|
||||
echo '--------------------------------------'
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
|
||||
touch /data/.env
|
||||
. /data/.env
|
||||
|
||||
|
||||
if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then
|
||||
echo "TZ is unset or invalid."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$PUID" | grep -q "^[0-9]\+$"; then
|
||||
echo "PUID needs to be a number."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$PGID" | grep -q "^[0-9]\+$"; then
|
||||
echo "PGID needs to be a number."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then
|
||||
echo "NIBEP needs to be a number."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then
|
||||
echo "NPM_PORT needs to be a number."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
|
||||
echo "IPV4_BINDING needs to be a IPv4-Address."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
|
||||
echo "NPM_IPV4_BINDING needs to be a IPv4-Address."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
|
||||
echo "IPV6_BINDING needs to be a IPv6-Address inside []."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
|
||||
echo "NPM_IPV6_BINDING needs to be a IPv6-Address inside []."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then
|
||||
echo "DISABLE_IPV6 needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
|
||||
echo "NPM_DISABLE_IPV6 needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
|
||||
echo "NPM_LISTEN_LOCALHOST needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
|
||||
echo "NPM_CERT_ID needs to be a number."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$DISABLE_HTTP" | grep -q "^true$\|^false$"; then
|
||||
echo "DISABLE_HTTP needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$NGINX_LOG_NOT_FOUND" | grep -q "^true$\|^false$"; then
|
||||
echo "NGINX_LOG_NOT_FOUND needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$CLEAN" | grep -q "^true$\|^false$"; then
|
||||
echo "CLEAN needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then
|
||||
echo "FULLCLEAN needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$PHP81" | grep -q "^true$\|^false$"; then
|
||||
echo "PHP81 needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if [ -n "$PHP81_APKS" ] && ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
|
||||
echo "PHP81_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if ! echo "$PHP82" | grep -q "^true$\|^false$"; then
|
||||
echo "PHP82 needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if [ -n "$PHP82_APKS" ] && ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
|
||||
echo "PHP82_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
|
||||
if [ -n "$NC_AIO" ] && ! echo "$NC_AIO" | grep -q "^true$\|^false$"; then
|
||||
echo "NC_AIO needs to be true or false."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
if [ -n "$NC_AIO" ] && ! echo "$NC_DOMAIN" | grep -q "^[a-z0-9.]\+$"; then
|
||||
echo "NC_DOMAIN can consist of lower letters a-z, numbers 0-9 and dots and is required in AIO mode."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
|
||||
if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
|
||||
echo "You've set PGID but not PUID. Running resetting PGID to 0."
|
||||
export PGID="0"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$NC_AIO" = "true" ]; then
|
||||
export DISABLE_HTTP="true"
|
||||
fi
|
||||
|
||||
if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
|
||||
export NPM_IPV4_BINDING="127.0.0.1"
|
||||
export NPM_IPV6_BINDING="[::1]"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$PHP81" = "true" ]; then
|
||||
|
||||
apk add --no-cache php81-fpm
|
||||
|
||||
# From https://github.com/nextcloud/all-in-one/pull/1377/files
|
||||
if [ -n "$PHP81_APKS" ]; then
|
||||
for apk in $(echo "$PHP81_APKS" | tr " " "\n"); do
|
||||
|
||||
if ! echo "$apk" | grep -q "^php81-.*$"; then
|
||||
echo "$apk is a non allowed value."
|
||||
echo "It needs to start with \"php81-\"."
|
||||
echo "It is set to \"$apk\"."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
echo "Installing $apk via apk..."
|
||||
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
|
||||
echo "The apk \"$apk\" was not installed!"
|
||||
fi
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
mkdir -vp /data/php
|
||||
cp -vrnT /etc/php81 /data/php/81
|
||||
sed -i "s|listen =.*|listen = /run/php81.sock|" /data/php/81/php-fpm.d/www.conf
|
||||
sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf
|
||||
|
||||
elif [ "$FULLCLEAN" = "true" ]; then
|
||||
rm -vrf /data/php/81
|
||||
fi
|
||||
|
||||
if [ "$PHP82" = "true" ]; then
|
||||
|
||||
apk add --no-cache php82-fpm
|
||||
|
||||
# From https://github.com/nextcloud/all-in-one/pull/1377/files
|
||||
if [ -n "$PHP82_APKS" ]; then
|
||||
for apk in $(echo "$PHP82_APKS" | tr " " "\n"); do
|
||||
|
||||
if ! echo "$apk" | grep -q "^php82-.*$"; then
|
||||
echo "$apk is a non allowed value."
|
||||
echo "It needs to start with \"php82-\"."
|
||||
echo "It is set to \"$apk\"."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
echo "Installing $apk via apk..."
|
||||
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
|
||||
echo "The apk \"$apk\" was not installed!"
|
||||
fi
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
mkdir -vp /data/php
|
||||
cp -vrnT /etc/php82 /data/php/82
|
||||
sed -i "s|listen =.*|listen = /run/php82.sock|" /data/php/82/php-fpm.d/www.conf
|
||||
sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf
|
||||
|
||||
elif [ "$FULLCLEAN" = "true" ]; then
|
||||
rm -vrf /data/php/82
|
||||
fi
|
||||
|
||||
if [ "$PHP83" = "true" ]; then
|
||||
|
||||
apk add --no-cache php83-fpm
|
||||
|
||||
# From https://github.com/nextcloud/all-in-one/pull/1377/files
|
||||
if [ -n "$PHP83_APKS" ]; then
|
||||
for apk in $(echo "$PHP83_APKS" | tr " " "\n"); do
|
||||
|
||||
if ! echo "$apk" | grep -q "^php83-.*$"; then
|
||||
echo "$apk is a non allowed value."
|
||||
echo "It needs to start with \"php83-\"."
|
||||
echo "It is set to \"$apk\"."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
echo "Installing $apk via apk..."
|
||||
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
|
||||
echo "The apk \"$apk\" was not installed!"
|
||||
fi
|
||||
|
||||
done
|
||||
fi
|
||||
|
||||
mkdir -vp /data/php
|
||||
cp -vrnT /etc/php83 /data/php/83
|
||||
sed -i "s|listen =.*|listen = /run/php83.sock|" /data/php/83/php-fpm.d/www.conf
|
||||
sed -i "s|include=.*|include=/data/php/83/php-fpm.d/*.conf|g" /data/php/83/php-fpm.conf
|
||||
|
||||
elif [ "$FULLCLEAN" = "true" ]; then
|
||||
rm -vrf /data/php/83
|
||||
fi
|
||||
|
||||
if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then
|
||||
|
||||
apk add --no-cache fcgi
|
||||
|
||||
# From https://github.com/nextcloud/all-in-one/pull/1377/files
|
||||
if [ -n "$PHP_APKS" ]; then
|
||||
for apk in $(echo "$PHP_APKS" | tr " " "\n"); do
|
||||
|
||||
if ! echo "$apk" | grep -q "^php-.*$"; then
|
||||
echo "$apk is a non allowed value."
|
||||
echo "It needs to start with \"php-\"."
|
||||
echo "It is set to \"$apk\"."
|
||||
sleep inf
|
||||
fi
|
||||
|
||||
echo "Installing $apk via apk..."
|
||||
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
|
||||
echo "The apk \"$apk\" was not installed!"
|
||||
fi
|
||||
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
mkdir -p /tmp/acme-challenge \
|
||||
/tmp/certbot-work \
|
||||
/tmp/certbot-log \
|
||||
/tmp/npmhome
|
||||
|
||||
mkdir -vp /data/tls/certbot/credentials \
|
||||
/data/tls/certbot/renewal \
|
||||
/data/tls/custom \
|
||||
/data/etc/npm \
|
||||
/data/etc/html \
|
||||
/data/etc/access \
|
||||
/data/etc/crowdsec \
|
||||
/data/etc/modsecurity \
|
||||
/data/nginx/redirection_host \
|
||||
/data/nginx/proxy_host \
|
||||
/data/nginx/dead_host \
|
||||
/data/nginx/stream \
|
||||
/data/nginx/custom
|
||||
|
||||
if [ -s /data/database.sqlite ] && [ "$DB_SQLITE_FILE" != "/data/database.sqlite" ]; then
|
||||
mv -vn /data/database.sqlite "$DB_SQLITE_FILE"
|
||||
fi
|
||||
|
||||
if [ -s /data/keys.json ]; then
|
||||
mv -vn /data/keys.json /data/etc/npm/keys.json
|
||||
fi
|
||||
|
||||
if [ -s /data/nginx/default_host/site.conf ]; then
|
||||
mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf
|
||||
fi
|
||||
|
||||
if [ -s /data/nginx/default_www/index.html ]; then
|
||||
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html
|
||||
fi
|
||||
|
||||
if [ -s /data/nginx/dummycert.pem ]; then
|
||||
mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem
|
||||
fi
|
||||
|
||||
if [ -s /data/nginx/dummykey.pem ]; then
|
||||
mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/nginx/html 2> /dev/null)" ]; then
|
||||
mv -vn /data/nginx/html/* /data/etc/html
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then
|
||||
mv -vn /data/access/* /data/etc/access
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
|
||||
mv -vn /data/nginx/access/* /data/etc/access
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
|
||||
mv -v /etc/letsencrypt/* /data/tls/certbot
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
|
||||
mv -vn /data/letsencrypt/* /data/tls/certbot
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then
|
||||
mv -vn /data/custom_ssl/* /data/tls/custom
|
||||
fi
|
||||
|
||||
if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then
|
||||
mv -vn /data/ssl/* /data/tls
|
||||
fi
|
||||
|
||||
if [ "$CLEAN" = "true" ]; then
|
||||
rm -vrf /data/letsencrypt-acme-challenge \
|
||||
/data/nginx/dummycert.pem \
|
||||
/data/nginx/dummykey.pem \
|
||||
/data/nginx/default_host \
|
||||
/data/nginx/default_www \
|
||||
/data/nginx/streams \
|
||||
/data/nginx/access \
|
||||
/data/nginx/temp \
|
||||
/data/nginx/html \
|
||||
/data/index.html \
|
||||
/data/letsencrypt \
|
||||
/data/custom_ssl \
|
||||
/data/certbot \
|
||||
/data/access \
|
||||
/data/php/8 \
|
||||
/data/php/7 \
|
||||
/data/ssl \
|
||||
/data/logs \
|
||||
/data/error.log \
|
||||
/data/nginx/error.log
|
||||
certbot-cleaner.sh
|
||||
fi
|
||||
|
||||
if [ -s "$DB_SQLITE_FILE" ]; then
|
||||
sqlite-vaccum.js
|
||||
fi
|
||||
|
||||
if [ "$FULLCLEAN" = "true" ]; then
|
||||
if [ "$PHP81" != "true" ] && [ "$PHP82" != "true" ] && [ "$PHP83" != "true" ]; then
|
||||
rm -vrf /data/php
|
||||
fi
|
||||
fi
|
||||
|
||||
touch /data/etc/html/index.html \
|
||||
/data/nginx/ip_ranges.conf \
|
||||
/data/nginx/custom/root.conf \
|
||||
/data/nginx/custom/events.conf \
|
||||
/data/nginx/custom/http.conf \
|
||||
/data/nginx/custom/http_top.conf \
|
||||
/data/nginx/custom/server_dead.conf \
|
||||
/data/nginx/custom/server_proxy.conf \
|
||||
/data/nginx/custom/server_redirect.conf \
|
||||
/data/nginx/custom/stream.conf \
|
||||
/data/nginx/custom/stream_top.conf \
|
||||
/data/nginx/custom/server_stream.conf \
|
||||
/data/nginx/custom/server_stream_tcp.conf \
|
||||
/data/nginx/custom/server_stream_udp.conf \
|
||||
/data/etc/modsecurity/modsecurity-extra.conf
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s| http2||g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|quic reuseport;|quic;|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|security_headers on;|include conf.d/include/hsts.conf;|g" {} \;
|
||||
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|more_set_headers \"Alt-Svc: h3=':443'; ma=86400\";|more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';|g" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/access|/data/nginx/access|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/nginx/access|/data/etc/access|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/ssl|/data/tls|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \;
|
||||
|
||||
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \;
|
||||
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \;
|
||||
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/force-ssl.conf;|include conf.d/include/force-tls.conf;|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/http3/d" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/Asset Caching/d" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/assets.conf/d" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/error_log/d" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/access_log/d" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/proxy_http_version/d" {} \;
|
||||
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \;
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \;
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf.example
|
||||
|
||||
if [ -s /data/etc/modsecurity/modsecurity.conf ]; then
|
||||
mv -v /data/etc/modsecurity/modsecurity.conf /data/etc/modsecurity/modsecurity-extra.conf
|
||||
fi
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/crs-setup.conf ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
|
||||
|
||||
if [ "$NPM_CERT_ID" = "0" ]; then
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts."
|
||||
else
|
||||
if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
|
||||
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
|
||||
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist"
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "using dummycerts for npm and default hosts."
|
||||
else
|
||||
export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
|
||||
echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem"
|
||||
|
||||
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then
|
||||
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist"
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "using dummycerts for npm and default hosts."
|
||||
else
|
||||
export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
|
||||
echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem"
|
||||
|
||||
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then
|
||||
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
|
||||
else
|
||||
export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
|
||||
echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
|
||||
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
|
||||
echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist"
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "using dummycerts for npm and default hosts."
|
||||
else
|
||||
export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
|
||||
echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem"
|
||||
|
||||
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then
|
||||
echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist"
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "using dummycerts for npm and default hosts."
|
||||
else
|
||||
export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
|
||||
echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem"
|
||||
|
||||
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then
|
||||
echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
|
||||
else
|
||||
export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
|
||||
echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts."
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "something went wrong, using dummycerts for npm and default hosts."
|
||||
fi
|
||||
if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
echo "something went wrong, using dummycerts for npm and default hosts."
|
||||
fi
|
||||
|
||||
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
|
||||
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
|
||||
rm -vrf /data/tls/dummycert.pem \
|
||||
/data/tls/dummykey.pem
|
||||
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
|
||||
fi
|
||||
else
|
||||
rm -vrf /data/tls/dummycert.pem \
|
||||
/data/tls/dummykey.pem
|
||||
fi
|
||||
|
||||
if [ "$DISABLE_IPV6" = "true" ]; then
|
||||
sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf
|
||||
else
|
||||
sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf
|
||||
fi
|
||||
|
||||
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
|
||||
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
|
||||
|
||||
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
|
||||
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
|
||||
|
||||
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
|
||||
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
|
||||
|
||||
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
|
||||
|
||||
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf
|
||||
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi
|
||||
|
||||
sed -i "s|48693|$NIBEP|g" /app/index.js
|
||||
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
|
||||
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
|
||||
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
|
||||
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
|
||||
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
|
||||
|
||||
if [ "$DISABLE_IPV6" = "true" ]; then
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
|
||||
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
|
||||
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
|
||||
else
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
|
||||
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
|
||||
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
|
||||
fi
|
||||
|
||||
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
|
||||
|
||||
if [ "$NPM_DISABLE_IPV6" = "true" ]; then
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
|
||||
else
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
|
||||
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
|
||||
fi
|
||||
|
||||
if [ "$DISABLE_HTTP" = "true" ]; then
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
|
||||
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
|
||||
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
|
||||
else
|
||||
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
|
||||
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
|
||||
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
|
||||
fi
|
||||
|
||||
if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
|
||||
sed -i "s|log_not_found off;|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
|
||||
fi
|
||||
|
||||
if [ ! -s /data/nginx/default.conf ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
|
||||
fi
|
||||
|
||||
if [ ! -s /data/tls/certbot/config.ini ]; then
|
||||
cp -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini
|
||||
fi
|
||||
cp /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
|
||||
|
||||
if [ ! -s /data/etc/crowdsec/ban.html ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html.example
|
||||
|
||||
if [ ! -s /data/etc/crowdsec/captcha.html ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html.example
|
||||
|
||||
if [ ! -s /data/etc/crowdsec/crowdsec.conf ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf.example
|
||||
sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf
|
||||
|
||||
if grep -iq "^ENABLED[ ]*=[ ]*true$" /data/etc/crowdsec/crowdsec.conf; then
|
||||
if [ ! -s /usr/local/nginx/conf/conf.d/crowdsec.conf ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf
|
||||
fi
|
||||
else
|
||||
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
|
||||
fi
|
||||
|
||||
sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf
|
||||
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf
|
||||
if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi
|
||||
|
||||
nginxbeautifier -s 4 -r /data/nginx
|
||||
|
||||
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|add_header alt-svc 'h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400';|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
|
||||
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|add_header alt-svc 'h3=\":443\";|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
|
||||
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ma=86400, h3-29=\":443\";/d" {} \;
|
||||
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/^[[:space:]]*ma=86400';[[:space:]]*$/d" {} \;
|
||||
|
||||
rm -vf /usr/local/nginx/logs/nginx.pid
|
||||
rm -vf /run/*.sock
|
||||
|
||||
chmod -R 770 /data/tls \
|
||||
/data/etc/npm \
|
||||
/data/etc/access
|
||||
|
||||
if [ "$PUID" != "0" ]; then
|
||||
if id -u npm > /dev/null 2>&1; then
|
||||
usermod -u "$PUID" npm
|
||||
else
|
||||
useradd -o -u "$PUID" -U -d /tmp/npmhome -s /sbin/nologin npm
|
||||
fi
|
||||
if [ -z "$(getent group npm | cut -d: -f3)" ]; then
|
||||
groupadd -f -g "$PGID" npm
|
||||
else
|
||||
groupmod -o -g "$PGID" npm
|
||||
fi
|
||||
groupmod -o -g "$PGID" npm
|
||||
if [ "$(getent group npm | cut -d: -f3)" != "$PGID" ]; then
|
||||
echo "ERROR: Unable to set group id properly"
|
||||
sleep inf
|
||||
fi
|
||||
usermod -G "$PGID" npm
|
||||
if [ "$(id -g npm)" != "$PGID" ] ; then
|
||||
echo "ERROR: Unable to set group against the user properly"
|
||||
sleep inf
|
||||
fi
|
||||
chown -R "$PUID:$PGID" /usr/local/certbot \
|
||||
/usr/local/nginx \
|
||||
/data \
|
||||
/run \
|
||||
/tmp
|
||||
if [ "$PHP81" = "true" ]; then
|
||||
sed -i "s|user =.*|;user = root|" /data/php/81/php-fpm.d/www.conf
|
||||
sed -i "s|group =.*|;group = root|" /data/php/81/php-fpm.d/www.conf
|
||||
fi
|
||||
if [ "$PHP82" = "true" ]; then
|
||||
sed -i "s|user =.*|;user = root|" /data/php/82/php-fpm.d/www.conf
|
||||
sed -i "s|group =.*|;group = root|" /data/php/82/php-fpm.d/www.conf
|
||||
fi
|
||||
if [ "$PHP83" = "true" ]; then
|
||||
sed -i "s|user =.*|;user = root|" /data/php/83/php-fpm.d/www.conf
|
||||
sed -i "s|group =.*|;group = root|" /data/php/83/php-fpm.d/www.conf
|
||||
fi
|
||||
sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf
|
||||
sudo -Eu npm launch.sh
|
||||
else
|
||||
chown -R 0:0 /usr/local/certbot \
|
||||
/usr/local/nginx \
|
||||
/data \
|
||||
/run \
|
||||
/tmp
|
||||
if [ "$PHP81" = "true" ]; then
|
||||
sed -i "s|;user =.*|user = root|" /data/php/81/php-fpm.d/www.conf
|
||||
sed -i "s|;group =.*|group = root|" /data/php/81/php-fpm.d/www.conf
|
||||
fi
|
||||
if [ "$PHP82" = "true" ]; then
|
||||
sed -i "s|;user =.*|user = root|" /data/php/82/php-fpm.d/www.conf
|
||||
sed -i "s|;group =.*|group = root|" /data/php/82/php-fpm.d/www.conf
|
||||
fi
|
||||
if [ "$PHP83" = "true" ]; then
|
||||
sed -i "s|;user =.*|user = root|" /data/php/83/php-fpm.d/www.conf
|
||||
sed -i "s|;group =.*|group = root|" /data/php/83/php-fpm.d/www.conf
|
||||
fi
|
||||
sed -i "s|#user root;|user root;|g" /usr/local/nginx/conf/nginx.conf
|
||||
launch.sh
|
||||
fi
|
||||
@@ -4,4 +4,8 @@ more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
|
||||
more_set_headers "Content-Security-Policy: $content_security_policy";
|
||||
|
||||
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubDomains; preload";
|
||||
}
|
||||
|
||||
more_set_headers "Strict-Transport-Security: $hsts_header";
|
||||
|
||||
Reference in New Issue
Block a user