Modsecurity is working!

This commit is contained in:
baudneo
2022-02-21 23:17:12 -07:00
parent 49f52c8473
commit 479cbe3a51
9 changed files with 86 additions and 15 deletions


@@ -3,7 +3,7 @@
# This file assumes that the frontend has been built using ./scripts/frontend-build # This file assumes that the frontend has been built using ./scripts/frontend-build
FROM nginxproxymanager/nginx-full:certbot-node FROM baudneo/nginx-full:certbot-node
ARG TARGETPLATFORM ARG TARGETPLATFORM
ARG BUILD_VERSION ARG BUILD_VERSION
@@ -17,7 +17,10 @@ ENV SUPPRESS_NO_CONFIG_WARNING=1 \
NPM_BUILD_VERSION="${BUILD_VERSION}" \ NPM_BUILD_VERSION="${BUILD_VERSION}" \
NPM_BUILD_COMMIT="${BUILD_COMMIT}" \ NPM_BUILD_COMMIT="${BUILD_COMMIT}" \
NPM_BUILD_DATE="${BUILD_DATE}" \ NPM_BUILD_DATE="${BUILD_DATE}" \
OPENRESTY_DEBUG="0" OPENRESTY_DEBUG="0" \
MODSEC_CREATE="0" \
MODSEC_ENABLE="0" \
MODSEC_ADMIN_PANEL="0"
RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \ RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
&& apt-get update \ && apt-get update \
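Review bot: The FROM line now pulls `baudneo/nginx-full:certbot-node` from a personal namespace under a mutable tag, and because the multi-arch build script passes `--pull`, every rebuild silently takes whatever that tag points to at the time; pin it by digest, `FROM baudneo/nginx-full:certbot-node@sha256:<digest>`, and bump the digest deliberately. The three new `MODSEC_*` defaults are all "0", so the image carries the modsecurity module but leaves it off until an operator opts in; a comment above the ENV block such as `# MODSEC_ENABLE=1 enables modsecurity on :80/:443, MODSEC_ADMIN_PANEL=1 on the :81 dashboard, MODSEC_CREATE=1 (re)seeds /data/modsec from the templates` would spare readers a trip into the init script. Both the ENV instruction and the RUN that follows continue outside the hunk.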


@@ -0,0 +1,39 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
set -e # Exit immediately if a command exits with a non-zero status.
set -u # Treat unset variables as an error.
log() {
echo "[cont-init.d] $(basename "$0"): $*"
}
mkdir -p /data/modsec/ruleset
ln -s /data/modsec/ /etc/nginx
[ ! -f /data/modsec/main.conf ] && MODSEC_CREATE="1"
if [ "${MODSEC_CREATE}" == "1" ] || [ "${MODSEC_CREATE}" -eq 1 ]; then
log "Setting up modsecurity persistent data"
cp /usr/local/modsecurity/templates/main.conf /data/modsec/main.conf
cp /usr/local/modsecurity/templates/modsecurity.conf /data/modsec/modsecurity.conf
cp /usr/local/modsecurity/templates/unicode.mapping /data/modsec/unicode.mapping
cp -r /usr/local/modsecurity/templates/* /data/modsec/
cp -r /usr/local/modsecurity/templates/ruleset/* /data/modsec/ruleset/
mv /data/modsec/ruleset/crs-setup.conf.example /data/modsec/ruleset/crs-setup.conf
fi
# Enable modsecurity in the server block of :80 and :443
# Can disable this (default) and add the modsec directives in each location block
if [ "${MODSEC_ENABLE}" == "1" ] || [ "${MODSEC_ENABLE}" -eq 1 ]; then
log "Enabling modsecurity in server block of port 80 and 443"
sed-patch "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/default.conf
sed-patch "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/default.conf
fi
# Enabled modsecurity in the server block of :81 (admin dashboard)
if [ "${MODSEC_ADMIN_PANEL}" == "1" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 1 ]; then
log "Enabling modsecurity in server block of admin dashboard port 81"
sed-patch "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/production.conf
sed-patch "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/production.conf
fi
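Review bot: `ln -s /data/modsec/ /etc/nginx` on the line after the `mkdir -p` is not idempotent: it creates `/etc/nginx/modsec` on the first start, and on any later start of the same container (its writable layer keeps the link) `ln` fails with "File exists", which `set -e` turns into an abort of this init script before any of the MODSEC_ENABLE patching runs; `ln -sfn /data/modsec /etc/nginx/modsec` recreates the link in place instead. Separately, with MODSEC_CREATE=1 set on an existing deployment the `cp` lines and the final `mv` overwrite whatever the operator has tuned in `/data/modsec`, including `crs-setup.conf`, so either guard each copy with a `[ -f ... ] ||` check or state in a comment that MODSEC_CREATE=1 resets the ruleset to the templates. The `[ "${MODSEC_CREATE}" -eq 1 ]` fallback also errors out (and, being last in the `||` list, exits under `set -e`) for a non-numeric value such as `true`; the `== "1"` test alone is enough here and in the two conditions below it.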


@@ -4,26 +4,26 @@
set -e # Exit immediately if a command exits with a non-zero status. set -e # Exit immediately if a command exits with a non-zero status.
set -u # Treat unset variables as an error. set -u # Treat unset variables as an error.
log() {
echo "[cont-init.d] $(basename "$0"): $*"
}
# Redirect admin panel logs from /dev/null to log files if enabled # Redirect admin panel logs from /dev/null to log files if enabled
if [[ ${ADMIN_PANEL_LOG} == "1" ]] || [[ ${ADMIN_PANEL_LOG} -eq 1 ]]; then if [[ ${ADMIN_PANEL_LOG} == "1" ]] || [[ ${ADMIN_PANEL_LOG} -eq 1 ]]; then
echo "Enabling admin dashboard logging" log "Enabling admin dashboard logging"
echo "ADMIN_PANEL_LOG = $ADMIN_PANEL_LOG"
sed-patch 's|<ADMIN_ACCESS_LOG>|/data/logs/admin-panel_access.log standard|' /etc/nginx/conf.d/production.conf sed-patch 's|<ADMIN_ACCESS_LOG>|/data/logs/admin-panel_access.log standard|' /etc/nginx/conf.d/production.conf
sed-patch 's|<ADMIN_ERROR_LOG>|/data/logs/admin-panel_error.log warn|' /etc/nginx/conf.d/production.conf sed-patch 's|<ADMIN_ERROR_LOG>|/data/logs/admin-panel_error.log warn|' /etc/nginx/conf.d/production.conf
else else
echo "Leaving admin dashboard logging off (default behavior)" log "Leaving admin dashboard logging off (default behavior)"
echo "ADMIN_PANEL_LOG = $ADMIN_PANEL_LOG"
sed-patch 's|<ADMIN_ACCESS_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf sed-patch 's|<ADMIN_ACCESS_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
sed-patch 's|<ADMIN_ERROR_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf sed-patch 's|<ADMIN_ERROR_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
fi fi
if [[ ${OPENRESTY_DEBUG} == "1" ]] || [[ ${OPENRESTY_DEBUG} -eq 1 ]]; then if [[ ${OPENRESTY_DEBUG} == "1" ]] || [[ ${OPENRESTY_DEBUG} -eq 1 ]]; then
echo "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG" log "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG"
echo "OPENRESTY_DEBUG = $OPENRESTY_DEBUG"
sed-patch 's|<ERROR_LOG_LEVEL>|debug|' /etc/nginx/nginx.conf sed-patch 's|<ERROR_LOG_LEVEL>|debug|' /etc/nginx/nginx.conf
else else
echo "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)" log "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)"
echo "OPENRESTY_DEBUG = $OPENRESTY_DEBUG"
sed-patch 's|<ERROR_LOG_LEVEL>|warn|' /etc/nginx/nginx.conf sed-patch 's|<ERROR_LOG_LEVEL>|warn|' /etc/nginx/nginx.conf
fi fi


@@ -9,9 +9,14 @@ log() {
} }
if [ "${CROWDSEC_BOUNCER}" == "1" ] || [ "${CROWDSEC_BOUNCER}" -eq 1 ]; then if [ "${CROWDSEC_BOUNCER}" == "1" ] || [ "${CROWDSEC_BOUNCER}" -eq 1 ]; then
log "Enabling CrowdSec Bouncer"
mkdir -p /data/crowdsec mkdir -p /data/crowdsec
#Install Crowdsec Bouncer Config. #Install Crowdsec Bouncer Config.
[ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ] || cp /crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
cp /crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
log "Crowdsec Bouncer Config copied to /data/crowdsec/crowdsec-openresty-bouncer.conf"
fi
mkdir -p /etc/nginx/lualib/plugins/crowdsec/ mkdir -p /etc/nginx/lualib/plugins/crowdsec/
cp /crowdsec/lua/* /etc/nginx/lualib/plugins/crowdsec/ cp /crowdsec/lua/* /etc/nginx/lualib/plugins/crowdsec/
cp /crowdsec/crowdsec_openresty.conf /etc/nginx/conf.d/ cp /crowdsec/crowdsec_openresty.conf /etc/nginx/conf.d/
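Review bot: The rewritten guard `if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then` inverts the original `[ -f ... ] || cp`: the template is now copied only when the config already exists, so a fresh deployment never receives a bouncer config and every later start overwrites the operator's edited file (presumably where the bouncer's API key lives) with the template. It should read `if [ ! -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then`, preserving the copy-once-if-missing behaviour the old line had. The CROWDSEC_BOUNCER block continues past the end of the hunk.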


@@ -0,0 +1,15 @@
/data/logs/modsec_audit.log {
create 0644 root root
daily
rotate 14
missingok
notifempty
compress
maxsize 500M
minsize 500M
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
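Review bot: `create 0644 root root` makes each new `modsec_audit.log` world-readable, and ModSecurity audit entries can include full request headers and bodies of the proxied sites (cookies, bearer tokens, submitted passwords); `create 0640 root root` keeps the file to root and its group. The `minsize 500M` line also defeats `daily`: minsize forbids rotation while the file is under 500M, so the effective policy is "rotate once over 500M", which the `maxsize 500M` line already expresses; drop `minsize` if smaller files should still rotate daily. The `postrotate` sends nginx USR1, which reopens nginx's own access and error logs; unless the modsecurity connector also reopens its audit log on that signal (worth confirming), writes continue into the renamed file until a restart and `copytruncate` would be the safer choice.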


@@ -3,6 +3,9 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
#<MODSEC_ON>
#<MODSEC_RULES>
set $forward_scheme "http"; set $forward_scheme "http";
set $server "127.0.0.1"; set $server "127.0.0.1";
set $port "80"; set $port "80";
@@ -25,6 +28,10 @@ server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
#<MODSEC_ON>
#<MODSEC_RULES>
set $forward_scheme "https"; set $forward_scheme "https";
set $server "127.0.0.1"; set $server "127.0.0.1";
set $port "443"; set $port "443";


@@ -8,6 +8,8 @@ server {
# Replaced with /dev/null by default unless ADMIN_PANEL_LOG is set to '1' # Replaced with /dev/null by default unless ADMIN_PANEL_LOG is set to '1'
access_log <ADMIN_ACCESS_LOG>; access_log <ADMIN_ACCESS_LOG>;
error_log <ADMIN_ERROR_LOG>; error_log <ADMIN_ERROR_LOG>;
#<MODSEC_ON>
#<MODSEC_RULES>
location /api { location /api {
return 302 /api/; return 302 /api/;


@@ -3,7 +3,7 @@
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "$DIR/.common.sh" . "$DIR/.common.sh"
echo -e "${BLUE} ${CYAN}Building docker multiarch: ${YELLOW}${*}${RESET}" echo -e "${BLUE} ${CYAN}Building docker multi-arch: ${YELLOW}${*}${RESET}"
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "${DIR}/.." || exit 1 cd "${DIR}/.." || exit 1
@@ -27,10 +27,10 @@ docker buildx build \
--progress plain \ --progress plain \
--pull \ --pull \
-f docker/Dockerfile \ -f docker/Dockerfile \
$@ \ "$@" \
. .
rc=$? rc=$?
docker buildx rm "${BUILDX_NAME:-npm}" docker buildx rm "${BUILDX_NAME:-npm}"
echo -e "${BLUE} ${GREEN}Multiarch build Complete${RESET}" echo -e "${BLUE} ${GREEN}Multi-arch build Complete${RESET}"
exit $rc exit $rc


@@ -3,7 +3,7 @@
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "$DIR/.common.sh" . "$DIR/.common.sh"
DOCKER_IMAGE=nginxproxymanager/nginx-full:certbot-node DOCKER_IMAGE=baudneo/nginx-full:certbot-node
# Ensure docker exists # Ensure docker exists
if hash docker 2>/dev/null; then if hash docker 2>/dev/null; then