From 6548a7aea6ee99b5f3e2a06a8a7c158454e43dd5 Mon Sep 17 00:00:00 2001 From: Zoey Date: Sun, 29 Oct 2023 11:29:55 +0100 Subject: [PATCH] fix stream/allow editing modsec conf/readme changes/dep updates Signed-off-by: Zoey --- Dockerfile | 34 ++--------- README.md | 60 ++++--------------- backend/package.json | 6 +- backend/templates/_hsts.conf | 4 +- compose.crowdsec.yaml | 13 ++++ frontend/package.json | 2 +- rootfs/bin/start.sh | 36 +++++++---- .../local/nginx/conf/conf.d/include/hsts.conf | 4 +- .../conf/conf.d/include/modsecurity-crs.conf | 4 ++ .../conf/conf.d/include/modsecurity.conf | 2 + rootfs/usr/local/nginx/conf/nginx.conf | 6 +- 11 files changed, 71 insertions(+), 100 deletions(-) create mode 100644 compose.crowdsec.yaml create mode 100644 rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf create mode 100644 rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf diff --git a/Dockerfile b/Dockerfile index 8228c3b7..f32d493d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,7 +45,7 @@ RUN apk add --no-cache ca-certificates git build-base && \ sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf -FROM zoeyvid/certbot-docker:12 as certbot +FROM zoeyvid/certbot-docker:13 as certbot FROM zoeyvid/nginx-quic:211 SHELL ["/bin/ash", "-eo", "pipefail", "-c"] 
@@ -56,38 +56,14 @@ RUN apk add --no-cache ca-certificates tzdata tini \ openssl apache2-utils \ coreutils grep jq curl shadow sudo \ luarocks5.1 wget lua5.1-dev build-base git yarn && \ - wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ + wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \ wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \ - sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ - echo "Include /data/etc/modsecurity/modsecurity.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ - cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "Include /data/etc/modsecurity/crs-setup.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-config.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-before.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ - echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-after.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ + sed -i "s|SecRuleEngine.*|SecRuleEngine On|g" 
/usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \ + sed -i "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \ git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \ mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \ - cp /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ - sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ - mv /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf && \ + mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \ - #git clone --recursive https://github.com/coreruleset/phpmyadmin-rule-exclusions-plugin /tmp/phpmyadmin-rule-exclusions-plugin && \ - #git clone --recursive https://github.com/coreruleset/nextcloud-rule-exclusions-plugin /tmp/nextcloud-rule-exclusions-plugin && \ - #git clone --recursive https://github.com/coreruleset/wordpress-rule-exclusions-plugin /tmp/wordpress-rule-exclusions-plugin && \ - #git clone --recursive https://github.com/coreruleset/cpanel-rule-exclusions-plugin /tmp/cpanel-rule-exclusions-plugin && \ - #git clone --recursive https://github.com/coreruleset/body-decompress-plugin /tmp/body-decompress-plugin && \ - #git clone --recursive https://github.com/coreruleset/auto-decoding-plugin /tmp/auto-decoding-plugin && \ - #git clone --recursive https://github.com/coreruleset/google-oauth2-plugin /tmp/google-oauth2-plugin && \ - mv /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/phpmyadmin-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv 
/tmp/nextcloud-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/wordpress-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/cpanel-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/body-decompress-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/auto-decoding-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ - #mv /tmp/google-oauth2-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ rm -r /tmp/* && \ luarocks-5.1 install lua-resty-http && \ luarocks-5.1 install lua-cjson && \ diff --git a/README.md b/README.md index 79f95fc0..5aad684c 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,8 @@ running at home or otherwise, including free TLS, without having to know too muc **Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
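Review bot: The new `wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O .../modsecurity.conf.example` plus the two `sed -i` edits after it fetch the shipped ModSecurity baseline from a moving branch at build time and then rewrite it blind; `sed -i` exits 0 when its pattern finds nothing, so an upstream change to the `SecRuleEngine` or `unicode.mapping` lines would produce an image that silently stays in DetectionOnly or points at a missing map file. Pin the fetch to a tag or commit (the context `git clone https://github.com/coreruleset/coreruleset` has the same reproducibility gap) and assert the edit took effect, e.g. `grep -q '^SecRuleEngine On$' /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && grep -q '^SecUnicodeMapFile /usr/local/nginx/conf/conf.d/include/unicode.mapping' /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example`, so the build fails instead of shipping a weaker default. The RUN instruction this hunk edits starts outside the hunk.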
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
+**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity/modsecurity-default.conf` and `/opt/npm/etc/modsecurity/crs-setup.conf`.**
+**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
## Project Goal @@ -46,7 +48,7 @@ so that the barrier for entry here is low. - Supports HTTP/3 (QUIC) protocol. - Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it. - Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder. - - If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file. + - If the core ruleset blocks valid requests, please check the `/opt/npm/etc/modsecurity/crs-setup.conf` file. - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH). - Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM). - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283. 
@@ -95,17 +97,15 @@ so that the barrier for entry here is low. - since this fork has dependency on `network_mode: host`, please don't forget to open port 80 and 443 (and maybe 81) in your firewall # Crowdsec -1. Install crowdsec: https://doc.crowdsec.net/docs/getting_started/install_crowdsec +1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml 2. make sure to use `network_mode: host` in your compose file -3. run `cscli bouncers add npm -o raw` and save the output -4. run `cscli config show --key "Config.API.Client.Credentials.URL"` and save the output -5. open `/data/etc/crowdsec/crowdsec.conf` -6. set `ENABLED` to `true` -7. use the output of step 4 as `API_KEY` -8. use the output of step 5 as `API_URL` - But remove the `/` at the end (correct: `http://127.0.0.1:8080` - incorrect: `http://127.0.0.1:8080/`) -9. make your changes -10. save the file -11. restart the npm +3. run `docker exec crowdsec cscli bouncers add npmplus -o raw` and save the output +4. open `/data/etc/crowdsec/crowdsec.conf` +5. set `ENABLED` to `true` +6. use the output of step 4 as `API_KEY` +7. make sure `API_URL` is set to `http://127.0.0.1:8080` +9. save the file +10. restart the npm # Use as webserver 
@@ -153,43 +153,7 @@ location / { - [Docker Install documentation](https://docs.docker.com/engine) - [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux) -2. Create a compose.yaml file similar to this (or use it as a portainer stack): - -```yml -version: "3" -services: - npmplus: - container_name: npmplus - image: zoeyvid/npmplus - restart: always - network_mode: host - volumes: - - "/opt/npm:/data" -# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php -# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork - environment: - - "TZ=Europe/Berlin" # set timezone, required -# - "PUID=1000" # set group id, default 0 (root) -# - "PGID=1000" # set user id, default 0 (root) -# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host -# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host -# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all -# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all -# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all -# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all -# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false -# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST -# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false -# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts -# - "DISABLE_HTTP=true" # disables nginx to listen on 
port 80, default false -# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false -# - "CLEAN=false" # Clean folders, default true -# - "FULLCLEAN=true" # Clean unused config folders, default false -# - "PHP81=true" # Activate PHP81, default false -# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none -# - "PHP82=true" # Activate PHP82, default false -# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none -``` +2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):ยด 3. Bring up your stack by running (or deploy your portainer stack) ```bash diff --git a/backend/package.json b/backend/package.json index d11e690c..f6943fa7 100644 --- a/backend/package.json +++ b/backend/package.json @@ -12,11 +12,11 @@ "body-parser": "1.20.2", "compression": "1.7.4", "express": "4.18.2", - "express-fileupload": "1.4.1", + "express-fileupload": "1.4.2", "gravatar": "1.8.2", "jsonwebtoken": "9.0.2", "knex": "3.0.1", - "liquidjs": "10.9.3", + "liquidjs": "10.9.4", "lodash": "4.17.21", "moment": "2.29.4", "mysql": "2.18.1", @@ -29,7 +29,7 @@ "author": "Jamie Curnow and ZoeyVid ", "license": "MIT", "devDependencies": { - "eslint": "8.52.0", + "eslint": "8.53.0", "eslint-plugin-align-assignments": "1.1.2" } } diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf index a794e638..c0a743ed 100644 --- a/backend/templates/_hsts.conf +++ b/backend/templates/_hsts.conf 
@@ -10,10 +10,8 @@ {% unless certificate and certificate_id > 0 -%} {% unless ssl_forced == 1 or ssl_forced == true %} {% unless hsts_enabled == 1 or hsts_enabled == true %} - more_clear_headers "Content-Security-Policy"; - more_clear_headers "Expect-CT"; more_clear_headers "Strict-Transport-Security"; {% endunless %} {% endunless %} -{% endunless %} \ No newline at end of file +{% endunless %} diff --git a/compose.crowdsec.yaml b/compose.crowdsec.yaml new file mode 100644 index 00000000..52c9a6ba --- /dev/null +++ b/compose.crowdsec.yaml @@ -0,0 +1,13 @@ +services: + crowdsec: + container_name: crowdsec + image: crowdsecurity/crowdsec + restart: always + network_mode: bridge + ports: + - "127.0.0.1:8080:8080" + environment: + - "TZ=Europe/Berlin" + volumes: + - "/opt/crowdsec/conf:/etc/crowdsec" + - "/opt/crowdsec/data:/var/lib/crowdsec/data" diff --git a/frontend/package.json b/frontend/package.json index 94ea1c69..5538a527 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -4,7 +4,7 @@ "description": "A beautiful interface for creating Nginx endpoints", "main": "js/index.js", "dependencies": { - "@babel/core": "7.23.2", + "@babel/core": "7.23.3", "babel-core": "6.26.3", "babel-loader": "8.3.0", "babel-preset-env": "1.7.0", diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh index d8f089c5..9bd41dea 100755 --- a/rootfs/bin/start.sh +++ b/rootfs/bin/start.sh @@ -359,7 +359,6 @@ find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \; touch /data/etc/html/index.html \ - /data/etc/modsecurity/modsecurity.conf \ /data/nginx/default.conf \ /data/nginx/ip_ranges.conf \ /data/nginx/custom/root.conf \ 
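Review bot: Dropping `more_clear_headers "Content-Security-Policy";` means servers in the `unless certificate and certificate_id > 0` branch no longer strip the CSP that hsts.conf sets; if that include's `more_set_headers` is inherited by these plain-HTTP hosts, they now answer with `Content-Security-Policy: upgrade-insecure-requests`, which tells browsers to fetch every subresource over HTTPS on a site that has no TLS at all. If that is unintended the line should stay; if it is intended because hsts.conf is only reached for TLS hosts, a template comment saying so, `{%- comment %} CSP is only set for TLS hosts, nothing to clear here {% endcomment -%}`, would keep it from being re-added. The `Expect-CT` clear can go either way, the header is obsolete.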
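Review bot: `image: crowdsecurity/crowdsec` carries no tag, so every pull tracks the moving default tag and the engine version is neither reproducible nor reviewable before it changes; pin it, `image: crowdsecurity/crowdsec:<pinned-version>`, and bump it deliberately. Only the crowdsec config and data directories are mounted and nothing from the proxy's log location, so unless acquisition is configured elsewhere this container has no NPMplus access logs to parse; a comment on the `volumes:` list naming the log mount that is expected would make the README's "install crowdsec using this compose file" step complete. Binding the LAPI to `127.0.0.1:8080` matches the README's `API_URL` and keeps it off the network, which is right.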
@@ -372,9 +371,21 @@ touch /data/etc/html/index.html \ /data/nginx/custom/stream.conf \ /data/nginx/custom/server_stream.conf \ /data/nginx/custom/server_stream_tcp.conf \ - /data/nginx/custom/server_stream_udp.conf + /data/nginx/custom/server_stream_udp.conf \ + /data/etc/modsecurity/modsecurity-extra.conf -cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf +if [ ! -f /data/etc/modsecurity/modsecurity-default.conf ]; then + cp -vn /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf +fi +cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf.example + +if [ ! -f /data/etc/modsecurity/modsecurity.conf ]; then + mv -v /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/modsecurity-extra.conf +fi + +if [ ! -f /data/etc/modsecurity/crs-setup.conf ]; then + cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf +fi cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example if [ "$NPM_CERT_ID" = "0" ]; then 
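Review bot: The `if [ ! -f /data/etc/modsecurity/modsecurity.conf ]` block moves the image's `crs-setup.conf.example` to `/data/etc/modsecurity/modsecurity-extra.conf`; since the previous hunk stopped touching `modsecurity.conf`, this branch runs on every fresh install, overwrites the just-touched empty `modsecurity-extra.conf` with CRS setup content, and removes the source that the following `cp -vn ... crs-setup.conf` and `cp ... crs-setup.conf.example` lines read from, so on a first start `crs-setup.conf` is never created even though `modsecurity-crs.conf` includes it. If the intent is to migrate a legacy user-edited `modsecurity.conf` into the new extra file, the test and the source should both be that file: `if [ -f /data/etc/modsecurity/modsecurity.conf ]; then` / `    mv -v /data/etc/modsecurity/modsecurity.conf /data/etc/modsecurity/modsecurity-extra.conf` / `fi`. The `touch` statement this hunk extends begins outside the hunk.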
@@ -499,20 +510,20 @@ sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; -find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; +find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; if [ "$DISABLE_IPV6" = "true" ]; then sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; + find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; else sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" 
/app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; + find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; fi @@ -529,11 +540,11 @@ fi if [ "$DISABLE_HTTP" = "true" ]; then find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; + find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; else find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; + find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; fi 
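Review bot: The `-not -path "/app/templates/stream.conf"` exclusion is now spelled out verbatim in six `find /app/templates` invocations across this hunk and the `DISABLE_HTTP` hunk that follows it, with nothing saying why that one template is skipped. A one-line helper keeps the six call sites in sync, `sed_templates() { find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "$1" {} \; ; }`, and the reason belongs in a comment above it, presumably `# stream.conf is rewritten by the dedicated {{ incoming_port }} sed above and must not be touched again`. The IPv6 branch this change sits in closes with the `fi` at the end of the hunk, so the structure is complete here.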
@@ -548,22 +559,25 @@ fi if [ ! -f /data/tls/certbot/config.ini ]; then cp -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini fi +cp /etc/tls/certbot.ini /data/tls/certbot/config.ini.example if [ ! -f /data/etc/crowdsec/ban.html ]; then cp -vn /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html fi +cp /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html.example if [ ! -f /data/etc/crowdsec/captcha.html ]; then cp -vn /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html fi +cp /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html.example if [ ! -f /data/etc/crowdsec/crowdsec.conf ]; then cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf -else - sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf fi +cp /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf.example +sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf -if grep -iq "^ENABLED[ ]\+\?=[ ]\+\?true$" /data/etc/crowdsec/crowdsec.conf; then +if grep -iq "^ENABLED[ ]*=[ ]*true$" /data/etc/crowdsec/crowdsec.conf; then cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf else rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf index 11de7076..6149d805 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf 
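Review bot: `sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf` now runs on every start, including on the file that was just copied, and it rewrites every occurrence of the string `crowdsec.conf` in that file rather than only the stale `CAPTCHA_TEMPLATE_PATH` value it presumably migrates, so a user comment or any other setting containing that string is silently altered too. Anchoring the substitution to the key it is meant for keeps it bounded and idempotent: `sed -i "s|^\(CAPTCHA_TEMPLATE_PATH=.*\)crowdsec.conf|\1captcha.html|" /data/etc/crowdsec/crowdsec.conf`. The relaxed `grep -iq "^ENABLED[ ]*=[ ]*true$"` is a correct simplification of the old `[ ]\+\?` form.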
@@ -2,6 +2,6 @@ more_set_headers "X-XSS-Protection: 0"; more_set_headers "X-Frame-Options: SAMEORIGIN"; more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; -more_set_headers "Content-Security-Policy: upgrade-insecure-requests"; +more_set_headers "Content-Security-Policy: $content_security_policy"; -more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"; \ No newline at end of file +more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"; diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf new file mode 100644 index 00000000..257c7b40 --- /dev/null +++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf @@ -0,0 +1,4 @@ +Include /data/etc/modsecurity/modsecurity-default.conf +Include /data/etc/modsecurity/modsecurity-extra.conf +Include /data/etc/modsecurity/crs-setup.conf +Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf new file mode 100644 index 00000000..e67510fe --- /dev/null +++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf @@ -0,0 +1,2 @@ +Include /data/etc/modsecurity/modsecurity-default.conf +Include /data/etc/modsecurity/modsecurity-extra.conf diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf index 463d0810..e3a180b0 100644 --- a/rootfs/usr/local/nginx/conf/nginx.conf +++ b/rootfs/usr/local/nginx/conf/nginx.conf 
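Review bot: `more_set_headers "Content-Security-Policy: $content_security_policy";` changes behaviour silently: via the map in nginx.conf the value is the upstream's own CSP whenever one is present, so `upgrade-insecure-requests` is now only sent for responses that carry no CSP at all and an application policy is passed through unchanged rather than augmented. A comment on the line would spare the next reader the hunt, e.g. `# value from the $content_security_policy map in nginx.conf: upstream CSP if set, else upgrade-insecure-requests`. If the intent was to keep the upgrade directive alongside an application policy, it would have to be emitted as an additional header rather than set, since `more_set_headers` replaces every instance of the header.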
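Review bot: `Include /data/etc/modsecurity/modsecurity-extra.conf` is placed before `crs-setup.conf` and before `rules/*.conf`, so anything a user puts there that must follow the ruleset — the `SecRuleRemoveById`-style exclusions CRS expects after its rules, the slot the removed `*-after.conf` plugin include used to occupy — has no place in this chain; only pre-rule settings can go into the extra file. Either add a user include after the rules line, e.g. `Include /data/etc/modsecurity/crs-after.conf` (constructed name), or state in a comment at the top of this file that `modsecurity-extra.conf` is loaded before the ruleset and is not the place for post-rule exclusions. Worth noting in the same comment that `modsecurity-default.conf` arrives with `SecRuleEngine On` from the Dockerfile sed, so this chain blocks from the first start.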
@@ -62,9 +62,9 @@ http { limit_req_zone $binary_remote_addr zone=one:10m rate=180r/s; limit_req zone=one burst=1800; - # Default upstream scheme - map $host $forward_scheme { - default http; + map $upstream_http_content_security_policy $content_security_policy { + default $upstream_http_content_security_policy; + '' "upgrade-insecure-requests"; } # Websocket
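Review bot: Removing `map $host $forward_scheme { default http; }` deletes the only http-level definition of `$forward_scheme`; if any shipped or generated config still references it, for instance in a `proxy_pass`, without a `set $forward_scheme` in its own server block, nginx refuses to start with an unknown-variable error, so it is worth a `nginx -t` against a data directory that still holds older host configs before this lands. The new map also deserves a comment, because the `''` branch is what preserves the previous behaviour: `# pass an upstream CSP through unchanged; only responses without one get upgrade-insecure-requests`. The enclosing `http` block starts outside the hunk.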