ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-02 15:33:32 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

add goaccess

Browse Source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey
2024-01-13 09:04:59 +01:00
parent f96a4d32a3
commit a6797c9f6b
17 changed files with 361 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/docker.yml vendored
View File

@@ -99,3 +99,4 @@ jobs:
with:
message: "The Docker Image can now be found here: `ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }}`"
repo-token: ${{ github.token }}
refresh-message-position: true

6
.github/workflows/js.yml → .github/workflows/update-and-lint.yml vendored
View File

@@ -1,11 +1,11 @@
name: js
name: update-and-lint
on:
push:
schedule:
- cron: "0 */6 * * *"
workflow_dispatch:
jobs:
js:
update-and-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout
@@ -36,5 +36,5 @@ jobs:
git add -A
git config user.name "GitHub"
git config user.email "noreply@github.com"
git diff-index --quiet HEAD || git commit -sm "js"
git diff-index --quiet HEAD || git commit -sm "update and lint"
git push

15
Dockerfile
View File

@@ -48,7 +48,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:240
FROM zoeyvid/nginx-quic:241
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.0/dev
@@ -92,19 +92,30 @@ ENV NODE_ENV=production \
ENV PUID=0 \
PGID=0 \
NIBEP=48693 \
GOAIWSP=48683 \
NPM_PORT=81 \
GOA_PORT=91 \
IPV4_BINDING=0.0.0.0 \
NPM_IPV4_BINDING=0.0.0.0 \
GOA_IPV4_BINDING=0.0.0.0 \
IPV6_BINDING=[::] \
NPM_IPV6_BINDING=[::] \
GOA_IPV6_BINDING=[::] \
DISABLE_IPV6=false \
NPM_DISABLE_IPV6=false \
GOA_DISABLE_IPV6=false \
NPM_LISTEN_LOCALHOST=false \
NPM_CERT_ID=0 \
GOA_LISTEN_LOCALHOST=false \
DEFAULT_CERT_ID=0 \
DISABLE_HTTP=false \
NGINX_ACCESS_LOG=false \
NGINX_LOG_NOT_FOUND=false \
CLEAN=true \
FULLCLEAN=false \
LOGROTATE=false \
LOGROTATIONS=3 \
GOA=false \
GOACLA="--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string" \
PHP81=false \
PHP82=false \
PHP83=false

8
README.md
View File

@@ -18,8 +18,9 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br>
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).** <br>
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.** <br>
**Note: Internal/LAN Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.** <br>
**Note: Other Databases like MariaDB may work, but are unsupported.** <br>
**Note: access.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR.** <br>
## Project Goal
@@ -49,6 +50,7 @@ so that the barrier for entry here is low.
- Supports HTTP/3 (QUIC) protocol.
- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
- goaccess included, see compose.yaml (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf))
- Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder.
- If the core ruleset blocks valid requests, please check the `/opt/npm/etc/modsecurity/crs-setup.conf` file.
- Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
@@ -70,7 +72,7 @@ so that the barrier for entry here is low.
- Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver
- Exposes INTERNAL backend api only to localhost
- Basic security headers are added if you enable HSTS (HSTS has always subdomains and preload enabled)
- Access Log disabled
- access.log is disabled by default, unified and moved to `/opt/npm/nginx/access.log`
- Error Log written to console
- `Server` response header hidden
- PHP 8.1/8.2/8.3 optional, with option to add extensions; available packages can added using envs in the compose file
@@ -159,7 +161,7 @@ location / {
- [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):´
2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):
3. Bring up your stack by running (or deploy your portainer stack)
```bash

3
backend/templates/dead_host.conf
View File

@@ -13,8 +13,9 @@ server {
include conf.d/include/block-exploits.conf;
{% if use_default_location %}
location / {
alias /html/404/;
include conf.d/include/acme-challenge.conf;
root /html/404;
try_files $uri /index.html;
}
{% endif %}

10
backend/templates/default.conf
View File

@@ -26,7 +26,9 @@ server {
{%- if value == "404" %}
location / {
alias /html/404/;
include conf.d/include/acme-challenge.conf;
root /html/404;
try_files $uri /index.html;
}
{%- endif %}
@@ -44,14 +46,16 @@ server {
{%- if value == "congratulations" %}
location / {
include conf.d/include/acme-challenge.conf;
alias /html/default/;
root /html/default;
try_files $uri /index.html;
}
{%- endif %}
{%- if value == "html" %}
location / {
include conf.d/include/acme-challenge.conf;
alias /data/etc/html/;
root /data/etc/html;
try_files $uri /index.html;
}
{%- endif %}
}

14
compose.geoip.yaml Normal file
View File

@@ -0,0 +1,14 @@
services:
geoipupdate:
container_name: npmplus-geoipupdate
image: maxmindinc/geoipupdate
restart: always
network_mode: bridge
environment:
- "TZ=Europe/Berlin"
- "GEOIPUPDATE_EDITION_IDS=GeoLite2-Country GeoLite2-City GeoLite2-ASN"
- "GEOIPUPDATE_ACCOUNT_ID=<your-account-id>"
- "GEOIPUPDATE_LICENSE_KEY=<your-license-key>"
- "GEOIPUPDATE_FREQUENCY=24"
volumes:
- "/opt/npm/etc/goaccess/geoip:/usr/share/GeoIP"

24
compose.yaml
View File

@@ -13,20 +13,30 @@ services:
- "TZ=Europe/Berlin" # set timezone, required
# - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root)
# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "NIBEP=48694" # internal port of the NOMplus API, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "GOAIWSP=48684" # internal port of goaccess, always bound to 127.0.0.1, default 48683, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM UI, defaults to all
# - "GOA_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the goaccess, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM UI, defaults to all
# - "GOA_IPV6_BINDING=[::1]" # IPv6 address to bind for goaccess, defaults to all
# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM UI, overrides NPM_IPV6_BINDING, default false
# - "GOA_DISABLE_IPV6=true" # disable IPv6 for goaccess, overrides GOA_IPV6_BINDING, default false
# - "NPM_LISTEN_LOCALHOST=true" # Binds the NPM UI only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "GOA_LISTEN_LOCALHOST=true" # Binds goaccess only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "DEFAULT_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false
# - "LOGROTATE=true" # Enables writing http access logs to /opt/npm/nginx/access.log and daily logrotation, default false
# - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
# - "GOA=true" # Enables goaccess, overrides LOGROTATE, default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npm/etc/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also use the compose.geoip.yaml
# - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # Arguments that should be passed to goaccess, default: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/bin/launch.sh#L50 and: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
# - "PHP81=true" # Activate PHP81, default false
# - "PHP81_APKS=php81-curl php81-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.19&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP82=true" # Activate PHP82, default false

11
rootfs/etc/logrotate Normal file
View File

@@ -0,0 +1,11 @@
/data/nginx/access.log {
daily
rotate 3
missingok
notifempty
compress
sharedscripts
postrotate
nginx -s reload
endscript
}

2
rootfs/usr/local/bin/healthcheck.sh
View File

@@ -16,7 +16,7 @@ if [ "$NPM_IPV6_BINDING" != "[::]" ] && [ "$NPM_IPV4_BINDING" != "0.0.0.0" ]; th
fi
fi
if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then
if (if [ "$GOA" = "true" ]; then [ -f /tmp/goa/index.html ]; fi && if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then
echo "OK"
exit 0
else

4
rootfs/usr/local/bin/launch.sh
View File

@@ -46,5 +46,9 @@ fi
if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi &
if [ "$LOGROTATE" = "true" ]; then logrotate --state /data/etc/logrotate.status /etc/logrotate; fi &
# shellcheck disable=SC2086
if [ "$GOA" = "true" ]; then goaccess --no-global-config --num-tests=0 --tz="$TZ" --date-format="%d/%b/%Y" --time-format="%H:%M:%S" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --no-ip-validation --addr=127.0.0.1 --port="$GOAIWSP" \
-f /data/nginx/access.log --real-time-html -o /tmp/goa/index.html --persist --restore --db-path=/data/etc/goaccess/data -b /etc/goaccess/browsers.list -b /etc/goaccess/podcast.list $GOACLA; fi &
aio.sh &
index.js

315
rootfs/usr/local/bin/start.sh
View File

@@ -18,6 +18,15 @@ fi
touch /data/.env
. /data/.env
if [ -z "$NPM_CERT_ID" ] && ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
echo "NPM_CERT_ID needs to be a number."
sleep inf
fi
if [ -z "$NPM_CERT_ID" ]; then
echo "NPM_CERT_ID is deprecated, please change it to DEFAULT_CERT_ID"
export DEFAULT_CERT_ID="$NPM_CERT_ID"
fi
if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then
echo "TZ is unset or invalid."
@@ -39,11 +48,21 @@ if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then
sleep inf
fi
if ! echo "$GOAIWSP" | grep -q "^[0-9]\+$"; then
echo "GOAIWSP needs to be a number."
sleep inf
fi
if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then
echo "NPM_PORT needs to be a number."
sleep inf
fi
if ! echo "$GOA_PORT" | grep -q "^[0-9]\+$"; then
echo "GOA_PORT needs to be a number."
sleep inf
fi
if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "IPV4_BINDING needs to be a IPv4-Address."
sleep inf
@@ -54,6 +73,11 @@ if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$";
sleep inf
fi
if ! echo "$GOA_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "GOA_IPV4_BINDING needs to be a IPv4-Address."
sleep inf
fi
if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
echo "IPV6_BINDING needs to be a IPv6-Address inside []."
sleep inf
@@ -64,6 +88,11 @@ if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
sleep inf
fi
if ! echo "$GOA_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
echo "GOA_IPV6_BINDING needs to be a IPv6-Address inside []."
sleep inf
fi
if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then
echo "DISABLE_IPV6 needs to be true or false."
sleep inf
@@ -74,13 +103,23 @@ if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
sleep inf
fi
if ! echo "$GOA_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
echo "GOA_DISABLE_IPV6 needs to be true or false."
sleep inf
fi
if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
echo "NPM_LISTEN_LOCALHOST needs to be true or false."
sleep inf
fi
if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
echo "NPM_CERT_ID needs to be a number."
if ! echo "$GOA_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
echo "GOA_LISTEN_LOCALHOST needs to be true or false."
sleep inf
fi
if ! echo "$DEFAULT_CERT_ID" | grep -q "^[0-9]\+$"; then
echo "DEFAULT_CERT_ID needs to be a number."
sleep inf
fi
@@ -104,6 +143,26 @@ if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then
sleep inf
fi
if ! echo "$LOGROTATE" | grep -q "^true$\|^false$"; then
echo "LOGROTATE needs to be true or false."
sleep inf
fi
if [ -n "$LOGROTATE" ] && ! echo "$LOGROTATIONS" | grep -q "^[0-9]\+$"; then
echo "LOGROTATIONS needs to be a number."
sleep inf
fi
if ! echo "$GOA" | grep -q "^true$\|^false$"; then
echo "GOA needs to be true or false."
sleep inf
fi
if [ -n "$GOACLA" ] && ! echo "$GOACLA" | grep -q "^-[a-zA-Z0-9 =/_.-]\+$"; then
echo "GOACLA must start with a hyphen and can consist of lower and upper letters a-z A-Z, numbers 0-9, spaces, equals signs, slashes, underscores, dots and hyphens."
sleep inf
fi
if ! echo "$PHP81" | grep -q "^true$\|^false$"; then
echo "PHP81 needs to be true or false."
sleep inf
@@ -137,10 +196,14 @@ fi
if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
echo "You've set PGID but not PUID. Running resetting PGID to 0."
echo "You've set PGID but not PUID. Resetting PGID to 0."
export PGID="0"
fi
if [ "$GOA" = "true" ] && [ "$LOGROTATE" = "false" ]; then
echo "You've enabled GOA but not LOGROTATE. Enabling LOGROTATE."
export LOGROTATE="true"
fi
if [ "$NC_AIO" = "true" ]; then
export DISABLE_HTTP="true"
@@ -151,6 +214,40 @@ if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
export NPM_IPV6_BINDING="[::1]"
fi
if [ "$GOA_LISTEN_LOCALHOST" = "true" ]; then
export GOA_IPV4_BINDING="127.0.0.1"
export GOA_IPV6_BINDING="[::1]"
fi
if [ -s /data/etc/goaccess/geoip/GeoLite2-Country.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-City.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-ASN.mmdb ] && echo "$GOACLA" | grep -vq "geoip-database"; then
export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-Country.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-City.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-ASN.mmdb"
fi
if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then
apk add --no-cache fcgi
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP_APKS" ]; then
for apk in $(echo "$PHP_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -q "^php-.*$"; then
echo "$apk is a non allowed value."
echo "It needs to start with \"php-\"."
echo "It is set to \"$apk\"."
sleep inf
fi
echo "Installing $apk via apk..."
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
echo "The apk \"$apk\" was not installed!"
fi
done
fi
fi
if [ "$PHP81" = "true" ]; then
@@ -248,35 +345,28 @@ elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/php/83
fi
if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then
apk add --no-cache fcgi
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP_APKS" ]; then
for apk in $(echo "$PHP_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -q "^php-.*$"; then
echo "$apk is a non allowed value."
echo "It needs to start with \"php-\"."
echo "It is set to \"$apk\"."
sleep inf
if [ "$GOA" = "true" ]; then
apk add --no-cache goaccess
mkdir -vp /data/etc/goaccess/data \
/data/etc/goaccess/geoip
elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/etc/goaccess
fi
echo "Installing $apk via apk..."
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
echo "The apk \"$apk\" was not installed!"
if [ "$LOGROTATE" = "true" ]; then
apk add --no-cache logrotate
sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate
elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/etc/logrotate.status \
/data/nginx/access.log.*
fi
done
fi
fi
mkdir -p /tmp/acme-challenge \
/tmp/certbot-work \
/tmp/certbot-log \
/tmp/npmhome
/tmp/npmhome \
/tmp/goa
mkdir -vp /data/tls/certbot/credentials \
/data/tls/certbot/renewal \
@@ -398,7 +488,6 @@ find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|quic reuseport;|quic;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|security_headers on;|include conf.d/include/hsts.conf;|g" {} \;
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|more_set_headers \"Alt-Svc: h3=':443'; ma=86400\";|more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/access|/data/nginx/access|g" {} \;
@@ -456,86 +545,87 @@ if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.exam
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
if [ "$NPM_CERT_ID" = "0" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts."
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "no DEFAULT_CERT_ID set, using dummycerts for npm and default hosts."
else
if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem"
export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem"
export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem"
export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem"
export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem"
export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem"
export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
else
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts."
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts for npm and default hosts."
fi
fi
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
@@ -546,35 +636,46 @@ else
/data/tls/dummykey.pem
fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf; fi
if [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf
else
sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf
fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi
sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|48683|$GOAIWSP|g" /usr/local/nginx/conf/conf.d/goaccess.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
@@ -606,6 +707,17 @@ else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
if [ "$GOA_DISABLE_IPV6" = "true" ]; then
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
fi
if [ "$DISABLE_HTTP" = "true" ]; then
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
@@ -617,12 +729,21 @@ else
fi
if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
sed -i "s|log_not_found off;|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
sed -i "s|log_not_found.*|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
else
sed -i "s|log_not_found.*|log_not_found off;|g" /usr/local/nginx/conf/nginx.conf
fi
if [ "$LOGROTATE" = "true" ]; then
sed -i "s|access_log.*|access_log /data/nginx/access.log log;|g" /usr/local/nginx/conf/nginx.conf
else
sed -i "s|access_log.*|access_log off;|g" /usr/local/nginx/conf/nginx.conf
fi
if [ ! -s /data/nginx/default.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ ! -s /data/tls/certbot/config.ini ]; then
cp -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini
@@ -653,9 +774,9 @@ else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi
nginxbeautifier -s 4 -r /data/nginx

17
rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf Normal file
View File

@@ -0,0 +1,17 @@
server {
http3 off;
listen 82 ssl;
listen [::]:82 ssl;
server_name "";
return 444;
include conf.d/include/brotli.conf;
include conf.d/include/force-tls.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
}

33
rootfs/usr/local/nginx/conf/conf.d/goaccess.conf Normal file
View File

@@ -0,0 +1,33 @@
server {
http3 off;
listen 91 ssl default_server;
listen [::]:91 ssl default_server;
server_name _;
include conf.d/include/brotli.conf;
include conf.d/include/force-tls.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
include conf.d/include/proxy-location.conf;
if ($goaccess = "socket") {
proxy_pass http://127.0.0.1:48683$request_uri;
}
root /tmp/goa;
try_files $uri /index.html;
sub_filter 'WebSocket(str)' 'WebSocket(window.location.origin.split("#")[0].replace(window.location.protocol, window.location.protocol == "https:" ? "wss:" : "ws:"))';
sub_filter_once on;
}
}

3
rootfs/usr/local/nginx/conf/conf.d/include/default.conf
View File

@@ -26,6 +26,7 @@ server {
location / {
include conf.d/include/acme-challenge.conf;
alias /html/default/;
root /html/default;
try_files $uri /index.html;
}
}

21
rootfs/usr/local/nginx/conf/conf.d/npm.conf
View File

@@ -17,24 +17,13 @@ server {
#ssl_trusted_certificate ;
location /api {
return 301 /api/;
}
location /api/ {
proxy_pass http://127.0.0.1:48693/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
include conf.d/include/proxy-location.conf;
rewrite ^/api(/.*)$ $1 break;
proxy_pass http://127.0.0.1:48693;
}
location / {

8
rootfs/usr/local/nginx/conf/nginx.conf
View File

@@ -15,8 +15,9 @@ events {
}
http {
log_not_found off;
log_format log '[$time_local] $host $remote_addr $request_time "$request" $status $body_bytes_sent $bytes_sent $http_referer $http_user_agent';
access_log off;
log_not_found off;
include mime.types;
default_type text/plain;
@@ -77,6 +78,11 @@ http {
'' close;
}
map $http_upgrade $goaccess {
default "web";
websocket "socket";
}
upstream php81 {
server unix:/run/php81.sock;
}