Commit f27d80e0 authored by bunkerity's avatar bunkerity
Browse files

various fixes and lua logging

parent fc3d911f
......@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
......
......@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
......
......@@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
......
......@@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
......
......@@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
COPY logs/ /opt/logs
COPY lua/ /opt/lua
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /opt/entrypoint.d && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
......
......@@ -4,7 +4,7 @@ local use_whitelist_ip = %USE_WHITELIST_IP%
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local use_blacklist_ip = %USE_BLACKLIST_IP%
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
local use_dnsbl = %USE_DNS%
local use_dnsbl = %USE_DNSBL%
-- include LUA code
local whitelist = require "whitelist"
......
......@@ -22,6 +22,8 @@ function trap_exit() {
fi
echo "[*] Stopping nginx ..."
/usr/sbin/nginx -s stop
echo "[*] Stopping rsyslogd ..."
pkill -TERM rsyslogd
pkill -TERM tail
}
trap "trap_exit" TERM INT
......@@ -111,7 +113,7 @@ USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-20}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-15}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
......@@ -143,9 +145,9 @@ PROXY_REAL_IP="${PROXY_REAL_IP-no}"
PROXY_REAL_IP_FROM="${PROXY_REAL_IP_FROM-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
PROXY_REAL_IP_HEADER="${PROXY_REAL_IP_HEADER-X-Forwarded-For}"
PROXY_REAL_IP_RECURSIVE="${PROXY_REAL_IP_RECURSIVE-on}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no"}"
GENERATE_SELF_SIGNED_SSL="${GENERATE_SELF_SIGNED_SSL-no}"
SELF_SIGNED_SSL_EXPIRY="${SELF_SIGNED_SSL_EXPIRY-365}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-Switzerland}"
SELF_SIGNED_SSL_COUNTRY="${SELF_SIGNED_SSL_COUNTRY-CH}"
SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
......@@ -369,7 +371,7 @@ else
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
fi
if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
froms=""
for from in $PROXY_REAL_IP_FROM ; do
froms="${froms}set_real_ip_from ${from};\n"
......@@ -378,7 +380,7 @@ if [ "$PROXY_REAL_IP" = "yes" ] ; then
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_HEADER%" "$PROXY_REAL_IP_HEADER"
replace_in_file "/etc/nginx/proxy-real-ip.conf" "%PROXY_REAL_IP_RECURSIVE%" "$PROXY_REAL_IP_RECURSIVE"
else
replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" ""
fi
......
local M = {}
local dns = require "dns"
local ip_list = {%BLACKLIST_IP_LIST%}
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
local ip = ngx.var.remote_addr
function ip_cached_ko ()
function M.ip_cached_ko ()
return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
end
function reverse_cached_ko ()
function M.reverse_cached_ko ()
return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
end
function ip_cached ()
function M.ip_cached ()
return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
end
function reverse_cached ()
function M.reverse_cached ()
return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
end
function check_ip ()
function M.check_ip ()
for k, v in ipairs(ip_list) do
if v == ip then
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
return true
end
end
......@@ -30,12 +32,13 @@ function check_ip ()
return false
end
function check_reverse ()
function M.check_reverse ()
local rdns = dns.get_reverse()
if rdns ~= "" then
for k, v in ipairs(reverse_list) do
if rdns:sub(-#v) == v then
ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
ngx.log(ngx.WARN, "reverse " .. rdns .. " is in blacklist")
return true
end
end
......@@ -43,3 +46,5 @@ function check_reverse ()
ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
return false
end
return M
local M = {}
local resolver = require "resty.dns.resolver"
local resolvers = {%DNS_RESOLVERS%}
local ip = ngx.var.remote_addr
function get_reverse()
function M.get_reverse()
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
if not r then
return ""
......@@ -20,7 +21,7 @@ function get_reverse()
return rdns
end
function get_ips(fqdn)
function M.get_ips(fqdn)
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
if not r then
return ""
......@@ -35,6 +36,8 @@ function get_ips(fqdn)
return ips
end
function ip_to_arpa()
function M.ip_to_arpa()
return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
end
return M
local M = {}
local dns = require "dns"
local dnsbls = {%DNSBL_LIST%}
local ip = ngx.var.remote_addr
function cached_ko ()
function M.cached_ko ()
return ngx.shared.dnsbl_cache:get(ip) == "ko"
end
function cached ()
function M.cached ()
return ngx.shared.dnsbl_cache:get(ip) ~= nil
end
function check ()
function M.check ()
local rip = dns.ip_to_arpa()
for k, v in ipairs(dnsbls) do
local req = rip .. "." .. v
local ips = dns.get_ips(req)
for k2, v2 in ipairs(ips) do
a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
if a == "127" then
ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
ngx.log(ngx.WARN, "ip " .. ip .. " is in DNSBL " .. v)
return true
end
end
......@@ -26,3 +28,5 @@ function check ()
ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
return false
end
return M
local M = {}
local dns = require "dns"
local ip_list = {%WHITELIST_IP_LIST%}
local reverse_list = {%WHITELIST_REVERSE_LIST%}
local ip = ngx.var.remote_addr
function ip_cached_ok ()
function M.ip_cached_ok ()
return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
end
function reverse_cached_ok ()
function M.reverse_cached_ok ()
return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
end
function ip_cached ()
function M.ip_cached ()
return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
end
function reverse_cached ()
function M.reverse_cached ()
return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
end
function check_ip ()
function M.check_ip ()
for k, v in ipairs(ip_list) do
if v == ip then
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
return true
end
end
......@@ -30,7 +32,7 @@ function check_ip ()
return false
end
function check_reverse ()
function M.check_reverse ()
local rdns = dns.get_reverse()
if rdns ~= "" then
local whitelisted = false
......@@ -45,6 +47,7 @@ function check_reverse ()
for k, v in ipairs(ips) do
if v == ip then
ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
ngx.log(ngx.WARN, "reverse " .. rdns .. " is in whitelist")
return true
end
end
......@@ -53,3 +56,5 @@ function check_reverse ()
ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
return false
end
return M
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment