diff --git a/Dockerfile b/Dockerfile
index a9ae80b..69ec5dc 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
- cargo \
- g++ \
- gcc \
- libffi-dev \
- openssl-dev \
- python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
- curl \
- fail2ban \
- gnupg \
- memcached \
- nginx \
- nginx-mod-http-brotli \
- nginx-mod-http-dav-ext \
- nginx-mod-http-echo \
- nginx-mod-http-fancyindex \
- nginx-mod-http-geoip2 \
- nginx-mod-http-headers-more \
- nginx-mod-http-image-filter \
- nginx-mod-http-nchan \
- nginx-mod-http-perl \
- nginx-mod-http-redis2 \
- nginx-mod-http-set-misc \
- nginx-mod-http-upload-progress \
- nginx-mod-http-xslt-filter \
- nginx-mod-mail \
- nginx-mod-rtmp \
- nginx-mod-stream \
- nginx-mod-stream-geoip2 \
- nginx-vim \
- php7-bcmath \
- php7-bz2 \
- php7-ctype \
- php7-curl \
- php7-dom \
- php7-exif \
- php7-ftp \
- php7-gd \
- php7-gmp \
- php7-iconv \
- php7-imap \
- php7-intl \
- php7-ldap \
- php7-mcrypt \
- php7-memcached \
- php7-mysqli \
- php7-mysqlnd \
- php7-opcache \
- php7-pdo_mysql \
- php7-pdo_odbc \
- php7-pdo_pgsql \
- php7-pdo_sqlite \
- php7-pear \
- php7-pecl-apcu \
- php7-pecl-mailparse \
- php7-pecl-redis \
- php7-pgsql \
- php7-phar \
- php7-posix \
- php7-soap \
- php7-sockets \
- php7-sodium \
- php7-sqlite3 \
- php7-tokenizer \
- php7-xml \
- php7-xmlreader \
- php7-xmlrpc \
- php7-xsl \
- php7-zip \
- py3-cryptography \
- py3-future \
- py3-pip \
- whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
- CERTBOT="certbot"; \
- else \
- CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
- pip && \
- pip3 install -U \
- ${CERTBOT} \
- certbot-dns-aliyun \
- certbot-dns-cloudflare \
- certbot-dns-cloudxns \
- certbot-dns-cpanel \
- certbot-dns-digitalocean \
- certbot-dns-directadmin \
- certbot-dns-dnsimple \
- certbot-dns-dnsmadeeasy \
- certbot-dns-domeneshop \
- certbot-dns-google \
- certbot-dns-hetzner \
- certbot-dns-inwx \
- certbot-dns-linode \
- certbot-dns-luadns \
- certbot-dns-netcup \
- certbot-dns-njalla \
- certbot-dns-nsone \
- certbot-dns-ovh \
- certbot-dns-rfc2136 \
- certbot-dns-route53 \
- certbot-dns-transip \
- certbot-dns-vultr \
- certbot-plugin-gandi \
- cryptography \
- requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
- /etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
- /tmp/proxy.tar.gz -L \
- "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
- /tmp/proxy.tar.gz -C \
- /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
- /defaults/dhparams.pem -L \
- "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
- build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
- do \
- find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
- ; done && \
- rm -rf \
- /tmp/* \
- /root/.cache \
- /root/.cargo
+ echo "**** install build packages ****" && \
+ apk add --no-cache --virtual=build-dependencies \
+ cargo \
+ g++ \
+ gcc \
+ libffi-dev \
+ openssl-dev \
+ python3-dev && \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+ curl \
+ fail2ban \
+ gnupg \
+ memcached \
+ nginx \
+ nginx-mod-http-brotli \
+ nginx-mod-http-dav-ext \
+ nginx-mod-http-echo \
+ nginx-mod-http-fancyindex \
+ nginx-mod-http-geoip2 \
+ nginx-mod-http-headers-more \
+ nginx-mod-http-image-filter \
+ nginx-mod-http-nchan \
+ nginx-mod-http-perl \
+ nginx-mod-http-redis2 \
+ nginx-mod-http-set-misc \
+ nginx-mod-http-upload-progress \
+ nginx-mod-http-xslt-filter \
+ nginx-mod-mail \
+ nginx-mod-rtmp \
+ nginx-mod-stream \
+ nginx-mod-stream-geoip2 \
+ nginx-vim \
+ php7-bcmath \
+ php7-bz2 \
+ php7-ctype \
+ php7-curl \
+ php7-dom \
+ php7-exif \
+ php7-ftp \
+ php7-gd \
+ php7-gmp \
+ php7-iconv \
+ php7-imap \
+ php7-intl \
+ php7-ldap \
+ php7-mcrypt \
+ php7-memcached \
+ php7-mysqli \
+ php7-mysqlnd \
+ php7-opcache \
+ php7-pdo_mysql \
+ php7-pdo_odbc \
+ php7-pdo_pgsql \
+ php7-pdo_sqlite \
+ php7-pear \
+ php7-pecl-apcu \
+ php7-pecl-mailparse \
+ php7-pecl-redis \
+ php7-pgsql \
+ php7-phar \
+ php7-posix \
+ php7-soap \
+ php7-sockets \
+ php7-sodium \
+ php7-sqlite3 \
+ php7-tokenizer \
+ php7-xml \
+ php7-xmlreader \
+ php7-xmlrpc \
+ php7-xsl \
+ php7-zip \
+ py3-cryptography \
+ py3-future \
+ py3-pip \
+ whois && \
+ echo "**** install certbot plugins ****" && \
+ if [ -z ${CERTBOT_VERSION+x} ]; then \
+ CERTBOT="certbot"; \
+ else \
+ CERTBOT="certbot==${CERTBOT_VERSION}"; \
+ fi && \
+ pip3 install -U \
+ pip && \
+ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+ ${CERTBOT} \
+ certbot-dns-aliyun \
+ certbot-dns-cloudflare \
+ certbot-dns-cloudxns \
+ certbot-dns-cpanel \
+ certbot-dns-digitalocean \
+ certbot-dns-directadmin \
+ certbot-dns-dnsimple \
+ certbot-dns-dnsmadeeasy \
+ certbot-dns-domeneshop \
+ certbot-dns-google \
+ certbot-dns-hetzner \
+ certbot-dns-inwx \
+ certbot-dns-linode \
+ certbot-dns-luadns \
+ certbot-dns-netcup \
+ certbot-dns-njalla \
+ certbot-dns-nsone \
+ certbot-dns-ovh \
+ certbot-dns-rfc2136 \
+ certbot-dns-route53 \
+ certbot-dns-transip \
+ certbot-dns-vultr \
+ certbot-plugin-gandi \
+ cryptography \
+ requests && \
+ echo "**** remove unnecessary fail2ban filters ****" && \
+ rm \
+ /etc/fail2ban/jail.d/alpine-ssh.conf && \
+ echo "**** copy fail2ban default action and filter to /default ****" && \
+ mkdir -p /defaults/fail2ban && \
+ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+ echo "**** copy proxy confs to /default ****" && \
+ mkdir -p /defaults/proxy-confs && \
+ curl -o \
+ /tmp/proxy.tar.gz -L \
+ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+ /tmp/proxy.tar.gz -C \
+ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+ echo "**** configure nginx ****" && \
+ rm -f /etc/nginx/conf.d/default.conf && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
+ for cleanfiles in *.pyc *.pyo; \
+ do \
+ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
+ ; done && \
+ rm -rf \
+ /tmp/* \
+ /root/.cache \
+ /root/.cargo
 # add local files
 COPY root/ /
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 4e24add..89a51ac 100755
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
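Review bot: The rewritten `pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \` line adds a second package source but keeps every certbot-dns-* plugin, `cryptography` and `requests` unpinned (certbot itself is pinned only when CERTBOT_VERSION is set), so pip resolves to the newest version found on either PyPI or the linuxserver index and nothing verifies what that index serves. Installing from a requirements file with `--require-hashes`, or at minimum pinning the plugin versions, would make the image build reproducible and let a stale or tampered wheel fail the build instead of being silently accepted; the identical hunks in Dockerfile.aarch64 and Dockerfile.armhf have the same gap. The hunk also drops the `curl -o /defaults/dhparams.pem` step while the hunk header still shows `ENV DHLEVEL=2048`; if nothing consumes DHLEVEL now that a fixed 4096-bit group ships inside the image, that default is misleading and should be removed or re-documented in the same change.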
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
- cargo \
- g++ \
- gcc \
- libffi-dev \
- openssl-dev \
- python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
- curl \
- fail2ban \
- gnupg \
- memcached \
- nginx \
- nginx-mod-http-brotli \
- nginx-mod-http-dav-ext \
- nginx-mod-http-echo \
- nginx-mod-http-fancyindex \
- nginx-mod-http-geoip2 \
- nginx-mod-http-headers-more \
- nginx-mod-http-image-filter \
- nginx-mod-http-nchan \
- nginx-mod-http-perl \
- nginx-mod-http-redis2 \
- nginx-mod-http-set-misc \
- nginx-mod-http-upload-progress \
- nginx-mod-http-xslt-filter \
- nginx-mod-mail \
- nginx-mod-rtmp \
- nginx-mod-stream \
- nginx-mod-stream-geoip2 \
- nginx-vim \
- php7-bcmath \
- php7-bz2 \
- php7-ctype \
- php7-curl \
- php7-dom \
- php7-exif \
- php7-ftp \
- php7-gd \
- php7-gmp \
- php7-iconv \
- php7-imap \
- php7-intl \
- php7-ldap \
- php7-mcrypt \
- php7-memcached \
- php7-mysqli \
- php7-mysqlnd \
- php7-opcache \
- php7-pdo_mysql \
- php7-pdo_odbc \
- php7-pdo_pgsql \
- php7-pdo_sqlite \
- php7-pear \
- php7-pecl-apcu \
- php7-pecl-mailparse \
- php7-pecl-redis \
- php7-pgsql \
- php7-phar \
- php7-posix \
- php7-soap \
- php7-sockets \
- php7-sodium \
- php7-sqlite3 \
- php7-tokenizer \
- php7-xml \
- php7-xmlreader \
- php7-xmlrpc \
- php7-xsl \
- php7-zip \
- py3-cryptography \
- py3-future \
- py3-pip \
- whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
- CERTBOT="certbot"; \
- else \
- CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
- pip && \
- pip3 install -U \
- ${CERTBOT} \
- certbot-dns-aliyun \
- certbot-dns-cloudflare \
- certbot-dns-cloudxns \
- certbot-dns-cpanel \
- certbot-dns-digitalocean \
- certbot-dns-directadmin \
- certbot-dns-dnsimple \
- certbot-dns-dnsmadeeasy \
- certbot-dns-domeneshop \
- certbot-dns-google \
- certbot-dns-hetzner \
- certbot-dns-inwx \
- certbot-dns-linode \
- certbot-dns-luadns \
- certbot-dns-netcup \
- certbot-dns-njalla \
- certbot-dns-nsone \
- certbot-dns-ovh \
- certbot-dns-rfc2136 \
- certbot-dns-route53 \
- certbot-dns-transip \
- certbot-dns-vultr \
- certbot-plugin-gandi \
- cryptography \
- requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
- /etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
- /tmp/proxy.tar.gz -L \
- "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
- /tmp/proxy.tar.gz -C \
- /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
- /defaults/dhparams.pem -L \
- "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
- build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
- do \
- find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
- ; done && \
- rm -rf \
- /tmp/* \
- /root/.cache \
- /root/.cargo
+ echo "**** install build packages ****" && \
+ apk add --no-cache --virtual=build-dependencies \
+ cargo \
+ g++ \
+ gcc \
+ libffi-dev \
+ openssl-dev \
+ python3-dev && \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+ curl \
+ fail2ban \
+ gnupg \
+ memcached \
+ nginx \
+ nginx-mod-http-brotli \
+ nginx-mod-http-dav-ext \
+ nginx-mod-http-echo \
+ nginx-mod-http-fancyindex \
+ nginx-mod-http-geoip2 \
+ nginx-mod-http-headers-more \
+ nginx-mod-http-image-filter \
+ nginx-mod-http-nchan \
+ nginx-mod-http-perl \
+ nginx-mod-http-redis2 \
+ nginx-mod-http-set-misc \
+ nginx-mod-http-upload-progress \
+ nginx-mod-http-xslt-filter \
+ nginx-mod-mail \
+ nginx-mod-rtmp \
+ nginx-mod-stream \
+ nginx-mod-stream-geoip2 \
+ nginx-vim \
+ php7-bcmath \
+ php7-bz2 \
+ php7-ctype \
+ php7-curl \
+ php7-dom \
+ php7-exif \
+ php7-ftp \
+ php7-gd \
+ php7-gmp \
+ php7-iconv \
+ php7-imap \
+ php7-intl \
+ php7-ldap \
+ php7-mcrypt \
+ php7-memcached \
+ php7-mysqli \
+ php7-mysqlnd \
+ php7-opcache \
+ php7-pdo_mysql \
+ php7-pdo_odbc \
+ php7-pdo_pgsql \
+ php7-pdo_sqlite \
+ php7-pear \
+ php7-pecl-apcu \
+ php7-pecl-mailparse \
+ php7-pecl-redis \
+ php7-pgsql \
+ php7-phar \
+ php7-posix \
+ php7-soap \
+ php7-sockets \
+ php7-sodium \
+ php7-sqlite3 \
+ php7-tokenizer \
+ php7-xml \
+ php7-xmlreader \
+ php7-xmlrpc \
+ php7-xsl \
+ php7-zip \
+ py3-cryptography \
+ py3-future \
+ py3-pip \
+ whois && \
+ echo "**** install certbot plugins ****" && \
+ if [ -z ${CERTBOT_VERSION+x} ]; then \
+ CERTBOT="certbot"; \
+ else \
+ CERTBOT="certbot==${CERTBOT_VERSION}"; \
+ fi && \
+ pip3 install -U \
+ pip && \
+ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+ ${CERTBOT} \
+ certbot-dns-aliyun \
+ certbot-dns-cloudflare \
+ certbot-dns-cloudxns \
+ certbot-dns-cpanel \
+ certbot-dns-digitalocean \
+ certbot-dns-directadmin \
+ certbot-dns-dnsimple \
+ certbot-dns-dnsmadeeasy \
+ certbot-dns-domeneshop \
+ certbot-dns-google \
+ certbot-dns-hetzner \
+ certbot-dns-inwx \
+ certbot-dns-linode \
+ certbot-dns-luadns \
+ certbot-dns-netcup \
+ certbot-dns-njalla \
+ certbot-dns-nsone \
+ certbot-dns-ovh \
+ certbot-dns-rfc2136 \
+ certbot-dns-route53 \
+ certbot-dns-transip \
+ certbot-dns-vultr \
+ certbot-plugin-gandi \
+ cryptography \
+ requests && \
+ echo "**** remove unnecessary fail2ban filters ****" && \
+ rm \
+ /etc/fail2ban/jail.d/alpine-ssh.conf && \
+ echo "**** copy fail2ban default action and filter to /default ****" && \
+ mkdir -p /defaults/fail2ban && \
+ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+ echo "**** copy proxy confs to /default ****" && \
+ mkdir -p /defaults/proxy-confs && \
+ curl -o \
+ /tmp/proxy.tar.gz -L \
+ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+ /tmp/proxy.tar.gz -C \
+ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+ echo "**** configure nginx ****" && \
+ rm -f /etc/nginx/conf.d/default.conf && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
+ for cleanfiles in *.pyc *.pyo; \
+ do \
+ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
+ ; done && \
+ rm -rf \
+ /tmp/* \
+ /root/.cache \
+ /root/.cargo
 # add local files
 COPY root/ /
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index 0083a0f..0047bf6 100755
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
- cargo \
- g++ \
- gcc \
- libffi-dev \
- openssl-dev \
- python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
- curl \
- fail2ban \
- gnupg \
- memcached \
- nginx \
- nginx-mod-http-brotli \
- nginx-mod-http-dav-ext \
- nginx-mod-http-echo \
- nginx-mod-http-fancyindex \
- nginx-mod-http-geoip2 \
- nginx-mod-http-headers-more \
- nginx-mod-http-image-filter \
- nginx-mod-http-nchan \
- nginx-mod-http-perl \
- nginx-mod-http-redis2 \
- nginx-mod-http-set-misc \
- nginx-mod-http-upload-progress \
- nginx-mod-http-xslt-filter \
- nginx-mod-mail \
- nginx-mod-rtmp \
- nginx-mod-stream \
- nginx-mod-stream-geoip2 \
- nginx-vim \
- php7-bcmath \
- php7-bz2 \
- php7-ctype \
- php7-curl \
- php7-dom \
- php7-exif \
- php7-ftp \
- php7-gd \
- php7-gmp \
- php7-iconv \
- php7-imap \
- php7-intl \
- php7-ldap \
- php7-mcrypt \
- php7-memcached \
- php7-mysqli \
- php7-mysqlnd \
- php7-opcache \
- php7-pdo_mysql \
- php7-pdo_odbc \
- php7-pdo_pgsql \
- php7-pdo_sqlite \
- php7-pear \
- php7-pecl-apcu \
- php7-pecl-mailparse \
- php7-pecl-redis \
- php7-pgsql \
- php7-phar \
- php7-posix \
- php7-soap \
- php7-sockets \
- php7-sodium \
- php7-sqlite3 \
- php7-tokenizer \
- php7-xml \
- php7-xmlreader \
- php7-xmlrpc \
- php7-xsl \
- php7-zip \
- py3-cryptography \
- py3-future \
- py3-pip \
- whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
- CERTBOT="certbot"; \
- else \
- CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
- pip && \
- pip3 install -U \
- ${CERTBOT} \
- certbot-dns-aliyun \
- certbot-dns-cloudflare \
- certbot-dns-cloudxns \
- certbot-dns-cpanel \
- certbot-dns-digitalocean \
- certbot-dns-directadmin \
- certbot-dns-dnsimple \
- certbot-dns-dnsmadeeasy \
- certbot-dns-domeneshop \
- certbot-dns-google \
- certbot-dns-hetzner \
- certbot-dns-inwx \
- certbot-dns-linode \
- certbot-dns-luadns \
- certbot-dns-netcup \
- certbot-dns-njalla \
- certbot-dns-nsone \
- certbot-dns-ovh \
- certbot-dns-rfc2136 \
- certbot-dns-route53 \
- certbot-dns-transip \
- certbot-dns-vultr \
- certbot-plugin-gandi \
- cryptography \
- requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
- /etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
- /tmp/proxy.tar.gz -L \
- "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
- /tmp/proxy.tar.gz -C \
- /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
- /defaults/dhparams.pem -L \
- "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
- build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
- do \
- find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
- ; done && \
- rm -rf \
- /tmp/* \
- /root/.cache \
- /root/.cargo
+ echo "**** install build packages ****" && \
+ apk add --no-cache --virtual=build-dependencies \
+ cargo \
+ g++ \
+ gcc \
+ libffi-dev \
+ openssl-dev \
+ python3-dev && \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+ curl \
+ fail2ban \
+ gnupg \
+ memcached \
+ nginx \
+ nginx-mod-http-brotli \
+ nginx-mod-http-dav-ext \
+ nginx-mod-http-echo \
+ nginx-mod-http-fancyindex \
+ nginx-mod-http-geoip2 \
+ nginx-mod-http-headers-more \
+ nginx-mod-http-image-filter \
+ nginx-mod-http-nchan \
+ nginx-mod-http-perl \
+ nginx-mod-http-redis2 \
+ nginx-mod-http-set-misc \
+ nginx-mod-http-upload-progress \
+ nginx-mod-http-xslt-filter \
+ nginx-mod-mail \
+ nginx-mod-rtmp \
+ nginx-mod-stream \
+ nginx-mod-stream-geoip2 \
+ nginx-vim \
+ php7-bcmath \
+ php7-bz2 \
+ php7-ctype \
+ php7-curl \
+ php7-dom \
+ php7-exif \
+ php7-ftp \
+ php7-gd \
+ php7-gmp \
+ php7-iconv \
+ php7-imap \
+ php7-intl \
+ php7-ldap \
+ php7-mcrypt \
+ php7-memcached \
+ php7-mysqli \
+ php7-mysqlnd \
+ php7-opcache \
+ php7-pdo_mysql \
+ php7-pdo_odbc \
+ php7-pdo_pgsql \
+ php7-pdo_sqlite \
+ php7-pear \
+ php7-pecl-apcu \
+ php7-pecl-mailparse \
+ php7-pecl-redis \
+ php7-pgsql \
+ php7-phar \
+ php7-posix \
+ php7-soap \
+ php7-sockets \
+ php7-sodium \
+ php7-sqlite3 \
+ php7-tokenizer \
+ php7-xml \
+ php7-xmlreader \
+ php7-xmlrpc \
+ php7-xsl \
+ php7-zip \
+ py3-cryptography \
+ py3-future \
+ py3-pip \
+ whois && \
+ echo "**** install certbot plugins ****" && \
+ if [ -z ${CERTBOT_VERSION+x} ]; then \
+ CERTBOT="certbot"; \
+ else \
+ CERTBOT="certbot==${CERTBOT_VERSION}"; \
+ fi && \
+ pip3 install -U \
+ pip && \
+ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+ ${CERTBOT} \
+ certbot-dns-aliyun \
+ certbot-dns-cloudflare \
+ certbot-dns-cloudxns \
+ certbot-dns-cpanel \
+ certbot-dns-digitalocean \
+ certbot-dns-directadmin \
+ certbot-dns-dnsimple \
+ certbot-dns-dnsmadeeasy \
+ certbot-dns-domeneshop \
+ certbot-dns-google \
+ certbot-dns-hetzner \
+ certbot-dns-inwx \
+ certbot-dns-linode \
+ certbot-dns-luadns \
+ certbot-dns-netcup \
+ certbot-dns-njalla \
+ certbot-dns-nsone \
+ certbot-dns-ovh \
+ certbot-dns-rfc2136 \
+ certbot-dns-route53 \
+ certbot-dns-transip \
+ certbot-dns-vultr \
+ certbot-plugin-gandi \
+ cryptography \
+ requests && \
+ echo "**** remove unnecessary fail2ban filters ****" && \
+ rm \
+ /etc/fail2ban/jail.d/alpine-ssh.conf && \
+ echo "**** copy fail2ban default action and filter to /default ****" && \
+ mkdir -p /defaults/fail2ban && \
+ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+ echo "**** copy proxy confs to /default ****" && \
+ mkdir -p /defaults/proxy-confs && \
+ curl -o \
+ /tmp/proxy.tar.gz -L \
+ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+ /tmp/proxy.tar.gz -C \
+ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+ echo "**** configure nginx ****" && \
+ rm -f /etc/nginx/conf.d/default.conf && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
+ for cleanfiles in *.pyc *.pyo; \
+ do \
+ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
+ ; done && \
+ rm -rf \
+ /tmp/* \
+ /root/.cache \
+ /root/.cargo
 # add local files
 COPY root/ /
diff --git a/README.md b/README.md
index a17c9cb..401ba30 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ The architectures supported by this image are:
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+* Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd `
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
 * **12.04.21:** - Add support for vultr dns validation.
diff --git a/readme-vars.yml b/readme-vars.yml
index 4566de8..c800944 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -101,7 +101,7 @@ app_setup_block: |
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
- * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+ * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd `
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
+ - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
 - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
 - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
 - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
diff --git a/root/defaults/502.html b/root/defaults/502.html
index ff7d8fc..6e33c60 100644
--- a/root/defaults/502.html
+++ b/root/defaults/502.html
@@ -41,4 +41,4 @@

For help and support, please visit: linuxserver.io/support

-
\ No newline at end of file
+
diff --git a/root/defaults/default b/root/defaults/default
index 6d76de6..9ffee51 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -1,155 +1,153 @@
-## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
 error_page 502 /502.html;
 # redirect all traffic to https
 server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
 }
 # main server block
 server {
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
- root /config/www;
- index index.html index.htm index.php;
+ root /config/www;
+ index index.html index.htm index.php;
- server_name _;
+ server_name _;
- # enable subfolder method reverse proxy confs
- include /config/nginx/proxy-confs/*.subfolder.conf;
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
- # all ssl related config moved to ssl.conf
- include /config/nginx/ssl.conf;
+ # all ssl related config moved to ssl.conf
+ include /config/nginx/ssl.conf;
- # enable for ldap auth
- #include /config/nginx/ldap.conf;
+ # enable for ldap auth
+ #include /config/nginx/ldap.conf;
- # enable for Authelia
- #include /config/nginx/authelia-server.conf;
+ # enable for Authelia
+ #include /config/nginx/authelia-server.conf;
- # enable for geo blocking
- # See /config/nginx/geoip2.conf for more information.
- #if ($allowed_country = no) {
- #return 444;
- #}
+ # enable for geo blocking
+ # See /config/nginx/geoip2.conf for more information.
+ #if ($allowed_country = no) {
+ #return 444;
+ #}
- client_max_body_size 0;
+ client_max_body_size 0;
- location / {
- try_files $uri $uri/ /index.html /index.php?$args =404;
- }
+ location / {
+ try_files $uri $uri/ /index.html /index.php?$args =404;
+ }
- location ~ \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- include /etc/nginx/fastcgi_params;
- }
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
 # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
 # notice this is within the same server block as the base
 # don't forget to generate the .htpasswd file as described on docker hub
-# location ^~ /cp {
-# auth_basic "Restricted";
-# auth_basic_user_file /config/nginx/.htpasswd;
-# include /config/nginx/proxy.conf;
-# proxy_pass http://192.168.1.50:5050/cp;
-# }
+# location ^~ /cp {
+# auth_basic "Restricted";
+# auth_basic_user_file /config/nginx/.htpasswd;
+# include /config/nginx/proxy.conf;
+# proxy_pass http://192.168.1.50:5050/cp;
+# }
 }
 # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-# listen 443 ssl http2;
-# listen [::]:443 ssl http2;
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
 #
-# root /config/www;
-# index index.html index.htm index.php;
+# root /config/www;
+# index index.html index.htm index.php;
 #
-# server_name cp.*;
+# server_name cp.*;
 #
-# include /config/nginx/ssl.conf;
+# include /config/nginx/ssl.conf;
 #
-# client_max_body_size 0;
+# client_max_body_size 0;
 #
-# location / {
-# auth_basic "Restricted";
-# auth_basic_user_file /config/nginx/.htpasswd;
-# include /config/nginx/proxy.conf;
-# proxy_pass http://192.168.1.50:5050;
-# }
+# location / {
+# auth_basic "Restricted";
+# auth_basic_user_file /config/nginx/.htpasswd;
+# include /config/nginx/proxy.conf;
+# proxy_pass http://192.168.1.50:5050;
+# }
 #}
 # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
 # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-# listen 443 ssl http2;
-# listen [::]:443 ssl http2;
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
 #
-# root /config/www;
-# index index.html index.htm index.php;
+# root /config/www;
+# index index.html index.htm index.php;
 #
-# server_name heimdall.*;
+# server_name heimdall.*;
 #
-# include /config/nginx/ssl.conf;
+# include /config/nginx/ssl.conf;
 #
-# include /config/nginx/ldap.conf;
+# include /config/nginx/ldap.conf;
 #
-# client_max_body_size 0;
+# client_max_body_size 0;
 #
-# location / {
-# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
-# auth_request /auth;
-# error_page 401 =200 /ldaplogin;
+# location / {
+# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
+# auth_request /auth;
+# error_page 401 =200 /ldaplogin;
 #
-# include /config/nginx/proxy.conf;
-# resolver 127.0.0.11 valid=30s;
-# set $upstream_app heimdall;
-# set $upstream_port 443;
-# set $upstream_proto https;
-# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-# }
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app heimdall;
+# set $upstream_port 443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+# }
 #}
 # sample reverse proxy config for "heimdall" via subdomain, with Authelia
 # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-# listen 443 ssl http2;
-# listen [::]:443 ssl http2;
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
 #
-# root /config/www;
-# index index.html index.htm index.php;
+# root /config/www;
+# index index.html index.htm index.php;
 #
-# server_name heimdall.*;
+# server_name heimdall.*;
 #
-# include /config/nginx/ssl.conf;
+# include /config/nginx/ssl.conf;
 #
-# include /config/nginx/authelia-server.conf;
+# include /config/nginx/authelia-server.conf;
 #
-# client_max_body_size 0;
+# client_max_body_size 0;
 #
-# location / {
-# # the next line will enable Authelia along with the included authelia-server.conf in the server block
-# include /config/nginx/authelia-location.conf;
+# location / {
+# # the next line will enable Authelia along with the included authelia-server.conf in the server block
+# include /config/nginx/authelia-location.conf;
 #
-# include /config/nginx/proxy.conf;
-# resolver 127.0.0.11 valid=30s;
-# set $upstream_app heimdall;
-# set $upstream_port 443;
-# set $upstream_proto https;
-# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-# }
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app heimdall;
+# set $upstream_port 443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+# }
 #}
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/root/defaults/dhparams.pem b/root/defaults/dhparams.pem
new file mode 100644
index 0000000..eed4c41
--- /dev/null
+++ b/root/defaults/dhparams.pem
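Review bot: The two removed lines at the end of the hunk, `-# enable proxy cache for auth` and `-proxy_cache_path cache/ keys_zone=auth_cache:10m;`, delete the only declaration of the `auth_cache` zone visible in this file, and nothing on the new side shows where that zone is declared now. If `ldap.conf` or another auth include still references `proxy_cache auth_cache` (the commented ldap example above depends on `auth_request /auth;`, which in this image has typically been backed by that zone), nginx refuses to load the configuration because of the unknown cache zone, so confirm the directive was moved into nginx.conf's http block as the changelog entry implies, and leave a breadcrumb next to the ldap include such as `# the auth_cache zone used by ldap.conf is declared in nginx.conf`. Everything else in the hunk is a tab-to-space re-indent; a whitespace-ignoring diff would have made this one functional deletion far easier to spot in a 300-line change.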
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/root/defaults/dns-conf/cloudflare.ini b/root/defaults/dns-conf/cloudflare.ini index 5cd3c0a..af7194b 100644 --- a/root/defaults/dns-conf/cloudflare.ini +++ b/root/defaults/dns-conf/cloudflare.ini @@ -6,4 +6,4 @@ dns_cloudflare_email = cloudflare@example.com dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 # With token (comment out both lines above and uncomment below): -#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567 \ No newline at end of file +#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567 diff --git a/root/defaults/dns-conf/cpanel.ini b/root/defaults/dns-conf/cpanel.ini index 28b6953..2c2742b 100644 --- a/root/defaults/dns-conf/cpanel.ini +++ b/root/defaults/dns-conf/cpanel.ini @@ -3,4 +3,4 @@ # include the scheme and the port number (usually 2083 for https) certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083 certbot_dns_cpanel:cpanel_username = username -certbot_dns_cpanel:cpanel_password = 1234567890abcdef \ No newline at end of file +certbot_dns_cpanel:cpanel_password = 1234567890abcdef 
diff --git a/root/defaults/dns-conf/domeneshop.ini b/root/defaults/dns-conf/domeneshop.ini index 569c713..0bd1d0d 100644 --- a/root/defaults/dns-conf/domeneshop.ini +++ b/root/defaults/dns-conf/domeneshop.ini @@ -1,4 +1,4 @@ # Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials # Replace with your values dns_domeneshop_client_token=1234567890abcdef -dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs \ No newline at end of file +dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs diff --git a/root/defaults/dns-conf/google.json b/root/defaults/dns-conf/google.json index c5a59cf..67f0050 100644 --- a/root/defaults/dns-conf/google.json +++ b/root/defaults/dns-conf/google.json @@ -3,4 +3,4 @@ "_comment": "Replace with your values", "type": "service_account", "rest": "..." -} \ No newline at end of file +} diff --git a/root/defaults/dns-conf/hetzner.ini b/root/defaults/dns-conf/hetzner.ini index f616823..23be699 100644 --- a/root/defaults/dns-conf/hetzner.ini +++ b/root/defaults/dns-conf/hetzner.ini @@ -1,3 +1,3 @@ # Instructions: https://github.com/ctrlaltcoop/certbot-dns-hetzner # Replace with your values -dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa \ No newline at end of file +dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf index 702c4dc..846c5b5 100644 --- a/root/defaults/geoip2.conf +++ b/root/defaults/geoip2.conf 
@@ -51,22 +51,22 @@ geo $allow_list { # Add the following if statements inside any server context where you want to geo block countries. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_country = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_country = no) { +# return 444; +# } ######################################### # Add the following if statements inside any server context where you want to geo block cities. ######################################## -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# if ($allowed_city = no) { -# return 444; -# } +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# if ($allowed_city = no) { +# return 444; +# } ######################################### # Example using a config from proxy-confs @@ -90,12 +90,12 @@ geo $allow_list { # # Allow lan access if default is set to no # if ($allow_list = yes) { -# set $allowed_country yes; +# set $allowed_country yes; # } -# # Country geo block -# if ($allowed_country = no) { +# # Country geo block +# if ($allowed_country = no) { # return 444; -# } +# } # diff --git a/root/defaults/index.html b/root/defaults/index.html index 352d1af..5bc81ff 100644 --- a/root/defaults/index.html +++ b/root/defaults/index.html @@ -36,4 +36,4 @@

For help and support, please visit: linuxserver.io/support

- \ No newline at end of file + diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index a47a405..ea2830c 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
@@ -1,120 +1,150 @@ -## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf +## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf user abc; -worker_processes 4; -pid /run/nginx.pid; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; events { - worker_connections 768; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; + # multi_accept on; } http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; - ## - # Basic Settings - ## + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; - client_body_buffer_size 128k; - client_max_body_size 0; - keepalive_timeout 65; - large_client_header_buffers 4 16k; - send_timeout 5m; - sendfile on; - tcp_nodelay on; - tcp_nopush on; - types_hash_max_size 2048; - variables_hash_max_size 2048; + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; - # server_tokens off; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. 
If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; - include /etc/nginx/mime.types; - default_type application/octet-stream; + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. + sendfile on; - ## - # Logging Settings - ## + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; - access_log /config/log/nginx/access.log; - error_log /config/log/nginx/error.log; + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - ## - # Gzip Settings - ## + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; - gzip on; - gzip_disable "msie6"; + # Includes virtual hosts configs. + #include /etc/nginx/http.d/*.conf; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + # WARNING: Don't use this directory for virtual hosts anymore. + # This include will be moved to the root context in Alpine 3.14. 
+ #include /etc/nginx/conf.d/*.conf; - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## - #include /etc/nginx/naxsi_core.rules; + ## + # Basic Settings + ## - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## + client_body_buffer_size 128k; + keepalive_timeout 65; + large_client_header_buffers 4 16k; + send_timeout 5m; + tcp_nodelay on; + types_hash_max_size 2048; + variables_hash_max_size 2048; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; + ## + # Gzip Settings + ## - ## - # WebSocket proxying - ## - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } + gzip on; + gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - ## - # Virtual Host Configs - ## - include /etc/nginx/conf.d/*.conf; - include /config/nginx/site-confs/*; - #Removed lua. Do not remove this comment + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## - ## - # Geoip2 config - ## - # Uncomment to add the Geoip2 configs needed to geo block countries/cities. - ## + #include /etc/nginx/naxsi_core.rules; - #include /config/nginx/geoip2.conf; + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## + + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; + + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. Do not remove this comment + + ## + # Geoip2 config + ## + # Uncomment to add the Geoip2 configs needed to geo block countries/cities. 
+ ## + + #include /config/nginx/geoip2.conf; } - #mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } # -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } #} + daemon off; +pid /run/nginx.pid; diff --git a/root/defaults/proxy.conf b/root/defaults/proxy.conf index d1a383c..921fad4 100644 --- a/root/defaults/proxy.conf +++ b/root/defaults/proxy.conf @@ -1,4 +1,4 @@ -## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf +## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; @@ -15,6 +15,7 @@ proxy_send_timeout 240; # Proxy Cache and Cookie Settings proxy_cache_bypass $cookie_session; +proxy_cache_path cache/ keys_zone=auth_cache:10m; #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps proxy_no_cache $cookie_session; diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf index 654c512..d2747f1 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/ssl.conf 
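Review bot: The commented example `#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;` placed above the new `include /config/nginx/resolver.conf;` will, as far as I can tell from nginx's address parsing, be rejected if someone uncomments it, because nginx expects IPv6 resolver addresses in brackets (`[2606:4700:4700::1111]`). It also invites pointing the http-level resolver at a public server, which would break the `set $upstream_app heimdall` pattern used by the sample proxy confs (container names only resolve through Docker's embedded DNS) and would send every upstream lookup off the host as unauthenticated UDP DNS. I would extend the comment so the caveat travels with the example: `# IPv6 addresses must be bracketed, e.g. [2606:4700:4700::1111]; a public resolver here cannot resolve the container names used by proxy-confs.`. The `server_tokens off;` and `pcre_jit on;` additions look fine.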
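Review bot: The line `proxy_cache_path cache/ keys_zone=auth_cache:10m;` added to proxy.conf is, per nginx's documentation, only valid in the http context, yet proxy.conf is included from inside `location /` blocks (`include /config/nginx/proxy.conf;` in the sample confs), so nginx should refuse to start with "directive is not allowed here" the moment any proxy conf is enabled; the removed copy at the tail of site-confs/default was at http level. Keep the directive in an http-level file — the `http { ... }` block of nginx.conf next to the other includes is the natural place — and leave proxy.conf to per-location settings. If the `auth_cache` zone is consumed by ldap.conf or the authelia snippets (not visible here), a comment in proxy.conf naming the new location would help existing installs, which keep their user-owned proxy.conf and site-confs.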
@@ -1,4 +1,4 @@ -## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf +## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf ### Mozilla Recommendations # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration @@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem; # Diffie-Hellman Parameters ssl_dhparam /config/nginx/dhparams.pem; -# Resolver -resolver 127.0.0.11 valid=30s; # Docker DNS Server - # Enable TLS 1.3 early data ssl_early_data on; diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index ceb22f4..6e92bda 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config 
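Review bot: Dropping `resolver 127.0.0.11 valid=30s;` from ssl.conf makes every server block that includes it depend on the http-level resolver.conf include in the new nginx.conf, and both files in /config are only copied when missing (see the `[[ ! -f /config/nginx/ssl.conf ]] && cp` lines in 50-config), so an install that refreshes ssl.conf but keeps an older nginx.conf loses its resolver and `proxy_pass $upstream_proto://$upstream_app:$upstream_port;` fails at request time with "no resolver defined"; OCSP stapling against `ssl_trusted_certificate` needs a resolver as well. A one-line comment in place of the removed block would make the migration explicit: `# resolver is now set globally via /config/nginx/resolver.conf (included from nginx.conf); re-add one here only if your nginx.conf predates 2021/04/27`. Unrelated to this hunk but worth a follow-up: `ssl_early_data on;` stays enabled, and 0-RTT data is replayable, so proxied apps should not accept state-changing requests unless proxy.conf forwards `$ssl_early_data` as an `Early-Data` header and the app honours it (not visible here).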
@@ -17,26 +17,26 @@ STAGING=${STAGING}\\n" # Echo init finish for test runs if [ -n "${TEST_RUN}" ]; then - echo '[services.d] done.' + echo '[services.d] done.' fi # Sanitize variables SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER ) for i in "${SANED_VARS[@]}" do - export echo "$i"="${!i//\"/}" - export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" + export echo "$i"="${!i//\"/}" + export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" done # check to make sure that the required variables are set [[ -z "$URL" ]] && \ - echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ - sleep infinity + echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ + sleep infinity # make our folders and links mkdir -p \ - /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ - /var/run/fail2ban + /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ + /var/run/fail2ban rm -rf /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt @@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/ # if jail.local is missing in /config, copy default [[ ! -f /config/fail2ban/jail.local ]] && \ - cp /defaults/jail.local /config/fail2ban/jail.local + cp /defaults/jail.local /config/fail2ban/jail.local # Replace fail2ban config with user config [[ -d /etc/fail2ban/filter.d ]] && \ - rm -rf /etc/fail2ban/filter.d + rm -rf /etc/fail2ban/filter.d [[ -d /etc/fail2ban/action.d ]] && \ - rm -rf /etc/fail2ban/action.d + rm -rf /etc/fail2ban/action.d cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ 
@@ -65,43 +65,53 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local # copy crontab and proxy defaults if needed [[ ! -f /config/crontabs/root ]] && \ - cp /etc/crontabs/root /config/crontabs/ + cp /etc/crontabs/root /config/crontabs/ [[ ! -f /config/nginx/proxy.conf ]] && \ - cp /defaults/proxy.conf /config/nginx/proxy.conf + cp /defaults/proxy.conf /config/nginx/proxy.conf [[ ! -f /config/nginx/ssl.conf ]] && \ - cp /defaults/ssl.conf /config/nginx/ssl.conf + cp /defaults/ssl.conf /config/nginx/ssl.conf [[ ! -f /config/nginx/ldap.conf ]] && \ - cp /defaults/ldap.conf /config/nginx/ldap.conf + cp /defaults/ldap.conf /config/nginx/ldap.conf [[ ! -f /config/nginx/authelia-server.conf ]] && \ - cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf + cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf [[ ! -f /config/nginx/authelia-location.conf ]] && \ - cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf + cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf [[ ! -f /config/nginx/geoip2.conf ]] && \ - cp /defaults/geoip2.conf /config/nginx/geoip2.conf + cp /defaults/geoip2.conf /config/nginx/geoip2.conf [[ ! -f /config/www/502.html ]] && - cp /defaults/502.html /config/www/502.html + cp /defaults/502.html /config/www/502.html + +# Set resolver +if ! grep -q 'resolver' /config/nginx/resolver.conf; then + RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) + echo "Setting resolver to ${RESOLVER}" + echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf +fi + +# Set worker_processes +if ! 
grep -q 'worker_processes' /config/nginx/worker_processes.conf; then + WORKER_PROCESSES=$(nproc) + echo "Setting worker_processes to ${WORKER_PROCESSES}" + echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf +fi # remove lua bits from nginx.conf if not done before -if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then - echo "Removing lua specific info from nginx.conf" - sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf +if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then + echo "Removing lua specific info from nginx.conf" + sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf fi # copy pre-generated dhparams or generate if needed [[ ! -f /config/nginx/dhparams.pem ]] && \ - cp /defaults/dhparams.pem /config/nginx/dhparams.pem + cp /defaults/dhparams.pem /config/nginx/dhparams.pem if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" -fi -if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed." - openssl dhparam -out /config/nginx/dhparams.pem 4096 + curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt" fi # check to make sure DNSPLUGIN is selected if dns validation is used [[ "$VALIDATION" = "dns" ]] && [[ ! 
"$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \ - echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ - sleep infinity + echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ + sleep infinity # import user crontabs rm /etc/crontabs/* @@ -109,11 +119,11 @@ cp /config/crontabs/* /etc/crontabs/ # create original config file if it doesn't exist, move non-hidden legacy file to hidden if [ -f "/config/donoteditthisfile.conf" ]; then - mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf + mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf fi if [ ! -f "/config/.donoteditthisfile.conf" ]; then - echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf - echo "Created .donoteditthisfile.conf" + echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf + echo "Created .donoteditthisfile.conf" fi # load original config settings 
@@ -122,75 +132,75 @@ fi # set default validation to http if [ -z "$VALIDATION" ]; then - VALIDATION="http" - echo "VALIDATION parameter not set; setting it to http" + VALIDATION="http" + echo "VALIDATION parameter not set; setting it to http" fi # if zerossl is selected or staging is set to true, use the relevant server if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then - echo "ZeroSSL does not support staging mode, ignoring STAGING variable" + echo "ZeroSSL does not support staging mode, ignoring STAGING variable" fi if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" - ACMESERVER="https://acme.zerossl.com/v2/DV90" + echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" + ACMESERVER="https://acme.zerossl.com/v2/DV90" elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" - sleep infinity + echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. 
Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" + sleep infinity elif [ "$STAGING" = "true" ]; then - echo "NOTICE: Staging is active" - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + echo "NOTICE: Staging is active" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" else - echo "Using Let's Encrypt as the cert provider" - ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + echo "Using Let's Encrypt as the cert provider" + ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi # figuring out url only vs url & subdomains vs subdomains only if [ -n "$SUBDOMAINS" ]; then - echo "SUBDOMAINS entered, processing" - if [ "$SUBDOMAINS" = "wildcard" ]; then - if [ "$ONLY_SUBDOMAINS" = true ]; then - export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of $URL will be requested" - else - export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for $URL will be requested" - fi - else echo "SUBDOMAINS entered, processing" - for job in $(echo "$SUBDOMAINS" | tr "," " "); do - export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" - done - if [ "$ONLY_SUBDOMAINS" = true ]; then - URL_REAL="$SUBDOMAINS_REAL" - echo "Only subdomains, no URL in cert" + if [ "$SUBDOMAINS" = "wildcard" ]; then + if [ "$ONLY_SUBDOMAINS" = true ]; then + export URL_REAL="-d *.${URL}" + echo "Wildcard cert for only the subdomains of $URL will be requested" + else + export URL_REAL="-d *.${URL} -d ${URL}" + echo "Wildcard cert for $URL will be requested" + fi else - URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + echo "SUBDOMAINS entered, processing" + for job in $(echo "$SUBDOMAINS" | tr "," " "); do + export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" + done + if [ "$ONLY_SUBDOMAINS" = true ]; then + URL_REAL="$SUBDOMAINS_REAL" + echo 
"Only subdomains, no URL in cert" + else + URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" + fi + echo "Sub-domains processed are: $SUBDOMAINS_REAL" fi - echo "Sub-domains processed are: $SUBDOMAINS_REAL" - fi else - echo "No subdomains defined" - URL_REAL="-d $URL" + echo "No subdomains defined" + URL_REAL="-d $URL" fi # add extra domains if [ -n "$EXTRA_DOMAINS" ]; then - echo "EXTRA_DOMAINS entered, processing" - for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do - export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" - done - echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" - URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" + echo "EXTRA_DOMAINS entered, processing" + for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do + export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" + done + echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" + URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" fi # figuring out whether to use e-mail and which if [[ $EMAIL == *@* ]]; then - echo "E-mail address entered: ${EMAIL}" - EMAILPARAM="-m ${EMAIL} --no-eff-email" + echo "E-mail address entered: ${EMAIL}" + EMAILPARAM="-m ${EMAIL} --no-eff-email" else - echo "No e-mail address entered or address invalid" - EMAILPARAM="--register-unsafely-without-email" + echo "No e-mail address entered or address invalid" + EMAILPARAM="--register-unsafely-without-email" fi # update plugin names in dns conf inis 
@@ -201,82 +211,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini # setting the validation method to use if [ "$VALIDATION" = "dns" ]; then - if [ "$DNSPLUGIN" = "route53" ]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then - if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi - PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" - elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - else - if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi - PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - fi - echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" + if [ "$DNSPLUGIN" = "route53" ]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then + if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi + PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" + elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + else + if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + PREFCHAL="--dns-${DNSPLUGIN} 
--dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" + fi + echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" elif [ "$VALIDATION" = "tls-sni" ]; then - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "*****tls-sni validation has been deprecated, attempting http validation instead" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "*****tls-sni validation has been deprecated, attempting http validation instead" elif [ "$VALIDATION" = "duckdns" ]; then - PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" - chmod +x /app/duckdns-txt - echo "duckdns validation is selected" - if [ "$SUBDOMAINS" = "wildcard" ]; then - echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" - export URL_REAL="-d *.${URL}" - else - echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org" - export URL_REAL="-d ${URL}" - fi + PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" + chmod +x /app/duckdns-txt + echo "duckdns validation is selected" + if [ "$SUBDOMAINS" = "wildcard" ]; then + echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" + export URL_REAL="-d *.${URL}" + else + echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. 
subdomain.duckdns.org" + export URL_REAL="-d ${URL}" + fi else - PREFCHAL="--non-interactive --standalone --preferred-challenges http" - echo "http validation is selected" + PREFCHAL="--non-interactive --standalone --preferred-challenges http" + echo "http validation is selected" fi # setting the symlink for key location rm -rf /config/keys/letsencrypt if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then - DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" - ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt + DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" + ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt else - ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt + ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt fi # checking for changes in cert variables, revoking certs if necessary if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then - echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" - if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then - ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" - else - ORIGDOMAIN="$ORIGURL" - fi - if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") - REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then - echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." - sleep infinity + echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" + if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! 
"$ORIGSUBDOMAINS" = "wildcard" ]; then + ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" + else + ORIGDOMAIN="$ORIGURL" fi - REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" - elif [ "$ORIGSTAGING" = "true" ]; then - REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" - else - REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" - fi - [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER - rm -rf /config/etc/letsencrypt - mkdir -p /config/etc/letsencrypt + if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then + REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") + REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then + echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." 
+ sleep infinity + fi + REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" + elif [ "$ORIGSTAGING" = "true" ]; then + REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" + else + REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" + fi + [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + rm -rf /config/etc/letsencrypt + mkdir -p /config/etc/letsencrypt fi # saving new variables 
@@ -284,74 +294,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$
 # alter extension for error message
 if [ "$DNSPLUGIN" = "google" ]; then
- FILENAME="$DNSPLUGIN.json"
+ FILENAME="$DNSPLUGIN.json"
 else
- FILENAME="$DNSPLUGIN.ini"
+ FILENAME="$DNSPLUGIN.ini"
 fi
 # generating certs if necessary
 if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
- if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
- echo "Retrieving EAB from ZeroSSL"
- EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
- ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
- ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
- if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
- echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
- sleep infinity
+ if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
+ echo "Retrieving EAB from ZeroSSL"
+ EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
+ ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+ ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+ if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
+ echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+ sleep infinity
+ fi
+ ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
 fi
- ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
- fi
- echo "Generating new certificate"
- # shellcheck disable=SC2086
- certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
- if [ -d /config/keys/letsencrypt ]; then
- cd /config/keys/letsencrypt || exit
- else
- if [ "$VALIDATION" = "dns" ]; then
- echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
- elif [ "$VALIDATION" = "duckdns" ]; then
- echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
+ echo "Generating new certificate"
+ # shellcheck disable=SC2086
+ certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
+ if [ -d /config/keys/letsencrypt ]; then
+ cd /config/keys/letsencrypt || exit
 else
- echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+ if [ "$VALIDATION" = "dns" ]; then
+ echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
+ elif [ "$VALIDATION" = "duckdns" ]; then
+ echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
+ else
+ echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+ fi
+ sleep infinity
 fi
- sleep infinity
- fi
- openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
- sleep 1
- cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
- echo "New certificate generated; starting nginx"
+ openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
+ sleep 1
+ cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
+ echo "New certificate generated; starting nginx"
 else
- echo "Certificate exists; parameters unchanged; starting nginx"
+ echo "Certificate exists; parameters unchanged; starting nginx"
 fi
 # create GeoIP2 folder symlink
 [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
- rm -rf /var/lib/libmaxminddb
+ rm -rf /var/lib/libmaxminddb
 [[ ! -d /var/lib/libmaxminddb ]] && \
- ln -s /config/geoip2db /var/lib/libmaxminddb
+ ln -s /config/geoip2db /var/lib/libmaxminddb
 # check GeoIP2 database
 if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
- sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
- if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
- echo "Downloading GeoIP2 City database."
- /etc/periodic/weekly/libmaxminddb
- fi
+ sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
+ if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
+ echo "Downloading GeoIP2 City database."
+ /etc/periodic/weekly/libmaxminddb
+ fi
 elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
- echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+ echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
 else
- echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+ echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
 fi
 # logfiles needed by fail2ban
 [[ ! -f /config/log/nginx/error.log ]] && \
- touch /config/log/nginx/error.log
+ touch /config/log/nginx/error.log
 [[ ! -f /config/log/nginx/access.log ]] && \
- touch /config/log/nginx/access.log
+ touch /config/log/nginx/access.log
 # permissions
 chown -R abc:abc \
- /config
+ /config
 chmod -R 0644 /etc/logrotate.d
 chmod -R +r /config/log
 chmod +x /app/le-renew.sh
diff --git a/root/etc/cont-init.d/60-renew b/root/etc/cont-init.d/60-renew
index 975c73a..0bc3daa 100644
--- a/root/etc/cont-init.d/60-renew
+++ b/root/etc/cont-init.d/60-renew
@@ -7,4 +7,4 @@ else
 echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
 /app/le-renew.sh
 sleep 1
-fi
\ No newline at end of file
+fi
diff --git a/root/etc/logrotate.d/lerotate b/root/etc/logrotate.d/lerotate
index 28a38a7..ab87d1e 100644
--- a/root/etc/logrotate.d/lerotate
+++ b/root/etc/logrotate.d/lerotate
@@ -1,11 +1,11 @@
 /config/log/letsencrypt/*.log {
- weekly
- rotate 52
- compress
- delaycompress
- nodateext
- missingok
- notifempty
- sharedscripts
- su abc abc
+ weekly
+ rotate 52
+ compress
+ delaycompress
+ nodateext
+ missingok
+ notifempty
+ sharedscripts
+ su abc abc
 }
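Review bot: The ZeroSSL EAB request `EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")` in the "generating certs" block sends the address without form-encoding and discards curl's exit status, so an address containing `+` is likely decoded as a space by the server, and a transport or HTTP error leaves an empty body that is only caught indirectly by the later `-z` test after python3 has already printed a traceback to the log. Changing it to `EAB_CREDS=$(curl -sf https://api.zerossl.com/acme/eab-credentials-email --data-urlencode "email=$EMAIL")` keeps the existing empty-credential handling but makes the request well-formed and the failure path deliberate. The same call appears with `REV_EAB_CREDS`/`ORIGEMAIL` in the revocation block of the earlier hunk of this file and needs the identical change. This hunk itself only re-indents the block, so the point concerns the pre-existing code on the new side rather than the reindent.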
diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run
index c023109..6f7f3af 100644
--- a/root/etc/services.d/fail2ban/run
+++ b/root/etc/services.d/fail2ban/run
@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv bash
- exec \
- fail2ban-client -x -f start
+exec \
+ fail2ban-client -x -f start