linuxserver/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2025-11-01 05:27:42 +09:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #115 from linuxserver/upstream-defaults

Browse Source 
Rework nginx.conf to be inline with alpine upstream and relocate line…
This commit is contained in:
aptalca
2021-05-18 10:53:05 -04:00
committed by GitHub
parent c48705cbc4 1cc2e4d395
commit 27e727eede
22 changed files with 867 additions and 825 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
Dockerfile
View File

@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
RUN \ RUN \
echo "**** install build packages ****" && \ echo "**** install build packages ****" && \
apk add --no-cache --virtual=build-dependencies \ apk add --no-cache --virtual=build-dependencies \
cargo \ cargo \
g++ \ g++ \
gcc \ gcc \
libffi-dev \ libffi-dev \
openssl-dev \ openssl-dev \
python3-dev && \ python3-dev && \
echo "**** install runtime packages ****" && \ echo "**** install runtime packages ****" && \
apk add --no-cache --upgrade \ apk add --no-cache --upgrade \
curl \ curl \
fail2ban \ fail2ban \
gnupg \ gnupg \
memcached \ memcached \
nginx \ nginx \
nginx-mod-http-brotli \ nginx-mod-http-brotli \
nginx-mod-http-dav-ext \ nginx-mod-http-dav-ext \
nginx-mod-http-echo \ nginx-mod-http-echo \
nginx-mod-http-fancyindex \ nginx-mod-http-fancyindex \
nginx-mod-http-geoip2 \ nginx-mod-http-geoip2 \
nginx-mod-http-headers-more \ nginx-mod-http-headers-more \
nginx-mod-http-image-filter \ nginx-mod-http-image-filter \
nginx-mod-http-nchan \ nginx-mod-http-nchan \
nginx-mod-http-perl \ nginx-mod-http-perl \
nginx-mod-http-redis2 \ nginx-mod-http-redis2 \
nginx-mod-http-set-misc \ nginx-mod-http-set-misc \
nginx-mod-http-upload-progress \ nginx-mod-http-upload-progress \
nginx-mod-http-xslt-filter \ nginx-mod-http-xslt-filter \
nginx-mod-mail \ nginx-mod-mail \
nginx-mod-rtmp \ nginx-mod-rtmp \
nginx-mod-stream \ nginx-mod-stream \
nginx-mod-stream-geoip2 \ nginx-mod-stream-geoip2 \
nginx-vim \ nginx-vim \
php7-bcmath \ php7-bcmath \
php7-bz2 \ php7-bz2 \
php7-ctype \ php7-ctype \
php7-curl \ php7-curl \
php7-dom \ php7-dom \
php7-exif \ php7-exif \
php7-ftp \ php7-ftp \
php7-gd \ php7-gd \
php7-gmp \ php7-gmp \
php7-iconv \ php7-iconv \
php7-imap \ php7-imap \
php7-intl \ php7-intl \
php7-ldap \ php7-ldap \
php7-mcrypt \ php7-mcrypt \
php7-memcached \ php7-memcached \
php7-mysqli \ php7-mysqli \
php7-mysqlnd \ php7-mysqlnd \
php7-opcache \ php7-opcache \
php7-pdo_mysql \ php7-pdo_mysql \
php7-pdo_odbc \ php7-pdo_odbc \
php7-pdo_pgsql \ php7-pdo_pgsql \
php7-pdo_sqlite \ php7-pdo_sqlite \
php7-pear \ php7-pear \
php7-pecl-apcu \ php7-pecl-apcu \
php7-pecl-mailparse \ php7-pecl-mailparse \
php7-pecl-redis \ php7-pecl-redis \
php7-pgsql \ php7-pgsql \
php7-phar \ php7-phar \
php7-posix \ php7-posix \
php7-soap \ php7-soap \
php7-sockets \ php7-sockets \
php7-sodium \ php7-sodium \
php7-sqlite3 \ php7-sqlite3 \
php7-tokenizer \ php7-tokenizer \
php7-xml \ php7-xml \
php7-xmlreader \ php7-xmlreader \
php7-xmlrpc \ php7-xmlrpc \
php7-xsl \ php7-xsl \
php7-zip \ php7-zip \
py3-cryptography \ py3-cryptography \
py3-future \ py3-future \
py3-pip \ py3-pip \
whois && \ whois && \
echo "**** install certbot plugins ****" && \ echo "**** install certbot plugins ****" && \
if [ -z ${CERTBOT_VERSION+x} ]; then \ if [ -z ${CERTBOT_VERSION+x} ]; then \
CERTBOT="certbot"; \ CERTBOT="certbot"; \
else \ else \
CERTBOT="certbot==${CERTBOT_VERSION}"; \ CERTBOT="certbot==${CERTBOT_VERSION}"; \
fi && \ fi && \
pip3 install -U \ pip3 install -U \
pip && \ pip && \
pip3 install -U \ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
${CERTBOT} \ ${CERTBOT} \
certbot-dns-aliyun \ certbot-dns-aliyun \
certbot-dns-cloudflare \ certbot-dns-cloudflare \
certbot-dns-cloudxns \ certbot-dns-cloudxns \
certbot-dns-cpanel \ certbot-dns-cpanel \
certbot-dns-digitalocean \ certbot-dns-digitalocean \
certbot-dns-directadmin \ certbot-dns-directadmin \
certbot-dns-dnsimple \ certbot-dns-dnsimple \
certbot-dns-dnsmadeeasy \ certbot-dns-dnsmadeeasy \
certbot-dns-domeneshop \ certbot-dns-domeneshop \
certbot-dns-google \ certbot-dns-google \
certbot-dns-hetzner \ certbot-dns-hetzner \
certbot-dns-inwx \ certbot-dns-inwx \
certbot-dns-linode \ certbot-dns-linode \
certbot-dns-luadns \ certbot-dns-luadns \
certbot-dns-netcup \ certbot-dns-netcup \
certbot-dns-njalla \ certbot-dns-njalla \
certbot-dns-nsone \ certbot-dns-nsone \
certbot-dns-ovh \ certbot-dns-ovh \
certbot-dns-rfc2136 \ certbot-dns-rfc2136 \
certbot-dns-route53 \ certbot-dns-route53 \
certbot-dns-transip \ certbot-dns-transip \
certbot-dns-vultr \ certbot-dns-vultr \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \
echo "**** copy fail2ban default action and filter to /default ****" && \ echo "**** copy fail2ban default action and filter to /default ****" && \
mkdir -p /defaults/fail2ban && \ mkdir -p /defaults/fail2ban && \
mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
echo "**** copy proxy confs to /default ****" && \ echo "**** copy proxy confs to /default ****" && \
mkdir -p /defaults/proxy-confs && \ mkdir -p /defaults/proxy-confs && \
curl -o \ curl -o \
/tmp/proxy.tar.gz -L \ /tmp/proxy.tar.gz -L \
"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
tar xf \ tar xf \
/tmp/proxy.tar.gz -C \ /tmp/proxy.tar.gz -C \
/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
echo "**** configure nginx ****" && \ echo "**** configure nginx ****" && \
rm -f /etc/nginx/conf.d/default.conf && \ rm -f /etc/nginx/conf.d/default.conf && \
curl -o \ echo "**** cleanup ****" && \
/defaults/dhparams.pem -L \ apk del --purge \
"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ build-dependencies && \
echo "**** cleanup ****" && \ for cleanfiles in *.pyc *.pyo; \
apk del --purge \ do \
build-dependencies && \ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
for cleanfiles in *.pyc *.pyo; \ ; done && \
do \ rm -rf \
find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ /tmp/* \
; done && \ /root/.cache \
rm -rf \ /root/.cargo
/tmp/* \
/root/.cache \
/root/.cargo
# add local files # add local files
COPY root/ / COPY root/ /

281
Dockerfile.aarch64
View File

@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
RUN \ RUN \
echo "**** install build packages ****" && \ echo "**** install build packages ****" && \
apk add --no-cache --virtual=build-dependencies \ apk add --no-cache --virtual=build-dependencies \
cargo \ cargo \
g++ \ g++ \
gcc \ gcc \
libffi-dev \ libffi-dev \
openssl-dev \ openssl-dev \
python3-dev && \ python3-dev && \
echo "**** install runtime packages ****" && \ echo "**** install runtime packages ****" && \
apk add --no-cache --upgrade \ apk add --no-cache --upgrade \
curl \ curl \
fail2ban \ fail2ban \
gnupg \ gnupg \
memcached \ memcached \
nginx \ nginx \
nginx-mod-http-brotli \ nginx-mod-http-brotli \
nginx-mod-http-dav-ext \ nginx-mod-http-dav-ext \
nginx-mod-http-echo \ nginx-mod-http-echo \
nginx-mod-http-fancyindex \ nginx-mod-http-fancyindex \
nginx-mod-http-geoip2 \ nginx-mod-http-geoip2 \
nginx-mod-http-headers-more \ nginx-mod-http-headers-more \
nginx-mod-http-image-filter \ nginx-mod-http-image-filter \
nginx-mod-http-nchan \ nginx-mod-http-nchan \
nginx-mod-http-perl \ nginx-mod-http-perl \
nginx-mod-http-redis2 \ nginx-mod-http-redis2 \
nginx-mod-http-set-misc \ nginx-mod-http-set-misc \
nginx-mod-http-upload-progress \ nginx-mod-http-upload-progress \
nginx-mod-http-xslt-filter \ nginx-mod-http-xslt-filter \
nginx-mod-mail \ nginx-mod-mail \
nginx-mod-rtmp \ nginx-mod-rtmp \
nginx-mod-stream \ nginx-mod-stream \
nginx-mod-stream-geoip2 \ nginx-mod-stream-geoip2 \
nginx-vim \ nginx-vim \
php7-bcmath \ php7-bcmath \
php7-bz2 \ php7-bz2 \
php7-ctype \ php7-ctype \
php7-curl \ php7-curl \
php7-dom \ php7-dom \
php7-exif \ php7-exif \
php7-ftp \ php7-ftp \
php7-gd \ php7-gd \
php7-gmp \ php7-gmp \
php7-iconv \ php7-iconv \
php7-imap \ php7-imap \
php7-intl \ php7-intl \
php7-ldap \ php7-ldap \
php7-mcrypt \ php7-mcrypt \
php7-memcached \ php7-memcached \
php7-mysqli \ php7-mysqli \
php7-mysqlnd \ php7-mysqlnd \
php7-opcache \ php7-opcache \
php7-pdo_mysql \ php7-pdo_mysql \
php7-pdo_odbc \ php7-pdo_odbc \
php7-pdo_pgsql \ php7-pdo_pgsql \
php7-pdo_sqlite \ php7-pdo_sqlite \
php7-pear \ php7-pear \
php7-pecl-apcu \ php7-pecl-apcu \
php7-pecl-mailparse \ php7-pecl-mailparse \
php7-pecl-redis \ php7-pecl-redis \
php7-pgsql \ php7-pgsql \
php7-phar \ php7-phar \
php7-posix \ php7-posix \
php7-soap \ php7-soap \
php7-sockets \ php7-sockets \
php7-sodium \ php7-sodium \
php7-sqlite3 \ php7-sqlite3 \
php7-tokenizer \ php7-tokenizer \
php7-xml \ php7-xml \
php7-xmlreader \ php7-xmlreader \
php7-xmlrpc \ php7-xmlrpc \
php7-xsl \ php7-xsl \
php7-zip \ php7-zip \
py3-cryptography \ py3-cryptography \
py3-future \ py3-future \
py3-pip \ py3-pip \
whois && \ whois && \
echo "**** install certbot plugins ****" && \ echo "**** install certbot plugins ****" && \
if [ -z ${CERTBOT_VERSION+x} ]; then \ if [ -z ${CERTBOT_VERSION+x} ]; then \
CERTBOT="certbot"; \ CERTBOT="certbot"; \
else \ else \
CERTBOT="certbot==${CERTBOT_VERSION}"; \ CERTBOT="certbot==${CERTBOT_VERSION}"; \
fi && \ fi && \
pip3 install -U \ pip3 install -U \
pip && \ pip && \
pip3 install -U \ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
${CERTBOT} \ ${CERTBOT} \
certbot-dns-aliyun \ certbot-dns-aliyun \
certbot-dns-cloudflare \ certbot-dns-cloudflare \
certbot-dns-cloudxns \ certbot-dns-cloudxns \
certbot-dns-cpanel \ certbot-dns-cpanel \
certbot-dns-digitalocean \ certbot-dns-digitalocean \
certbot-dns-directadmin \ certbot-dns-directadmin \
certbot-dns-dnsimple \ certbot-dns-dnsimple \
certbot-dns-dnsmadeeasy \ certbot-dns-dnsmadeeasy \
certbot-dns-domeneshop \ certbot-dns-domeneshop \
certbot-dns-google \ certbot-dns-google \
certbot-dns-hetzner \ certbot-dns-hetzner \
certbot-dns-inwx \ certbot-dns-inwx \
certbot-dns-linode \ certbot-dns-linode \
certbot-dns-luadns \ certbot-dns-luadns \
certbot-dns-netcup \ certbot-dns-netcup \
certbot-dns-njalla \ certbot-dns-njalla \
certbot-dns-nsone \ certbot-dns-nsone \
certbot-dns-ovh \ certbot-dns-ovh \
certbot-dns-rfc2136 \ certbot-dns-rfc2136 \
certbot-dns-route53 \ certbot-dns-route53 \
certbot-dns-transip \ certbot-dns-transip \
certbot-dns-vultr \ certbot-dns-vultr \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \
echo "**** copy fail2ban default action and filter to /default ****" && \ echo "**** copy fail2ban default action and filter to /default ****" && \
mkdir -p /defaults/fail2ban && \ mkdir -p /defaults/fail2ban && \
mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
echo "**** copy proxy confs to /default ****" && \ echo "**** copy proxy confs to /default ****" && \
mkdir -p /defaults/proxy-confs && \ mkdir -p /defaults/proxy-confs && \
curl -o \ curl -o \
/tmp/proxy.tar.gz -L \ /tmp/proxy.tar.gz -L \
"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
tar xf \ tar xf \
/tmp/proxy.tar.gz -C \ /tmp/proxy.tar.gz -C \
/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
echo "**** configure nginx ****" && \ echo "**** configure nginx ****" && \
rm -f /etc/nginx/conf.d/default.conf && \ rm -f /etc/nginx/conf.d/default.conf && \
curl -o \ echo "**** cleanup ****" && \
/defaults/dhparams.pem -L \ apk del --purge \
"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ build-dependencies && \
echo "**** cleanup ****" && \ for cleanfiles in *.pyc *.pyo; \
apk del --purge \ do \
build-dependencies && \ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
for cleanfiles in *.pyc *.pyo; \ ; done && \
do \ rm -rf \
find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ /tmp/* \
; done && \ /root/.cache \
rm -rf \ /root/.cargo
/tmp/* \
/root/.cache \
/root/.cargo
# add local files # add local files
COPY root/ / COPY root/ /

281
Dockerfile.armhf
View File

@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
RUN \ RUN \
echo "**** install build packages ****" && \ echo "**** install build packages ****" && \
apk add --no-cache --virtual=build-dependencies \ apk add --no-cache --virtual=build-dependencies \
cargo \ cargo \
g++ \ g++ \
gcc \ gcc \
libffi-dev \ libffi-dev \
openssl-dev \ openssl-dev \
python3-dev && \ python3-dev && \
echo "**** install runtime packages ****" && \ echo "**** install runtime packages ****" && \
apk add --no-cache --upgrade \ apk add --no-cache --upgrade \
curl \ curl \
fail2ban \ fail2ban \
gnupg \ gnupg \
memcached \ memcached \
nginx \ nginx \
nginx-mod-http-brotli \ nginx-mod-http-brotli \
nginx-mod-http-dav-ext \ nginx-mod-http-dav-ext \
nginx-mod-http-echo \ nginx-mod-http-echo \
nginx-mod-http-fancyindex \ nginx-mod-http-fancyindex \
nginx-mod-http-geoip2 \ nginx-mod-http-geoip2 \
nginx-mod-http-headers-more \ nginx-mod-http-headers-more \
nginx-mod-http-image-filter \ nginx-mod-http-image-filter \
nginx-mod-http-nchan \ nginx-mod-http-nchan \
nginx-mod-http-perl \ nginx-mod-http-perl \
nginx-mod-http-redis2 \ nginx-mod-http-redis2 \
nginx-mod-http-set-misc \ nginx-mod-http-set-misc \
nginx-mod-http-upload-progress \ nginx-mod-http-upload-progress \
nginx-mod-http-xslt-filter \ nginx-mod-http-xslt-filter \
nginx-mod-mail \ nginx-mod-mail \
nginx-mod-rtmp \ nginx-mod-rtmp \
nginx-mod-stream \ nginx-mod-stream \
nginx-mod-stream-geoip2 \ nginx-mod-stream-geoip2 \
nginx-vim \ nginx-vim \
php7-bcmath \ php7-bcmath \
php7-bz2 \ php7-bz2 \
php7-ctype \ php7-ctype \
php7-curl \ php7-curl \
php7-dom \ php7-dom \
php7-exif \ php7-exif \
php7-ftp \ php7-ftp \
php7-gd \ php7-gd \
php7-gmp \ php7-gmp \
php7-iconv \ php7-iconv \
php7-imap \ php7-imap \
php7-intl \ php7-intl \
php7-ldap \ php7-ldap \
php7-mcrypt \ php7-mcrypt \
php7-memcached \ php7-memcached \
php7-mysqli \ php7-mysqli \
php7-mysqlnd \ php7-mysqlnd \
php7-opcache \ php7-opcache \
php7-pdo_mysql \ php7-pdo_mysql \
php7-pdo_odbc \ php7-pdo_odbc \
php7-pdo_pgsql \ php7-pdo_pgsql \
php7-pdo_sqlite \ php7-pdo_sqlite \
php7-pear \ php7-pear \
php7-pecl-apcu \ php7-pecl-apcu \
php7-pecl-mailparse \ php7-pecl-mailparse \
php7-pecl-redis \ php7-pecl-redis \
php7-pgsql \ php7-pgsql \
php7-phar \ php7-phar \
php7-posix \ php7-posix \
php7-soap \ php7-soap \
php7-sockets \ php7-sockets \
php7-sodium \ php7-sodium \
php7-sqlite3 \ php7-sqlite3 \
php7-tokenizer \ php7-tokenizer \
php7-xml \ php7-xml \
php7-xmlreader \ php7-xmlreader \
php7-xmlrpc \ php7-xmlrpc \
php7-xsl \ php7-xsl \
php7-zip \ php7-zip \
py3-cryptography \ py3-cryptography \
py3-future \ py3-future \
py3-pip \ py3-pip \
whois && \ whois && \
echo "**** install certbot plugins ****" && \ echo "**** install certbot plugins ****" && \
if [ -z ${CERTBOT_VERSION+x} ]; then \ if [ -z ${CERTBOT_VERSION+x} ]; then \
CERTBOT="certbot"; \ CERTBOT="certbot"; \
else \ else \
CERTBOT="certbot==${CERTBOT_VERSION}"; \ CERTBOT="certbot==${CERTBOT_VERSION}"; \
fi && \ fi && \
pip3 install -U \ pip3 install -U \
pip && \ pip && \
pip3 install -U \ pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
${CERTBOT} \ ${CERTBOT} \
certbot-dns-aliyun \ certbot-dns-aliyun \
certbot-dns-cloudflare \ certbot-dns-cloudflare \
certbot-dns-cloudxns \ certbot-dns-cloudxns \
certbot-dns-cpanel \ certbot-dns-cpanel \
certbot-dns-digitalocean \ certbot-dns-digitalocean \
certbot-dns-directadmin \ certbot-dns-directadmin \
certbot-dns-dnsimple \ certbot-dns-dnsimple \
certbot-dns-dnsmadeeasy \ certbot-dns-dnsmadeeasy \
certbot-dns-domeneshop \ certbot-dns-domeneshop \
certbot-dns-google \ certbot-dns-google \
certbot-dns-hetzner \ certbot-dns-hetzner \
certbot-dns-inwx \ certbot-dns-inwx \
certbot-dns-linode \ certbot-dns-linode \
certbot-dns-luadns \ certbot-dns-luadns \
certbot-dns-netcup \ certbot-dns-netcup \
certbot-dns-njalla \ certbot-dns-njalla \
certbot-dns-nsone \ certbot-dns-nsone \
certbot-dns-ovh \ certbot-dns-ovh \
certbot-dns-rfc2136 \ certbot-dns-rfc2136 \
certbot-dns-route53 \ certbot-dns-route53 \
certbot-dns-transip \ certbot-dns-transip \
certbot-dns-vultr \ certbot-dns-vultr \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \
echo "**** copy fail2ban default action and filter to /default ****" && \ echo "**** copy fail2ban default action and filter to /default ****" && \
mkdir -p /defaults/fail2ban && \ mkdir -p /defaults/fail2ban && \
mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
echo "**** copy proxy confs to /default ****" && \ echo "**** copy proxy confs to /default ****" && \
mkdir -p /defaults/proxy-confs && \ mkdir -p /defaults/proxy-confs && \
curl -o \ curl -o \
/tmp/proxy.tar.gz -L \ /tmp/proxy.tar.gz -L \
"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
tar xf \ tar xf \
/tmp/proxy.tar.gz -C \ /tmp/proxy.tar.gz -C \
/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \ /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
echo "**** configure nginx ****" && \ echo "**** configure nginx ****" && \
rm -f /etc/nginx/conf.d/default.conf && \ rm -f /etc/nginx/conf.d/default.conf && \
curl -o \ echo "**** cleanup ****" && \
/defaults/dhparams.pem -L \ apk del --purge \
"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \ build-dependencies && \
echo "**** cleanup ****" && \ for cleanfiles in *.pyc *.pyo; \
apk del --purge \ do \
build-dependencies && \ find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \
for cleanfiles in *.pyc *.pyo; \ ; done && \
do \ rm -rf \
find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ /tmp/* \
; done && \ /root/.cache \
rm -rf \ /root/.cargo
/tmp/* \
/root/.cache \
/root/.cargo
# add local files # add local files
COPY root/ / COPY root/ /

3
README.md
View File

@@ -82,7 +82,7 @@ The architectures supported by this image are:
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
### Security and password protection ### Security and password protection
* The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
* If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>` * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
* You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
* You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server. * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions ## Versions
* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
* **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method. * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
* **12.04.21:** - Add php7-gmp and php7-pecl-mailparse. * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
* **12.04.21:** - Add support for vultr dns validation. * **12.04.21:** - Add support for vultr dns validation.

3
readme-vars.yml
View File

@@ -101,7 +101,7 @@ app_setup_block: |
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
### Security and password protection ### Security and password protection
* The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
* If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>` * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
* You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
* You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server. * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog # changelog
changelogs: changelogs:
- { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
- { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." } - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
- { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." } - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
- { date: "12.04.21:", desc: "Add support for vultr dns validation." } - { date: "12.04.21:", desc: "Add support for vultr dns validation." }

180
root/defaults/default
View File

@@ -1,155 +1,153 @@
## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
error_page 502 /502.html; error_page 502 /502.html;
# redirect all traffic to https # redirect all traffic to https
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
# main server block # main server block
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
root /config/www; root /config/www;
index index.html index.htm index.php; index index.html index.htm index.php;
server_name _; server_name _;
# enable subfolder method reverse proxy confs # enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf; include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf # all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf; include /config/nginx/ssl.conf;
# enable for ldap auth # enable for ldap auth
#include /config/nginx/ldap.conf; #include /config/nginx/ldap.conf;
# enable for Authelia # enable for Authelia
#include /config/nginx/authelia-server.conf; #include /config/nginx/authelia-server.conf;
# enable for geo blocking # enable for geo blocking
# See /config/nginx/geoip2.conf for more information. # See /config/nginx/geoip2.conf for more information.
#if ($allowed_country = no) { #if ($allowed_country = no) {
#return 444; #return 444;
#} #}
client_max_body_size 0; client_max_body_size 0;
location / { location / {
try_files $uri $uri/ /index.html /index.php?$args =404; try_files $uri $uri/ /index.html /index.php?$args =404;
} }
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000; fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php; fastcgi_index index.php;
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
} }
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base # notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub # don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp { # location ^~ /cp {
# auth_basic "Restricted"; # auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd; # auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp; # proxy_pass http://192.168.1.50:5050/cp;
# } # }
} }
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name cp.*; # server_name cp.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# auth_basic "Restricted"; # auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd; # auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050; # proxy_pass http://192.168.1.50:5050;
# } # }
#} #}
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name heimdall.*; # server_name heimdall.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# include /config/nginx/ldap.conf; # include /config/nginx/ldap.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block # # the next two lines will enable ldap auth along with the included ldap.conf in the server block
# auth_request /auth; # auth_request /auth;
# error_page 401 =200 /ldaplogin; # error_page 401 =200 /ldaplogin;
# #
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall; # set $upstream_app heimdall;
# set $upstream_port 443; # set $upstream_port 443;
# set $upstream_proto https; # set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# } # }
#} #}
# sample reverse proxy config for "heimdall" via subdomain, with Authelia # sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain # notice this is a new server block, you need a new server block for each subdomain
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# #
# root /config/www; # root /config/www;
# index index.html index.htm index.php; # index index.html index.htm index.php;
# #
# server_name heimdall.*; # server_name heimdall.*;
# #
# include /config/nginx/ssl.conf; # include /config/nginx/ssl.conf;
# #
# include /config/nginx/authelia-server.conf; # include /config/nginx/authelia-server.conf;
# #
# client_max_body_size 0; # client_max_body_size 0;
# #
# location / { # location / {
# # the next line will enable Authelia along with the included authelia-server.conf in the server block # # the next line will enable Authelia along with the included authelia-server.conf in the server block
# include /config/nginx/authelia-location.conf; # include /config/nginx/authelia-location.conf;
# #
# include /config/nginx/proxy.conf; # include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s; # resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall; # set $upstream_app heimdall;
# set $upstream_port 443; # set $upstream_port 443;
# set $upstream_proto https; # set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# } # }
#} #}
# enable subdomain method reverse proxy confs # enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf; include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

13
root/defaults/dhparams.pem Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----

32
root/defaults/geoip2.conf
View File

@@ -51,22 +51,22 @@ geo $allow_list {
# Add the following if statements inside any server context where you want to geo block countries. # Add the following if statements inside any server context where you want to geo block countries.
######################################## ########################################
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# if ($allowed_country = no) { # if ($allowed_country = no) {
# return 444; # return 444;
# } # }
######################################### #########################################
# Add the following if statements inside any server context where you want to geo block cities. # Add the following if statements inside any server context where you want to geo block cities.
######################################## ########################################
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# if ($allowed_city = no) { # if ($allowed_city = no) {
# return 444; # return 444;
# } # }
######################################### #########################################
# Example using a config from proxy-confs # Example using a config from proxy-confs
@@ -90,12 +90,12 @@ geo $allow_list {
# # Allow lan access if default is set to no # # Allow lan access if default is set to no
# if ($allow_list = yes) { # if ($allow_list = yes) {
# set $allowed_country yes; # set $allowed_country yes;
# } # }
# # Country geo block # # Country geo block
# if ($allowed_country = no) { # if ($allowed_country = no) {
# return 444; # return 444;
# } # }
# #

204
root/defaults/nginx.conf
View File

@@ -1,120 +1,150 @@
## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
user abc; user abc;
worker_processes 4;
pid /run/nginx.pid; # Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
events { events {
worker_connections 768; # The maximum number of simultaneous connections that can be opened by
# multi_accept on; # a worker process.
worker_connections 1024;
# multi_accept on;
} }
http { http {
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
## # Name servers used to resolve names of upstream servers into addresses.
# Basic Settings # It's also needed when using tcpsocket and udpsocket in Lua modules.
## #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
include /config/nginx/resolver.conf;
client_body_buffer_size 128k; # Don't tell nginx version to the clients. Default is 'on'.
client_max_body_size 0; server_tokens off;
keepalive_timeout 65;
large_client_header_buffers 4 16k;
send_timeout 5m;
sendfile on;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_tokens off; # Specifies the maximum accepted body size of a client request, as
# server_names_hash_bucket_size 64; # indicated by the request header Content-Length. If the stated content
# server_name_in_redirect off; # length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 0;
include /etc/nginx/mime.types; # Sendfile copies data between one FD and other from within the kernel,
default_type application/octet-stream; # which is more efficient than read() + write(). Default is off.
sendfile on;
## # Causes nginx to attempt to send its HTTP response head in one packet,
# Logging Settings # instead of using partial frames. Default is 'off'.
## tcp_nopush on;
access_log /config/log/nginx/access.log; # Helper variable for proxying websockets.
error_log /config/log/nginx/error.log; map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
## # Sets the path, format, and configuration for a buffered log write.
# Gzip Settings access_log /config/log/nginx/access.log;
##
gzip on; # Includes virtual hosts configs.
gzip_disable "msie6"; #include /etc/nginx/http.d/*.conf;
# gzip_vary on; # WARNING: Don't use this directory for virtual hosts anymore.
# gzip_proxied any; # This include will be moved to the root context in Alpine 3.14.
# gzip_comp_level 6; #include /etc/nginx/conf.d/*.conf;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules; ##
# Basic Settings
##
## client_body_buffer_size 128k;
# nginx-passenger config keepalive_timeout 65;
## large_client_header_buffers 4 16k;
# Uncomment it if you installed nginx-passenger send_timeout 5m;
## tcp_nodelay on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#passenger_root /usr; ##
#passenger_ruby /usr/bin/ruby; # Gzip Settings
##
## gzip on;
# WebSocket proxying gzip_disable "msie6";
## # gzip_vary on;
map $http_upgrade $connection_upgrade { # gzip_proxied any;
default upgrade; # gzip_comp_level 6;
'' close; # gzip_buffers 16 8k;
} # gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
## ##
# Virtual Host Configs # nginx-naxsi config
## ##
include /etc/nginx/conf.d/*.conf; # Uncomment it if you installed nginx-naxsi
include /config/nginx/site-confs/*; ##
#Removed lua. Do not remove this comment
## #include /etc/nginx/naxsi_core.rules;
# Geoip2 config
##
# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
##
#include /config/nginx/geoip2.conf; ##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /config/nginx/site-confs/*;
#Removed lua. Do not remove this comment
##
# Geoip2 config
##
# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
##
#include /config/nginx/geoip2.conf;
} }
#mail { #mail {
# # See sample authentication script at: # # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# #
# # auth_http localhost/auth.php; # # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER"; # # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # imap_capabilities "IMAP4rev1" "UIDPLUS";
# #
# server { # server {
# listen localhost:110; # listen localhost:110;
# protocol pop3; # protocol pop3;
# proxy on; # proxy on;
# } # }
# #
# server { # server {
# listen localhost:143; # listen localhost:143;
# protocol imap; # protocol imap;
# proxy on; # proxy on;
# } # }
#} #}
daemon off; daemon off;
pid /run/nginx.pid;

3
root/defaults/proxy.conf
View File

@@ -1,4 +1,4 @@
## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
# Timeout if the real server is dead # Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -15,6 +15,7 @@ proxy_send_timeout 240;
# Proxy Cache and Cookie Settings # Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session; proxy_cache_bypass $cookie_session;
proxy_cache_path cache/ keys_zone=auth_cache:10m;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session; proxy_no_cache $cookie_session;

5
root/defaults/ssl.conf
View File

@@ -1,4 +1,4 @@
## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
### Mozilla Recommendations ### Mozilla Recommendations
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters # Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem; ssl_dhparam /config/nginx/dhparams.pem;
# Resolver
resolver 127.0.0.11 valid=30s; # Docker DNS Server
# Enable TLS 1.3 early data # Enable TLS 1.3 early data
ssl_early_data on; ssl_early_data on;

366
root/etc/cont-init.d/50-config
View File

@@ -17,26 +17,26 @@ STAGING=${STAGING}\\n"
# Echo init finish for test runs # Echo init finish for test runs
if [ -n "${TEST_RUN}" ]; then if [ -n "${TEST_RUN}" ]; then
echo '[services.d] done.' echo '[services.d] done.'
fi fi
# Sanitize variables # Sanitize variables
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER ) SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
for i in "${SANED_VARS[@]}" for i in "${SANED_VARS[@]}"
do do
export echo "$i"="${!i//\"/}" export echo "$i"="${!i//\"/}"
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
done done
# check to make sure that the required variables are set # check to make sure that the required variables are set
[[ -z "$URL" ]] && \ [[ -z "$URL" ]] && \
echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \ echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
sleep infinity sleep infinity
# make our folders and links # make our folders and links
mkdir -p \ mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
/var/run/fail2ban /var/run/fail2ban
rm -rf /etc/letsencrypt rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt
@@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/
cp -R /defaults/fail2ban/action.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/
# if jail.local is missing in /config, copy default # if jail.local is missing in /config, copy default
[[ ! -f /config/fail2ban/jail.local ]] && \ [[ ! -f /config/fail2ban/jail.local ]] && \
cp /defaults/jail.local /config/fail2ban/jail.local cp /defaults/jail.local /config/fail2ban/jail.local
# Replace fail2ban config with user config # Replace fail2ban config with user config
[[ -d /etc/fail2ban/filter.d ]] && \ [[ -d /etc/fail2ban/filter.d ]] && \
rm -rf /etc/fail2ban/filter.d rm -rf /etc/fail2ban/filter.d
[[ -d /etc/fail2ban/action.d ]] && \ [[ -d /etc/fail2ban/action.d ]] && \
rm -rf /etc/fail2ban/action.d rm -rf /etc/fail2ban/action.d
cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/filter.d /etc/fail2ban/
cp -R /config/fail2ban/action.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
@@ -65,43 +65,53 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
# copy crontab and proxy defaults if needed # copy crontab and proxy defaults if needed
[[ ! -f /config/crontabs/root ]] && \ [[ ! -f /config/crontabs/root ]] && \
cp /etc/crontabs/root /config/crontabs/ cp /etc/crontabs/root /config/crontabs/
[[ ! -f /config/nginx/proxy.conf ]] && \ [[ ! -f /config/nginx/proxy.conf ]] && \
cp /defaults/proxy.conf /config/nginx/proxy.conf cp /defaults/proxy.conf /config/nginx/proxy.conf
[[ ! -f /config/nginx/ssl.conf ]] && \ [[ ! -f /config/nginx/ssl.conf ]] && \
cp /defaults/ssl.conf /config/nginx/ssl.conf cp /defaults/ssl.conf /config/nginx/ssl.conf
[[ ! -f /config/nginx/ldap.conf ]] && \ [[ ! -f /config/nginx/ldap.conf ]] && \
cp /defaults/ldap.conf /config/nginx/ldap.conf cp /defaults/ldap.conf /config/nginx/ldap.conf
[[ ! -f /config/nginx/authelia-server.conf ]] && \ [[ ! -f /config/nginx/authelia-server.conf ]] && \
cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
[[ ! -f /config/nginx/authelia-location.conf ]] && \ [[ ! -f /config/nginx/authelia-location.conf ]] && \
cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
[[ ! -f /config/nginx/geoip2.conf ]] && \ [[ ! -f /config/nginx/geoip2.conf ]] && \
cp /defaults/geoip2.conf /config/nginx/geoip2.conf cp /defaults/geoip2.conf /config/nginx/geoip2.conf
[[ ! -f /config/www/502.html ]] && [[ ! -f /config/www/502.html ]] &&
cp /defaults/502.html /config/www/502.html cp /defaults/502.html /config/www/502.html
# Set resolver
if ! grep -q 'resolver' /config/nginx/resolver.conf; then
RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
echo "Setting resolver to ${RESOLVER}"
echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
fi
# Set worker_processes
if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
WORKER_PROCESSES=$(nproc)
echo "Setting worker_processes to ${WORKER_PROCESSES}"
echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
fi
# remove lua bits from nginx.conf if not done before # remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
echo "Removing lua specific info from nginx.conf" echo "Removing lua specific info from nginx.conf"
sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
fi fi
# copy pre-generated dhparams or generate if needed # copy pre-generated dhparams or generate if needed
[[ ! -f /config/nginx/dhparams.pem ]] && \ [[ ! -f /config/nginx/dhparams.pem ]] && \
cp /defaults/dhparams.pem /config/nginx/dhparams.pem cp /defaults/dhparams.pem /config/nginx/dhparams.pem
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
fi
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
openssl dhparam -out /config/nginx/dhparams.pem 4096
fi fi
# check to make sure DNSPLUGIN is selected if dns validation is used # check to make sure DNSPLUGIN is selected if dns validation is used
[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \ [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \ echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
sleep infinity sleep infinity
# import user crontabs # import user crontabs
rm /etc/crontabs/* rm /etc/crontabs/*
@@ -109,11 +119,11 @@ cp /config/crontabs/* /etc/crontabs/
# create original config file if it doesn't exist, move non-hidden legacy file to hidden # create original config file if it doesn't exist, move non-hidden legacy file to hidden
if [ -f "/config/donoteditthisfile.conf" ]; then if [ -f "/config/donoteditthisfile.conf" ]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi fi
if [ ! -f "/config/.donoteditthisfile.conf" ]; then if [ ! -f "/config/.donoteditthisfile.conf" ]; then
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf" echo "Created .donoteditthisfile.conf"
fi fi
# load original config settings # load original config settings
@@ -122,75 +132,75 @@ fi
# set default validation to http # set default validation to http
if [ -z "$VALIDATION" ]; then if [ -z "$VALIDATION" ]; then
VALIDATION="http" VALIDATION="http"
echo "VALIDATION parameter not set; setting it to http" echo "VALIDATION parameter not set; setting it to http"
fi fi
# if zerossl is selected or staging is set to true, use the relevant server # if zerossl is selected or staging is set to true, use the relevant server
if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
echo "ZeroSSL does not support staging mode, ignoring STAGING variable" echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi fi
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
ACMESERVER="https://acme.zerossl.com/v2/DV90" ACMESERVER="https://acme.zerossl.com/v2/DV90"
elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
sleep infinity sleep infinity
elif [ "$STAGING" = "true" ]; then elif [ "$STAGING" = "true" ]; then
echo "NOTICE: Staging is active" echo "NOTICE: Staging is active"
echo "Using Let's Encrypt as the cert provider" echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else else
echo "Using Let's Encrypt as the cert provider" echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi fi
# figuring out url only vs url & subdomains vs subdomains only # figuring out url only vs url & subdomains vs subdomains only
if [ -n "$SUBDOMAINS" ]; then if [ -n "$SUBDOMAINS" ]; then
echo "SUBDOMAINS entered, processing"
if [ "$SUBDOMAINS" = "wildcard" ]; then
if [ "$ONLY_SUBDOMAINS" = true ]; then
export URL_REAL="-d *.${URL}"
echo "Wildcard cert for only the subdomains of $URL will be requested"
else
export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested"
fi
else
echo "SUBDOMAINS entered, processing" echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do if [ "$SUBDOMAINS" = "wildcard" ]; then
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" if [ "$ONLY_SUBDOMAINS" = true ]; then
done export URL_REAL="-d *.${URL}"
if [ "$ONLY_SUBDOMAINS" = true ]; then echo "Wildcard cert for only the subdomains of $URL will be requested"
URL_REAL="$SUBDOMAINS_REAL" else
echo "Only subdomains, no URL in cert" export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested"
fi
else else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
done
if [ "$ONLY_SUBDOMAINS" = true ]; then
URL_REAL="$SUBDOMAINS_REAL"
echo "Only subdomains, no URL in cert"
else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
fi fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
fi
else else
echo "No subdomains defined" echo "No subdomains defined"
URL_REAL="-d $URL" URL_REAL="-d $URL"
fi fi
# add extra domains # add extra domains
if [ -n "$EXTRA_DOMAINS" ]; then if [ -n "$EXTRA_DOMAINS" ]; then
echo "EXTRA_DOMAINS entered, processing" echo "EXTRA_DOMAINS entered, processing"
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
done done
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
fi fi
# figuring out whether to use e-mail and which # figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then if [[ $EMAIL == *@* ]]; then
echo "E-mail address entered: ${EMAIL}" echo "E-mail address entered: ${EMAIL}"
EMAILPARAM="-m ${EMAIL} --no-eff-email" EMAILPARAM="-m ${EMAIL} --no-eff-email"
else else
echo "No e-mail address entered or address invalid" echo "No e-mail address entered or address invalid"
EMAILPARAM="--register-unsafely-without-email" EMAILPARAM="--register-unsafely-without-email"
fi fi
# update plugin names in dns conf inis # update plugin names in dns conf inis
@@ -201,82 +211,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
# setting the validation method to use # setting the validation method to use
if [ "$VALIDATION" = "dns" ]; then if [ "$VALIDATION" = "dns" ]; then
if [ "$DNSPLUGIN" = "route53" ]; then if [ "$DNSPLUGIN" = "route53" ]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini" PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
else else
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
fi fi
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [ "$VALIDATION" = "tls-sni" ]; then elif [ "$VALIDATION" = "tls-sni" ]; then
PREFCHAL="--non-interactive --standalone --preferred-challenges http" PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "*****tls-sni validation has been deprecated, attempting http validation instead" echo "*****tls-sni validation has been deprecated, attempting http validation instead"
elif [ "$VALIDATION" = "duckdns" ]; then elif [ "$VALIDATION" = "duckdns" ]; then
PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt" PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
chmod +x /app/duckdns-txt chmod +x /app/duckdns-txt
echo "duckdns validation is selected" echo "duckdns validation is selected"
if [ "$SUBDOMAINS" = "wildcard" ]; then if [ "$SUBDOMAINS" = "wildcard" ]; then
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
export URL_REAL="-d *.${URL}" export URL_REAL="-d *.${URL}"
else else
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org" echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
export URL_REAL="-d ${URL}" export URL_REAL="-d ${URL}"
fi fi
else else
PREFCHAL="--non-interactive --standalone --preferred-challenges http" PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "http validation is selected" echo "http validation is selected"
fi fi
# setting the symlink for key location # setting the symlink for key location
rm -rf /config/keys/letsencrypt rm -rf /config/keys/letsencrypt
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
else else
ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
fi fi
# checking for changes in cert variables, revoking certs if necessary # checking for changes in cert variables, revoking certs if necessary
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
else else
ORIGDOMAIN="$ORIGURL" ORIGDOMAIN="$ORIGURL"
fi
if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity
fi fi
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
elif [ "$ORIGSTAGING" = "true" ]; then REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
else REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
fi echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER sleep infinity
rm -rf /config/etc/letsencrypt fi
mkdir -p /config/etc/letsencrypt REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
elif [ "$ORIGSTAGING" = "true" ]; then
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
rm -rf /config/etc/letsencrypt
mkdir -p /config/etc/letsencrypt
fi fi
# saving new variables # saving new variables
@@ -284,74 +294,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$
# alter extension for error message # alter extension for error message
if [ "$DNSPLUGIN" = "google" ]; then if [ "$DNSPLUGIN" = "google" ]; then
FILENAME="$DNSPLUGIN.json" FILENAME="$DNSPLUGIN.json"
else else
FILENAME="$DNSPLUGIN.ini" FILENAME="$DNSPLUGIN.ini"
fi fi
# generating certs if necessary # generating certs if necessary
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
echo "Retrieving EAB from ZeroSSL" echo "Retrieving EAB from ZeroSSL"
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity sleep infinity
fi
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
fi fi
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" echo "Generating new certificate"
fi # shellcheck disable=SC2086
echo "Generating new certificate" certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
# shellcheck disable=SC2086 if [ -d /config/keys/letsencrypt ]; then
certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL cd /config/keys/letsencrypt || exit
if [ -d /config/keys/letsencrypt ]; then
cd /config/keys/letsencrypt || exit
else
if [ "$VALIDATION" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
elif [ "$VALIDATION" = "duckdns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
else else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" if [ "$VALIDATION" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
elif [ "$VALIDATION" = "duckdns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
fi
sleep infinity
fi fi
sleep infinity openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
fi sleep 1
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
sleep 1 echo "New certificate generated; starting nginx"
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
echo "New certificate generated; starting nginx"
else else
echo "Certificate exists; parameters unchanged; starting nginx" echo "Certificate exists; parameters unchanged; starting nginx"
fi fi
# create GeoIP2 folder symlink # create GeoIP2 folder symlink
[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \ [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
rm -rf /var/lib/libmaxminddb rm -rf /var/lib/libmaxminddb
[[ ! -d /var/lib/libmaxminddb ]] && \ [[ ! -d /var/lib/libmaxminddb ]] && \
ln -s /config/geoip2db /var/lib/libmaxminddb ln -s /config/geoip2db /var/lib/libmaxminddb
# check GeoIP2 database # check GeoIP2 database
if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo "Downloading GeoIP2 City database." echo "Downloading GeoIP2 City database."
/etc/periodic/weekly/libmaxminddb /etc/periodic/weekly/libmaxminddb
fi fi
elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
else else
echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key." echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
fi fi
# logfiles needed by fail2ban # logfiles needed by fail2ban
[[ ! -f /config/log/nginx/error.log ]] && \ [[ ! -f /config/log/nginx/error.log ]] && \
touch /config/log/nginx/error.log touch /config/log/nginx/error.log
[[ ! -f /config/log/nginx/access.log ]] && \ [[ ! -f /config/log/nginx/access.log ]] && \
touch /config/log/nginx/access.log touch /config/log/nginx/access.log
# permissions # permissions
chown -R abc:abc \ chown -R abc:abc \
/config /config
chmod -R 0644 /etc/logrotate.d chmod -R 0644 /etc/logrotate.d
chmod -R +r /config/log chmod -R +r /config/log
chmod +x /app/le-renew.sh chmod +x /app/le-renew.sh

18
root/etc/logrotate.d/lerotate
View File

@@ -1,11 +1,11 @@
/config/log/letsencrypt/*.log { /config/log/letsencrypt/*.log {
weekly weekly
rotate 52 rotate 52
compress compress
delaycompress delaycompress
nodateext nodateext
missingok missingok
notifempty notifempty
sharedscripts sharedscripts
su abc abc su abc abc
} }

4
root/etc/services.d/fail2ban/run
View File

@@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
exec \ exec \
fail2ban-client -x -f start fail2ban-client -x -f start