linuxserver/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2026-02-09 14:34:14 +09:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

initial release

Browse Source
This commit is contained in:
aptalca
2020-08-03 11:00:14 -04:00
parent f3754ece52
commit 9352a59250
53 changed files with 3525 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
root/app/duckdns-txt Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
. /config/donoteditthisfile.conf
curl https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN}\&token=${ORIGDUCKDNSTOKEN}\&txt=${CERTBOT_VALIDATION}
echo "sleeping 60"
sleep 60

27
root/app/le-renew.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/usr/bin/with-contenv bash
. /config/donoteditthisfile.conf
echo "<------------------------------------------------->"
echo
echo "<------------------------------------------------->"
echo "cronjob running on "$(date)
echo "Running certbot renew"
if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then
certbot -n renew \
--post-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi; \
cd /config/keys/letsencrypt && \
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
sleep 1 && \
cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
chown -R abc:abc /config/etc/letsencrypt"
else
certbot -n renew \
--pre-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi" \
--post-hook "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; \
cd /config/keys/letsencrypt && \
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
sleep 1 && \
cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
chown -R abc:abc /config/etc/letsencrypt"
fi

11
root/defaults/authelia-location.conf Normal file
View File

@@ -0,0 +1,11 @@
## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-location.conf
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

48
root/defaults/authelia-server.conf Normal file
View File

@@ -0,0 +1,48 @@
## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-server.conf
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
location ^~ /authelia {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify {
internal;
resolver 127.0.0.11 valid=30s;
set $upstream_authelia authelia;
proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

147
root/defaults/default Normal file
View File

@@ -0,0 +1,147 @@
## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /config/www;
index index.html index.htm index.php;
server_name _;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp;
# }
}
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name cp.*;
#
# include /config/nginx/ssl.conf;
#
# client_max_body_size 0;
#
# location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/ldap.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
# auth_request /auth;
# error_page 401 =200 /ldaplogin;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/authelia-server.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next line will enable Authelia along with the included authelia-server.conf in the server block
# include /config/nginx/authelia-location.conf;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

6
root/defaults/dns-conf/aliyun.ini Normal file
View File

@@ -0,0 +1,6 @@
# Obtain Aliyun RAM AccessKey
# https://ram.console.aliyun.com/
# And ensure your RAM account has AliyunDNSFullAccess permission.
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef

9
root/defaults/dns-conf/cloudflare.ini Normal file
View File

@@ -0,0 +1,9 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
# With global api key:
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

4
root/defaults/dns-conf/cloudxns.ini Normal file
View File

@@ -0,0 +1,4 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20
# Replace with your values
dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
dns_cloudxns_secret_key = 1122334455667788

6
root/defaults/dns-conf/cpanel.ini Normal file
View File

@@ -0,0 +1,6 @@
# Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
# Replace with your values
# include the scheme and the port number (usually 2083 for https)
certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
certbot_dns_cpanel:cpanel_username = username
certbot_dns_cpanel:cpanel_password = 1234567890abcdef

3
root/defaults/dns-conf/digitalocean.ini Normal file
View File

@@ -0,0 +1,3 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-digitalocean/certbot_dns_digitalocean/__init__.py#L21
# Replace with your value
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

3
root/defaults/dns-conf/dnsimple.ini Normal file
View File

@@ -0,0 +1,3 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsimple/certbot_dns_dnsimple/__init__.py#L20
# Replace with your value
dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

4
root/defaults/dns-conf/dnsmadeeasy.ini Normal file
View File

@@ -0,0 +1,4 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsmadeeasy/certbot_dns_dnsmadeeasy/__init__.py#L20
# Replace with your values
dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55

4
root/defaults/dns-conf/domeneshop.ini Normal file
View File

@@ -0,0 +1,4 @@
# Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials
# Replace with your values
certbot_dns_domeneshop:dns_domeneshop_client_token=1234567890abcdef
certbot_dns_domeneshop:dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs

3
root/defaults/dns-conf/gandi.ini Normal file
View File

@@ -0,0 +1,3 @@
# Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
# Replace with your value
certbot_plugin_gandi:dns_api_key=APIKEY

6
root/defaults/dns-conf/google.json Normal file
View File

@@ -0,0 +1,6 @@
{
"instructions": "https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py",
"_comment": "Replace with your values",
"type": "service_account",
"rest": "..."
}

6
root/defaults/dns-conf/inwx.ini Normal file
View File

@@ -0,0 +1,6 @@
# Instructions: https://github.com/oGGy990/certbot-dns-inwx
# Replace with your values
certbot_dns_inwx:dns_inwx_url = https://api.domrobot.com/xmlrpc/
certbot_dns_inwx:dns_inwx_username = your_username
certbot_dns_inwx:dns_inwx_password = your_password
certbot_dns_inwx:dns_inwx_shared_secret = your_shared_secret optional

3
root/defaults/dns-conf/linode.ini Normal file
View File

@@ -0,0 +1,3 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-linode/certbot_dns_linode/__init__.py#L25
# Replace with your values
dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64

4
root/defaults/dns-conf/luadns.ini Normal file
View File

@@ -0,0 +1,4 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-luadns/certbot_dns_luadns/__init__.py#L20
# Replace with your values
dns_luadns_email = user@example.com
dns_luadns_token = 0123456789abcdef0123456789abcdef

3
root/defaults/dns-conf/nsone.ini Normal file
View File

@@ -0,0 +1,3 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-nsone/certbot_dns_nsone/__init__.py#L20
# Replace with your value
dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw

6
root/defaults/dns-conf/ovh.ini Normal file
View File

@@ -0,0 +1,6 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-ovh/certbot_dns_ovh/__init__.py#L20
# Replace with your values
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

11
root/defaults/dns-conf/rfc2136.ini Normal file
View File

@@ -0,0 +1,11 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py#L20
# Replace with your values
# Target DNS server
dns_rfc2136_server = 192.0.2.1
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs \
AmKd7ak51vWKgSl12ib86oQRPkpDjg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

5
root/defaults/dns-conf/route53.ini Normal file
View File

@@ -0,0 +1,5 @@
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18
# Replace with your values
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

6
root/defaults/dns-conf/transip.ini Normal file
View File

@@ -0,0 +1,6 @@
# Instructions: https://readthedocs.org/projects/certbot-dns-transip/
# Convert the key to an RSA key (openssl rsa -in transip.key -out transip-rsa.key)
# Place .key-file in the same directory as this file. Location "/config/dns-conf" is from within the container
certbot_dns_transip:dns_transip_username = <transip_username>
certbot_dns_transip:dns_transip_key_file = /config/dns-conf/transip-rsa.key

4
root/defaults/fail2ban/fail2ban.local Normal file
View File

@@ -0,0 +1,4 @@
[Definition]
logtarget = /config/log/fail2ban/fail2ban.log
dbfile = /config/fail2ban/fail2ban.sqlite3

21
root/defaults/fail2ban/filter.d/nginx-badbots.conf Normal file
View File

@@ -0,0 +1,21 @@
# Fail2Ban configuration file
#
# Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
ignoreregex =
# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
#
# Author: Yaroslav Halchenko

15
root/defaults/fail2ban/filter.d/nginx-deny.conf Normal file
View File

@@ -0,0 +1,15 @@
# fail2ban filter configuration for nginx
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ (access forbidden by rule), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
ignoreregex =
datepattern = {^LN-BEG}
# DEV NOTES:
#
# Author: Will L (driz@linuxserver.io)

57
root/defaults/jail.local Normal file
View File

@@ -0,0 +1,57 @@
## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container
[DEFAULT]
# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
[ssh]
enabled = false
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
maxretry = 2
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log
[nginx-deny]
enabled = true
port = http,https
filter = nginx-deny
logpath = /config/log/nginx/error.log

92
root/defaults/ldap.conf Normal file
View File

@@ -0,0 +1,92 @@
## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ldap.conf
## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
## see the heimdall example in the default site config for info on enabling ldap auth
## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
location /ldaplogin {
resolver 127.0.0.11 valid=30s;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 9000;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_set_header X-Target $request_uri;
}
location = /auth {
resolver 127.0.0.11 valid=30s;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 8888;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
#Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
#proxy_cache auth_cache;
#proxy_cache_valid 200 10m;
#proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://example.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
# If AD, use "root@test.local"
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}

105
root/defaults/nginx.conf Normal file
View File

@@ -0,0 +1,105 @@
## Version 2019/12/19 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
variables_hash_max_size 2048;
large_client_header_buffers 4 16k;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
lua_load_resty_core off;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off;

32
root/defaults/proxy.conf Normal file
View File

@@ -0,0 +1,32 @@
## Version 2019/10/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/proxy.conf
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
# TLS 1.3 early data
proxy_set_header Early-Data $ssl_early_data;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;

48
root/defaults/ssl.conf Normal file
View File

@@ -0,0 +1,48 @@
## Version 2020/06/17 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
### Mozilla Recommendations
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;
# Resolver
resolver 127.0.0.11 valid=30s; # Docker DNS Server
# Enable TLS 1.3 early data
ssl_early_data on;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;

1
root/donate.txt Normal file
View File

@@ -0,0 +1 @@
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

302
root/etc/cont-init.d/50-config Normal file
View File

@@ -0,0 +1,302 @@
#!/usr/bin/with-contenv bash
# Display variables for troubleshooting
echo -e "Variables set:\\n\
PUID=${PUID}\\n\
PGID=${PGID}\\n\
TZ=${TZ}\\n\
URL=${URL}\\n\
SUBDOMAINS=${SUBDOMAINS}\\n\
EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"
# Echo init finish for test runs
if [ -n "${TEST_RUN}" ]; then
echo '[services.d] done.'
fi
# Sanitize variables
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION )
for i in "${SANED_VARS[@]}"
do
export echo "$i"="${!i//\"/}"
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
done
# check to make sure that the required variables are set
[[ -z "$URL" ]] && \
echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
sleep infinity
# make our folders and links
mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
/var/run/fail2ban
rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt
# copy dns default configs
cp -n /defaults/dns-conf/* /config/dns-conf/
chown -R abc:abc /config/dns-conf
# copy reverse proxy configs
cp -R /defaults/proxy-confs /config/nginx/
# remove outdated files (remove this action after 2020/10/17)
rm -f /config/nginx/proxy-confs/seafile.subdomain.config.sample /config/nginx/proxy-confs/librespeed.subdomain.com.sample
# copy/update the fail2ban config defaults to/in /config
cp -R /defaults/fail2ban/filter.d /config/fail2ban/
cp -R /defaults/fail2ban/action.d /config/fail2ban/
# if jail.local is missing in /config, copy default
[[ ! -f /config/fail2ban/jail.local ]] && \
cp /defaults/jail.local /config/fail2ban/jail.local
# Replace fail2ban config with user config
[[ -d /etc/fail2ban/filter.d ]] && \
rm -rf /etc/fail2ban/filter.d
[[ -d /etc/fail2ban/action.d ]] && \
rm -rf /etc/fail2ban/action.d
cp -R /config/fail2ban/filter.d /etc/fail2ban/
cp -R /config/fail2ban/action.d /etc/fail2ban/
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
# copy crontab and proxy defaults if needed
[[ ! -f /config/crontabs/root ]] && \
cp /etc/crontabs/root /config/crontabs/
[[ ! -f /config/nginx/proxy.conf ]] && \
cp /defaults/proxy.conf /config/nginx/proxy.conf
[[ ! -f /config/nginx/ssl.conf ]] && \
cp /defaults/ssl.conf /config/nginx/ssl.conf
[[ ! -f /config/nginx/ldap.conf ]] && \
cp /defaults/ldap.conf /config/nginx/ldap.conf
[[ ! -f /config/nginx/authelia-server.conf ]] && \
cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
[[ ! -f /config/nginx/authelia-location.conf ]] && \
cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
# copy pre-generated dhparams or generate if needed
[[ ! -f /config/nginx/dhparams.pem ]] && \
cp /defaults/dhparams.pem /config/nginx/dhparams.pem
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
fi
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
openssl dhparam -out /config/nginx/dhparams.pem 4096
fi
# check to make sure DNSPLUGIN is selected if dns validation is used
[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|dnsimple|dnsmadeeasy|domeneshop|gandi|google|inwx|linode|luadns|nsone|ovh|rfc2136|route53|transip)$ ]] && \
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
sleep infinity
# import user crontabs
rm /etc/crontabs/*
cp /config/crontabs/* /etc/crontabs/
# create original config file if it doesn't exist
if [ ! -f "/config/donoteditthisfile.conf" ]; then
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\"" > /config/donoteditthisfile.conf
echo "Created donoteditthisfile.conf"
fi
# load original config settings
# shellcheck disable=SC1091
. /config/donoteditthisfile.conf
# set default validation to http
if [ -z "$VALIDATION" ]; then
VALIDATION="http"
echo "VALIDATION parameter not set; setting it to http"
fi
# if staging is set to true, use the staging server
if [ "$STAGING" = "true" ]; then
echo "NOTICE: Staging is active"
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi
# figuring out url only vs url & subdomains vs subdomains only
if [ -n "$SUBDOMAINS" ]; then
echo "SUBDOMAINS entered, processing"
if [ "$SUBDOMAINS" = "wildcard" ]; then
if [ "$ONLY_SUBDOMAINS" = true ]; then
export URL_REAL="-d *.${URL}"
echo "Wildcard cert for only the subdomains of $URL will be requested"
else
export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for $URL will be requested"
fi
else
echo "SUBDOMAINS entered, processing"
for job in $(echo "$SUBDOMAINS" | tr "," " "); do
export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
done
if [ "$ONLY_SUBDOMAINS" = true ]; then
URL_REAL="$SUBDOMAINS_REAL"
echo "Only subdomains, no URL in cert"
else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
fi
echo "Sub-domains processed are: $SUBDOMAINS_REAL"
fi
else
echo "No subdomains defined"
URL_REAL="-d $URL"
fi
# add extra domains
if [ -n "$EXTRA_DOMAINS" ]; then
echo "EXTRA_DOMAINS entered, processing"
for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
done
echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
fi
# figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then
echo "E-mail address entered: ${EMAIL}"
EMAILPARAM="-m ${EMAIL} --no-eff-email"
else
echo "No e-mail address entered or address invalid"
EMAILPARAM="--register-unsafely-without-email"
fi
# setting the validation method to use
if [ "$VALIDATION" = "dns" ]; then
if [ "$DNSPLUGIN" = "route53" ]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini --manual-public-ip-logging-ok"
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|inwx|transip)$ ]]; then
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
else
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
fi
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [ "$VALIDATION" = "tls-sni" ]; then
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "*****tls-sni validation has been deprecated, attempting http validation instead"
elif [ "$VALIDATION" = "duckdns" ]; then
PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook /app/duckdns-txt"
chmod +x /app/duckdns-txt
echo "duckdns validation is selected"
if [ "$SUBDOMAINS" = "wildcard" ]; then
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
export URL_REAL="-d *.${URL}"
else
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
export URL_REAL="-d ${URL}"
fi
else
PREFCHAL="--non-interactive --standalone --preferred-challenges http"
echo "http validation is selected"
fi
# setting the symlink for key location
rm -rf /config/keys/letsencrypt
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
else
ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
fi
# checking for changes in cert variables, revoking certs if necessary
if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem
else
[[ -f /config/etc/letsencrypt/live/"$ORIGURL"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGURL"/fullchain.pem
fi
rm -rf /config/etc/letsencrypt
mkdir -p /config/etc/letsencrypt
fi
# saving new variables
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\"" > /config/donoteditthisfile.conf
# alter extension for error message
if [ "$DNSPLUGIN" = "google" ]; then
FILENAME="$DNSPLUGIN.json"
else
FILENAME="$DNSPLUGIN.ini"
fi
# generating certs if necessary
if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
echo "Generating new certificate"
# shellcheck disable=SC2086
certbot certonly --renew-by-default --server $ACMESERVER $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
if [ -d /config/keys/letsencrypt ]; then
cd /config/keys/letsencrypt || exit
else
if [ "$VALIDATION" = "dns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
elif [ "$VALIDATION" = "duckdns" ]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
else
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
fi
sleep infinity
fi
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
sleep 1
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
echo "New certificate generated; starting nginx"
else
echo "Certificate exists; parameters unchanged; starting nginx"
fi
# create GeoIP2 folder symlink
[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
rm -rf /var/lib/libmaxminddb
[[ ! -d /var/lib/libmaxminddb ]] && \
ln -s /config/geoip2db /var/lib/libmaxminddb
# check GeoIP2 database
if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo "Downloading GeoIP2 City database."
/etc/periodic/weekly/libmaxminddb
fi
elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
else
echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
fi
# logfiles needed by fail2ban
[[ ! -f /config/log/nginx/error.log ]] && \
touch /config/log/nginx/error.log
[[ ! -f /config/log/nginx/access.log ]] && \
touch /config/log/nginx/access.log
# permissions
chown -R abc:abc \
/config
chmod -R 0644 /etc/logrotate.d
chmod -R +r /config/log
chmod +x /app/le-renew.sh
chmod 700 /defaults/dns-conf
chmod 600 /defaults/dns-conf/*

10
root/etc/cont-init.d/60-renew Normal file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/with-contenv bash
# Check if the cert is expired or expires within a day, if so, renew
if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
else
echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
/app/le-renew.sh
sleep 1
fi

9
root/etc/crontabs/root Normal file
View File

@@ -0,0 +1,9 @@
# do daily/weekly/monthly maintenance
# min hour day month weekday command
*/15 * * * * run-parts /etc/periodic/15min
0 * * * * run-parts /etc/periodic/hourly
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
# renew letsencrypt certs
8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

12
root/etc/logrotate.d/fail2ban Normal file
View File

@@ -0,0 +1,12 @@
/config/log/fail2ban/fail2ban.log {
weekly
rotate 7
missingok
compress
delaycompress
nodateext
postrotate
/usr/bin/fail2ban-client flushlogs 1>/dev/null || true
endscript
su abc abc
}

11
root/etc/logrotate.d/lerotate Normal file
View File

@@ -0,0 +1,11 @@
/config/log/letsencrypt/*.log {
weekly
rotate 52
compress
delaycompress
nodateext
missingok
notifempty
sharedscripts
su abc abc
}

4
root/etc/services.d/fail2ban/run Normal file
View File

@@ -0,0 +1,4 @@
#!/usr/bin/with-contenv bash
exec \
fail2ban-client -x -f start