diff --git a/readme-vars.yml b/readme-vars.yml
index 3b86a01..7f7bfd4 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -57,6 +57,7 @@ opt_param_env_vars:
 - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
 - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
 - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
+ - { env_var: "MAXMINDDB_LICENSE_KEY", env_value: "". desc: "Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly."}
 opt_param_usage_include_vols: false
 opt_param_volumes:
 - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
@@ -148,6 +149,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
+ - { date: "20.09.20:", desc: "Update nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
 - { date: "08.09.20:", desc: "Add php7-xsl." }
 - { date: "01.09.20:", desc: "Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets." }
 - { date: "03.08.20:", desc: "Initial release." }
diff --git a/root/defaults/default b/root/defaults/default
index 384a60e..c4b27ae 100644
--- a/root/defaults/default
+++ b/root/defaults/default
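Review bot: The new MAXMINDDB_LICENSE_KEY entry separates `env_value` from `desc` with a period instead of a comma (`env_value: "". desc:`), which is not a valid flow mapping and should make the readme template's YAML load fail; change it to `env_value: "", desc:`. A space before the closing brace (`"}` → `" }`) would also match the surrounding entries. Since the value is a MaxMind account credential, the description could add that it is only needed when the automatic database download is wanted and can otherwise stay empty.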
@@ -30,6 +30,12 @@ server {
 # enable for Authelia
 #include /config/nginx/authelia-server.conf;
+ # enable for geo blocking
+ # See /config/nginx/geoip2.conf for more information.
+ #if ($allowed_country = no) {
+ #return 444;
+ #}
+
 client_max_body_size 0;
 location / {
diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
new file mode 100644
index 0000000..67dd348
--- /dev/null
+++ b/root/defaults/geoip2.conf
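Review bot: The commented `#if ($allowed_country = no)` block depends on the `map` defined in geoip2.conf, which is only loaded once the `#include /config/nginx/geoip2.conf;` line in nginx.conf is uncommented; enabling this block on its own should make nginx reject the configuration with an unknown-variable error for `$allowed_country`. The added comment only points at geoip2.conf, so I would state the prerequisite explicitly, e.g. `# Requires the geoip2.conf include in nginx.conf to be enabled first (it defines $allowed_country).` The enclosing `server {` block begins before and ends after this hunk.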
@@ -0,0 +1,115 @@
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+# To enable, uncommment the Geoip2 config line in nginx.conf
+# Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database.
+# A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
+
+geoip2 /config/geoip2db/GeoLite2-City.mmdb {
+ auto_reload 1w;
+ $geoip2_data_city_name city names en;
+ $geoip2_data_postal_code postal code;
+ $geoip2_data_latitude location latitude;
+ $geoip2_data_longitude location longitude;
+ $geoip2_data_state_name subdivisions 0 names en;
+ $geoip2_data_state_code subdivisions 0 iso_code;
+ $geoip2_data_continent_code continent code;
+ $geoip2_data_country_iso_code country iso_code;
+}
+
+# GEOIP2 COUNTRY CONFIG
+map $geoip2_data_country_iso_code $allowed_country {
+ # default must be yes or no
+ default yes;
+
+ # Below you will setup conditions with yes or no
+ # ex: ;
+ # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+ # Conditions are either network address (CIDR notation) or country code
+
+ # allow United Kingdom.
+ #GB yes;
+
+ # allow local access.
+ #192.168.1.0/24 yes;
+}
+
+# GEOIP2 CITY CONFIG
+map $geoip2_data_city_name $allowed_city {
+ # default must be yes or no
+ default yes;
+
+ # Below you will setup conditions with yes or no
+ # ex: ;
+ # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+ # Conditions are either network address (CIDR notation) or city name
+
+ # allow Inverness.
+ #Inverness yes;
+
+ # allow local access.
+ #192.168.1.0/24 yes;
+}
+
+# Server config example:
+# Add the following if statement inside any server context where you want to geo block countries.
+
+########################################
+# if ($allowed_country = no) {
+# return 444;
+# }
+#########################################
+
+# Add the following if statement inside any server context where you want to geo block cities.
+########################################
+# if ($allowed_city = no) {
+# return 444;
+# }
+#########################################
+
+# Example using a config from proxy-confs
+
+#server {
+# listen 443 ssl;
+# listen [::]:443 ssl;
+#
+# server_name unifi.*;
+#
+# include /config/nginx/ssl.conf;
+#
+# client_max_body_size 0;
+#
+# # enable for ldap auth, fill in ldap details in ldap.conf
+# #include /config/nginx/ldap.conf;
+#
+# # enable for Authelia
+# #include /config/nginx/authelia-server.conf;
+
+
+# # Country geo block
+# if ($allowed_country = no) {
+# return 444;
+# }
+
+
+#
+# location / {
+# # enable the next two lines for http auth
+# #auth_basic "Restricted";
+# #auth_basic_user_file /config/nginx/.htpasswd;
+#
+# # enable the next two lines for ldap auth
+# #auth_request /auth;
+# #error_page 401 =200 /ldaplogin;
+#
+# # enable for Authelia
+# #include /config/nginx/authelia-location.conf;
+#
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app unifi-controller;
+# set $upstream_port 8443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#
+# proxy_buffering off;
+# }
+#}
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index 10b56d8..a291517 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,4 +1,4 @@
-## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 user abc;
 worker_processes 4;
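Review bot: Both `map` blocks are keyed on a GeoIP string (`$geoip2_data_country_iso_code`, `$geoip2_data_city_name`), and nginx `map` matches that string literally or by regex, so the commented `#192.168.1.0/24 yes;` entries can never match a client address and the comment `# Conditions are either network address (CIDR notation) or country code` is misleading. Address-based exceptions need a separate `geo` block on `$remote_addr` whose result is combined with the country or city decision, and the comment should say that instead of suggesting CIDR keys here. Note also that `default yes;` means any request whose address is absent from the database (private ranges, a missing or stale GeoLite2-City.mmdb) is allowed; a reader switching to an allow-list with `default no;` needs to know that, so a one-line comment next to `default` would help. The `# ex: ;` lines read as empty examples, presumably lost markup — worth confirming against the repository file.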
@@ -87,6 +87,13 @@ http {
 include /config/nginx/site-confs/*;
 lua_load_resty_core off;
+ ##
+ # Geoip2 config
+ ##
+ # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
+ ##
+
+ #include /config/nginx/geoip2.conf;
 }
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 8ef1feb..bc63fcb 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -77,6 +77,8 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
 [[ ! -f /config/nginx/authelia-location.conf ]] && \
 cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
+[[ ! -f /config/nginx/geoip2.conf ]] && \
+ cp /defaults/geoip2.conf /config/nginx/geoip2.conf
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
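Review bot: The new copy is guarded by `[[ ! -f ... ]]` like its neighbours, so a user-edited /config/nginx/geoip2.conf is preserved, but nothing in this diff as shown reads MAXMINDDB_LICENSE_KEY or fetches GeoLite2-City.mmdb into /config/geoip2db, even though readme-vars.yml and geoip2.conf tell users that setting the variable triggers the download. If that step lives elsewhere (the image build or a package-provided updater), a comment on the new lines naming it would save the next reader a search, e.g. `# geoip2.conf defaults only; the GeoLite2 database download is handled by <component, to be filled in>`; if it does not exist yet, the readme promise is ahead of the code.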