From 57b70d654b0f5ae74cd627faad6ccca2deffa9fe Mon Sep 17 00:00:00 2001
From: gilbN
Date: Sun, 20 Sep 2020 23:30:06 +0200
Subject: [PATCH 1/7] added geoip2 configs

---
 readme-vars.yml | 2 +
 root/defaults/geoip2.conf | 83 +++++++++++++++++++++++++++++++++++++++
 root/defaults/nginx.conf | 7 ++++
 3 files changed, 92 insertions(+)
 create mode 100644 root/defaults/geoip2.conf

diff --git a/readme-vars.yml b/readme-vars.yml
index 3b86a01..7f7bfd4 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -57,6 +57,7 @@ opt_param_env_vars:
 - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
 - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
 - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
+ - { env_var: "MAXMINDDB_LICENSE_KEY", env_value: "". desc: "Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly."}
 opt_param_usage_include_vols: false
 opt_param_volumes:
 - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
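Review bot: The added `MAXMINDDB_LICENSE_KEY` entry separates `env_value: ""` from `desc:` with a period instead of a comma, which makes the flow mapping invalid YAML and will break whatever consumes readme-vars.yml to render the README. Change it to `- { env_var: "MAXMINDDB_LICENSE_KEY", env_value: "", desc: "Add your MaxmindDB license key ..." }` (comma after the empty value, and a space before the closing brace to match the neighbouring entries). The description promises an automatic download but says nothing about what happens when the variable is unset; since geoip2.conf opens the database at configuration load, the desc should state that the geoip2.conf include must stay disabled until the database exists.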
@@ -148,6 +149,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
+ - { date: "20.09.20:", desc: "Update nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
 - { date: "08.09.20:", desc: "Add php7-xsl." }
 - { date: "01.09.20:", desc: "Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets." }
 - { date: "03.08.20:", desc: "Initial release." }
diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
new file mode 100644
index 0000000..3b348ac
--- /dev/null
+++ b/root/defaults/geoip2.conf
@@ -0,0 +1,83 @@
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+# To enable, uncommment the Geoip2 config line in nginx.conf
+# Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database.
+# A Maxmind lisence key can be aqiured here: https://www.maxmind.com/en/geolite2/signup
+# The below config is for geoblocking any country/city you add. The default config is blocking all countries/cities except the ones you set to "yes".
+# If you want to do the opposite, set default to "yes", and the countries/cities to "no".
+# As the default config blocks all IP's except the ones in the GeoLite2-City.mmdb database set to yes, you will need to allow your lan ip for local access.
+
+
+geoip2 /config/geoip2db/GeoLite2-City.mmdb {
+ auto_reload 5m;
+ $geoip2_data_country_code country iso_code;
+ $geoip2_data_city_name city names en;
+}
+
+# GEOIP2 COUNTRY CONFIG
+map $geoip2_data_country_code $allowed_country {
+ default no;
+ yes; # e.g GB yes; for United Kingdom
+ IP/CIDR yes; # e.g. 192.168.1.0/24 yes; for local access.
+}
+
+#(Optional)
+# GEOIP2 CITY CONFIG
+# map $geoip2_data_city_name $allowed_city {
+# default no;
+# yes; # e.g Inverness yes;
+# IP/CIDR yes; # e.g. 192.168.1.0/24 yes; for local access.
+# }
+
+
+# Server config example:
+# Add the following if statement inside any server context you want to geo block.
+
+# COUNTRY GEO BLOCK
+# if ($allowed_country = no) {
+# return 444;
+# }
+
+# Full example:
+
+# sample config for "default" with the geo block added
+#server {
+# listen 443 ssl http2 default_server;
+# listen [::]:443 ssl http2 default_server;
+#
+# root /config/www;
+# index index.html index.htm index.php;
+#
+# server_name _;
+
+
+# COUNTRY GEO BLOCK
+# if ($allowed_country = no) {
+# return 444;
+# }
+
+
+# # enable subfolder method reverse proxy confs
+# include /config/nginx/proxy-confs/*.subfolder.conf;
+#
+# # all ssl related config moved to ssl.conf
+# include /config/nginx/ssl.conf;
+#
+# # enable for ldap auth
+# #include /config/nginx/ldap.conf;
+#
+# # enable for Authelia
+# #include /config/nginx/authelia-server.conf;
+#
+# client_max_body_size 0;
+#
+# location / {
+# try_files $uri $uri/ /index.html /index.php?$args =404;
+# }
+#
+# location ~ \.php$ {
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+# fastcgi_pass 127.0.0.1:9000;
+# fastcgi_index index.php;
+# include /etc/nginx/fastcgi_params;
+# }
+#}
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index 10b56d8..25bec0d 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -87,6 +87,13 @@ http {
 include /config/nginx/site-confs/*;
 lua_load_resty_core off;
+ ##
+ # Geoip2 config
+ ##
+ # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
+ ##
+
+ #include /config/nginx/geoip2.conf;
 }
From 9299466506817f7b18a02739df1c167a349be7b4 Mon Sep 17 00:00:00 2001
From: gilbN
Date: Sun, 20 Sep 2020 23:52:36 +0200
Subject: [PATCH 2/7] added geoip2 cp in 50-config

---
 root/etc/cont-init.d/50-config | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 8ef1feb..bc63fcb 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
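Review bot: The `IP/CIDR yes; # e.g. 192.168.1.0/24 yes; for local access.` entries in the `$allowed_country` map (and in the commented `$allowed_city` map) cannot do what the comment says: `map` compares the source variable's string value (exactly, by hostname rule or by regex), and the source here is a country code or city name, so a CIDR key never matches anything — network matching is the job of the `geo` directive on `$remote_addr`. Private and otherwise unlisted addresses have no GeoLite2 record, so the geoip2 variable should come back empty and fall through to `default`, which with `default no` blocks the LAN regardless of that line; matching the empty value (`"" yes;`) or a separate `geo` block is the correct way to carve out local access. The same wrong claim survives the rewrite of this file in PATCH 6/7 (`# Conditions are either network address (CIDR notation) or country code`, and the `#192.168.1.0/24 yes;` examples), so both places need the fix. Worth a comment too: the lookup is keyed on the connection peer address, so behind a proxy or CDN every request resolves to the proxy's location and the block is ineffective.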
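Review bot: The new comment block tells the user to uncomment `#include /config/nginx/geoip2.conf;` but not its precondition: as far as I can tell the `geoip2` directive in that file opens `/config/geoip2db/GeoLite2-City.mmdb` at configuration load, so enabling the include before the database has been downloaded (no `MAXMINDDB_LICENSE_KEY` set, or the first download not yet done) makes the whole nginx configuration fail to load rather than degrade to "no geo blocking". Extend the comment, e.g. `# Requires the GeoLite2 database in /config/geoip2db (set MAXMINDDB_LICENSE_KEY); nginx will not start if this include is enabled and the database is missing.`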
@@ -77,6 +77,8 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
 [[ ! -f /config/nginx/authelia-location.conf ]] && \
 cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
+[[ ! -f /config/nginx/geoip2.conf ]] && \
+ cp /defaults/geoip2.conf /config/nginx/geoip2.conf
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
From b3af27456ab16862f49b19444677c7d54b7b9098 Mon Sep 17 00:00:00 2001
From: gilbN
Date: Mon, 21 Sep 2020 00:01:15 +0200
Subject: [PATCH 3/7] nginx.conf version update

---
 root/defaults/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index 25bec0d..a291517 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,4 +1,4 @@
-## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 user abc;
 worker_processes 4;
From 3ac3035efd103aaa0f13187c0e7c2bcd54c49b5a Mon Sep 17 00:00:00 2001
From: gilbN
Date: Mon, 21 Sep 2020 00:39:13 +0200
Subject: [PATCH 4/7] typo

---
 root/defaults/geoip2.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
index 3b348ac..818938f 100644
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
@@ -1,7 +1,7 @@
 ## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
 # To enable, uncommment the Geoip2 config line in nginx.conf
 # Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database.
-# A Maxmind lisence key can be aqiured here: https://www.maxmind.com/en/geolite2/signup
+# A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
 # The below config is for geoblocking any country/city you add. The default config is blocking all countries/cities except the ones you set to "yes".
 # If you want to do the opposite, set default to "yes", and the countries/cities to "no".
 # As the default config blocks all IP's except the ones in the GeoLite2-City.mmdb database set to yes, you will need to allow your lan ip for local access.
From 891aa6bc717b982ee5587b1f1ea5c2f8c6d06daa Mon Sep 17 00:00:00 2001
From: Marius
Date: Tue, 22 Sep 2020 17:16:01 +0200
Subject: [PATCH 5/7] added suggested changes

---
 root/defaults/default | 6 ++++
 root/defaults/geoip2.conf | 76 ++++++++++++++++++++++----------------
 2 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/root/defaults/default b/root/defaults/default
index 384a60e..e290c6e 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -30,6 +30,12 @@ server {
 # enable for Authelia
 #include /config/nginx/authelia-server.conf;
+ # enable for geo blocking
+ # See /config/nginx/geoip2.conf for more information.
+ #if ($allowed_country = no) {
+ #return 444;
+ #}
+
 client_max_body_size 0;
 location / {
diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
index 818938f..4d63bdc 100644
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
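Review bot: The commented `#if ($allowed_country = no)` block added to `default` depends on the `$allowed_country` map, which only exists once `#include /config/nginx/geoip2.conf;` in nginx.conf has been uncommented; a user who enables this block first gets a configuration that nginx rejects with an unknown-variable error, and nothing in the two comment lines says so. Extend the first line to `# enable for geo blocking (requires the geoip2.conf include in nginx.conf to be enabled first)`. The `#return 444;` line inside the block is also worth a word in geoip2.conf's instructions: 444 drops the connection without a response, which is fine for bots but confusing for a legitimate user who is merely travelling, so the alternative of `return 403;` could be mentioned.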
@@ -30,54 +30,66 @@ map $geoip2_data_country_code $allowed_country {
 # Server config example:
-# Add the following if statement inside any server context you want to geo block.
+# Add the following if statement inside any server context where you want to geo block countries.
-# COUNTRY GEO BLOCK
+########################################
 # if ($allowed_country = no) {
 # return 444;
 # }
+#########################################
-# Full example:
+# Add the following if statement inside any server context where you want to geo block cities.
+########################################
+# if ($allowed_city = no) {
+# return 444;
+# }
+#########################################
+
+# Example using a config from proxy-confs
-# sample config for "default" with the geo block added
 #server {
-# listen 443 ssl http2 default_server;
-# listen [::]:443 ssl http2 default_server;
+# listen 443 ssl;
+# listen [::]:443 ssl;
 #
-# root /config/www;
-# index index.html index.htm index.php;
+# server_name unifi.*;
 #
-# server_name _;
+# include /config/nginx/ssl.conf;
+#
+# client_max_body_size 0;
+#
+# # enable for ldap auth, fill in ldap details in ldap.conf
+# #include /config/nginx/ldap.conf;
+#
+# # enable for Authelia
+# #include /config/nginx/authelia-server.conf;
-# COUNTRY GEO BLOCK
-# if ($allowed_country = no) {
-# return 444;
-# }
+# # Country geo block
+# if ($allowed_country = no) {
+# return 444;
+# }
-# # enable subfolder method reverse proxy confs
-# include /config/nginx/proxy-confs/*.subfolder.conf;
 #
-# # all ssl related config moved to ssl.conf
-# include /config/nginx/ssl.conf;
+# location / {
+# # enable the next two lines for http auth
+# #auth_basic "Restricted";
+# #auth_basic_user_file /config/nginx/.htpasswd;
 #
-# # enable for ldap auth
-# #include /config/nginx/ldap.conf;
+# # enable the next two lines for ldap auth
+# #auth_request /auth;
+# #error_page 401 =200 /ldaplogin;
 #
-# # enable for Authelia
-# #include /config/nginx/authelia-server.conf;
+# # enable 
for Authelia
+# #include /config/nginx/authelia-location.conf;
 #
-# client_max_body_size 0;
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app unifi-controller;
+# set $upstream_port 8443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 #
-# location / {
-# try_files $uri $uri/ /index.html /index.php?$args =404;
-# }
-#
-# location ~ \.php$ {
-# fastcgi_split_path_info ^(.+\.php)(/.+)$;
-# fastcgi_pass 127.0.0.1:9000;
-# fastcgi_index index.php;
-# include /etc/nginx/fastcgi_params;
-# }
+# proxy_buffering off;
+# }
 #}
From b58ee45818f160a10359e523911f0c811b469f95 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 22 Sep 2020 19:53:40 -0500
Subject: [PATCH 6/7] Adjust geoip2 instructions

---
 root/defaults/default | 2 +-
 root/defaults/geoip2.conf | 58 ++++++++++++++++++++++++++-------------
 2 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/root/defaults/default b/root/defaults/default
index e290c6e..c4b27ae 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -31,7 +31,7 @@ server {
 #include /config/nginx/authelia-server.conf;
 # enable for geo blocking
- # See /config/nginx/geoip2.conf for more information.
+ # See /config/nginx/geoip2.conf for more information.
 #if ($allowed_country = no) {
 #return 444;
 #}
diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
index 4d63bdc..68ce8cd 100644
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
@@ -2,32 +2,52 @@
 # To enable, uncommment the Geoip2 config line in nginx.conf
 # Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database.
 # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
-# The below config is for geoblocking any country/city you add. The default config is blocking all countries/cities except the ones you set to "yes".
-# If you want to do the opposite, set default to "yes", and the countries/cities to "no".
-# As the default config blocks all IP's except the ones in the GeoLite2-City.mmdb database set to yes, you will need to allow your lan ip for local access.
-
-geoip2 /config/geoip2db/GeoLite2-City.mmdb {
- auto_reload 5m;
- $geoip2_data_country_code country iso_code;
- $geoip2_data_city_name city names en;
+geoip2 /config/geoip2db//GeoLite2-City.mmdb {
+ auto_reload 1w;
+ $geoip2_data_city_name city names en;
+ $geoip2_data_postal_code postal code;
+ $geoip2_data_latitude location latitude;
+ $geoip2_data_longitude location longitude;
+ $geoip2_data_state_name subdivisions 0 names en;
+ $geoip2_data_state_code subdivisions 0 iso_code;
+ $geoip2_data_continent_code continent code;
+ $geoip2_data_country_iso_code country iso_code;
 }
 # GEOIP2 COUNTRY CONFIG
-map $geoip2_data_country_code $allowed_country {
- default no;
- yes; # e.g GB yes; for United Kingdom
- IP/CIDR yes; # e.g. 192.168.1.0/24 yes; for local access.
+map $geoip2_data_country_iso_code $allowed_country {
+ # default must be yes or no
+ default yes;
+
+ # Below you will setup conditions with yes or no
+ # ex: ;
+ # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+ # Conditions are either network address (CIDR notation) or country code
+
+ # allow United Kingdom.
+ #GB yes;
+
+ # allow local access.
+ #192.168.1.0/24 yes;
 }
-#(Optional)
 # GEOIP2 CITY CONFIG
-# map $geoip2_data_city_name $allowed_city {
-# default no;
-# yes; # e.g Inverness yes;
-# IP/CIDR yes; # e.g. 
192.168.1.0/24 yes; for local access.
-# }
+map $geoip2_data_city_name $allowed_city {
+ # default must be yes or no
+ default yes;
+ # Below you will setup conditions with yes or no
+ # ex: ;
+ # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+ # Conditions are either network address (CIDR notation) or city name
+
+ # allow Inverness.
+ #Inverness yes;
+
+ # allow local access.
+ #192.168.1.0/24 yes;
+}
 # Server config example:
 # Add the following if statement inside any server context where you want to geo block countries.
@@ -64,7 +84,7 @@ map $geoip2_data_country_code $allowed_country {
 # #include /config/nginx/authelia-server.conf;
-# # Country geo block
+# # Country geo block
 # if ($allowed_country = no) {
 # return 444;
 # }
From f626c5f0d4bec845d62eedce82dfb84b8ad0603c Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 22 Sep 2020 20:08:00 -0500
Subject: [PATCH 7/7] Update geoip2.conf

---
 root/defaults/geoip2.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/defaults/geoip2.conf b/root/defaults/geoip2.conf
index 68ce8cd..67dd348 100644
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
@@ -3,7 +3,7 @@
 # Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database.
 # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
-geoip2 /config/geoip2db//GeoLite2-City.mmdb {
+geoip2 /config/geoip2db/GeoLite2-City.mmdb {
 auto_reload 1w;
 $geoip2_data_city_name city names en;
 $geoip2_data_postal_code postal code;
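Review bot: Switching both maps to `default yes;` while every condition is commented out means the file as shipped is fail-open: a user who follows the instructions and uncomments `if ($allowed_country = no)` gets a configuration that blocks nothing, and the comment `# default must be yes or no` does not say which way is which. Say it next to the directive, e.g. `# default yes = allow everything not listed below (deny-list); set to no for an allow-list of countries`. It is also worth stating that clients with no GeoLite2 record (private addresses, freshly assigned ranges) should yield an empty variable and therefore take the default, since that is the only way `default no` and LAN access interact. City names containing spaces must be quoted as map keys (`"New York" yes;`), which the `#Inverness yes;` example does not show. The `# ex: ;` line in both maps reads as though a placeholder was lost; confirm the committed file actually contains the intended `<condition> yes|no;` text.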