linuxserver/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2025-11-04 06:52:37 +09:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into standalone-dns-validation

Browse Source
This commit is contained in:
aptalca
2022-04-05 19:08:28 -04:00
committed by GitHub
parent a29f2da10e a9e53d5fc8
commit eb7df9d9fc
11 changed files with 128 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@@ -132,6 +132,11 @@ RUN \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** correct ip6tables legacy issue ****" && \
rm \
/sbin/ip6tables && \
ln -s \
/sbin/ip6tables-nft /sbin/ip6tables && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \

5
Dockerfile.aarch64
View File

@@ -132,6 +132,11 @@ RUN \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** correct ip6tables legacy issue ****" && \
rm \
/sbin/ip6tables && \
ln -s \
/sbin/ip6tables-nft /sbin/ip6tables && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \

5
Dockerfile.armhf
View File

@@ -131,6 +131,11 @@ RUN \
certbot-plugin-gandi \ certbot-plugin-gandi \
cryptography \ cryptography \
requests && \ requests && \
echo "**** correct ip6tables legacy issue ****" && \
rm \
/sbin/ip6tables && \
ln -s \
/sbin/ip6tables-nft /sbin/ip6tables && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \

58
Jenkinsfile vendored
View File

@@ -118,12 +118,11 @@ pipeline {
script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''', script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''',
returnStdout: true).trim() returnStdout: true).trim()
env.SEMVER = (new Date()).format('YYYY.MM.dd') def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/
def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)$/
if (semver.find()) { if (semver.find()) {
env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
} else { } else {
semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)$/ semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/
if (semver.find()) { if (semver.find()) {
if (semver[0][3]) { if (semver[0][3]) {
env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
@@ -133,7 +132,15 @@ pipeline {
} }
} }
if (env.SEMVER != null) {
if (BRANCH_NAME != "master" && BRANCH_NAME != "main") {
env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"
}
println("SEMVER: ${env.SEMVER}") println("SEMVER: ${env.SEMVER}")
} else {
println("No SEMVER detected")
}
} }
} }
} }
@@ -402,10 +409,10 @@ pipeline {
steps{ steps{
sh '''#! /bin/bash sh '''#! /bin/bash
set -e set -e
PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid') PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid')
if [ -z "${PACKAGE_UUID}" ]; then if [ -z "${PACKAGE_UUID}" ]; then
echo "Adding package to Scarf.sh" echo "Adding package to Scarf.sh"
PACKAGE_UUID=$(curl -sX POST https://scarf.sh/api/v1/packages \ curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \
-H "Authorization: Bearer ${SCARF_TOKEN}" \ -H "Authorization: Bearer ${SCARF_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{"name":"linuxserver/swag",\ -d '{"name":"linuxserver/swag",\
@@ -413,22 +420,10 @@ pipeline {
"libraryType":"docker",\ "libraryType":"docker",\
"website":"https://github.com/linuxserver/docker-swag",\ "website":"https://github.com/linuxserver/docker-swag",\
"backendUrl":"https://ghcr.io/linuxserver/swag",\ "backendUrl":"https://ghcr.io/linuxserver/swag",\
"publicUrl":"https://lscr.io/linuxserver/swag"}' \ "publicUrl":"https://lscr.io/linuxserver/swag"}' || :
| jq -r .uuid)
else else
echo "Package already exists on Scarf.sh" echo "Package already exists on Scarf.sh"
fi fi
echo "Setting permissions on Scarf.sh for package ${PACKAGE_UUID}"
curl -X POST https://scarf.sh/api/v1/packages/${PACKAGE_UUID}/permissions \
-H "Authorization: Bearer ${SCARF_TOKEN}" \
-H "Content-Type: application/json" \
-d '[{"userQuery":"Spad","permissionLevel":"admin"},\
{"userQuery":"roxedus","permissionLevel":"admin"},\
{"userQuery":"nemchik","permissionLevel":"admin"},\
{"userQuery":"driz","permissionLevel":"admin"},\
{"userQuery":"aptalca","permissionLevel":"admin"},\
{"userQuery":"saarg","permissionLevel":"admin"},\
{"userQuery":"Stark","permissionLevel":"admin"}]'
''' '''
} }
} }
@@ -752,11 +747,15 @@ pipeline {
docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG} docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG} docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
if [ -n "${SEMVER}" ]; then
docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER}
fi
docker push ${PUSHIMAGE}:latest docker push ${PUSHIMAGE}:latest
docker push ${PUSHIMAGE}:${META_TAG} docker push ${PUSHIMAGE}:${META_TAG}
docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG} docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
if [ -n "${SEMVER}" ]; then
docker push ${PUSHIMAGE}:${SEMVER} docker push ${PUSHIMAGE}:${SEMVER}
fi
done done
''' '''
} }
@@ -765,8 +764,10 @@ pipeline {
docker rmi \ docker rmi \
${DELETEIMAGE}:${META_TAG} \ ${DELETEIMAGE}:${META_TAG} \
${DELETEIMAGE}:${EXT_RELEASE_TAG} \ ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
${DELETEIMAGE}:latest \ ${DELETEIMAGE}:latest || :
${DELETEIMAGE}:${SEMVER} || : if [ -n "${SEMVER}" ]; then
docker rmi ${DELETEIMAGE}:${SEMVER} || :
fi
done done
''' '''
} }
@@ -816,9 +817,11 @@ pipeline {
docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
if [ -n "${SEMVER}" ]; then
docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER}
docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
fi
docker push ${MANIFESTIMAGE}:amd64-${META_TAG} docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
@@ -828,9 +831,11 @@ pipeline {
docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
if [ -n "${SEMVER}" ]; then
docker push ${MANIFESTIMAGE}:amd64-${SEMVER} docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER}
docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
fi
docker manifest push --purge ${MANIFESTIMAGE}:latest || : docker manifest push --purge ${MANIFESTIMAGE}:latest || :
docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
@@ -843,14 +848,18 @@ pipeline {
docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8 docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
if [ -n "${SEMVER}" ]; then
docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || :
docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm
docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8
fi
docker manifest push --purge ${MANIFESTIMAGE}:latest docker manifest push --purge ${MANIFESTIMAGE}:latest
docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG}
docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG}
if [ -n "${SEMVER}" ]; then
docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER}
fi
done done
''' '''
} }
@@ -860,15 +869,18 @@ pipeline {
${DELETEIMAGE}:amd64-${META_TAG} \ ${DELETEIMAGE}:amd64-${META_TAG} \
${DELETEIMAGE}:amd64-latest \ ${DELETEIMAGE}:amd64-latest \
${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \ ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \
${DELETEIMAGE}:amd64-${SEMVER} \
${DELETEIMAGE}:arm32v7-${META_TAG} \ ${DELETEIMAGE}:arm32v7-${META_TAG} \
${DELETEIMAGE}:arm32v7-latest \ ${DELETEIMAGE}:arm32v7-latest \
${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \ ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \
${DELETEIMAGE}:arm32v7-${SEMVER} \
${DELETEIMAGE}:arm64v8-${META_TAG} \ ${DELETEIMAGE}:arm64v8-${META_TAG} \
${DELETEIMAGE}:arm64v8-latest \ ${DELETEIMAGE}:arm64v8-latest \
${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} \ ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
if [ -n "${SEMVER}" ]; then
docker rmi \
${DELETEIMAGE}:amd64-${SEMVER} \
${DELETEIMAGE}:arm32v7-${SEMVER} \
${DELETEIMAGE}:arm64v8-${SEMVER} || : ${DELETEIMAGE}:arm64v8-${SEMVER} || :
fi
done done
docker rmi \ docker rmi \
ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \ ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \

7
README.md
View File

@@ -29,6 +29,7 @@ Find us at:
# [linuxserver/swag](https://github.com/linuxserver/docker-swag) # [linuxserver/swag](https://github.com/linuxserver/docker-swag)
[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag)
[![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag) [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag)
[![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases) [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases)
[![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages) [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages)
@@ -102,11 +103,12 @@ This will *ask* Google et al not to index and list your site. Be careful with th
### Using fail2ban ### Using fail2ban
* This container includes fail2ban set up with 4 jails by default: * This container includes fail2ban set up with 5 jails by default:
1. nginx-http-auth 1. nginx-http-auth
2. nginx-badbots 2. nginx-badbots
3. nginx-botsearch 3. nginx-botsearch
4. nginx-deny 4. nginx-deny
5. nginx-unauthorized
* To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To enable or disable other jails, modify the file `/config/fail2ban/jail.local`
* To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`)
* You can check which jails are active via `docker exec -it swag fail2ban-client status` * You can check which jails are active via `docker exec -it swag fail2ban-client status`
@@ -329,6 +331,9 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions ## Versions
* **28.03.22:** - created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config
* **09.01.22:** - Added a fail2ban jail for nginx unauthorized
* **21.12.21:** - Fixed issue with iptables not working as expected
* **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)
* **22.11.21:** - Added support for Infomaniak DNS for certificate generation. * **22.11.21:** - Added support for Infomaniak DNS for certificate generation.
* **20.11.21:** - Added support for dnspod validation. * **20.11.21:** - Added support for dnspod validation.

48
package_versions.txt
View File

@@ -1,26 +1,26 @@
alpine-baselayout-3.2.0-r16 alpine-baselayout-3.2.0-r16
alpine-keys-2.4-r0 alpine-keys-2.4-r0
apache2-utils-2.4.51-r0 apache2-utils-2.4.53-r0
apk-tools-2.12.7-r0 apk-tools-2.12.7-r0
apr-1.7.0-r0 apr-1.7.0-r0
apr-util-1.6.1-r7 apr-util-1.6.1-r7
argon2-libs-20190702-r1 argon2-libs-20190702-r1
bash-5.1.4-r0 bash-5.1.16-r0
brotli-libs-1.0.9-r5 brotli-libs-1.0.9-r5
busybox-1.33.1-r6 busybox-1.33.1-r7
c-client-2007f-r11 c-client-2007f-r11
ca-certificates-20191127-r5 ca-certificates-20211220-r0
ca-certificates-bundle-20191127-r5 ca-certificates-bundle-20211220-r0
coreutils-8.32-r2 coreutils-8.32-r2
curl-7.79.1-r0 curl-7.79.1-r0
expat-2.4.1-r0 expat-2.4.7-r0
fail2ban-0.11.2-r0 fail2ban-0.11.2-r0
freetype-2.10.4-r1 freetype-2.10.4-r1
gdbm-1.19-r0 gdbm-1.19-r0
git-2.32.0-r0 git-2.32.0-r0
git-perl-2.32.0-r0 git-perl-2.32.0-r0
glib-2.68.3-r0 glib-2.68.3-r0
gmp-6.2.1-r0 gmp-6.2.1-r1
gnupg-2.2.31-r0 gnupg-2.2.31-r0
gnutls-3.7.1-r0 gnutls-3.7.1-r0
icu-libs-67.1-r2 icu-libs-67.1-r2
@@ -29,12 +29,12 @@ iptables-1.8.7-r1
libacl-2.2.53-r0 libacl-2.2.53-r0
libassuan-2.5.5-r0 libassuan-2.5.5-r0
libattr-2.5.1-r0 libattr-2.5.1-r0
libblkid-2.37.2-r0 libblkid-2.37.4-r0
libbsd-0.11.3-r0 libbsd-0.11.3-r0
libbz2-1.0.8-r1 libbz2-1.0.8-r1
libc-utils-0.7.2-r3 libc-utils-0.7.2-r3
libcap-2.50-r0 libcap-2.50-r0
libcrypto1.1-1.1.1l-r0 libcrypto1.1-1.1.1n-r0
libcurl-7.79.1-r0 libcurl-7.79.1-r0
libedit-20210216.3.1-r0 libedit-20210216.3.1-r0
libevent-2.1.12-r2 libevent-2.1.12-r2
@@ -55,37 +55,37 @@ libmcrypt-2.5.8-r9
libmd-1.0.3-r0 libmd-1.0.3-r0
libmemcached-libs-1.0.18-r4 libmemcached-libs-1.0.18-r4
libmnl-1.0.4-r1 libmnl-1.0.4-r1
libmount-2.37.2-r0 libmount-2.37.4-r0
libnftnl-libs-1.2.0-r0 libnftnl-libs-1.2.0-r0
libpng-1.6.37-r1 libpng-1.6.37-r1
libpq-13.5-r0 libpq-13.6-r0
libproc-3.3.17-r0 libproc-3.3.17-r0
libressl3.3-libcrypto-3.3.3-r0 libressl3.3-libcrypto-3.3.6-r0
libressl3.3-libssl-3.3.3-r0 libressl3.3-libssl-3.3.6-r0
libretls-3.3.3p1-r2 libretls-3.3.3p1-r3
libsasl-2.1.27-r12 libsasl-2.1.28-r0
libseccomp-2.5.1-r2 libseccomp-2.5.1-r2
libsecret-0.20.4-r1 libsecret-0.20.4-r1
libsm-1.2.3-r0 libsm-1.2.3-r0
libsodium-1.0.18-r0 libsodium-1.0.18-r0
libssl1.1-1.1.1l-r0 libssl1.1-1.1.1n-r0
libstdc++-10.3.1_git20210424-r2 libstdc++-10.3.1_git20210424-r2
libtasn1-4.17.0-r0 libtasn1-4.17.0-r0
libunistring-0.9.10-r1 libunistring-0.9.10-r1
libuuid-2.37.2-r0 libuuid-2.37.4-r0
libwebp-1.2.0-r2 libwebp-1.2.0-r2
libx11-1.7.2-r0 libx11-1.7.2-r0
libxau-1.0.9-r0 libxau-1.0.9-r0
libxcb-1.14-r2 libxcb-1.14-r2
libxdmcp-1.1.3-r0 libxdmcp-1.1.3-r0
libxext-1.3.4-r0 libxext-1.3.4-r0
libxml2-2.9.12-r1 libxml2-2.9.13-r0
libxpm-3.5.13-r0 libxpm-3.5.13-r0
libxslt-1.1.34-r1 libxslt-1.1.35-r0
libxt-1.2.1-r0 libxt-1.2.1-r0
libzip-1.7.3-r2 libzip-1.7.3-r2
linux-pam-1.5.1-r1 linux-pam-1.5.1-r1
logrotate-3.18.1-r0 logrotate-3.18.1-r1
lz4-libs-1.9.3-r1 lz4-libs-1.9.3-r1
memcached-1.6.9-r0 memcached-1.6.9-r0
mpdecimal-2.5.1-r1 mpdecimal-2.5.1-r1
@@ -118,7 +118,7 @@ nginx-mod-stream-geoip2-1.20.2-r0
nginx-vim-1.20.2-r0 nginx-vim-1.20.2-r0
npth-1.6-r0 npth-1.6-r0
oniguruma-6.9.7.1-r0 oniguruma-6.9.7.1-r0
openssl-1.1.1l-r0 openssl-1.1.1n-r0
p11-kit-0.23.22-r0 p11-kit-0.23.22-r0
pcre-8.44-r0 pcre-8.44-r0
pcre2-10.36-r0 pcre2-10.36-r0
@@ -216,12 +216,12 @@ scanelf-1.3.2-r0
shadow-4.8.1-r0 shadow-4.8.1-r0
skalibs-2.10.0.3-r0 skalibs-2.10.0.3-r0
sqlite-libs-3.35.5-r0 sqlite-libs-3.35.5-r0
ssl_client-1.33.1-r6 ssl_client-1.33.1-r7
tzdata-2021e-r0 tzdata-2022a-r0
unixodbc-2.3.9-r1 unixodbc-2.3.9-r1
utmps-0.1.0.2-r0 utmps-0.1.0.2-r0
whois-5.5.10-r0 whois-5.5.10-r0
xz-5.2.5-r0 xz-5.2.5-r0
xz-libs-5.2.5-r0 xz-libs-5.2.5-r0
zlib-1.2.11-r3 zlib-1.2.12-r0
zstd-libs-1.4.9-r1 zstd-libs-1.4.9-r1

6
readme-vars.yml
View File

@@ -120,11 +120,12 @@ app_setup_block: |
### Using fail2ban ### Using fail2ban
* This container includes fail2ban set up with 4 jails by default: * This container includes fail2ban set up with 5 jails by default:
1. nginx-http-auth 1. nginx-http-auth
2. nginx-badbots 2. nginx-badbots
3. nginx-botsearch 3. nginx-botsearch
4. nginx-deny 4. nginx-deny
5. nginx-unauthorized
* To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To enable or disable other jails, modify the file `/config/fail2ban/jail.local`
* To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`)
* You can check which jails are active via `docker exec -it swag fail2ban-client status` * You can check which jails are active via `docker exec -it swag fail2ban-client status`
@@ -155,6 +156,9 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog # changelog
changelogs: changelogs:
- { date: "05.04.22:", desc: "Added support for standalone DNS validation." } - { date: "05.04.22:", desc: "Added support for standalone DNS validation." }
- { date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config" }
- { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
- { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
- { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }
- { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." } - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }
- { date: "20.11.21:", desc: "Added support for dnspod validation." } - { date: "20.11.21:", desc: "Added support for dnspod validation." }

7
root/defaults/fail2ban/filter.d/nginx-unauthorized.conf Normal file
View File

@@ -0,0 +1,7 @@
# A fail2ban filter for unauthorized log messages
[Definition]
failregex = ^(?!.*?(?i)plex)<HOST>.*"(GET|POST|HEAD).*" 401 .*$
ignoreregex =

20
root/defaults/jail.local
View File

@@ -1,10 +1,14 @@
## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local ## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban # This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters # Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters # Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container # folder and restart the container
[DEFAULT] [DEFAULT]
# Prevents banning LAN subnets
ignoreip = 10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports". # Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports banaction = iptables-allports
@@ -21,37 +25,35 @@ maxretry = 5
[ssh] [ssh]
enabled = false enabled = false
[nginx-http-auth] [nginx-http-auth]
enabled = true enabled = true
filter = nginx-http-auth filter = nginx-http-auth
port = http,https port = http,https
logpath = /config/log/nginx/error.log logpath = /config/log/nginx/error.log
[nginx-badbots] [nginx-badbots]
enabled = true enabled = true
port = http,https port = http,https
filter = nginx-badbots filter = nginx-badbots
logpath = /config/log/nginx/access.log logpath = /config/log/nginx/access.log
maxretry = 2 maxretry = 2
[nginx-botsearch] [nginx-botsearch]
enabled = true enabled = true
port = http,https port = http,https
filter = nginx-botsearch filter = nginx-botsearch
logpath = /config/log/nginx/access.log logpath = /config/log/nginx/access.log
[nginx-deny] [nginx-deny]
enabled = true enabled = true
port = http,https port = http,https
filter = nginx-deny filter = nginx-deny
logpath = /config/log/nginx/error.log logpath = /config/log/nginx/error.log
[nginx-unauthorized]
enabled = true
port = http,https
filter = nginx-unauthorized
logpath = /config/log/nginx/unauthorized.log

9
root/defaults/nginx.conf
View File

@@ -1,4 +1,4 @@
## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf ## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
user abc; user abc;
@@ -55,6 +55,13 @@ http {
'' close; '' close;
} }
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write. # Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log; access_log /config/log/nginx/access.log;

2
root/etc/cont-init.d/50-config
View File

@@ -369,6 +369,8 @@ fi
touch /config/log/nginx/error.log touch /config/log/nginx/error.log
[[ ! -f /config/log/nginx/access.log ]] && \ [[ ! -f /config/log/nginx/access.log ]] && \
touch /config/log/nginx/access.log touch /config/log/nginx/access.log
[[ ! -f /config/log/nginx/unauthorized.log ]] && \
touch /config/log/nginx/unauthorized.log
# permissions # permissions
chown -R abc:abc \ chown -R abc:abc \