Compare commits
2 commits
antifascis
...
args-defau
Author | SHA1 | Date | |
---|---|---|---|
33a62a9f82 | |||
932627b941 |
8 changed files with 15 additions and 61 deletions
|
@ -1,4 +1,4 @@
|
||||||
steps:
|
pipeline:
|
||||||
publish:
|
publish:
|
||||||
image: "docker.io/woodpeckerci/plugin-docker-buildx"
|
image: "docker.io/woodpeckerci/plugin-docker-buildx"
|
||||||
settings:
|
settings:
|
||||||
|
@ -11,17 +11,15 @@ steps:
|
||||||
build_args:
|
build_args:
|
||||||
- "ALPINE_VERSION=${ALPINE_VERSION}"
|
- "ALPINE_VERSION=${ALPINE_VERSION}"
|
||||||
- "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
|
- "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
|
||||||
- "NGINX_VERSION=${NGINX_VERSION}"
|
|
||||||
- "BASE_IMAGE=gitea.nulo.in/sutty/monit"
|
- "BASE_IMAGE=gitea.nulo.in/sutty/monit"
|
||||||
- "EXTRA_PACKAGES=${EXTRA_PACKAGES}"
|
secrets:
|
||||||
password:
|
- "DOCKER_PASSWORD"
|
||||||
from_secret: "DOCKER_PASSWORD"
|
|
||||||
when:
|
when:
|
||||||
branch: "antifascista"
|
branch: "antifascista"
|
||||||
event: "push"
|
event: "push"
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
ALPINE_VERSION:
|
||||||
- ALPINE_VERSION: "3.20.3"
|
- "3.18.3"
|
||||||
ACCESS_LOG_VERSION: "0.5.9"
|
- "3.17.5"
|
||||||
NGINX_VERSION: "1.26.2-r0"
|
ACCESS_LOG_VERSION:
|
||||||
EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
|
- "0.5.5"
|
||||||
|
|
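Review bot: The publish step's `image: "docker.io/woodpeckerci/plugin-docker-buildx"` in the first hunk carries neither a tag nor a digest, so every run pulls whatever the registry resolves as `latest` at that moment; pinning it, `image: "docker.io/woodpeckerci/plugin-docker-buildx:<version>"` (placeholder) or better a `@sha256:` digest, keeps the step that receives `DOCKER_PASSWORD` reproducible and auditable. In the second hunk the registry credential is passed through the step-level `secrets:` list, which is the legacy Woodpecker form; the `password: from_secret: "DOCKER_PASSWORD"` binding under `settings:` is what current releases expect and ties the secret to the one setting that consumes it. Likewise `pipeline:` in the first hunk is the pre-1.0 keyword for what Woodpecker now calls `steps:`, so this file will stop parsing once the deprecated spellings are dropped. The matrix values under `ALPINE_VERSION:` and `ACCESS_LOG_VERSION:` are correctly quoted, so `"3.18.3"` and `"0.5.5"` survive as strings rather than floats.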
14
Dockerfile
14
Dockerfile
|
@ -1,17 +1,15 @@
|
||||||
ARG ALPINE_VERSION=3.18.3
|
ARG ALPINE_VERSION=3.18.3
|
||||||
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
|
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
|
||||||
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
|
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
|
||||||
LABEL org.opencontainers.image.authors="f@sutty.nl"
|
MAINTAINER "f <f@sutty.nl>"
|
||||||
|
|
||||||
ARG NGINX_VERSION="1.24.0-r7"
|
|
||||||
ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
|
ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
|
||||||
ARG ACCESS_LOG_VERSION="0.5.6"
|
ARG ACCESS_LOG_VERSION="0.5.5"
|
||||||
ARG EXTRA_PACKAGES
|
|
||||||
|
|
||||||
ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
|
ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
|
||||||
|
|
||||||
# Install nginx and remove default config
|
# Install nginx and remove default config
|
||||||
RUN apk add --no-cache nginx~${NGINX_VERSION} daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
|
RUN apk add --no-cache nginx daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
|
||||||
&& rm -rf /etc/nginx
|
&& rm -rf /etc/nginx
|
||||||
|
|
||||||
# Add ssl group so nginx has access to certificates
|
# Add ssl group so nginx has access to certificates
|
||||||
|
@ -21,14 +19,15 @@ RUN addgroup nginx ssl
|
||||||
COPY ./monit.conf /etc/monit.d/nginx.conf
|
COPY ./monit.conf /etc/monit.d/nginx.conf
|
||||||
COPY ./prometheusd.sh /usr/local/bin/prometheusd
|
COPY ./prometheusd.sh /usr/local/bin/prometheusd
|
||||||
COPY ./access_logd.sh /usr/bin/access_logd
|
COPY ./access_logd.sh /usr/bin/access_logd
|
||||||
COPY --chown=nginx:nginx ./nginx /etc/nginx
|
COPY ./nginx /etc/nginx
|
||||||
COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
|
COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
|
||||||
|
|
||||||
# Install modules after rewriting /etc/nginx
|
# Install modules after rewriting /etc/nginx
|
||||||
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
|
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2
|
||||||
|
|
||||||
# Add support for request_uri parsing if access_log >= 0.3.0
|
# Add support for request_uri parsing if access_log >= 0.3.0
|
||||||
RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
|
RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
|
||||||
|
RUN chown -R nginx:nginx /etc/nginx
|
||||||
RUN nginx -t
|
RUN nginx -t
|
||||||
|
|
||||||
RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
||||||
|
@ -37,7 +36,6 @@ RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
||||||
VOLUME /etc/nginx/sites
|
VOLUME /etc/nginx/sites
|
||||||
VOLUME /etc/letsencrypt
|
VOLUME /etc/letsencrypt
|
||||||
VOLUME /var/lib/letsencrypt
|
VOLUME /var/lib/letsencrypt
|
||||||
VOLUME /var/log
|
|
||||||
|
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
EXPOSE 443
|
EXPOSE 443
|
||||||
|
|
|
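Review bot: On the new side of the first hunk `RUN apk add --no-cache nginx daemonize access_log~${ACCESS_LOG_VERSION} ...` installs nginx with no version constraint while `access_log` stays pinned, so two builds of the same Dockerfile can ship different nginx packages and a silent upstream bump is never seen in review; declaring `ARG NGINX_VERSION` and installing `nginx~${NGINX_VERSION}` makes the version an explicit, diffable input like the other pins. The same hunk uses `MAINTAINER "f <f@sutty.nl>"`, an instruction Docker has deprecated in favour of `LABEL org.opencontainers.image.authors="f@sutty.nl"`. In the second hunk `RUN chown -R nginx:nginx /etc/nginx` gives the runtime user ownership of its own configuration tree; if nginx only needs to read it, `chown -R root:nginx /etc/nginx` with group-read permissions keeps a compromised worker from rewriting the config, and if some path under it must be writable a comment naming that path would justify the broad chown.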
@ -10,8 +10,6 @@ pid=/run/access_logd.pid
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
start)
|
start)
|
||||||
test -f $pid && exit 0
|
|
||||||
|
|
||||||
# Copy default database
|
# Copy default database
|
||||||
install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
|
install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
|
||||||
|
|
||||||
|
@ -19,7 +17,7 @@ case $1 in
|
||||||
rm -f /tmp/access_log.socket
|
rm -f /tmp/access_log.socket
|
||||||
|
|
||||||
# Read from fifo and load into database
|
# Read from fifo and load into database
|
||||||
daemonize -p $pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
|
daemonize -p /run/access_logd.pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
test -f $pid || exit 0
|
test -f $pid || exit 0
|
||||||
|
|
|
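Review bot: With `test -f $pid && exit 0` gone from the `start)` branch in the first hunk, nothing prevents a second `start` from launching another `access_log` daemon next to the running one; `daemonize -p` only records the pid (single-instance checking is its separate `-l` lockfile option), and both processes would then contend for `/tmp/access_log.socket`, which the script unlinks unconditionally a few lines later. The second hunk hard-codes `daemonize -p /run/access_logd.pid` while `stop)` still reads `$pid` (set by `pid=/run/access_logd.pid`, visible in the first hunk's header context); writing `-p "$pid"` keeps start and stop pointing at the same file if the variable ever changes. `install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3` also runs on every start and, as far as the visible lines show, replaces the destination, so if it is meant to seed the database only once it should be guarded with `test -f /var/log/access_log.sqlite3 ||`; and since the daemon runs as `-u nginx`, it is worth confirming that a file owned by `nobody` with mode 640 is writable by that user. The `case $1 in` statement continues past the end of the second hunk.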
@ -1,3 +0,0 @@
|
||||||
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
|
||||||
|
|
||||||
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
|
|
@ -1,3 +0,0 @@
|
||||||
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
|
||||||
|
|
||||||
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
|
|
@ -1,3 +0,0 @@
|
||||||
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
|
||||||
|
|
||||||
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
|
|
@ -39,7 +39,6 @@ http {
|
||||||
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
|
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
|
||||||
$geoip2_data_country_name country names en;
|
$geoip2_data_country_name country names en;
|
||||||
$geoip2_data_country_iso_code country iso_code;
|
$geoip2_data_country_iso_code country iso_code;
|
||||||
$geoip2_data_continent_code country continent_code;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
|
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
modsecurity on;
|
|
||||||
modsecurity_rules 'SecRuleEngine On';
|
|
||||||
modsecurity_rules 'SecAuditLogFormat JSON';
|
|
||||||
modsecurity_rules_file /etc/modsecurity/modsecurity.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/crs-setup.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-901-INITIALIZATION.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-955-WEB-SHELLS.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf;
|
|
||||||
modsecurity_rules_file /etc/crs4/rules/RESPONSE-980-CORRELATION.conf;
|
|