Compare commits
43 commits
Author | SHA1 | Date | |
---|---|---|---|
|
d2d9351503 | ||
|
48737be655 | ||
|
2d1be6a3b2 | ||
|
abc9bfd869 | ||
|
f7ec863b05 | ||
|
a051c85237 | ||
|
062e13bda0 | ||
|
66e10a7635 | ||
|
0e8b6ac71a | ||
|
fc1a12e592 | ||
|
000ac53f39 | ||
|
aa2641fbcc | ||
|
41354bbc95 | ||
|
c0e6b8150b | ||
|
f7da597784 | ||
|
9e2d56e182 | ||
|
758066d768 | ||
|
d6db26865d | ||
|
b99a8111d8 | ||
|
aa086a76af | ||
|
3956f7fa70 | ||
|
7fa87d8e64 | ||
|
399208b01e | ||
|
4c1bf069a9 | ||
|
b4e5996ee6 | ||
|
59c7ea652c | ||
|
74e4a85bf9 | ||
|
2a72840be0 | ||
|
397dff920a | ||
|
68758ba4c0 | ||
|
e66b364db7 | ||
|
b921379aa0 | ||
|
8dd7d4605a | ||
|
d11e588f03 | ||
|
f6ba800908 | ||
|
53b1edf291 | ||
|
ddb5c152b2 | ||
|
22ab55417e | ||
|
630885cdfd | ||
|
5085c7e8df | ||
|
1233c89aff | ||
f9316429c8 | |||
748edeb81f |
8 changed files with 63 additions and 17 deletions
|
@ -1,4 +1,4 @@
|
||||||
pipeline:
|
steps:
|
||||||
publish:
|
publish:
|
||||||
image: "docker.io/woodpeckerci/plugin-docker-buildx"
|
image: "docker.io/woodpeckerci/plugin-docker-buildx"
|
||||||
settings:
|
settings:
|
||||||
|
@ -11,15 +11,17 @@ pipeline:
|
||||||
build_args:
|
build_args:
|
||||||
- "ALPINE_VERSION=${ALPINE_VERSION}"
|
- "ALPINE_VERSION=${ALPINE_VERSION}"
|
||||||
- "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
|
- "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
|
||||||
|
- "NGINX_VERSION=${NGINX_VERSION}"
|
||||||
- "BASE_IMAGE=gitea.nulo.in/sutty/monit"
|
- "BASE_IMAGE=gitea.nulo.in/sutty/monit"
|
||||||
secrets:
|
- "EXTRA_PACKAGES=${EXTRA_PACKAGES}"
|
||||||
- "DOCKER_PASSWORD"
|
password:
|
||||||
|
from_secret: "DOCKER_PASSWORD"
|
||||||
when:
|
when:
|
||||||
branch: "antifascista"
|
branch: "antifascista"
|
||||||
event: "push"
|
event: "push"
|
||||||
matrix:
|
matrix:
|
||||||
ALPINE_VERSION:
|
include:
|
||||||
- "3.18.3"
|
- ALPINE_VERSION: "3.20.3"
|
||||||
- "3.17.5"
|
ACCESS_LOG_VERSION: "0.5.9"
|
||||||
ACCESS_LOG_VERSION:
|
NGINX_VERSION: "1.26.2-r0"
|
||||||
- "0.5.5"
|
EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
|
||||||
|
|
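Review bot: The matrix entry at the end of the second hunk pins `ACCESS_LOG_VERSION: "0.5.9"`, but the Dockerfile in this same compare selects the log format with ``mv /etc/nginx/access_logd_`access_log -v`.conf``, and the only format files added here are 0.5.6, 0.5.7 and 0.5.8 — unless `nginx/access_logd_0.5.9.conf` already exists in the tree, the 3.20.3 build fails at that `mv`. The format file (or a symlink) should land in the same commit as the version bump so the matrix and the Dockerfile cannot drift. A comment above `include:` such as `# each entry needs a matching nginx/access_logd_<ACCESS_LOG_VERSION>.conf` would save the next bump the same trap. Switching `DOCKER_PASSWORD` from the `secrets:` list to `password: from_secret:` is the right shape for this plugin; the remaining `build_args` are fine as plain values since none of them is a credential, though they do end up in the image history.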
18
Dockerfile
18
Dockerfile
|
@ -1,15 +1,17 @@
|
||||||
ARG ALPINE_VERSION=3.13.6
|
ARG ALPINE_VERSION=3.18.3
|
||||||
ARG BASE_IMAGE=sutty/monit
|
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
|
||||||
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
|
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
|
||||||
MAINTAINER "f <f@sutty.nl>"
|
LABEL org.opencontainers.image.authors="f@sutty.nl"
|
||||||
|
|
||||||
|
ARG NGINX_VERSION="1.24.0-r7"
|
||||||
ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
|
ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
|
||||||
ARG ACCESS_LOG_VERSION="0.5.1"
|
ARG ACCESS_LOG_VERSION="0.5.6"
|
||||||
|
ARG EXTRA_PACKAGES
|
||||||
|
|
||||||
ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
|
ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
|
||||||
|
|
||||||
# Install nginx and remove default config
|
# Install nginx and remove default config
|
||||||
RUN apk add --no-cache nginx daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
|
RUN apk add --no-cache nginx~${NGINX_VERSION} daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
|
||||||
&& rm -rf /etc/nginx
|
&& rm -rf /etc/nginx
|
||||||
|
|
||||||
# Add ssl group so nginx has access to certificates
|
# Add ssl group so nginx has access to certificates
|
||||||
|
@ -19,15 +21,14 @@ RUN addgroup nginx ssl
|
||||||
COPY ./monit.conf /etc/monit.d/nginx.conf
|
COPY ./monit.conf /etc/monit.d/nginx.conf
|
||||||
COPY ./prometheusd.sh /usr/local/bin/prometheusd
|
COPY ./prometheusd.sh /usr/local/bin/prometheusd
|
||||||
COPY ./access_logd.sh /usr/bin/access_logd
|
COPY ./access_logd.sh /usr/bin/access_logd
|
||||||
COPY ./nginx /etc/nginx
|
COPY --chown=nginx:nginx ./nginx /etc/nginx
|
||||||
COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
|
COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
|
||||||
|
|
||||||
# Install modules after rewriting /etc/nginx
|
# Install modules after rewriting /etc/nginx
|
||||||
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2
|
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
|
||||||
|
|
||||||
# Add support for request_uri parsing if access_log >= 0.3.0
|
# Add support for request_uri parsing if access_log >= 0.3.0
|
||||||
RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
|
RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
|
||||||
RUN chown -R nginx:nginx /etc/nginx
|
|
||||||
RUN nginx -t
|
RUN nginx -t
|
||||||
|
|
||||||
RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
||||||
|
@ -36,6 +37,7 @@ RUN chown nginx:nginx /var/lib/access_log.sqlite3
|
||||||
VOLUME /etc/nginx/sites
|
VOLUME /etc/nginx/sites
|
||||||
VOLUME /etc/letsencrypt
|
VOLUME /etc/letsencrypt
|
||||||
VOLUME /var/lib/letsencrypt
|
VOLUME /var/lib/letsencrypt
|
||||||
|
VOLUME /var/log
|
||||||
|
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
EXPOSE 443
|
EXPOSE 443
|
||||||
|
|
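Review bot: `nginx~${NGINX_VERSION}` with the new default `"1.24.0-r7"` (and `1.26.2-r0` from the CI matrix) pins the Alpine package revision as well as the upstream version, so as far as apk's fuzzy match goes a security rebuild of the same nginx release (a later `-rN`) is never picked up and, once the old revision leaves the repository index, the build breaks instead of upgrading; if only the upstream version is meant to be pinned, `ARG NGINX_VERSION="1.24.0"` leaves the revision to apk, and the same consideration applies to `access_log~${ACCESS_LOG_VERSION}`. Dropping `RUN chown -R nginx:nginx /etc/nginx` in favour of `COPY --chown` also changes what the later steps produce: the module snippets written by `apk add ... ${EXTRA_PACKAGES}` and the `access_logd.conf` created by the `mv` are now root-owned while the copied tree is nginx-owned, which is fine (and arguably tighter) if the master process only needs read access, but a comment stating that this is intended would help. `ARG EXTRA_PACKAGES` is deliberately expanded unquoted so it word-splits into several package names; a comment like `# space-separated list of extra apk packages, expanded unquoted on purpose` would stop someone "fixing" it.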
|
@ -10,6 +10,8 @@ pid=/run/access_logd.pid
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
start)
|
start)
|
||||||
|
test -f $pid && exit 0
|
||||||
|
|
||||||
# Copy default database
|
# Copy default database
|
||||||
install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
|
install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
|
||||||
|
|
||||||
|
@ -17,7 +19,7 @@ case $1 in
|
||||||
rm -f /tmp/access_log.socket
|
rm -f /tmp/access_log.socket
|
||||||
|
|
||||||
# Read from fifo and load into database
|
# Read from fifo and load into database
|
||||||
daemonize -p /run/access_logd.pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
|
daemonize -p $pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
test -f $pid || exit 0
|
test -f $pid || exit 0
|
||||||
|
|
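Review bot: The new `test -f $pid && exit 0` guard in `start)` treats a stale pidfile as a running daemon: if `access_log` dies without the file being removed, or the container restarts with `/run` preserved, `start` becomes a permanent no-op and the collector is never relaunched. Check liveness rather than existence, e.g. `test -f "$pid" && kill -0 "$(cat "$pid")" 2>/dev/null && exit 0` followed by `rm -f "$pid"` so a dead pidfile is cleared before `daemonize` runs. Quoting `$pid` in both `test` lines and in `daemonize -p "$pid"` would also be consistent with the rest of the script. The `case` statement this hunk belongs to continues past the hunk (`stop)` branch).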
3
nginx/access_logd_0.5.6.conf
Normal file
3
nginx/access_logd_0.5.6.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
||||||
|
|
||||||
|
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
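Review bot: `nginx/access_logd_0.5.6.conf`, `0.5.7.conf` and `0.5.8.conf` are byte-identical, and the Dockerfile picks one by the exact output of `access_log -v`, so every format change now has to be replicated three times and every new `access_log` release needs another copy; making 0.5.7 and 0.5.8 symlinks to 0.5.6, or letting the Dockerfile fall back to the highest version present, would remove the duplication. On content, the format records `$request_uri`, `$query_string`, `$remote_user`, `$http_referer`, `$http_user_agent` and city-level GeoIP for every request into a SQLite file under `/var/log` (now a volume); query strings routinely carry session tokens and password-reset links, so a header comment stating the retention policy and whether sensitive parameters are stripped downstream would let the next reader assess the privacy impact. The unquoted numeric fields (`$msec`, `$status`, `$request_time`, `$bytes_sent`, `$body_bytes_sent`, `$request_length`, `$connection_requests`) appear to be always set by nginx, so the JSON stays valid, but `escape=json` does not protect an empty unquoted value; a comment `# numeric fields are left unquoted on purpose; only add variables here that are never empty` documents that constraint.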
3
nginx/access_logd_0.5.7.conf
Normal file
3
nginx/access_logd_0.5.7.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
||||||
|
|
||||||
|
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
3
nginx/access_logd_0.5.8.conf
Normal file
3
nginx/access_logd_0.5.8.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
|
||||||
|
|
||||||
|
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;
|
|
@ -39,6 +39,7 @@ http {
|
||||||
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
|
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
|
||||||
$geoip2_data_country_name country names en;
|
$geoip2_data_country_name country names en;
|
||||||
$geoip2_data_country_iso_code country iso_code;
|
$geoip2_data_country_iso_code country iso_code;
|
||||||
|
$geoip2_data_continent_code country continent_code;
|
||||||
}
|
}
|
||||||
|
|
||||||
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
|
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
|
||||||
|
|
30
nginx/snippets/modsecurity.conf
Normal file
30
nginx/snippets/modsecurity.conf
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
modsecurity on;
|
||||||
|
modsecurity_rules 'SecRuleEngine On';
|
||||||
|
modsecurity_rules 'SecAuditLogFormat JSON';
|
||||||
|
modsecurity_rules_file /etc/modsecurity/modsecurity.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/crs-setup.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-901-INITIALIZATION.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-955-WEB-SHELLS.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf;
|
||||||
|
modsecurity_rules_file /etc/crs4/rules/RESPONSE-980-CORRELATION.conf;
|
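Review bot: `modsecurity_rules 'SecRuleEngine On';` on the second line is evaluated before `modsecurity_rules_file /etc/modsecurity/modsecurity.conf;`, and the upstream `modsecurity.conf-recommended` that distributions package sets `SecRuleEngine DetectionOnly`; if the Alpine file keeps that default, the later directive wins and this snippet leaves the WAF logging but never blocking. Move the `SecRuleEngine On` line to directly after the `modsecurity.conf` include (and check whether `SecAuditLogFormat JSON` is overridden the same way), or set the engine mode in `/etc/modsecurity/modsecurity.conf` itself. The snippet loads every numbered CRS file but none of the `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` / `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf` hooks; a comment saying where site-specific exclusions are meant to go would stop people editing the numbered rule files in place. A header comment such as `# opt-in per site: include snippets/modsecurity.conf; requires an image built with EXTRA_PACKAGES="nginx-mod-http-modsecurity coreruleset"` would also help, since an image built without `EXTRA_PACKAGES` has no modsecurity module and `nginx -t` would reject the include.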