init. version

Author: Antonio Cheong

Dockerfile

@@ -0,0 +1,9 @@
+FROM nginx:latest
+
+COPY rootfs/ /
+
+RUN mkdir -p /tmp/nginx/body /var/lib/nginx/cache /data/logs \
+ && mkdir -p /etc/letsencrypt/live/placeholder /data/nginx/placeholder /data/custom_ssl/placeholder \
+ && find /etc/nginx -type d -exec chmod 755 {} \; \
+ && find /etc/nginx -type f -exec chmod 644 {} \; \
+ && chmod 755 /docker-entrypoint.d/99-dynamic_resolvers.sh /bin/nginx_auto_reload.sh

README.md

@@ -1,2 +1,64 @@
-# nginx4npm
+# nginx
+
 nginx prepare for working with Nginx Proxy Manager (NPM) together.
+
+
+## Stack config
+
+```yml
+version: "3.7"
+
+volumes:
+
+  data:
+
+  letsencrypt:
+
+networks:
+
+  host:
+    external:
+      name: "host"
+
+services:
+
+  manager:
+    image: jc21/nginx-proxy-manager:latest
+    ports:
+     - '81:81'
+    environment:
+      TZ: Asia/Hong_Kong
+    volumes:
+      - data:/data
+      - letsencrypt:/etc/letsencrypt
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  worker:
+    image: windoac/nginx-npm:latest
+    networks:
+      - host
+    environment:
+      TZ: Asia/Hong_Kong
+    volumes:
+      - data:/data
+      - letsencrypt:/etc/letsencrypt
+    deploy:
+      #mode: global
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+```

rootfs/bin/nginx_auto_reload.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# setting
+checkinterval_min=1
+
+echo "$0 - Start monitoring"
+
+timesleep=$(($checkinterval_min*60))
+
+while true
+do
+    sleep $timesleep
+    if [[ `find /data/nginx /data/nginx/* /data/custom_ssl /data/custom_ssl/* /etc/letsencrypt/live /etc/letsencrypt/live/* -type f ! -name "*.swp" -mmin -1 | wc -l` != 0 ]]
+    then
+        echo "$0 - Detected Nginx Configuration Change."
+        # timetosleep=$(( $RANDOM % 6 + 5 ))
+        # echo "$0 - sleep 5 - 10 sec randomly. this time sleep $timetosleep sec..."
+        # sleep $timetosleep
+        nginx -t
+        if [ $? -eq 0 ]
+        then
+            echo "$0 - Executing: nginx -s reload"
+            nginx -s reload
+        else
+            echo "$0 - found error in config check. skiped the auto reload."
+        fi
+    fi
+done
+
+echo "$0 - monitor stoped"

rootfs/docker-entrypoint.d/99-dynamic_resolvers.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+# log_info 'Dynamic resolvers ...'
+
+DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+
+# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
+# thanks @tfmm
+if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ];
+then
+	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+else
+	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+fi

rootfs/docker-entrypoint.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+_exitpoint() {
+  kill -TERM $child
+  #pkill nginx
+}
+
+
+if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.envsh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Sourcing $f";
+                        . "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *.sh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) entrypoint_log "$0: Ignoring $f";;
+            esac
+        done
+
+        entrypoint_log "$0: Configuration complete; ready for start up"
+    else
+        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+trap _exitpoint TERM EXIT INT
+
+nginx_auto_reload.sh &
+child=$!
+
+exec "$@"

rootfs/etc/nginx/conf.d/default.conf

@@ -0,0 +1,38 @@
+# "You are not configured" page, which is the default if another default doesn't exist
+server {
+	listen 80;
+	listen [::]:80;
+
+	set $forward_scheme "http";
+	set $server "127.0.0.1";
+	set $port "80";
+
+	server_name localhost-nginx-proxy-manager;
+	access_log /data/logs/fallback_access.log standard;
+	error_log /data/logs/fallback_error.log warn;
+	include conf.d/include/assets.conf;
+	include conf.d/include/block-exploits.conf;
+	include conf.d/include/letsencrypt-acme-challenge.conf;
+
+	location / {
+		index index.html;
+		root /var/www/html;
+	}
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	set $forward_scheme "https";
+	set $server "127.0.0.1";
+	set $port "443";
+
+	server_name localhost;
+	access_log /data/logs/fallback_access.log standard;
+	error_log /dev/null crit;
+	ssl_reject_handshake on;
+
+	return 444;
+}

rootfs/etc/nginx/conf.d/include/.gitignore

@@ -0,0 +1 @@
+resolvers.conf

rootfs/etc/nginx/conf.d/include/assets.conf

@@ -0,0 +1,31 @@
+location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
+	if_modified_since off;
+
+	# use the public cache
+	proxy_cache public-cache;
+	proxy_cache_key $host$request_uri;
+
+	# ignore these headers for media
+	proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
+
+	# cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
+	proxy_cache_valid any 30m;
+	proxy_cache_valid 404 1m;
+
+	# strip this header to avoid If-Modified-Since requests
+	proxy_hide_header Last-Modified;
+	proxy_hide_header Cache-Control;
+	proxy_hide_header Vary;
+
+	proxy_cache_bypass 0;
+	proxy_no_cache 0;
+
+	proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
+	proxy_connect_timeout 5s;
+	proxy_read_timeout 45s;
+
+	expires @30m;
+	access_log  off;
+
+	include conf.d/include/proxy.conf;
+}

rootfs/etc/nginx/conf.d/include/block-exploits.conf

@@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+	set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+	set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+	set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+	return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+	set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+	set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+	set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+	return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+	set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+	set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+	set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+	set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+	set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+	set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+	return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+	set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+	set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+	set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+	set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+	return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+	set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+	set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+	set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+	return 403;
+}

rootfs/etc/nginx/conf.d/include/force-ssl.conf

@@ -0,0 +1,3 @@
+if ($scheme = "http") {
+	return 301 https://$host$request_uri;
+}