use common logging conventions
kx1t committed Feb 13, 2024
1 parent 4086e98 commit 8ca8628
Showing 13 changed files with 198 additions and 180 deletions.
88 changes: 49 additions & 39 deletions rootfs/etc/s6-overlay/scripts/10-ssl
@@ -1,15 +1,15 @@
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2145,SC2076
#shellcheck shell=bash disable=SC2145,SC2076,SC1091,SC2154,SC2015

APPNAME="$(hostname)/10-ssl"
echo "[$APPNAME][$(date)] Started SSL initialization"
source /scripts/common

"${s6wrap[@]}" echo "Started SSL initialization"

rm -f /run/.ssl-enabled

# If SSL is not ENABLED, stop forevah
if [[ "${SSL^^}" != "ENABLED" ]]
then
echo "[$APPNAME][$(date)] SSL disabled. No initialization needed."
if ! chk_enabled "${SSL}"; then
"${s6wrap[@]}" echo "SSL disabled. No initialization needed."
exit 0
fi

@@ -27,14 +27,14 @@ then
[[ -z "$lastforced" ]] && lastforced=0 || true
(( mustforce - lastforced > 0 )) && forceinstall="true" || true
date +%s > /run/nginx/.letsencrypt/.force-reinstall.lastforced
echo -n "[$APPNAME][$(date)] Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce"). Last reinstall was at $(date -d "@$lastforced"). Will "
"${s6wrap[@]}" echo "Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce"). Last reinstall was at $(date -d "@$lastforced"). Will "
[[ "$forceinstall" == "true" ]] && echo "reinstall certificates." || echo "not reinstall certificates."
fi

# if there is a backup and $forceinstall is not true, restore it
if [[ -f /run/nginx/.letsencrypt/letsencrypt.tgz ]] && [[ "$forceinstall" != "true" ]]
then
echo "[$APPNAME][$(date)] Backup of certificates found. Restoring..."
"${s6wrap[@]}" echo "Backup of certificates found. Restoring..."
tar --overwrite -xzf /run/nginx/.letsencrypt/letsencrypt.tgz -C / >/dev/null 2>&1
elif [[ -d /etc/letsencrypt ]]
then
@@ -51,40 +51,41 @@ fi
touch /run/nginx/locations.conf

# Do some checks to ensure that there is enough info to request domains:
# shellcheck disable=SC2153
if (( ${#SSL_DOMAIN[@]} == 0 ))
then
# No domains in environment files. Complain and stop trying to install certificates:
echo "[$APPNAME][$(date)] --------------------------------------------------"
echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |"
echo "[$APPNAME][$(date)] | You must define at least 1 SSL_DOMAIN in your |"
echo "[$APPNAME][$(date)] | docker-compose.yml file. Go check and fix it! |"
echo "[$APPNAME][$(date)] | The container will continue without SSL. |"
echo "[$APPNAME][$(date)] --------------------------------------------------"
"${s6wrap[@]}" echo "--------------------------------------------------"
"${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
"${s6wrap[@]}" echo "| You must define at least 1 SSL_DOMAIN in your |"
"${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |"
"${s6wrap[@]}" echo "| The container will continue without SSL. |"
"${s6wrap[@]}" echo "--------------------------------------------------"
exit 0
fi

if ! grep -E "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <<< "$SSL_EMAIL" >/dev/null
then
# No domains in environment files. Complain and stop trying to install certificates:
echo "[$APPNAME][$(date)] --------------------------------------------------------"
echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |"
echo "[$APPNAME][$(date)] | You must provide a valid email in SSL_EMAIL in your |"
echo "[$APPNAME][$(date)] | docker-compose.yml file. Go check and fix it! |"
echo "[$APPNAME][$(date)] | The container will continue without SSL. |"
echo "[$APPNAME][$(date)] --------------------------------------------------------"
"${s6wrap[@]}" echo "--------------------------------------------------------"
"${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
"${s6wrap[@]}" echo "| You must provide a valid email in SSL_EMAIL in your |"
"${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |"
"${s6wrap[@]}" echo "| The container will continue without SSL. |"
"${s6wrap[@]}" echo "--------------------------------------------------------"
exit 0
fi

if [[ "${SSL_TOS,,}" != "accept" ]]
then
# No domains in environment files. Complain and stop trying to install certificates:
echo "[$APPNAME][$(date)] --------------------------------------------------------------------------"
echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |"
echo "[$APPNAME][$(date)] | You must accept the ACME Account TOS found at |"
echo "[$APPNAME][$(date)] | https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement |"
echo "[$APPNAME][$(date)] | and set SSL_TOS=ACCEPT in your docker-compose.yml file. |"
echo "[$APPNAME][$(date)] | Go check and fix it! The container will continue without SSL. |"
echo "[$APPNAME][$(date)] --------------------------------------------------------------------------"
"${s6wrap[@]}" echo "--------------------------------------------------------------------------"
"${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
"${s6wrap[@]}" echo "| You must accept the ACME Account TOS found at |"
"${s6wrap[@]}" echo "| https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement |"
"${s6wrap[@]}" echo "| and set SSL_TOS=ACCEPT in your docker-compose.yml file. |"
"${s6wrap[@]}" echo "| Go check and fix it! The container will continue without SSL. |"
"${s6wrap[@]}" echo "--------------------------------------------------------------------------"
exit 0
else
agree_tos="--agree-tos"
@@ -97,16 +98,25 @@ newdomains=()
#shellcheck disable=SC2207
domains=($(/usr/bin/certbot certificates 2>/dev/null | awk '/Domains:/ { $1=""; print substr($0,2) }'))

# shellcheck disable=SC2086
IFS="," read -ra SSL_DOMAINS <<< "$(echo $SSL_DOMAIN|tr -d '[:blank:]')"
for (( i=0; i<${#SSL_DOMAINS[@]}; i++ ))
do
[[ ! " ${domains[*]} " =~ " ${SSL_DOMAINS[i]} " ]] && newdomains+=("${SSL_DOMAINS[i]}")
done

# Figure out if we want to redirect all queries to SSL?
[[ "${SSL_REDIRECT,,}" == "enabled" ]] && redirect="--redirect" || redirect=""
if chk_enabled "${SSL_REDIRECT}"; then
redirect="--redirect"
else
redirect=""
fi

(( ${#newdomains[@]} > 0 )) && echo "[$APPNAME][$(date)] New domains detected - attempting to get certificates for ${newdomains[@]}" || echo "[$APPNAME][$(date)] No new domains detected"
if (( ${#newdomains[@]} > 0 )); then
"${s6wrap[@]}" echo "New domains detected - attempting to get certificates for ${newdomains[@]}"
else
"${s6wrap[@]}" echo "No new domains detected"
fi

# prepend "-d " before each domain name:
newdomains=( "${newdomains[@]/#/-d }" )
@@ -118,17 +128,17 @@ then
# Something went wrong
echo Error in:
echo "/usr/bin/certbot run --quiet --nginx ${agree_tos} ${redirect} -m \"${SSL_EMAIL}\" ${newdomains[@]}"
echo "[$APPNAME][$(date)] --------------------------------------------------"
echo "[$APPNAME][$(date)] | STOP ! NGINX CertBot SSL installation problem |"
echo "[$APPNAME][$(date)] | Please see the error message above. |"
echo "[$APPNAME][$(date)] | |"
echo "[$APPNAME][$(date)] | The container will continue without SSL. |"
echo "[$APPNAME][$(date)] --------------------------------------------------"
"${s6wrap[@]}" echo "--------------------------------------------------"
"${s6wrap[@]}" echo "| STOP ! NGINX CertBot SSL installation problem |"
"${s6wrap[@]}" echo "| Please see the error message above. |"
"${s6wrap[@]}" echo "| |"
"${s6wrap[@]}" echo "| The container will continue without SSL. |"
"${s6wrap[@]}" echo "--------------------------------------------------"
exit 0
else
echo "[$APPNAME][$(date)] SSL Certificates installed for these domains:"
"${s6wrap[@]}" echo "SSL Certificates installed for these domains:"
/usr/bin/certbot certificates
[[ "${SSL_REDIRECT,,}" == "enabled" ]] && echo "[$APPNAME][$(date)] All web traffic will be redirected to SSL."
[[ "${SSL_REDIRECT,,}" == "enabled" ]] && "${s6wrap[@]}" echo "All web traffic will be redirected to SSL."

# back things up again, keep a copy of the previous TGZ if there was one:
mkdir -p /run/nginx/.letsencrypt
@@ -143,6 +153,6 @@ else

touch /run/.ssl-enabled

echo "[$APPNAME][$(date)] Nginx will start with SSL enabled."
echo "[$APPNAME][$(date)] The container will check every 24 hours to see if the certificates need renewal."
"${s6wrap[@]}" echo "Nginx will start with SSL enabled."
"${s6wrap[@]}" echo "The container will check every 24 hours to see if the certificates need renewal."
fi
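Review bot: The wrapped `Checking if SSL certificates must be reinstalled … Will ` line in the second hunk lost the `-n` that the old `echo -n` carried, so it no longer joins with the bare `echo "reinstall certificates."` / `echo "not reinstall certificates."` on the following line, which itself is still unwrapped and now prints an unprefixed fragment on a line of its own. Folding the decision into the message fixes both: `if [[ "$forceinstall" == "true" ]]; then "${s6wrap[@]}" echo "… Will reinstall certificates."; else "${s6wrap[@]}" echo "… Will not reinstall certificates."; fi`. The `echo Error in:` and the certbot command-line echo at the top of the failure branch in the fourth hunk also remain on plain `echo`. Separately, the SSL_REDIRECT decision now goes through `chk_enabled "${SSL_REDIRECT}"` while the confirmation line in the fourth hunk keeps `[[ "${SSL_REDIRECT,,}" == "enabled" ]]`; if chk_enabled accepts other spellings (its definition in /scripts/common is not on the page), a redirect can be configured without the message ever being printed, so use `if chk_enabled "${SSL_REDIRECT}"; then "${s6wrap[@]}" echo "All web traffic will be redirected to SSL."; fi` there as well.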
72 changes: 37 additions & 35 deletions rootfs/etc/s6-overlay/scripts/20-webproxy
@@ -1,8 +1,9 @@
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2174
#shellcheck shell=bash disable=SC2174,SC1091,SC2154,SC2015

APPNAME="$(hostname)/20-webproxy"
echo "[$APPNAME][$(date)] Initial setup -- installing NXINX web service"
source /scripts/common

"${s6wrap[@]}" echo "Initial setup -- installing NXINX web service"

# create run directory. This is where the locations.conf file will be located.
# Create the correct ownership and permissions for the /var/log/nginx directory:
@@ -27,9 +28,8 @@ touch /var/log/nginx/error.log
chmod a+rw /var/log/nginx/access.log /var/log/nginx/error.log

# auto-create the locations.conf file if $AUTOGENERATE is set to yes
if [[ "$AUTOGENERATE" == "ON" ]]
then
echo "[$APPNAME][$(date)] Auto-generating locations.conf file"
if chk_enabled "$AUTOGENERATE"; then
"${s6wrap[@]}" echo "Auto-generating locations.conf file"
# back up any existing locations.conf file:
[[ -f /run/nginx/locations.conf ]] && mv -f /run/nginx/locations.conf "/run/nginx/locations.conf.bkup-$(date +%y%m%d%H%M%S)"

@@ -60,13 +60,13 @@ then

if [[ -z "$location" ]] || [[ -z "$destination" ]]
then
echo "[$APPNAME][$(date)] WARNING: Skipping empty location or destination for REDIRECT $location:$destination"
"${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REDIRECT $location:$destination"
continue;
fi

if [[ -n "$creds" ]]
then
echo "[$APPNAME][$(date)] WARNING: Auth credentials not supported REDIRECT ($location:$destination). Implemented without authentications"
"${s6wrap[@]}" echo "WARNING: Auth credentials not supported REDIRECT ($location:$destination). Implemented without authentications"
fi

# fix prefixes and suffixes if necessary:
@@ -76,9 +76,10 @@ then
[[ "${location:0:2}" == "/=" ]] && location="= ${location:2}" || true

# Now print the location entry:
printf "location %s {\n" "$location" >> /run/nginx/locations.conf
printf " return 301 %s;\n" "$destination" >> /run/nginx/locations.conf
printf "}\n\n" >> /run/nginx/locations.conf
{ printf "location %s {\n" "$location"
printf " return 301 %s;\n" "$destination"
printf "}\n\n"
} >> /run/nginx/locations.conf

done

@@ -99,7 +100,7 @@ then

if [[ -z "$location" ]] || [[ -z "$destination" ]]
then
echo "[$APPNAME][$(date)] WARNING: Skipping empty location or destination for REDIRECT $location:$destination"
"${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REDIRECT $location:$destination"
continue;
fi

@@ -119,19 +120,20 @@ then
[[ "${destination: -1}" != "/" ]] && destination="$destination/"

# Now print the location entry:
printf "location %s {\n" "/$location/" >> /run/nginx/locations.conf
printf " auth_basic %s;\n" "$basic_auth" >> /run/nginx/locations.conf
printf " %s /run/nginx/.htaccess/.htpasswd-%s;\n" "$abuf" "${location///}" >> /run/nginx/locations.conf
printf " proxy_pass %s;\n" "$destination" >> /run/nginx/locations.conf
printf " proxy_http_version 1.1;\n" >> /run/nginx/locations.conf

# Additional line to catch redirects; suggested by @wiedehopf:
# removed again after discussions
# printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf
printf " proxy_redirect / /%s/;\n" "$location" >> /run/nginx/locations.conf
# close off the location entry:
printf "}\n\n" >> /run/nginx/locations.conf
touch /run/nginx/.htaccess/.htpasswd-${location///} # make sure that the passwd file exists even if it's empty or not used
{ printf "location %s {\n" "/$location/"
printf " auth_basic %s;\n" "$basic_auth"
printf " %s /run/nginx/.htaccess/.htpasswd-%s;\n" "$abuf" "${location///}"
printf " proxy_pass %s;\n" "$destination"
printf " proxy_http_version 1.1;\n"

# Additional line to catch redirects; suggested by @wiedehopf:
# removed again after discussions
# printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf
printf " proxy_redirect / /%s/;\n" "$location"
# close off the location entry:
printf "}\n\n"
} >> /run/nginx/locations.conf
touch "/run/nginx/.htaccess/.htpasswd-${location///}" # make sure that the passwd file exists even if it's empty or not used
done

# Finally add the default index files to this configuration:
@@ -142,16 +144,16 @@ then
elif [[ ! -f /run/nginx/locations.conf ]]
then
# No locations.conf is found, and none is generated either. Complain and stop the container:
echo "-------------------------------------------------"
echo "| STOP ! You must either: |"
echo "| set AUTOGENERATE=ON in docker-compose.yml |"
echo "| or provide a well-formed locations.conf file |"
echo "| Please do so and then restart the container. |"
echo "-------------------------------------------------"
"${s6wrap[@]}" echo "-------------------------------------------------"
"${s6wrap[@]}" echo "| STOP ! You must either: |"
"${s6wrap[@]}" echo "| set AUTOGENERATE=ON in docker-compose.yml |"
"${s6wrap[@]}" echo "| or provide a well-formed locations.conf file |"
"${s6wrap[@]}" echo "| Please do so and then restart the container. |"
"${s6wrap[@]}" echo "-------------------------------------------------"

[[ -z "$DEBUG" ]] && exit 1 || sleep infinity
else
echo "[$APPNAME][$(date)] Using user-provided locations.conf file"
"${s6wrap[@]}" echo "Using user-provided locations.conf file"
fi

# now enable default:
@@ -160,16 +162,16 @@ ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
# set logging to what VERBOSELOG says. Default is off, "ON" means to stdout, "FILE" means to access.log/error.log file in external volume
if [[ "${VERBOSELOG,,}" == "on" ]] || [[ "${VERBOSELOG,,}" == "true" ]]
then
echo "[$APPNAME][$(date)] Enabled HTTP logging to container logs"
"${s6wrap[@]}" echo "Enabled HTTP logging to container logs"
sed -i 's|\(^\s*access_log \).*|\1/dev/stdout ;|' /etc/nginx/nginx.conf
sed -i 's|\(^\s*error_log \).*|\1/dev/stdout ;|' /etc/nginx/nginx.conf
elif [[ "${VERBOSELOG,,}" == "file" ]]
then
echo "[$APPNAME][$(date)] Enabled HTTP logging to files in shared volume"
"${s6wrap[@]}" echo "Enabled HTTP logging to files in shared volume"
sed -i 's|\(^\s*access_log \).*|\1/run/nginx/access.log ;|' /etc/nginx/nginx.conf
sed -i 's|\(^\s*error_log \).*|\1/run/nginx/error.log ;|' /etc/nginx/nginx.conf
else
echo "[$APPNAME][$(date)] HTTP logging is disabled"
"${s6wrap[@]}" echo "HTTP logging is disabled"
fi


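Review bot: The VERBOSELOG test in the last hunk still hand-compares `"${VERBOSELOG,,}" == "on"` / `"true"` while the AUTOGENERATE test in the second hunk was switched to `chk_enabled "$AUTOGENERATE"` in the same commit, so the two switches in this file accept different spellings of "on". If chk_enabled (defined in /scripts/common, which is not on the page) covers the on/true cases, the first branch can become `if chk_enabled "${VERBOSELOG}"; then`, leaving the `file` branch unchanged. The comment above the AUTOGENERATE check still reads "if $AUTOGENERATE is set to yes" while the STOP message tells users to set `AUTOGENERATE=ON`; after this change it should read `# auto-create the locations.conf file if $AUTOGENERATE is enabled (see chk_enabled)`. The `{ … } >> /run/nginx/locations.conf` groupings are fine, but the commented-out proxy_redirect line inside the second group keeps its own trailing `>> /run/nginx/locations.conf`, which is now redundant and should be dropped from the comment so it matches the lines around it if it is ever re-enabled.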
28 changes: 16 additions & 12 deletions rootfs/etc/s6-overlay/scripts/30-blockbot
@@ -1,22 +1,25 @@
#!/command/with-contenv bash
#shellcheck shell=bash
#shellcheck shell=bash disable=SC2154,SC1091

APPNAME="$(hostname)/30-blockbot"
echo "[$APPNAME][$(date)] Initial setup -- installing BLOCKBOT service"
source /scripts/common

"${s6wrap[@]}" echo "Initial setup -- installing BLOCKBOT service"

mv -f /root/blockstats /usr/local/bin >/dev/null 2>&1
mv -f /root/ipmap /usr/local/bin >/dev/null 2>&1

if [[ -n "$BLOCKBOT" ]]
then
BLOCKLIST="$(sed 's/,/|/g' <<< "$BLOCKBOT")"
echo "[$APPNAME][$(date)] Blocking these bots: $BLOCKBOT"
printf "map \$http_user_agent \$limit_bots {\n" >/etc/nginx/blockbot.conf
printf " default 0;\n" >>/etc/nginx/blockbot.conf
printf " ~*(%s) 1;\n" "${BLOCKLIST// /}" >>/etc/nginx/blockbot.conf
printf "}\n" >>/etc/nginx/blockbot.conf
# shellcheck disable=SC2001
{ BLOCKLIST="$(sed 's/,/|/g' <<< "$BLOCKBOT")"
"${s6wrap[@]}" echo "Blocking these bots: $BLOCKBOT"
printf "map \$http_user_agent \$limit_bots {\n"
printf " default 0;\n"
printf " ~*(%s) 1;\n" "${BLOCKLIST// /}"
printf "}\n"
} >/etc/nginx/blockbot.conf
else
echo "[$APPNAME][$(date)] Bot blocking disabled"
"${s6wrap[@]}" echo "Bot blocking disabled"
cp -f /etc/nginx/blockbot.conf.org /etc/nginx/blockbot.conf
exit 0
fi
@@ -30,9 +33,10 @@ fi

if [[ "$BLOCKBOT_RESPONSECODE" -lt 100 ]] || [[ "$BLOCKBOT_RESPONSECODE" -gt 999 ]]
then
echo "[$APPNAME][$(date)] Response code value for blocked bots \"$BLOCKBOT_RESPONSECODE\" is invalid. Defaulting to \"403\"."
"${s6wrap[@]}" echo "Response code value for blocked bots \"$BLOCKBOT_RESPONSECODE\" is invalid. Defaulting to \"403\"."
BLOCKBOT_RESPONSECODE="403"
else
echo "[$APPNAME][$(date)] Setting response code for blocked bots to $BLOCKBOT_RESPONSECODE."
"${s6wrap[@]}" echo "Setting response code for blocked bots to $BLOCKBOT_RESPONSECODE."
fi
# shellcheck disable=SC2016
sed -i '/\s*if ($limit_bots = 1)/{$!{N;s/\(\s*if ($limit_bots = 1) {\s*\n\s*return \)[0-9]*\(.*\)/\1'"$BLOCKBOT_RESPONSECODE"'\2/;ty;P;D;:y}}' /etc/nginx/sites-available/default >/dev/null 2>&1
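Review bot: In the first hunk the `"${s6wrap[@]}" echo "Blocking these bots: $BLOCKBOT"` line now sits inside the `{ … } >/etc/nginx/blockbot.conf` group, so unless s6wrap sends its output to stderr (it comes from /scripts/common, which is not on the page) the log line is written as the first line of blockbot.conf and nginx will reject the `map` file. Move it above the group: `"${s6wrap[@]}" echo "Blocking these bots: $BLOCKBOT"` followed by `{ BLOCKLIST="$(sed 's/,/|/g' <<< "$BLOCKBOT")"`. The `BLOCKLIST=` assignment produces no stdout, so it may stay inside the group, but it reads more naturally before the brace as well. Since the comma-separated BLOCKBOT value is turned into a regex alternation and placed inside `~*(…)`, a one-line comment such as `# BLOCKBOT entries are joined with | and matched as a case-insensitive nginx regex, not as literal strings` would help operators who use names containing regex metacharacters.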
