From 8ca8628a4340900f57faeba744abc5ef92323627 Mon Sep 17 00:00:00 2001 From: kx1t Date: Tue, 13 Feb 2024 13:56:55 -0500 Subject: [PATCH] use common logging conventions --- rootfs/etc/s6-overlay/scripts/10-ssl | 88 +++++++++++-------- rootfs/etc/s6-overlay/scripts/20-webproxy | 72 +++++++-------- rootfs/etc/s6-overlay/scripts/30-blockbot | 28 +++--- rootfs/etc/s6-overlay/scripts/40-geoip | 59 +++++-------- rootfs/etc/s6-overlay/scripts/50-check-ipv6 | 9 +- rootfs/etc/s6-overlay/scripts/60-block-ips | 20 +++-- .../scripts/70-basic-authentication | 12 +-- rootfs/etc/s6-overlay/scripts/80-set-cors | 3 +- .../etc/s6-overlay/scripts/99-test-webproxy | 26 +++--- rootfs/etc/s6-overlay/scripts/block-ips | 20 +++-- rootfs/etc/s6-overlay/scripts/nginx-logrotate | 12 +-- rootfs/etc/s6-overlay/scripts/ssl | 15 ++-- rootfs/etc/s6-overlay/scripts/webproxy | 14 +-- 13 files changed, 198 insertions(+), 180 deletions(-) diff --git a/rootfs/etc/s6-overlay/scripts/10-ssl b/rootfs/etc/s6-overlay/scripts/10-ssl index 29a30c7..136c805 100755 --- a/rootfs/etc/s6-overlay/scripts/10-ssl +++ b/rootfs/etc/s6-overlay/scripts/10-ssl @@ -1,15 +1,15 @@ #!/command/with-contenv bash -#shellcheck shell=bash disable=SC2145,SC2076 +#shellcheck shell=bash disable=SC2145,SC2076,SC1091,SC2154,SC2015 -APPNAME="$(hostname)/10-ssl" -echo "[$APPNAME][$(date)] Started SSL initialization" +source /scripts/common + +"${s6wrap[@]}" echo "Started SSL initialization" rm -f /run/.ssl-enabled # If SSL is not ENABLED, stop forevah -if [[ "${SSL^^}" != "ENABLED" ]] -then - echo "[$APPNAME][$(date)] SSL disabled. No initialization needed." +if ! chk_enabled "${SSL}"; then + "${s6wrap[@]}" echo "SSL disabled. No initialization needed." exit 0 fi 
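Review bot: The new `source /scripts/common` is unguarded, so if that file is missing or fails to load, `chk_enabled` is an unknown command, `! chk_enabled "${SSL}"` then succeeds, and the script exits 0 having logged "SSL disabled. No initialization needed." — a missing helper silently switches SSL off instead of failing the init stage. Consider `source /scripts/common || { echo "10-ssl: cannot load /scripts/common" >&2; exit 1; }`; the same unguarded `source` is added in 20-webproxy, 30-blockbot, 40-geoip, 50-check-ipv6, 60-block-ips, 70-basic-authentication, 80-set-cors, 99-test-webproxy and block-ips. The header also disables SC2015 file-wide, which hides the `A && B || C` constructs this commit converts only partially (the `lastforced`/`mustforce` lines in the next hunk still use the pattern).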
@@ -27,14 +27,14 @@ then [[ -z "$lastforced" ]] && lastforced=0 || true (( mustforce - lastforced > 0 )) && forceinstall="true" || true date +%s > /run/nginx/.letsencrypt/.force-reinstall.lastforced - echo -n "[$APPNAME][$(date)] Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce"). Last reinstall was at $(date -d "@$lastforced"). Will " + "${s6wrap[@]}" echo "Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce"). Last reinstall was at $(date -d "@$lastforced"). Will " [[ "$forceinstall" == "true" ]] && echo "reinstall certificates." || echo "not reinstall certificates." fi # if there is a backup and $forceinstall is not true, restore it if [[ -f /run/nginx/.letsencrypt/letsencrypt.tgz ]] && [[ "$forceinstall" != "true" ]] then - echo "[$APPNAME][$(date)] Backup of certificates found. Restoring..." + "${s6wrap[@]}" echo "Backup of certificates found. Restoring..." tar --overwrite -xzf /run/nginx/.letsencrypt/letsencrypt.tgz -C / >/dev/null 2>&1 elif [[ -d /etc/letsencrypt ]] then 
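Review bot: The replaced `echo -n "... Will "` lost its `-n`, and the next line `[[ "$forceinstall" == "true" ]] && echo "reinstall certificates." || echo "not reinstall certificates."` is still a bare echo, so the log now shows a prefixed line ending in "Will " followed by an unprefixed fragment on a line of its own. Build the sentence first and log it once: `[[ "$forceinstall" == "true" ]] && action="reinstall" || action="not reinstall"` and then `"${s6wrap[@]}" echo "Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce"). Last reinstall was at $(date -d "@$lastforced"). Will ${action} certificates."`. The enclosing `if` opens before this hunk.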
@@ -51,40 +51,41 @@ fi touch /run/nginx/locations.conf # Do some checks to ensure that there is enough info to request domains: +# shellcheck disable=SC2153 if (( ${#SSL_DOMAIN[@]} == 0 )) then # No domains in environment files. Complain and stop trying to install certificates: - echo "[$APPNAME][$(date)] --------------------------------------------------" - echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |" - echo "[$APPNAME][$(date)] | You must define at least 1 SSL_DOMAIN in your |" - echo "[$APPNAME][$(date)] | docker-compose.yml file. Go check and fix it! |" - echo "[$APPNAME][$(date)] | The container will continue without SSL. |" - echo "[$APPNAME][$(date)] --------------------------------------------------" + "${s6wrap[@]}" echo "--------------------------------------------------" + "${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |" + "${s6wrap[@]}" echo "| You must define at least 1 SSL_DOMAIN in your |" + "${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |" + "${s6wrap[@]}" echo "| The container will continue without SSL. |" + "${s6wrap[@]}" echo "--------------------------------------------------" exit 0 fi if ! grep -E "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <<< "$SSL_EMAIL" >/dev/null then # No domains in environment files. Complain and stop trying to install certificates: - echo "[$APPNAME][$(date)] --------------------------------------------------------" - echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |" - echo "[$APPNAME][$(date)] | You must provide a valid email in SSL_EMAIL in your |" - echo "[$APPNAME][$(date)] | docker-compose.yml file. Go check and fix it! |" - echo "[$APPNAME][$(date)] | The container will continue without SSL. |" - echo "[$APPNAME][$(date)] --------------------------------------------------------" + "${s6wrap[@]}" echo "--------------------------------------------------------" + "${s6wrap[@]}" echo "| WARNING ! 
NGINX SSL configuration problem |" + "${s6wrap[@]}" echo "| You must provide a valid email in SSL_EMAIL in your |" + "${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |" + "${s6wrap[@]}" echo "| The container will continue without SSL. |" + "${s6wrap[@]}" echo "--------------------------------------------------------" exit 0 fi if [[ "${SSL_TOS,,}" != "accept" ]] then # No domains in environment files. Complain and stop trying to install certificates: - echo "[$APPNAME][$(date)] --------------------------------------------------------------------------" - echo "[$APPNAME][$(date)] | WARNING ! NGINX SSL configuration problem |" - echo "[$APPNAME][$(date)] | You must accept the ACME Account TOS found at |" - echo "[$APPNAME][$(date)] | https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement |" - echo "[$APPNAME][$(date)] | and set SSL_TOS=ACCEPT in your docker-compose.yml file. |" - echo "[$APPNAME][$(date)] | Go check and fix it! The container will continue without SSL. |" - echo "[$APPNAME][$(date)] --------------------------------------------------------------------------" + "${s6wrap[@]}" echo "--------------------------------------------------------------------------" + "${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |" + "${s6wrap[@]}" echo "| You must accept the ACME Account TOS found at |" + "${s6wrap[@]}" echo "| https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement |" + "${s6wrap[@]}" echo "| and set SSL_TOS=ACCEPT in your docker-compose.yml file. |" + "${s6wrap[@]}" echo "| Go check and fix it! The container will continue without SSL. |" + "${s6wrap[@]}" echo "--------------------------------------------------------------------------" exit 0 else agree_tos="--agree-tos" 
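Review bot: The comment `# No domains in environment files. Complain and stop trying to install certificates:` is repeated verbatim above the SSL_EMAIL and SSL_TOS checks, where it is wrong; reword those two to `# No valid address in SSL_EMAIL. Complain and stop trying to install certificates:` and `# ACME TOS not accepted. Complain and stop trying to install certificates:`. Separately, the added `# shellcheck disable=SC2153` silences the warning on `(( ${#SSL_DOMAIN[@]} == 0 ))`, but SSL_DOMAIN is used as a plain string later in this file (it is fed to `read -ra SSL_DOMAINS`), and for a scalar that count is 1 whenever the variable is set — even to an empty string — so `SSL_DOMAIN=` passes this guard and reaches certbot with no domains. `if [[ -z "$SSL_DOMAIN" ]]` covers both the unset and the empty case without a suppression.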
@@ -97,6 +98,7 @@ newdomains=() #shellcheck disable=SC2207 domains=($(/usr/bin/certbot certificates 2>/dev/null | awk '/Domains:/ { $1=""; print substr($0,2) }')) +# shellcheck disable=SC2086 IFS="," read -ra SSL_DOMAINS <<< "$(echo $SSL_DOMAIN|tr -d '[:blank:]')" for (( i=0; i<${#SSL_DOMAINS[@]}; i++ )) do @@ -104,9 +106,17 @@ do done # Figure out if we want to redirect all queries to SSL? -[[ "${SSL_REDIRECT,,}" == "enabled" ]] && redirect="--redirect" || redirect="" +if chk_enabled "${SSL_REDIRECT}"; then + redirect="--redirect" +else + redirect="" +fi -(( ${#newdomains[@]} > 0 )) && echo "[$APPNAME][$(date)] New domains detected - attempting to get certificates for ${newdomains[@]}" || echo "[$APPNAME][$(date)] No new domains detected" +if (( ${#newdomains[@]} > 0 )); then + "${s6wrap[@]}" echo "New domains detected - attempting to get certificates for ${newdomains[@]}" +else + "${s6wrap[@]}" echo "No new domains detected" +fi # prepend "-d " before each domain name: newdomains=( "${newdomains[@]/#/-d }" ) 
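Review bot: The new `# shellcheck disable=SC2086` keeps the unquoted `$(echo $SSL_DOMAIN|tr -d '[:blank:]')`, where an SSL_DOMAIN value containing `*` or `?` is glob-expanded against the working directory before the domain list is split. Feed the variable to tr directly instead of suppressing the warning: `IFS="," read -ra SSL_DOMAINS <<< "$(tr -d '[:blank:]' <<< "$SSL_DOMAIN")"`.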
@@ -118,17 +128,17 @@ then # Something went wrong echo Error in: echo "/usr/bin/certbot run --quiet --nginx ${agree_tos} ${redirect} -m \"${SSL_EMAIL}\" ${newdomains[@]}" - echo "[$APPNAME][$(date)] --------------------------------------------------" - echo "[$APPNAME][$(date)] | STOP ! NGINX CertBot SSL installation problem |" - echo "[$APPNAME][$(date)] | Please see the error message above. |" - echo "[$APPNAME][$(date)] | |" - echo "[$APPNAME][$(date)] | The container will continue without SSL. |" - echo "[$APPNAME][$(date)] --------------------------------------------------" + "${s6wrap[@]}" echo "--------------------------------------------------" + "${s6wrap[@]}" echo "| STOP ! NGINX CertBot SSL installation problem |" + "${s6wrap[@]}" echo "| Please see the error message above. |" + "${s6wrap[@]}" echo "| |" + "${s6wrap[@]}" echo "| The container will continue without SSL. |" + "${s6wrap[@]}" echo "--------------------------------------------------" exit 0 else - echo "[$APPNAME][$(date)] SSL Certificates installed for these domains:" + "${s6wrap[@]}" echo "SSL Certificates installed for these domains:" /usr/bin/certbot certificates - [[ "${SSL_REDIRECT,,}" == "enabled" ]] && echo "[$APPNAME][$(date)] All web traffic will be redirected to SSL." + [[ "${SSL_REDIRECT,,}" == "enabled" ]] && "${s6wrap[@]}" echo "All web traffic will be redirected to SSL." # back things up again, keep a copy of the previous TGZ if there was one: mkdir -p /run/nginx/.letsencrypt @@ -143,6 +153,6 @@ else touch /run/.ssl-enabled - echo "[$APPNAME][$(date)] Nginx will start with SSL enabled." - echo "[$APPNAME][$(date)] The container will check every 24 hours to see if the certificates need renewal." + "${s6wrap[@]}" echo "Nginx will start with SSL enabled." + "${s6wrap[@]}" echo "The container will check every 24 hours to see if the certificates need renewal." fi 
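Review bot: `[[ "${SSL_REDIRECT,,}" == "enabled" ]] && "${s6wrap[@]}" echo "All web traffic will be redirected to SSL."` still uses the old literal comparison, while the `redirect` flag is now derived from `chk_enabled "${SSL_REDIRECT}"` in the previous hunk; if chk_enabled accepts other spellings (presumably it does, or the conversion would be pointless), the redirect is applied but never logged. Test the value already computed: `[[ -n "$redirect" ]] && "${s6wrap[@]}" echo "All web traffic will be redirected to SSL."`. The two bare `echo Error in:` / `echo "/usr/bin/certbot run ..."` lines above the banner are also left unwrapped, so the actual failure reason prints without the prefix the commit introduces everywhere else.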
diff --git a/rootfs/etc/s6-overlay/scripts/20-webproxy b/rootfs/etc/s6-overlay/scripts/20-webproxy index 340cb9e..7407e57 100755 --- a/rootfs/etc/s6-overlay/scripts/20-webproxy +++ b/rootfs/etc/s6-overlay/scripts/20-webproxy @@ -1,8 +1,9 @@ #!/command/with-contenv bash -#shellcheck shell=bash disable=SC2174 +#shellcheck shell=bash disable=SC2174,SC1091,SC2154,SC2015 -APPNAME="$(hostname)/20-webproxy" -echo "[$APPNAME][$(date)] Initial setup -- installing NXINX web service" +source /scripts/common + +"${s6wrap[@]}" echo "Initial setup -- installing NXINX web service" # create run directory. This is where the locations.conf file will be located. # Create the correct ownership and permissions for the /var/log/nginx directory: @@ -27,9 +28,8 @@ touch /var/log/nginx/error.log chmod a+rw /var/log/nginx/access.log /var/log/nginx/error.log # auto-create the locations.conf file if $AUTOGENERATE is set to yes -if [[ "$AUTOGENERATE" == "ON" ]] -then - echo "[$APPNAME][$(date)] Auto-generating locations.conf file" +if chk_enabled "$AUTOGENERATE"; then + "${s6wrap[@]}" echo "Auto-generating locations.conf file" # back up any existing locations.conf file: [[ -f /run/nginx/locations.conf ]] && mv -f /run/nginx/locations.conf "/run/nginx/locations.conf.bkup-$(date +%y%m%d%H%M%S)" @@ -60,13 +60,13 @@ then if [[ -z "$location" ]] || [[ -z "$destination" ]] then - echo "[$APPNAME][$(date)] WARNING: Skipping empty location or destination for REDIRECT $location:$destination" + "${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REDIRECT $location:$destination" continue; fi if [[ -n "$creds" ]] then - echo "[$APPNAME][$(date)] WARNING: Auth credentials not supported REDIRECT ($location:$destination). Implemented without authentications" + "${s6wrap[@]}" echo "WARNING: Auth credentials not supported REDIRECT ($location:$destination). Implemented without authentications" fi # fix prefixes and suffixes if necessary: 
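Review bot: The comment `# auto-create the locations.conf file if $AUTOGENERATE is set to yes` no longer describes the condition below it, which changed from `== "ON"` to `chk_enabled "$AUTOGENERATE"`; reword it to `# auto-create the locations.conf file when AUTOGENERATE is enabled (see chk_enabled in /scripts/common)`. The banner later in this file (hunk at -142) still tells the user to `set AUTOGENERATE=ON`, which is presumably still accepted but is no longer the only accepted value. The first log line of this file also carries a typo, `installing NXINX web service`, which should read `NGINX`.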
@@ -76,9 +76,10 @@ then [[ "${location:0:2}" == "/=" ]] && location="= ${location:2}" || true # Now print the location entry: - printf "location %s {\n" "$location" >> /run/nginx/locations.conf - printf " return 301 %s;\n" "$destination" >> /run/nginx/locations.conf - printf "}\n\n" >> /run/nginx/locations.conf + { printf "location %s {\n" "$location" + printf " return 301 %s;\n" "$destination" + printf "}\n\n" + } >> /run/nginx/locations.conf done @@ -99,7 +100,7 @@ then if [[ -z "$location" ]] || [[ -z "$destination" ]] then - echo "[$APPNAME][$(date)] WARNING: Skipping empty location or destination for REDIRECT $location:$destination" + "${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REDIRECT $location:$destination" continue; fi 
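Review bot: The warning `"WARNING: Skipping empty location or destination for REDIRECT $location:$destination"` in the second hunk looks copy-pasted from the REDIRECT loop above it; the entries this loop emits (`proxy_pass`, `auth_basic` in the following hunk) suggest it handles REVPROXY, so the message points the operator at the wrong variable. If so, change it to `"WARNING: Skipping empty location or destination for REVPROXY $location:$destination"`. The loop header is outside the hunk, so confirm which variable it iterates before changing the text.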
@@ -119,19 +120,20 @@ then [[ "${destination: -1}" != "/" ]] && destination="$destination/" # Now print the location entry: - printf "location %s {\n" "/$location/" >> /run/nginx/locations.conf - printf " auth_basic %s;\n" "$basic_auth" >> /run/nginx/locations.conf - printf " %s /run/nginx/.htaccess/.htpasswd-%s;\n" "$abuf" "${location///}" >> /run/nginx/locations.conf - printf " proxy_pass %s;\n" "$destination" >> /run/nginx/locations.conf - printf " proxy_http_version 1.1;\n" >> /run/nginx/locations.conf - - # Additional line to catch redirects; suggested by @wiedehopf: - # removed again after discussions - # printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf - printf " proxy_redirect / /%s/;\n" "$location" >> /run/nginx/locations.conf - # close off the location entry: - printf "}\n\n" >> /run/nginx/locations.conf - touch /run/nginx/.htaccess/.htpasswd-${location///} # make sure that the passwd file exists even if it's empty or not used + { printf "location %s {\n" "/$location/" + printf " auth_basic %s;\n" "$basic_auth" + printf " %s /run/nginx/.htaccess/.htpasswd-%s;\n" "$abuf" "${location///}" + printf " proxy_pass %s;\n" "$destination" + printf " proxy_http_version 1.1;\n" + + # Additional line to catch redirects; suggested by @wiedehopf: + # removed again after discussions + # printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf + printf " proxy_redirect / /%s/;\n" "$location" + # close off the location entry: + printf "}\n\n" + } >> /run/nginx/locations.conf + touch "/run/nginx/.htaccess/.htpasswd-${location///}" # make sure that the passwd file exists even if it's empty or not used done # Finally add the default index files to this configuration: 
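Review bot: Inside the new brace group the commented-out `# printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf` keeps its own per-line redirect, which would be wrong if anyone re-enables it now that the group is redirected as a whole; drop the trailing `>> /run/nginx/locations.conf` from the comment. Style: the group opens with `{ printf ...` on one line while the closing `}` sits alone, which shfmt reflows; putting `{` on its own line keeps the block stable. The `.htpasswd-*` file created by `touch` gets whatever mode the umask allows and later holds password hashes; a tighter mode after the touch would be cheap if the nginx worker user can still read it — not verifiable from here.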
@@ -142,16 +144,16 @@ then elif [[ ! -f /run/nginx/locations.conf ]] then # No locations.conf is found, and none is generated either. Complain and stop the container: - echo "-------------------------------------------------" - echo "| STOP ! You must either: |" - echo "| set AUTOGENERATE=ON in docker-compose.yml |" - echo "| or provide a well-formed locations.conf file |" - echo "| Please do so and then restart the container. |" - echo "-------------------------------------------------" + "${s6wrap[@]}" echo "-------------------------------------------------" + "${s6wrap[@]}" echo "| STOP ! You must either: |" + "${s6wrap[@]}" echo "| set AUTOGENERATE=ON in docker-compose.yml |" + "${s6wrap[@]}" echo "| or provide a well-formed locations.conf file |" + "${s6wrap[@]}" echo "| Please do so and then restart the container. |" + "${s6wrap[@]}" echo "-------------------------------------------------" [[ -z "$DEBUG" ]] && exit 1 || sleep infinity else - echo "[$APPNAME][$(date)] Using user-provided locations.conf file" + "${s6wrap[@]}" echo "Using user-provided locations.conf file" fi # now enable default: 
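Review bot: `[[ -z "$DEBUG" ]] && exit 1 || sleep infinity` is left as-is here, while 99-test-webproxy in this same commit rewrites the identical construct to an `if`/`else` with `exec sleep infinity`; do the same for consistency: `if [[ -z "$DEBUG" ]]; then exit 1; else exec sleep infinity; fi`. The SC2015 suppression added to this file's header is what now hides the warning on this line.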
@@ -160,16 +162,16 @@ ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default # set logging to what VERBOSELOG says. Default is off, "ON" means to stdout, "FILE" means to access.log/error.log file in external volume if [[ "${VERBOSELOG,,}" == "on" ]] || [[ "${VERBOSELOG,,}" == "true" ]] then - echo "[$APPNAME][$(date)] Enabled HTTP logging to container logs" + "${s6wrap[@]}" echo "Enabled HTTP logging to container logs" sed -i 's|\(^\s*access_log \).*|\1/dev/stdout ;|' /etc/nginx/nginx.conf sed -i 's|\(^\s*error_log \).*|\1/dev/stdout ;|' /etc/nginx/nginx.conf elif [[ "${VERBOSELOG,,}" == "file" ]] then - echo "[$APPNAME][$(date)] Enabled HTTP logging to files in shared volume" + "${s6wrap[@]}" echo "Enabled HTTP logging to files in shared volume" sed -i 's|\(^\s*access_log \).*|\1/run/nginx/access.log ;|' /etc/nginx/nginx.conf sed -i 's|\(^\s*error_log \).*|\1/run/nginx/error.log ;|' /etc/nginx/nginx.conf else - echo "[$APPNAME][$(date)] HTTP logging is disabled" + "${s6wrap[@]}" echo "HTTP logging is disabled" fi diff --git a/rootfs/etc/s6-overlay/scripts/30-blockbot b/rootfs/etc/s6-overlay/scripts/30-blockbot index 1176ecd..8fbd8ff 100755 --- a/rootfs/etc/s6-overlay/scripts/30-blockbot +++ b/rootfs/etc/s6-overlay/scripts/30-blockbot 
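Review bot: The VERBOSELOG test `[[ "${VERBOSELOG,,}" == "on" ]] || [[ "${VERBOSELOG,,}" == "true" ]]` is the pattern the rest of the commit replaces with `chk_enabled`, so spellings that chk_enabled presumably accepts elsewhere fall through to the "HTTP logging is disabled" branch here. `if chk_enabled "${VERBOSELOG}"; then` for the first branch keeps the `file` case in the `elif` intact; the comment above it (`"ON" means to stdout`) should then say that any enabled value means stdout.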
@@ -1,22 +1,25 @@ #!/command/with-contenv bash -#shellcheck shell=bash +#shellcheck shell=bash disable=SC2154,SC1091 -APPNAME="$(hostname)/30-blockbot" -echo "[$APPNAME][$(date)] Initial setup -- installing BLOCKBOT service" +source /scripts/common + +"${s6wrap[@]}" echo "Initial setup -- installing BLOCKBOT service" mv -f /root/blockstats /usr/local/bin >/dev/null 2>&1 mv -f /root/ipmap /usr/local/bin >/dev/null 2>&1 if [[ -n "$BLOCKBOT" ]] then - BLOCKLIST="$(sed 's/,/|/g' <<< "$BLOCKBOT")" - echo "[$APPNAME][$(date)] Blocking these bots: $BLOCKBOT" - printf "map \$http_user_agent \$limit_bots {\n" >/etc/nginx/blockbot.conf - printf " default 0;\n" >>/etc/nginx/blockbot.conf - printf " ~*(%s) 1;\n" "${BLOCKLIST// /}" >>/etc/nginx/blockbot.conf - printf "}\n" >>/etc/nginx/blockbot.conf + # shellcheck disable=SC2001 + { BLOCKLIST="$(sed 's/,/|/g' <<< "$BLOCKBOT")" + "${s6wrap[@]}" echo "Blocking these bots: $BLOCKBOT" + printf "map \$http_user_agent \$limit_bots {\n" + printf " default 0;\n" + printf " ~*(%s) 1;\n" "${BLOCKLIST// /}" + printf "}\n" + } >/etc/nginx/blockbot.conf else - echo "[$APPNAME][$(date)] Bot blocking disabled" + "${s6wrap[@]}" echo "Bot blocking disabled" cp -f /etc/nginx/blockbot.conf.org /etc/nginx/blockbot.conf exit 0 fi 
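Review bot: `"${s6wrap[@]}" echo "Blocking these bots: $BLOCKBOT"` was moved inside the brace group that is redirected with `>/etc/nginx/blockbot.conf`, so — unless s6wrap writes somewhere other than stdout — the log line becomes the first line of the nginx map file, ahead of `map $http_user_agent $limit_bots {`, and nginx will very likely reject the configuration at the 99-test-webproxy stage. Move the echo and the `BLOCKLIST=` assignment (which needs no redirect) above the `{`, leaving only the four printf lines inside the group. Separately, BLOCKLIST is spliced into the `~*(%s)` regex unescaped, so a BLOCKBOT fragment containing `(`, `)` or `.` changes the pattern; that is pre-existing but deserves a comment on the printf line.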
@@ -30,9 +33,10 @@ fi if [[ "$BLOCKBOT_RESPONSECODE" -lt 100 ]] || [[ "$BLOCKBOT_RESPONSECODE" -gt 999 ]] then - echo "[$APPNAME][$(date)] Response code value for blocked bots \"$BLOCKBOT_RESPONSECODE\" is invalid. Defaulting to \"403\"." + "${s6wrap[@]}" echo "Response code value for blocked bots \"$BLOCKBOT_RESPONSECODE\" is invalid. Defaulting to \"403\"." BLOCKBOT_RESPONSECODE="403" else - echo "[$APPNAME][$(date)] Setting response code for blocked bots to $BLOCKBOT_RESPONSECODE." + "${s6wrap[@]}" echo "Setting response code for blocked bots to $BLOCKBOT_RESPONSECODE." fi +# shellcheck disable=SC2016 sed -i '/\s*if ($limit_bots = 1)/{$!{N;s/\(\s*if ($limit_bots = 1) {\s*\n\s*return \)[0-9]*\(.*\)/\1'"$BLOCKBOT_RESPONSECODE"'\2/;ty;P;D;:y}}' /etc/nginx/sites-available/default >/dev/null 2>&1 diff --git a/rootfs/etc/s6-overlay/scripts/40-geoip b/rootfs/etc/s6-overlay/scripts/40-geoip index 27e0fcc..1cc03d1 100755 --- a/rootfs/etc/s6-overlay/scripts/40-geoip +++ b/rootfs/etc/s6-overlay/scripts/40-geoip 
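Review bot: `[[ "$BLOCKBOT_RESPONSECODE" -lt 100 ]] || [[ "$BLOCKBOT_RESPONSECODE" -gt 999 ]]` only rejects values bash can evaluate arithmetically; a value like `403abc` makes both tests error out, lands in the else branch, and is then interpolated into the sed expression that rewrites sites-available/default, whose errors are hidden by `>/dev/null 2>&1`, and a value containing `/` breaks that expression outright. Validate the shape once and reuse it for the range: `if ! [[ "$BLOCKBOT_RESPONSECODE" =~ ^[1-9][0-9]{2}$ ]]; then`. GEOIP_RESPONSECODE in 40-geoip (hunk at -146) has the same check and the same sed.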
@@ -1,21 +1,21 @@ #!/command/with-contenv bash -#shellcheck shell=bash disable=SC2145 +#shellcheck shell=bash disable=SC2145,SC1091,SC2154,SC2015 + +source /scripts/common -APPNAME="$(hostname)/40-geoip" GEOIPDIR="/usr/share/GeoIP" NGINXGEOIPCNF="/etc/nginx/geoip_countries.conf" -echo "[$APPNAME][$(date)] Set up of GeoIP Database and corresponding nginx configuration" +"${s6wrap[@]}" echo "Set up of GeoIP Database and corresponding nginx configuration" #Moving geoip_countries.conf to the right place -echo "[$APPNAME][$(date)] Copy geoip_countries.conf to the right place, delete old version first" +"${s6wrap[@]}" echo "Copy geoip_countries.conf to the right place, delete old version first" rm -f /etc/nginx/geoip_countries.conf cp -f /root/geoip_countries.conf /etc/nginx/geoip_countries.conf #Nothing set up in the docker-compose.yml? Then set default yes and abort the rest of the script -if ! [[ -n "$GEOIP_DEFAULT" ]] -then - echo "[$APPNAME][$(date)] GEOIP_DEFAULT not set, aborting further GeoIP setup." +if [[ -z "$GEOIP_DEFAULT" ]]; then + "${s6wrap[@]}" echo "GEOIP_DEFAULT not set, aborting further GeoIP setup." sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF exit 0 fi @@ -31,7 +31,7 @@ if [[ -f /run/nginx/.geoip/GeoIP.bckup ]]; then if [ "$(( $(date +"%s") - $(stat -c "%Y" /run/nginx/.geoip/GeoIP.bckup) ))" -gt "90000" ] then - echo "[$APPNAME][$(date)] Found DB Backup which is older than 3 hours. Deleting" + "${s6wrap[@]}" echo "Found DB Backup which is older than 3 hours. Deleting" rm -f /run/nginx/.geoip/*.gz rm -f /run/nginx/.geoip/GeoIP.bckup fi 
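Review bot: The log line `"Found DB Backup which is older than 3 hours. Deleting"` in the second hunk does not match the test it reports on, `... -gt "90000"`, which is 90000 seconds, i.e. 25 hours; either the constant or the message is wrong, and a comment should state the intended interval. If a daily refresh is intended, change the message to `older than 25 hours`; otherwise use `10800`. In the first hunk `sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF` leaves the path unquoted, unlike `"$GEOIPDIR"` elsewhere in the file.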
@@ -41,11 +41,11 @@ fi if [[ -f /run/nginx/.geoip/GeoIP.dat.gz && -f /run/nginx/.geoip/GeoIPv6.dat.gz ]] then backupworks=true - echo "[$APPNAME][$(date)] Found a Backup, installing" + "${s6wrap[@]}" echo "Found a Backup, installing" [[ -f /run/nginx/.geoip/GeoIP.dat.gz ]] && cp /run/nginx/.geoip/GeoIP.dat.gz /"$GEOIPDIR" [[ -f /run/nginx/.geoip/GeoIPv6.dat.gz ]] && cp /run/nginx/.geoip/GeoIPv6.dat.gz /"$GEOIPDIR" else backupworks=false - echo "[$APPNAME][$(date)] No Backup found, continue" + "${s6wrap[@]}" echo "No Backup found, continue" fi 
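Review bot: `cp /run/nginx/.geoip/GeoIP.dat.gz /"$GEOIPDIR"` prepends a slash to a GEOIPDIR that already starts with one (`/usr/share/GeoIP` in the first hunk), producing `//usr/share/GeoIP`; harmless on Linux but it reads like a mistake. The `[[ -f ... ]] &&` guards on both cp lines are also redundant, since the enclosing `if` has just tested both files. `cp /run/nginx/.geoip/GeoIP.dat.gz "$GEOIPDIR"/` and the same for GeoIPv6 is enough.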
@@ -57,57 +57,43 @@ if [[ "$backupworks" == "false" ]] ! curl --fail -sL -o "$GEOIPDIR"/GeoIPv6.dat.gz https://mailfud.org/geoip-legacy/GeoIPv6.dat.gz && geoipfail=true || true if [[ "$geoipfail" == "false" ]] then - echo "[$APPNAME][$(date)] Successfully downloaded DB from mailfud.org" + "${s6wrap[@]}" echo "Successfully downloaded DB from mailfud.org" fi fi #as there is a download limit from mailfud, backup the files to /run/nginx/.geoip/ and create a file as timestamp for further processing if [[ "$backupworks" == "false" ]] && [[ "$geoipfail" == "false" ]] then -echo "[$APPNAME][$(date)] Backup mailfud GeoIP DB to /run/nginx/.geoip" +"${s6wrap[@]}" echo "Backup mailfud GeoIP DB to /run/nginx/.geoip" cp "$GEOIPDIR"/GeoIP.dat.gz /run/nginx/.geoip cp "$GEOIPDIR"/GeoIPv6.dat.gz /run/nginx/.geoip touch /run/nginx/.geoip/GeoIP.bckup fi -#If the mailfud download fails, lets see if we have a backup and try to copy it into the right place. -#if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] -#then -# if [[ -f /run/nginx/.geoip/GeoIP.dat.gz && -f /run/nginx/.geoip/GeoIPv6.dat.gz ]]; -# then -# backupfail=false -# echo "[$APPNAME][$(date)] Using backuped DB" -# [[ -f /run/nginx/.geoip/GeoIP.dat.gz ]] && cp /run/nginx/.geoip/GeoIP.dat.gz /"$GEOIPDIR" -# [[ -f /run/nginx/.geoip/GeoIPv6.dat.gz ]] && cp /run/nginx/.geoip/GeoIPv6.dat.gz /"$GEOIPDIR" -# else backupfail=true -# echo "[$APPNAME][$(date)] Nothing to backup, Download from mailfud seemingly didn't work" -# fi -#fi - # if we couldn't get the mailfud DB and the backup is not working either, let's fall back to another database: if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] then centminfail=false - echo "[$APPNAME][$(date)] Couldn't download the mailfud GeoIP DB or use a backup. Now trying centminmod" + "${s6wrap[@]}" echo "Couldn't download the mailfud GeoIP DB or use a backup. Now trying centminmod" ! 
curl --fail -sL -o "$GEOIPDIR"/GeoIP.dat.gz https://centminmod.com/centminmodparts/geoip-legacy/GeoIP.dat.gz && centminfail=true || true ! curl --fail -sL -o "$GEOIPDIR"/GeoIPv6.dat.gz https://centminmod.com/centminmodparts/geoip-legacy/GeoIPv6.dat.gz && centminfail=true || true fi if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] && [[ "$centminfail" == "false" ]] then - echo "[$APPNAME][$(date)] Successfully downloaded DB from centminmod.com" + "${s6wrap[@]}" echo "Successfully downloaded DB from centminmod.com" fi #If nothing of the above did work out, we just use what we got through apt install if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] && [[ "$centminfail" == "true" ]] then - echo "[$APPNAME][$(date)] Couldn't retrieve any newer GeoIP databases. Your database may be out of date." + "${s6wrap[@]}" echo "Couldn't retrieve any newer GeoIP databases. Your database may be out of date." else - echo "[$APPNAME][$(date)] DB successfully installed" + "${s6wrap[@]}" echo "DB successfully installed" fi #Now we need to unzip what we got - if we got any -echo "[$APPNAME][$(date)] Unpacking downloaded DB" +"${s6wrap[@]}" echo "Unpacking downloaded DB" [[ -f "$GEOIPDIR"/GeoIP.dat.gz ]] && gunzip -f "$GEOIPDIR"/GeoIP.dat.gz [[ -f "$GEOIPDIR"/GeoIPv6.dat.gz ]] && gunzip -f "$GEOIPDIR"/GeoIPv6.dat.gz @@ -117,7 +103,7 @@ IFS=',' read -ra include_list <<< "$GEOIP_COUNTRIES" #set the default GeoIP in /etc/nginx/nginx.conf - if the variable was set up in docker-compose but with unexpected content, fall back to default yes case "$GEOIP_DEFAULT" in allow|ALLOW) - echo "[$APPNAME][$(date)] Default is set to allow every country but block these: ${include_list[@]}" + "${s6wrap[@]}" echo "Default is set to allow every country but block these: ${include_list[@]}" sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF for a in "${include_list[@]}" do 
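Review bot: Inside the `if [[ "$backupworks" == "false" ]] && [[ "$geoipfail" == "false" ]]` block the four statements (`"${s6wrap[@]}" echo "Backup mailfud GeoIP DB to /run/nginx/.geoip"`, the two `cp` and the `touch`) sit at column 0, unlike every other `then` body in the file; indent them to match. The downloaded `.gz` files are gunzipped in place with nothing beyond curl's `--fail` checking what was fetched; if either upstream publishes checksums, verifying before `gunzip -f` would be worth a line — none are visible here, so this is only a suggestion.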
@@ -126,7 +112,7 @@ case "$GEOIP_DEFAULT" in ;; block|BLOCK) - echo "[$APPNAME][$(date)] Default is set to block every country and only allow these: ${include_list[@]}" + "${s6wrap[@]}" echo "Default is set to block every country and only allow these: ${include_list[@]}" sed -i '/^#defaultsetting.*/a default no;' $NGINXGEOIPCNF for a in "${include_list[@]}" do @@ -134,7 +120,7 @@ case "$GEOIP_DEFAULT" in done ;; *) - echo "[$APPNAME][$(date)] Configuration not set or has a wrong value (use only allow or block). Defaulting to allow all" + "${s6wrap[@]}" echo "Configuration not set or has a wrong value (use only allow or block). Defaulting to allow all" sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF ;; @@ -146,10 +132,11 @@ esac # 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status if [[ -n "$GEOIP_RESPONSECODE" ]] && [[ "$GEOIP_RESPONSECODE" -ge 100 ]] && [[ "$GEOIP_RESPONSECODE" -le 999 ]] then - echo "[$APPNAME][$(date)] Setting response code for blocked bots to $GEOIP_RESPONSECODE" + "${s6wrap[@]}" echo "Setting response code for blocked bots to $GEOIP_RESPONSECODE" + # shellcheck disable=SC2016 sed -i '/\s*if ($allowed_country = no)/{$!{N;s/\(\s*if ($allowed_country = no) {\s*\n\s*return \)[0-9]*\(.*\)/\1'"$GEOIP_RESPONSECODE"'\2/;ty;P;D;:y}}' /etc/nginx/sites-available/default >/dev/null 2>&1 fi -echo "[$APPNAME][$(date)] Finished setting up GeoIP" +"${s6wrap[@]}" echo "Finished setting up GeoIP" exit diff --git a/rootfs/etc/s6-overlay/scripts/50-check-ipv6 b/rootfs/etc/s6-overlay/scripts/50-check-ipv6 index 86677f5..7b024e9 100755 --- a/rootfs/etc/s6-overlay/scripts/50-check-ipv6 +++ b/rootfs/etc/s6-overlay/scripts/50-check-ipv6 
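Review bot: `"Setting response code for blocked bots to $GEOIP_RESPONSECODE"` in the last hunk is the 30-blockbot message; this script sets the code nginx returns when `$allowed_country = no`, so say `for blocked countries`. The value validation in the same `if` shares the weakness raised on 30-blockbot in this commit.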
@@ -1,11 +1,11 @@ #!/command/with-contenv bash -#shellcheck shell=bash +#shellcheck shell=bash disable=SC1091 # # This init script disables IPV6 if the IPV6 env variable is set to "disabled" or "off" # This is necessary to deal with systems that have IPV6 switched off - if we don't do this, # the nginx test run in 99-test-webproxy will fail. -APPNAME="$(hostname)/50-check-ipv6" +source /scripts/common IPV6="${IPV6,,}" IPV6="${IPV6:0:3}" @@ -13,9 +13,10 @@ if [[ "$IPV6" == "dis" ]] || [[ "$IPV6" == "off" ]] then sed -i 's/\(\s*listen \[::\]:80\)/#\1/g' /etc/nginx/sites-available/default sed -i 's/\(\s*listen \[::\]:443\)/#\1/g' /etc/nginx/sites-available/default - echo "[$APPNAME][$(date)] IPV6 disabled" + # shellcheck disable=SC2154 + "${s6wrap[@]}" echo "IPV6 disabled" else sed -i 's/#\(\s*listen \[::\]:80\)/\1/g' /etc/nginx/sites-available/default sed -i 's/#\(\s*listen \[::\]:443\)/\1/g' /etc/nginx/sites-available/default - echo "[$APPNAME][$(date)] IPV6 enabled (default)" + "${s6wrap[@]}" echo "IPV6 enabled (default)" fi diff --git a/rootfs/etc/s6-overlay/scripts/60-block-ips b/rootfs/etc/s6-overlay/scripts/60-block-ips index 2dca7f2..3d9ec87 100755 --- a/rootfs/etc/s6-overlay/scripts/60-block-ips +++ b/rootfs/etc/s6-overlay/scripts/60-block-ips @@ -5,7 +5,8 @@ # This is necessary to deal with systems that have IPV6 switched off - if we don't do this, # the nginx test run in 99-test-webproxy will fail. -APPNAME="$(hostname)/60-block-ips" +# shellcheck disable=SC1091 +source /scripts/common IPTABLES_BLOCK="${IPTABLES_BLOCK,,}" IPTABLES_BLOCK="${IPTABLES_BLOCK:0:3}" 
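Review bot: The header comment kept as context in the 60-block-ips hunk — `# This is necessary to deal with systems that have IPV6 switched off ... # the nginx test run in 99-test-webproxy will fail.` — is the 50-check-ipv6 header copied into a script that does something else (it installs iptables DROP rules from /run/nginx/ip-blocklist, per the later hunks). Replace it with a header describing that, e.g. `# Init script: adds iptables DROP rules for the addresses in /run/nginx/ip-blocklist when IPTABLES_BLOCK is enabled; block-ips appears to be the long-running counterpart.`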
@@ -14,13 +15,14 @@ cp -f /root/manage_ipblock /usr/local/bin >/dev/null 2>&1 if [[ "$IPTABLES_BLOCK" != "ena" ]] && [[ "$IPTABLES_BLOCK" != "on" ]] then - echo "[$APPNAME][$(date)] Bot blocking is disabled. Continuing..." + # shellcheck disable=SC2154 + "${s6wrap[@]}" echo "Bot blocking is disabled. Continuing..." exit 0 fi if [[ -z "$BLOCKBOT" ]] then - echo "[$APPNAME][$(date)] Bot blocking is disabled. Continuing..." + "${s6wrap[@]}" echo "Bot blocking is disabled. Continuing..." exit 0 fi @@ -57,7 +59,7 @@ function conv_blocklist () { echo "${line[*]}" >> /tmp/ip-blocklist done < /run/nginx/ip-blocklist mv -f /tmp/ip-blocklist /run/nginx/ip-blocklist - echo "[$APPNAME][$(date)] ip-blocklist file has been converted to the new format." + "${s6wrap[@]}" echo "ip-blocklist file has been converted to the new format." return 0 } # enable logging: @@ -73,14 +75,14 @@ if [[ -f /run/nginx/ip-blocklist ]] then while read -ra line do - if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! grep -f /run/nginx/ip-allowlist >/dev/null 2>&1 <<< "${line[0]}" && ! iptables -C INPUT -s ${line[0]} -j DROP >/dev/null 2>&1 + if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! grep -f /run/nginx/ip-allowlist >/dev/null 2>&1 <<< "${line[0]}" && ! iptables -C INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 then # add the IP from the first field of the line to the iptables block list if... # - the line isn't empty # - the first field of the line doesn't start with "#" (in which case it's a comment) # - the IP isn't in the ip-allowlist (if that file exists) # - the IP isn't already in the iptables block list - iptables -I INPUT -s ${line[0]} -j DROP >/dev/null 2>&1 + iptables -I INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 blocktable+=("${line[0]}") fi done < /run/nginx/ip-blocklist 
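Review bot: Both early exits in the first hunk now log the identical `"Bot blocking is disabled. Continuing..."`, once when IPTABLES_BLOCK is not enabled and once when BLOCKBOT is empty, so the log cannot tell which setting switched the feature off — and this script manages iptables IP blocking, not bot blocking. Use e.g. `"IP blocking is disabled (IPTABLES_BLOCK not enabled). Continuing..."` and `"IP blocking is disabled (BLOCKBOT is empty). Continuing..."`. block-ips (hunk at -9 in this commit) has the same pair of messages.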
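Review bot: `grep -f /run/nginx/ip-allowlist <<< "${line[0]}"` in the last hunk treats every allowlist line as an unanchored regex, so an entry `10.0.0.1` also matches `10.0.0.10` or `110.0.0.1` and those addresses are never added to the DROP list, and a blank line in the allowlist matches every candidate so nothing is blocked at all. Use fixed-string, whole-line matching: `! grep -qFx -f /run/nginx/ip-allowlist <<< "${line[0]}"`. The same condition appears in block-ips (hunk at -47 in this commit). Quoting `"${line[0]}"` in the iptables calls is a good fix.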
@@ -91,8 +93,8 @@ fi if (( ${#blocktable[@]} > 0 )) then - echo "[$APPNAME][$(date)] These ${#blocktable[@]} IPs were blocked previously and have been added to the iptables block list:" - echo "[$APPNAME][$(date)] ${blocktable[@]}" + "${s6wrap[@]}" echo "These ${#blocktable[@]} IPs were blocked previously and have been added to the iptables block list:" + "${s6wrap[@]}" echo "${blocktable[@]}" else - echo "[$APPNAME][$(date)] No previous iptables block list found. Continuing..." + "${s6wrap[@]}" echo "No previous iptables block list found. Continuing..." fi diff --git a/rootfs/etc/s6-overlay/scripts/70-basic-authentication b/rootfs/etc/s6-overlay/scripts/70-basic-authentication index 86a527b..ab15178 100755 --- a/rootfs/etc/s6-overlay/scripts/70-basic-authentication +++ b/rootfs/etc/s6-overlay/scripts/70-basic-authentication @@ -1,11 +1,13 @@ #!/command/with-contenv bash #shellcheck shell=bash disable=SC2174 -APPNAME="$(hostname)/70-basic-authentication" +# shellcheck disable=SC1091 +source /scripts/common if [[ "${AUTH,,}" != "on" ]] then - echo "[$APPNAME][$(date)] Basic Authentication is not enabled. Continuing." + # shellcheck disable=SC2154 + "${s6wrap[@]}" echo "Basic Authentication is not enabled. Continuing." exit 0 fi @@ -28,11 +30,11 @@ then password="${cred##*|}" if [[ -z "$username" ]] || [[ -z "$password" ]] then - echo "[$APPNAME][$(date)] WARNING: Entry $n of CREDENTIALS variable is wrongly formatted. Skipping..." + "${s6wrap[@]}" echo "WARNING: Entry $n of CREDENTIALS variable is wrongly formatted. Skipping..." (( errors++ )) continue fi - printf "%s:%s\n" "$username" "$(openssl passwd -5 $password)" >> /run/nginx/.htaccess/.htpasswd_global + printf "%s:%s\n" "$username" "$(openssl passwd -5 "$password")" >> /run/nginx/.htaccess/.htpasswd_global done # Make sure that the default file is correctly set up: 
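Review bot: Quoting `"$password"` fixes the word-splitting, but `openssl passwd -5 "$password"` in the last hunk still passes the plaintext on the command line, where it is visible to any process in the container through `ps` or `/proc/*/cmdline` for the duration of the call, and to anyone reading a trace if `set -x` is ever enabled here. openssl passwd can read it from stdin instead: `printf "%s:%s\n" "$username" "$(openssl passwd -5 -stdin <<< "$password")" >> /run/nginx/.htaccess/.htpasswd_global`. The per-location loop in the next hunk (-80) has the same call.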
@@ -80,7 +82,7 @@ do creds="${creds#*|}" # now there's only the next user|pass|user|pass etc left # note - if there is no more username|pass, then $creds will contain the last password but no '|' # write credentials to password file: - printf "%s:%s\n" "$username" "$(openssl passwd -5 $password)" >> "/run/nginx/.htaccess/.htpasswd-${location}" + printf "%s:%s\n" "$username" "$(openssl passwd -5 "$password")" >> "/run/nginx/.htaccess/.htpasswd-${location}" done fi done diff --git a/rootfs/etc/s6-overlay/scripts/80-set-cors b/rootfs/etc/s6-overlay/scripts/80-set-cors index 8552a15..a73f10e 100755 --- a/rootfs/etc/s6-overlay/scripts/80-set-cors +++ b/rootfs/etc/s6-overlay/scripts/80-set-cors @@ -1,7 +1,8 @@ #!/command/with-contenv bash #shellcheck shell=bash disable=SC2174 -APPNAME="$(hostname)/80-set-cors" +# shellcheck disable=SC1091 +source /scripts/common if [[ -z "${CORSHOSTS}" ]] then diff --git a/rootfs/etc/s6-overlay/scripts/99-test-webproxy b/rootfs/etc/s6-overlay/scripts/99-test-webproxy index b61fdc2..f360b29 100755 --- a/rootfs/etc/s6-overlay/scripts/99-test-webproxy +++ b/rootfs/etc/s6-overlay/scripts/99-test-webproxy 
@@ -1,22 +1,28 @@ #!/command/with-contenv bash #shellcheck shell=bash -APPNAME="$(hostname)/test-proxy-init" -echo "[$APPNAME][$(date)] Final test of nginx before deployment" +# shellcheck disable=SC1091 +source /scripts/common +# shellcheck disable=SC2154 +"${s6wrap[@]}" echo "Final test of nginx before deployment" # now test the nginx configuration if ! /usr/sbin/nginx -g 'daemon off;' -t -q then # nginx config problem. Complain and stop the container: - echo "--------------------------------------------------" - echo "| STOP ! NGINX configuration problem |" - echo "| This is probably caused by a mal-formed |" - echo "| locations.conf file or by syntax errors in the |" - echo "| definition of REVPROXY or REDIRECT in your |" - echo "| docker-compose.yml file. Go check and fix them!|" - echo "--------------------------------------------------" + "${s6wrap[@]}" echo "--------------------------------------------------" + "${s6wrap[@]}" echo "| STOP ! NGINX configuration problem |" + "${s6wrap[@]}" echo "| This is probably caused by a mal-formed |" + "${s6wrap[@]}" echo "| locations.conf file or by syntax errors in the |" + "${s6wrap[@]}" echo "| definition of REVPROXY or REDIRECT in your |" + "${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix them!|" + "${s6wrap[@]}" echo "--------------------------------------------------" - [[ -z "$DEBUG" ]] && exit 1 || sleep infinity + if [[ -z "$DEBUG" ]]; then + exit 1 + else + exec sleep infinity + fi fi exit 0 diff --git a/rootfs/etc/s6-overlay/scripts/block-ips b/rootfs/etc/s6-overlay/scripts/block-ips index 77d6a8b..6839e37 100755 --- a/rootfs/etc/s6-overlay/scripts/block-ips +++ b/rootfs/etc/s6-overlay/scripts/block-ips 
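Review bot: When `/usr/sbin/nginx -g 'daemon off;' -t -q` fails, the banner lines are routed through `"${s6wrap[@]}"` but nginx's own diagnostic — the line naming the offending file and directive — is emitted by the test command outside the wrapper, so the one message an operator needs in order to follow the "Go check and fix them!" advice is the only one without the common log prefix, and depending on how s6wrap handles the script's stderr it may not be visible next to the banner at all. Running the test under the wrapper keeps them together: `if ! "${s6wrap[@]}" /usr/sbin/nginx -g 'daemon off;' -t -q`. In the DEBUG branch, `exec sleep infinity` deliberately keeps a container with a broken config alive; a line such as `"${s6wrap[@]}" echo "DEBUG is set: container kept running for inspection despite the nginx config error"` before the exec would make that state obvious in `docker logs`.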
@@ -1,7 +1,9 @@ #!/command/with-contenv bash -#shellcheck shell=bash disable=SC2145 +#shellcheck shell=bash disable=SC2145,SC2154 + +# shellcheck disable=SC1091 +source /scripts/common -APPNAME="$(hostname)/block-ips" SLEEPTIME=60 # check if the IPTABLES_BLOCK is disabled and if so, stop execution of this service: @@ -9,17 +11,17 @@ IPTABLES_BLOCK="${IPTABLES_BLOCK,,}" IPTABLES_BLOCK="${IPTABLES_BLOCK:0:3}" if [[ "$IPTABLES_BLOCK" != "ena" ]] && [[ "$IPTABLES_BLOCK" != "on" ]] then - echo "[$APPNAME][$(date)] Bot blocking is disabled" + "${s6wrap[@]}" echo "Bot blocking is disabled" sleep infinity fi if [[ -z "$BLOCKBOT" ]] then - echo "[$APPNAME][$(date)] Bot blocking is disabled" + "${s6wrap[@]}" echo "Bot blocking is disabled" sleep infinity fi -echo "[$APPNAME][$(date)] Started as an s6 service" +"${s6wrap[@]}" echo "Started as an s6 service" while true do @@ -47,7 +49,7 @@ do then while read -ra line do - if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! grep -f /run/nginx/ip-allowlist >/dev/null 2>&1 <<< "${line[0]}" && ! iptables -C INPUT -s ${line[0]} -j DROP >/dev/null 2>&1 + if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! grep -f /run/nginx/ip-allowlist >/dev/null 2>&1 <<< "${line[0]}" && ! iptables -C INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 then iptables -I INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 blocktable+=("${line[0]}") 
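Review bot: Both disabled paths in the `@@ -9,17 +11,17 @@` hunk log the identical `Bot blocking is disabled`, so the container log cannot tell an operator whether `IPTABLES_BLOCK` was not enabled or `BLOCKBOT` was left empty — the second case is the surprising one, since the feature is explicitly switched on yet the service idles forever. Distinguishing the two costs a few words each: `"${s6wrap[@]}" echo "Bot blocking is disabled (IPTABLES_BLOCK is not enabled)"` and `"${s6wrap[@]}" echo "Bot blocking is disabled (BLOCKBOT is empty)"`.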
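Review bot: The allowlist test on the changed condition in the `@@ -47,7 +49,7 @@` hunk, `grep -f /run/nginx/ip-allowlist <<< "${line[0]}"`, treats every allowlist line as an unanchored basic regex: an entry `10.0.0.1` also matches `10.0.0.10` and `110.0.0.1`, each `.` matches any character, and a blank line in the allowlist is the empty pattern, which matches every address and would quietly allowlist everything. If the file is meant to hold exact addresses, `grep -Fxf /run/nginx/ip-allowlist <<< "${line[0]}"` makes the match literal and whole-line; if prefixes or patterns are intended, that deserves a comment at the top of the allowlist and a guard against empty lines. The same construct appears again in the `@@ -71,14 +73,14 @@` hunk. The enclosing `while read -ra line` loop begins before this hunk and continues past it.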
@@ -58,7 +60,7 @@ do # Notify the logs of any additions to the blocklist: if (( ${#blocktable[@]} > 0 )) then - echo "[$APPNAME][$(date)] These ${#blocktable[@]} IP(s) have been added to the iptables Block List: ${blocktable[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." + "${s6wrap[@]}" echo "These ${#blocktable[@]} IP(s) have been added to the iptables Block List: ${blocktable[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." fi # Go through the blocklist and determine if any entries have timed out: @@ -71,14 +73,14 @@ do if [[ -n "${line[2]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && (( line[2] > 0 )) && (( line[2] + IPJAILTIME < $(date +%s) )) || grep -f /run/nginx/ip-allowlist >/dev/null 2>&1 <<< "${line[0]}" then sed -i '/^'"${line[0]}"'/d' /run/nginx/ip-blocklist - iptables -D INPUT -s ${line[0]} -j DROP >/dev/null 2>&1 + iptables -D INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 deletes+=("${line[0]}") fi done < /tmp/ip-blocklist rm -f /tmp/ip-blocklist if [[ "${#deletes[*]}" -gt 0 ]] then - echo "[$APPNAME][$(date)] These ${#deletes[@]} IP(s) have timed out and have been removed from the Block List: ${deletes[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." + "${s6wrap[@]}" echo "These ${#deletes[@]} IP(s) have timed out and have been removed from the Block List: ${deletes[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." fi fi diff --git a/rootfs/etc/s6-overlay/scripts/nginx-logrotate b/rootfs/etc/s6-overlay/scripts/nginx-logrotate index 394dbac..03e0cb3 100755 --- a/rootfs/etc/s6-overlay/scripts/nginx-logrotate +++ b/rootfs/etc/s6-overlay/scripts/nginx-logrotate 
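Review bot: `sed -i '/^'"${line[0]}"'/d' /run/nginx/ip-blocklist` in the `@@ -71,14 +73,14 @@` hunk interpolates the address into a basic regex with only a start anchor, so expiring `10.0.0.1` also deletes the blocklist entries for `10.0.0.10` through `10.0.0.19` (and `.` matches any character), while the `iptables -D` on the next line removes only the one rule — the file and the live ruleset then appear to disagree about which addresses are still blocked. Escaping the dots and anchoring on the field separator confines the deletion to the expired entry: `sed -i "/^${line[0]//./\\.}\([[:space:]]\|$\)/d" /run/nginx/ip-blocklist` (the `\|` alternation is a GNU sed extension). The surrounding `while read -ra line` loop starts before this hunk.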
@@ -1,7 +1,7 @@ #!/command/with-contenv bash -#shellcheck shell=bash +#shellcheck shell=bash disable=SC2154,SC1091 -APPNAME="$(hostname)/nginx-logrotate" +source /scripts/common if [[ -z "$LOGROTATE_INTERVAL" ]] then @@ -13,7 +13,7 @@ then LOGROTATE_MAXBACKUPS=24 fi -echo "[$APPNAME][$(date)] Started as an s6 service; nginx logs are rotated every $LOGROTATE_INTERVAL seconds; up to $LOGROTATE_MAXBACKUPS are kept." +"${s6wrap[@]}" echo "Started as an s6 service; nginx logs are rotated every $LOGROTATE_INTERVAL seconds; up to $LOGROTATE_MAXBACKUPS are kept." # Sleep for 30 seconds to allow nginx to start and be fully up and running. # After that, send USR1 signal to nginx so it updates the file ownership and permissions for the log files @@ -22,7 +22,7 @@ echo "[$APPNAME][$(date)] Started as an s6 service; nginx logs are rotated every while true do - sleep $LOGROTATE_INTERVAL + sleep "$LOGROTATE_INTERVAL" if [[ -f /var/log/nginx/access.log ]] then @@ -32,7 +32,7 @@ do mv -f /var/log/nginx/access.log.$((count-1)) /var/log/nginx/access.log.$count >/dev/null 2>&1 done mv -f /var/log/nginx/access.log /var/log/nginx/access.log.0 - echo "[$APPNAME][$(date)] nginx access logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." + "${s6wrap[@]}" echo "nginx access logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." fi if [[ -f /var/log/nginx/error.log ]] @@ -43,7 +43,7 @@ do mv -f /var/log/nginx/error.log.$((count-1)) /var/log/nginx/error.log.$count >/dev/null 2>&1 done mv -f /var/log/nginx/error.log /var/log/nginx/error.log.0 - echo "[$APPNAME][$(date)] nginx error logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." + "${s6wrap[@]}" echo "nginx error logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." fi kill -USR1 "$(
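Review bot: `sleep "$LOGROTATE_INTERVAL"` in the `@@ -22,7 +22,7 @@` hunk now quotes the value, but nothing validates that the environment-supplied interval is a usable duration; the default in the `@@ -1,7 +1,7 @@` hunk is applied only when the variable is empty, so a value such as `abc` or `-1` makes `sleep` fail instantly and the `while true` loop rotates the logs on every iteration without pause. Failing on a rejected sleep stops the spin and surfaces the misconfiguration: `sleep "$LOGROTATE_INTERVAL" || { "${s6wrap[@]}" echo "LOGROTATE_INTERVAL is not a valid number of seconds: $LOGROTATE_INTERVAL"; exit 1; }`. The loop body continues past this hunk.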