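#!/bin/ash
# shellcheck shell=dash
#
# Container entrypoint for the NGINX image.
#
# Reads its configuration from the environment (every option is
# case-insensitive and falls back to the default shown in brackets),
# validates it, renders /etc/nginx/templates into /etc/nginx, prepares the
# TLS material for the selected TLS mode and finally exec()s the command
# given as arguments (normally nginx).
#
#   DEBUG [false]                  print the effective configuration
#   REDIRECT_TYPE [http]           http | https
#   ROOT_DOMAIN [the.gate]         vHost name; must look like a domain name
#   ROOT_DOMAIN_PATH [""]          path appended to the host in messages
#   NGINX_ACCESS_LOG [false]       true | false
#   NGINX_ERROR_LOG [false]        true | false
#   NGINX_ERROR_LOG_LEVEL [warn]   debug|info|notice|warn|error|crit|alert|emerg
#   TLS [self]                     self | letsencrypt | mount
#   CERTBOT_EMAIL                  required when TLS=letsencrypt
#   CF_IP_CORRECTION [false]       trust Cloudflare ranges as real_ip sources
#   CF_STRICT [false]              enable the strict Cloudflare TLS block
#   OCSP_STAPLING [false]          true | false
#   SEVER_HASH_BUCKET_SIZE_OVERRIDE [false]  true | false
#
# Exits with status 1 on any invalid option or failed download; set -e
# aborts on every other unexpected command failure.
set -e

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print $1 folded to lower case (no trailing newline). printf is used
# instead of echo so values such as "-n" or "-e" are not misread as flags.
#######################################
lower() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

#######################################
# Abort unless $2 is exactly "true" or "false".
# Arguments: $1 - option name used in the error message, $2 - its value
#######################################
require_bool() {
  case "$2" in
    true|false) ;;
    *) die "[!] Invalid option for $1, expected \"true\" or \"false\"" ;;
  esac
}

#######################################
# Download a Cloudflare IP range list and print it as nginx
# "set_real_ip_from <range>;" directives joined with a literal "\n", ready
# to be spliced into nginx.conf by sed (which turns "\n" into a newline).
# Arguments: $1 - list URL, $2 - human readable name for messages
# Exits:     1 if the download fails, the list is empty, or any line is not
#            a bare IP/CIDR — so an error page or a tampered response can
#            never be written into nginx.conf, and an empty trust list
#            cannot silently disable the correction.
#######################################
fetch_cf_ranges() {
  # -f makes HTTP errors a non-zero exit instead of an HTML body on stdout
  ranges=$(curl -fsS "$1") || die "[!] Failed to download $2 from $1"
  ranges=$(printf '%s' "$ranges" | tr -d '\r')
  [ -n "$ranges" ] || die "[!] Downloaded $2 from $1 is empty"
  directives=""
  # shellcheck disable=SC2086 -- splitting the list on whitespace is intended
  for range in $ranges; do
    # Only address characters and a prefix length may pass; this also rules
    # out the sed delimiter "," and any "&"/"\" that sed would interpret
    if ! printf '%s\n' "$range" | grep -Eq '^[0-9a-fA-F.:]+(/[0-9]{1,3})?$'; then
      die "[!] Unexpected entry \"$range\" in $2, refusing to write it to nginx.conf"
    fi
    directives="$directives set_real_ip_from $range;\n"
  done
  printf '%s' "$directives"
}

# Input defaults, folded to lower case
DEBUG=$(lower "${DEBUG:-false}")
REDIRECT_TYPE=$(lower "${REDIRECT_TYPE:-http}")
ROOT_DOMAIN=$(lower "${ROOT_DOMAIN:-the.gate}")
ROOT_DOMAIN_PATH=${ROOT_DOMAIN_PATH:-""}
NGINX_ACCESS_LOG=$(lower "${NGINX_ACCESS_LOG:-false}")
NGINX_ERROR_LOG=$(lower "${NGINX_ERROR_LOG:-false}")
NGINX_ERROR_LOG_LEVEL=$(lower "${NGINX_ERROR_LOG_LEVEL:-warn}")
TLS=$(lower "${TLS:-self}")
CF_IP_CORRECTION=$(lower "${CF_IP_CORRECTION:-false}")
CF_STRICT=$(lower "${CF_STRICT:-false}")
OCSP_STAPLING=$(lower "${OCSP_STAPLING:-false}")
SEVER_HASH_BUCKET_SIZE_OVERRIDE=$(lower "${SEVER_HASH_BUCKET_SIZE_OVERRIDE:-false}")

# Input validation. Every value that is later interpolated into a sed
# expression (ROOT_DOMAIN, NGINX_ERROR_LOG_LEVEL) is restricted to a safe
# character set or a fixed list here.
require_bool DEBUG "$DEBUG"
if ! printf '%s\n' "$ROOT_DOMAIN" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9]+)+$'; then
  die "[!] Invalid option for ROOT_DOMAIN, invalid domain name used"
fi
require_bool NGINX_ACCESS_LOG "$NGINX_ACCESS_LOG"
require_bool NGINX_ERROR_LOG "$NGINX_ERROR_LOG"
case "$NGINX_ERROR_LOG_LEVEL" in
  debug|info|notice|warn|error|crit|alert|emerg) ;;
  *) die "[!] Invalid option for NGINX_ERROR_LOG_LEVEL, expected \"debug\", \"info\", \"notice\", \"warn\", \"error\", \"crit\", \"alert\", or \"emerg\"" ;;
esac
require_bool SEVER_HASH_BUCKET_SIZE_OVERRIDE "$SEVER_HASH_BUCKET_SIZE_OVERRIDE"
case "$REDIRECT_TYPE" in
  http|https) ;;
  *) die "[!] Invalid option for REDIRECT_TYPE, expected \"http\" or \"https\"" ;;
esac
case "$TLS" in
  self|letsencrypt|mount) ;;
  *) die "[!] Invalid option for TLS, expected \"self\", \"letsencrypt\", \"mount\"" ;;
esac
if [ "$TLS" = "letsencrypt" ]; then
  if [ -z "$CERTBOT_EMAIL" ]; then
    die "[!] CERTBOT_EMAIL not set for Let's Encrypt certificates"
  elif ! printf '%s\n' "$CERTBOT_EMAIL" | grep -Eq '^.+@.+\..+$'; then
    die "[!] Invalid option for CERTBOT_EMAIL, invalid eMail address used"
  fi
fi
require_bool CF_IP_CORRECTION "$CF_IP_CORRECTION"
require_bool CF_STRICT "$CF_STRICT"
require_bool OCSP_STAPLING "$OCSP_STAPLING"

if [ "$DEBUG" = "true" ]; then
  echo "=== DEBUG ====================================================="
  echo "REDIRECT_TYPE » $REDIRECT_TYPE"
  echo "ROOT_DOMAIN » $ROOT_DOMAIN"
  echo "ROOT_DOMAIN_PATH » $ROOT_DOMAIN_PATH"
  echo "NGINX_ACCESS_LOG » $NGINX_ACCESS_LOG"
  echo "NGINX_ERROR_LOG » $NGINX_ERROR_LOG"
  echo "NGINX_ERROR_LOG_LEVEL » $NGINX_ERROR_LOG_LEVEL"
  echo "SEVER_HASH_BUCKET_SIZE_OVERRIDE » $SEVER_HASH_BUCKET_SIZE_OVERRIDE"
  echo "TLS » $TLS"
  if [ -n "$CERTBOT_EMAIL" ]; then
    echo "CERTBOT_EMAIL » $CERTBOT_EMAIL"
  fi
  echo "CF_IP_CORRECTION » $CF_IP_CORRECTION"
  echo "CF_STRICT » $CF_STRICT"
  echo "OCSP_STAPLING » $OCSP_STAPLING"
  echo "==============================================================="
fi

# Make the normalised values visible to the processes started below
if [ -n "$REDIRECT_TYPE" ]; then
  export REDIRECT_TYPE
fi
if [ -n "$ROOT_DOMAIN_PATH" ]; then
  export ROOT_DOMAIN_PATH
fi

# Delete all files in sites-available and sites-enabled in case this isn't a fresh instance
rm -rf /etc/nginx/sites-available/* 2> /dev/null || true
rm -rf /etc/nginx/sites-enabled/* 2> /dev/null || true
# Copy (while overwriting files) from /etc/nginx/templates into /etc/nginx/
cp -rf /etc/nginx/templates/* /etc/nginx
echo "[-] Using \"$REDIRECT_TYPE://$ROOT_DOMAIN$ROOT_DOMAIN_PATH\" as host"

# Setup Cloudflare IP correction. The ranges become the set of proxies
# whose CF-Connecting-IP header nginx will trust, so the lists are
# validated by fetch_cf_ranges before they touch nginx.conf.
if [ "$CF_IP_CORRECTION" = "false" ]; then
  echo "[-] Skipping Cloudflare IP correction"
else
  echo "[-] Enabling Cloudflare IP correction"
  CF_IPV4=$(fetch_cf_ranges https://www.cloudflare.com/ips-v4 "Cloudflare IPv4 ranges")
  sed -i "s,#{{CF_IPV4}},$CF_IPV4,g" /etc/nginx/nginx.conf
  CF_IPV6=$(fetch_cf_ranges https://www.cloudflare.com/ips-v6 "Cloudflare IPv6 ranges")
  sed -i "s,#{{CF_IPV6}},$CF_IPV6,g" /etc/nginx/nginx.conf
  sed -i "s/#{{CF_IP}}/real_ip_header CF-Connecting-IP;/g" /etc/nginx/nginx.conf
fi

# Rename the ROOT_DOMAIN template to the actual domain
if [ -f /etc/nginx/sites-available/ROOT_DOMAIN ]; then
  mv /etc/nginx/sites-available/ROOT_DOMAIN "/etc/nginx/sites-available/$ROOT_DOMAIN"
fi

# Setup the logging options in nginx.conf
echo "[-] Configuring logging settings..."
if [ "$NGINX_ACCESS_LOG" = "true" ]; then
  sed -i "s/access_log off; #/access_log/g" "/etc/nginx/nginx.conf"
fi
if [ "$NGINX_ERROR_LOG" = "true" ]; then
  sed -i "s/error_log \/dev\/null; #/error_log/g" "/etc/nginx/nginx.conf"
fi
# Safe to interpolate: the level was restricted to a fixed word list above
sed -i "s/{{NGINX_ERROR_LOG_LEVEL}}/$NGINX_ERROR_LOG_LEVEL/g" "/etc/nginx/nginx.conf"

# Toggle server_names_hash_bucket_size override
if [ "$SEVER_HASH_BUCKET_SIZE_OVERRIDE" = "true" ]; then
  echo "[-] Enabling server_names_hash_bucket_size override..."
  sed -i "s/#{{SERVER_NAME_HASH_BUCKET_SIZE}}/server_names_hash_bucket_size 64;/g" "/etc/nginx/nginx.conf"
fi

# Enable all modules currently in modules
echo "[-] Enabling all modules in /etc/nginx/modules directory..."
for file in /etc/nginx/modules/*; do
  # An unmatched glob stays literal in ash; skip it instead of linking "*"
  [ -e "$file" ] || continue
  ln -sf "$file" "/etc/nginx/modules-enabled/"
done

# Replace variables in the files in the `/etc/nginx/sites-available/` directory
echo "[-] Replacing variables in vHost files..."
for file in /etc/nginx/sites-available/*; do
  [ -e "$file" ] || continue
  # Safe to interpolate: ROOT_DOMAIN was restricted to [a-z0-9.-] above
  sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file"
  # TODO: Bind to IPv4 interface if it's available
  # Bind to IPv6 interface if it's available (a missing `ip` tool just
  # leaves IPv6 disabled rather than printing an error)
  if [ -n "$(ip -6 addr 2> /dev/null)" ]; then
    sed -i "s/#{{IPV6}} //g" "$file"
  fi
  if [ "$file" = "/etc/nginx/sites-available/$ROOT_DOMAIN" ]; then
    # Strict TLS settings for Cloudflare
    if [ "$CF_STRICT" = "false" ]; then
      echo "[-] Skipping strict Cloudflare TLS"
    else
      echo "[-] Enabling strict Cloudflare TLS"
      sed -i "s/#CF_STRICT //g" "$file"
      # -f turns HTTP errors into a failure instead of saving an error page as the CA
      curl -fsSL https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem -o /etc/nginx/certs/origin-pull-ca.pem \
        || die "[!] Failed to download the Cloudflare origin pull CA certificate"
      # Refuse anything that does not parse as a certificate before nginx trusts it
      openssl x509 -noout -in /etc/nginx/certs/origin-pull-ca.pem > /dev/null 2>&1 \
        || die "[!] Downloaded Cloudflare origin pull CA is not a valid PEM certificate"
      chmod 644 /etc/nginx/certs/origin-pull-ca.pem
    fi
    # Use Let's Encrypt TLS certificates
    if [ "$TLS" = "letsencrypt" ]; then
      echo "[-] Using Let's Encrypt for TLS certificates"
      echo "[-] Running certbot to get TLS certificates for $ROOT_DOMAIN"
      # nginx has to be running so certbot's webroot challenge files are served
      nginx
      if ! certbot certonly -n --agree-tos --no-eff-email --email "$CERTBOT_EMAIL" --webroot --webroot-path /var/www/themes/default -d "$ROOT_DOMAIN" --post-hook "nginx -s reload"; then
        # Don't leave the temporary nginx running behind a failed run
        nginx -s stop
        die "[!] certbot failed to obtain TLS certificates for $ROOT_DOMAIN"
      fi
      nginx -s stop
      sed -i "s/#{{LETSENCRYPT}} //g" "$file"
    fi
    # Use self signed TLS certificates
    if [ "$TLS" = "self" ]; then
      echo "[-] Using self signed TLS certificates"
      sed -i "s/#{{SELF}} //g" "$file"
    fi
    # Use mounted TLS certificates
    if [ "$TLS" = "mount" ]; then
      echo "[-] Expecting Docker mounts for TLS. Map your certificates to the following locations:"
      echo "/etc/nginx/certs/fullchain.pem"
      echo "/etc/nginx/certs/private/privkey.pem"
      echo "/etc/nginx/certs/chain.pem"
      sed -i "s/#{{MOUNT}} //g" "$file"
    fi
    # OCSP Stapling
    if [ "$OCSP_STAPLING" = "false" ]; then
      echo "[-] Skipping OCSP Stapling"
    else
      echo "[-] Enabling OCSP Stapling"
      sed -i "s/#{{OCSP_STAPLING}} //g" "$file"
    fi
  fi
done

# Generate snakeoil certs for domains found in hijacked domains (Up to 8 sections for the domain).
# libfaketime pins the clock to the given FAKETIME value so the certificate's
# validity period starts there and runs for 36500 days.
LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 FAKETIME="@1969-12-31 23:59:59" openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/certs/private/snakeoil.key -out /etc/nginx/certs/snakeoil.crt -days 36500 -subj '/CN=*/CN=*.*/CN=*.*.*/CN=*.*.*.*/CN=*.*.*.*.*/CN=*.*.*.*.*.*/CN=*.*.*.*.*.*.*/CN=*.*.*.*.*.*.*.*' > /dev/null 2>&1
chmod 644 /etc/nginx/certs/snakeoil.crt
# The private key is not world-readable
chmod 640 /etc/nginx/certs/private/snakeoil.key

# Enable all vHosts in site-available
echo "[-] Enabling all vHosts in /etc/nginx/sites-available directory..."
for file in /etc/nginx/sites-available/*; do
  [ -e "$file" ] || continue
  ln -sf "$file" "/etc/nginx/sites-enabled/"
done

# Make network test files if they don't exist, fails silently
mkdir -p /var/www/ps-net-tests || true
if [ ! -f /var/www/ps-net-tests/get_2m ] || [ ! -f /var/www/ps-net-tests/get_6m ]; then
  echo "[-] Generating binary files for network tests..."
  truncate -s 2M /var/www/ps-net-tests/get_2m || true
  truncate -s 6M /var/www/ps-net-tests/get_6m || true
fi

# Move system update meta files if they don't exist in the correct location, fails silently
mkdir -p /var/www/ps-sys-updates || true
if [ -z "$(ls -A /var/www/ps-sys-updates)" ]; then
  cp -r /srv/ps-sys-updates /var/www || true
fi

# Make PUP file directory if it doesn't exist, fails silently
mkdir -p /var/www/PUPs || true
if [ -z "$(ls -A /var/www/PUPs)" ]; then
  cp -r /srv/PUPs /var/www || true
fi

echo "[-] Starting NGINX..."
exec "$@"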