diff --git a/Dockerfile b/Dockerfile
index b7656eb..ee7230c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,9 +13,11 @@ ARG NGINX_PROXY_MANAGER_VERSION=2.12.1
 ARG NGINX_HTTP_GEOIP2_MODULE_VERSION=3.3
 ARG LIBMAXMINDDB_VERSION=1.5.0
 ARG BCRYPT_TOOL_VERSION=1.1.2
+ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.5
 
 # Define software download URLs.
 ARG OPENRESTY_URL=https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL=https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz
 ARG NGINX_PROXY_MANAGER_URL=https://github.com/jc21/nginx-proxy-manager/archive/v${NGINX_PROXY_MANAGER_VERSION}.tar.gz
 ARG NGINX_HTTP_GEOIP2_MODULE_URL=https://github.com/leev/ngx_http_geoip2_module/archive/${NGINX_HTTP_GEOIP2_MODULE_VERSION}.tar.gz
 ARG LIBMAXMINDDB_URL=https://github.com/maxmind/libmaxminddb/releases/download/${LIBMAXMINDDB_VERSION}/libmaxminddb-${LIBMAXMINDDB_VERSION}.tar.gz
@@ -78,6 +80,14 @@ RUN \
 find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.exe" -delete && \
 find /tmp/certbot-install/usr/lib/python3.10/site-packages -type d -name tests -print0 | xargs -0 rm -r
 
+# Build cs-openresty-boucner.
+FROM alpine:3.16 AS cs-openresty-bouncer
+ARG TARGETPLATFORM
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL
+COPY --from=xx / /
+COPY src/cs-openresty-bouncer /build
+RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
+
 # Pull base image.
 FROM jlesage/baseimage:alpine-3.16-v3.6.4
 
@@ -117,6 +127,7 @@ COPY --from=nginx /tmp/openresty-install/ /
 COPY --from=npm /tmp/nginx-proxy-manager-install/ /
 COPY --from=bcrypt-tool /tmp/go/bin/bcrypt-tool /usr/bin/
 COPY --from=certbot /tmp/certbot-install/ /
+COPY --from=cs-openresty-bouncer /tmp/crowdsec-openresty-bouncer-install/ /
 
 # Set internal environment variables.
 RUN \
diff --git a/README.md b/README.md
index f32ed5e..5067df9 100644
--- a/README.md
+++ b/README.md
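Review bot: `ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.5` disagrees with the README table added in this same commit, which lists `0.1.10 (PreRelease)` as the bouncer version for the latest tag; one of the two is stale and should be reconciled before the tag is published. The URL built from this ARG is consumed by `src/cs-openresty-bouncer/build.sh` as a bare `curl | tar` with no digest check, so the version pin alone does not make the build reproducible or tamper-evident. Consider adding a companion `ARG CROWDSEC_OPENRESTY_BOUNCER_SHA256=<sha256-of-release-tarball>` next to the version and passing it into the build stage so the archive can be verified before extraction, as is the usual practice for the other download URLs in this file.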
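Review bot: The new stage comment `# Build cs-openresty-boucner.` misspells the component; it should read `# Build cs-openresty-bouncer.` to match the stage name on the next line. `ARG TARGETPLATFORM` is declared in this stage but, as far as the build script added in this commit shows, `build.sh` never reads it; if the cross-build helper pulled in by `COPY --from=xx / /` (the `xx` stage is defined outside this hunk) is meant to drive an architecture-specific install, wire the ARG through, otherwise drop it so the stage does not advertise a platform awareness it lacks. A short comment such as `# Runs as root; downloads and installs the bouncer release into /tmp/crowdsec-openresty-bouncer-install` above the `RUN` line would also tell the reader what the later `COPY --from=cs-openresty-bouncer` picks up.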
@@ -1,3 +1,39 @@
+## Note
+
+This is a drop in replacement for [jlesage/nginx-proxy-manager](https://hub.docker.com/r/jlesage/nginx-proxy-manager)
+
+This fork includes the [OpenResty Crowdsec Bouncer](https://github.com/crowdsecurity/cs-openresty-bouncer)
+
+Please see the [crowdsec_support](https://github.com/LePresidente/docker-nginx-proxy-manager/tree/crowdsec_support) branch for the changes as
+
+Docker images hosted on dockerhub.
+
+https://hub.docker.com/r/lepresidente/nginx-proxy-manager
+
+| TAG | cs-openresty-bouncer version|
+|-----------|-----------------------------|
+| latest | 0.1.10 (PreRelease) |
+
+
+Instructions to use:
+Starting the container at this point will start Nginx-Proxy-Manager as before but will create a new file in /config/crowdsec/ called crowdsec-openresty-bouncer.conf
+
+You will need to edit this file with at least the following changes then restart the container.
+
+```
+ENABLED=true
+API_URL=http://:8080
+API_KEY=
+```
+
+the crowdsec api key can be generated on the crowdsec instance using the following command
+
+```
+cscli bouncers add npm-proxy
+```
+
+Currently this is a side project and I will try keep this up to date
+
 # Docker container for Nginx Proxy Manager
 
 [![Release](https://img.shields.io/github/release/jlesage/docker-nginx-proxy-manager.svg?logo=github&style=for-the-badge)](https://github.com/jlesage/docker-nginx-proxy-manager/releases/latest) [![Docker Image Size](https://img.shields.io/docker/image-size/jlesage/nginx-proxy-manager/latest?logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/nginx-proxy-manager/tags)
diff --git a/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh b/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh
new file mode 100755
index 0000000..3500598
--- /dev/null
+++ b/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+set_properties() {
+ sed -i "s,^$1=.*,$1=$2,g" "${3}"
+}
+
+echo "Deploy Crowdsec Openresty Bouncer.."
+if [ -n "${CROWDSEC_OPENRESTY_BOUNCER}" ]; then
+ while IFS= read -r line
+ do
+ if ! [[ "$line" != "^#" ]] || [[ "$line" != "^\n" ]]; then
+ name=$(echo "$line" | cut -d "=" -f1)
+ value=$(echo "$line" | cut -d "=" -f2)
+ if grep -q "${name}" /defaults/crowdsec/crowdsec-openresty-bouncer.conf ; then
+ set_properties "${name}" "${value}" "/defaults/crowdsec/crowdsec-openresty-bouncer.conf"
+ fi
+ fi
+ done <<< "${CROWDSEC_OPENRESTY_BOUNCER}"
+else
+ mkdir -p /config/crowdsec/templates
+ sed -i 's|/defaults/crowdsec|/config/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+
+ if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+ echo "Patch crowdsec-openresty-bouncer.conf .."
+ sed "s/=.*//g" /config/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
+ sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
+ if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
+ grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
+ cp /config/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf.bak
+ grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /config/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+ else
+ echo "Deploy new crowdsec-openresty-bouncer.conf .."
+ cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+ #Make sure the config location is where we get the config from instead of /default/
+ sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
+fi
+
+
+#Make sure we only copy files that don't exist in /data/crowdsec.
+if [ -d "/data/crowdsec/templates" ]; then
+ echo "Deploy Crowdsec Templates .."
+ cd /defaults/crowdsec/templates/
+ for file in *.html
+ do
+ if [ ! -e "/config/crowdsec/templates/${file}" ]
+ then
+ cp -r "/defaults/crowdsec/templates/${file}" "/config/crowdsec/templates/"
+ fi
+ done
+fi
\ No newline at end of file
diff --git a/src/cs-openresty-bouncer/build.sh b/src/cs-openresty-bouncer/build.sh
new file mode 100755
index 0000000..d4a7d95
--- /dev/null
+++ b/src/cs-openresty-bouncer/build.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+log() {
+ echo ">>> $*"
+}
+
+CROWDSEC_OPENRESTY_BOUNCER_URL="${1:-}"
+
+ROOTFS=/tmp/crowdsec-openresty-bouncer-install
+
+if [ -z "$CROWDSEC_OPENRESTY_BOUNCER_URL" ]; then
+ log "ERROR: bcrypt tool version missing."
+ exit 1
+fi
+
+#
+# Install required packages.
+#
+
+apk --no-cache add \
+ build-base \
+ gettext \
+ curl \
+ bash \
+
+#
+# Build.
+#
+
+log "Downloading Crowdsec Openresty Bouncer package..."
+mkdir /tmp/crowdsec-openresty-bouncer
+curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz --strip 1 -C /tmp/crowdsec-openresty-bouncer
+log "Deploy Crowdsec Openresty Bouncer..."
+cd /tmp/crowdsec-openresty-bouncer
+bash ./install.sh --NGINX_CONF_DIR=${ROOTFS}/etc/nginx/conf.d --LIB_PATH=${ROOTFS}/var/lib/nginx/lualib --CONFIG_PATH=${ROOTFS}/defaults/crowdsec/ --DATA_PATH=${ROOTFS}/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker
+sed -i 's|/tmp/crowdsec-openresty-bouncer-install||g' ${ROOTFS}/etc/nginx/conf.d/crowdsec_openresty.conf
+sed -i 's|ENABLED=.*|ENABLED=false|' ${ROOTFS}/defaults/crowdsec/crowdsec-openresty-bouncer.conf
diff --git a/src/openresty/build.sh b/src/openresty/build.sh
index 155806f..4fa5463 100755
--- a/src/openresty/build.sh
+++ b/src/openresty/build.sh
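Review bot: The comment/blank-line filter `if ! [[ "$line" != "^#" ]] || [[ "$line" != "^\n" ]]; then` never does what it intends: `!=` is a literal string comparison, so the right-hand side is true for every line that is not exactly `^\n`, and every line of `CROWDSEC_OPENRESTY_BOUNCER` — comments and empty lines included — falls through to `cut`, to an unanchored `grep -q "${name}"` (which matches everything when `name` is empty) and to the `sed` in `set_properties`. Replace it with a regex plus emptiness test, e.g. `if [[ -n "$line" ]] && ! [[ "$line" =~ ^[[:space:]]*# ]]; then`, and change the value extraction to `value=$(echo "$line" | cut -d "=" -f2-)` so a value containing `=` is not truncated. Separately, the `else` branch tests `/data/crowdsec/crowdsec-openresty-bouncer.conf` and finally runs `sed -i` on that same `/data` path, while everything it writes goes to `/config/crowdsec/`; unless `/data` is a link to `/config` elsewhere in the image, the first start takes the "Deploy new" path and then aborts under `set -e` at that last `sed -i`, and the templates block at the end of the file has the same `/data` check against `/config` copies. `set_properties` also splices `$2` into the `sed` replacement unescaped, so an API key or URL containing `,` or `&` would corrupt the file rather than be stored.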
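Review bot: The guard message `log "ERROR: bcrypt tool version missing."` was carried over from another build script and does not describe this check; it should read `log "ERROR: Crowdsec OpenResty Bouncer URL missing."`. The line `curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz --strip 1 -C /tmp/crowdsec-openresty-bouncer` feeds the release archive straight into `install.sh` with no integrity check and no `--fail`, so an HTTP error body or a substituted artifact is only caught if tar happens to reject it; download to a file, compare it against a pinned digest passed in as a build argument (placeholder `<sha256-of-release-tarball>`) with `sha256sum -c`, and extract only after that succeeds, adding `set -o pipefail` if the pipe is kept. `--SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem` is only written into the generated config by this script; I cannot tell from the diff whether the final image ships that exact file, so confirm it exists there or point at the system CA bundle, since a missing file will make TLS verification of the bouncer's outbound calls fail at runtime. The trailing `bash \` before the blank line leaves a dangling continuation at the end of the `apk add` list and should lose its backslash.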
@@ -180,6 +180,9 @@ make -C /tmp/openresty -j$(nproc)
 log "Installing OpenResty..."
 make DESTDIR=/tmp/openresty-install -C /tmp/openresty install
 
+#Install lua-resty-http required for Crowdsec OpenResty Bouncer
+/tmp/openresty-install/var/lib/nginx/bin/opm --install-dir="/tmp/openresty-install/var/lib/nginx/site/" get pintsized/lua-resty-http
+
 rm -r \
 /tmp/openresty-install/etc/nginx/*.default \
 /tmp/openresty-install/var/lib/nginx/bin/opm \
@@ -189,5 +192,4 @@ rm -r \
 /tmp/openresty-install/var/lib/nginx/bin/md2pod.pl \
 /tmp/openresty-install/var/lib/nginx/pod \
 /tmp/openresty-install/var/lib/nginx/resty.index \
- /tmp/openresty-install/var/lib/nginx/site \
 /tmp/openresty-install/var/run \
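Review bot: `opm --install-dir=... get pintsized/lua-resty-http` takes whatever version the opm registry serves at build time, so the image is no longer reproducible from its pinned ARGs alone and an upstream release can silently change the HTTP client the bouncer runs on; pin it to a specific release (opm accepts a version constraint after the package name, if I recall its syntax correctly — confirm against `opm help`) and record that version in the comment above the line. The second hunk drops `var/lib/nginx/site` from the `rm -r` list so the freshly installed module survives, which is correct, but the reason is not stated anywhere; a comment next to the `rm -r` list such as `# var/lib/nginx/site now holds lua-resty-http for the CrowdSec bouncer; keep it` would stop a future cleanup from re-adding the entry. `opm` itself is still removed in the same list, which is fine for a runtime image but means the pinned version is the only one the container will ever have.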