Crowdsec Openresty Bouncer Support

Dockerfile

@@ -13,9 +13,11 @@ ARG NGINX_PROXY_MANAGER_VERSION=2.12.1
 ARG NGINX_HTTP_GEOIP2_MODULE_VERSION=3.3
 ARG LIBMAXMINDDB_VERSION=1.5.0
 ARG BCRYPT_TOOL_VERSION=1.1.2
+ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.5
 
 # Define software download URLs.
 ARG OPENRESTY_URL=https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL=https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz
 ARG NGINX_PROXY_MANAGER_URL=https://github.com/jc21/nginx-proxy-manager/archive/v${NGINX_PROXY_MANAGER_VERSION}.tar.gz
 ARG NGINX_HTTP_GEOIP2_MODULE_URL=https://github.com/leev/ngx_http_geoip2_module/archive/${NGINX_HTTP_GEOIP2_MODULE_VERSION}.tar.gz
 ARG LIBMAXMINDDB_URL=https://github.com/maxmind/libmaxminddb/releases/download/${LIBMAXMINDDB_VERSION}/libmaxminddb-${LIBMAXMINDDB_VERSION}.tar.gz
@@ -78,6 +80,14 @@ RUN \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.exe" -delete && \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type d -name tests -print0 | xargs -0 rm -r
 
+# Build cs-openresty-boucner.
+FROM alpine:3.16 AS cs-openresty-bouncer
+ARG TARGETPLATFORM
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL
+COPY --from=xx / /
+COPY src/cs-openresty-bouncer /build
+RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
+
 # Pull base image.
 FROM jlesage/baseimage:alpine-3.16-v3.6.4
 
@@ -117,6 +127,7 @@ COPY --from=nginx /tmp/openresty-install/ /
 COPY --from=npm /tmp/nginx-proxy-manager-install/ /
 COPY --from=bcrypt-tool /tmp/go/bin/bcrypt-tool /usr/bin/
 COPY --from=certbot /tmp/certbot-install/ /
+COPY --from=cs-openresty-bouncer /tmp/crowdsec-openresty-bouncer-install/ /
 
 # Set internal environment variables.
 RUN \

README.md

@@ -1,3 +1,39 @@
+## Note
+
+This is a drop in replacement for [jlesage/nginx-proxy-manager](https://hub.docker.com/r/jlesage/nginx-proxy-manager)
+
+This fork includes the [OpenResty Crowdsec Bouncer](https://github.com/crowdsecurity/cs-openresty-bouncer)
+
+Please see the [crowdsec_support](https://github.com/LePresidente/docker-nginx-proxy-manager/tree/crowdsec_support) branch for the changes as 
+
+Docker images hosted on dockerhub.
+
+https://hub.docker.com/r/lepresidente/nginx-proxy-manager
+
+| TAG       | cs-openresty-bouncer version|
+|-----------|-----------------------------|
+| latest    | 0.1.10 (PreRelease)          |
+
+
+Instructions to use:
+Starting the container at this point will start Nginx-Proxy-Manager as before but will create a new file in /config/crowdsec/ called crowdsec-openresty-bouncer.conf
+
+You will need to edit this file with at least the following changes then restart the container.
+
+```
+ENABLED=true
+API_URL=http://<crowdsecserver>:8080
+API_KEY=<APIKEY>
+```
+
+the crowdsec api key can be generated on the crowdsec instance using the following command 
+
+```
+cscli bouncers add npm-proxy
+```
+
+Currently this is a side project and I will try keep this up to date
+
 # Docker container for Nginx Proxy Manager
 [![Release](https://img.shields.io/github/release/jlesage/docker-nginx-proxy-manager.svg?logo=github&style=for-the-badge)](https://github.com/jlesage/docker-nginx-proxy-manager/releases/latest)
 [![Docker Image Size](https://img.shields.io/docker/image-size/jlesage/nginx-proxy-manager/latest?logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/nginx-proxy-manager/tags)

rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+set_properties() {
+  sed -i "s,^$1=.*,$1=$2,g" "${3}"
+}
+
+echo "Deploy Crowdsec Openresty Bouncer.." 
+if [ -n "${CROWDSEC_OPENRESTY_BOUNCER}" ]; then
+   while IFS= read -r line
+   do 
+      if ! [[ "$line" != "^#" ]] || [[ "$line" != "^\n" ]]; then
+        name=$(echo "$line" | cut -d "=" -f1)
+        value=$(echo "$line" | cut -d "=" -f2)
+        if grep -q "${name}" /defaults/crowdsec/crowdsec-openresty-bouncer.conf ; then
+          set_properties "${name}" "${value}" "/defaults/crowdsec/crowdsec-openresty-bouncer.conf"
+        fi
+      fi
+   done <<< "${CROWDSEC_OPENRESTY_BOUNCER}"
+else
+	mkdir -p /config/crowdsec/templates
+	sed -i 's|/defaults/crowdsec|/config/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+
+	if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+		echo "Patch crowdsec-openresty-bouncer.conf .." 
+		sed "s/=.*//g" /config/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
+		sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
+		if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
+			grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
+			cp /config/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf.bak
+			grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /config/crowdsec/crowdsec-openresty-bouncer.conf
+		fi
+	else
+		echo "Deploy new crowdsec-openresty-bouncer.conf .." 
+		cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf    
+	fi
+	#Make sure the config location is where we get the config from instead of /default/
+	sed -i 's|/defaults/crowdsec|/data/crowdsec|' /data/crowdsec/crowdsec-openresty-bouncer.conf
+fi
+
+
+#Make sure we only copy files that don't exist in /data/crowdsec.
+if [ -d "/data/crowdsec/templates" ]; then
+    echo "Deploy Crowdsec Templates .."
+    cd /defaults/crowdsec/templates/
+    for file in *.html
+    do
+        if [ ! -e "/config/crowdsec/templates/${file}" ]
+        then
+            cp -r "/defaults/crowdsec/templates/${file}" "/config/crowdsec/templates/"
+        fi
+    done
+fi

src/cs-openresty-bouncer/build.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+log() {
+    echo ">>> $*"
+}
+
+CROWDSEC_OPENRESTY_BOUNCER_URL="${1:-}"
+
+ROOTFS=/tmp/crowdsec-openresty-bouncer-install
+
+if [ -z "$CROWDSEC_OPENRESTY_BOUNCER_URL" ]; then
+    log "ERROR: bcrypt tool version missing."
+    exit 1
+fi
+
+#
+# Install required packages.
+#
+
+apk --no-cache add \
+    build-base \
+    gettext \
+    curl \
+    bash \
+
+#
+# Build.
+#
+
+log "Downloading Crowdsec Openresty Bouncer package..."
+mkdir /tmp/crowdsec-openresty-bouncer
+curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz --strip 1 -C /tmp/crowdsec-openresty-bouncer
+log "Deploy Crowdsec Openresty Bouncer..."
+cd /tmp/crowdsec-openresty-bouncer
+bash ./install.sh --NGINX_CONF_DIR=${ROOTFS}/etc/nginx/conf.d --LIB_PATH=${ROOTFS}/var/lib/nginx/lualib --CONFIG_PATH=${ROOTFS}/defaults/crowdsec/ --DATA_PATH=${ROOTFS}/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker
+sed -i 's|/tmp/crowdsec-openresty-bouncer-install||g' ${ROOTFS}/etc/nginx/conf.d/crowdsec_openresty.conf
+sed -i 's|ENABLED=.*|ENABLED=false|' ${ROOTFS}/defaults/crowdsec/crowdsec-openresty-bouncer.conf 

src/openresty/build.sh

@@ -180,6 +180,9 @@ make -C /tmp/openresty -j$(nproc)
 log "Installing OpenResty..."
 make DESTDIR=/tmp/openresty-install -C /tmp/openresty install
 
+#Install lua-resty-http required for Crowdsec OpenResty Bouncer 
+/tmp/openresty-install/var/lib/nginx/bin/opm --install-dir="/tmp/openresty-install/var/lib/nginx/site/" get pintsized/lua-resty-http
+
 rm -r \
     /tmp/openresty-install/etc/nginx/*.default \
     /tmp/openresty-install/var/lib/nginx/bin/opm \
@@ -189,5 +192,4 @@ rm -r \
     /tmp/openresty-install/var/lib/nginx/bin/md2pod.pl \
     /tmp/openresty-install/var/lib/nginx/pod \
     /tmp/openresty-install/var/lib/nginx/resty.index \
-    /tmp/openresty-install/var/lib/nginx/site \
     /tmp/openresty-install/var/run \