diff --git a/Dockerfile b/Dockerfile
index 0eb34d33e..72c67d8a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,7 +48,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:240
+FROM zoeyvid/nginx-quic:241
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.0/dev
@@ -92,19 +92,30 @@ ENV NODE_ENV=production \
ENV PUID=0 \
PGID=0 \
NIBEP=48693 \
+ GOAIWSP=48683 \
NPM_PORT=81 \
+ GOA_PORT=91 \
IPV4_BINDING=0.0.0.0 \
NPM_IPV4_BINDING=0.0.0.0 \
+ GOA_IPV4_BINDING=0.0.0.0 \
IPV6_BINDING=[::] \
NPM_IPV6_BINDING=[::] \
+ GOA_IPV6_BINDING=[::] \
DISABLE_IPV6=false \
NPM_DISABLE_IPV6=false \
+ GOA_DISABLE_IPV6=false \
NPM_LISTEN_LOCALHOST=false \
- NPM_CERT_ID=0 \
+ GOA_LISTEN_LOCALHOST=false \
+ DEFAULT_CERT_ID=0 \
DISABLE_HTTP=false \
+ NGINX_ACCESS_LOG=false \
NGINX_LOG_NOT_FOUND=false \
CLEAN=true \
FULLCLEAN=false \
+ LOGROTATE=false \
+ LOGROTATIONS=3 \
+ GOA=false \
+ GOACLA="--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string" \
PHP81=false \
PHP82=false \
PHP83=false
diff --git a/README.md b/README.md
index 2c9fce50b..49a09daea 100644
--- a/README.md
+++ b/README.md
@@ -18,8 +18,9 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).**
-**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
+**Note: Internal/LAN Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
**Note: Other Databases like MariaDB may work, but are unsupported.**
+**Note: access.log, logrotate and goaccess are NOT enabled by default.**
## Project Goal
@@ -49,6 +50,7 @@ so that the barrier for entry here is low.
- Supports HTTP/3 (QUIC) protocol.
- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
+- goaccess included, see compose.yaml (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf))
- Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder.
- If the core ruleset blocks valid requests, please check the `/opt/npm/etc/modsecurity/crs-setup.conf` file.
- Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
@@ -70,7 +72,7 @@ so that the barrier for entry here is low.
- Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver
- Exposes INTERNAL backend api only to localhost
- Basic security headers are added if you enable HSTS (HSTS has always subdomains and preload enabled)
-- Access Log disabled
+- access.log is disabled by default, unified and moved to `/opt/npm/nginx/access.log`
- Error Log written to console
- `Server` response header hidden
- PHP 8.1/8.2/8.3 optional, with option to add extensions; available packages can added using envs in the compose file
diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf
index 28bf68c5e..16193fc77 100644
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@@ -13,8 +13,9 @@ server {
include conf.d/include/block-exploits.conf;
{% if use_default_location %}
location / {
- alias /html/404/;
include conf.d/include/acme-challenge.conf;
+ root /html/404;
+ try_files $uri /index.html;
}
{% endif %}
diff --git a/backend/templates/default.conf b/backend/templates/default.conf
index 87970bad0..5dd753ff4 100644
--- a/backend/templates/default.conf
+++ b/backend/templates/default.conf
@@ -26,7 +26,9 @@ server {
{%- if value == "404" %}
location / {
- alias /html/404/;
+ include conf.d/include/acme-challenge.conf;
+ root /html/404;
+ try_files $uri /index.html;
}
{%- endif %}
@@ -44,14 +46,16 @@ server {
{%- if value == "congratulations" %}
location / {
include conf.d/include/acme-challenge.conf;
- alias /html/default/;
+ root /html/default;
+ try_files $uri /index.html;
}
{%- endif %}
{%- if value == "html" %}
location / {
include conf.d/include/acme-challenge.conf;
- alias /data/etc/html/;
+ root /data/etc/html;
+ try_files $uri /index.html;
}
{%- endif %}
}
diff --git a/compose.yaml b/compose.yaml
index 333a0e45e..f9fa9b150 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -13,20 +13,31 @@ services:
- "TZ=Europe/Berlin" # set timezone, required
# - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root)
-# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
-# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
+# - "NIBEP=48694" # internal port of the NOMplus API, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
+# - "GOAIWSP=48684" # internal port of goaccess, always bound to 127.0.0.1, default 48683, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
+# - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
+# - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
-# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
+# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM UI, defaults to all
+# - "GOA_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the goaccess, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
-# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
+# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM UI, defaults to all
+# - "GOA_IPV6_BINDING=[::1]" # IPv6 address to bind for goaccess, defaults to all
# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false
-# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST
-# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
-# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
+# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM UI, overrides NPM_IPV6_BINDING, default false
+# - "GOA_DISABLE_IPV6=true" # disable IPv6 for goaccess, overrides GOA_IPV6_BINDING, default false
+# - "NPM_LISTEN_LOCALHOST=true" # Binds the NPM UI only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
+# - "GOA_LISTEN_LOCALHOST=true" # Binds goaccess only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
+# - "DEFAULT_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
+# - "NGINX_ACCESS_LOG=true" # enables writing http access logs to /opt/npm/nginx/access.log, default false --- it is recommended to also enable LOGROTATE
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false
+# - "LOGROTATE=true" # Enables daily logrotation, overrides NGINX_ACCESS_LOG, default false
+# - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
+# - "GOA=true" # Enables goaccess, overrides NGINX_ACCESS_LOG, default false --- if you download the GeoLite2-Country.mmdb AND GeoLite2-City.mmdb file from MaxMind and place them in /opt/npm/etc/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below)
+# - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # Arguments that should be passed to goaccess, default: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/bin/launch.sh#L50 and: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
# - "PHP81=true" # Activate PHP81, default false
# - "PHP81_APKS=php81-curl php81-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.19&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP82=true" # Activate PHP82, default false
diff --git a/rootfs/etc/logrotate b/rootfs/etc/logrotate
new file mode 100644
index 000000000..77cc0bad9
--- /dev/null
+++ b/rootfs/etc/logrotate
@@ -0,0 +1,11 @@
+/data/nginx/access.log {
+ daily
+ rotate 3
+ missingok
+ notifempty
+ compress
+ sharedscripts
+ postrotate
+ nginx -s reload
+ endscript
+}
diff --git a/rootfs/usr/local/bin/healthcheck.sh b/rootfs/usr/local/bin/healthcheck.sh
index d016318dd..02e4a2c1e 100755
--- a/rootfs/usr/local/bin/healthcheck.sh
+++ b/rootfs/usr/local/bin/healthcheck.sh
@@ -16,7 +16,7 @@ if [ "$NPM_IPV6_BINDING" != "[::]" ] && [ "$NPM_IPV4_BINDING" != "0.0.0.0" ]; th
fi
fi
-if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then
+if (if [ "$GOA" = "true" ]; then [ -f /tmp/goa/index.html ]; fi && if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then
echo "OK"
exit 0
else
diff --git a/rootfs/usr/local/bin/launch.sh b/rootfs/usr/local/bin/launch.sh
index fd677989c..9ffea3848 100755
--- a/rootfs/usr/local/bin/launch.sh
+++ b/rootfs/usr/local/bin/launch.sh
@@ -46,5 +46,8 @@ fi
if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi &
+if [ "$LOGROTATE" = "true" ]; then logrotate /etc/logrotate; fi &
+if [ "$GOA" = "true" ]; then goaccess --no-global-config --num-tests=0 --tz="$TZ" --date-format="%d/%b/%Y" --time-format="%H:%M:%S" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --no-ip-validation --addr=127.0.0.1 --port="$GOAIWSP" \
+ -f /data/nginx/access.log --real-time-html -o /tmp/goa/index.html --persist --restore --db-path=/data/etc/goaccess/data -b /etc/goaccess/browsers.list -b /etc/goaccess/podcast.list "$GOACLA"; fi &
aio.sh &
index.js
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
index d826c17a6..593ff7276 100755
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@@ -18,6 +18,15 @@ fi
touch /data/.env
. /data/.env
+if [ -z "$NPM_CERT_ID" ] || ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
+ echo "NPM_CERT_ID needs to be a number."
+ sleep inf
+fi
+
+if [ -z "$NPM_CERT_ID" ]; then
+ echo "NPM_CERT_ID is deprecated, please change it to DEFAULT_CERT_ID"
+ export DEFAULT_CERT_ID="$NPM_CERT_ID"
+fi
if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then
echo "TZ is unset or invalid."
@@ -39,11 +48,21 @@ if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then
sleep inf
fi
+if ! echo "$GOAIWSP" | grep -q "^[0-9]\+$"; then
+ echo "GOAIWSP needs to be a number."
+ sleep inf
+fi
+
if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then
echo "NPM_PORT needs to be a number."
sleep inf
fi
+if ! echo "$GOA_PORT" | grep -q "^[0-9]\+$"; then
+ echo "GOA_PORT needs to be a number."
+ sleep inf
+fi
+
if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "IPV4_BINDING needs to be a IPv4-Address."
sleep inf
@@ -54,6 +73,11 @@ if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$";
sleep inf
fi
+if ! echo "$GOA_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
+ echo "GOA_IPV4_BINDING needs to be a IPv4-Address."
+ sleep inf
+fi
+
if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
echo "IPV6_BINDING needs to be a IPv6-Address inside []."
sleep inf
@@ -64,6 +88,11 @@ if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
sleep inf
fi
+if ! echo "$GOA_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
+ echo "GOA_IPV6_BINDING needs to be a IPv6-Address inside []."
+ sleep inf
+fi
+
if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then
echo "DISABLE_IPV6 needs to be true or false."
sleep inf
@@ -74,13 +103,28 @@ if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
sleep inf
fi
+if ! echo "$GOA_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
+ echo "GOA_DISABLE_IPV6 needs to be true or false."
+ sleep inf
+fi
+
if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
echo "NPM_LISTEN_LOCALHOST needs to be true or false."
sleep inf
fi
-if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
- echo "NPM_CERT_ID needs to be a number."
+if ! echo "$GOA_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
+ echo "GOA_LISTEN_LOCALHOST needs to be true or false."
+ sleep inf
+fi
+
+if ! echo "$DEFAULT_CERT_ID" | grep -q "^[0-9]\+$"; then
+ echo "DEFAULT_CERT_ID needs to be a number."
+ sleep inf
+fi
+
+if ! echo "$NGINX_ACCESS_LOG" | grep -q "^true$\|^false$"; then
+ echo "NGINX_ACCESS_LOG needs to be true or false."
sleep inf
fi
@@ -104,6 +148,26 @@ if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then
sleep inf
fi
+if ! echo "$LOGROTATE" | grep -q "^true$\|^false$"; then
+ echo "LOGROTATE needs to be true or false."
+ sleep inf
+fi
+
+if [ -n "$LOGROTATE" ] && ! echo "$LOGROTATIONS" | grep -q "^[0-9]\+$"; then
+ echo "LOGROTATIONS needs to be a number."
+ sleep inf
+fi
+
+if ! echo "$GOA" | grep -q "^true$\|^false$"; then
+ echo "GOA needs to be true or false."
+ sleep inf
+fi
+
+if [ -n "$GOACLA" ] && ! echo "$GOACLA" | grep -q "^-[a-zA-Z0-9 =/_.-]\+$"; then
+ echo "GOACLA must start with a hyphen and can consist of lower and upper letters a-z A-Z, numbers 0-9, spaces, equals signs, slahes, underscores, dots and hyphens."
+ sleep inf
+fi
+
if ! echo "$PHP81" | grep -q "^true$\|^false$"; then
echo "PHP81 needs to be true or false."
sleep inf
@@ -137,10 +201,19 @@ fi
if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
- echo "You've set PGID but not PUID. Running resetting PGID to 0."
+ echo "You've set PGID but not PUID. Resetting PGID to 0."
export PGID="0"
fi
+if [ "$GOA" = "true" ] && [ "$NGINX_ACCESS_LOG" = "false" ]; then
+ echo "You've enabled GOA but not NGINX_ACCESS_LOG. Enabling NGINX_ACCESS_LOG."
+ export NGINX_ACCESS_LOG="true"
+fi
+
+if [ "$LOGROTATE" = "true" ] && [ "$NGINX_ACCESS_LOG" = "false" ]; then
+ echo "You've enabled LOGROTATE but not NGINX_ACCESS_LOG. Enabling NGINX_ACCESS_LOG."
+ export NGINX_ACCESS_LOG="true"
+fi
if [ "$NC_AIO" = "true" ]; then
export DISABLE_HTTP="true"
@@ -151,6 +224,40 @@ if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
export NPM_IPV6_BINDING="[::1]"
fi
+if [ "$GOA_LISTEN_LOCALHOST" = "true" ]; then
+ export GOA_IPV4_BINDING="127.0.0.1"
+ export GOA_IPV6_BINDING="[::1]"
+fi
+
+
+if [ -s /data/etc/goaccess/geoip/GeoLite2-Country.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-City.mmdb ] && echo "$GOACLA" | grep -vq "geoip-database"; then
+ export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-Country.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-City.mmdb"
+fi
+
+
+if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then
+
+ apk add --no-cache fcgi
+
+ # From https://github.com/nextcloud/all-in-one/pull/1377/files
+ if [ -n "$PHP_APKS" ]; then
+ for apk in $(echo "$PHP_APKS" | tr " " "\n"); do
+
+ if ! echo "$apk" | grep -q "^php-.*$"; then
+ echo "$apk is a non allowed value."
+ echo "It needs to start with \"php-\"."
+ echo "It is set to \"$apk\"."
+ sleep inf
+ fi
+
+ echo "Installing $apk via apk..."
+ if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
+ echo "The apk \"$apk\" was not installed!"
+ fi
+
+ done
+ fi
+fi
if [ "$PHP81" = "true" ]; then
@@ -248,35 +355,25 @@ elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/php/83
fi
-if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then
-
- apk add --no-cache fcgi
-
- # From https://github.com/nextcloud/all-in-one/pull/1377/files
- if [ -n "$PHP_APKS" ]; then
- for apk in $(echo "$PHP_APKS" | tr " " "\n"); do
-
- if ! echo "$apk" | grep -q "^php-.*$"; then
- echo "$apk is a non allowed value."
- echo "It needs to start with \"php-\"."
- echo "It is set to \"$apk\"."
- sleep inf
- fi
-
- echo "Installing $apk via apk..."
- if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
- echo "The apk \"$apk\" was not installed!"
- fi
- done
- fi
+if [ "$GOA" = "true" ]; then
+ apk add --no-cache goaccess
+ mkdir -vp /data/etc/goaccess/data \
+ /data/etc/goaccess/geoip
+elif [ "$FULLCLEAN" = "true" ]; then
+ rm -vrf /data/etc/goaccess
fi
+if [ "$LOGROTATE" = "true" ]; then
+ apk add --no-cache logrotate
+ sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate
+fi
mkdir -p /tmp/acme-challenge \
/tmp/certbot-work \
/tmp/certbot-log \
- /tmp/npmhome
+ /tmp/npmhome \
+ /tmp/goa
mkdir -vp /data/tls/certbot/credentials \
/data/tls/certbot/renewal \
@@ -456,86 +553,87 @@ if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.exam
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
-if [ "$NPM_CERT_ID" = "0" ]; then
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts."
+
+if [ "$DEFAULT_CERT_ID" = "0" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "no DEFAULT_CERT_ID set, using dummycerts for npm and default hosts."
else
- if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
- if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
- echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+ if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
+ if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
+ echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
- export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
- echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem"
+ export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
+ echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
- if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then
- echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+ if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
+ echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
- export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
- echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem"
+ export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
+ echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
- if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then
- echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
+ if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
+ echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
- export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
- echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem"
+ export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem
+ echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
- elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
- if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
- echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+ elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
+ if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
+ echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
- export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
- echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem"
+ export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
+ echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
- if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then
- echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+ if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
+ echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
- export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
- echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem"
+ export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
+ echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
- if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then
- echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
+ if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
+ echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
- export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
- echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem"
+ export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem
+ echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
else
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts."
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts for npm and default hosts."
fi
fi
-if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
-if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
+if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
-if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
+if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
@@ -546,35 +644,46 @@ else
/data/tls/dummykey.pem
fi
-if [ "$DISABLE_IPV6" = "true" ]; then
- sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf
-else
- sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf
-fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess.conf; fi
+
+sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf; fi
+
+
+if [ "$DISABLE_IPV6" = "true" ]; then
+ sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf
+else
+ sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf
+fi
sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
+sed -i "s|48683|$GOAIWSP|g" /usr/local/nginx/conf/conf.d/goaccess.conf
+
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
@@ -606,6 +715,17 @@ else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
+sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+
+if [ "$GOA_DISABLE_IPV6" = "true" ]; then
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+else
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+fi
+
if [ "$DISABLE_HTTP" = "true" ]; then
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
@@ -617,7 +737,15 @@ else
fi
if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
- sed -i "s|log_not_found off;|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
+ sed -i "s|log_not_found.*|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
+else
+ sed -i "s|log_not_found.*|log_not_found off;|g" /usr/local/nginx/conf/nginx.conf
+fi
+
+if [ "$NGINX_ACCESS_LOG" = "true" ]; then
+ sed -i "s|access_log.*|access_log /data/nginx/access.log log;|g" /usr/local/nginx/conf/nginx.conf
+else
+ sed -i "s|access_log.*|access_log off;|g" /usr/local/nginx/conf/nginx.conf
fi
if [ ! -s /data/nginx/default.conf ]; then
@@ -653,9 +781,9 @@ else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi
-sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf
-sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi
nginxbeautifier -s 4 -r /data/nginx
diff --git a/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
new file mode 100644
index 000000000..0a24692e4
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
@@ -0,0 +1,17 @@
+server {
+ http3 off;
+ listen 82 ssl;
+ listen [::]:82 ssl;
+
+ server_name "";
+ return 444;
+
+ include conf.d/include/brotli.conf;
+ include conf.d/include/force-tls.conf;
+ include conf.d/include/tls-ciphers.conf;
+ include conf.d/include/block-exploits.conf;
+
+ #ssl_certificate ;
+ #ssl_certificate_key ;
+ #ssl_trusted_certificate ;
+}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf b/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf
new file mode 100644
index 000000000..4f23df4d2
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf
@@ -0,0 +1,35 @@
+server {
+ http3 off;
+ listen 91 ssl default_server;
+ listen [::]:91 ssl default_server;
+
+ server_name _;
+ include conf.d/include/brotli.conf;
+ include conf.d/include/force-tls.conf;
+ include conf.d/include/tls-ciphers.conf;
+ include conf.d/include/block-exploits.conf;
+
+ modsecurity on;
+ modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
+
+ #ssl_certificate ;
+ #ssl_certificate_key ;
+ #ssl_trusted_certificate ;
+
+ location / {
+ if ($goaccess = "web") {
+ root /tmp/goa;
+ sub_filter 'WebSocket(str)' 'WebSocket(window.location.href.split("#")[0].replace(window.location.protocol, window.location.protocol == "https:" ? "wss:" : "ws:"))';
+ sub_filter_once on;
+ try_files /index.html;
+ }
+
+ if ($goaccess = "socket") {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ include conf.d/include/proxy-location.conf;
+ proxy_pass http://127.0.0.1:48683$request_uri;
+ }
+ }
+}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
index 7d630de78..a347dbe07 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -26,6 +26,7 @@ server {
location / {
include conf.d/include/acme-challenge.conf;
- alias /html/default/;
+ root /html/default;
+ try_files $uri /index.html;
}
}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
index a78a595dd..788736719 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -17,24 +17,13 @@ server {
#ssl_trusted_certificate ;
location /api {
- return 301 /api/;
- }
-
- location /api/ {
- proxy_pass http://127.0.0.1:48693/;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header Early-Data $ssl_early_data;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Accept-Encoding "";
- proxy_set_header Host $host;
-
- proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
+
+ include conf.d/include/proxy-location.conf;
+
+ rewrite ^/api(/.*)$ $1 break;
+ proxy_pass http://127.0.0.1:48693;
}
location / {
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 109226d59..41ba8a247 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -15,8 +15,9 @@ events {
}
http {
- log_not_found off;
+ log_format log '[$time_local] $host $remote_addr $request_time "$request" $status $body_bytes_sent $bytes_sent $http_referer $http_user_agent';
access_log off;
+ log_not_found off;
include mime.types;
default_type text/plain;
@@ -77,6 +78,11 @@ http {
'' close;
}
+ map $http_upgrade $goaccess {
+ default "web";
+ websocket "socket";
+ }
+
upstream php81 {
server unix:/run/php81.sock;
}