From 8f2bce1b1e7684d48a8b95b4a761489bad6e2a4e Mon Sep 17 00:00:00 2001 From: Zoey Date: Sat, 13 Jan 2024 21:48:11 +0100 Subject: [PATCH] add goaccess Signed-off-by: Zoey --- Dockerfile | 15 +- README.md | 6 +- backend/templates/dead_host.conf | 3 +- backend/templates/default.conf | 10 +- compose.yaml | 25 +- rootfs/etc/logrotate | 11 + rootfs/usr/local/bin/healthcheck.sh | 2 +- rootfs/usr/local/bin/launch.sh | 3 + rootfs/usr/local/bin/start.sh | 322 ++++++++++++------ .../conf/conf.d/goaccess-no-server-name.conf | 17 + .../usr/local/nginx/conf/conf.d/goaccess.conf | 35 ++ .../nginx/conf/conf.d/include/default.conf | 3 +- rootfs/usr/local/nginx/conf/conf.d/npm.conf | 21 +- rootfs/usr/local/nginx/conf/nginx.conf | 8 +- 14 files changed, 350 insertions(+), 131 deletions(-) create mode 100644 rootfs/etc/logrotate create mode 100644 rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf create mode 100644 rootfs/usr/local/nginx/conf/conf.d/goaccess.conf diff --git a/Dockerfile b/Dockerfile index 0eb34d33e..72c67d8a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -48,7 +48,7 @@ RUN apk add --no-cache ca-certificates git build-base && \ sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf -FROM zoeyvid/nginx-quic:240 +FROM zoeyvid/nginx-quic:241 SHELL ["/bin/ash", "-eo", "pipefail", "-c"] ARG CRS_VER=v4.0/dev 
@@ -92,19 +92,30 @@ ENV NODE_ENV=production \ ENV PUID=0 \ PGID=0 \ NIBEP=48693 \ + GOAIWSP=48683 \ NPM_PORT=81 \ + GOA_PORT=91 \ IPV4_BINDING=0.0.0.0 \ NPM_IPV4_BINDING=0.0.0.0 \ + GOA_IPV4_BINDING=0.0.0.0 \ IPV6_BINDING=[::] \ NPM_IPV6_BINDING=[::] \ + GOA_IPV6_BINDING=[::] \ DISABLE_IPV6=false \ NPM_DISABLE_IPV6=false \ + GOA_DISABLE_IPV6=false \ NPM_LISTEN_LOCALHOST=false \ - NPM_CERT_ID=0 \ + GOA_LISTEN_LOCALHOST=false \ + DEFAULT_CERT_ID=0 \ DISABLE_HTTP=false \ + NGINX_ACCESS_LOG=false \ NGINX_LOG_NOT_FOUND=false \ CLEAN=true \ FULLCLEAN=false \ + LOGROTATE=false \ + LOGROTATIONS=3 \ + GOA=false \ + GOACLA="--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string" \ PHP81=false \ PHP82=false \ PHP83=false diff --git a/README.md b/README.md index 2c9fce50b..49a09daea 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,9 @@ running at home or otherwise, including free TLS, without having to know too muc **Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
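Review bot: `GOA_LISTEN_LOCALHOST=false` together with `GOA_IPV4_BINDING=0.0.0.0` and `GOA_IPV6_BINDING=[::]` in this ENV block publishes the goaccess report on every interface as soon as `GOA=true`, and nothing in this patch adds access control in front of it (goaccess.conf itself is outside this view, so it may be handled there). The report contains request paths, referers and user agents for every proxied host, so the safer default is `GOA_LISTEN_LOCALHOST=true \`, letting users opt into a wider binding, or at least a compose.yaml comment stating that GOA_PORT has to be restricted. The default `GOACLA` also carries `--with-output-resolver`, which as far as I can tell enables reverse-DNS resolution in the HTML report; that generates outbound lookups from the container and slows report generation, so it deserves a comment next to the default.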
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).**
-**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
+**Note: Internal/LAN Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
**Note: Other Databases like MariaDB may work, but are unsupported.**
+**Note: access.log, logrotate and goaccess are NOT enabled by default.**
## Project Goal @@ -49,6 +50,7 @@ so that the barrier for entry here is low. - Supports HTTP/3 (QUIC) protocol. - Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it. +- goaccess included, see compose.yaml (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf)) - Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder. - If the core ruleset blocks valid requests, please check the `/opt/npm/etc/modsecurity/crs-setup.conf` file. - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH). @@ -70,7 +72,7 @@ so that the barrier for entry here is low. - Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver - Exposes INTERNAL backend api only to localhost - Basic security headers are added if you enable HSTS (HSTS has always subdomains and preload enabled) -- Access Log disabled +- access.log is disabled by default, unified and moved to `/opt/npm/nginx/access.log` - Error Log written to console - `Server` response header hidden - PHP 8.1/8.2/8.3 optional, with option to add extensions; available packages can added using envs in the compose file diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf index 28bf68c5e..16193fc77 100644 --- a/backend/templates/dead_host.conf +++ b/backend/templates/dead_host.conf @@ -13,8 +13,9 @@ server { include conf.d/include/block-exploits.conf; {% if use_default_location %} location / { - alias /html/404/; include conf.d/include/acme-challenge.conf; + root /html/404; + try_files $uri /index.html; } {% endif %} diff --git a/backend/templates/default.conf b/backend/templates/default.conf index 87970bad0..5dd753ff4 100644 --- a/backend/templates/default.conf 
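Review bot: Replacing `alias /html/404/;` with `root /html/404; try_files $uri /index.html;` changes the status code of the 404 page: the final `/index.html` argument of `try_files` is an internal redirect, so every unknown path on a dead host is now answered with the 404 HTML body but HTTP status 200, and the `404` branch of default.conf in the next file's first hunk has the same shape. A 200 for arbitrary paths misleads crawlers and monitoring and hides that the host is dead. Keep the status with `try_files $uri =404;` plus `error_page 404 /index.html;` in that location (error_page without `=` preserves the original code). The `congratulations` and `html` branches of default.conf serve index.html the same way, but a 200 there is arguably the intent.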
+++ b/backend/templates/default.conf @@ -26,7 +26,9 @@ server { {%- if value == "404" %} location / { - alias /html/404/; + include conf.d/include/acme-challenge.conf; + root /html/404; + try_files $uri /index.html; } {%- endif %} @@ -44,14 +46,16 @@ server { {%- if value == "congratulations" %} location / { include conf.d/include/acme-challenge.conf; - alias /html/default/; + root /html/default; + try_files $uri /index.html; } {%- endif %} {%- if value == "html" %} location / { include conf.d/include/acme-challenge.conf; - alias /data/etc/html/; + root /data/etc/html; + try_files $uri /index.html; } {%- endif %} } diff --git a/compose.yaml b/compose.yaml index 333a0e45e..f9fa9b150 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -13,20 +13,31 @@ services: - "TZ=Europe/Berlin" # set timezone, required # - "PUID=1000" # set group id, default 0 (root) # - "PGID=1000" # set user id, default 0 (root) -# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host -# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host +# - "NIBEP=48694" # internal port of the NOMplus API, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host +# - "GOAIWSP=48684" # internal port of goaccess, always bound to 127.0.0.1, default 48683, you need to change it, if you want to run multiple npm with goaccess instances in network mode host +# - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host +# - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host # - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all -# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all +# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM UI, defaults to all +# - "GOA_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the goaccess, defaults to all # - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all -# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all +# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM UI, defaults to all +# - "GOA_IPV6_BINDING=[::1]" # IPv6 address to bind for goaccess, defaults to all # - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false -# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the 
NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST -# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false -# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts +# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM UI, overrides NPM_IPV6_BINDING, default false +# - "GOA_DISABLE_IPV6=true" # disable IPv6 for goaccess, overrides GOA_IPV6_BINDING, default false +# - "NPM_LISTEN_LOCALHOST=true" # Binds the NPM UI only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false +# - "GOA_LISTEN_LOCALHOST=true" # Binds goaccess only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false +# - "DEFAULT_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts # - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false +# - "NGINX_ACCESS_LOG=true" # enables writing http access logs to /opt/npm/nginx/access.log, default false --- it is recommended to also enable LOGROTATE # - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false # - "CLEAN=false" # Clean folders, default true # - "FULLCLEAN=true" # Clean unused config folders, default false +# - "LOGROTATE=true" # Enables daily logrotation, overrides NGINX_ACCESS_LOG, default false +# - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3 +# - "GOA=true" # Enables goaccess, overrides NGINX_ACCESS_LOG, default false --- if you download the GeoLite2-Country.mmdb AND GeoLite2-City.mmdb file from MaxMind and place them in /opt/npm/etc/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below) +# - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # 
Arguments that should be passed to goaccess, default: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/bin/launch.sh#L50 and: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string # - "PHP81=true" # Activate PHP81, default false # - "PHP81_APKS=php81-curl php81-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.19&repo=community&arch=x86_64&name=php81-*, default none # - "PHP82=true" # Activate PHP82, default false diff --git a/rootfs/etc/logrotate b/rootfs/etc/logrotate new file mode 100644 index 000000000..77cc0bad9 --- /dev/null +++ b/rootfs/etc/logrotate @@ -0,0 +1,11 @@ +/data/nginx/access.log { + daily + rotate 3 + missingok + notifempty + compress + sharedscripts + postrotate + nginx -s reload + endscript +} diff --git a/rootfs/usr/local/bin/healthcheck.sh b/rootfs/usr/local/bin/healthcheck.sh index d016318dd..02e4a2c1e 100755 --- a/rootfs/usr/local/bin/healthcheck.sh +++ b/rootfs/usr/local/bin/healthcheck.sh 
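Review bot: The second port comment in this hunk is labelled `# - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, ...` but describes `GOA_PORT`; a user who uncomments it moves the NPM UI to 92 and leaves goaccess on 91, so it should read `# - "GOA_PORT=92" # Port goaccess should be bound to, default 91, ...`. The `GOA_LISTEN_LOCALHOST=true` comment likewise says it overrides `NPM_IPV4_BINDING/NPM_IPV6_BINDING` where `GOA_IPV4_BINDING/GOA_IPV6_BINDING` is meant, and `NOMplus` in the `NIBEP` comment is a typo for `NPMplus`. Since these comments are the only documentation of the new variables, the copy-paste errors will be reproduced verbatim in user configs.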
@@ -16,7 +16,7 @@ if [ "$NPM_IPV6_BINDING" != "[::]" ] && [ "$NPM_IPV4_BINDING" != "0.0.0.0" ]; th fi fi -if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then +if (if [ "$GOA" = "true" ]; then [ -f /tmp/goa/index.html ]; fi && if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && if [ "$PHP83" = true ]; then cgi-fcgi -bind -connect /dev/php83.sock > /dev/null 2>&1; fi && [ "$(curl -sk https://"$HC_IP":"$NPM_PORT"/api/ | jq --raw-output .status)" = "OK" ]); then echo "OK" exit 0 else diff --git a/rootfs/usr/local/bin/launch.sh b/rootfs/usr/local/bin/launch.sh index fd677989c..9ffea3848 100755 --- a/rootfs/usr/local/bin/launch.sh +++ b/rootfs/usr/local/bin/launch.sh 
@@ -46,5 +46,8 @@ fi if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi & if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi & if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi & +if [ "$LOGROTATE" = "true" ]; then logrotate /etc/logrotate; fi & +if [ "$GOA" = "true" ]; then goaccess --no-global-config --num-tests=0 --tz="$TZ" --date-format="%d/%b/%Y" --time-format="%H:%M:%S" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --no-ip-validation --addr=127.0.0.1 --port="$GOAIWSP" \ + -f /data/nginx/access.log --real-time-html -o /tmp/goa/index.html --persist --restore --db-path=/data/etc/goaccess/data -b /etc/goaccess/browsers.list -b /etc/goaccess/podcast.list "$GOACLA"; fi & aio.sh & index.js diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh index d826c17a6..593ff7276 100755 --- a/rootfs/usr/local/bin/start.sh +++ b/rootfs/usr/local/bin/start.sh @@ -18,6 +18,15 @@ fi touch /data/.env . /data/.env +if [ -z "$NPM_CERT_ID" ] || ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then + echo "NPM_CERT_ID needs to be a number." + sleep inf +fi + +if [ -z "$NPM_CERT_ID" ]; then + echo "NPM_CERT_ID is deprecated, please change it to DEFAULT_CERT_ID" + export DEFAULT_CERT_ID="$NPM_CERT_ID" +fi if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then echo "TZ is unset or invalid." 
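Review bot: `"$GOACLA"` at the end of the goaccess command's continuation line is passed as a single argument, so goaccess receives the whole string `--agent-list --real-os ...` as one unknown option rather than the option list the variable holds; start.sh already restricts `GOACLA` to `^-[a-zA-Z0-9 =/_.-]\+$`, so the intended word splitting is safe and the line should end with an unquoted `$GOACLA`. The `--geoip-database=...` options start.sh appends later inherit the same problem. Separately, `logrotate /etc/logrotate` runs exactly once at container start; `daily` in the config only describes when a rotation is due at invocation time, so without a cron entry or a loop such as `while true; do logrotate /etc/logrotate; sleep 86400; done &` the access log is rotated at most once per restart, contrary to the "daily logrotation" promised in compose.yaml.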
@@ -39,11 +48,21 @@ if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then sleep inf fi +if ! echo "$GOAIWSP" | grep -q "^[0-9]\+$"; then + echo "GOAIWSP needs to be a number." + sleep inf +fi + if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then echo "NPM_PORT needs to be a number." sleep inf fi +if ! echo "$GOA_PORT" | grep -q "^[0-9]\+$"; then + echo "GOA_PORT needs to be a number." + sleep inf +fi + if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then echo "IPV4_BINDING needs to be a IPv4-Address." sleep inf @@ -54,6 +73,11 @@ if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; sleep inf fi +if ! echo "$GOA_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then + echo "GOA_IPV4_BINDING needs to be a IPv4-Address." + sleep inf +fi + if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then echo "IPV6_BINDING needs to be a IPv6-Address inside []." sleep inf @@ -64,6 +88,11 @@ if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then sleep inf fi +if ! echo "$GOA_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then + echo "GOA_IPV6_BINDING needs to be a IPv6-Address inside []." + sleep inf +fi + if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then echo "DISABLE_IPV6 needs to be true or false." sleep inf 
@@ -74,13 +103,28 @@ if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then sleep inf fi +if ! echo "$GOA_DISABLE_IPV6" | grep -q "^true$\|^false$"; then + echo "GOA_DISABLE_IPV6 needs to be true or false." + sleep inf +fi + if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then echo "NPM_LISTEN_LOCALHOST needs to be true or false." sleep inf fi -if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then - echo "NPM_CERT_ID needs to be a number." +if ! echo "$GOA_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then + echo "GOA_LISTEN_LOCALHOST needs to be true or false." + sleep inf +fi + +if ! echo "$DEFAULT_CERT_ID" | grep -q "^[0-9]\+$"; then + echo "DEFAULT_CERT_ID needs to be a number." + sleep inf +fi + +if ! echo "$NGINX_ACCESS_LOG" | grep -q "^true$\|^false$"; then + echo "NGINX_ACCESS_LOG needs to be true or false." sleep inf fi @@ -104,6 +148,26 @@ if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then sleep inf fi +if ! echo "$LOGROTATE" | grep -q "^true$\|^false$"; then + echo "LOGROTATE needs to be true or false." + sleep inf +fi + +if [ -n "$LOGROTATE" ] && ! echo "$LOGROTATIONS" | grep -q "^[0-9]\+$"; then + echo "LOGROTATIONS needs to be a number." + sleep inf +fi + +if ! echo "$GOA" | grep -q "^true$\|^false$"; then + echo "GOA needs to be true or false." + sleep inf +fi + +if [ -n "$GOACLA" ] && ! echo "$GOACLA" | grep -q "^-[a-zA-Z0-9 =/_.-]\+$"; then + echo "GOACLA must start with a hyphen and can consist of lower and upper letters a-z A-Z, numbers 0-9, spaces, equals signs, slahes, underscores, dots and hyphens." + sleep inf +fi + if ! echo "$PHP81" | grep -q "^true$\|^false$"; then echo "PHP81 needs to be true or false." sleep inf 
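Review bot: The new `DEFAULT_CERT_ID` check in this hunk is unreachable with the shipped defaults, because the NPM_CERT_ID shim added in the hunk at `@@ -18,6 +18,15 @@` (its tail is cut off in this view) tests `[ -z "$NPM_CERT_ID" ]` in both places: the Dockerfile no longer sets `NPM_CERT_ID`, so the first test is true for every deployment and the script stops at `sleep inf` with "NPM_CERT_ID needs to be a number.", while the second would only ever export an empty `DEFAULT_CERT_ID`. Both conditions need `-n`: `if [ -n "$NPM_CERT_ID" ] && ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then` and `if [ -n "$NPM_CERT_ID" ]; then`. Also in this hunk, `[ -n "$LOGROTATE" ]` in front of the `LOGROTATIONS` check is always true because the block above already requires LOGROTATE to be `true` or `false`; `[ "$LOGROTATE" = "true" ]` expresses the apparent intent of validating only when rotation is enabled. The GOACLA error text has `slahes` for `slashes`.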
@@ -137,10 +201,19 @@ fi if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then - echo "You've set PGID but not PUID. Running resetting PGID to 0." + echo "You've set PGID but not PUID. Resetting PGID to 0." export PGID="0" fi +if [ "$GOA" = "true" ] && [ "$NGINX_ACCESS_LOG" = "false" ]; then + echo "You've enabled GOA but not NGINX_ACCESS_LOG. Enabling NGINX_ACCESS_LOG." + export NGINX_ACCESS_LOG="true" +fi + +if [ "$LOGROTATE" = "true" ] && [ "$NGINX_ACCESS_LOG" = "false" ]; then + echo "You've enabled LOGROTATE but not NGINX_ACCESS_LOG. Enabling NGINX_ACCESS_LOG." + export NGINX_ACCESS_LOG="true" +fi if [ "$NC_AIO" = "true" ]; then export DISABLE_HTTP="true" @@ -151,6 +224,40 @@ if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then export NPM_IPV6_BINDING="[::1]" fi +if [ "$GOA_LISTEN_LOCALHOST" = "true" ]; then + export GOA_IPV4_BINDING="127.0.0.1" + export GOA_IPV6_BINDING="[::1]" +fi + + +if [ -s /data/etc/goaccess/geoip/GeoLite2-Country.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-City.mmdb ] && echo "$GOACLA" | grep -vq "geoip-database"; then + export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-Country.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-City.mmdb" +fi + + +if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then + + apk add --no-cache fcgi + + # From https://github.com/nextcloud/all-in-one/pull/1377/files + if [ -n "$PHP_APKS" ]; then + for apk in $(echo "$PHP_APKS" | tr " " "\n"); do + + if ! echo "$apk" | grep -q "^php-.*$"; then + echo "$apk is a non allowed value." + echo "It needs to start with \"php-\"." + echo "It is set to \"$apk\"." + sleep inf + fi + + echo "Installing $apk via apk..." + if ! apk add --no-cache "$apk" > /dev/null 2>&1; then + echo "The apk \"$apk\" was not installed!" + fi + + done + fi +fi if [ "$PHP81" = "true" ]; then 
@@ -248,35 +355,25 @@ elif [ "$FULLCLEAN" = "true" ]; then rm -vrf /data/php/83 fi -if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then - - apk add --no-cache fcgi - - # From https://github.com/nextcloud/all-in-one/pull/1377/files - if [ -n "$PHP_APKS" ]; then - for apk in $(echo "$PHP_APKS" | tr " " "\n"); do - - if ! echo "$apk" | grep -q "^php-.*$"; then - echo "$apk is a non allowed value." - echo "It needs to start with \"php-\"." - echo "It is set to \"$apk\"." - sleep inf - fi - - echo "Installing $apk via apk..." - if ! apk add --no-cache "$apk" > /dev/null 2>&1; then - echo "The apk \"$apk\" was not installed!" - fi - done - fi +if [ "$GOA" = "true" ]; then + apk add --no-cache goaccess + mkdir -vp /data/etc/goaccess/data \ + /data/etc/goaccess/geoip +elif [ "$FULLCLEAN" = "true" ]; then + rm -vrf /data/etc/goaccess fi +if [ "$LOGROTATE" = "true" ]; then + apk add --no-cache logrotate + sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate +fi mkdir -p /tmp/acme-challenge \ /tmp/certbot-work \ /tmp/certbot-log \ - /tmp/npmhome + /tmp/npmhome \ + /tmp/goa mkdir -vp /data/tls/certbot/credentials \ /data/tls/certbot/renewal \ 
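Review bot: `apk add --no-cache goaccess` and `apk add --no-cache logrotate` in this hunk install unpinned packages from the network on every container start, so the goaccess version (and the log-format parser that launch.sh's `--log-format` relies on) can change underneath a fixed image tag, and a start without repository access leaves `GOA=true` deployments failing the new `/tmp/goa/index.html` healthcheck. This mirrors the existing `apk add --no-cache fcgi` pattern, but for a documented feature it is more robust to install both packages in the Dockerfile, whose base image is already pinned to `nginx-quic:241`, and only create the directories here. If runtime install is kept, the exit status should be checked unless the script runs under `set -e` (not visible here): `apk add --no-cache goaccess || { echo "goaccess could not be installed"; sleep inf; }` fails early instead of surfacing later as a healthcheck failure.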
@@ -456,86 +553,87 @@ if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.exam fi cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -if [ "$NPM_CERT_ID" = "0" ]; then - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem - echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." + +if [ "$DEFAULT_CERT_ID" = "0" ]; then + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem + echo "no DEFAULT_CERT_ID set, using dummycerts for npm and default hosts." else - if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then - if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then - echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem + if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then + if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then + echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist" + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "using dummycerts for npm and default hosts." else - export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem - echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem" + export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem + echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem" - if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then - echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem + if [ ! 
-s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then + echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist" + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "using dummycerts for npm and default hosts." else - export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem - echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem" + export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem + echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem" - if [ ! -s /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then - echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it" + if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then + echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it" else - export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem - echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem" + export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem + echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem" fi fi fi - elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then - if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then - echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem + elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then + if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then + echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist" + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "using dummycerts for npm and default hosts." 
else - export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem - echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem" + export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem + echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem" - if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then - echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem + if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then + echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist" + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "using dummycerts for npm and default hosts." else - export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem - echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem" + export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem + echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem" - if [ ! -s /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then - echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it" + if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then + echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it" else - export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem - echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem" + export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem + echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem" fi fi fi else - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem - echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts." 
+ export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem + echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts for npm and default hosts." fi fi -if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem +if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "something went wrong, using dummycerts for npm and default hosts." fi -if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem +if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then + export DEFAULT_CERT=/data/tls/dummycert.pem + export DEFAULT_KEY=/data/tls/dummykey.pem echo "something went wrong, using dummycerts for npm and default hosts." fi -if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then +if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then rm -vrf /data/tls/dummycert.pem \ /data/tls/dummykey.pem 
@@ -546,35 +644,46 @@ else /data/tls/dummykey.pem fi -if [ "$DISABLE_IPV6" = "true" ]; then - sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf -else - sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf -fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi -sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf -sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf -if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi -sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf -sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf -if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf +sed -i "s|#\?ssl_certificate_key 
.*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi -sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi -sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf -sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf -if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi -sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf -sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" 
/app/templates/default.conf -if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess.conf; fi + +sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf +sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf +if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf; fi + + +if [ "$DISABLE_IPV6" = "true" ]; then + sed -i "s|#\?resolver .*|resolver local=on valid=10s ipv6=off;|g" /usr/local/nginx/conf/nginx.conf +else + sed -i "s|#\?resolver .*|resolver local=on valid=10s;|g" /usr/local/nginx/conf/nginx.conf +fi sed -i "s|48693|$NIBEP|g" /app/index.js sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf +sed -i "s|48683|$GOAIWSP|g" /usr/local/nginx/conf/conf.d/goaccess.conf + sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; 
@@ -606,6 +715,17 @@ else
 sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
 fi
+sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $GOA_IPV4_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+
+if [ "$GOA_DISABLE_IPV6" = "true" ]; then
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+else
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess.conf
+ sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $GOA_IPV6_BINDING:$GOA_PORT/g" /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
+fi
+
 if [ "$DISABLE_HTTP" = "true" ]; then
 find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
 find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
@@ -617,7 +737,15 @@ else
 fi
 if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
- sed -i "s|log_not_found off;|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
+ sed -i "s|log_not_found.*|log_not_found on;|g" /usr/local/nginx/conf/nginx.conf
+else
+ sed -i "s|log_not_found.*|log_not_found off;|g" /usr/local/nginx/conf/nginx.conf
+fi
+
+if [ "$NGINX_ACCESS_LOG" = "true" ]; then
+ sed -i "s|access_log.*|access_log /data/nginx/access.log log;|g" /usr/local/nginx/conf/nginx.conf
+else
+ sed -i "s|access_log.*|access_log off;|g" /usr/local/nginx/conf/nginx.conf
 fi
 if [ ! -s /data/nginx/default.conf ]; then
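Review bot: The `listen` rewrites for goaccess.conf and goaccess-no-server-name.conf are the same command issued once per file in each of the three places (the IPv4 pair, the `GOA_DISABLE_IPV6` branch and its `else`), so the two files can drift the next time one of them is edited; a loop such as `for f in goaccess.conf goaccess-no-server-name.conf; do sed -i "s/…/listen $GOA_IPV4_BINDING:$GOA_PORT/g" "/usr/local/nginx/conf/conf.d/$f"; done` keeps them in lock-step. These rewrites also run regardless of GOA; if start.sh removes the goaccess files when GOA is false somewhere before this point (not visible here), `sed -i` on a missing path fails and would abort the script if it runs under `set -e`. The surrounding if/else block starts outside the hunk.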
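Review bot: `s|access_log.*|…|g` and `s|log_not_found.*|…|g` are unanchored, so they rewrite every line of nginx.conf containing those words, including any commented-out or per-server `access_log` directive that may exist outside the hunks shown; anchoring on the directive at line start, `sed -i "s|^\([[:space:]]*\)access_log .*|\1access_log /data/nginx/access.log log;|g"`, limits the edit to the http-level directive the nginx.conf hunk adds. Separately, GoAccess only has something to read when NGINX_ACCESS_LOG is true; unless GOA=true forces that elsewhere in start.sh (not visible here), a user who enables GOA alone gets an empty report. The enclosing script continues outside the hunk.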
@@ -653,9 +781,9 @@ else
 rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
 fi
-sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf
-sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
+if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi
 nginxbeautifier -s 4 -r /data/nginx
diff --git a/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
new file mode 100644
index 000000000..0a24692e4
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
@@ -0,0 +1,17 @@
+server {
+ http3 off;
+ listen 82 ssl;
+ listen [::]:82 ssl;
+
+ server_name "";
+ return 444;
+
+ include conf.d/include/brotli.conf;
+ include conf.d/include/force-tls.conf;
+ include conf.d/include/tls-ciphers.conf;
+ include conf.d/include/block-exploits.conf;
+
+ #ssl_certificate ;
+ #ssl_certificate_key ;
+ #ssl_trusted_certificate ;
+}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf b/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf
new file mode 100644
index 000000000..4f23df4d2
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/goaccess.conf
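Review bot: The placeholder port in this catch-all block is 82 while goaccess.conf uses 91; the start.sh hunk above rewrites the `listen` lines of both files with `$GOA_PORT`, so this is harmless at runtime, but a reader comparing the two files will wonder whether a second port is intended. `listen 91 ssl;` and `listen [::]:91 ssl;` would make the pair consistent with each other, as the npm.conf / npm-no-server-name.conf pair presumably is.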
@@ -0,0 +1,35 @@
+server {
+ http3 off;
+ listen 91 ssl default_server;
+ listen [::]:91 ssl default_server;
+
+ server_name _;
+ include conf.d/include/brotli.conf;
+ include conf.d/include/force-tls.conf;
+ include conf.d/include/tls-ciphers.conf;
+ include conf.d/include/block-exploits.conf;
+
+ modsecurity on;
+ modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
+
+ #ssl_certificate ;
+ #ssl_certificate_key ;
+ #ssl_trusted_certificate ;
+
+ location / {
+ if ($goaccess = "web") {
+ root /tmp/goa;
+ sub_filter 'WebSocket(str)' 'WebSocket(window.location.href.split("#")[0].replace(window.location.protocol, window.location.protocol == "https:" ? "wss:" : "ws:"))';
+ sub_filter_once on;
+ try_files /index.html;
+ }
+
+ if ($goaccess = "socket") {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ include conf.d/include/proxy-location.conf;
+ proxy_pass http://127.0.0.1:48683$request_uri;
+ }
+ }
+}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
index 7d630de78..a347dbe07 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -26,6 +26,7 @@ server {
 location / {
 include conf.d/include/acme-challenge.conf;
- alias /html/default/;
+ root /html/default;
+ try_files $uri /index.html;
 }
 }
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
index a78a595dd..e877ac8fd 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
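Review bot: To my knowledge nginx only accepts directives flagged for the "if in location" context inside an `if` block (`root`, `proxy_pass`, `return`, `rewrite` and the like), so `sub_filter`, `sub_filter_once`, `try_files` and `proxy_set_header` in the two `if ($goaccess …)` blocks of `location /` should make `nginx -t` reject the file with "directive is not allowed here", and `try_files /index.html;` additionally needs at least two arguments; if goaccess.conf is only loaded when GOA is enabled, this may simply not have surfaced yet. The usual restructuring is to hoist those directives to the `location /` level, where the `if` blocks inherit them, keep only `proxy_pass` under `if ($goaccess = "socket")`, and use a two-argument fallback such as `try_files $uri /index.html;`. Separately, nothing in this server block restricts who may load the report or open the WebSocket — there is no `auth_basic` and no `allow`/`deny` — while the access log it visualises holds client addresses, request lines, referers and user agents; an `auth_basic` pair or an `allow` list on `location /`, or at least documenting that GOA_IPV4_BINDING should be a private address, would be appropriate.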
@@ -17,24 +17,13 @@ server {
 #ssl_trusted_certificate ;
 location /api {
- return 301 /api/;
- }
-
- location /api/ {
- proxy_pass http://127.0.0.1:48693/;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header Early-Data $ssl_early_data;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Accept-Encoding "";
- proxy_set_header Host $host;
-
- proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
+
+ include conf.d/include/proxy-location.conf;
+
+ rewrite ^/api(/.*)$ $1 break;
+ proxy_pass http://127.0.0.1:48693;
 }
 location / {
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 109226d59..41ba8a247 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -15,8 +15,9 @@ events {
 }
 http {
- log_not_found off;
+ log_format log '[$time_local] $host $remote_addr $request_time "$request" $status $body_bytes_sent $bytes_sent $http_referer $http_user_agent';
 access_log off;
+ log_not_found off;
 include mime.types;
 default_type text/plain;
@@ -77,6 +78,11 @@ http {
 '' close;
 }
+ map $http_upgrade $goaccess {
+ default "web";
+ websocket "socket";
+ }
+
 upstream php81 {
 server unix:/run/php81.sock;
 }
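Review bot: `rewrite ^/api(/.*)$ $1 break;` does not match a bare `/api` request (the capture group requires the slash), which the removed `location /api` body answered with `301 /api/`; such a request is now forwarded upstream as `/api` rather than `/`. Adding `rewrite ^/api$ / break;` before the existing rewrite restores the old effect without the redirect. The removed `proxy_http_version 1.1` and `X-Forwarded-*` headers are presumably supplied by the included proxy-location.conf, which is not in this diff; the WebSocket upgrade headers kept above depend on HTTP/1.1 being set there.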
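Review bot: In the added `log_format log …` the `$http_referer` and `$http_user_agent` fields are unquoted although both routinely contain spaces, so a whitespace-delimited parser (the GoAccess log-format, presumably configured outside this hunk) cannot tell where one field ends and the next begins and will misattribute columns. Quoting them as nginx's combined format does, `"$http_referer" "$http_user_agent"`, gives a reliable delimiter, since nginx's default `escape=default` already encodes any `"` found inside a header value.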