├── .dictionary.txt ├── .github ├── dependabot.yml └── workflows │ ├── cancel_dupes.yml │ ├── deploy.yml │ └── pre-commit-updates.yaml ├── .gitignore ├── .markdownlint.json ├── .pre-commit-config.yaml ├── Dockerfile ├── LICENSE ├── README.md ├── blockbot-list ├── buildnow.sh ├── docker-compose.yml └── rootfs ├── etc ├── nginx │ ├── blockbot.conf │ ├── blockbot.conf.org │ ├── conf.d │ │ └── geoip.conf │ ├── geoip_countries.conf │ ├── nginx.conf │ └── sites-available │ │ ├── default │ │ └── default.org └── s6-overlay │ ├── s6-rc.d │ ├── 10-ssl │ │ ├── dependencies.d │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 20-webproxy │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 30-blockbot │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 40-geoip │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 50-check-ipv6 │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 60-block-ips │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 70-basic-authentication │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 80-set-cors │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ └── base │ │ ├── type │ │ └── up │ ├── 99-test-webproxy │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors 
│ │ │ └── base │ │ ├── type │ │ └── up │ ├── block-ips │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ └── 99-test-webproxy │ │ ├── run │ │ └── type │ ├── check-blockbotlist │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ └── 99-test-webproxy │ │ ├── run │ │ └── type │ ├── create-ipmaps │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ ├── 99-test-webproxy │ │ │ └── webproxy │ │ ├── run │ │ └── type │ ├── goaccess │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ └── 99-test-webproxy │ │ ├── run │ │ └── type │ ├── nginx-log-to-console │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ ├── 99-test-webproxy │ │ │ └── webproxy │ │ ├── run │ │ └── type │ ├── nginx-logrotate │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ └── 99-test-webproxy │ │ ├── run │ │ └── type │ ├── ssl │ │ ├── dependencies.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ └── 99-test-webproxy │ │ 
├── run │ │ └── type │ ├── user │ │ └── contents.d │ │ │ ├── 10-ssl │ │ │ ├── 20-webproxy │ │ │ ├── 30-blockbot │ │ │ ├── 40-geoip │ │ │ ├── 50-check-ipv6 │ │ │ ├── 60-block-ips │ │ │ ├── 70-basic-authentication │ │ │ ├── 80-set-cors │ │ │ ├── 99-test-webproxy │ │ │ ├── block-ips │ │ │ ├── check-blockbotlist │ │ │ ├── create-ipmaps │ │ │ ├── goaccess │ │ │ ├── nginx-log-to-console │ │ │ ├── nginx-logrotate │ │ │ ├── ssl │ │ │ └── webproxy │ └── webproxy │ │ ├── dependencies.d │ │ ├── 10-ssl │ │ ├── 20-webproxy │ │ ├── 30-blockbot │ │ ├── 40-geoip │ │ ├── 50-check-ipv6 │ │ ├── 60-block-ips │ │ ├── 70-basic-authentication │ │ ├── 80-set-cors │ │ └── 99-test-webproxy │ │ ├── run │ │ └── type │ └── scripts │ ├── 10-ssl │ ├── 20-webproxy │ ├── 30-blockbot │ ├── 40-geoip │ ├── 50-check-ipv6 │ ├── 60-block-ips │ ├── 70-basic-authentication │ ├── 80-set-cors │ ├── 99-test-webproxy │ ├── block-ips │ ├── check-blockbotlist │ ├── create-ipmaps │ ├── goaccess │ ├── nginx-log-to-console │ ├── nginx-logrotate │ ├── ssl │ └── webproxy └── root ├── blockstats ├── default ├── geoip_countries.conf ├── index.html ├── ip-blocklist-template ├── ipmap ├── letsencrypt-force-reinstall ├── locations.conf.example ├── manage_ipblock └── nginx.conf /.dictionary.txt: -------------------------------------------------------------------------------- 1 | crate 2 | foto 3 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 
3 | # Please see the documentation for all configuration options: 4 | # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "docker" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | target-branch: "dev" 11 | schedule: 12 | interval: "weekly" 13 | day: "saturday" 14 | time: "00:00" 15 | timezone: "Etc/UTC" 16 | 17 | # Maintain dependencies for GitHub Actions 18 | - package-ecosystem: "github-actions" 19 | directory: "/" 20 | schedule: 21 | interval: "weekly" 22 | day: "saturday" 23 | time: "00:00" 24 | timezone: "Etc/UTC" 25 | assignees: 26 | - "fredclausen" 27 | -------------------------------------------------------------------------------- /.github/workflows/cancel_dupes.yml: -------------------------------------------------------------------------------- 1 | name: Cancelling Duplicates 2 | on: 3 | workflow_run: 4 | workflows: 5 | - "Deploy to Docker Hub" 6 | - "Check Linting" 7 | - "Tests" 8 | types: ["requested"] 9 | 10 | jobs: 11 | cancel-duplicate-workflow-runs: 12 | name: "Cancel duplicate workflow runs" 13 | runs-on: ubuntu-18.04 14 | steps: 15 | - uses: potiuk/cancel-workflow-runs@master 16 | name: "Cancel duplicate workflow runs" 17 | with: 18 | cancelMode: allDuplicates 19 | token: ${{ secrets.GITHUB_TOKEN }} 20 | sourceRunId: ${{ github.event.workflow_run.id }} 21 | -------------------------------------------------------------------------------- /.github/workflows/deploy.yml: -------------------------------------------------------------------------------- 1 | name: Deploy to GHCR 2 | 3 | on: 4 | # Build and deploy the image on pushes to main branch 5 | workflow_dispatch: 6 | inputs: 7 | reason: 8 | required: true 9 | description: "Reason for running this workflow" 10 | use_test_image: 11 | required: false 12 | type: boolean 13 | description: "Use base image testpr" 14 | default: false 15 | # Build and 
deploy the image on pushes to master branch 16 | push: 17 | branches: 18 | - main 19 | paths: 20 | - "rust/**" 21 | - "Dockerfile**" 22 | - "rootfs/**" 23 | 24 | env: 25 | REGISTRY: ghcr.io 26 | IMAGE_NAME: webproxy 27 | REPO: sdr-enthusiasts 28 | IMAGE: docker-reversewebproxy 29 | 30 | jobs: 31 | workflow-dispatch: 32 | name: Triggered via Workflow Dispatch? 33 | # only run this step if workflow dispatch triggered 34 | # log the reason the workflow dispatch was triggered 35 | if: | 36 | github.event_name == 'workflow_dispatch' && 37 | github.event.inputs.reason != '' 38 | runs-on: ubuntu-22.04 39 | steps: 40 | - name: Log dispatch reason 41 | env: 42 | INPUTS_REASON: ${{ github.event.inputs.reason }} 43 | INPUTS_USE_TEST_IMAGE: ${{ github.event.inputs.use_test_image }} 44 | run: | 45 | echo "Workflow dispatch reason: $INPUTS_REASON" 46 | echo "Use test image: $INPUTS_USE_TEST_IMAGE" 47 | 48 | build_and_push: 49 | name: Image Build & Push 50 | uses: sdr-enthusiasts/common-github-workflows/.github/workflows/build_and_push_image.yml@main 51 | with: 52 | push_enabled: true 53 | push_destinations: ghcr.io 54 | ghcr_repo_owner: ${{ github.repository_owner }} 55 | ghcr_repo: sdr-enthusiasts/webproxy 56 | platform_linux_arm32v6_enabled: false 57 | platform_linux_i386_enabled: false 58 | # set build_latest to true if github.event.inputs.use_test_image is false 59 | build_latest: ${{ github.event.inputs.use_test_image == 'false' || github.event.inputs.use_test_image == '' }} 60 | build_baseimage_test: ${{ github.event.inputs.use_test_image == 'true' }} 61 | # only build the entire stack if we are not using the test image 62 | build_version_specific: false 63 | build_platform_specific: false 64 | build_nohealthcheck: false 65 | build_baseimage_url: :python/:python-test-pr 66 | secrets: 67 | ghcr_token: ${{ secrets.GITHUB_TOKEN }} 68 | 69 | build_and_push_too: 70 | name: Image Build & Push - secondary container target 71 | uses: 
sdr-enthusiasts/common-github-workflows/.github/workflows/build_and_push_image.yml@main 72 | with: 73 | push_enabled: true 74 | push_destinations: ghcr.io 75 | ghcr_repo_owner: ${{ github.repository_owner }} 76 | ghcr_repo: sdr-enthusiasts/docker-reversewebproxy 77 | platform_linux_arm32v6_enabled: false 78 | platform_linux_i386_enabled: false 79 | # set build_latest to true if github.event.inputs.use_test_image is false 80 | build_latest: ${{ github.event.inputs.use_test_image == 'false' || github.event.inputs.use_test_image == '' }} 81 | build_baseimage_test: ${{ github.event.inputs.use_test_image == 'true' }} 82 | # only build the entire stack if we are not using the test image 83 | build_version_specific: false 84 | build_platform_specific: false 85 | build_nohealthcheck: false 86 | build_baseimage_url: :python/:python-test-pr 87 | secrets: 88 | ghcr_token: ${{ secrets.GITHUB_TOKEN }} 89 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit-updates.yaml: -------------------------------------------------------------------------------- 1 | name: Update pre-commit hooks 2 | 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: 0 0 * * * 7 | 8 | jobs: 9 | pre-commit-update: 10 | runs-on: ubuntu-latest 11 | name: Updates 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v4.2.2 15 | - name: Update pre-commit hooks 16 | uses: brokenpip3/action-pre-commit-update@0.0.2 17 | with: 18 | github-token: ${{ secrets.GITHUB_TOKEN }} 19 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /.markdownlint.json: -------------------------------------------------------------------------------- 1 | { 2 | "default": true, 3 | "MD013": false, 4 | "MD033": false, 5 | "MD045": false 6 | } 
-------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | # lint yaml, line and whitespace 3 | - repo: https://github.com/pre-commit/pre-commit-hooks 4 | rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # frozen: v5.0.0 5 | hooks: 6 | - id: check-yaml 7 | - id: end-of-file-fixer 8 | - id: trailing-whitespace 9 | - id: requirements-txt-fixer 10 | - id: mixed-line-ending 11 | - id: check-executables-have-shebangs 12 | - id: check-shebang-scripts-are-executable 13 | 14 | # lint the dockerfiles 15 | - repo: https://github.com/hadolint/hadolint 16 | rev: c3dc18df7a501f02a560a2cc7ba3c69a85ca01d3 # frozen: v2.13.1-beta 17 | hooks: 18 | - id: hadolint 19 | 20 | # prettier 21 | - repo: https://github.com/pre-commit/mirrors-prettier 22 | rev: "f12edd9c7be1c20cfa42420fd0e6df71e42b51ea" # frozen: v4.0.0-alpha.8 23 | hooks: 24 | - id: prettier 25 | types_or: [file, bash, sh, javascript, jsx, ts, tsx] 26 | additional_dependencies: 27 | - prettier@2.5.1 28 | exclude: ^(Dockerfile*) 29 | 30 | - repo: https://github.com/codespell-project/codespell.git 31 | rev: "63c8f8312b7559622c0d82815639671ae42132ac" # frozen: v2.4.1 32 | hooks: 33 | - id: codespell 34 | types: [text] 35 | args: [--ignore-words=.dictionary.txt] 36 | exclude: ^(Dockerfile*) 37 | 38 | - repo: https://github.com/shellcheck-py/shellcheck-py 39 | rev: a23f6b85d0fdd5bb9d564e2579e678033debbdff # frozen: v0.10.0.1 40 | hooks: 41 | - id: shellcheck 42 | 43 | - repo: https://github.com/sirosen/check-jsonschema 44 | rev: 06e4cc849d03f3a59ca223a4046f4bb5bb2aba6d # frozen: 0.33.0 45 | hooks: 46 | - id: check-github-actions 47 | - id: check-github-workflows 48 | 49 | - repo: https://github.com/doublify/pre-commit-rust 50 | rev: eeee35a89e69d5772bdee97db1a6a898467b686e # frozen: v1.0 51 | hooks: 52 | - id: fmt 53 | - id: cargo-check 54 | 55 | # lint python formatting 56 | - repo: 
https://github.com/psf/black 57 | rev: 8a737e727ac5ab2f1d4cf5876720ed276dc8dc4b # frozen: 25.1.0 58 | hooks: 59 | - id: black 60 | 61 | - repo: https://github.com/pycqa/flake8 62 | rev: "4b5e89b4b108a6c1a000c591d334a99a80d34c7b" # frozen: 7.2.0 63 | hooks: 64 | - id: flake8 65 | args: ["--extend-ignore=W503,W504,E501"] 66 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ghcr.io/sdr-enthusiasts/docker-baseimage:base 2 | 3 | ENV GEOIP_RESPONSECODE=403 4 | ENV BLOCKBOT_RESPONSECODE=403 5 | ENV LOGROTATE_INTERVAL=3600 6 | ENV LOGROTATE_MAXBACKUPS=24 7 | ENV IPTABLES_JAILTIME=0 8 | 9 | LABEL org.opencontainers.image.source = "https://github.com/sdr-enthusiasts/docker-reversewebproxy" 10 | 11 | #hadolint ignore=DL3008,SC3054 12 | RUN set -x && \ 13 | # define packages needed for installation and general management of the container: 14 | TEMP_PACKAGES=() && \ 15 | KEPT_PACKAGES=() && \ 16 | KEPT_PACKAGES+=(nginx) && \ 17 | KEPT_PACKAGES+=(python3-certbot-nginx) && \ 18 | KEPT_PACKAGES+=(psmisc) && \ 19 | KEPT_PACKAGES+=(libnginx-mod-http-geoip) && \ 20 | KEPT_PACKAGES+=(geoip-database) && \ 21 | KEPT_PACKAGES+=(iptables) && \ 22 | KEPT_PACKAGES+=(jq) && \ 23 | TEMP_PACKAGES+=(gpg) && \ 24 | # added for debugging 25 | KEPT_PACKAGES+=(procps nano netcat-openbsd libnginx-mod-http-echo) && \ 26 | # 27 | # Install all these packages: 28 | apt-get update && \ 29 | apt-get install -o APT::Autoremove::RecommendsImportant=0 -o APT::Autoremove::SuggestsImportant=0 -o Dpkg::Options::="--force-confold" --force-yes -y --no-install-recommends --no-install-suggests\ 30 | ${KEPT_PACKAGES[@]} \ 31 | ${TEMP_PACKAGES[@]} && \ 32 | # Added for GoAccess server report - see https://goaccess.io/ 33 | mkdir -p /usr/share/keyrings && \ 34 | curl -sSL https://deb.goaccess.io/gnugpg.key | gpg --dearmor > /usr/share/keyrings/goaccess.gpg && \ 35 | echo "deb 
[signed-by=/usr/share/keyrings/goaccess.gpg arch=$(dpkg --print-architecture)] https://deb.goaccess.io/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/goaccess.list && \ 36 | apt-get update && \ 37 | apt-get install -o APT::Autoremove::RecommendsImportant=0 -o APT::Autoremove::SuggestsImportant=0 -o Dpkg::Options::="--force-confold" --force-yes -y --no-install-recommends --no-install-suggests\ 38 | goaccess && \ 39 | # 40 | # Clean up: 41 | apt-get remove -y ${TEMP_PACKAGES[@]} && \ 42 | apt-get autoremove -o APT::Autoremove::RecommendsImportant=0 -o APT::Autoremove::SuggestsImportant=0 -y && \ 43 | apt-get clean -y && \ 44 | rm -rf /src/* /tmp/* /var/lib/apt/lists/* /usr/share/keyrings/goaccess.gpg && \ 45 | # remove pycache 46 | { find /usr | grep -E "/__pycache__$" | xargs rm -rf || true; } && \ 47 | bash /scripts/clean-build.sh && \ 48 | # 49 | # Do some other stuff 50 | echo "alias dir=\"ls -alsv\"" >> /root/.bashrc && \ 51 | echo "alias nano=\"nano -l\"" >> /root/.bashrc && \ 52 | echo "PATH=/root:\$PATH" >> /root/.bashrc 53 | 54 | # Copy the rootfs into place: 55 | # 56 | COPY rootfs/ / 57 | 58 | EXPOSE 80 59 | EXPOSE 443 60 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Docker-ReverseWebProxy 2 | 3 | 4 | 5 | ## Table of Contents 6 | 7 | - [Docker-ReverseWebProxy](#docker-reversewebproxy) 8 | - [Table of Contents](#table-of-contents) 9 | - [What is it?](#what-is-it) 10 | - [How do I get it?](#how-do-i-get-it) 11 | - [How do I configure it?](#how-do-i-configure-it) 12 | - [General parameters](#general-parameters) 13 | - [Configuration of the Webproxy](#configuration-of-the-webproxy) 14 | - [Configuration of SSL](#configuration-of-ssl) 15 | - [GeoIP Filtering](#geoip-filtering) 16 | - [BlockBot Filtering](#blockbot-filtering) 17 | - [`iptables` blocking](#iptables-blocking) 18 | - [Basic 
Authentication](#basic-authentication) 19 | - [Advanced Setup](#advanced-setup) 20 | - [Host your own web pages](#host-your-own-web-pages) 21 | - [Access Report Page using `goaccess`](#access-report-page-using-goaccess) 22 | - [Automatic creation of web pages with geographic map of visitors](#automatic-creation-of-web-pages-with-geographic-map-of-visitors) 23 | - [Extras](#extras) 24 | - [Troubleshooting](#troubleshooting) 25 | - [Acknowledgements](#acknowledgements) 26 | - [License](#license) 27 | 28 | ## What is it? 29 | 30 | This application, further referred to as "Webproxy", enables to show a single website for multiple web services running on different machines and/or different ports. 31 | 32 | The need for a solution is age-old, but what triggered the creation of this project was the deployment of Dockerized web services for a ADSB Feeder station. These web services are distributed over 1 or more Raspberry Pi's, and each of them provides a web interface on a different TCP port. As a result, the user has to remember a collection of seemingly random IP addresses and port numbers to get to these web services, which creates an awful user experience. 33 | 34 | The Webproxy allows the user to map these web services to a single URL, differentiating them by assigning a virtual directory name for each. 35 | 36 | The following example highlights this: 37 | 38 | | Web Service | Original address | New Address with Webproxy | 39 | | ----------- | ----------------------------- | ------------------------- | 40 | | readsb | | | 41 | | piaware | | | 42 | | tar1090 | | | 43 | | planefence | | | 44 | | planefinder | | | 45 | | graphs | | | 46 | | radar | | | 47 | | acarshub | | | 48 | 49 | ## How do I get it? 50 | 51 | Prerequisite for this to work, is that you have a working `Docker` and `Docker-compose` setup. 
52 | This is less than 5 minutes of work -- use [this script](https://github.com/sdr-enthusiasts/docker-install) or follow all 3 steps of the "Setting up the Host System" section at [this GitBook](https://sdr-enthusiasts.gitbook.io/ads-b/setting-up-the-host-system/install-docker). 53 | 54 | Once this is done, create a working directory and download the `docker-compose.yml` file: 55 | 56 | ```bash 57 | sudo mkdir -p -m 777 /opt/webproxy && cd /opt/webproxy 58 | wget https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/main/docker-compose.yml 59 | ``` 60 | 61 | You should EDIT the `docker-compose.yml` file included in this repository and configure it to your liking. See below for options. 62 | (Note - CAREFUL. YAML is based on indentation levels, so make sure you keep each line at the correct indent level!) Also note that `-m 777` makes `/opt/webproxy` writable by every local user; on a shared host, tighten the permissions once setup is done so that only trusted accounts can change `docker-compose.yml`. 63 | 64 | Now, you can either run it as-is, or, if you already have another `docker-compose.yml`, you can copy the data of the `services:` section to your existing `docker-compose.yml`. 65 | 66 | With that, you are ready to run the proxy! 67 | 68 | ## How do I configure it? 69 | 70 | The Webproxy can be entirely configured in the `docker-compose.yml`, or, optionally, you can create a more advanced setup manually. You can also start with the `docker-compose.yml` configuration and then add to this manually in the future. Here's how: 71 | 72 | ### General parameters 73 | 74 | | Parameter | Values | Description | 75 | |-----------|--------|-------------| 76 | | `AUTOGENERATE` | `ON`, `OFF` | Determines if the system will use the `REVPROXY` and `REDIRECT` settings of the `docker-compose.yml` file (`ON`), or a manually generated `locations.conf` file (`OFF`). 
| 77 | | `VERBOSELOG` | `ON`, `OFF` | Determines if the internal web service Access and Error logs will be written to the Docker log (accessible with `docker logs webproxy`) (`ON`), or if this logging will be switched off (`OFF`) | 78 | | `CORSHOSTS` | hostname(s), or `_`, or empty | Set CORS* via the `Access-Control-Allow-Origin` header. If using a single hostname, only that hostname will be set. If using multiple comma-separated hostnames, the header will be set to "`*`", which allows all hosts and not just those listed. If using "`_`", CORS will be hard-disabled | 79 | | `PROXY_READ_TIMEOUT` | time (secs) or `ON` | This parameter controls the `proxy_read_timeout` parameter for `nginx`. This parameter is an inactivity timeout for reverse-proxied websites. This is needed if you want to keep a connection going with a proxied website, even if this website doesn't send any information for some period of time. An example of this is the [Portainer Container Console](https://github.com/portainer/portainer/issues/2953). If set to a value, it will use this value (in seconds) for timeout. If set to `ON` or `true`, the timeout is set to `3600` seconds (1 hour). If omitted, the default timeout value of 60 secs is used. | 80 | 81 | * CORS prevents third-party websites from including linked data (API calls, images, etc.) from your own websites. This is implemented by the browser to prevent theft of your IP or properties. Sometimes, it is desirable to allow specific (or all, or no) third-party websites to access data from your sites, for example when adding the RainViewer API to VRS. 82 | Note - for VRS, if you are instructed to add CORS exceptions to your VRS Admin, please add those also to the `CORSHOSTS` parameter of the webproxy container. 83 | 84 | You may have to adjust your `ports:` and your `volumes:` mapping to your liking, especially if you are not running on the Raspberry Pi standard `pi` account. 
85 | 86 | ### Configuration of the Webproxy 87 | 88 | If `AUTOGENERATE=ON`, the system will build a Webproxy based on the `REVPROXY` and `REDIRECT` parameter values. 89 | 90 | `REVPROXY` defines the proxy-pairs to serve the `destination` target when the user browses to `urltarget`. The user's browser will never be redirected to an internal IP address for service, all web pages are being served from the Webproxy. As such, the process of going to the correct website/port to get the web page is completely hidden from the user. 91 | 92 | `REVPROXY` has the following format: `urltarget|destination[|user1|pass1[|user2|pass2[|...|...]]]` 93 | For example, for REVPROXY=readsb|, a user browsing to will be proxied to a service located at . The user's browser will _never_ see the internal IP address. 94 | Note - both the `urltarget` and the `destination` must be URLs or directories, and cannot be a file name. 95 | You can provide a comma separated list of `urltarget|destination` pairs, similar to the example in the default `docker-compose.yml`. 96 | The optional `|user1|pass1|user2|pass2|...|...` addons define the allowed username/password combination for this specific revproxy. 97 | 98 | `REDIRECT` redirects the user's browser to a specific address. In contrast to `REVPROXY`, the Webproxy does NOT "front" the rendering of the website. This can be useful if there is information that you want to be available within your own subnet, but not to the outside world. 99 | The format for `REDIRECT` is similar to that of `REVPROXY`: `urltarget|redirection` 100 | For example, for `REDIRECT=/planefinder/setup.html|http://10.0.0.191:8086/setup.html` 101 | Note - for `REDIRECT`, both the urltarget and the redirection MAY BE a URL or a file names. 102 | Similar to `REVPROXY`, `REDIRECT` can contain comma separated entries. See example in the default `docker-compose.yml`. 
103 | 104 | ### Configuration of SSL 105 | 106 | SSL can only be enabled if you have a domain name (a real one or a Dynamic DNS name) that currently points at your WebProxy instance. This means that your WebProxy must be accessible from the internet (forward of port 80 and port 443 required if behind a router). 107 | 108 | The following settings will enable SSL to be part of the reverse proxy. 109 | SSL certificates are provided by Let's Encrypt. 110 | 111 | A "_" means that this is the default value 112 | | Parameter | Values | Description | 113 | |-----------|--------|-------------| 114 | | `SSL` | `DISABLED`_, `ENABLED` | Enable the installation of SSL certificates | 115 | | `SSL_EMAIL` | your email address | A valid email address is needed to get a certificate | 116 | | `SSL_DOMAIN` | A list of web domains | SSL will be enabled for these domains. Note - each domain must point to, and be reachable at, this container for the SSL certificate to be successfully installed! | 117 | | `SSL_TOS` | `REJECT`_, `ACCEPT` | Indicates your acceptance of the Terms of Service for the SSL certificate set forth at | 118 | | `SSL_REDIRECT` | `DISABLED`, `ENABLED` | When set to ENABLED, all incoming non-SSL traffic is redirected to use SSL | 119 | 120 | Note: your SSL certificates are valid for 90 days. The container will check daily if they need renewing, and will do so if there's less than a month before the expiration date. 121 | **Let's Encrypt will start sending you emails about the pending expiration about 45 days before the deadline. Sometimes, the expiration date in this email doesn't correspond to the real expiration date of the certificates. 
You can safely ignore these emails as long as your container is running.** 122 | If you want to check the official expiration date of your certificates, this command will show you: 123 | 124 | ```bash 125 | docker exec -it webproxy certbot certificates 126 | ``` 127 | 128 | ### GeoIP Filtering 129 | 130 | The Reverse Webproxy can filter incoming requests by originating IP. It uses an external GeoIP database that maps IP addresses to countries. This database is updated regularly with the latest mappings. Note - this GeoIP IP to Location mapping is not perfect, and users with a VPN can circumvent GeoIP filtering without much problems. 131 | 132 | | Parameter | Values | Description | 133 | | -------------------- | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 134 | | `GEOIP_DEFAULT` | \\*, `ALLOW`, `BLOCK` | Empty: GeoIP filtering is disabled; `ALLOW`: ***allow** all* except for the listed countries in `GEOIP_COUNTRIES`, which are blocked; `BLOCK`: ***block** all* except for the listed countries in `GEOIP_COUNTRIES`, which are allowed. | 135 | | `GEOIP_COUNTRIES` | | Comma-separated list of 2-letter country abbreviations, for example `RU,CN,BY,RS` (which means Russia, China, Bielorus, Serbia). | 136 | | `GEOIP_RESPONSECODE` | 3-digit HTTP response code | Default if omitted: `403` ("Forbidden"). Other codes that may be useful: `402` (payment required), `404` (doesn't exist), `418` (I am a teapot - used to tell requesters to go away), `410` (Gone), `500` (Internal Server Error), `503` (service unavailable). 
See | 137 | 138 | ### BlockBot Filtering 139 | 140 | The BlockBot feature filters out HTTP requests based on a fuzzy match of the HTTP User Agent field against a list of potential matches. This can be used to somewhat effectively filter out bots that are trying to scrape your website. The `BLOCKBOT` parameter included `docker-compose.yml` file has an example of a bot filter. 141 | 142 | | Parameter | Values | Description | 143 | | ----------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 144 | | `BLOCKBOT` | string snippets of User Agent fields | Comma-separated strings, for example `google,bing,yandex,msnbot`. If the element is a URL (starting with `http`), it will try to download a list from that URL. You can mix UA snippets and URLs to your liking. If this parameter is empty, the BlockBot functionality is disabled. | 145 | | `BLOCKBOT_RESPONSECODE` | 3-digit HTTP response code | Default if omitted: `403` ("Forbidden"). Other codes that may be useful: `402` (payment required), `404` (doesn't exist), `418` (I am a teapot - used to tell requesters to go away), `410` (Gone), `500` (Internal Server Error), `503` (service unavailable). See | 146 | | `BLOCKBOT_UPDATETIME` | Time (in secs) | Time (in secs) between checks to see if (URL-based) remote lists of `BLOCKBOT` user agent snippets have been updated. Default value is `21600` (secs = 6 hours) | 147 | 148 | ### `iptables` blocking 149 | 150 | As an option, the system can use `iptables` to block any IP match of GeoIp or BlockBot. 
If a request comes from an IP address that is blocked via `iptables`, the server will simply not respond at all to the request - as if the TCP/IP address simply wasn't available. This decreases the load on the system, and mostly slows down or prevents DDoS attacks. 151 | 152 | The system will scan the logs for any BlockBot or GeoIP filtered request, and adds any IP address that received a return value of `$BLOCKBOT_RESPONSECODE` or `$GEOIP_RESPONSECODE` to the `iptables` blocked list, unless the IP is part of a value or range specified in the `ip-allowlist` (see below). The `iptables` blocker is updated in batches every 60 seconds. 153 | To enable this behavior, set `IPTABLES_BLOCK` to `ENABLED` or `ON`. You can also specify the time an IP address should stay on the `iptables` block list with the `IPTABLES_JAILTIME` parameter. Additionally, you must add the `NET_ADMIN` capability to the container; see the [`docker-compose.yml`](docker-compose.yml) for an example. Note that `NET_ADMIN` lets processes in the container change firewall rules and other network settings of the network namespace the container runs in, so add it only if you use this feature. 154 | 155 | ```yaml 156 | cap_add: 157 | - NET_ADMIN 158 | ``` 159 | 160 | Note that it will block all IP addresses that received a response code of `GEOIP_RESPONSECODE` or `BLOCKBOT_RESPONSECODE`, whatever the reason for that response. If you are concerned that this may include occasional IP addresses that incidentally received any of these response codes but were not GeoIP or Bot restricted, then either use unique response codes for GeoIP/Bots or don't enable this feature. 161 | 162 | As long as the `/run/nginx` volume is mapped (see example in [`docker-compose.yml`](docker-compose.yml)), the blocked IP list is persistent across restarts and recreation of the container. 163 | 164 | If you want to remove IP addresses from the blocked list, you can do so manually by removing them with a text editor from the file `ip-blocklist` in the mapped volume. 
Alternatively, you can use a simple utility to do this while running the container: 165 | 166 | ```bash 167 | docker exec -it webproxy manage_ipblock 168 | ``` 169 | 170 | Note that the `IPTABLES_BLOCK` feature enables logging to disk (specifically, `/var/log/nginx/access.log`). You may want to map this directory to a `tmpfs` volume \(see example in [`docker-compose.yml`](docker-compose.yml)\). Log rotation keeps 24 files of 1 hour each around; the 1 hour log rotation intervals and number of retained backups are configurable with the`LOGROTATE_INTERVAL` and `LOGROTATE_MAXBACKUPS` docker environment variable. 171 | 172 | | Parameter | Values | Description | 173 | | ---------------------- | ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 174 | | `IPTABLES_BLOCK` | `ON`/`ENABLED` or `OFF`/`DISABLED`/blank | If enabled, any IP address match to `GEOIP_RESPONSECODE` or `BLOCKBOT_RESPONSECODE` will be blocked using `iptables`. If disabled or omitted, `iptables` blocking won't be used | 175 | | `IPTABLES_BLOCK_NO_USERAGENT` | `ON`/`ENABLED` or `OFF`/`DISABLED`/blank | If enabled, requests from IP addresses that don't contain a User Agent will be blocked | 176 | | `IPTABLES_JAILTIME` | time in seconds; `0` (default) means forever | The time that an IP Address will remain blocked. 
If omitted or set to `0`, blocked IP addresses will be blocked in perpetuity, or at least until the IP address is manually removed from the IP Block List | 177 | | `LOGROTATE_INTERVAL` | time in seconds; default value `3600` | The time between each run of log rotation for `/var/log/nginx/access.log` and `/var/log/nginx/error.log` | 178 | | `LOGROTATE_MAXBACKUPS` | integer between `0` and `100`; default value `24` | The number of backup files for `/var/log/nginx/access.log` and `/var/log/nginx/error.log` | 179 | 180 | ### Basic Authentication 181 | 182 | The container supports a "basic" implementation of Basic Authentication. This is not inherently super-secure, and it exposes the usernames/passwords in clear text to the host system. Basic Authentication also sends the username and password with every request in a form that is only encoded, not encrypted, so enable it only together with `SSL=ENABLED` and `SSL_REDIRECT=ENABLED`. We are planning to make this more secure in the future, but for now, please use with caution. 183 | 184 | The container supports basic authentication for the local web page through the `LOCAL_CREDS` variable, as well as credentials for each of the `REVPROXY`d entries via the `REVPROXY` variable. 185 | 186 | | Parameter | Values | Description | 187 | | ------------- | --------------------- | -------------- | 188 | | `AUTH` | `on`/`1`/`enabled`/`true` or anything else | If set to `on`, Basic Authentication is enabled. If set to anything else or omitted, Basic Authentication is disabled. | 189 | | `LOCAL_CREDS` | | A list of credentials in the format `username1\|password1,username2\|password2,...` | 190 | | `LOCAL_CREDS_ALL_REVPROXIES` | `on`/`1`/`enabled`/`true` or anything else | If set to `on`, the local creds will also be assigned to all of the reverse proxy addresses defined with the `REVPROXY` parameter.
Note - if the same username is defined for a `REVPROXY` parameter as for `LOCAL_CREDS`, only the password in `REVPROXY` will be used.| 191 | | `REVPROXY` | | A comma separated list in this format: | 192 | 193 | ```yaml 194 | REVPROXY=origin1|http://destination1|username1|password1|username2|password2, 195 | origin2|http://destination2|username3|password3|username4|password4|username5|password5, 196 | origin3|http://destination3, 197 | ... 198 | ``` 199 | 200 | ### Advanced Setup 201 | 202 | After you run the container the first time, it will create a directory named `~/.webproxy`. If `AUTOGENERATE=ON`, there will be a `locations.conf` file. There will also be a `locations.conf.example` file that contains setup examples. If you know how to write a `nginx` configuration file, feel free to edit the `locations.conf` and add any options to your liking. 203 | 204 | BEFORE restarting the container (important!!) edit `docker-compose.yml` and set `AUTOGENERATE=OFF`. If you don't do this, your newly created `locations.conf` file will be overwritten by the auto-generated one based on the `REVPROXY` and `REDIRECT` settings. (There will be a time-stamped backup file of your `locations.conf` file, so not everything is lost!) 205 | 206 | In some systems where IPV6 is disabled or not available, you may have to add this environment parameter: `IPV6=DISABLED`. 207 | 208 | ### Host your own web pages 209 | 210 | You can place HTML and other web files in `~/.webproxy/html`. An example `index.html` is already provided, and can be reached by browsing to the root URL of your system. 211 | At this time, features like `php` are not enabled. If you are interested in this, please file a feature request at [issues](https://github.com/sdr-enthusiasts/docker-reversewebproxy/issues). 212 | Note -- the web server inside the container does NOT run as `root`, so you must make sure that there are read permissions for "all" (`chmod a+r`) for any files you place in the `html` directory. 
213 | Feel free to create additional subdirectories if needed for your project. 214 | Also note -- the website may not be reachable if you redirected or proxied `/` to some other service. 215 | 216 | #### Access Report Page using `goaccess` 217 | 218 | The container can create a publicly available Access Report, controlled by the following parameter: 219 | | Parameter | Values | Description | 220 | | ------------- | --------------------- | -------------- | 221 | | `ACCESS_REPORT_PAGE` | `on`/`1`/`true`/`yes`
`off`/`0`/`false`/`no`/
`pagename.html` | If set to `on` or an equivalent value, an Access Report will be generated at `http(s)://myservername/access-report.html`. If set to a page name, an Access Report will be generated at `http(s)://myservername/pagename.html`. If set to `off` or an equivalent value (or if left empty (default)), then no Access Reports will be generated. | 222 | | `ACCESS_REPORT_FREQUENCY` | `300` (secs, default) | Value, in seconds, of refresh frequency of the Access Report. To reduce CPU effort and Disk IO, it's recommended not to set this to less than 60 secs | 223 | | `ACCESS_REPORT_RESOLVE` | `on`/`1`/`true`/`yes`/
`off`/`0`/`false`/`no` | If left blank (default) or set to `on` or an equivalent value, the Access Report will attempt to resolve any external IP addresses to a domain name. If set to `off` or an equivalent value, the Access Report will not try to resolve any IP addresses. If you have a busy webserver and run on a machine that is either not too fast, or has a slow DNS resolver, you may see that your Access Report page refreshes very slowly or not at all. In this case, please set this parameter to `off` | 224 | 225 | This access report is created using a tool called [GoAccess](https://goaccess.io/) 226 | 227 | #### Automatic creation of web pages with geographic map of visitors 228 | 229 | If you set `IPMAPS=true`, the container will try to automatically create IP maps of the visitors to your website. This includes any visit that goes to a URL that is handled by the WebProxy, regardless if it's rendering a local page, being sent to a reverse proxy address, or being redirected somewhere else. The website will automatically generate the following pages that are updated every 15 minutes. You can change the defaults by defining the parameters below. 230 | 231 | The system uses to create these maps from the webserver's access logs. 232 | 233 | If `IPMAPS` is not enabled, the pages will not exist. Any previously generated map redirects will be deleted. 
234 | 235 | | URL | Map Type | 236 | | --- | -------- | 237 | | `/ipmap-all.html` | Redirection to a map with **all** visitors | 238 | | `/ipmap-filtered.html` | Redirection to a map with only visitors who were denied access due to Geo-IP block or BotBlock | 239 | | `/ipmap-accepted.html` | Redirection to a map with only those visitors that passed the filtering and that were allowed to browse to the resource they tried to access | 240 | 241 | The following related parameters can be set: 242 | 243 | | Parameter | Values | Description | 244 | | --------- | ------ | ---------------- | 245 | | `IPMAPS` | `on`/`enabled`/`true`/`1` or
`off`/`disabled`/`false`/`0`
or empty | If enabled, IPMAPS will be generated as described above. If disabled or empty (default), maps aren't generated | 246 | | `IPMAPS_INTERVAL` | value in secs or empty | Interval of generation of the IP Maps. Default if omitted is `900` seconds | 247 | | `IPMAPS_BASENAME` | partial file name | Base file name of the map URL. Default value is `ipmap-`, which would correspond to `http://ip_addr/ipmap-all.html` / `http://ip_addr/ipmap-filtered.html` / `http://ip_addr/ipmap-allowed.html` | 248 | 249 | ### Extras 250 | 251 | - Get a URL to a geographic map of all IPs that hit your WebProxy by typing: 252 | 253 | ```bash 254 | docker exec -it webproxy ipmap 255 | ``` 256 | 257 | (Prerequisites: either of these parameters must be set: `IPTABLES_BLOCK=ENABLED` (recommended) or `VERBOSELOG=file` (works but not recommended) 258 | 259 | ## Troubleshooting 260 | 261 | - Issue: the container log (`docker logs webproxy`) shows error messages like this: `sleep: cannot read realtime clock: Operation not permitted` 262 | - Solution: you must upgrade `libseccomp2` on your host system to version 2.4 or later. If you are using a Raspberry Pi with Buster based OS, [here](https://github.com/fredclausen/Buster-Docker-Fixes) is a repo with a script that can automatically fix this for you 263 | - Issue: `docker-compose up -d` exits with an error 264 | - Solution: you probably have a typo in `docker-compose.yml`. Make sure that all lines are at the exact indentation level, and that the last entry in the `REVPROXY` and `REDIRECT` lists do not end on a comma 265 | - Issue: The container complaints about port mappings during start-up 266 | - Solution: you probably are already running another service on the same port on your host machine. The port exposed to the world is the first `80` in `- PORTS: 80:80` in `docker-compose.yml`. You can do one of two things: scour your system for other web services on that port (another container? `lighttpd`? `nginx`?) 
and disable that service (or put it on another port), or change the first `80` to some other port number. For `docker` containers, you can check the ports that are used by each container with this command: `docker ps` 267 | - Issue: Everything starts up fine, but the website doesn't render any pages 268 | - Solution: Please take a look at the container log (`docker logs webproxy`) to see if there are any errors. The log will be explicit about some of the more obvious issues 269 | - Issue: I have troubles getting the Webproxy to work with VRS (Virtual Radar Server) 270 | - Solution: in VRS, make sure to configure this: VRS Options -> Website -> Website Customisation -> Proxy Type = Reverse 271 | - Issue: Planefinder doesn't work correctly 272 | - Solution: make sure that you have added the following to the `REVPROXY` variable (replace ip address and port with whatever is appropriate for your system): 273 | 274 | ```yaml 275 | planefinder|http://10.0.0.191:8086, 276 | ajax|http://10.0.0.191:8086/ajax, 277 | assets|http://10.0.0.191:8086/assets, 278 | ``` 279 | 280 | - Issue: The docker logs show an error like this on start up: 281 | 282 | ```text 283 | nginx: [emerg] socket() [::]:80 failed (97: Address family not supported) 284 | nginx: configuration file /etc/nginx/nginx.conf test failed 285 | ``` 286 | 287 | - Solution: Your system doesn't support IPV6 while the container expects this. Solve it by adding this parameter to your `docker-compose.yml`: `IPV6=DISABLED` 288 | - Issue: with `IPTABLES_BLOCK` switched on, it looks like the webproxy is trying to block large lists of ip addresses, even though none (or few) of these addresses have hit the system in the last 60 seconds 289 | - Solution: You probably didn't add the `NET_ADMIN` capacity to the container. You need to do this in your `docker-compose.yml` file and then recreate the container. See above and see [`docker-compose.yml`](docker-compose.yml) for an example. 
290 | - Issue: I'm getting emails from `letsencrypt.org` about the pending expiration of my SSL certificates 291 | - Solution: ignore them. As long as the container is running and SSL is enabled, the certificates are checked daily for pending expiration and will be renewed 1 month before that date. Sometimes, letsencrypt.org gets confused about the expiration dates and thinks it's earlier than is really the case. You can always check this for yourself by looking at the container logs, or by running this command: `docker exec -it certbot certificates` 292 | - Issue: when adding new URLs to a deployment that already has SSL certificates, the logs show messages that requesting a certificate for the new URL failed because the user should indicate which of (multiple) accounts should be used. 293 | - Solution: This is caused by certificates that have been added to `webproxy` at different points in time. To fix it, back up any web pages that are directly served by the container, and recreate the entire setup. Please note that doing this more than 5 times in a week will lock you out and prevent you from recreating existing certificates for up to a week, so USE THIS SOLUTION SPARINGLY. The solution assumes that the container name is `webproxy` and that its mapped working volume is `/opt/webproxy/webproxy`. If this is different, you may have to adapt the commands accordingly. It's preferable to feed the script line by line rather than all at once, so you can monitor the outcome. 294 | 295 | ```bash 296 | cd /opt/webproxy # go to the home directory 297 | docker stop webproxy # stop the webproxy container 298 | 299 | # Back up the web pages and any custom configuration. Sudo is used to ensure also closed directories are backed up 300 | # Only if the backup is successful, delete the working directory 301 | sudo tar zcvf web-backup.tgz webproxy/html webproxy/locations.conf && sudo rm -rf webproxy 302 | 303 | # Recreate the webproxy.
Adapt the location of your "docker-compose.yml" as needed 304 | docker compose up -d --force-recreate webproxy 305 | 306 | # Check in the logs that the issue is fixed: 307 | sleep 30 && docker logs webproxy 308 | 309 | # Restore the files and restart the container once more to ensure the locations.conf file is applied 310 | sudo tar zxvf web-backup.tgz 311 | docker restart webproxy 312 | 313 | # You can now remove the "web-backup.tgz" file, or save it as a backup of your website. 314 | ``` 315 | 316 | ## Acknowledgements 317 | 318 | - @Mikenye for encouraging me to look into Docker, and to suggest we need a Reverse Web Proxy to solve our web service issues. He also wrote the Github Actions scripts and taught me how to work with the `s6` service layer. 319 | - @Wiedehopf for helping me get my initial installation of nginx configured and working. Without his help, everything would have taken many weeks (!) instead of a few hours. 320 | 321 | ## License 322 | 323 | The software packages and OS layers included in this project are used with permission under license terms that are distributed with these packages. 324 | 325 | The combination of these packages and any additional software written to combine and configure the Webproxy are Copyright 2021-2024 by Ramon F. Kolb (kx1t), and licensed under the GNU General Public License, version 3 or later. If you desire to use this software with a different license, please contact the author. 326 | 327 | Summary of License Terms 328 | This program is free software: you can redistribute it and/or modify it under the terms of 329 | the GNU General Public License as published by the Free Software Foundation, either version 3 330 | of the License, or (at your option) any later version. 331 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; 332 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 333 | See the GNU General Public License for more details. 
334 | 335 | You should have received a copy of the GNU General Public License along with this program. 336 | If not, see . 337 | -------------------------------------------------------------------------------- /blockbot-list: -------------------------------------------------------------------------------- 1 | adsbot 2 | Akkoma 3 | AltaVista 4 | aws 5 | axios 6 | Barkrowler 7 | bing 8 | BlackWidow 9 | Bytespider 10 | bot 11 | CensysInspect 12 | ChinaClaw 13 | Client 14 | Collector 15 | Custo 16 | dataminr 17 | Dazzle 18 | Demon 19 | DISCo 20 | Download 21 | Downloader 22 | eCatch 23 | EirGrabber 24 | email 25 | EmailSiphon 26 | EmailWolf 27 | evcrawler 28 | Expanse 29 | Express 30 | eXtractor 31 | ExtractorPro 32 | EyeNetIE 33 | facebookexternalhit 34 | Firefox/45 35 | FlashGet 36 | FlipboardProxy 37 | Foto 38 | Friendica 39 | FROMURL 40 | GenomeCrawlerd 41 | GetRight 42 | GetWeb! 43 | Go-Ahead-Got-It 44 | Go-http-client 45 | google 46 | Google-Read-Aloud 47 | Googlebot 48 | GoogleOther 49 | Go!Zilla 50 | GrabNet 51 | Grafula 52 | Guzzle 53 | HappyWing 54 | HMView 55 | htmlparser 56 | HTTrack 57 | Indy 58 | InterGET 59 | InternetMeasurement 60 | JetCar 61 | jsonlite 62 | larbin 63 | LeechFTP 64 | libwww 65 | LieBaoFast 66 | LivelapBot 67 | Mb2345Browser 68 | MQQBrowser 69 | msnbot 70 | Navroad 71 | NearSite 72 | Nessus 73 | NetAnts 74 | Netcraft 75 | NetSpider 76 | NetSystemsResearch 77 | NetZIP 78 | Nexgate 79 | Ninja 80 | Octopus 81 | Offline 82 | PageGrabber 83 | pavuk 84 | pcBrowser 85 | perl 86 | PetalBot 87 | Pleroma 88 | PycURL 89 | PyQ 90 | Pyth 91 | Python 92 | Python-Requests 93 | Quester 94 | r00ts3c 95 | rafula 96 | RealDownload 97 | ReGet 98 | Ruby 99 | rv:45.0 100 | Semrushbot 101 | scan 102 | scoop.it 103 | scpitspi-rs 104 | sindresorhus 105 | SiteSnagger 106 | Slurp 107 | SmartDownload 108 | Spider 109 | Stripper 110 | Sucker 111 | SummalyBot 112 | SummerGo 113 | SuperBot 114 | SuperHTTP 115 | Surfbot 116 | Symfony 117 | tAkeOut 118 | Teleport 119 | 
tool 120 | Twengabot 121 | Twitterbot 122 | ubermetrics 123 | UCBrowser 124 | urllib 125 | Vampire 126 | Vert.x-WebClient 127 | VoidEYE 128 | WebAuto 129 | WebCollector 130 | WebCopier 131 | WebCopy 132 | webcraw 133 | WebFetch 134 | WebGo 135 | WebLeacher 136 | WebPictures 137 | WebReaper 138 | WebSauger 139 | WebSpider 140 | WebStripper 141 | WebWhacker 142 | WebZIP 143 | WhatsApp 144 | Widow 145 | wp-includes 146 | wp-login.php 147 | WWWOFFLE 148 | yandex 149 | Zeus 150 | zgrab 151 | zgrab2 152 | -------------------------------------------------------------------------------- /buildnow.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | set -x 4 | 5 | [[ "$1" != "" ]] && BRANCH="$1" || BRANCH=main 6 | [[ "$BRANCH" == "main" ]] && TAG="latest" || TAG="$BRANCH" 7 | [[ "$ARCHS" == "" ]] && ARCHS="linux/armhf,linux/arm64,linux/amd64" 8 | 9 | BASETARGET1=ghcr.io/sdr-enthusiasts 10 | #BASETARGET2=kx1t 11 | 12 | IMAGE1="$BASETARGET1/docker-reversewebproxy:$TAG" 13 | #IMAGE2="$BASETARGET2/$(pwd | sed -n 's|.*/docker-\(.*\)|\1|p'):$TAG" 14 | 15 | echo "press enter to start building $IMAGE1 from $BRANCH" 16 | read -r 17 | 18 | starttime="$(date +%s)" 19 | # rebuild the container 20 | git checkout "$BRANCH" || exit 2 21 | git pull -a 22 | docker buildx build --compress --push --platform "$ARCHS" --tag "$IMAGE1" . 23 | #docker buildx build --compress --push "$2" --platform "$ARCHS" --tag "$IMAGE2" . 
24 | echo "Total build time: $(( $(date +%s) - starttime )) seconds" 25 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | webproxy: 3 | image: ghcr.io/sdr-enthusiasts/docker-reversewebproxy:latest 4 | container_name: webproxy 5 | hostname: webproxy 6 | restart: always 7 | ports: 8 | - 80:80 9 | - 443:443 10 | environment: 11 | # ---------------------------------------------------------------------------------------- 12 | # if AUTOGENERATE is set to ON, it will automatically create a config based on the REVPROXY and REDIRECT parameters below 13 | # if it is set to OFF, you should map the volume as shown in the "volumes" section below, and you can edit the "locations.conf" file in that directory. 14 | # 15 | # If you want to have the system auto-generate a locations.conf file that you will subsequently edit, you can set 16 | # AUTOGENERATE=ON, then start the container once, stop the container again, and edit the system generated 17 | # locations.conf file. Then, before restarting, please make sure to set AUTOGENERATE=OFF below. 18 | - AUTOGENERATE=ON 19 | # ---------------------------------------------------------------------------------------- 20 | # VERBOSELOG indicates if the web server logs are written to the Docker Container logs 21 | # (accessible with `docker logs webproxy`) or that they are discarded. Values are ON (default) or OFF 22 | - VERBOSELOG=ON 23 | # ---------------------------------------------------------------------------------------- 24 | # REVPROXY has the following format: 25 | # urltarget,destination 26 | # For example, for REVPROXY=readsb|http://10.0.0.191:8080, 27 | # a user browsing to http://mydomain/readsb will be proxied to http://10.0.0.191:8080 28 | # The user's browser will *never* see the internal IP address. 
29 | # Note - both the urltarget and the destination must be URLs or directories, and cannot be 30 | # a file name 31 | # Optionally, you can add Basic Authentication username(s)/password(s) as well. If the AUTH parameter is set to ON, 32 | # any REVPROXY entries that have one or more username/password combinations will only be proxied after the web browser 33 | # furnishes the correct credentials. If AUTH is not set to ON, these credentials will be ignored. 34 | # Usernames and passwords should not contain any field separators or special characters like ,'"|; or whitespace characters 35 | # For example: REVPROXY=readsb|http://10.0.0.191:8080|username1;password1|username2;password2, 36 | - REVPROXY= 37 | readsb|http://10.0.0.191:8080, 38 | piaware|http://10.0.0.191:8081, 39 | tar1090|http://10.0.0.191:8082, 40 | planefence|http://10.0.0.191:8083, 41 | planefinder|http://10.0.0.191:8086, 42 | ajax|http://10.0.0.191:8086/ajax, 43 | assets|http://10.0.0.191:8086/assets, 44 | graphs|http://10.0.0.191:8080/graphs, 45 | radar|http://10.0.0.191:8080/radar, 46 | acarshub|http://10.0.0.188:80 47 | # ---------------------------------------------------------------------------------------- 48 | # REDIRECT has the following format: 49 | # urltarget|redirection 50 | # For example, for REDIRECT=/planefinder/setup.html|http://10.0.0.191:8086/setup.html, 51 | # a user browsing to http://mydomain/planefinder/setup.html will be redirected to http://10.0.0.191:8086/setup.html 52 | # The user's browser will show the redirection address and try to reach it. If the destination is not reachable (for example 53 | # because it is on a isolated subnet), the browser won't be able to render the page. 54 | # This can be useful if you want to protect certain pages from view outside your internal network, while exposing 55 | # others. See for example the planefinder setup in REVPROXY and REDIRECT. 56 | # Note - both the urltarget and the redirection MAY BE a URL or a file names. 
57 | - REDIRECT= 58 | /planefinder/setup.html|http://10.0.0.191:8086/setup.html, 59 | /planefinder/logs.html|http://10.0.0.191:8086/logs.html 60 | # 61 | # ---------------------------------------------------------------------------------------- 62 | # The following settings will enable SSL to be part of the reverse proxy. 63 | # 64 | # SSL: enable SSL. Accepted values: [ENABLED|DISABLED]. Default: DISABLED 65 | # SSL_EMAIL is used to request an SSL certificate from Let's Encrypt. The container 66 | # will automatically renew them before the expire as long as you keep the container running. 67 | # 68 | # Change SSL_TOS=REJECT to SSL_TOS=ACCEPT to indicate you accept the T&S's for the SSL certificate 69 | # set forth at https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement 70 | # 71 | # If SSL_REDIRECT=ENABLED then all incoming non-SSL requests will automatically be redirected to a https:// request 72 | # 73 | # Put 1 or more domain names in SSL_DOMAIN. Note that *ALL OF THESE DOMAINS* must be reachable from the internet 74 | # and render a website that is served from the container upon the start of the container, 75 | # otherwise the request to get a certificate for them will fail! 76 | # 77 | # Also note that more than 5 (failed) requests will cause you to be locked out from getting new certificates for 78 | # 1 week. We, nor LetsEncrypt, can "unlock" you. More info: https://letsencrypt.org/docs/rate-limits/ 79 | # 80 | - SSL=ENABLED 81 | - SSL_EMAIL=your@email.com 82 | - SSL_DOMAIN= 83 | my.domain.com, 84 | my.second.domain.com, 85 | my.third.domain.com 86 | - SSL_TOS=REJECT 87 | - SSL_REDIRECT=ENABLED 88 | # 89 | # These settings will enable GeoIP inclusion or exclusion of requests based on country. 90 | # Country names are two-letter abbreviations corresponding to the country suffix used in domain names. 
91 | # GEOIP_DEFAULT is "allow" (allow all except for country list) 92 | # "block" (block all except for country list) 93 | # no GeoIP blocking 94 | # GEOIP_RESPONSECODE indicates which HTTP response is sent when a request is blocked by the GeoIP filter. 95 | # Default code if omitted is 403 (Forbidden). Other codes that may be useful: 96 | # 402 (payment required, hehe), 404 (doesn't exist), 418 (I am a teapot - used to tell requesters to go away), 410 (Gone), 500 (Internal Server Error), 97 | # 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status 98 | - GEOIP_RESPONSECODE=418 99 | - GEOIP_DEFAULT=allow 100 | - GEOIP_COUNTRIES=cn,ru 101 | # 102 | # AUTH -- a basic mechanism to use basic authentication 103 | # 104 | # Although it's possible to put the usernames and passwords here, we strongly advise putting them in a variable in a `.env` file (and keeping that file out of version control) 105 | # AUTH=ON -- Basic Authentication is enabled 106 | # AUTH=OFF or not defined or empty -- Basic Authentication is disabled 107 | # 108 | # Add credentials for the local web server like this: (note -- this parameter structure is not yet future proof and may change when we add per-website authentication) 109 | # LOCAL_CREDS=username1|password1,username2|password2,... 110 | # Local Credentials work only for the local website. If you want to define a credential for a specific 111 | # REVPROXY destination, you can do so with the REVPROXY parameter (see above). 112 | # You cannot use Basic Authentication for a REDIRECT entry; this should be implemented by the target website instead. 113 | # 114 | # 115 | - AUTH=OFF 116 | - LOCAL_CREDS= 117 | # 118 | # BLOCKBOT blocks bots of which the User Agent contains all or part of these comma-separated strings. You can also read a comma-separated list from a URL. A URL-based list is fetched at run time and can change without notice, so review its entries before combining it with IPTABLES_BLOCK: 119 | - BLOCKBOT=https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/main/blockbot-list 120 | # 121 | # BLOCKBOT_RESPONSECODE indicates which HTTP response is sent when a bot is blocked.
122 | # Default code if omitted is 403 (Forbidden). Other codes that may be useful: 123 | # 402 (payment required, hehe), 404 (doesn't exist), 418 (I am a teapot - used to tell requesters to go away), 410 (Gone), 500 (Internal Server Error), 124 | # 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status 125 | - BLOCKBOT_RESPONSECODE=403 126 | # 127 | # IPV6 indicates if IPV6 is enabled or disabled on the host and/or docker system. 128 | # If you disable IPV6 on your system, you may see a container error if you don't set this parameter to "OFF" or "DISABLED" (case insensitive). 129 | # If the parameter is omitted, the system will assume that IPV6 is enabled. 130 | - IPV6=ENABLED 131 | # 132 | # IPTABLES_BLOCK switches `iptables` based blocking of IP addresses on or off. Default when omitted = off. 133 | # See README.md for more explanation. Note -- in order for this to work, you MUST add the NET_ADMIN capability to the container as shown below. Every IP address that receives BLOCKBOT_RESPONSECODE or GEOIP_RESPONSECODE is blocked, so consider response codes that nothing else on your site returns. README.md calls the jail-time parameter IPTABLES_JAILTIME while the entry below is named IPJAILTIME; check which name your image reads. 134 | - IPTABLES_BLOCK=ENABLED 135 | - IPTABLES_BLOCK_NO_USERAGENT=ENABLED 136 | - IPJAILTIME=21600 137 | cap_add: 138 | - NET_ADMIN 139 | tmpfs: 140 | - /tmp:rw,nosuid,nodev,noexec,relatime,size=128M 141 | - /var/log/nginx:rw,nosuid,nodev,noexec,relatime,size=128M 142 | volumes: 143 | - /opt/webproxy/webproxy:/run/nginx 144 | - "/etc/localtime:/etc/localtime:ro" 145 | - "/etc/timezone:/etc/timezone:ro" 146 | -------------------------------------------------------------------------------- /rootfs/etc/nginx/blockbot.conf: -------------------------------------------------------------------------------- 1 | #blocklist for bots disabled 2 | map $http_user_agent $limit_bots { 3 | default 0; 4 | } 5 | -------------------------------------------------------------------------------- /rootfs/etc/nginx/blockbot.conf.org: -------------------------------------------------------------------------------- 1 | #blocklist for bots disabled 2 | map $http_user_agent $limit_bots { 3 | default 0; 4 | } 5 |
--------------------------------------------------------------------------------
/rootfs/etc/nginx/conf.d/geoip.conf:
--------------------------------------------------------------------------------
# GeoIP database path
#
# Loads the country database the geoip module uses to set $geoip_country_code,
# which the map in geoip_countries.conf reads.
# NOTE(review): the lookup is keyed on the connecting address unless geoip_proxy
# is configured, so behind another proxy or CDN every request would resolve to
# that hop's country - confirm the deployment topology.
# NOTE(review): .dat is the legacy database format; country filtering is only as
# accurate as this file is current - confirm how the image refreshes it.

geoip_country /usr/share/GeoIP/GeoIP.dat;

--------------------------------------------------------------------------------
/rootfs/etc/nginx/geoip_countries.conf:
--------------------------------------------------------------------------------
##config-to-be-added
# Template for the country decision: maps the two-letter code in
# $geoip_country_code to $allowed_country, which the server block in
# sites-available compares against "no" before answering 403.
# The map body holds only placeholder comments here; presumably the 40-geoip
# start-up script fills them in - verify against that script.
# NOTE(review): while the map is empty, $allowed_country is an empty string, so
# the "= no" test never matches and no country is refused.
map $geoip_country_code $allowed_country {
    #defaultsetting
    #countrylist
}

--------------------------------------------------------------------------------
/rootfs/etc/nginx/nginx.conf:
--------------------------------------------------------------------------------
# Main nginx configuration: worker settings plus the http block that pulls in
# conf.d, the enabled sites, the country map and the bot-blocking config.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

#load_module /path/to/modules/ndk_http_module.so; # assuming NDK is built as a dynamic module too
#load_module /path/to/modules/ngx_http_lua_module.so;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # NOTE(review): the directive below is left commented out, so nginx keeps
    # its stock behaviour of reporting its version in the Server header and on
    # error pages; enabling it is a common hardening step.
    # server_tokens off;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    #include geoip config
    include /etc/nginx/geoip_countries.conf;

    #include blockbot config
    include /etc/nginx/blockbot.conf;

    ##
    # Logging Settings
    ##

    # Both logs are written to /dev/stdout, so access and error lines share one
    # stream in the container log; error_log is given no level argument.
    access_log /dev/stdout ;
    error_log /dev/stdout ;

    # This entry is to enable iptables blocking. The ### will be removed if enabled upon start of the container:
    ### iptables log entry here

}

--------------------------------------------------------------------------------
/rootfs/etc/nginx/sites-available/default:
--------------------------------------------------------------------------------
# Default server configuration
#
# Catch-all HTTP server (default_server on port 80, IPv4 and IPv6).
# Requests are refused with 403 when $allowed_country is "no" or $limit_bots
# is 1; everything else is handled by location / and the files it includes
# from /run/nginx.
# The commented-out placeholder lines look like templates that the start-up
# scripts rewrite - verify against those scripts before editing them.
server {
    #geoip config related
    # $allowed_country comes from the map in geoip_countries.conf.
    if ($allowed_country = no) {
        return 403;
    }
    # check if it's a bot that needs filtering
    # NOTE(review): $limit_bots is not defined in this file; presumably
    # blockbot.conf derives it from the User-Agent header, which the client
    # controls, so this is noise reduction rather than access control -
    # confirm against blockbot.conf.
    if ($limit_bots = 1) {
        return 403;
    }

    # NOTE(review): plain HTTP only in this template. If HTTP basic
    # authentication is switched on (see the commented lines in location /),
    # credentials cross the wire unencrypted unless TLS is added elsewhere -
    # the 10-ssl service suggests it may be; confirm.
    listen 80 default_server;
    listen [::]:80 default_server;

    root /run/nginx/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    absolute_redirect off;

    ### proxy_read_timeout tttt;

    location / {
        # headers added to resolve issues with websocket connections:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # NOTE(review): $http_host forwards the client's Host header
        # unmodified; upstreams should not build links or make routing or
        # trust decisions from it.
        proxy_set_header Host $http_host;
        # X-Real-IP carries the address of the directly connected peer.
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): $proxy_add_x_forwarded_for appends $remote_addr to any
        # X-Forwarded-For value the client sent, so only the entry added by
        # this proxy is trustworthy; earlier entries are client-supplied.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        #proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;

        # auth_basic off;
        # auth_basic_user_file /file/here;

        # Both includes are read from /run, so they are presumably generated
        # at container start; their contents are not shown here.
        include /run/nginx/locations.conf;
        include /run/nginx/cors_headers.conf;

    }

}

--------------------------------------------------------------------------------
/rootfs/etc/nginx/sites-available/default.org:
--------------------------------------------------------------------------------
# Default server configuration
#
# NOTE(review): presumably the pristine copy of sites-available/default kept
# for regeneration - verify. Compared with that file it lacks
# absolute_redirect, proxy_http_version 1.1 and the CORS include, and it pulls
# in locations.conf at server level rather than inside location /.
# The header-forwarding caveats noted in sites-available/default apply here
# as well.
server {
    #geoip config related
    if ($allowed_country = no) {
        return 403;
    }
    # check if it's a bot that needs filtering
    if ($limit_bots = 1) {
        return 403;
    }

    listen 80 default_server;
    listen [::]:80 default_server;

    root /run/nginx/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # headers added to resolve issues with websocket connections:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;

    }
    include /run/nginx/locations.conf;

}

-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/10-ssl/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/10-ssl/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/10-ssl/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/10-ssl/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/10-ssl 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/type: -------------------------------------------------------------------------------- 1 |
oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/20-webproxy/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/20-webproxy 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/30-blockbot/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec 
/etc/s6-overlay/scripts/30-blockbot 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/40-geoip/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/40-geoip/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- 
/rootfs/etc/s6-overlay/s6-rc.d/40-geoip/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/40-geoip 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/base: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/50-check-ipv6/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/50-check-ipv6 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/60-block-ips/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/60-block-ips 3 | 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/70-basic-authentication/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/70-basic-authentication 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/10-ssl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/60-block-ips: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/80-set-cors/up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/80-set-cors 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/10-ssl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- 
/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/dependencies.d/base -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/99-test-webproxy/up: 
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/99-test-webproxy 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/50-check-ipv6: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/block-ips/dependencies.d/99-test-webproxy 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/block-ips 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/block-ips/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/40-geoip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/check-blockbotlist 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/check-blockbotlist/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/20-webproxy 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/dependencies.d/webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/create-ipmaps 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/create-ipmaps/type: -------------------------------------------------------------------------------- 1 | longrun 2 | 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/goaccess/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/run: 
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/goaccess 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/goaccess/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/40-geoip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/80-set-cors 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/dependencies.d/webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/nginx-log-to-console 3 | 4 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-log-to-console/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/20-webproxy: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/60-block-ips 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/nginx-logrotate 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/nginx-logrotate/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/10-ssl: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/60-block-ips: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/ssl/dependencies.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec /etc/s6-overlay/scripts/ssl 3 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/ssl/type: -------------------------------------------------------------------------------- 1 | longrun 2 | 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/30-blockbot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-check-ipv6 
-------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/70-basic-authentication -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/80-set-cors: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/80-set-cors -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/99-test-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/99-test-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/block-ips: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/check-blockbotlist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/check-blockbotlist -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/create-ipmaps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/create-ipmaps -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/goaccess: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/goaccess -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx-log-to-console: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx-log-to-console -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx-logrotate: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx-logrotate -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/10-ssl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/10-ssl -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/20-webproxy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/20-webproxy -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/30-blockbot: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/30-blockbot -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/40-geoip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/40-geoip -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/50-check-ipv6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/50-check-ipv6 -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/60-block-ips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/60-block-ips -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/70-basic-authentication: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/70-basic-authentication 
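--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/80-set-cors:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/80-set-cors
--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/99-test-webproxy:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sdr-enthusiasts/docker-reversewebproxy/7d91a4ed5132fca58956ac2203573fb56647c8ef/rootfs/etc/s6-overlay/s6-rc.d/webproxy/dependencies.d/99-test-webproxy
--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/s6-rc.d/webproxy/run:
--------------------------------------------------------------------------------
#!/bin/sh
exec /etc/s6-overlay/scripts/webproxy

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/s6-rc.d/webproxy/type:
--------------------------------------------------------------------------------
longrun

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/10-ssl:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2145,SC2076,SC1091,SC2154,SC2015
#
# Init script for the SSL part of the reverse proxy:
#  - restores the saved Let's Encrypt state from /run/nginx/.letsencrypt, or saves
#    the current state there when no archive exists yet;
#  - checks SSL_DOMAIN, SSL_EMAIL and SSL_TOS;
#  - asks certbot for certificates for every SSL_DOMAIN entry that has none yet.
# Every configuration problem ends with `exit 0`, so the container keeps running
# without SSL. /run/.ssl-enabled is created only on the success path.
# chk_enabled and s6wrap are not defined in this file; presumably /scripts/common
# provides them.

source /scripts/common

"${s6wrap[@]}" echo "Started SSL initialization"

rm -f /run/.ssl-enabled

# If SSL is not ENABLED, stop forevah
if ! chk_enabled "${SSL}"; then
  "${s6wrap[@]}" echo "SSL disabled. No initialization needed."
  exit 0
fi

LE_DIR=/run/nginx/.letsencrypt

# Save /etc/letsencrypt, /var/lib/letsencrypt and the nginx default site file(s) to
# $LE_DIR/letsencrypt.tgz. With "rotate" as $1, an existing archive is kept as
# letsencrypt-backup.tgz first.
backup_letsencrypt() {
  local tarlist
  mkdir -p "$LE_DIR"
  chmod u=rwx,go= "$LE_DIR"
  if [[ "$1" == "rotate" ]] && [[ -f "$LE_DIR/letsencrypt.tgz" ]]; then
    mv -f "$LE_DIR/letsencrypt.tgz" "$LE_DIR/letsencrypt-backup.tgz"
  fi
  # mktemp instead of a fixed /tmp/tarlist: the file name cannot be prepared in
  # advance by another process.
  if tarlist="$(mktemp)"; then
    # find reports an error for a path that does not exist; the list is still usable
    find /etc/letsencrypt /var/lib/letsencrypt /etc/nginx/sites-available/default* -print > "$tarlist" 2>/dev/null || true
    # /etc/letsencrypt holds the private keys, so create the archive without
    # group/other access instead of relying on the directory mode alone.
    ( umask 077; tar -czf "$LE_DIR/letsencrypt.tgz" -T "$tarlist" >/dev/null 2>&1 ) \
      || "${s6wrap[@]}" echo "WARNING: could not write the certificate backup to $LE_DIR/letsencrypt.tgz"
    rm -f "$tarlist"
  fi
  chmod u=rx,go= "$LE_DIR"
}

# First let's check if there's a backup. This backup contains the latest, so let's make sure it's installed
# If /root/letsencrypt-force-reinstall exists, then there were some BREAKING changes to the container that
# necessitate a container update. This file will contain a date (secs since epoch). If the last forced reinstall was
# earlier than this date, then don't restore any backups

forceinstall="false"
lastforced=0
[[ -f "$LE_DIR/.force-reinstall.lastforced" ]] && read -r lastforced < "$LE_DIR/.force-reinstall.lastforced" || true
# Both timestamps end up in an arithmetic expression; anything that is not a plain
# number is treated as 0 so that file content is never evaluated as an expression.
[[ "$lastforced" =~ ^(0|[1-9][0-9]*)$ ]] || lastforced=0
if [[ -f /root/letsencrypt-force-reinstall ]]
then
  read -r mustforce < /root/letsencrypt-force-reinstall || true
  [[ "$mustforce" =~ ^(0|[1-9][0-9]*)$ ]] || mustforce=0
  (( mustforce > lastforced )) && forceinstall="true" || true
  # the directory does not exist yet on a first start
  mkdir -p -m 0700 "$LE_DIR"
  date +%s > "$LE_DIR/.force-reinstall.lastforced"
  "${s6wrap[@]}" echo "Checking if SSL certificates must be reinstalled: Must reinstall if last install was before $(date -d "@$mustforce")."
  "${s6wrap[@]}" echo "Last reinstall was at $(date -d "@$lastforced"). Will $(if [[ "$forceinstall" != "true" ]]; then printf "not "; fi)reinstall certificates."
fi

# if there is a backup and $forceinstall is not true, restore it
if [[ -f "$LE_DIR/letsencrypt.tgz" ]] && [[ "$forceinstall" != "true" ]]
then
  "${s6wrap[@]}" echo "Backup of certificates found. Restoring..."
  # NOTE(review): the archive is unpacked relative to / with --overwrite, so its
  # content is trusted as much as the image itself. Keep write access to the
  # /run/nginx storage limited to the people who administer this container.
  if ! tar --overwrite -xzf "$LE_DIR/letsencrypt.tgz" -C / >/dev/null 2>&1; then
    "${s6wrap[@]}" echo "WARNING: could not restore the certificate backup from $LE_DIR/letsencrypt.tgz"
  fi
elif [[ -d /etc/letsencrypt ]]
then
  # If there's no backup but there is /etc/letsencrypt, then let's make sure it's backed up before we do anything else
  backup_letsencrypt
fi

# Just make sure that this file exists so `nginx -t` won't complain later on:
touch /run/nginx/locations.conf

# Do some checks to ensure that there is enough info to request domains:
# (an SSL_DOMAIN that is set but empty, or holds only commas/blanks, counts as missing)
if [[ -z "${SSL_DOMAIN//[[:space:],]/}" ]]
then
  # No domains in environment files. Complain and stop trying to install certificates:
  "${s6wrap[@]}" echo "--------------------------------------------------"
  "${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
  "${s6wrap[@]}" echo "| You must define at least 1 SSL_DOMAIN in your |"
  "${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |"
  "${s6wrap[@]}" echo "| The container will continue without SSL. |"
  "${s6wrap[@]}" echo "--------------------------------------------------"
  exit 0
fi

if ! grep -qE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <<< "$SSL_EMAIL"
then
  # No usable email address in SSL_EMAIL. Complain and stop trying to install certificates:
  "${s6wrap[@]}" echo "--------------------------------------------------------"
  "${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
  "${s6wrap[@]}" echo "| You must provide a valid email in SSL_EMAIL in your |"
  "${s6wrap[@]}" echo "| docker-compose.yml file. Go check and fix it! |"
  "${s6wrap[@]}" echo "| The container will continue without SSL. |"
  "${s6wrap[@]}" echo "--------------------------------------------------------"
  exit 0
fi

if [[ "${SSL_TOS,,}" != "accept" ]]
then
  # The ACME terms of service were not accepted. Complain and stop trying to install certificates:
  "${s6wrap[@]}" echo "--------------------------------------------------------------------------"
  "${s6wrap[@]}" echo "| WARNING ! NGINX SSL configuration problem |"
  "${s6wrap[@]}" echo "| You must accept the ACME Account TOS found at |"
  "${s6wrap[@]}" echo "| https://letsencrypt.org/repository/#let-s-encrypt-subscriber-agreement |"
  "${s6wrap[@]}" echo "| and set SSL_TOS=ACCEPT in your docker-compose.yml file. |"
  "${s6wrap[@]}" echo "| Go check and fix it! The container will continue without SSL. |"
  "${s6wrap[@]}" echo "--------------------------------------------------------------------------"
  exit 0
else
  agree_tos="--agree-tos"
fi

#[[ "${SSL_TEST}" != "" ]] && staging="--test-cert" || staging=""

# Load up ${newdomains[@]} with any domain names there's not yet a certificate for
newdomains=()
#shellcheck disable=SC2207
domains=($(/usr/bin/certbot certificates 2>/dev/null | awk '/Domains:/ { $1=""; print substr($0,2) }'))

# Only host names (optionally with a leading "*.") are handed to certbot; an entry
# that starts with "-" would otherwise be read by certbot as one of its options.
domain_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
IFS="," read -ra SSL_DOMAINS <<< "${SSL_DOMAIN//[[:space:]]/}"
for domain in "${SSL_DOMAINS[@]}"
do
  [[ -z "$domain" ]] && continue   # "a,,b" or a trailing comma
  if [[ ! "$domain" =~ $domain_re ]]; then
    "${s6wrap[@]}" echo "WARNING: Skipping SSL_DOMAIN entry that is not a valid host name: \"$domain\""
    continue
  fi
  [[ " ${domains[*]} " != *" $domain "* ]] && newdomains+=("$domain")
done

# Figure out if we want to redirect all queries to SSL?
if chk_enabled "${SSL_REDIRECT}"; then
  redirect="--redirect"
else
  redirect=""
fi

if (( ${#newdomains[@]} > 0 )); then
  "${s6wrap[@]}" echo "New domains detected - attempting to get certificates for ${newdomains[@]}"
else
  "${s6wrap[@]}" echo "No new domains detected"
fi

# Build the certbot command line as an array, one "-d <domain>" pair per new domain,
# so that no value is split or globbed by the shell:
certbot_args=(run --quiet --nginx "${agree_tos}")
[[ -n "$redirect" ]] && certbot_args+=("$redirect")
certbot_args+=(-m "${SSL_EMAIL}")
for domain in "${newdomains[@]}"; do
  certbot_args+=(-d "$domain")
done

# Now get new certs for these newdomains:
if (( ${#newdomains[@]} > 0 )) && ! /usr/bin/certbot "${certbot_args[@]}"
then
  # Something went wrong
  echo Error in:
  echo "/usr/bin/certbot ${certbot_args[*]}"
  "${s6wrap[@]}" echo "--------------------------------------------------"
  "${s6wrap[@]}" echo "| STOP ! NGINX CertBot SSL installation problem |"
  "${s6wrap[@]}" echo "| Please see the error message above. |"
  "${s6wrap[@]}" echo "| |"
  "${s6wrap[@]}" echo "| The container will continue without SSL. |"
  "${s6wrap[@]}" echo "--------------------------------------------------"
  exit 0
else
  "${s6wrap[@]}" echo "SSL Certificates installed for these domains:"
  /usr/bin/certbot certificates
  # report the redirect whenever chk_enabled accepted SSL_REDIRECT, not only for the literal value "enabled"
  [[ -n "$redirect" ]] && "${s6wrap[@]}" echo "All web traffic will be redirected to SSL."

  # back things up again, keep a copy of the previous TGZ if there was one:
  backup_letsencrypt rotate

  touch /run/.ssl-enabled

  "${s6wrap[@]}" echo "Nginx will start with SSL enabled."
  "${s6wrap[@]}" echo "The container will check every 24 hours to see if the certificates need renewal."
fi

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/20-webproxy:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2174,SC1091,SC2154,SC2015

source /scripts/common

"${s6wrap[@]}" echo "Initial setup -- installing NXINX web service"

# create run directory. This is where the locations.conf file will be located.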
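# Create the correct ownership and permissions for the /var/log/nginx directory:
# NOTE(review): the a+rwx / a+rw / 777 modes below make /run/nginx, its top-level
# files (locations.conf among them) and /var/log/nginx writable by every account that
# can reach these paths. If they are mapped to host storage, that presumably includes
# unprivileged host accounts; tighten the modes where non-root editing is not needed.
adduser -U www-data >/dev/null 2>&1 || true
mkdir -p /var/log/nginx
mkdir -p /run/nginx/html
mkdir -p /run/nginx/.htaccess
chmod a+rwx /var/log/nginx
chown www-data:www-data /var/log/nginx
cp -n /root/locations.conf.example /run/nginx
cp -n /root/index.html /run/nginx/html
chmod a+rwx /run/nginx /run/nginx/html
chmod a+rw /run/nginx/*
chmod a+rw /run/nginx/html/*
# the password files are the exception: owner-only, owned by www-data
chmod go-rwx /run/nginx/.htaccess
chown www-data:www-data /run/nginx/.htaccess

# create the logging directory if it doesn't already exist
mkdir -p -m 777 /var/log/nginx
touch /var/log/nginx/access.log
touch /var/log/nginx/error.log
chmod a+rw /var/log/nginx/access.log /var/log/nginx/error.log

# auto-create the locations.conf file if $AUTOGENERATE is set to yes
if chk_enabled "$AUTOGENERATE"; then
  "${s6wrap[@]}" echo "Auto-generating locations.conf file"
  # back up any existing locations.conf file:
  [[ -f /run/nginx/locations.conf ]] && mv -f /run/nginx/locations.conf "/run/nginx/locations.conf.bkup-$(date +%y%m%d%H%M%S)"

  # keep only the newest 10 backups:
  org="$(shopt -p nullglob)" || true   # save current nullglob setting
  shopt -s nullglob                    # an unmatched pattern expands to nothing
  backups=( /run/nginx/locations.conf.bkup-* )
  if [[ -n "$org" ]]; then $org; fi    # restore the original shopt nullglob setting
  # Only call ls when there is something to prune: with nullglob and no match, a bare
  # `ls` lists the current directory and those names would be handed to rm.
  if (( ${#backups[@]} > 10 )); then
    # shellcheck disable=SC2012
    ls -tp -- "${backups[@]}" | grep -v '/$' | tail -n +11 | xargs -d '\n' -r rm -- # remove any backups older than the newest 10
  fi

  # ';', '{' and '}' end or open an nginx directive. An entry containing one of them
  # would produce a locations.conf that differs from what the entry appears to ask
  # for, so such entries are skipped.
  nginx_meta='[;{}]'

  # configure the locations.conf file:
  # first read the REVPROXY and REDIRECT environment variables into an array:
  # (entries are separated by ","; the fields of one entry by "|")

  readarray -d ',' -t proxy_array <<< "$REVPROXY"
  readarray -d ',' -t redir_array <<< "$REDIRECT"
  #
  # Loop through each of the entries in $redir_array:
  for proxy in "${redir_array[@]}"; do
    location="${proxy%%|*}"                    # all chars up to the first "|"
    location="${location//[[:space:]]}"        # strip any spaces
    proxy="${proxy#*|}"                        # all chars after the first "|"
    destination="${proxy%%|*}"                 # all chars up to the (now) first "|"
    destination="${destination//[[:space:]]}"  # strip any spaces
    creds="${proxy#*|}"                        # now there's only user1|pass1|user2|pass2 etc left
    grep '|' <<< "$creds" >/dev/null 2>&1 || creds=""  # If there are no '|' in the string, there is no user/pass
    #debug: echo "Loc: ${location#* } - Proxy: $destination - Creds: $creds"

    if [[ -z "$location" ]] || [[ -z "$destination" ]]; then
      "${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REDIRECT $location:$destination"
      continue;
    fi

    if [[ "${location}${destination}" =~ $nginx_meta ]]; then
      "${s6wrap[@]}" echo "WARNING: Skipping REDIRECT entry that contains ';', '{' or '}' ($location:$destination)"
      continue
    fi

    if [[ -n "$creds" ]]; then
      "${s6wrap[@]}" echo "WARNING: Auth credentials not supported REDIRECT ($location:$destination). Implemented without authentications"
    fi

    # fix prefixes and suffixes if necessary:
    [[ "${location:0:1}" != "/" ]] && location="/$location" || true
    [[ "${destination:0:2}" == "//" ]] && destination="http:$destination" || true
    [[ "${destination:0:4}" != "http" ]] && destination="http://$destination" || true
    [[ "${location:0:2}" == "/=" ]] && location="= ${location:2}" || true

    # Now print the location entry:
    { printf "location %s {\n" "$location"
      printf " return 301 %s;\n" "$destination"
      printf "}\n\n"
    } >> /run/nginx/locations.conf

  done

  # now loop through the Proxy array and create location elements for each entry:
  for proxy in "${proxy_array[@]}"; do
    location="${proxy%%|*}"                    # all chars up to the first "|"
    location="${location//[[:space:]]}"        # strip any spaces
    while [[ "${location:0:1}" == "/" ]]; do location="${location:1}"; done      # strip any / from the front
    while [[ "${location: -1}" == "/" ]]; do location="${location:0: -1}"; done  # strip any / from the back
    # location="${location///}" <-- wayyy too aggressive - screws up the locations.conf entry # strip any '/'
    proxy="${proxy#*|}"                        # all chars after the first "|"
    destination="${proxy%%|*}"                 # all chars up to the (now) first "|"
    destination="${destination//[[:space:]]}"  # strip any spaces
    creds="${proxy#*|}"                        # now there's only user1|pass1|user2|pass2 etc left
    grep '|' <<< "$creds" >/dev/null 2>&1 || creds=""  # If there are no '|' in the string, there is no user/pass
    #debug: echo "Loc: ${location#* } - Proxy: $destination - Creds: $creds"

    if [[ -z "$location" ]] || [[ -z "$destination" ]]; then
      "${s6wrap[@]}" echo "WARNING: Skipping empty location or destination for REVPROXY $location:$destination"
      continue;
    fi

    if [[ "${location}${destination}" =~ $nginx_meta ]]; then
      "${s6wrap[@]}" echo "WARNING: Skipping REVPROXY entry that contains ';', '{' or '}' ($location:$destination)"
      continue
    fi

    # If there are creds and AUTH is enabled, then set `auth_basic` to a string. If not, it's `off`.
    # AUTH goes through chk_enabled here, as it does in 70-basic-authentication: with a
    # literal comparison to "on", any other value that chk_enabled accepts would write
    # `auth_basic off` for the location while the operator expects it to be protected.
    if { [[ -n "$creds" ]] || { chk_enabled "${LOCAL_CREDS_ALL_REVPROXIES}" && [[ -n "${LOCAL_CREDS}" ]]; }; } && chk_enabled "${AUTH}"; then
      basic_auth="\"Authorization Required\""
      abuf="auth_basic_user_file"
    else
      basic_auth="off"
      abuf="# auth_basic_user_file"
    fi

    # fix prefixes and suffixes if necessary:
    # ("//host" has to be handled before the generic "no scheme" case, as in the
    # REDIRECT loop above; the other way round it became "http:////host")
    if [[ "${destination:0:2}" == "//" ]]; then destination="http:$destination"; fi
    if [[ "${destination:0:4}" != "http" ]]; then destination="http://$destination"; fi
    if [[ "${destination: -1}" != "/" ]]; then destination="$destination/"; fi

    # Now print the location entry:
    # NOTE(review): `Host $http_host` hands the client-supplied Host header to the
    # destination unchanged.
    { printf "location %s {\n" "/$location/"
      printf " auth_basic %s;\n" "$basic_auth"
      printf " %s /run/nginx/.htaccess/.htpasswd-%s;\n" "$abuf" "${location///}"
      printf " proxy_pass %s;\n" "$destination"
      printf " proxy_set_header Upgrade \$http_upgrade;\n"
      printf " proxy_set_header Connection \$http_connection;\n"
      printf " proxy_http_version 1.1;\n"
      printf " proxy_set_header Host \$http_host;\n"

      # Additional line to catch redirects; suggested by @wiedehopf:
      # removed again after discussions
      # printf " proxy_redirect ~^(/|http://[^/]*/)(.*) %s\$2;\n" "$location" >> /run/nginx/locations.conf
      printf " proxy_redirect / /%s/;\n" "$location"
      printf " proxy_set_header X-Forwarded-Prefix /%s;\n" "${location}"

      # close off the location entry:
      printf "}\n\n"
    } >> /run/nginx/locations.conf
    touch "/run/nginx/.htaccess/.htpasswd-${location///}" # make sure that the passwd file exists even if it's empty or not used
  done

  # Finally add the default index files to this configuration:
  # Add index.php to the list if you are using PHP
  printf "index index.html index.htm index.php index.nginx-debian.html;\n" >> /run/nginx/locations.conf
  chmod a+r /run/nginx/locations.conf

elif [[ ! -f /run/nginx/locations.conf ]]; then
  # No locations.conf is found, and none is generated either. Complain and stop the container:
  "${s6wrap[@]}" echo "-------------------------------------------------"
  "${s6wrap[@]}" echo "| STOP ! You must either: |"
  "${s6wrap[@]}" echo "| set AUTOGENERATE=ON in docker-compose.yml |"
  "${s6wrap[@]}" echo "| or provide a well-formed locations.conf file |"
  "${s6wrap[@]}" echo "| Please do so and then restart the container. |"
  "${s6wrap[@]}" echo "-------------------------------------------------"

  [[ -z "$DEBUG" ]] && exit 1 || sleep infinity
else
  "${s6wrap[@]}" echo "Using user-provided locations.conf file"
fi

# Handle proxy_read_timeout:
if [[ -n "$PROXY_READ_TIMEOUT" ]]; then
  if chk_enabled "$PROXY_READ_TIMEOUT"; then PROXY_READ_TIMEOUT="3600"; fi
  # The value is pasted into a sed expression and from there into the nginx
  # configuration; accept letters, digits and blanks only (enough for "3600" or "1h 30m").
  if [[ "$PROXY_READ_TIMEOUT" =~ ^[0-9A-Za-z\ ]+$ ]]; then
    sed -i 's|^\(\s*\)### \(proxy_read_timeout\s\+\)tttt\(;\s*\)|\1\2'"$PROXY_READ_TIMEOUT"'\3|g' /etc/nginx/sites-available/default
  else
    "${s6wrap[@]}" echo "WARNING: Ignoring PROXY_READ_TIMEOUT value \"$PROXY_READ_TIMEOUT\": only letters, digits and spaces are accepted"
  fi
fi

# now enable default:
ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default

# set logging to what VERBOSELOG says. Default is off, "ON" means to stdout, "FILE" means to access.log/error.log file in external volume
if chk_enabled "${VERBOSELOG}" \
   || [[ "${VERBOSELOG,,}" == "file" ]] \
   || chk_enabled "$IPMAPS" \
   || chk_enabled "$IPTABLES_BLOCK" \
   || ( [[ -n "$ACCESS_REPORT_PAGE" ]] \
        && ! chk_disabled "$ACCESS_REPORT_PAGE" ); then
  "${s6wrap[@]}" echo "Enabled HTTP logging"
  sed -i 's|\(^\s*access_log\).*|\1 /var/log/nginx/access.log ;|' /etc/nginx/nginx.conf
  sed -i 's|\(^\s*error_log\).*|\1 /var/log/nginx/error.log ;|' /etc/nginx/nginx.conf
else
  "${s6wrap[@]}" echo "HTTP logging is disabled"
fi

exit 0

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/30-blockbot:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2154,SC1091
#
# Init script: turns the comma separated BLOCKBOT terms into an nginx map on
# $http_user_agent (/etc/nginx/blockbot.conf) and sets the status code that the
# default site returns for a matching request. A term that starts with "http" is
# replaced by the terms downloaded from that URL.

source /scripts/common

"${s6wrap[@]}" echo "Initial setup -- installing BLOCKBOT service"

mv -f /root/blockstats /usr/local/bin >/dev/null 2>&1 || true
mv -f /root/ipmap /usr/local/bin >/dev/null 2>&1 || true

if [[ -n "$BLOCKBOT" ]]
then
  readarray -t -d ',' BLIST_ARR <<< "$BLOCKBOT"
  for index in "${!BLIST_ARR[@]}"; do
    BLIST_ARR[index]="${BLIST_ARR[index]//$'\n'/}"
    #while [[ "${BLIST_ARR[index]: -1}" == "," ]]; do BLIST_ARR[index]="${BLIST_ARR[index]::-1}"; done
    while [[ "${BLIST_ARR[index]:0:1}" == "," ]] || [[ "${BLIST_ARR[index]:0:1}" == " " ]]; do BLIST_ARR[index]="${BLIST_ARR[index]:1}"; done
    if [[ "${BLIST_ARR[index]:0:4}" == "http" ]]; then
      # replace any entry that starts with http by content of the equivalent URL
      # NOTE(review): the downloaded text becomes part of the nginx configuration.
      # Prefer https:// URLs under your own control; a plain http:// list can be
      # altered in transit. --max-time keeps a stalled download from blocking start-up.
      if extra_args="$(curl -sSLf --max-time 60 "${BLIST_ARR[index]}" 2>/dev/null)" && [[ "${extra_args:0:1}" != "<" ]]; then
        extra_args="${extra_args//$'\n'/,}"
        readarray -t -d ',' extra_args_arr <<< "$extra_args"
        "${s6wrap[@]}" echo "Loaded additional BOTBLOCK terms from ${BLIST_ARR[index]}"
        BLIST_ARR+=( "${extra_args_arr[@]}" )
      else
        "${s6wrap[@]}" echo "Skipping bad URL in BOTBLOCK list: \"${BLIST_ARR[index]}\" (\"$extra_args\")"
      fi
      unset "BLIST_ARR[index]"
    fi
  done

  # Collect the usable terms. Blanks, CR and LF are removed from each term. Empty terms
  # are dropped: an empty alternative in the regular expression ("a||b", a leading "|",
  # or "()") matches every user agent, i.e. every request would be treated as a bot.
  # Terms with ';', '{', '}' or a control character are dropped as well, because these
  # characters end the map entry in the generated nginx file.
  unsafe_term='[;{}[:cntrl:]]'
  terms=()
  for term in "${BLIST_ARR[@]}"; do
    term="${term//$'\r'/}"
    term="${term//$'\n'/}"
    term="${term// /}"
    [[ -z "$term" ]] && continue
    if [[ "$term" =~ $unsafe_term ]]; then
      "${s6wrap[@]}" echo "Skipping BOTBLOCK term with characters that cannot be used in the nginx map: $(printf '%q' "$term")"
      continue
    fi
    terms+=("$term")
  done

  BLOCKLIST="$(IFS='|'; printf '%s' "${terms[*]}")"   # join the terms with the OR separator
  while [[ "$BLOCKLIST" == *'||'* ]]; do BLOCKLIST="${BLOCKLIST//||/|}"; done  # a term may itself contain "||"
  while [[ "${BLOCKLIST:0:1}" == "|" ]]; do BLOCKLIST="${BLOCKLIST:1}"; done   # remove OR separators from the start of the string
  while [[ "${BLOCKLIST: -1}" == "|" ]]; do BLOCKLIST="${BLOCKLIST::-1}"; done # remove any left-over OR separators from the end of the string

  if [[ -z "$BLOCKLIST" ]]; then
    # nothing usable is left (for example every download failed): do not write "~*()"
    "${s6wrap[@]}" echo "No usable BOTBLOCK terms found. Bot blocking disabled"
    cp -f /etc/nginx/blockbot.conf.org /etc/nginx/blockbot.conf
    exit 0
  fi

  "${s6wrap[@]}" echo "Blocking these bots: $BLOCKLIST"
  { printf "map \$http_user_agent \$limit_bots {\n"
    printf " default 0;\n"
    printf " ~*(%s) 1;\n" "${BLOCKLIST// /}"
    printf "}\n"
  } >/etc/nginx/blockbot.conf
else
  "${s6wrap[@]}" echo "Bot blocking disabled"
  cp -f /etc/nginx/blockbot.conf.org /etc/nginx/blockbot.conf
  exit 0
fi

# If there is a BLOCKBOT_RESPONSECODE, then substitute it.
# Default code if omitted is 403 (Forbidden). Other codes that may be useful:
# 402 (payment required, hehe), 404 (doesn't exist), 418 (I am a teapot - used to tell requesters to go away), 410 (Gone), 500 (Internal Server Error),
# 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

[[ -z "$BLOCKBOT_RESPONSECODE" ]] && BLOCKBOT_RESPONSECODE="403"

# Accept exactly three digits (100-999). A numeric comparison with -lt/-gt evaluates the
# value as an arithmetic expression, and a value it cannot parse failed both tests and
# was then pasted into the sed expression below unchecked.
if [[ ! "$BLOCKBOT_RESPONSECODE" =~ ^[1-9][0-9]{2}$ ]]
then
  "${s6wrap[@]}" echo "Response code value for blocked bots \"$BLOCKBOT_RESPONSECODE\" is invalid. Defaulting to \"403\"."
  BLOCKBOT_RESPONSECODE="403"
else
  "${s6wrap[@]}" echo "Setting response code for blocked bots to $BLOCKBOT_RESPONSECODE."
fi
# Replace the number after "return" on the line that follows `if ($limit_bots = 1) {`
# in the default site:
# shellcheck disable=SC2016
sed -i '/\s*if ($limit_bots = 1)/{$!{N;s/\(\s*if ($limit_bots = 1) {\s*\n\s*return \)[0-9]*\(.*\)/\1'"$BLOCKBOT_RESPONSECODE"'\2/;ty;P;D;:y}}' /etc/nginx/sites-available/default >/dev/null 2>&1

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/40-geoip:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2145,SC1091,SC2154,SC2015

source /scripts/common

GEOIPDIR="/usr/share/GeoIP"
NGINXGEOIPCNF="/etc/nginx/geoip_countries.conf"

"${s6wrap[@]}" echo "Set up of GeoIP Database and corresponding nginx configuration"

#Moving geoip_countries.conf to the right place
"${s6wrap[@]}" echo "Copy geoip_countries.conf to the right place, delete old version first"
rm -f /etc/nginx/geoip_countries.conf
cp -f /root/geoip_countries.conf /etc/nginx/geoip_countries.conf

#Nothing set up in the docker-compose.yml? Then set default yes and abort the rest of the script
if [[ -z "$GEOIP_DEFAULT" ]]; then
  "${s6wrap[@]}" echo "GEOIP_DEFAULT not set, aborting further GeoIP setup."
  sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF
  exit 0
fi

# create GeoIP directory
mkdir -p $GEOIPDIR

#create persistent backup directory
mkdir -p /run/nginx/.geoip

#delete old cached files
# (GeoIP.bckup only serves as a timestamp; 90000 seconds are 25 hours)
if [[ -f /run/nginx/.geoip/GeoIP.bckup ]] && (( $(date +"%s") - $(stat -c "%Y" /run/nginx/.geoip/GeoIP.bckup)> 90000 )); then
  "${s6wrap[@]}" echo "Found DB Backup which is older than 25 hours. Deleting"
  rm -f /run/nginx/.geoip/*.gz /run/nginx/.geoip/GeoIP.bckup
fi

#Do we still have a usable backup after deletion?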
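# Then use it
if [[ -f /run/nginx/.geoip/GeoIP.dat.gz && -f /run/nginx/.geoip/GeoIPv6.dat.gz ]]; then
  backupworks=true
  "${s6wrap[@]}" echo "Found a Backup, installing"
  cp /run/nginx/.geoip/GeoIP.dat.gz "$GEOIPDIR"/
  cp /run/nginx/.geoip/GeoIPv6.dat.gz "$GEOIPDIR"/
else
  backupworks=false
  "${s6wrap[@]}" echo "No Backup found, continue"
fi

# Download the gzip'ed database at URL $1 to the file $2. Succeeds only when curl
# succeeds and the result passes the gzip integrity test; a failed or damaged download
# is removed so that it is neither unpacked nor copied to the backup directory.
# NOTE(review): `gzip -t` detects a truncated file or an error page, it does not prove
# where the file came from. The databases are used as delivered by the mirror.
fetch_db() {
  if curl --fail --max-time 60 -sSL -o "$2" "$1" && gzip -t "$2" 2>/dev/null; then
    return 0
  fi
  rm -f "$2"
  return 1
}

# get the GeoIP databases from mailfud
# (only when there is no usable backup; both files have to arrive)
geoipfail=true
if [[ "$backupworks" == "false" ]] \
   && fetch_db https://mailfud.org/geoip-legacy/GeoIP.dat.gz "$GEOIPDIR"/GeoIP.dat.gz \
   && fetch_db https://mailfud.org/geoip-legacy/GeoIPv6.dat.gz "$GEOIPDIR"/GeoIPv6.dat.gz
then
  "${s6wrap[@]}" echo "Successfully downloaded DB from mailfud.org"
  geoipfail=false
fi

#as there is a download limit from mailfud, backup the files to /run/nginx/.geoip/ and create a file as timestamp for further processing
if [[ "$backupworks" == "false" ]] && [[ "$geoipfail" == "false" ]]
then
  "${s6wrap[@]}" echo "Backup mailfud GeoIP DB to /run/nginx/.geoip"
  cp "$GEOIPDIR"/GeoIP.dat.gz /run/nginx/.geoip
  cp "$GEOIPDIR"/GeoIPv6.dat.gz /run/nginx/.geoip
  touch /run/nginx/.geoip/GeoIP.bckup
fi

# if we couldn't get the mailfud DB and the backup is not working either, let's fall back to another database:
if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]]
then
  centminfail=false
  "${s6wrap[@]}" echo "Couldn't download the mailfud GeoIP DB or use a backup. Now trying centminmod"
  fetch_db https://centminmod.com/centminmodparts/geoip-legacy/GeoIP.dat.gz "$GEOIPDIR"/GeoIP.dat.gz || centminfail=true
  fetch_db https://centminmod.com/centminmodparts/geoip-legacy/GeoIPv6.dat.gz "$GEOIPDIR"/GeoIPv6.dat.gz || centminfail=true
fi

if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] && [[ "$centminfail" == "false" ]]
then
  "${s6wrap[@]}" echo "Successfully downloaded DB from centminmod.com"
fi

#If nothing of the above did work out, we just use what we got through apt install
if [[ "$geoipfail" == "true" ]] && [[ "$backupworks" == "false" ]] && [[ "$centminfail" == "true" ]]
then
  "${s6wrap[@]}" echo "Couldn't retrieve any newer GeoIP databases. Your database may be out of date."
else
  "${s6wrap[@]}" echo "DB successfully installed"
fi

#Now we need to unzip what we got - if we got any
"${s6wrap[@]}" echo "Unpacking downloaded DB"
[[ -f "$GEOIPDIR"/GeoIP.dat.gz ]] && gunzip -f "$GEOIPDIR"/GeoIP.dat.gz
[[ -f "$GEOIPDIR"/GeoIPv6.dat.gz ]] && gunzip -f "$GEOIPDIR"/GeoIPv6.dat.gz

#read country codes from the variable
IFS=',' read -ra include_list <<< "$GEOIP_COUNTRIES"

# Append "<code> <verdict>;" after the #countrylist marker for every entry of
# include_list; $1 is the verdict (yes or no). Blanks are stripped. An entry is used
# only when it is two characters long, a letter followed by a letter or digit, because
# the text is pasted into a sed command and from there into the nginx map.
add_countries() {
  local verdict="$1" code
  local code_re='^[A-Za-z][A-Za-z0-9]$'
  for code in "${include_list[@]}"
  do
    code="${code//[[:space:]]/}"
    [[ -z "$code" ]] && continue
    if [[ ! "$code" =~ $code_re ]]; then
      "${s6wrap[@]}" echo "WARNING: Skipping GEOIP_COUNTRIES entry that is not a two-character country code: \"$code\""
      continue
    fi
    sed -i "/^#countrylist.*/a $code $verdict;" $NGINXGEOIPCNF
  done
}

#set the default GeoIP in /etc/nginx/nginx.conf - if the variable was set up in docker-compose but with unexpected content, fall back to default yes
# The value is compared in lower case: with an exact match on "block|BLOCK" only, a
# spelling such as "Block" ended in the allow-all fallback below.
case "${GEOIP_DEFAULT,,}" in
  allow)
    "${s6wrap[@]}" echo "Default is set to allow every country but block these: ${include_list[@]}"
    sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF
    add_countries no
    ;;

  block)
    "${s6wrap[@]}" echo "Default is set to block every country and only allow these: ${include_list[@]}"
    sed -i '/^#defaultsetting.*/a default no;' $NGINXGEOIPCNF
    add_countries yes
    ;;
  *)
    "${s6wrap[@]}" echo "Configuration not set or has a wrong value (use only allow or block). Defaulting to allow all"
    sed -i '/^#defaultsetting.*/a default yes;' $NGINXGEOIPCNF

    ;;
esac

# If there is a GEOIP_RESPONSECODE, then substitute it.
# Default code if omitted is 403 (Forbidden). Other codes that may be useful:
# 402 (payment required, hehe), 404 (doesn't exist), 418 (I am a teapot - used to tell requesters to go away), 410 (Gone), 500 (Internal Server Error),
# 503 (service unavailable), etc - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
# The value is pasted into a sed expression, so it has to be exactly three digits
# (100-999); -ge/-le would evaluate it as an arithmetic expression first.
if [[ "$GEOIP_RESPONSECODE" =~ ^[1-9][0-9]{2}$ ]]
then
  "${s6wrap[@]}" echo "Setting response code for blocked countries to $GEOIP_RESPONSECODE"
  # shellcheck disable=SC2016
  sed -i '/\s*if ($allowed_country = no)/{$!{N;s/\(\s*if ($allowed_country = no) {\s*\n\s*return \)[0-9]*\(.*\)/\1'"$GEOIP_RESPONSECODE"'\2/;ty;P;D;:y}}' /etc/nginx/sites-available/default >/dev/null 2>&1
elif [[ -n "$GEOIP_RESPONSECODE" ]]
then
  "${s6wrap[@]}" echo "Response code value for blocked countries \"$GEOIP_RESPONSECODE\" is invalid. Keeping the configured code."
fi

"${s6wrap[@]}" echo "Finished setting up GeoIP"

exit

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/50-check-ipv6:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC1091
#
# This init script disables IPV6 if the IPV6 env variable is set to "disabled" or "off"
# This is necessary to deal with systems that have IPV6 switched off - if we don't do this,
# the nginx test run in 99-test-webproxy will fail.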
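source /scripts/common

# Only the first three characters of the lower-cased value are compared, so
# "dis", "disable", "disabled" and "off" all switch IPv6 off.
IPV6="${IPV6,,}"
IPV6="${IPV6:0:3}"
if [[ "$IPV6" == "dis" ]] || [[ "$IPV6" == "off" ]]
then
  # comment out the IPv6 listen directives of the default site
  sed -i 's/\(\s*listen \[::\]:80\)/#\1/g' /etc/nginx/sites-available/default
  sed -i 's/\(\s*listen \[::\]:443\)/#\1/g' /etc/nginx/sites-available/default
  # shellcheck disable=SC2154
  "${s6wrap[@]}" echo "IPV6 disabled"
else
  # remove one leading "#" from the IPv6 listen directives of the default site
  sed -i 's/#\(\s*listen \[::\]:80\)/\1/g' /etc/nginx/sites-available/default
  sed -i 's/#\(\s*listen \[::\]:443\)/\1/g' /etc/nginx/sites-available/default
  "${s6wrap[@]}" echo "IPV6 enabled (default)"
fi

--------------------------------------------------------------------------------
/rootfs/etc/s6-overlay/scripts/60-block-ips:
--------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash disable=SC2145
#
# This init script prepares the iptables based IP blocking: it installs manage_ipblock,
# switches nginx logging to the access.log/error.log files, records the container's
# external IP address in /run/nginx/ip-allowlist and then loads /run/nginx/ip-blocklist.
# It does nothing unless IPTABLES_BLOCK is enabled and BLOCKBOT is set.

# shellcheck disable=SC1091
source /scripts/common

cp -f /root/manage_ipblock /usr/local/bin >/dev/null 2>&1

if ! chk_enabled "$IPTABLES_BLOCK" || [[ -z "$BLOCKBOT" ]]; then
  # shellcheck disable=SC2154
  "${s6wrap[@]}" echo "Bot blocking is not enabled. Continuing..."
  exit 0
fi

function conv_blocklist () {
  # This function converts the ip-blocklist from an older format and ensures it's homogenized
  # Each data line is rewritten as "<first field> <second field> <timestamp>": a missing
  # second field becomes "converted", a missing third field the current time, and a
  # third field starting with "2022" is converted to seconds since the epoch.
  # The call further down is commented out, so this function is currently unused.
  # NOTE(review): it builds the new file at the fixed path /tmp/ip-blocklist; switch to
  # mktemp if the function is put back into use.

  if [[ ! -f /run/nginx/ip-blocklist ]]
  then
    # Nothing to convert
    return 0
  fi

  read -r firstline < /run/nginx/ip-blocklist
  if [[ "$firstline" == "# IP Blocklist for the docker-reversewebproxy container" ]]
  then
    # the ip-blocklist file was already converted; no need to do it again
    return 0
  fi

  # Copy the template into place:
  cp /root/ip-blocklist-template /tmp/ip-blocklist

  while read -ra line
  do
    [[ -z "${line[*]}" ]] && continue
    if [[ "${line[0]:0:1}" == "#" ]]
    then
      # comment lines are copied as they are
      echo "${line[*]}" >> /tmp/ip-blocklist
      continue
    fi
    [[ -z "${line[1]}" ]] && line[1]="converted"
    [[ -z "${line[2]}" ]] && line[2]="$(date +%s)"
    [[ "${line[2]:0:4}" == "2022" ]] && line[2]="$(date -d "${line[2]:0:4}/${line[2]:4:2}/${line[2]:6:2} ${line[2]:9:2}:${line[2]:11:2}:${line[2]:13:2} ${line[2]:16:3}" +%s)"
    echo "${line[*]}" >> /tmp/ip-blocklist
  done < /run/nginx/ip-blocklist
  mv -f /tmp/ip-blocklist /run/nginx/ip-blocklist
  "${s6wrap[@]}" echo "ip-blocklist file has been converted to the new format."
  return 0
}
# enable logging:

sed -i 's|\(^\s*access_log\).*|\1 /var/log/nginx/access.log ;|' /etc/nginx/nginx.conf
sed -i 's|\(^\s*error_log\).*|\1 /var/log/nginx/error.log ;|' /etc/nginx/nginx.conf

# no longer needed: # Convert old format blocklist file if needed:
# conv_blocklist

# add external IP to allow list:
# The answer of the lookup service ends up in the allow list and in a sed expression,
# so it is fetched over https, with a time limit, and used only when it looks like a
# single IPv4 or IPv6 address. An error page or any other text is ignored.
extip="$(curl -sSLf --max-time 30 https://ipinfo.io/ip)" || extip=""
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
ipv6_re='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'
if [[ "$extip" =~ $ipv4_re ]] || [[ "$extip" =~ $ipv6_re ]]; then
  if [[ -f /run/nginx/ip-allowlist ]] && grep -q "#external-ip" /run/nginx/ip-allowlist; then
    # replace the address on the existing "#external-ip" line
    sed -i 's/^.*\(\s\+#external-ip\)$/'"$extip"'\1/g' /run/nginx/ip-allowlist
  else
    echo "$extip #external-ip" >> /run/nginx/ip-allowlist
  fi
elif [[ -n "$extip" ]]; then
  # shellcheck disable=SC2154
  "${s6wrap[@]}" echo "WARNING: The external IP lookup did not return an IP address; ip-allowlist was not changed."
fi

# read and add any blocked IPs.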
This can all be done in the background so we don't hold up the process when the list is long: 74 | { 75 | blocktable=() 76 | if [[ -f /run/nginx/ip-blocklist ]] 77 | then 78 | list_len="$(wc -l < /run/nginx/ip-blocklist)" 79 | counter=0 80 | dsp="$((list_len / 10 + 1))" 81 | if [[ -f /run/nginx/ip-allowlist ]]; then allowlist="$( 500 )) && ! (( counter++ % dsp )); then 85 | "${s6wrap[@]}" echo "Processed $(( (counter*100)/list_len ))% of the ip-blocklist" 86 | fi 87 | if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! [[ $allowlist =~ ${line[0]} ]] 88 | then 89 | # add the IP from the first field of the line to the iptables block list if... 90 | # - the line isn't empty 91 | # - the first field of the line doesn't start with "#" (in which case it's a comment) 92 | # - the IP isn't in the ip-allowlist (if that file exists). NOTE(review): the test is an unanchored regex match of the entry against the whole allowlist text, so "." matches any character and an entry also counts as allow-listed when it is merely a substring of an allow-listed address (constructed example: 192.0.2.1 inside 192.0.2.10), which leaves that entry unblocked; a literal, whole-field comparison would avoid this 93 | # - the IP isn't already in the iptables block list (NOTE(review): the condition above contains no such check, and the iptables call below discards its output and exit status, so every entry is reported as added whether or not the rule was inserted) 94 | if [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/24" 95 | elif [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/16" 96 | elif [[ ${line[0]} =~ ^[[:digit:]]+$ ]]; then line[0]="${line[0]}/8" 97 | fi 98 | iptables -I INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 99 | blocktable+=("${line[0]}") 100 | fi 101 | done < /run/nginx/ip-blocklist 102 | else 103 | # There's no blocklist. Let's copy the template into place: 104 | cp /root/ip-blocklist-template /run/nginx/ip-blocklist 105 | fi 106 | 107 | if (( ${#blocktable[@]} > 0 )) 108 | then 109 | "${s6wrap[@]}" echo "These ${#blocktable[@]} IPs were blocked previously and have been added to the iptables block list:" 110 | "${s6wrap[@]}" echo "${blocktable[@]}" 111 | else 112 | "${s6wrap[@]}" echo "No previous iptables block list found. Continuing..." 
113 | fi 114 | } & -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/70-basic-authentication: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2174,SC2154,SC1091 3 | 4 | source /scripts/common 5 | 6 | # First clean out the existing files 7 | rm -f /run/nginx/.htaccess/.htpasswd* 8 | 9 | if ! chk_enabled "${AUTH}"; then 10 | # Global Authorization is not enabled, let's ensure that it's set to off 11 | sed -i 's|^\s*#*\s*auth_basic .*$| auth_basic off;|g' /etc/nginx/sites-available/default 12 | sed -i 's|^\s*#*\s*auth_basic_user_file .*$| # auth_basic_user_file /file/here;|g' /etc/nginx/sites-available/default 13 | 14 | "${s6wrap[@]}" echo "Basic Authentication is not enabled. Continuing." 15 | exit 0 16 | fi 17 | 18 | # ----------------------------------------------------------------------------------------- 19 | # Implement localized credentials for each of the REVPROXY entries 20 | # ----------------------------------------------------------------------------------------- 21 | # Get the REVPROXY array and put each entry into am array element 22 | readarray -d ',' -t revproxy_array <<< "$REVPROXY" 23 | # 24 | # Loop through each of the entries in $revproxy_array: 25 | # Note -- enabling each entry in the locations.conf file was already done in 20-webproxy 26 | for proxy in "${revproxy_array[@]}" 27 | do 28 | location="${proxy%%|*}" # all chars up to the first "|" 29 | location="${location//[[:space:]]}" # strip any spaces 30 | location="${location///}" # strip any '/' 31 | proxy="${proxy#*|}" # all chars after the first "|" 32 | destination="${proxy%%|*}" # all chars up to the (now) first "|" 33 | destination="${destination//[[:space:]]}" # strip any spaces 34 | creds="${proxy#*|}" # now there's only user1|pass1|user2|pass2 etc left 35 | if ! 
grep -q '|' <<< "$creds"; then creds=""; fi # If there are no '|' in the string, there is no user/pass 36 | #debug: echo "Loc: ${location#* } - Proxy: $destination - Creds: $creds" 37 | if [[ -n "${location}" ]]; then touch "/run/nginx/.htaccess/.htpasswd-${location}"; fi 38 | 39 | if [[ -n "$creds" ]] 40 | then 41 | # Now loop through the credentials, create the password file: 42 | while grep '|' <<< "$creds" >/dev/null 2>&1 43 | do 44 | username="${creds%%|*}" # all chars up to the first "|" 45 | username=${username//[[:space:]]} # strip any spaces 46 | creds="${creds#*|}" # all chars after the first "|" 47 | password="${creds%%|*}" # all chars up to the (now) first "|" 48 | password="${password//[[:space:]]}" # strip any spaces 49 | creds="${creds#*|}" # now there's only the next user|pass|user|pass etc left 50 | # note - if there is no more username|pass, then $creds will contain the last password but no '|' 51 | # write credentials to password file. NOTE(review): the clear-text password is passed as an openssl command-line argument here and in the global-credentials loop below, which exposes it in the process list while openssl runs; openssl passwd can read the password from stdin (-stdin) instead: 52 | printf "%s:%s\n" "$username" "$(openssl passwd -5 "$password")" >> "/run/nginx/.htaccess/.htpasswd-${location}" 53 | done 54 | fi 55 | done 56 | 57 | # ----------------------------------------------------------------------------------------- 58 | # Implement global credentials 59 | 60 | if [[ -n "${LOCAL_CREDS}" ]] 61 | then 62 | readarray -d ',' -t creds_array <<< "${LOCAL_CREDS}" 63 | n=1 64 | errors=0 65 | # Add global credentials to the file if they exist. NOTE(review): an entry without a "|" passes the emptiness check below with the password equal to the user name, because both expansions then return the whole entry; and unlike the REVPROXY loop above nothing strips whitespace here, so the newline that the here-string appends presumably stays on the last entry's password - verify both: 66 | for cred in "${creds_array[@]}" 67 | do 68 | username="${cred%%|*}" 69 | password="${cred##*|}" 70 | if [[ -z "$username" ]] || [[ -z "$password" ]] 71 | then 72 | "${s6wrap[@]}" echo "WARNING: Entry $n of CREDENTIALS variable is wrongly formatted. Skipping..." 73 | (( errors++ )) || true 74 | continue 75 | fi 76 | printf "%s:%s\n" "$username" "$(openssl passwd -5 "$password")" >> /run/nginx/.htaccess/.htpasswd_global 77 | if chk_enabled "${LOCAL_CREDS_ALL_REVPROXIES}"; then 78 | for f in /run/nginx/.htaccess/.htpasswd-*; do 79 | if ! 
grep -q "$username" "$f"; then 80 | printf "%s:%s\n" "$username" "$(openssl passwd -5 "$password")" >> "$f" 81 | fi 82 | done 83 | fi 84 | done 85 | 86 | # delete any empty left-over files 87 | find /run/nginx/.htaccess/ -maxdepth 1 -type f -empty -delete 88 | 89 | # Make sure that the default file is correctly set up: 90 | sed -i 's|^\s*#*\s*auth_basic .*$| auth_basic "authorization required";|g' /etc/nginx/sites-available/default 91 | sed -i 's|^\s*#*\s*auth_basic_user_file .*$| auth_basic_user_file /run/nginx/.htaccess/.htpasswd_global;|g' /etc/nginx/sites-available/default 92 | else 93 | # Global Authorization is not enabled, let's ensure that it's set to off 94 | sed -i 's|^\s*#*\s*auth_basic .*$| auth_basic off;|g' /etc/nginx/sites-available/default 95 | sed -i 's|^\s*#*\s*auth_basic_user_file .*$| # auth_basic_user_file /file/here;|g' /etc/nginx/sites-available/default 96 | fi 97 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/80-set-cors: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2174 3 | 4 | # shellcheck disable=SC1091,SC2016,SC2049,SC2076,SC2154 5 | source /scripts/common 6 | 7 | if [[ -z "${CORSHOSTS}" ]] 8 | then 9 | { echo "# This file would normally contain the CORS exception headers, but none are defined." 10 | echo "# You can define these headers with the Docker environment variable CORSHOSTS" 11 | } > /run/nginx/cors_headers.conf 12 | exit 0 13 | fi 14 | 15 | # Make sure the user doesn't have both "*" and "_" in CORSHOSTS as they conflict: 16 | if [[ $CORSHOSTS =~ "*" ]] && [[ $CORSHOSTS =~ "_" ]]; then 17 | "${s6wrap[@]}" echo "[FATAL] CORSHOST=$CORSHOSTS - however it cannot contain both \"*\" and \"_\"" 18 | "${s6wrap[@]}" echo " Container halted - Please fix this issue and then restart the container." 
19 | exec sleep infinity 20 | fi 21 | 22 | # Add cors exceptions to the config file if they exist. NOTE(review): the middle branch below emits the wildcard origin whenever CORSHOSTS contains "*" or a comma, so a comma-separated list of hosts is widened to every origin; in the last branch a single value is written into the nginx directive unchecked (only newlines are removed). If a list of specific origins is intended, echoing the request's Origin only when it matches that list (for example through an nginx map) keeps the policy as narrow as the operator configured it: 23 | { echo "# This file contains automatically generated CORS exception headers." 24 | echo "# These are overwritten automatically at container start. If you want to" 25 | echo "# set or delete these headers, do this with the Docker environment variable CORSHOSTS" 26 | echo "" 27 | echo "proxy_hide_header Access-Control-Allow-Origin;" 28 | if [[ $CORSHOSTS =~ "_" ]]; then 29 | echo 'add_header Access-Control-Allow-Origin _;' 30 | elif [[ $CORSHOSTS =~ "*"|, ]]; then 31 | echo 'add_header Access-Control-Allow-Origin *;' 32 | else 33 | echo 'add_header Access-Control-Allow-Origin '"${CORSHOSTS//$'\n'/}"';' 34 | fi 35 | } > /run/nginx/cors_headers.conf 36 | 37 | "${s6wrap[@]}" echo "Added CORS exception for ${CORSHOSTS}" 38 | 39 | exit 0 40 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/99-test-webproxy: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash 3 | 4 | # shellcheck disable=SC1091 5 | source /scripts/common 6 | # shellcheck disable=SC2154 7 | "${s6wrap[@]}" echo "Final test of nginx before deployment" 8 | 9 | # now test the nginx configuration 10 | if ! /usr/sbin/nginx -g 'daemon off;' -t -q 11 | then 12 | # nginx config problem. Complain and stop the container: 13 | "${s6wrap[@]}" echo "--------------------------------------------------" 14 | "${s6wrap[@]}" echo "| STOP ! NGINX configuration problem |" 15 | "${s6wrap[@]}" echo "| This is probably caused by a mal-formed |" 16 | "${s6wrap[@]}" echo "| locations.conf file or by syntax errors in the |" 17 | "${s6wrap[@]}" echo "| definition of REVPROXY or REDIRECT in your |" 18 | "${s6wrap[@]}" echo "| docker-compose.yml file. 
Go check and fix them!|" 19 | "${s6wrap[@]}" echo "--------------------------------------------------" 20 | 21 | if [[ -z "$DEBUG" ]]; then 22 | exit 1 23 | else 24 | exec sleep infinity 25 | fi 26 | fi 27 | 28 | exit 0 29 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/block-ips: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2145,SC2154 3 | 4 | # shellcheck disable=SC1091 5 | source /scripts/common 6 | 7 | SLEEPTIME=60 8 | CHECK_EXT_IP_IVAL=1500 9 | last_ext_ip_check="$(date +%s)" 10 | 11 | # check if the IPTABLES_BLOCK is not enabled and if so, stop execution of this service: 12 | if ! chk_enabled "$IPTABLES_BLOCK" || [[ -z "$BLOCKBOT" ]]; then 13 | "${s6wrap[@]}" echo "Bot blocking is disabled" 14 | sleep infinity 15 | fi 16 | 17 | "${s6wrap[@]}" echo "Started as an s6 service" 18 | 19 | while true; do 20 | 21 | # Sleep a while before checking everything: 22 | sleep $SLEEPTIME 23 | "${s6wrap[@]}" echo "Starting block-ip check" 24 | # Once every $CHECK_EXT_IP_IVAL secs, check if the external IP address is still the same, and add it to the allow-list if needed 25 | if (( $(date +%s) > last_ext_ip_check + CHECK_EXT_IP_IVAL )); then 26 | extip="$(curl -sSL ipinfo.io/ip)" 27 | if [[ -n "$extip" ]]; then 28 | last_ext_ip_check="$(date +%s)" 29 | if [[ -f /run/nginx/ip-allowlist ]] && grep -q "#external-ip" /run/nginx/ip-allowlist; then 30 | sed -i 's/^.*\(\s\+#external-ip\)$/'"$extip"'\1/g' /run/nginx/ip-allowlist 31 | else 32 | echo "$extip #external-ip" >> /run/nginx/ip-allowlist 33 | fi 34 | fi 35 | fi 36 | 37 | # Do stuff if the access log file exists. 
Sometimes, it doesn't exist if there isn't much traffic 38 | if [[ -f /var/log/nginx/access.log ]]; then 39 | old_blocklist="$(> /run/nginx/ip-blocklist 42 | 43 | # Remove IPs that don't have user agents: 44 | if chk_enabled "$IPTABLES_BLOCK_NO_USERAGENT"; then 45 | awk -v "d=$(date +%s)" 'BEGIN {FS="[[:space:]]*[][\"][[:space:]]*"; OFS = ","}{if ($8 == "" || $8 == "-") {sub(" - -","",$1); print $1 " no_user_agent " d}}' /var/log/nginx/access.log | sort -u >> /run/nginx/ip-blocklist 46 | fi 47 | 48 | # Read $BLOCKBOT into an array and remove all leading/trailing spaces: 49 | readarray -d "," -t BOT_ARRAY <<< "$BLOCKBOT" 50 | for ((n=0; n<${#BOT_ARRAY[*]}; n++)) 51 | do 52 | # this is slightly inefficient as it iterates through the entire array. 53 | # However, all-at-once solutions like "y=($(printf '%s\n' "${x[@]}"|xargs))" appear to split each element at any internal whitespace :( 54 | BOT_ARRAY[n]="$(xargs <<< "${BOT_ARRAY[n]}")" 55 | done 56 | # Parse through the log files and to the blocklist. 57 | # It's OK to add duplicates; `sort -u` will only keep the first (oldest) occurrence 58 | grep -i -h -w -f <(printf '%s\n' "${BOT_ARRAY[@]}") /var/log/nginx/access.log 2>/dev/null | awk -v "d=$(date +%s)" '{print $1 " logs_crawler " d}' >> /run/nginx/ip-blocklist 59 | 60 | sort -u -k 1,1 /run/nginx/ip-blocklist | sort -n > /tmp/ip-blocklist 61 | mv -f /tmp/ip-blocklist /run/nginx/ip-blocklist 62 | 63 | # Re-process the blocklist and add them to the IP tables for DROPping: 64 | blocktable=() 65 | if [[ -f /run/nginx/ip-blocklist ]] 66 | then 67 | while read -ra line 68 | do 69 | if [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && ! 
[[ $old_blocklist =~ ${line[0]} ]]; then 70 | if [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/24" 71 | elif [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/16" 72 | elif [[ ${line[0]} =~ ^[[:digit:]]+$ ]]; then line[0]="${line[0]}/8" 73 | fi 74 | iptables -I INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 75 | blocktable+=("${line[0]}") 76 | fi 77 | done < /run/nginx/ip-blocklist 78 | fi 79 | 80 | # Notify the logs of any additions to the blocklist: 81 | if (( ${#blocktable[@]} > 0 )) 82 | then 83 | "${s6wrap[@]}" echo "These ${#blocktable[@]} IP(s) have been added to the iptables Block List: ${blocktable[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." 84 | fi 85 | 86 | # Go through the blocklist and determine if any entries have timed out: 87 | if (( IPJAILTIME > 0 )) 88 | then 89 | deletes=() 90 | cp /run/nginx/ip-blocklist /tmp 91 | allowlist="$( 0 )) \ 99 | && (( line[2] + IPJAILTIME < $(date +%s) )) \ 100 | || { [[ -n "${line[0]}" ]] && [[ "${line[0]:0:1}" != "#" ]] && [[ $allowlist =~ ${line[0]} ]]; } 101 | then 102 | sed -i '/^'"${line[0]}"'/d' /run/nginx/ip-blocklist 103 | if [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/24" 104 | elif [[ ${line[0]} =~ ^[[:digit:]]+\.[[:digit:]]+$ ]]; then line[0]="${line[0]}/16" 105 | elif [[ ${line[0]} =~ ^[[:digit:]]+$ ]]; then line[0]="${line[0]}/8" 106 | fi 107 | iptables -D INPUT -s "${line[0]}" -j DROP >/dev/null 2>&1 108 | deletes+=("${line[0]}") 109 | fi 110 | done < /tmp/ip-blocklist 111 | rm -f /tmp/ip-blocklist 112 | if [[ "${#deletes[*]}" -gt 0 ]]; then 113 | "${s6wrap[@]}" echo "These ${#deletes[@]} IP(s) have timed out and have been removed from the Block List: ${deletes[@]}. Currently, there are $(sed -e '/^$/d ; /^#/d' /run/nginx/ip-blocklist |wc -l) blocked IP addresses." 114 | fi 115 | fi 116 | fi 117 | "${s6wrap[@]}" echo "Done. 
Next check will start at $(date -d @$(( $(date +%s) + SLEEPTIME )))" 118 | done 119 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/check-blockbotlist: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154 3 | 4 | # shellcheck disable=SC1091 5 | source /scripts/common 6 | 7 | if [[ -z "$BLOCKBOT" ]]; then 8 | exec sleep infinity 9 | fi 10 | 11 | BLOCKBOT_UPDATETIME="${BLOCKBOT_UPDATETIME:-21600}" # default update time = 21600 secs = 6 hours 12 | 13 | "${s6wrap[@]}" echo "Starting blockbot-list update service. Next check at $(date -d @$(( $(date +%s) + BLOCKBOT_UPDATETIME )))" 14 | 15 | old_remotebots="" 16 | new_remotebots="" 17 | 18 | READ_REMOTE_BOTLIST () { 19 | local remotebots 20 | readarray -t -d ',' BLIST_ARR <<< "$BLOCKBOT" 21 | for index in "${!BLIST_ARR[@]}"; do 22 | BLIST_ARR[index]="${BLIST_ARR[index]//$'\n'/}" 23 | while [[ "${BLIST_ARR[index]:0:1}" == "," ]] || [[ "${BLIST_ARR[index]:0:1}" == " " ]]; do BLIST_ARR[index]="${BLIST_ARR[index]:1}"; done 24 | if [[ "${BLIST_ARR[index]:0:4}" == "http" ]]; then 25 | # replace any entry that starts with http by content of the equivalent URL. NOTE(review): the prefix test also accepts plain http:// URLs, and the only check on the download is that it does not start with "<"; the update loop further down writes this text into the regex of the map in /etc/nginx/blockbot.conf and then signals nginx to reload, so whoever controls the list (or the path to it) influences the proxy's configuration - requiring https:// and restricting entries to the characters expected in a bot name before writing the file would narrow that 26 | if extra_args="$(curl -sSLf -H 'Cache-Control: no-cache' "${BLIST_ARR[index]}" 2>/dev/null)" && [[ "${extra_args:0:1}" != "<" ]] ; then 27 | remotebots="${remotebots}${extra_args//$'\n'/,}" 28 | fi 29 | fi 30 | done 31 | echo "${remotebots}" 32 | } 33 | 34 | old_remotebots="$(READ_REMOTE_BOTLIST)" 35 | 36 | while :; do 37 | sleep "${BLOCKBOT_UPDATETIME}" & wait $! 
38 | new_remotebots="$(READ_REMOTE_BOTLIST)" 39 | 40 | if [[ "$old_remotebots" != "$new_remotebots" ]]; then 41 | readarray -t -d ',' BLIST_ARR <<< "$BLOCKBOT" 42 | for index in "${!BLIST_ARR[@]}"; do 43 | BLIST_ARR[index]="${BLIST_ARR[index]//$'\n'/}" 44 | while [[ "${BLIST_ARR[index]:0:1}" == "," ]] || [[ "${BLIST_ARR[index]:0:1}" == " " ]]; do BLIST_ARR[index]="${BLIST_ARR[index]:1}"; done 45 | if [[ "${BLIST_ARR[index]:0:4}" == "http" ]]; then 46 | unset "BLIST_ARR[index]" 47 | fi 48 | done 49 | BLOCKLIST="$(printf "%s|" "${BLIST_ARR[@]}")" # print BLIST_ARR with OR separator to BLOCKLIST 50 | BLOCKLIST="$BLOCKLIST|${new_remotebots//,/|}" 51 | BLOCKLIST="${BLOCKLIST//$'\n'/|}" # replace any newlines that may have sneaked in with a OR separator 52 | BLOCKLIST="${BLOCKLIST//||/|}" # replace any double OR separators with a single OR 53 | while [[ "${BLOCKLIST: -1}" == "|" ]]; do BLOCKLIST="${BLOCKLIST::-1}"; done # remove any left-over OR separators from the end of the string 54 | 55 | { printf "map \$http_user_agent \$limit_bots {\n" 56 | printf " default 0;\n" 57 | printf " ~*(%s) 1;\n" "${BLOCKLIST// /}" 58 | printf "}\n" 59 | } >/etc/nginx/blockbot.conf 60 | old_remotebots="$new_remotebots" 61 | kill -HUP "$(cat /run/nginx.pid)" 62 | "${s6wrap[@]}" echo "Incorporating new remote botblocklist: $BLOCKLIST" 63 | else 64 | "${s6wrap[@]}" echo "Remote botblocklist has not been changed since last check" 65 | fi 66 | "${s6wrap[@]}" echo "Next update at $(date -d @$(( $(date +%s) + BLOCKBOT_UPDATETIME )))" 67 | done 68 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/create-ipmaps: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154,SC2089 3 | 4 | # shellcheck disable=SC1091 5 | source /scripts/common 6 | 7 | # Advise to keep IPMAPS_INTERVAL < about 900 secs - this corresponds to 2920 requests 8 | # 
per month, well below the maximum of 4000 requests from a single IP address for the 9 | # free API of https://ipinfo.io/ 10 | 11 | IPMAPS_INTERVAL="${IPMAPS_INTERVAL:-900}" 12 | IPMAPS_BASENAME="${IPMAPS_BASENAME:-ipmap-}" 13 | HTMLDIR="/run/nginx/html" 14 | 15 | notavail_template='

Map Currently Unavailable

This map is currently not available; please try again later. Last update: ##TIME##' 16 | redir_template='' 17 | 18 | if ! chk_enabled "$IPMAPS"; then 19 | rm -f "${HTMLDIR}/${IPMAPS_BASENAME}"*.html 20 | exec sleep infinity 21 | fi 22 | 23 | while :; do 24 | 25 | ipmap_all="$(/usr/local/bin/ipmap -l 2>/dev/null| tail -1)" || true 26 | ipmap_filtered="$(/usr/local/bin/ipmap -f 2>/dev/null| tail -1)" || true 27 | ipmap_accepted="$(/usr/local/bin/ipmap -v 2>/dev/null| tail -1)" || true 28 | 29 | "${s6wrap[@]}" echo "Updating ${IPMAPS_BASENAME}all.html --> $ipmap_all" 30 | { if [[ "${ipmap_all:0:4}" == "http" ]]; then 31 | echo "${redir_template//##REDIRURL##/$ipmap_all}" 32 | else 33 | echo "${notavail_template//##TIME##/$(date)}" 34 | fi 35 | } > "${HTMLDIR}/${IPMAPS_BASENAME}all.html" 36 | 37 | "${s6wrap[@]}" echo "Updating ${IPMAPS_BASENAME}filtered.html --> $ipmap_filtered" 38 | { if [[ "${ipmap_filtered:0:4}" == "http" ]]; then 39 | echo "${redir_template//##REDIRURL##/$ipmap_filtered}" 40 | else 41 | echo "${notavail_template//##TIME##/$(date)}" 42 | fi 43 | } > "${HTMLDIR}/${IPMAPS_BASENAME}filtered.html" 44 | 45 | "${s6wrap[@]}" echo "Updating ${IPMAPS_BASENAME}accepted.html --> $ipmap_accepted" 46 | { if [[ "${ipmap_accepted:0:4}" == "http" ]]; then 47 | echo "${redir_template//##REDIRURL##/$ipmap_accepted}" 48 | else 49 | echo "${notavail_template//##TIME##/$(date)}" 50 | fi 51 | } > "${HTMLDIR}/${IPMAPS_BASENAME}accepted.html" 52 | 53 | sleep "$IPMAPS_INTERVAL" 54 | 55 | done -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/goaccess: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154,SC1091 3 | 4 | source /scripts/common 5 | 6 | "${s6wrap[@]}" echo "Started as an s6 service" 7 | ACCESS_REPORT_FREQUENCY="${ACCESS_REPORT_FREQUENCY:-60}" 8 | ACCESSLOG="/var/log/nginx/access.log" 9 | 
DBDIR="/run/nginx/.goaccess" 10 | 11 | if [[ -z "$ACCESS_REPORT_PAGE" ]] || chk_disabled "$ACCESS_REPORT_PAGE"; then 12 | "${s6wrap[@]}" echo "ACCESS_REPORT_PAGE not enabled - continuing without it" 13 | exec sleep infinity 14 | fi 15 | 16 | mkdir -p "$DBDIR" 17 | if compgen -G "$DBDIR/*.db" > /dev/null; then 18 | BACKUP_AVAIL=true 19 | else 20 | unset BACKUP_AVAIL 21 | fi 22 | 23 | if ! chk_enabled "$ACCESS_REPORT_PAGE"; then 24 | REPORTFILE="$ACCESS_REPORT_PAGE" 25 | else 26 | REPORTFILE="access-report.html" 27 | fi 28 | 29 | if chk_disabled "$ACCESS_REPORT_RESOLVE"; then 30 | RESOLVE="" 31 | else 32 | RESOLVE="-d" 33 | fi 34 | 35 | # wait until the access log is available 36 | while [[ ! -f "$ACCESSLOG" ]]; do 37 | sleep 1 38 | done 39 | 40 | "${s6wrap[@]}" echo "Access Reporting Service started. Your report is available at /$REPORTFILE and is updated every $ACCESS_REPORT_FREQUENCY secs." 41 | 42 | while true 43 | do 44 | # shellcheck disable=SC2046 45 | "${s6wrap[@]}" echo "Updating GoAccess Reports Page at /$REPORTFILE" 46 | # shellcheck disable=SC2046 47 | "${s6wrap[@]}" nice -n 19 goaccess $(echo "$ACCESSLOG -o /run/nginx/html/$REPORTFILE --no-parsing-spinner --log-format=COMBINED $RESOLVE --db-path=$DBDIR --persist ${BACKUP_AVAIL:+--restore}"|xargs) 48 | "${s6wrap[@]}" echo "Done - next update at $(date -d @$(( $(date +%s) + ACCESS_REPORT_FREQUENCY )))" 49 | sleep "$ACCESS_REPORT_FREQUENCY" & wait $! 50 | done 51 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/nginx-log-to-console: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154,SC1091 3 | 4 | source /scripts/common 5 | 6 | if ! chk_enabled "${VERBOSELOG}"; then 7 | "${s6wrap[@]}" echo "Logging to console is disabled. 
Set \"VERBOSELOG=on\" if you want to see the nginx access and error logs" 8 | sleep infinity 9 | fi 10 | 11 | # tail the log files to console: 12 | 13 | { "${s6wrap[@]}" tail -F /var/log/nginx/access.log; } & 14 | accesspid="$!" 15 | 16 | { "${s6wrap[@]}" tail -F /var/log/nginx/error.log; } & 17 | errorpid="$!" 18 | 19 | # Wait until any of them exits for any reason 20 | wait -n 21 | 22 | # kill both processes before exiting, so the restart of the service is done cleanly 23 | kill $accesspid >/dev/null 2>&1 || true 24 | kill $errorpid >/dev/null 2>&1 || true 25 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/nginx-logrotate: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154,SC1091 3 | 4 | source /scripts/common 5 | 6 | LOGROTATE_INTERVAL="${LOGROTATE_INTERVAL:-3600}" 7 | LOGROTATE_MAXBACKUPS="${LOGROTATE_MAXBACKUPS:-24}" 8 | 9 | "${s6wrap[@]}" echo "Started as an s6 service; nginx logs are rotated every $LOGROTATE_INTERVAL seconds; up to $LOGROTATE_MAXBACKUPS are kept." 10 | 11 | # Sleep for 30 seconds to allow nginx to start and be fully up and running. 12 | # After that, send USR1 signal to nginx so it updates the file ownership and permissions for the log files 13 | # Run this in the background so it doesn't interfere with the log rotation sequence 14 | { sleep 30 && kill -USR1 "$( 0 )) 24 | do 25 | mv -f /var/log/nginx/access.log.$((count-1)) /var/log/nginx/access.log.$count >/dev/null 2>&1 || true 26 | done 27 | mv -f /var/log/nginx/access.log /var/log/nginx/access.log.0 || true 28 | "${s6wrap[@]}" echo "nginx access logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." 
29 | fi 30 | 31 | if [[ -f /var/log/nginx/error.log ]] 32 | then 33 | count=$LOGROTATE_MAXBACKUPS 34 | while (( --count > 0 )) 35 | do 36 | mv -f /var/log/nginx/error.log.$((count-1)) /var/log/nginx/error.log.$count >/dev/null 2>&1 || true 37 | done 38 | mv -f /var/log/nginx/error.log /var/log/nginx/error.log.0 || true 39 | "${s6wrap[@]}" echo "nginx error logs have been rotated. Next rotation at $(date -d "+$LOGROTATE_INTERVAL seconds")." 40 | fi 41 | 42 | kill -USR1 "$( /tmp/tarlist 20 | tar -czf /run/nginx/.letsencrypt/letsencrypt.tgz -T /tmp/tarlist >/dev/null 2>&1 21 | rm /tmp/tarlist 22 | chmod u=rx,go= /run/nginx/.letsencrypt 23 | done 24 | else 25 | "${s6wrap[@]}" echo "SSL is disabled. No checks will be performed." 26 | sleep infinity 27 | fi 28 | -------------------------------------------------------------------------------- /rootfs/etc/s6-overlay/scripts/webproxy: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash disable=SC2154,SC1091 3 | 4 | source /scripts/common 5 | 6 | "${s6wrap[@]}" echo "Started as an s6 service" 7 | "${s6wrap[@]}" echo "Starting the NGINX service..." 8 | 9 | while true 10 | do 11 | touch /tmp/nginx.up 12 | "${s6wrap[@]}" /usr/sbin/nginx -g 'daemon off;' 13 | rm -f /tmp/nginx.up 14 | "${s6wrap[@]}" echo "NGINX Service has exited." 15 | sleep 10 16 | "${s6wrap[@]}" echo "Restarting NGINX Service now..." 17 | done 18 | -------------------------------------------------------------------------------- /rootfs/root/blockstats: -------------------------------------------------------------------------------- 1 | #!/command/with-contenv bash 2 | #shellcheck shell=bash 3 | 4 | # BASH script to print stats from the block list 5 | 6 | if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]] || [[ "$1" == "-?" ]] 7 | then 8 | echo "Usage:" 9 | exit 0 10 | fi 11 | 12 | 13 | 14 | if [[ ! 
-f /var/log/nginx/access.log ]] || [[ -z "$BLOCKBOT" ]] 15 | then 16 | echo "No Webserver access logs found, or IPTABLES_BLOCK not enabled. Exiting." 17 | exit 1 18 | fi 19 | 20 | IFS="," read -ra blocks <<< "$BLOCKBOT" 21 | 22 | # clean up ${blocks[*]}: 23 | printf "Cleaning up the blockbot list... " 24 | for ((i=0; i<"${#blocks[*]}"; i++)) 25 | do 26 | blocks[i]="$(sed 's/^ *//g; s/ *$//g' <<< "${blocks[i]}")" 27 | done 28 | 29 | # shellcheck disable=SC2207 30 | IFS=$'\n' blocksclean=($(sort -fu <<<"${blocks[*]}")) 31 | 32 | printf "Parsing logs... " 33 | declare -A hits=() 34 | declare -A ips=() 35 | for a in "${blocksclean[@]}" 36 | do 37 | hits+=(["$a"]="$(grep -h -i "$a" /var/log/nginx/* |wc -l)") 38 | ips+=(["$a"]="$(readarray x <<< "$(grep -h -i "$a" /var/log/nginx/* | awk '{print $1}' | sort -u)";echo "${x[@]}")") 39 | done 40 | 41 | printf "Results:\n Bot name - number of total hits - related ip addresses:\n" 42 | for a in "${blocksclean[@]}" 43 | do 44 | b="${ips["$a"]//$'\n'/ }" 45 | (( hits["$a"] > 0)) && printf "%s - %s - %s\n" "$a" "${hits["$a"]}" "$b" 46 | done 47 | -------------------------------------------------------------------------------- /rootfs/root/default: -------------------------------------------------------------------------------- 1 | # Default server configuration 2 | # 3 | server { 4 | listen 80 default_server; 5 | listen [::]:80 default_server; 6 | 7 | root /run/nginx/html; 8 | 9 | # Add index.php to the list if you are using PHP 10 | index index.html index.htm index.nginx-debian.html; 11 | 12 | server_name _; 13 | 14 | location / { 15 | # headers added to resolve issues with websocket connections: 16 | proxy_set_header Upgrade $http_upgrade; 17 | proxy_set_header Connection $http_connection; 18 | proxy_set_header Host $http_host; 19 | proxy_set_header X-Real-IP $remote_addr; 20 | proxy_set_header X-Forwarded-For $remote_addr; 21 | 22 | # First attempt to serve request as file, then 23 | # as directory, then fall back to 
displaying a 404. 24 | try_files $uri $uri/ =404; 25 | 26 | include /run/nginx/locations.conf; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /rootfs/root/geoip_countries.conf: -------------------------------------------------------------------------------- 1 | ##config-to-be-added 2 | map $geoip_country_code $allowed_country { 3 | #defaultsetting 4 | #countrylist 5 | } 6 | -------------------------------------------------------------------------------- /rootfs/root/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Welcome to kx1t's reverse web proxy! 5 | 12 | 13 | 14 | 15 |

Welcome to kx1t's reverse web proxy!

16 |

17 | This proxy uses nginx and is deployed as a docker container. If you see 18 | this page, the nginx web server is successfully installed and working. 19 | However, further configuration is required as this website is a simple 20 | placeholder. 21 |

22 |

23 | If you want to run your own version of this reverse web proxy, please see 24 | our 25 | GitHub page. 26 |

27 |

28 | You can download this container in a docker-enabled environment by 29 | downloading and adapting 30 | this docker-compose.yml 34 | file. 35 |

36 | 37 |

38 | © 2021 by kx1t. Available as open source at the GitHub repository 40 | linked above under the Gnu Public License version 3. 42 |

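43 | . Support is available on the #Planefence channel of the SDR Enthusiasts 44 | Discord Server. Click the icon to join: 45 | discord 50 | 51 | 52 | -------------------------------------------------------------------------------- /rootfs/root/ip-blocklist-template: -------------------------------------------------------------------------------- 1 | # IP Blocklist for the docker-reversewebproxy container 2 | # (C) 2022, kx1t; licensed under GPLv3 3 | # See https://github.com/sdr-enthusiasts/docker-reversewebproxy for more info 4 | # 5 | # This file may be edited manually, or by using the "manage_ipblock" program that is included in this container. 6 | # You can invoke this utility by using "docker exec", e.g., "docker exec -it webproxy manage_ipblock" 7 | # 8 | # Format of the file: 9 | # ipaddress reason timestamp 10 | # "Reason" is a single word without any quotes or clearspaces. Often, the reason will be the HTTP return code that caused the block. 11 | # "Timestamp" is the date the item was added to the IP Block List, in seconds since epoch ("date +%s") 12 | # Any lines starting with # will be ignored 13 | -------------------------------------------------------------------------------- /rootfs/root/ipmap: --------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash

# ipmap -- print a URL to a map of the client IP addresses found in the nginx logs.
#
# Data flow to be aware of:
#   * The first field of the lines in /var/log/nginx/* is collected, de-duplicated and
#     POSTed to https://ipinfo.io/tools/map, i.e. visitor IP addresses leave the
#     container and are handed to a third-party service.
#   * The report URL that comes back is printed to the terminal. Whether that URL is
#     access-controlled is not visible from this script -- confirm before sharing it.
#
# Environment read:
#   BLOCKBOT                                  comma-separated patterns passed to "grep -f"
#   LOGROTATE_INTERVAL, LOGROTATE_MAXBACKUPS  only used for the "up to N minutes" text

if [[ ! -f /var/log/nginx/access.log ]]
then
    echo "Access Logs not enabled. Please set either of these parameters to enable Access Logs in this container:"
    echo "IPTABLES_BLOCK=ENABLED ... or ..."
    echo "VERBOSELOG=file"
    exit 1
fi

# Print the help text.
usage() {
    echo "Print a URL to a map with all IPs that are in the current web server logs"
    echo ""
    echo "Usage:"
    echo "-h -? Print this help message"
    echo "-l Print URL for all log entries"
    echo "-f Print URL for only those entries that were filtered out (Botblock or GeoIP block)"
    echo "-v Print URL for map entries that were not filtered (the complement of -f)"
    echo "If no argument is provided, \"-l\" is assumed."
}

# Print the unique first fields that look like an IPv4/IPv6 address.
# Reads the files given as arguments, or stdin when there are none.
# The glob /var/log/nginx/* can match files whose first field is not an address
# (nginx error-log lines start with a date), and only addresses should be uploaded.
first_field_ips() {
    awk '$1 ~ /^[0-9A-Fa-f.:]+$/ && $1 ~ /[.:]/ { print $1 }' "$@" | sort -u
}

# Upload a newline-separated list of addresses and print the resulting map URL.
#   $1 = label used in the heading, $2 = the address list
print_map_url() {
    local label="$1" ips="$2" url

    echo "Map URL for ${label} (from container-start or up to a maximum of $((LOGROTATE_INTERVAL * LOGROTATE_MAXBACKUPS / 60)) minutes):"
    if [[ -z "$ips" ]]
    then
        echo "No IP addresses found for this selection; nothing was sent." >&2
        return 0
    fi

    # "jq -r" prints the raw string, so no quote stripping is needed; "// empty"
    # yields no output instead of the word "null" when the reply has no reportUrl.
    url="$(printf '%s\n' "$ips" \
        | curl -Ls -XPOST --data-binary @- "https://ipinfo.io/tools/map?cli=1" \
        | jq -r '.reportUrl // empty')"

    if [[ -n "$url" ]]
    then
        echo "$url"
    else
        echo "No report URL was returned (network problem or unexpected reply)." >&2
    fi
}

# Option letter: the first character after an optional leading "-", lower-cased.
opt="${1,,}"
opt="${opt#-}"
opt="${opt:0:1}"
opt="${opt:-l}"

# Handle help and unknown options before the logs are read.
case "$opt" in
    "?" | h)
        usage
        exit 0
        ;;
    l | f | v)
        ;;
    *)
        echo "Unknown option \"$1\" -- use -h for help" >&2
        exit 1
        ;;
esac

# Split $BLOCKBOT on commas and trim surrounding whitespace from each entry.
# Empty entries are dropped: an empty line in a "grep -f" pattern list is not a
# bot name and can match lines that mention no bot at all.
readarray -d "," -t raw_bots <<< "${BLOCKBOT:-}"
bot_patterns=()
for bot in "${raw_bots[@]}"
do
    bot="${bot#"${bot%%[![:space:]]*}"}"    # strip leading whitespace
    bot="${bot%"${bot##*[![:space:]]}"}"    # strip trailing whitespace (incl. the here-string newline)
    [[ -n "$bot" ]] && bot_patterns+=("$bot")
done

if (( ${#bot_patterns[@]} > 0 ))
then
    FILTERED_IPS="$(grep -i -h -w -f <(printf '%s\n' "${bot_patterns[@]}") /var/log/nginx/* 2>/dev/null | first_field_ips)"
else
    FILTERED_IPS=""
fi
ALL_IPS="$(first_field_ips /var/log/nginx/*)"
# comm needs both inputs sorted the same way; both lists come from "sort -u" above.
VALID_IPS="$(comm -23 <(printf '%s\n' "$ALL_IPS") <(printf '%s\n' "$FILTERED_IPS"))"

case "$opt" in
    l)
        print_map_url "all IP addresses" "$ALL_IPS"
        ;;
    f)
        print_map_url "FILTERED (blocked) IP Addresses" "$FILTERED_IPS"
        ;;
    v)
        print_map_url "UNFILTERED IP Addresses" "$VALID_IPS"
        ;;
esac
-------------------------------------------------------------------------------- /rootfs/root/letsencrypt-force-reinstall: -------------------------------------------------------------------------------- 1 | 1718122011 2 | -------------------------------------------------------------------------------- /rootfs/root/locations.conf.example: -------------------------------------------------------------------------------- 1 | # Locations file 2 | # 3 | # Use this as an example of how to create a locations.conf file 4 | # "location /" tries to redirect to different home directories based on the hostname used 5 | # the following location entries reverse-proxy the request to the internal URL servicing the request 6 | 7 | location / { 8 | if ($host = mydomain-1.com) { 9 | return 301 https://mydomain-1.com/mydomain-1; 10 | } 11 | 12 | if ($host = mydomain-2.com) { 13 | return 301 https://mydomain-2.com/mydomain-3; 14 | } 15 | 16 | if ($host = mydomain-3.net) { 17 | return 301 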
https://mydomain-3.net/index.html; 18 | } 19 | # if none of the redirects matched, then try to load the URL as-is. If it fails, return a 404-not found: 20 | try_files $uri $uri/ =404; 21 | } 22 | 23 | # Notwithstanding the "location /" definition above, if the file requested is "my-query", then go get that file: 24 | location /my-query { 25 | try_files $uri $uri/ =404; 26 | } 27 | 28 | # Here are a bunch of reverse proxy definitions. This is what you'd normally want for your container: 29 | location /readsb/ { 30 | proxy_pass http://10.0.0.191:8080/; 31 | } 32 | 33 | location /piaware/ { 34 | proxy_pass http://10.0.0.191:8081/; 35 | } 36 | 37 | location /tar1090/ { 38 | proxy_pass http://10.0.0.191:8082/; 39 | } 40 | 41 | location /adsb/ { 42 | proxy_pass http://10.0.0.191:8082/; 43 | } 44 | 45 | location /planefence/ { 46 | proxy_pass http://10.0.0.191:8083/; 47 | } 48 | 49 | location /plane-alert/ { 50 | proxy_pass http://10.0.0.191:8083/plane-alert/; 51 | } 52 | 53 | location /planefence-dev/ { 54 | proxy_pass http://10.0.0.191:8084/; 55 | } 56 | 57 | location /planefinns/ { 58 | proxy_pass http://10.0.0.191:8085/; 59 | } 60 | 61 | location /planefinder/ { 62 | proxy_pass http://10.0.0.191:8086/; 63 | } 64 | 65 | location /pf-test/ { 66 | proxy_pass http://10.0.0.191:8086/; 67 | } 68 | 69 | 70 | location /planefinder/setup.html { 71 | # this redirect points at the internal address, so it only works from within the intranet; it does not itself restrict who may request this URL 72 | return 301 http://10.0.0.191:8086/setup.html; 73 | } 74 | 75 | location /planefinder/logs.html { 76 | # this redirect points at the internal address, so it only works from within the intranet; it does not itself restrict who may request this URL 77 | return 301 http://10.0.0.191:8086/logs.html; 78 | } 79 | 80 | location /ajax/ { 81 | # sloppy programming - planefinder makes a call to the root that we need to rewrite 82 | proxy_pass http://10.0.0.191:8086/ajax/; 83 | } 84 | 85 | location /stats/ { 86 | proxy_pass http://10.0.0.191:8080/graphs/; 87 | } 88 | 89 | location /graphs/ { 90 | proxy_pass http://10.0.0.191:8080/graphs/; 91 | } 92 | location /radar/ { 93 | proxy_pass 
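http://10.0.0.191:8080/radar/; 94 | # this is needed because of URL issues with the graphs package in readsb 95 | } 96 | 97 | # acarshub makes a number of live database calls that need the "proxy_set_header" arguments as below: 98 | location /acarshub/ { 99 | proxy_pass http://10.0.0.188:80/; 100 | proxy_set_header Upgrade $http_upgrade; 101 | proxy_set_header Connection $http_connection; 102 | proxy_set_header Host $http_host; 103 | } 104 | 105 | location /acarsdb/ { 106 | proxy_pass http://10.0.0.188:8080/acarsdb/; 107 | } 108 | 109 | location /noise/ { 110 | proxy_pass http://10.0.0.191:30088/; 111 | } 112 | 113 | location /noisecapt/ { 114 | proxy_pass http://10.0.0.191:30088/; 115 | } 116 | 117 | location /portainer/ { 118 | proxy_pass http://127.0.0.1:9000/; 119 | } 120 | 121 | # last, let's define the order of index files that the proxy tries to get if we're trying to get the local web server: 122 | index index.html index.htm index.nginx-debian.html; 123 | -------------------------------------------------------------------------------- /rootfs/root/manage_ipblock: --------------------------------------------------------------------------------
#!/command/with-contenv bash
#shellcheck shell=bash

# manage_ipblock -- manage the iptables block list of this container.
#
#   manage_ipblock -h | --help | -?   show the help text
#   manage_ipblock <args...>          run "iptables <args...>"
#   manage_ipblock                    interactively edit the IP Block List or IP Allow List
#
# Files:
#   /run/nginx/ip-blocklist   one entry per line: "ipaddress reason timestamp"
#   /run/nginx/ip-allowlist   one "grep" pattern per line
#
# Entries typed into the editor end up as iptables arguments and as match keys for
# the block list file. They are therefore validated as address literals, always
# quoted, and compared as exact strings rather than as regular expressions.

BLOCKLIST=/run/nginx/ip-blocklist
ALLOWLIST=/run/nginx/ip-allowlist

if [[ "$1" == "-h" || "$1" == "--help" || "$1" == "-?" ]]
then
    echo "Usage:"
    echo "$0 -? -h --help : show this help message"
    echo "$0 (without args): edit your IP Block List"
    echo "$0 with any other argument will execute \"iptables\" passing those arguments For example:"
    echo "$0 -L : list the current iptable ruleset"
    echo "$0 -L -n : list the current iptable ruleset (no name resolution for ip addresses"
    exit 0
fi

if [[ -n "$1" ]]
then
    # "$@" passes every argument through exactly as given: no limit of nine, and
    # no word splitting or glob expansion of an argument by this script.
    iptables "$@"
    # The exit status of iptables is not propagated; its own error output is shown.
    exit 0
fi

# Address literals accepted for the block list: IPv4 or IPv6, optionally with a prefix length.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
ipv6_re='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?$'

# Succeed when $1 looks like an IP address or CIDR range.
is_address() {
    [[ "$1" =~ $ipv4_re || "$1" =~ $ipv6_re ]]
}

# Print the unique first fields of file $1, ignoring blank lines and "#" comment lines.
list_addresses() {
    awk '$1 != "" && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# Succeed when $1 matches a pattern of the IP Allow List.
# Blank lines are left out: an empty pattern matches every input, so one stray
# blank line would make every address count as allow-listed.
is_allowlisted() {
    grep -q -f <(grep -v '^[[:space:]]*$' "$ALLOWLIST") <<< "$1"
}

[[ -f "$BLOCKLIST" ]] || touch "$BLOCKLIST"
[[ -f "$ALLOWLIST" ]] || touch "$ALLOWLIST"

# Work in a private temporary directory instead of fixed file names under /tmp,
# so the working copies cannot collide with, or be pre-created by, anything else.
workdir="$(mktemp -d)" || { echo "error -- could not create a temporary directory" >&2; exit 1; }
trap 'rm -rf "$workdir"' EXIT

cp "$BLOCKLIST" "$workdir/ip-blocklist.edit"
list_addresses "$BLOCKLIST" > "$workdir/blocklist.before"

cp "$ALLOWLIST" "$workdir/ip-allowlist.edit"
sort -u -k 1,1 "$ALLOWLIST" > "$workdir/allowlist.before"

# "wc -l < file" prints only the number (no file name), so the sentence reads correctly.
echo "Currently, there are $(wc -l < "$workdir/blocklist.before") IP addresses in the IP Block List."
echo "Currently, there are $(wc -l < "$workdir/allowlist.before") IP patterns in the IP Allow List."
read -r -n 1 -p "Do you want to edit the (b)lock list or the (a)llow list? (b/a) " a
a=${a,,}

if [[ "$a" == "b" ]]
then
    echo ""
    echo "Editing the IP Block List."
    echo "If you want to manually add additional IP addresses to the list, simply put an IP address by itself on a new line."
    echo "No need to add any additional information to it."
    echo ""
    read -r -p "Press ENTER to start editing the IP Block List using the nano editor"

    nano -l "$workdir/ip-blocklist.edit"
    list_addresses "$workdir/ip-blocklist.edit" > "$workdir/blocklist.after"

    # Compare addresses only (first field). Comparing whole lines would report an
    # entry whose reason or timestamp was edited as both an add and a delete, and
    # the delete pass would then unblock it.
    readarray -t adds < <(comm -23 "$workdir/blocklist.after" "$workdir/blocklist.before")
    readarray -t deletes < <(comm -13 "$workdir/blocklist.after" "$workdir/blocklist.before")

    # Record the new addresses in the block list file and insert their DROP rules.
    for s in "${adds[@]}"
    do
        if ! is_address "$s"
        then
            echo "$s: error -- add failed: not an IP address or CIDR range. Skipping..."
        elif is_allowlisted "$s"
        then
            echo "$s: error -- add failed: this IP matches the IP Allow List. Skipping..."
        elif iptables -C INPUT -s "$s" -j DROP >/dev/null 2>&1
        then
            echo "$s: error -- add failed: this IP was already blocked. Skipping..."
        else
            echo "$s manual_add $(date +%s)" >> "$BLOCKLIST"
            if iptables -I INPUT -s "$s" -j DROP >/dev/null 2>&1
            then
                echo "$s added to the IP Block List"
            else
                echo "$s: warning -- recorded in the IP Block List, but iptables did not accept the DROP rule"
            fi
        fi
    done

    # Remove the addresses that were deleted in the editor.
    # The first field is compared as an exact string (value passed via the
    # environment, so awk does no escape processing on it). A regular expression
    # built from the entry would also hit other addresses ("." matches any
    # character, and "10.0.0.1" is a prefix of "10.0.0.10"), and a "/" from a
    # CIDR entry would break a sed address.
    for s in "${deletes[@]}"
    do
        if ip="$s" awk '$1 == ENVIRON["ip"] { found = 1 } END { exit !found }' "$BLOCKLIST"
        then
            ip="$s" awk '$1 != ENVIRON["ip"]' "$BLOCKLIST" > "$workdir/blocklist.new" \
                && cat "$workdir/blocklist.new" > "$BLOCKLIST"
            # Only address literals are handed to iptables; other junk is just dropped from the file.
            is_address "$s" && iptables -D INPUT -s "$s" -j DROP >/dev/null 2>&1
            echo "$s deleted from the IP Block List"
        else
            echo "$s: error -- delete failed: this IP was not in the block list. Skipping..."
        fi
    done
elif [[ "$a" == "a" ]]
then
    # Allow List entries are "grep" regular expressions, not address literals:
    # an unescaped "." matches any character and an unanchored pattern matches
    # anywhere in the address. For instance "^10.1" matches 10.1.x.x but also
    # 10.10.x.x and 101.x.x.x; "^10\.1\." matches 10.1.x.x only. A pattern that
    # is too loose exempts more addresses from blocking than intended.
    echo ""
    echo "Editing the IP Allow List."
    echo "The IP Allow List contains \"grep\" patterns of IP addresses that won't be excluded, even if they contain BOT or GeoIP restricted info. "
    echo "For example, to exclude all IP addresses in the range 192.168.xx.xx, simply add \"192.168\" to the list."
    echo "You can use \"^\" to indicate the beginning of an IP address."
    echo "Example: \"^192.168\" will allow all 192.168.xx.xx addresses, but it will not exclude \"10.0.192.168\"."
    echo ""
    read -r -p "Press ENTER to start editing the IP Allow List using the nano editor"

    nano -l "$workdir/ip-allowlist.edit"
    # Blank lines are not installed: as a grep pattern an empty line matches everything.
    grep -v '^[[:space:]]*$' "$workdir/ip-allowlist.edit" | sort -u -k 1,1 > "$ALLOWLIST"

    readarray -t adds < <(comm -23 "$ALLOWLIST" "$workdir/allowlist.before")
    readarray -t deletes < <(comm -13 "$ALLOWLIST" "$workdir/allowlist.before")
    echo ""
    echo "You added ${#adds[*]} and deleted ${#deletes[*]} entries from the IP Allow List."
    if (( ${#adds[*]} + ${#deletes[*]} > 0 ))
    then
        echo "If you want your changes to be in effect immediately, you should restart the container."
        echo "If you don't restart the container, the updated IP Allow List will only be used for future log entries and any currently blocked entries will stay in place until they $( [[ "$IPTABLES_JAILTIME" -gt 0 ]] && echo "time out after $IPTABLES_JAILTIME seconds" || echo "are manually removed")."
    fi
fi

# The temporary directory is removed by the EXIT trap.
echo "Done!"
-------------------------------------------------------------------------------- /rootfs/root/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | include /etc/nginx/modules-enabled/*.conf; 5 | 6 | #load_module /path/to/modules/ndk_http_module.so; # assuming NDK is built as a dynamic module too 7 | #load_module /path/to/modules/ngx_http_lua_module.so; 8 | 9 | events { 10 | worker_connections 768; 11 | # multi_accept on; 12 | } 13 | 14 | http { 15 | 16 | ## 17 | # Basic Settings 18 | ## 19 | 20 | sendfile on; 21 | tcp_nopush on; 22 | tcp_nodelay on; 23 | keepalive_timeout 65; 24 | types_hash_max_size 2048; 25 | # server_tokens off; 26 | 27 | # server_names_hash_bucket_size 64; 28 | # server_name_in_redirect off; 29 | 30 | include /etc/nginx/mime.types; 31 | default_type application/octet-stream; 32 | 33 | #include geoip config 34 | include /etc/nginx/geoip_countries.conf; 35 | 36 | ## 37 | # SSL Settings 38 | # SSL will be enabled in a future version of this container 39 | ## 40 | 41 | # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE 42 | # ssl_prefer_server_ciphers on; 43 | 44 | ## 45 | # Logging Settings 46 | ## 47 | 48 | #access_log /var/log/nginx/access.log; 49 | #error_log /var/log/nginx/error.log; 50 | 51 | access_log /dev/stdout; 52 | error_log /dev/stdout; 53 | 54 | ## 55 | # Gzip Settings 56 | ## 57 | 58 | # gzip on; 59 | 60 | # gzip_vary on; 61 | # gzip_proxied any; 62 | # gzip_comp_level 6; 63 | 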
# gzip_buffers 16 8k; 64 | # gzip_http_version 1.1; 65 | # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 66 | 67 | ## 68 | # Virtual Host Configs 69 | ## 70 | 71 | include /etc/nginx/conf.d/*.conf; 72 | include /etc/nginx/sites-enabled/*; 73 | 74 | 75 | } 76 | 77 | 78 | #mail { 79 | # # See sample authentication script at: 80 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript 81 | # 82 | # # auth_http localhost/auth.php; 83 | # # pop3_capabilities "TOP" "USER"; 84 | # # imap_capabilities "IMAP4rev1" "UIDPLUS"; 85 | # 86 | # server { 87 | # listen localhost:110; 88 | # protocol pop3; 89 | # proxy on; 90 | # } 91 | # 92 | # server { 93 | # listen localhost:143; 94 | # protocol imap; 95 | # proxy on; 96 | # } 97 | #} 98 | --------------------------------------------------------------------------------