diff --git a/root/defaults/nginx/dhparams.pem b/root/defaults/nginx/dhparams.pem new file mode 100644 index 00000000..eed4c41e --- /dev/null +++ b/root/defaults/nginx/dhparams.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/root/defaults/nginx/nginx.conf.sample b/root/defaults/nginx/nginx.conf.sample new file mode 100644 index 00000000..913d191c --- /dev/null +++ b/root/defaults/nginx/nginx.conf.sample 
@@ -0,0 +1,91 @@
+# #
+# @project TVApp2
+# @usage Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+# @file nginx.conf.sample
+# @repo.1 https://github.com/TheBinaryNinja/tvapp2
+# @repo.2 https://git.binaryninja.net/BinaryNinja/tvapp2
+# @repo.3 https://github.com/aetherinox/docker-base-alpine
+# #
+
+user dockerx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events
+{
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http
+{
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ # resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+ include /config/nginx/resolver.conf;
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 0;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+ # all ssl related config moved to ssl.conf
+ # included in server blocks where listen 443 is defined
+
+ # Enable gzipping of responses.
+ # gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+ gzip_vary on;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade
+ {
+ default upgrade;
+ '' close;
+ }
+
+ # Enable http2 by default for all servers
+ http2 on;
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /config/log/nginx/access.log;
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http.d/*.conf;
+ include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
new file mode 100644
index 00000000..3349e53d
--- /dev/null
+++ b/root/defaults/nginx/site-confs/default.conf.sample
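Review bot: `client_max_body_size 0;` in the http block removes the request-body cap for every server that inherits it, so any endpoint that reads a body (the PHP handler in default.conf.sample, or any user-added site-conf) accepts bodies of unbounded size; for a service whose job is serving m3u and xml guide files, a bounded default such as `client_max_body_size 10m;` with a per-location override where more is needed is the safer shape. Separately, `include /etc/nginx/http.d/*.conf;` runs alongside the site-confs include, and on Alpine the nginx package ships its own `http.d/default.conf` declaring a `default_server` on port 80; if the image does not remove that file, nginx refuses to start with a duplicate default server once default.conf.sample is active. That cannot be confirmed from this diff, so it is worth a check against the Dockerfile.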
@@ -0,0 +1,82 @@
+# #
+# @project TVApp2
+# @usage Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+# @file default.conf.sample
+# @repo.1 https://github.com/TheBinaryNinja/tvapp2
+# @repo.2 https://git.binaryninja.net/BinaryNinja/tvapp2
+# @repo.3 https://github.com/aetherinox/docker-base-alpine
+# #
+
+server
+{
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+ include /config/nginx/ssl.conf;
+
+ set $root /app/www/public;
+ if (!-d /app/www/public)
+ {
+ set $root /config/www;
+ }
+
+ root $root;
+ index index.html index.htm index.php;
+
+ location /
+ {
+ # enable for basic auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # index > fancy
+ fancyindex on;
+ fancyindex_header "/theme/header.html";
+ fancyindex_footer "/theme/footer.html";
+ fancyindex_ignore "theme";
+ fancyindex_time_format "%m-%d-%Y %T";
+ fancyindex_name_length 255;
+ fancyindex_show_dotfiles off;
+ fancyindex_hide_symlinks on;
+ fancyindex_default_sort name;
+
+ # index > auto
+ autoindex_exact_size off;
+ autoindex_format html;
+ autoindex_localtime on;
+
+ gzip on;
+ gzip_vary on;
+ gzip_types text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio;
+ gzip_proxied any;
+ gzip_comp_level 1;
+ gzip_http_version 1.0;
+ gunzip on;
+ gzip_static on;
+
+ try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+ }
+
+ location ~ ^(.+\.php)(.*)$
+ {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ # deny access to .htaccess/.htpasswd files
+ location ~ /\.ht
+ {
+ deny all;
+ }
+}
diff --git a/root/defaults/nginx/ssl.conf.sample b/root/defaults/nginx/ssl.conf.sample
new file mode 100644
index 00000000..4dbb5c3f
--- /dev/null
+++ b/root/defaults/nginx/ssl.conf.sample
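Review bot: The only dotfile guard is `location ~ /\.ht { deny all; }`, so other dotfiles under the served root (`.git`, `.env`, editor backups and the like) are still served on direct request; `fancyindex_show_dotfiles off` only hides them from listings. Broadening the block to `location ~ /\.(?!well-known) { deny all; }` keeps ACME challenges reachable while denying everything else that starts with a dot. It is also worth noting that `fancyindex on` publishes a browsable index of `/app/www/public` (or `/config/www` as fallback) out of the box; if a listing is not intended for the TVApp2 output, the sample should default it to off and let deployments opt in.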
@@ -0,0 +1,66 @@
+# #
+# @project TVApp2
+# @usage Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+# @file nginx.conf.sample
+# @repo.1 https://github.com/TheBinaryNinja/tvapp2
+# @repo.2 https://git.binaryninja.net/BinaryNinja/tvapp2
+# @repo.3 https://github.com/aetherinox/docker-base-alpine
+# #
+
+# #
+# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
+# #
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# #
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+# #
+
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# #
+# intermediate configuration
+# #
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+
+# #
+# OCSP stapling
+# #
+
+# ssl_stapling on;
+# ssl_stapling_verify on;
+
+# #
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+# #
+
+# ssl_trusted_certificate /config/keys/cert.crt;
+
+# #
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+# #
+
+add_header X-Content-Type-Options nosniff;
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
+
+# #
+# Optional additional headers
+# #
+
+# add_header Cache-Control "no-transform" always;
+# add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+# add_header Permissions-Policy "interest-cohort=()" always;
+# add_header Referrer-Policy "same-origin" always;
+# add_header X-Content-Type-Options "nosniff" always;
+# add_header X-Frame-Options "SAMEORIGIN" always;
+# add_header X-UA-Compatible "IE=Edge" always;
+# add_header X-XSS-Protection "1; mode=block" always;
diff --git a/root/etc/logrotate.d/nginx b/root/etc/logrotate.d/nginx
new file mode 100644
index 00000000..4f2c085c
--- /dev/null
+++ b/root/etc/logrotate.d/nginx
@@ -0,0 +1,14 @@
+/config/log/nginx/*.log {
+ weekly
+ rotate 14
+ compress
+ delaycompress
+ nodateext
+ notifempty
+ missingok
+ sharedscripts
+ postrotate
+ s6-svc -1 /run/service/svc-nginx
+ endscript
+ su dockerx dockerx
+}
diff --git a/root/etc/logrotate.d/php-fpm b/root/etc/logrotate.d/php-fpm
new file mode 100644
index 00000000..33b92029
--- /dev/null
+++ b/root/etc/logrotate.d/php-fpm
@@ -0,0 +1,14 @@
+/config/log/php/*.log {
+ rotate 7
+ weekly
+ missingok
+ notifempty
+ delaycompress
+ compress
+ nodateext
+ sharedscripts
+ postrotate
+ s6-svc -t /run/service/svc-php-fpm
+ endscript
+ su dockerx dockerx
+}
diff --git a/root/etc/nginx/nginx.conf b/root/etc/nginx/nginx.conf
new file mode 100644
index 00000000..76d93e00
--- /dev/null
+++ b/root/etc/nginx/nginx.conf
@@ -0,0 +1 @@
+include /config/nginx/nginx.conf;
diff --git a/root/etc/s6-overlay/s6-rc.d/init-folders/run b/root/etc/s6-overlay/s6-rc.d/init-folders/run
index 971c81e8..bcdfe61a 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-folders/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-folders/run
@@ -4,4 +4,8 @@
 # make folders
 mkdir -p \
 /config/{keys,php,www} \
- /run
+ /config/log/{nginx,php} \
+ /config/nginx/site-confs \
+ /run \
+ /var/lib/nginx/tmp/client_body \
+ /var/tmp/nginx
diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/up b/root/etc/s6-overlay/s6-rc.d/init-nginx/up
index 01399789..b3b5b494 100644
--- a/root/etc/s6-overlay/s6-rc.d/init-nginx/up
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/up
@@ -1,2 +1 @@
-# this file allows you to load an nginx webserver
-# /etc/s6-overlay/s6-rc.d/init-nginx/run
+/etc/s6-overlay/s6-rc.d/init-nginx/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-permissions/run b/root/etc/s6-overlay/s6-rc.d/init-permissions/run
index d3d8186d..8f718719 100755
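Review bot: The header block of ssl.conf.sample carries `# @file nginx.conf.sample`, and the HSTS comment advertises `(63072000 seconds)` while the directive actually sets `max-age=31536000`; both should agree with the file (`# @file ssl.conf.sample`, and either `max-age=63072000` or a corrected comment). The `ssl_ciphers` line also diverges from the Mozilla intermediate profile the comment cites: it keeps only the two AES-128-GCM ECDHE suites and drops the AES-256-GCM, ChaCha20-Poly1305 and DHE suites of that profile, and sets `ssl_prefer_server_ciphers on` where the profile uses off. TLS 1.3 clients are unaffected, but TLS 1.2-only clients lacking those two suites will fail the handshake, so if the narrowing is deliberate it deserves a comment saying so. `add_header X-Content-Type-Options nosniff;` is declared once without `always` and again in the commented optional list; keeping the single `always` form stops the header from disappearing on error responses.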
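Review bot: The php-fpm rule's postrotate sends `s6-svc -t /run/service/svc-php-fpm`, which terminates and restarts the whole php-fpm pool every week just to rotate its log, whereas the nginx rule beside it uses `-1` (SIGUSR1) for a reopen without downtime. php-fpm's master process also reopens its log file on SIGUSR1, so `s6-svc -1 /run/service/svc-php-fpm` would match the nginx rule and avoid dropping in-flight requests at rotation time; confirm the service name matches the php-fpm service defined elsewhere in the image, which is not visible here.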
--- a/root/etc/s6-overlay/s6-rc.d/init-permissions/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-permissions/run
@@ -2,13 +2,22 @@
 # shellcheck shell=bash
 # permissions
+aetherxown -R dockerx:dockerx \
+ /var/lib/nginx \
+ /var/tmp/nginx
+
 aetherxown -R dockerx:dockerx \
 /config/keys \
 /config/log \
+ /config/nginx \
+ /config/php
 aetherxown dockerx:dockerx \
 /config/www
+chmod -R g+w \
+ /config/nginx
+
 chmod -R 644 /etc/logrotate.d
 if [[ -f "/config/log/logrotate.status" ]]; then
diff --git a/root/etc/s6-overlay/s6-rc.d/init-version-checks/run b/root/etc/s6-overlay/s6-rc.d/init-version-checks/run
index c3f66072..c7dae0d8 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-version-checks/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-version-checks/run
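Review bot: `chmod -R g+w /config/nginx` makes the whole nginx configuration tree, including every file that nginx.conf and the site-confs `include`, writable by everyone in the dockerx group, on top of the owner write that the preceding `aetherxown -R dockerx:dockerx /config/nginx` already grants. nginx.conf declares `user dockerx;`, which presumably means the master process runs as root and reloads this configuration, so any process running under that group could rewrite what root loads; unless a second account genuinely needs to edit these files, the `g+w` step should be dropped, or narrowed to `/config/nginx/site-confs` with a comment naming who needs it. The script continues past the hunk.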
@@ -2,23 +2,23 @@
 # shellcheck shell=bash
 # detect nginx configs with dates not matching the provided sample files
-# active_confs=$(find /config/nginx/ -name "*.conf" -type f 2>/dev/null)
+active_confs=$(find /config/nginx/ -name "*.conf" -type f 2>/dev/null)
-# for i in ${active_confs}; do
-# if [ -f "${i}.sample" ]; then
-# if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}")" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample")" ]; then
-# active_confs_changed="│ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}" | tr / -)") │ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample" | tr / -)") │ $(printf '%-70s' "${i}") │\n${active_confs_changed}"
-# fi
-# fi
-# done
+for i in ${active_confs}; do
+ if [ -f "${i}.sample" ]; then
+ if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}")" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample")" ]; then
+ active_confs_changed="│ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}" | tr / -)") │ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample" | tr / -)") │ $(printf '%-70s' "${i}") │\n${active_confs_changed}"
+ fi
+ fi
+done
 # detect site-confs with wrong extension
-# site_confs_wrong_ext=$(find /config/nginx/site-confs/ -type f -not -name "*.conf" -not -name "*.conf.sample" 2>/dev/null)
+site_confs_wrong_ext=$(find /config/nginx/site-confs/ -type f -not -name "*.conf" -not -name "*.conf.sample" 2>/dev/null)
-# if [ -n "${site_confs_wrong_ext}" ]; then
-# echo "**** The following site-confs have extensions other than .conf ****"
-# echo "**** This may be due to user customization. ****"
-# echo "**** You should review the files and rename them to use the .conf extension or remove them. ****"
-# echo "**** nginx.conf will only include site-confs with the .conf extension. ****"
-# echo -e "${site_confs_wrong_ext}"
-# fi
+if [ -n "${site_confs_wrong_ext}" ]; then
+ echo "**** The following site-confs have extensions other than .conf ****"
+ echo "**** This may be due to user customization. ****"
+ echo "**** You should review the files and rename them to use the .conf extension or remove them. ****"
+ echo "**** nginx.conf will only include site-confs with the .conf extension. ****"
+ echo -e "${site_confs_wrong_ext}"
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-nginx/run b/root/etc/s6-overlay/s6-rc.d/svc-nginx/run
index 6c5002f3..007cec5b 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-nginx/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-nginx/run
@@ -1,3 +1,16 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+
+if pgrep -f "[n]ginx:" >/dev/null; then
+ echo "Zombie nginx processes detected, sending SIGTERM"
+ pkill -ef [n]ginx:
+ sleep 1
+fi
+
+if pgrep -f "[n]ginx:" >/dev/null; then
+ echo "Zombie nginx processes still active, sending SIGKILL"
+ pkill -9 -ef [n]ginx:
+ sleep 1
+fi
+
 # exec /usr/sbin/nginx
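Review bot: The drift check is now enabled, but it only compares `## Version YYYY/MM/DD` lines, and none of the sample files added in this same commit (nginx.conf.sample, default.conf.sample, ssl.conf.sample) carry such a line; their headers use `# @file` and `# @repo` tags only. Both `sed` invocations therefore return empty strings, the `!=` test is always false, and `active_confs_changed` is never populated, so the check is inert as shipped. Either add a `## Version <date>` line to each sample (and bump it whenever the sample changes) or adapt the `sed` pattern to a tag the samples actually carry. The unquoted `for i in ${active_confs}` also word-splits paths containing spaces; a `while IFS= read -r i` loop over the `find` output avoids that. The script continues past the hunk, so whatever reports `active_confs_changed` is not visible here.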
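Review bot: The two `pkill` patterns `[n]ginx:` are unquoted, unlike the `pgrep -f "[n]ginx:"` tests above them, so the shell treats them as globs before pkill sees them; `pkill -ef "[n]ginx:"` and `pkill -9 -ef "[n]ginx:"` keep both halves consistent and immune to a stray file in the working directory. Because `-f` matches the full command line, any process whose arguments merely contain `nginx:` is also a candidate, so the pattern should stay as close to nginx's process title as possible. The hunk also ends with `# exec /usr/sbin/nginx` still commented out and no trailing context, which suggests this run script clears stale processes but starts nothing; if nginx is launched from init-nginx/run instead, a one-line comment saying so would stop the next reader from treating this as a bug.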