v7.0.0 (#155)

Major updates
* All init / request / regenerate executables now support single domains - use `-d XXXXXX`
* Adding support for NAXSI web application firewall - use `PROXY_ENABLE_NAXSI=1`

Minor updates
* Using latest base image
* Renaming `PROXY_URI` to `PROXY_DOMAIN` (if you don't rename you'll get a warning in logs but it will still work)
* Adding more debug output

Documentation updates
* Adding new arguments to README

Author: bfren

Dockerfile

@@ -9,12 +9,14 @@ ARG BF_VERSION
 EXPOSE 443
 
 ENV \
-    # the base URI of the proxy server (will be used when SSL bindings fail)
-    PROXY_URI= \
+    # the base domain of the proxy server (will be used when SSL bindings fail)
+    PROXY_DOMAIN= \
     # clean all config and certificates before doing anything else
     PROXY_CLEAN_INSTALL=0 \
     # enable automatic certificate updating
     PROXY_ENABLE_AUTO_UPDATE=1 \
+    # enable NAXSI web application firewall
+    PROXY_ENABLE_NAXSI=0 \
     # use hardened mode (remove old / insecure ciphers and protocols)
     PROXY_HARDEN=0 \
     # used for renewal notification emails

README.md

@@ -4,7 +4,7 @@
 
 [Docker Repository](https://hub.docker.com/r/bfren/nginx-proxy) - [bfren ecosystem](https://github.com/bfren/docker)
 
-Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.
+Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.  Also includes [NAXSI](https://github.com/nbs-system/naxsi), a web application firewall.
 
 As of v4, configuration is handled via a JSON file - see ssl-conf-sample.json for an example and ssl-conf-schema.json for the full file definition.
 
@@ -36,33 +36,34 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 
 | Variable                              | Values                | Description                                                                                                                                   | Default               |
 | ------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `PROXY_URI`                           | URI                   | The base URI of the proxy server - will be used to handle unbound requests.                                                                   | *None* - **required** |
+| `PROXY_AUTO_PRIMARY`                  | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
+| `PROXY_AUTO_UPSTREAM`                 | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
+| `PROXY_AUTO_ALIASES`                  | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
+| `PROXY_AUTO_CUSTOM`                   | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
 | `PROXY_CLEAN_INSTALL`                 | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
+| `PROXY_DOMAIN`                        | URI                   | The base domain of the proxy server - will be used to handle unbound requests.                                                                | *None* - **required** |
+| `PROXY_ENABLE_NAXSI`                  | 0 or 1                | If 1, NAXSI web application firewall will be enabled for all sites.                                                                           | 0                     |
+| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`  | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
 | `PROXY_HARDEN`                        | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
 | `PROXY_LETS_ENCRYPT_EMAIL`            | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
 | `PROXY_LETS_ENCRYPT_LIVE`             | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
+| `PROXY_MAINTENANCE_REFRESH_SECONDS`   | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
 | `PROXY_SSL_DHPARAM_BITS`              | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
 | `PROXY_SSL_REDIRECT_TO_CANONICAL`     | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
-| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`  | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
-| `PROXY_AUTO_PRIMARY`                  | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
-| `PROXY_AUTO_UPSTREAM`                 | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
-| `PROXY_AUTO_ALIASES`                  | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
-| `PROXY_AUTO_CUSTOM`                   | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
 | `PROXY_UPSTREAM_DNS_RESOLVER`         | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
-| `PROXY_MAINTENANCE_REFRESH_SECONDS`   | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
 
 ## Helper Functions
 
-| Function              | Arguments                 | Description                                                                                                                   |
-| --------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| `nginx-adduser`       | 0: username, 1: password  | Add a user to enable basic HTTP auth.                                                                                         |
-| `nginx-regenerate`    | -f: force                 | Removes non-custom Nginx configuration files (in `/sites`) and regenerates based on `conf.json` (with force, removes all).    |
-| `ssl-cleanup`         | -m: mode                  | Removes SSL and Nginx configuration files and directories not defined in `conf.json` (mode 0 = dry run, 1 = live).            |
-| `ssl-init`            | *None*                    | Initialises SSL configuration based on `conf.json`.                                                                           |
-| `ssl-regenerate`      | *None*                    | Removes SSL configuration files (in `/ssl/certs`) and regenerates based on `conf.json`.                                       |
-| `ssl-regenerate-full` | *None*                    | Removes SSL configuration files (in `/ssl/certs`), as well as DH parameters, and regenerates based on `conf.json`.            |
-| `ssl-request`         | *None*                    | Requests SSL certificates from Lets Encrypt.                                                                                  |
-| `ssl-update`          | *None*                    | Attempts to update SSL certificates manually.                                                                                 |
+| Function              | Arguments                                                 | Description                                                                                                                   |
+| --------------------- | --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| `nginx-adduser`       | 0: username, 1: password                                  | Add a user to enable basic HTTP auth.                                                                                         |
+| `nginx-regenerate`    | -a: all domains, -d XXXXXX: only domain XXXXXX, -f: force | Removes non-custom Nginx configuration files (in `/sites`) and regenerates based on `conf.json` (with force, removes all).    |
+| `ssl-cleanup`         | -m: mode                                                  | Removes SSL and Nginx configuration files and directories not defined in `conf.json` (mode 0 = dry run, 1 = live).            |
+| `ssl-init`            | -a: all domains, -d XXXXXX: only domain XXXXXX            | Initialises SSL configuration based on `conf.json`.                                                                           |
+| `ssl-regenerate`      | -a: all domains, -d XXXXXX: only domain XXXXXX            | Removes SSL configuration files (in `/ssl/certs`) and regenerates based on `conf.json`.                                       |
+| `ssl-regenerate-full` | *None*                                                    | Removes SSL configuration files (in `/ssl/certs`), as well as DH parameters, and regenerates based on `conf.json`.            |
+| `ssl-request`         | -a: all domains, -d XXXXXX: only domain XXXXXX            | Requests SSL certificates from Lets Encrypt.                                                                                  |
+| `ssl-update`          | -a: all domains, -d XXXXXX: only domain XXXXXX            | Attempts to update SSL certificates manually.                                                                                 |
 
 ## Nginx Configuration Helpers
 

VERSION

@@ -1 +1 @@
-6.1.7
+7.0.0

VERSION_MAJOR

@@ -1 +1 @@
-6
+7

VERSION_MINOR

@@ -1 +1 @@
-6.1
+7.0

overlay/etc/bf/ch.d/20-proxy

@@ -1,3 +1,4 @@
+/etc/naxsi www:www 0640 0750
 /etc/nginx/sites www:www 0640 0750
 /etc/ssl/certs www:www 0640 0750
 /sites www:www 0640 0750

overlay/etc/bf/init.d/20-env

@@ -36,3 +36,8 @@ if [ "${PROXY_GETSSL_DEBUG-}" = "1" ] ; then
 else
     bf-env "PROXY_GETSSL_FLAGS" "-U"
 fi
+
+if [ -n "${PROXY_URI-}" ] ; then
+    bf-notok "Please rename your PROXY_URI environment variable to PROXY_DOMAIN."
+    bf-env "PROXY_DOMAIN" "${PROXY_URI}"
+fi

overlay/etc/bf/init.d/22-ssl-init

@@ -38,7 +38,7 @@ fi
 
 
 #======================================================================================================================
-# Run initialisation script.
+# Run initialisation script for the proxy domain.
 #======================================================================================================================
 
-ssl-init
+ssl-init -d "proxy"

overlay/etc/bf/init.d/23-naxsi

@@ -0,0 +1,13 @@
+#!/command/with-contenv bash
+
+set -euo pipefail
+export BF_E=`basename ${0}`
+
+
+#======================================================================================================================
+# Generate NAXSI configuration.
+#======================================================================================================================
+
+bf-echo "Generating NAXSI files."
+bf-esh ${BF_TEMPLATES}/naxsi.conf.esh /etc/nginx/helpers/naxsi.conf
+bf-done