Mirrored_Repos/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/jc21/nginx-proxy-manager.git synced 2024-08-30 18:22:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updates to user/group determination after recent changes to v2 branch

Browse Source
This commit is contained in:
Jamie Curnow 2023-04-11 09:12:48 +10:00
parent fe46da3355
commit c0c89e5d15
No known key found for this signature in database
GPG Key ID: FFBB624C43388E9E
18 changed files with 267 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker/dev/Dockerfile
View File

@ -29,7 +29,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
&& npm install --location=global yarn \ && npm install --location=global yarn \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* /etc/fail2ban \ && rm -rf /var/lib/apt/lists/* /etc/fail2ban \
&& go install github.com/xo/usql@master && go install github.com/xo/usql@v0.13.12
# Task # Task
RUN cd /usr \ RUN cd /usr \

47
docker/rootfs/bin/common.sh Normal file
View File

@ -0,0 +1,47 @@
#!/bin/bash
set -e
CYAN='\E[1;36m'
BLUE='\E[1;34m'
YELLOW='\E[1;33m'
RED='\E[1;31m'
RESET='\E[0m'
export CYAN BLUE YELLOW RED RESET
PUID=${PUID:-0}
PGID=${PGID:-0}
if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then
# set group id to same as user id,
# the user probably forgot to specify the group id and
# it would be rediculous to intentionally use the root group
# for a non-root user
PGID=$PUID
fi
export PUID PGID
log_info () {
echo -e "${BLUE} ${CYAN}$1${RESET}"
}
log_error () {
echo -e "${RED} $1${RESET}"
}
log_fatal () {
echo -e "${RED}--------------------------------------${RESET}"
echo -e "${RED}ERROR: $1${RESET}"
echo -e "${RED}--------------------------------------${RESET}"
/run/s6/basedir/bin/halt
exit 1
}
disable_ipv6 () {
if [ "$DISABLE_IPV6" == 'true' ] || [ "$DISABLE_IPV6" == 'on' ] || [ "$DISABLE_IPV6" == '1' ] || [ "$DISABLE_IPV6" == 'yes' ]; then
echo '1'
else
echo '0'
fi
}

2
docker/rootfs/etc/nginx/conf.d/include/ip_ranges.conf Normal file
View File

@ -0,0 +1,2 @@
# This should be left blank is it is populated programatically
# by the application backend.

39
docker/rootfs/etc/nginx/nginx.conf
View File

@ -1,7 +1,7 @@
# run nginx in foreground # run nginx in foreground
daemon off; daemon off;
#user npmuser;
pid /run/nginx/nginx.pid; pid /run/nginx/nginx.pid;
user npmuser;
# Set number of worker processes automatically based on number of CPU cores. # Set number of worker processes automatically based on number of CPU cores.
worker_processes auto; worker_processes auto;
@ -9,7 +9,7 @@ worker_processes auto;
# Enables the use of JIT for regular expressions to speed-up their processing. # Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on; pcre_jit on;
error_log /data/logs/error.log warn; error_log /data/logs/fallback_error.log warn;
# Includes files with directives to load dynamic modules. # Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
@ -41,7 +41,12 @@ http {
proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m; proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"'; log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
access_log /data/logs/default.log proxy; log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
access_log /data/logs/fallback_access.log proxy;
# Dynamically generated resolvers file
include /etc/nginx/conf.d/include/resolvers.conf;
# Default upstream scheme # Default upstream scheme
map $host $forward_scheme { map $host $forward_scheme {
@ -49,18 +54,38 @@ http {
} }
# Real IP Determination # Real IP Determination
# Docker subnet:
set_real_ip_from 172.0.0.0/8; # Local subnets:
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
set_real_ip_from 192.168.0.0/16;
# NPM generated CDN ip ranges: # NPM generated CDN ip ranges:
#include conf.d/include/ip_ranges.conf; include conf.d/include/ip_ranges.conf;
# always put the following 2 lines after ip subnets: # always put the following 2 lines after ip subnets:
real_ip_header X-Forwarded-For; real_ip_header X-Real-IP;
real_ip_recursive on; real_ip_recursive on;
# Custom
include /data/nginx/custom/http_top[.]conf;
# Files generated by NPM # Files generated by NPM
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
include /data/nginx/default_host/*.conf; include /data/nginx/default_host/*.conf;
include /data/nginx/upstreams/*.conf; include /data/nginx/upstreams/*.conf;
include /data/nginx/hosts/*.conf; include /data/nginx/hosts/*.conf;
include /data/nginx/streams/*.conf; include /data/nginx/streams/*.conf;
# Custom
include /data/nginx/custom/http[.]conf;
} }
stream {
# Files generated by NPM
include /data/nginx/stream/*.conf;
# Custom
include /data/nginx/custom/stream[.]conf;
}
# Custom
include /data/nginx/custom/root[.]conf;

4
docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
View File

@ -3,7 +3,9 @@
set -e set -e
echo " Starting backend ..." . /bin/common.sh
log_info 'Starting backend ...'
if [ "$DEVELOPMENT" == "true" ]; then if [ "$DEVELOPMENT" == "true" ]; then
HOME=/tmp/npmuserhome HOME=/tmp/npmuserhome

4
docker/rootfs/etc/s6-overlay/s6-rc.d/fail2ban/run
View File

@ -1,5 +1,7 @@
#!/command/with-contenv bash #!/command/with-contenv bash
# shellcheck shell=bash # shellcheck shell=bash
echo " Starting fail2ban ..." . /bin/common.sh
log_info 'Starting fail2ban ...'
exec /usr/bin/fail2ban-client -c /fail2ban -x -vv -f start exec /usr/bin/fail2ban-client -c /fail2ban -x -vv -f start

6
docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
View File

@ -10,7 +10,13 @@ if [ "$DEVELOPMENT" == "true" ]; then
HOME=/tmp/npmuserhome HOME=/tmp/npmuserhome
export CI export CI
export HOME export HOME
. /bin/common.sh
cd /app/frontend || exit 1 cd /app/frontend || exit 1
HOME=/tmp/npmuserhome
export HOME
log_info 'Starting frontend ...'
s6-setuidgid npmuser yarn install s6-setuidgid npmuser yarn install
exec s6-setuidgid npmuser yarn start exec s6-setuidgid npmuser yarn start
else else

4
docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
View File

@ -3,5 +3,7 @@
set -e set -e
echo " Starting nginx ..." . /bin/common.sh
log_info 'Starting nginx ...'
exec s6-setuidgid npmuser nginx exec s6-setuidgid npmuser nginx

18
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh Executable file
View File

@ -0,0 +1,18 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
. /bin/common.sh
if [ "$(id -u)" != "0" ]; then
log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization."
fi
. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
. /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
. /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
. /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
. /etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
. /etc/s6-overlay/s6-rc.d/prepare/60-fail2ban.sh
. /etc/s6-overlay/s6-rc.d/prepare/90-banner.sh

20
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh Executable file
View File

@ -0,0 +1,20 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info 'Configuring npmuser ...'
if id -u npmuser; then
# user already exists
usermod -u "$PUID" npmuser || exit 1
else
# Add npmuser user
useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1
fi
usermod -G "$PGID" npmuser || exit 1
groupmod -o -g "$PGID" npmuser || exit 1
# Home for npmuser
mkdir -p /tmp/npmuserhome
chown -R "$PUID:$PGID" /tmp/npmuserhome

24
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh Executable file
View File

@ -0,0 +1,24 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info 'Checking paths ...'
# Ensure /data is mounted
if [ ! -d '/data' ]; then
log_fatal '/data is not mounted! Check your docker configuration.'
fi
# Create required folders
mkdir -p /tmp/nginx/body \
/run/nginx \
/var/log/nginx \
/var/lib/nginx/cache/public \
/var/lib/nginx/cache/private \
/var/cache/nginx/proxy_temp \
/data/logs
touch /var/log/nginx/error.log || true
chmod 777 /var/log/nginx/error.log || true
chmod -R 777 /var/cache/nginx || true

22
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh Executable file
View File

@ -0,0 +1,22 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info 'Setting ownership ...'
# root
chown root /tmp/nginx
# npmuser
chown -R "$PUID:$PGID" /data \
/run/nginx \
/tmp/nginx \
/var/cache/nginx \
/var/lib/nginx \
/var/log/nginx
# Don't chown entire /etc/nginx folder as this causes crashes on some systems
chown -R "$PUID:$PGID" /etc/nginx/nginx \
/etc/nginx/nginx.conf \
/etc/nginx/conf.d

19
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh Executable file
View File

@ -0,0 +1,19 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info 'Dynamic resolvers ...'
DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
# thanks @tfmm
if [ "$(disable_ipv6)" == '1' ]; then
echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
else
echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
fi
# Fire off acme.sh wrapper script to "install" itself if required
acme.sh -h > /dev/null 2>&1

36
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh Executable file
View File

@ -0,0 +1,36 @@
#!/bin/bash
# This command reads the `DISABLE_IPV6` env var and will either enable
# or disable ipv6 in all nginx configs based on this setting.
log_info 'IPv6 ...'
# Lowercase
DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
process_folder () {
FILES=$(find "$1" -type f -name "*.conf")
SED_REGEX=
if [ "$(disable_ipv6)" == '1' ]; then
# IPV6 is disabled
echo " Disabling IPV6 in hosts in: $1"
SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
else
# IPV6 is enabled
echo " Enabling IPV6 in hosts in: $1"
SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g'
fi
for FILE in $FILES
do
echo " - ${FILE}"
sed -E -i "$SED_REGEX" "$FILE" || true
done
# ensure the files are still owned by the npmuser
chown -R "$PUID:$PGID" "$1"
}
process_folder /etc/nginx/conf.d
process_folder /data/nginx

13
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-fail2ban.sh Executable file
View File

@ -0,0 +1,13 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info 'fail2ban ...'
mkdir -p /fail2ban/{action.d,filter.d,jail.d,log}
chown -R "$PUID:$PGID" /fail2ban
mkdir -p /var/run/fail2ban \
/data/logs/fail2ban
chown nobody:nogroup /data/logs/fail2ban
chmod 02755 /data/logs/fail2ban

17
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh Executable file
View File

@ -0,0 +1,17 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
echo "
-------------------------------------
_ _ ____ __ __
| \ | | _ \| \/ |
| \| | |_) | |\/| |
| |\ | __/| | | |
|_| \_|_| |_| |_|
-------------------------------------
User ID: $PUID
Group ID: $PGID
-------------------------------------
"

71
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/script.sh
View File

@ -1,71 +0,0 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
DATA_PATH=/data
PUID=${PUID:-911}
PGID=${PGID:-911}
# Ensure /data is mounted
if [ ! -d "$DATA_PATH" ]; then
echo '--------------------------------------'
echo "ERROR: $DATA_PATH is not mounted! Check your docker configuration."
echo '--------------------------------------'
/run/s6/basedir/bin/halt
exit 1
fi
echo " Checking folder structure ..."
# Create required folders
mkdir -p /tmp/nginx/body \
/run/nginx \
/var/log/nginx \
/var/lib/nginx/cache/public \
/var/lib/nginx/cache/private \
/var/cache/nginx/proxy_temp \
/data/logs
touch /var/log/nginx/error.log && chmod 777 /var/log/nginx/error.log && chmod -R 777 /var/cache/nginx
# Dynamically generate resolvers file
echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)" ";" > /etc/nginx/conf.d/include/resolvers.conf
# Fire off acme.sh wrapper script to "install" itself if required
acme.sh -h > /dev/null 2>&1
# Add npmuser user
echo " Creating user ..."
groupmod -g 1000 users || exit 1
useradd -u "${PUID}" -U -d /data -s /bin/false npmuser || exit 1
usermod -G users npmuser || exit 1
groupmod -o -g "$PGID" npmuser || exit 1
chown -R npmuser:npmuser /data
chown -R npmuser:npmuser /run/nginx
chown -R npmuser:npmuser /etc/nginx
chown -R npmuser:npmuser /tmp/nginx
chown -R npmuser:npmuser /var/cache/nginx
chown -R npmuser:npmuser /var/lib/nginx
chown -R npmuser:npmuser /var/log/nginx
# Home for npmuser
mkdir -p /tmp/npmuserhome
chown -R npmuser:npmuser /tmp/npmuserhome
# fail2ban configuration
mkdir -p /fail2ban/{action.d,filter.d,jail.d,log}
chown -R npmuser:npmuser /fail2ban
mkdir -p /var/run/fail2ban
mkdir -p /data/logs/fail2ban
chown nobody:nogroup /data/logs/fail2ban
chmod 02755 /data/logs/fail2ban
echo
echo "-------------------------------------
_ _ ____ __ __
| \ | | _ \| \/ |
| \| | |_) | |\/| |
| |\ | __/| | | |
|_| \_|_| |_| |_|
-------------------------------------
User UID: $(id -u npmuser)
User GID: $(id -g npmuser)
-------------------------------------
"

2
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/up
View File

@ -1,2 +1,2 @@
# shellcheck shell=bash # shellcheck shell=bash
/etc/s6-overlay/s6-rc.d/prepare/script.sh /etc/s6-overlay/s6-rc.d/prepare/00-all.sh