add defaul ssl cert and patch modsec to execute after brotli

src/common/confs/server-http/ssl-certificate-lua.conf

@@ -1,3 +1,22 @@
+ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
+ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+ssl_protocols {{ SSL_PROTOCOLS }};
+ssl_prefer_server_ciphers on;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+{% if "TLSv1.2" in SSL_PROTOCOLS +%}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+
+{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
+listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+{% if USE_IPV6 == "yes" +%}
+listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+{% endif %}
+{% endif %}
+
 ssl_certificate_by_lua_block {
 	local class         = require "middleclass"
 	local clogger       = require "bunkerweb.logger"

src/common/core/customcert/confs/server-http/custom-cert.conf

@@ -1,34 +1,34 @@
-{% set os_path = import("os.path") %}
+# {% set os_path = import("os.path") %}
 
-{% if USE_CUSTOM_SSL == "yes" %}
+# {% if USE_CUSTOM_SSL == "yes" %}
 
-# listen on HTTPS PORT
-listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% if USE_IPV6 == "yes" +%}
-listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% endif %}
-
-# TLS config
-ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
-ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
-# {% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME.split(" ")[0] + "/cert.pem") %}
-# ssl_certificate /var/cache/bunkerweb/customcert/{{ SERVER_NAME.split(" ")[0] }}/cert.pem;
-# {% else %}
-# ssl_certificate /var/cache/bunkerweb/customcert/cert.pem;
+# # listen on HTTPS PORT
+# listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+# {% if USE_IPV6 == "yes" +%}
+# listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
 # {% endif %}
-# {% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME.split(" ")[0] + "/key.pem") %}
-# ssl_certificate_key /var/cache/bunkerweb/customcert/{{ SERVER_NAME.split(" ")[0] }}/key.pem;
-# {% else %}
-# ssl_certificate_key /var/cache/bunkerweb/customcert/key.pem;
-# {% endif %}
-ssl_protocols {{ SSL_PROTOCOLS }};
-ssl_prefer_server_ciphers on;
-ssl_session_tickets off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-{% if "TLSv1.2" in SSL_PROTOCOLS +%}
-ssl_dhparam /etc/nginx/dhparam;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-{% endif %}
 
-{% endif %}
+# # TLS config
+# # ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
+# # ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+# # {% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME.split(" ")[0] + "/cert.pem") %}
+# # ssl_certificate /var/cache/bunkerweb/customcert/{{ SERVER_NAME.split(" ")[0] }}/cert.pem;
+# # {% else %}
+# # ssl_certificate /var/cache/bunkerweb/customcert/cert.pem;
+# # {% endif %}
+# # {% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME.split(" ")[0] + "/key.pem") %}
+# # ssl_certificate_key /var/cache/bunkerweb/customcert/{{ SERVER_NAME.split(" ")[0] }}/key.pem;
+# # {% else %}
+# # ssl_certificate_key /var/cache/bunkerweb/customcert/key.pem;
+# # {% endif %}
+# ssl_protocols {{ SSL_PROTOCOLS }};
+# ssl_prefer_server_ciphers on;
+# ssl_session_tickets off;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m;
+# {% if "TLSv1.2" in SSL_PROTOCOLS +%}
+# ssl_dhparam /etc/nginx/dhparam;
+# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# {% endif %}
+
+# {% endif %}

src/common/core/letsencrypt/confs/server-http/lets-encrypt.conf

@@ -4,27 +4,27 @@ location ~ ^/.well-known/acme-challenge/ {
 	auth_basic off;
 }
 
-{% if AUTO_LETS_ENCRYPT == "yes" %}
+# {% if AUTO_LETS_ENCRYPT == "yes" %}
 
-# listen on HTTPS PORT
-listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% if USE_IPV6 == "yes" +%}
-listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% endif %}
+# # listen on HTTPS PORT
+# listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+# {% if USE_IPV6 == "yes" +%}
+# listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+# {% endif %}
 
-# TLS config
-ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
-ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
-#ssl_certificate /var/cache/bunkerweb/letsencrypt/etc/live/{{ SERVER_NAME.split(" ")[0] }}/fullchain.pem;
-#ssl_certificate_key /var/cache/bunkerweb/letsencrypt/etc/live/{{ SERVER_NAME.split(" ")[0] }}/privkey.pem;
-ssl_protocols {{ SSL_PROTOCOLS }};
-ssl_prefer_server_ciphers on;
-ssl_session_tickets off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-{% if "TLSv1.2" in SSL_PROTOCOLS +%}
-ssl_dhparam /etc/nginx/dhparam;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-{% endif %}
+# # TLS config
+# ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
+# ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+# #ssl_certificate /var/cache/bunkerweb/letsencrypt/etc/live/{{ SERVER_NAME.split(" ")[0] }}/fullchain.pem;
+# #ssl_certificate_key /var/cache/bunkerweb/letsencrypt/etc/live/{{ SERVER_NAME.split(" ")[0] }}/privkey.pem;
+# ssl_protocols {{ SSL_PROTOCOLS }};
+# ssl_prefer_server_ciphers on;
+# ssl_session_tickets off;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m;
+# {% if "TLSv1.2" in SSL_PROTOCOLS +%}
+# ssl_dhparam /etc/nginx/dhparam;
+# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# {% endif %}
 
-{% endif %}
+# {% endif %}

src/common/core/misc/jobs/default-server-cert.py

@@ -27,35 +27,35 @@ status = 0
 
 try:
     # Check if we need to generate a self-signed default cert for non-SNI "clients"
-    need_default_cert = False
-    if getenv("MULTISITE", "no") == "yes":
-        for first_server in getenv("SERVER_NAME", "").split(" "):
-            for check_var in (
-                "USE_CUSTOM_SSL",
-                "AUTO_LETS_ENCRYPT",
-                "GENERATE_SELF_SIGNED_SSL",
-            ):
-                if getenv(f"{first_server}_{check_var}", getenv(check_var, "no")) == "yes":
-                    need_default_cert = True
-                    break
-            if need_default_cert:
-                break
-    elif getenv("DISABLE_DEFAULT_SERVER", "no") == "yes" and (
-        "yes"
-        in (
-            getenv("USE_CUSTOM_SSL", "no"),
-            getenv("AUTO_LETS_ENCRYPT", "no"),
-            getenv("GENERATE_SELF_SIGNED_SSL", "no"),
-        )
-    ):
-        need_default_cert = True
+    # need_default_cert = False
+    # if getenv("MULTISITE", "no") == "yes":
+    #     for first_server in getenv("SERVER_NAME", "").split(" "):
+    #         for check_var in (
+    #             "USE_CUSTOM_SSL",
+    #             "AUTO_LETS_ENCRYPT",
+    #             "GENERATE_SELF_SIGNED_SSL",
+    #         ):
+    #             if getenv(f"{first_server}_{check_var}", getenv(check_var, "no")) == "yes":
+    #                 need_default_cert = True
+    #                 break
+    #         if need_default_cert:
+    #             break
+    # elif getenv("DISABLE_DEFAULT_SERVER", "no") == "yes" and (
+    #     "yes"
+    #     in (
+    #         getenv("USE_CUSTOM_SSL", "no"),
+    #         getenv("AUTO_LETS_ENCRYPT", "no"),
+    #         getenv("GENERATE_SELF_SIGNED_SSL", "no"),
+    #     )
+    # ):
+    #     need_default_cert = True
 
-    # Generate the self-signed certificate
-    if not need_default_cert:
-        logger.info(
-            "Skipping generation of self-signed certificate for default server (not needed)",
-        )
-        _exit(0)
+    # # Generate the self-signed certificate
+    # if not need_default_cert:
+    #     logger.info(
+    #         "Skipping generation of self-signed certificate for default server (not needed)",
+    #     )
+    #     _exit(0)
 
     cert_path = Path(sep, "var", "cache", "bunkerweb", "default-server-cert")
     cert_path.mkdir(parents=True, exist_ok=True)

src/common/core/selfsigned/confs/server-http/self-signed.conf

@@ -1,24 +1,24 @@
-{% if GENERATE_SELF_SIGNED_SSL == "yes" %}
+# {% if GENERATE_SELF_SIGNED_SSL == "yes" %}
 
-# listen on HTTPS PORT
-listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% if USE_IPV6 == "yes" +%}
-listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-{% endif %}
+# # listen on HTTPS PORT
+# listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+# {% if USE_IPV6 == "yes" +%}
+# listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+# {% endif %}
 
-# TLS config
-ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
-ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
-# ssl_certificate /var/cache/bunkerweb/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.pem;
-# ssl_certificate_key /var/cache/bunkerweb/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.key;
-ssl_protocols {{ SSL_PROTOCOLS }};
-ssl_prefer_server_ciphers on;
-ssl_session_tickets off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-{% if "TLSv1.2" in SSL_PROTOCOLS +%}
-ssl_dhparam /etc/nginx/dhparam;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-{% endif %}
+# # TLS config
+# ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
+# ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+# # ssl_certificate /var/cache/bunkerweb/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.pem;
+# # ssl_certificate_key /var/cache/bunkerweb/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.key;
+# ssl_protocols {{ SSL_PROTOCOLS }};
+# ssl_prefer_server_ciphers on;
+# ssl_session_tickets off;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m;
+# {% if "TLSv1.2" in SSL_PROTOCOLS +%}
+# ssl_dhparam /etc/nginx/dhparam;
+# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# {% endif %}
 
-{% endif %}
+# {% endif %}

src/deps/deps.json

@@ -25,7 +25,7 @@
       "name": "ModSecurity-nginx v1.0.3",
       "url": "https://github.com/SpiderLabs/ModSecurity-nginx.git",
       "commit": "d59e4ad121df702751940fd66bcc0b3ecb51a079",
-      "post_install": "patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_log.c src/deps/misc/modsecurity-nginx.patch && patch --forward src/deps/src/modsecurity-nginx/config src/deps/misc/config.patch && patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_common.h src/deps/misc/ngx_http_modsecurity_common.h.patch && patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_module.c src/deps/misc/ngx_http_modsecurity_module.c.patch"
+      "post_install": "patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_log.c src/deps/misc/modsecurity-nginx.patch && patch --forward src/deps/src/modsecurity-nginx/config src/deps/misc/config.patch && patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_common.h src/deps/misc/ngx_http_modsecurity_common.h.patch && patch --forward src/deps/src/modsecurity-nginx/src/ngx_http_modsecurity_module.c src/deps/misc/ngx_http_modsecurity_module.c.patch && patch --forward src/deps/src/modsecurity-nginx/config src/deps/misc/modsecurity-nginx-config.patch"
     },
     {
       "id": "nginx",

src/deps/misc/modsecurity-nginx-config.patch

@@ -0,0 +1,8 @@
+@@ -126,6 +126,7 @@
+                           ngx_http_v2_filter_module \
+                           ngx_http_range_header_filter_module \
+                           ngx_http_gzip_filter_module \
++                          ngx_http_brotli_filter_module \
+                           $ngx_module_name \
+                           $modsecurity_dependency";
+