diff --git a/entrypoint/permissions-swarm.sh b/entrypoint/permissions-swarm.sh
index c524d173d..a6ba27828 100644
--- a/entrypoint/permissions-swarm.sh
+++ b/entrypoint/permissions-swarm.sh
@@ -12,14 +12,36 @@ if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
 exit 2
 fi
+# /modsec-confs
+if [ ! -r "/modsec-confs" ] || [ ! -x "/modsec-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /modsec-confs"
+ exit 3
+fi
+# /modsec-crs-confs
+if [ ! -r "/modsec-crs-confs" ] || [ ! -x "/modsec-crs-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /modsec-crs-confs"
+ exit 4
+fi
+# /server-confs
+if [ ! -r "/server-confs" ] || [ ! -x "/server-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /server-confs"
+ exit 5
+fi
+# /http-confs
+if [ ! -r "/http-confs" ] || [ ! -x "/http-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /http-confs"
+ exit 6
+fi
+
 # /etc/nginx
 if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
 echo "[!] ERROR - wrong permissions on /etc/nginx"
- exit 3
+ exit 7
 fi
 # /acme-challenge
 if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
 echo "[!] ERROR - wrong permissions on /acme-challenge"
- exit 4
+ exit 8
 fi
+
diff --git a/entrypoint/permissions.sh b/entrypoint/permissions.sh
index 35aba2f05..54d2771ce 100644
--- a/entrypoint/permissions.sh
+++ b/entrypoint/permissions.sh
@@ -2,7 +2,7 @@
 # /etc/letsencrypt
 if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
- echo "[!] WARNING - wrong permissions on /etc/letsencrypt"
+ echo "[!] ERROR - wrong permissions on /etc/letsencrypt"
 exit 1
 fi
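Review bot: The four new directory checks in the permissions-swarm.sh hunk are copies of one another differing only in path and exit code, and the same four copies appear in the matching hunk of entrypoint/permissions.sh; a small helper keeps the next directory from costing another five lines per script. Because each check is `-r`/`-x` only, a directory that is not present at all also fails it and the message then reports "wrong permissions" for a path that does not exist — if these directories are not guaranteed to exist in the image, test `[ -d "/modsec-confs" ]` first or word the message to cover both cases. Renumbering the pre-existing `/etc/nginx` and `/acme-challenge` codes (3→7 and 4→8 here, and likewise in permissions.sh) silently changes the meaning of exit codes that anything outside these scripts may already key on; giving the new checks fresh codes and leaving the old ones alone avoids that. The enclosing script starts before the hunk.
```shell
# Abort with the given exit code when the directory in $1 cannot be
# read or traversed by the user this container runs as.
check_dir() {
  if [ ! -r "$1" ] || [ ! -x "$1" ] ; then
    echo "[!] ERROR - wrong permissions on $1"
    exit "$2"
  fi
}
check_dir /modsec-confs 3
check_dir /modsec-crs-confs 4
check_dir /server-confs 5
check_dir /http-confs 6
# … unchanged: /etc/nginx and /acme-challenge checks …
```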
@@ -12,18 +12,36 @@ if [ -f "/usr/sbin/nginx" ] ; then
 echo "[!] ERROR - wrong permissions on /www"
 exit 2
 fi
-
+ # /modsec-confs
+ if [ ! -r "/modsec-confs" ] || [ ! -x "/modsec-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /modsec-confs"
+ exit 3
+ fi
+ # /modsec-crs-confs
+ if [ ! -r "/modsec-crs-confs" ] || [ ! -x "/modsec-crs-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /modsec-crs-confs"
+ exit 4
+ fi
+ # /server-confs
+ if [ ! -r "/server-confs" ] || [ ! -x "/server-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /server-confs"
+ exit 5
+ fi
+ # /http-confs
+ if [ ! -r "/http-confs" ] || [ ! -x "/http-confs" ] ; then
+ echo "[!] ERROR - wrong permissions on /http-confs"
+ exit 6
+ fi
 fi
 # /acme-challenge
 if [ ! -w "/acme-challenge" ] || [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
 echo "[!] ERROR - wrong permissions on /acme-challenge"
- exit 3
+ exit 7
 fi
 # /etc/nginx
 if [ ! -w "/etc/nginx" ] || [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
 echo "[!] ERROR - wrong permissions on /etc/nginx"
- exit 4
+ exit 8
 fi
-
diff --git a/examples/autoconf-php/docker-compose.yml b/examples/autoconf-php/docker-compose.yml
index 637ae6e74..f061ded85 100644
--- a/examples/autoconf-php/docker-compose.yml
+++ b/examples/autoconf-php/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - ./web-files:/www:ro
diff --git a/examples/autoconf-reverse-proxy/docker-compose.yml b/examples/autoconf-reverse-proxy/docker-compose.yml
index 0b75e24d7..6e30c978a 100644
--- a/examples/autoconf-reverse-proxy/docker-compose.yml
+++ b/examples/autoconf-reverse-proxy/docker-compose.yml
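Review bot: The four added checks in this permissions.sh hunk sit inside the `if [ -f "/usr/sbin/nginx" ] ; then` branch whose opening line is above the hunk, so they are skipped entirely when that binary is absent, whereas the same checks in permissions-swarm.sh run unconditionally. If the difference is intended (the conf directories only matter when nginx itself is present), a one-line comment such as `# conf directories are only read by nginx, so check them only in that case` above `# /modsec-confs` would record it; if not, the checks belong after the closing `fi`, next to the /acme-challenge check. The removed trailing blank line is cosmetic.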
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - autoconf:/etc/nginx
diff --git a/examples/basic-website-with-php/docker-compose.yml b/examples/basic-website-with-php/docker-compose.yml
index 2eefc915f..9ddb0523a 100644
--- a/examples/basic-website-with-php/docker-compose.yml
+++ b/examples/basic-website-with-php/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/behind-traefik/docker-compose.yml b/examples/behind-traefik/docker-compose.yml
index f9ee4633d..7a1a8bcc3 100644
--- a/examples/behind-traefik/docker-compose.yml
+++ b/examples/behind-traefik/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:80
 - 443:443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - ./traefik/traefik.toml:/traefik.toml
diff --git a/examples/certbot-wildcard/docker-compose.yml b/examples/certbot-wildcard/docker-compose.yml
index 1176c8160..a7e807518 100644
--- a/examples/certbot-wildcard/docker-compose.yml
+++ b/examples/certbot-wildcard/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/letsencrypt:ro
diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml
index 56fff616e..b2080d53e 100644
--- a/examples/crowdsec/docker-compose.yml
+++ b/examples/crowdsec/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/ghost/docker-compose.yml b/examples/ghost/docker-compose.yml
index 25c681233..4b7f2a712 100644
--- a/examples/ghost/docker-compose.yml
+++ b/examples/ghost/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/joomla/docker-compose.yml b/examples/joomla/docker-compose.yml
index c905c5468..1e7786b4c 100644
--- a/examples/joomla/docker-compose.yml
+++ b/examples/joomla/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./joomla-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml
index 8f575f782..4cfe8ea7b 100644
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - ./http-confs:/http-confs:ro
diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml
index 5c10089d5..d8cca0072 100644
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/multisite-basic/docker-compose.yml b/examples/multisite-basic/docker-compose.yml
index ce8a78468..135c0dc6b 100644
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/multisite-custom-server-confs/docker-compose.yml b/examples/multisite-custom-server-confs/docker-compose.yml
index 4cbe851a8..6c1b080e1 100644
--- a/examples/multisite-custom-server-confs/docker-compose.yml
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/multisite-custom-subfolders/docker-compose.yml b/examples/multisite-custom-subfolders/docker-compose.yml
index 014b87588..b74173045 100644
--- a/examples/multisite-custom-subfolders/docker-compose.yml
+++ b/examples/multisite-custom-subfolders/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./apps:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml
index a9679bde5..aa2767ecc 100644
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./nc-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml
index f9966046f..2813a0f49 100644
--- a/examples/passbolt/docker-compose.yml
+++ b/examples/passbolt/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - ./modsec-crs-confs:/modsec-crs-confs:ro # disable some false positive
diff --git a/examples/redmine/docker-compose.yml b/examples/redmine/docker-compose.yml
index 6cf94ff1f..39ed5332f 100644
--- a/examples/redmine/docker-compose.yml
+++ b/examples/redmine/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/reverse-proxy-multisite/docker-compose.yml b/examples/reverse-proxy-multisite/docker-compose.yml
index cba11ad72..bc273c7a5 100644
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/reverse-proxy-singlesite/docker-compose.yml b/examples/reverse-proxy-singlesite/docker-compose.yml
index ffbf8290e..41daf2d55 100644
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - ./server-confs:/server-confs:ro # redirect /app1 and /app2 to /app1/ and /app2/
diff --git a/examples/reverse-proxy-websocket/docker-compose.yml b/examples/reverse-proxy-websocket/docker-compose.yml
index fb8abbfe5..349d9f953 100644
--- a/examples/reverse-proxy-websocket/docker-compose.yml
+++ b/examples/reverse-proxy-websocket/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/swarm/stack.yml b/examples/swarm/stack.yml
index 6199dc8a5..f803f622b 100644
--- a/examples/swarm/stack.yml
+++ b/examples/swarm/stack.yml
@@ -4,6 +4,8 @@ services:
 autoconf:
 image: bunkerity/bunkerized-nginx-autoconf
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - /shared/confs:/etc/nginx
@@ -31,6 +33,8 @@ services:
 target: 8443
 mode: host
 protocol: tcp
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - /shared/confs:/etc/nginx
 - /shared/letsencrypt:/etc/letsencrypt:ro
diff --git a/examples/tomcat/docker-compose.yml b/examples/tomcat/docker-compose.yml
index 8584f2725..690e6adea 100644
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 environment:
diff --git a/examples/tor-hidden-service/docker-compose.yml b/examples/tor-hidden-service/docker-compose.yml
index 261e64e8e..1c56fbf87 100644
--- a/examples/tor-hidden-service/docker-compose.yml
+++ b/examples/tor-hidden-service/docker-compose.yml
@@ -14,6 +14,8 @@ services:
 mywww:
 image: bunkerity/bunkerized-nginx
 restart: always
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./web-files:/www:ro
 environment:
diff --git a/examples/web-ui/docker-compose.yml b/examples/web-ui/docker-compose.yml
index 8f9036355..8eda5a7b8 100644
--- a/examples/web-ui/docker-compose.yml
+++ b/examples/web-ui/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./letsencrypt:/etc/letsencrypt
 - ./web-files:/www:ro
diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml
index b8b463ee0..81985d13d 100644
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -8,6 +8,8 @@ services:
 ports:
 - 80:8080
 - 443:8443
+ # bunkerized-nginx runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
 volumes:
 - ./wp-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt