10h30/ols-docker-env
1
0
Fork 0
mirror of https://github.com/10h30/ols-docker-env.git synced 2026-05-12 15:21:24 +09:00
Code Issues Packages Projects Releases Wiki Activity

update sh

Browse Source
This commit is contained in:
Cold-Egg
2020-02-12 14:27:32 -05:00
parent bc1a16c22b
commit e53931f83f
4 changed files with 377 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bin/container/domainctl.sh
+69 -17
View File
@@ -1,11 +1,24 @@
#!/usr/bin/env bash #!/usr/bin/env bash
CK_RESULT='' CK_RESULT=''
HTTPD_CONF='httpd_config.conf' LSDIR='/usr/local/lsws'
LS_HTTPD_CONF="${LSDIR}/conf/httpd_config.xml"
OLS_HTTPD_CONF="${LSDIR}/conf/httpd_config.conf"
help_message(){ help_message(){
echo 'Command [-add|-del] [domain_name]' echo 'Command [-add|-del] [domain_name]'
echo 'Example 1: domain-ctl.sh -add example.com' echo 'Example 1: domainctl.sh -add example.com'
echo 'Example 2: domain-ctl.sh -del example.com' echo 'Example 2: domainctl.sh -del example.com'
}
check_lsv(){
if [ -f ${LSDIR}/bin/openlitespeed ]; then
LSV='openlitespeed'
elif [ -f ${LSDIR}/bin/litespeed ]; then
LSV='lsws'
else
echo 'Version not exist, abort!'
exit 1
fi
} }
dot_escape(){ dot_escape(){
@@ -23,7 +36,7 @@ fst_match_after(){
FIRST_NUM_AFTER=$(tail -n +${1} ${2} | grep -n -m 1 ${3} | awk -F ':' '{print $1}') FIRST_NUM_AFTER=$(tail -n +${1} ${2} | grep -n -m 1 ${3} | awk -F ':' '{print $1}')
} }
lst_match_line(){ lst_match_line(){
fst_match_after ${1} ${2} '}' fst_match_after ${1} ${2} ${3}
LAST_LINE_NUM=$((${FIRST_LINE_NUM}+${FIRST_NUM_AFTER}-1)) LAST_LINE_NUM=$((${FIRST_LINE_NUM}+${FIRST_NUM_AFTER}-1))
} }
@@ -47,34 +60,73 @@ www_domain(){
WWW_DOMAIN=$(echo www.${1}) WWW_DOMAIN=$(echo www.${1})
} }
add_ls_domain(){
fst_match_line 'ccl.xml</templateFile>' ${LS_HTTPD_CONF}
NEWNUM=$((FIRST_LINE_NUM+1))
sed -i "${NEWNUM}i \ \ \ \ \ \ <member>\n \ \ \ \ \ \ \ <vhName>${DOMAIN}</vhName>\n \ \ \ \ \ \ \ <vhDomain>${DOMAIN},${WWW_DOMAIN}</vhDomain>\n \ \ \ \ \ \ </member>" ${LS_HTTPD_CONF}
}
add_ols_domain(){
perl -0777 -p -i -e 's/(vhTemplate centralConfigLog \{[^}]+)\}*(^.*listeners.*$)/\1$2
member '${DOMAIN}' {
vhDomain '${DOMAIN},${WWW_DOMAIN}'
}/gmi' ${OLS_HTTPD_CONF}
}
add_domain(){ add_domain(){
check_lsv
dot_escape ${1} dot_escape ${1}
DOMAIN=${ESCAPE} DOMAIN=${ESCAPE}
www_domain ${1} www_domain ${1}
check_duplicate "member.*${DOMAIN}" ${HTTPD_CONF} if [ "${LSV}" = 'lsws' ]; then
check_duplicate "vhDomain.*${DOMAIN}" ${LS_HTTPD_CONF}
if [ "${CK_RESULT}" != '' ]; then if [ "${CK_RESULT}" != '' ]; then
echo "# It appears the domain already exist! Check the ${HTTPD_CONF} if you believe this is a mistake!" echo "# It appears the domain already exist! Check the ${LS_HTTPD_CONF} if you believe this is a mistake!"
exit 1 exit 1
else
perl -0777 -p -i -e 's/(vhTemplate centralConfigLog \{[^}]+)\}*(^.*listeners.*$)/\1$2
member '${1}' {
vhDomain '${1},${WWW_DOMAIN}'
}/gmi' ${HTTPD_CONF}
fi fi
elif [ "${LSV}" = 'openlitespeed' ]; then
check_duplicate "member.*${DOMAIN}" ${OLS_HTTPD_CONF}
if [ "${CK_RESULT}" != '' ]; then
echo "# It appears the domain already exist! Check the ${OLS_HTTPD_CONF} if you believe this is a mistake!"
exit 1
fi
fi
add_ls_domain
add_ols_domain
}
del_ls_domain(){
fst_match_line "<vhName>*${1}" ${LS_HTTPD_CONF}
FIRST_LINE_NUM=$((FIRST_LINE_NUM-1))
lst_match_line ${FIRST_LINE_NUM} ${LS_HTTPD_CONF} '</member>'
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${LS_HTTPD_CONF}
}
del_ols_domain(){
fst_match_line ${1} ${OLS_HTTPD_CONF}
lst_match_line ${FIRST_LINE_NUM} ${OLS_HTTPD_CONF} '}'
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${OLS_HTTPD_CONF}
} }
del_domain(){ del_domain(){
check_lsv
dot_escape ${1} dot_escape ${1}
DOMAIN=${ESCAPE} DOMAIN=${ESCAPE}
check_duplicate "member.*${DOMAIN}" ${HTTPD_CONF} if [ "${LSV}" = 'lsws' ]; then
check_duplicate "vhDomain.*${DOMAIN}" ${LS_HTTPD_CONF}
if [ "${CK_RESULT}" = '' ]; then if [ "${CK_RESULT}" = '' ]; then
echo "# We couldn't find the domain you wanted to remove! Check the ${HTTPD_CONF} if you believe this is a mistake!" echo "# Domain non-exist! Check the ${LS_HTTPD_CONF} if you believe this is a mistake!"
exit 1 exit 1
else
fst_match_line ${1} ${HTTPD_CONF}
lst_match_line ${FIRST_LINE_NUM} ${HTTPD_CONF}
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${HTTPD_CONF}
fi fi
elif [ "${LSV}" = 'openlitespeed' ]; then
check_duplicate "member.*${DOMAIN}" ${OLS_HTTPD_CONF}
if [ "${CK_RESULT}" = '' ]; then
echo "# Domain non-exist! Check the ${OLS_HTTPD_CONF} if you believe this is a mistake!"
exit 1
fi
fi
del_ls_domain ${1}
del_ols_domain ${1}
} }
check_input ${1} check_input ${1}
bin/container/owaspctl.sh
+73 -11
View File
@@ -2,7 +2,8 @@
LSDIR='/usr/local/lsws' LSDIR='/usr/local/lsws'
OWASP_DIR="${LSDIR}/conf/owasp" OWASP_DIR="${LSDIR}/conf/owasp"
RULE_FILE='modsec_includes.conf' RULE_FILE='modsec_includes.conf'
HTTPD_CONF="${LSDIR}/conf/httpd_config.conf" LS_HTTPD_CONF="${LSDIR}/conf/httpd_config.xml"
OLS_HTTPD_CONF="${LSDIR}/conf/httpd_config.conf"
help_message(){ help_message(){
echo 'Command [-enable|-disable]' echo 'Command [-enable|-disable]'
@@ -11,6 +12,17 @@ help_message(){
exit 0 exit 0
} }
check_lsv(){
if [ -f ${LSDIR}/bin/openlitespeed ]; then
LSV='openlitespeed'
elif [ -f ${LSDIR}/bin/litespeed ]; then
LSV='lsws'
else
echo 'Version not exist, abort!'
exit 1
fi
}
check_input(){ check_input(){
if [ -z "${1}" ]; then if [ -z "${1}" ]; then
help_message help_message
@@ -36,12 +48,12 @@ fst_match_after(){
FIRST_NUM_AFTER=$(tail -n +${1} ${2} | grep -n -m 1 ${3} | awk -F ':' '{print $1}') FIRST_NUM_AFTER=$(tail -n +${1} ${2} | grep -n -m 1 ${3} | awk -F ':' '{print $1}')
} }
lst_match_line(){ lst_match_line(){
fst_match_after ${1} ${2} '}' fst_match_after ${1} ${2} ${3}
LAST_LINE_NUM=$((${FIRST_LINE_NUM}+${FIRST_NUM_AFTER}-1)) LAST_LINE_NUM=$((${FIRST_LINE_NUM}+${FIRST_NUM_AFTER}-1))
} }
enable_modsec(){ enable_ols_modsec(){
grep 'module mod_security {' ${HTTPD_CONF} >/dev/null 2>&1 grep 'module mod_security {' ${OLS_HTTPD_CONF} >/dev/null 2>&1
if [ ${?} -eq 0 ] ; then if [ ${?} -eq 0 ] ; then
echo "Already configured for modsecurity." echo "Already configured for modsecurity."
else else
@@ -49,22 +61,70 @@ enable_modsec(){
sed -i "s=module cache=module mod_security {\nmodsecurity on\ sed -i "s=module cache=module mod_security {\nmodsecurity on\
\nmodsecurity_rules \`\nSecRuleEngine On\n\`\nmodsecurity_rules_file \ \nmodsecurity_rules \`\nSecRuleEngine On\n\`\nmodsecurity_rules_file \
${OWASP_DIR}/${RULE_FILE}\n ls_enabled 1\n}\ ${OWASP_DIR}/${RULE_FILE}\n ls_enabled 1\n}\
\n\nmodule cache=" ${HTTPD_CONF} \n\nmodule cache=" ${OLS_HTTPD_CONF}
fi fi
} }
disable_modesec(){ enable_ls_modsec(){
grep 'module mod_security {' ${HTTPD_CONF} >/dev/null 2>&1 grep '<enableCensorship>1</enableCensorship>' ${LS_HTTPD_CONF} >/dev/null 2>&1
if [ ${?} -eq 0 ] ; then
echo "LSWS already configured for modsecurity"
else
echo 'Enable modsecurity'
sed -i \
"s=<enableCensorship>0</enableCensorship>=<enableCensorship>1</enableCensorship>=" ${LS_HTTPD_CONF}
sed -i \
"s=</censorshipControl>=</censorshipControl>\n\
<censorshipRuleSet>\n\
<name>ModSec</name>\n\
<enabled>1</enabled>\n\
<ruleSet>include ${OWASP_DIR}/modsec_includes.conf</ruleSet>\n\
</censorshipRuleSet>=" ${LS_HTTPD_CONF}
fi
}
enable_modsec(){
if [ "${LSV}" = 'lsws' ]; then
enable_ls_modsec
elif [ "${LSV}" = 'openlitespeed' ]; then
enable_ols_modsec
fi
}
disable_ols_modesec(){
grep 'module mod_security {' ${OLS_HTTPD_CONF} >/dev/null 2>&1
if [ ${?} -eq 0 ] ; then if [ ${?} -eq 0 ] ; then
echo 'Disable modsecurity' echo 'Disable modsecurity'
fst_match_line 'module mod_security' ${HTTPD_CONF} fst_match_line 'module mod_security' ${OLS_HTTPD_CONF}
lst_match_line ${FIRST_LINE_NUM} ${HTTPD_CONF} lst_match_line ${FIRST_LINE_NUM} ${OLS_HTTPD_CONF} '}'
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${HTTPD_CONF} sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${OLS_HTTPD_CONF}
else else
echo 'Already disabled for modsecurity' echo 'Already disabled for modsecurity'
fi fi
} }
disable_ls_modesec(){
grep '<enableCensorship>0</enableCensorship>' ${LS_HTTPD_CONF}
if [ ${?} -eq 0 ] ; then
echo 'Already disabled for modsecurity'
else
echo 'Disable modsecurity'
sed -i \
"s=<enableCensorship>1</enableCensorship>=<enableCensorship>0</enableCensorship>=" ${LS_HTTPD_CONF}
fst_match_line 'censorshipRuleSet' ${LS_HTTPD_CONF}
lst_match_line ${FIRST_LINE_NUM} ${LS_HTTPD_CONF} '/censorshipRuleSet'
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${LS_HTTPD_CONF}
fi
}
disable_modsec(){
if [ "${LSV}" = 'lsws' ]; then
disable_ls_modesec
elif [ "${LSV}" = 'openlitespeed' ]; then
disable_ols_modesec
fi
}
install_git(){ install_git(){
if [ ! -f /usr/bin/git ]; then if [ ! -f /usr/bin/git ]; then
echo 'Install git' echo 'Install git'
@@ -145,10 +205,12 @@ while [ ! -z "${1}" ]; do
;; ;;
-enable | -e | -E) -enable | -e | -E)
main_owasp main_owasp
check_lsv
enable_modsec enable_modsec
;; ;;
-disable | -d | -D) -disable | -d | -D)
disable_modesec check_lsv
disable_modsec
;; ;;
*) *)
help_message help_message
bin/webadmin.sh
+3 -1
View File
@@ -39,12 +39,14 @@ mod_secure(){
} }
ls_upgrade(){ ls_upgrade(){
echo 'Upgrade web server to latest stable version.'
docker-compose exec ${CONT_NAME} su -c '/usr/local/lsws/admin/misc/lsup.sh 2>/dev/null' docker-compose exec ${CONT_NAME} su -c '/usr/local/lsws/admin/misc/lsup.sh 2>/dev/null'
} }
set_web_admin(){ set_web_admin(){
echo 'Update web admin password.'
docker-compose exec ${CONT_NAME} su -s /bin/bash lsadm -c \ docker-compose exec ${CONT_NAME} su -s /bin/bash lsadm -c \
'echo "admin:$(/usr/local/lsws/admin/fcgi-bin/admin_php -q /usr/local/lsws/admin/misc/htpasswd.php '${1}')" > /usr/local/lsws/admin/conf/htpasswd'; 'echo "admin:$(/usr/local/lsws/admin/fcgi-bin/admin_php* -q /usr/local/lsws/admin/misc/htpasswd.php '${1}')" > /usr/local/lsws/admin/conf/htpasswd';
} }
main(){ main(){
lsws/httpd_config.xml
+228
View File
@@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8"?>
<httpServerConfig>
<serverName>$HOSTNAME</serverName>
<workerProcesses>2</workerProcesses>
<user>nobody</user>
<group>nogroup</group>
<priority>0</priority>
<chrootPath>/</chrootPath>
<enableChroot>0</enableChroot>
<inMemBufSize>120M</inMemBufSize>
<swappingDir>/tmp/lshttpd/swap</swappingDir>
<autoFix503>1</autoFix503>
<loadApacheConf>0</loadApacheConf>
<mime>$SERVER_ROOT/conf/mime.properties</mime>
<showVersionNumber>0</showVersionNumber>
<autoUpdateInterval>86400</autoUpdateInterval>
<autoUpdateDownloadPkg>1</autoUpdateDownloadPkg>
<adminEmails>root@localhost</adminEmails>
<logging>
<log>
<fileName>$SERVER_ROOT/logs/error.log</fileName>
<logLevel>DEBUG</logLevel>
<debugLevel>0</debugLevel>
<rollingSize>10M</rollingSize>
<enableStderrLog>1</enableStderrLog>
<enableAioLog>1</enableAioLog>
</log>
<accessLog>
<fileName>$SERVER_ROOT/logs/access.log</fileName>
<rollingSize>10M</rollingSize>
<keepDays>30</keepDays>
<compressArchive>0</compressArchive>
</accessLog>
</logging>
<indexFiles>index.html, index.php</indexFiles>
<htAccess>
<allowOverride>0</allowOverride>
<accessFileName>.htaccess</accessFileName>
</htAccess>
<expires>
<enableExpires>1</enableExpires>
<expiresByType>image/*=A604800, text/css=A604800, application/x-javascript=A604800, application/javascript=A604800,font/*=A604800,application/x-font-ttf=A604800</expiresByType>
</expires>
<tuning>
<maxConnections>10000</maxConnections>
<maxSSLConnections>10000</maxSSLConnections>
<connTimeout>300</connTimeout>
<maxKeepAliveReq>10000</maxKeepAliveReq>
<keepAliveTimeout>5</keepAliveTimeout>
<sndBufSize>0</sndBufSize>
<rcvBufSize>0</rcvBufSize>
<maxReqURLLen>8192</maxReqURLLen>
<maxReqHeaderSize>16380</maxReqHeaderSize>
<maxReqBodySize>500M</maxReqBodySize>
<maxDynRespHeaderSize>8K</maxDynRespHeaderSize>
<maxDynRespSize>500M</maxDynRespSize>
<maxCachedFileSize>4096</maxCachedFileSize>
<totalInMemCacheSize>20M</totalInMemCacheSize>
<maxMMapFileSize>256K</maxMMapFileSize>
<totalMMapCacheSize>40M</totalMMapCacheSize>
<useSendfile>1</useSendfile>
<useAIO>1</useAIO>
<AIOBlockSize>4</AIOBlockSize>
<enableGzipCompress>1</enableGzipCompress>
<compressibleTypes>text/*,application/x-javascript,application/javascript,application/xml,image/svg+xml,application/rss+xml</compressibleTypes>
<enableDynGzipCompress>1</enableDynGzipCompress>
<gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
</tuning>
<security>
<fileAccessControl>
<followSymbolLink>1</followSymbolLink>
<checkSymbolLink>0</checkSymbolLink>
<requiredPermissionMask>000</requiredPermissionMask>
<restrictedPermissionMask>000</restrictedPermissionMask>
</fileAccessControl>
<perClientConnLimit>
<staticReqPerSec>0</staticReqPerSec>
<dynReqPerSec>0</dynReqPerSec>
<outBandwidth>0</outBandwidth>
<inBandwidth>0</inBandwidth>
<softLimit>10000</softLimit>
<hardLimit>10000</hardLimit>
<gracePeriod>15</gracePeriod>
<banPeriod>300</banPeriod>
</perClientConnLimit>
<CGIRLimit>
<maxCGIInstances>200</maxCGIInstances>
<minUID>11</minUID>
<minGID>10</minGID>
<priority>0</priority>
<CPUSoftLimit>300</CPUSoftLimit>
<CPUHardLimit>600</CPUHardLimit>
<memSoftLimit>1450M</memSoftLimit>
<memHardLimit>1500M</memHardLimit>
<procSoftLimit>1400</procSoftLimit>
<procHardLimit>1450</procHardLimit>
</CGIRLimit>
<censorshipControl>
<enableCensorship>0</enableCensorship>
<logLevel>0</logLevel>
<defaultAction>deny,log,status:403</defaultAction>
<scanPOST>1</scanPOST>
</censorshipControl>
<accessDenyDir>
<dir>/</dir>
<dir>/etc/*</dir>
<dir>/dev/*</dir>
<dir>$SERVER_ROOT/conf/*</dir>
<dir>$SERVER_ROOT/admin/conf/*</dir>
</accessDenyDir>
<accessControl>
<allow>ALL</allow>
</accessControl>
</security>
<extProcessorList>
<extProcessor>
<type>lsapi</type>
<name>lsphp7</name>
<address>uds://tmp/lshttpd/lsphp7.sock</address>
<maxConns>35</maxConns>
<env>PHP_LSAPI_CHILDREN=35</env>
<initTimeout>60</initTimeout>
<retryTimeout>0</retryTimeout>
<persistConn>1</persistConn>
<respBuffer>0</respBuffer>
<autoStart>3</autoStart>
<path>$SERVER_ROOT/lsphp73/bin/lsphp</path>
<backlog>100</backlog>
<instances>1</instances>
<priority>0</priority>
<memSoftLimit>2047M</memSoftLimit>
<memHardLimit>2047M</memHardLimit>
<procSoftLimit>1000</procSoftLimit>
<procHardLimit>1000</procHardLimit>
</extProcessor>
</extProcessorList>
<scriptHandlerList>
<scriptHandler>
<suffix>php</suffix>
<type>lsapi</type>
<handler>lsphp7</handler>
</scriptHandler>
<scriptHandler>
<suffix>php5</suffix>
<type>lsapi</type>
<handler>lsphp7</handler>
</scriptHandler>
</scriptHandlerList>
<phpConfig>
<maxConns>35</maxConns>
<env>PHP_LSAPI_CHILDREN=35</env>
<initTimeout>60</initTimeout>
<retryTimeout>0</retryTimeout>
<pcKeepAliveTimeout>1</pcKeepAliveTimeout>
<respBuffer>0</respBuffer>
<extMaxIdleTime>60</extMaxIdleTime>
<memSoftLimit>2047M</memSoftLimit>
<memHardLimit>2047M</memHardLimit>
<procSoftLimit>400</procSoftLimit>
<procHardLimit>500</procHardLimit>
</phpConfig>
<railsDefaults>
<maxConns>5</maxConns>
<env>LSAPI_MAX_IDLE=60</env>
<initTimeout>180</initTimeout>
<retryTimeout>0</retryTimeout>
<pcKeepAliveTimeout>60</pcKeepAliveTimeout>
<respBuffer>0</respBuffer>
<backlog>50</backlog>
<runOnStartUp>1</runOnStartUp>
<priority>3</priority>
<memSoftLimit>2047M</memSoftLimit>
<memHardLimit>2047M</memHardLimit>
<procSoftLimit>400</procSoftLimit>
<procHardLimit>500</procHardLimit>
</railsDefaults>
<virtualHostList>
<virtualHost>
<name>Example</name>
<vhRoot>$SERVER_ROOT/DEFAULT/</vhRoot>
<configFile>$VH_ROOT/conf/vhconf.xml</configFile>
<allowSymbolLink>1</allowSymbolLink>
<enableScript>1</enableScript>
<restrained>1</restrained>
<setUIDMode>0</setUIDMode>
<chrootMode>0</chrootMode>
</virtualHost>
</virtualHostList>
<listenerList>
<listener>
<name>HTTPS</name>
<address>*:443</address>
<secure>1</secure>
<vhostMapList>
</vhostMapList>
<keyFile>$SERVER_ROOT/admin/conf/webadmin.key</keyFile>
<certFile>$SERVER_ROOT/admin/conf/webadmin.crt</certFile>
</listener>
<listener>
<name>HTTP</name>
<address>*:80</address>
<secure>0</secure>
<vhostMapList>
</vhostMapList>
</listener>
</listenerList>
<vhTemplateList>
<vhTemplate>
<name>centralConfigLog</name>
<templateFile>$SERVER_ROOT/conf/templates/ccl.xml</templateFile>
<listeners>HTTP, HTTPS</listeners>
<member>
<vhName>localhost</vhName>
<vhDomain>localhost, *</vhDomain>
</member>
</vhTemplate>
<vhTemplate>
<name>PHP_SuEXEC</name>
<templateFile>$SERVER_ROOT/conf/templates/phpsuexec.xml</templateFile>
<listeners>HTTP</listeners>
</vhTemplate>
<vhTemplate>
<name>EasyRailsWithSuEXEC</name>
<templateFile>$SERVER_ROOT/conf/templates/rails.xml</templateFile>
<listeners>HTTP</listeners>
</vhTemplate>
</vhTemplateList>
</httpServerConfig>