From ac76802af4c1ad8ee87baf3c4d7428487af8f124 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Sat, 19 Feb 2022 09:23:06 +0200
Subject: [PATCH 1/9] Added lua-resty-http plugin Required for crowdsec-openresty-bouncer
---
 scripts/install-openresty | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/install-openresty b/scripts/install-openresty
index b0b0679..81d76bf 100755
--- a/scripts/install-openresty
+++ b/scripts/install-openresty
@@ -19,5 +19,6 @@ echo -e "${BLUE}❯ ${CYAN}Installing OpenResty plugins...${RESET}"
 cd /
 luarocks install lua-cjson
 luarocks install lua-resty-openidc
+luarocks install lua-resty-http
 echo -e "${BLUE}❯ ${GREEN}OpenResty plugins install completed${RESET}"
From b4804e6fafcdd52a7ea8767d8745d0b8c2bb222c Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Tue, 22 Feb 2022 08:55:22 +0200
Subject: [PATCH 2/9] Install Crowdsec OpenResty Bouncer directly into the docker image. Config files and templates are saved in /defaults/crowdsec A script in the main docker image will handle deployment.
---
 README.md | 1 +
 docker/Dockerfile | 4 +++-
 local-build.sh | 2 ++
 scripts/install-crowdsec_openresty_bouncer | 22 ++++++++++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 scripts/install-crowdsec_openresty_bouncer
diff --git a/README.md b/README.md
index 5be88c2..5f34592 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ The following images are built:
 **latest**
 - OpenResty
 - Lua
+- [Crowdsec Openresty Bouncer](https://github.com/crowdsecurity/cs-openresty-bouncer)
 **certbot**
 - Certbot
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 0514655..2c6a3f4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
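Review bot: The added `luarocks install lua-resty-http` names no version, so every image build takes whatever release the rocks server offers at that moment, and the module the bouncer relies on can change without any commit in this repository. Pin it, e.g. `luarocks install lua-resty-http <reviewed-version>` (placeholder; use the release you actually tested), and consider doing the same for the two unpinned installs above it. The script continues outside this hunk.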
@@ -73,8 +73,10 @@ COPY --from=nginxbuilder /tmp/openresty /tmp/openresty
 COPY ./scripts/install-openresty /tmp/install-openresty
 ARG OPENRESTY_VERSION
+ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
- OPENRESTY_VERSION=${OPENRESTY_VERSION}
+ OPENRESTY_VERSION=${OPENRESTY_VERSION} \
+ CROWDSEC_OPENRESTY_BOUNCER_VERSION=${CROWDSEC_OPENRESTY_BOUNCER_VERSION}
 # Install openresty, lua, then clean up file system
 RUN apt-get update \
diff --git a/local-build.sh b/local-build.sh
index 943a361..0f692e9 100755
--- a/local-build.sh
+++ b/local-build.sh
@@ -9,6 +9,7 @@ RESET='\E[0m'
 DOCKER_IMAGE=nginxproxymanager/nginx-full
 export OPENRESTY_VERSION=1.19.9.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.1
 export LUA_VERSION=5.1.5
 export LUAROCKS_VERSION=3.3.1
@@ -18,6 +19,7 @@ echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}latest ${CYAN}...${RESET}"
 docker build \
 --pull \
 --build-arg OPENRESTY_VERSION \
+ --build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 --build-arg LUA_VERSION \
 --build-arg LUAROCKS_VERSION \
 -t ${DOCKER_IMAGE}:latest \
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
new file mode 100644
index 0000000..0c1b5e1
--- /dev/null
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Installing Crowdsec OpenResty Bouncer ${YELLOW}${CROWDSEC_OPENRESTY_BOUNCER_VERSION}...${RESET}"
+
+cd /tmp
+#Offical Crowdsec download location is currently blocked due to two pull requests waiting to be added for full support for Docker installs
+#weg "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
+wget "https://github.com/LePresidente/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
+mkdir -p /tmp/crowdsec
+tar -xzf --strip 1 crowdsec-openresty-bouncer.tgz -C /tmp/crowdsec
+cd /tmp/crowdsec
+
+bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/etc/nginx/lualib --CONFIG_PATH=/defaults/crowdsec --DATA_PATH=/defaults/crowdsec --docker
+sed-patch 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf
+
+echo -e "${BLUE}❯ ${GREEN}OpenResty plugins install completed${RESET}"
From c9cb887b4ad79a134d24bb19087d214e9e1b3d95 Mon Sep 17 00:00:00 2001
From: lepresidente
Date: Tue, 22 Feb 2022 10:08:16 +0200
Subject: [PATCH 3/9] Fixed build to correctly install crowdsec-openresty-bouncer
---
 docker/Dockerfile | 7 ++++++-
 scripts/install-crowdsec_openresty_bouncer | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 scripts/install-crowdsec_openresty_bouncer
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 2c6a3f4..e51c716 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -57,6 +57,7 @@ RUN apt-get update \
 tzdata \
 unzip \
 zlib1g \
+ wget \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
 && rm -rf /var/cache/* /var/log/* /tmp/* /var/lib/dpkg/status-old
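Review bot: The archive fetched by `wget` is unpacked and its `install.sh` executed with no integrity check, and the URL points at a fork under the `LePresidente` account rather than the `crowdsecurity` project named in the commented-out line, so whoever controls that release asset controls code that runs during the image build and, presumably, whatever it installs under the `--LIB_PATH` and `--CONFIG_PATH` targets. Pass an expected digest alongside the version and verify it before `tar`, for example `echo "${CROWDSEC_OPENRESTY_BOUNCER_SHA256}  crowdsec-openresty-bouncer.tgz" | sha256sum -c -` (the variable name is a suggestion; it does not exist in this series). The hunk in PATCH 4/9 that switches the URL back to `crowdsecurity/cs-openresty-bouncer` still downloads without verification, so the same check applies there.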
@@ -72,6 +73,9 @@ COPY ./scripts/install-lua /tmp/install-lua
 COPY --from=nginxbuilder /tmp/openresty /tmp/openresty
 COPY ./scripts/install-openresty /tmp/install-openresty
+# Copy crowdsec openresty bouncer install script
+COPY ./scripts/install-crowdsec_openresty_bouncer /tmp/install-crowdsec_openresty_bouncer
+
 ARG OPENRESTY_VERSION
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
@@ -83,7 +87,8 @@ RUN apt-get update \
 && apt-get install -y gcc make socat git \
 && /tmp/install-lua \
 && /tmp/install-openresty \
- && apt-get remove -y make gcc git \
+ && /tmp/install-crowdsec_openresty_bouncer \
+ && apt-get remove -y make gcc git wget \
 && apt-get autoremove -y \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
old mode 100644
new mode 100755
index 0c1b5e1..cc7dbfc
--- a/scripts/install-crowdsec_openresty_bouncer
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -13,10 +13,10 @@ cd /tmp
 #weg "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
 wget "https://github.com/LePresidente/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
 mkdir -p /tmp/crowdsec
-tar -xzf --strip 1 crowdsec-openresty-bouncer.tgz -C /tmp/crowdsec
+tar xzf crowdsec-openresty-bouncer.tgz --strip 1 -C /tmp/crowdsec
 cd /tmp/crowdsec
 bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/etc/nginx/lualib --CONFIG_PATH=/defaults/crowdsec --DATA_PATH=/defaults/crowdsec --docker
-sed-patch 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf
+sed -i 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf
 echo -e "${BLUE}❯ ${GREEN}OpenResty plugins install completed${RESET}"
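Review bot: `wget` is installed by the earlier `RUN apt-get update` step (the `@@ -57,6 +57,7 @@` hunk of this patch) but removed in this later `RUN`, so the package is only masked by an upper layer and its files stay in the image's layer history. Install it with the other build-only tools instead, `&& apt-get install -y gcc make socat git wget \`, and drop the `wget \` line from the earlier package list, so that install and removal happen in the same layer. Both RUN instructions start and end outside the visible hunks.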
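Review bot: The `sed -i 's|ENABLED=.*|ENABLED=false|'` expression is unanchored, so it rewrites the tail of any line containing `ENABLED=` (a key such as `FOO_ENABLED=` would be hit too), and it exits 0 even when nothing matched, which would leave the upstream default in place. The contents of crowdsec-openresty-bouncer.conf are not visible here, so this may be harmless today. Anchoring with `'s|^ENABLED=.*|ENABLED=false|'` and following it with `grep -q '^ENABLED=false$' /defaults/crowdsec/crowdsec-openresty-bouncer.conf` makes the shipped default explicit and fails the build if the key changes upstream.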
From f819b8a87acda69eed02098d55abec25c0a4eb0e Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Mon, 14 Mar 2022 15:11:12 +0200
Subject: [PATCH 4/9] Updated crowdsec openresty bouncer to 0.1.7
---
 docker/Dockerfile | 1 +
 local-build.sh | 2 +-
 scripts/install-crowdsec_openresty_bouncer | 4 +---
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index e51c716..b17e021 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -57,6 +57,7 @@ RUN apt-get update \
 tzdata \
 unzip \
 zlib1g \
+ gettext \
 wget \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
diff --git a/local-build.sh b/local-build.sh
index 0f692e9..b48d767 100755
--- a/local-build.sh
+++ b/local-build.sh
@@ -9,7 +9,7 @@ RESET='\E[0m'
 DOCKER_IMAGE=nginxproxymanager/nginx-full
 export OPENRESTY_VERSION=1.19.9.1
-export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
 export LUA_VERSION=5.1.5
 export LUAROCKS_VERSION=3.3.1
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
index cc7dbfc..da9e730 100755
--- a/scripts/install-crowdsec_openresty_bouncer
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -9,9 +9,7 @@ RESET='\E[0m'
 echo -e "${BLUE}❯ ${CYAN}Installing Crowdsec OpenResty Bouncer ${YELLOW}${CROWDSEC_OPENRESTY_BOUNCER_VERSION}...${RESET}"
 cd /tmp
-#Offical Crowdsec download location is currently blocked due to two pull requests waiting to be added for full support for Docker installs
-#weg "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
-wget "https://github.com/LePresidente/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
+wget "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
 mkdir -p /tmp/crowdsec
 tar xzf crowdsec-openresty-bouncer.tgz --strip 1 -C /tmp/crowdsec
 cd /tmp/crowdsec
From 48821ea692b6e9cb1eb2a3803378bbada7a620ef Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Tue, 15 Mar 2022 06:31:46 +0200
Subject: [PATCH 5/9] Cleanup crowdsec folder after install. Uninstall gettext since its not required after the crowdsec install.
---
 docker/Dockerfile | 4 ++--
 scripts/install-crowdsec_openresty_bouncer | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index b17e021..e974274 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -88,8 +88,8 @@ RUN apt-get update \
 && apt-get install -y gcc make socat git \
 && /tmp/install-lua \
 && /tmp/install-openresty \
- && /tmp/install-crowdsec_openresty_bouncer \
- && apt-get remove -y make gcc git wget \
+ && /tmp/install-crowdsec_openresty_bouncer \
+ && apt-get remove -y make gcc git wget gettext \
 && apt-get autoremove -y \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
index da9e730..76946de 100755
--- a/scripts/install-crowdsec_openresty_bouncer
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -16,5 +16,6 @@ cd /tmp/crowdsec
 bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/etc/nginx/lualib --CONFIG_PATH=/defaults/crowdsec --DATA_PATH=/defaults/crowdsec --docker
 sed -i 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf
+rm /tmp/crowdsec
 echo -e "${BLUE}❯ ${GREEN}OpenResty plugins install completed${RESET}"
From 6f7e8ac26e65854b7536219c739293ebfc279557 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Tue, 15 Mar 2022 08:04:07 +0200
Subject: [PATCH 6/9] remove the crowdsec install tgz file.
---
 docker/Dockerfile | 2 +-
 scripts/install-crowdsec_openresty_bouncer | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index e974274..d47aa17 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -58,7 +58,7 @@ RUN apt-get update \
 unzip \
 zlib1g \
 gettext \
- wget \
+ wget \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
 && rm -rf /var/cache/* /var/log/* /tmp/* /var/lib/dpkg/status-old
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
index 76946de..68a6dc0 100755
--- a/scripts/install-crowdsec_openresty_bouncer
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -12,6 +12,7 @@ cd /tmp
 wget "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
 mkdir -p /tmp/crowdsec
 tar xzf crowdsec-openresty-bouncer.tgz --strip 1 -C /tmp/crowdsec
+rm -rf /tmp/crowdsec-openresty-bouncer.tgz
 cd /tmp/crowdsec
 bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/etc/nginx/lualib --CONFIG_PATH=/defaults/crowdsec --DATA_PATH=/defaults/crowdsec --docker
From 7e6f7c524aa573596d014dca90d88f5bb5c712d4 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Wed, 16 Mar 2022 06:31:28 +0200
Subject: [PATCH 7/9] added CROWDSEC_OPENRESTY_BOUNCER_VERSION environment version to jenkins script.
---
 .jenkins/Jenkinsfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 1883418..7344d80 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -16,6 +16,7 @@ pipeline {
 BRANCH_LOWER = "${BRANCH_NAME.toLowerCase().replaceAll('/', '-')}"
 // Software versions; OpenResty does not support Lua >= 5.2
 OPENRESTY_VERSION = '1.19.9.1'
+ CROWDSEC_OPENRESTY_BOUNCER_VERSION = '0.1.7'
 LUA_VERSION = '5.1.5'
 LUAROCKS_VERSION = '3.3.1'
 }
From 7793f927d8b31025ed5d5d7d51f0574c0f02b732 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Wed, 16 Mar 2022 06:39:55 +0200
Subject: [PATCH 8/9] missed one arg in the buildx command.
---
 scripts/buildx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/buildx b/scripts/buildx
index fc52745..ffebd42 100755
--- a/scripts/buildx
+++ b/scripts/buildx
@@ -25,6 +25,7 @@ docker buildx build \
 --build-arg OPENRESTY_VERSION \
 --build-arg LUA_VERSION \
 --build-arg LUAROCKS_VERSION \
+ --build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 $@ \
 .
From b98785006cf0c2c2e047e706d8e1ed0c2af911a8 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Thu, 17 Mar 2022 06:04:51 +0200
Subject: [PATCH 9/9] Add extra check for environment variable Fix rm command for folders.
---
 scripts/install-crowdsec_openresty_bouncer | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/scripts/install-crowdsec_openresty_bouncer b/scripts/install-crowdsec_openresty_bouncer
index 68a6dc0..2448f58 100755
--- a/scripts/install-crowdsec_openresty_bouncer
+++ b/scripts/install-crowdsec_openresty_bouncer
@@ -4,9 +4,15 @@ BLUE='\E[1;34m'
 CYAN='\E[1;36m'
 YELLOW='\E[1;33m'
 GREEN='\E[1;32m'
+RED='\E[1;31m'
 RESET='\E[0m'
-echo -e "${BLUE}❯ ${CYAN}Installing Crowdsec OpenResty Bouncer ${YELLOW}${CROWDSEC_OPENRESTY_BOUNCER_VERSION}...${RESET}"
+echo -e "${BLUE}❯ ${CYAN}Installing Crowdsec OpenResty Bouncer ${YELLOW}${CROWDSEC_OPENRESTY_BOUNCER_VERSION:-}...${RESET}"
+
+if [ "${CROWDSEC_OPENRESTY_BOUNCER_VERSION:-}" = "" ]; then
+ echo -e "${RED}❯ ERROR: CROWDSEC_OPENRESTY_BOUNCER_VERSION environment variable is not set!${RESET}"
+ exit 1
+fi
 cd /tmp
 wget "https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz"
@@ -17,6 +23,6 @@ cd /tmp/crowdsec
 bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/etc/nginx/lualib --CONFIG_PATH=/defaults/crowdsec --DATA_PATH=/defaults/crowdsec --docker
 sed -i 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf
-rm /tmp/crowdsec
+rm -rf /tmp/crowdsec
 echo -e "${BLUE}❯ ${GREEN}OpenResty plugins install completed${RESET}"
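Review bot: The new guard only rejects an empty CROWDSEC_OPENRESTY_BOUNCER_VERSION; any other string is still interpolated into the download URL on the `wget` line below it. Since the value arrives as a build argument, checking its shape costs one line and covers the empty case as well: `if ! [[ "${CROWDSEC_OPENRESTY_BOUNCER_VERSION:-}" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then` in place of the `= ""` test. The error line would also be better sent to stderr (`>&2`) so that it is separated from the normal progress output.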