From 950e35fbc4ff1849c67bc6c2ed7e95404ca00d6b Mon Sep 17 00:00:00 2001 From: Brian Munro Date: Sun, 20 Feb 2022 11:56:15 +0200 Subject: [PATCH 1/6] Supports overriding the default paths required for custom installs on docker containers. Required for Nginx-Proxy-Manager --- install.sh | 55 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 12 deletions(-) diff --git a/install.sh b/install.sh index e4bb811..8802903 100755 --- a/install.sh +++ b/install.sh @@ -9,6 +9,29 @@ PKG="apt" PACKAGE_LIST="dpkg -l" SSL_CERTS_PATH="/etc/ssl/certs/ca-certificates.crt" +#Accept cmdline arguments to overwrite options. +while [[ $# -gt 0 ]] +do + case $1 in + --NGINX_CONF_DIR=*) + NGINX_CONF_DIR="${1#*=}" + ;; + --LIB_PATH=*) + LIB_PATH="${1#*=}" + ;; + --CONFIG_PATH=*) + CONFIG_PATH="${1#*=}" + ;; + --DATA_PATH=*) + DATA_PATH="${1#*=}" + ;; + --docker) + DOCKER=1 + ;; + esac + shift +done + check_pkg_manager(){ if [ -f /etc/redhat-release ]; then PKG="yum" @@ -35,10 +58,16 @@ requirement() { } gen_config_file() { - SUFFIX=`tr -dc A-Za-z0-9 "${CONFIG_PATH}crowdsec-openresty-bouncer.conf" - echo "New API key generated in config '${CONFIG_PATH}crowdsec-openresty-bouncer.conf'" + if [ -z ${DOCKER} ]; then + SUFFIX=`tr -dc A-Za-z0-9 "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + # Not sure why couldn't patch the path useing envsubst + sed -i 's|/var/lib/crowdsec/lua|'${DATA_PATH}'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" } check_openresty_dependency() { 
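Review bot: The option loop added at the top has no `*)` arm and never initialises `DOCKER`, so a mistyped override (for example `--CONFIG-PATH=...`, a constructed sample) is silently ignored and the install proceeds against the default paths. A `DOCKER` value already exported in the environment also switches off the root and dependency checks guarded in the last hunk of this patch. I would add `DOCKER=""` before the loop and a default arm `*) echo "Unknown option: $1" >&2; exit 1 ;;`. The `[ -z ${DOCKER} ]` tests only work because the unquoted empty expansion collapses to `[ -z ]`; `[ -z "${DOCKER}" ]` states the intent.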
@@ -87,24 +116,26 @@ check_lua_dependency() { install() { - mkdir -p ${DATA_PATH}templates/ - - cp -r lua/lib/* ${LIB_PATH} - cp templates/* ${DATA_PATH}templates/ + mkdir -p ${DATA_PATH}/templates/ + cp -r lua/lib/* ${LIB_PATH}/ + cp templates/* ${DATA_PATH}/templates/ + #Patch the nginx config file SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" + sed -i 's|/etc/crowdsec/bouncers|'${CONFIG_PATH}'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" } -if ! [ $(id -u) = 0 ]; then +if ! [ $(id -u) = 0 ] && [ -z ${DOCKER} ]; then log_err "Please run the install script as root or with sudo" exit 1 fi -check_pkg_manager +#Fix paths +[ -z ${DOCKER} ] && check_pkg_manager requirement -check_openresty_dependency -check_lua_dependency +[ -z ${DOCKER} ] && check_openresty_dependency +[ -z ${DOCKER} ] && check_lua_dependency gen_config_file install echo "crowdsec-openresty-bouncer installed successfully" From 97582fcbc6ab7808e2feb843bcb66468d00d3ea3 Mon Sep 17 00:00:00 2001 From: Brian Munro Date: Sun, 20 Feb 2022 11:56:54 +0200 Subject: [PATCH 2/6] Don't show restart information for docker. --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index 8802903..e5bc08c 100755 --- a/install.sh +++ b/install.sh @@ -139,4 +139,4 @@ requirement gen_config_file install echo "crowdsec-openresty-bouncer installed successfully" -echo "Run 'sudo systemctl restart openresty.service' to start openresty-bouncer" \ No newline at end of file +[ -z ${DOCKER} ] && echo "Run 'sudo systemctl restart openresty.service' to start openresty-bouncer" \ No newline at end of file From b28521031fdfc915bda7df9a650122077a7cd9bf Mon Sep 17 00:00:00 2001 From: Brian Munro Date: Mon, 21 Feb 2022 10:52:18 +0200 Subject: [PATCH 3/6] Remove resolver in a patch line, might be required for a clean install but when using on a presetup system this could already be supplied. --- install.sh | 1 + 1 file changed, 1 insertion(+) 
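Review bot: In install(), `sed -i 's|/etc/crowdsec/bouncers|'${CONFIG_PATH}'|' ...` splices a command-line value straight into the sed expression: the unquoted expansion word-splits on spaces, and a path containing `|`, `&` or a backslash changes what sed does instead of being written literally. The same construction is used for `${DATA_PATH}` in gen_config_file. Quoting is added later in this series, but the delimiter and `&` handling are not; escaping the value first covers both, e.g. `esc=$(printf '%s' "${CONFIG_PATH}" | sed 's/[|&\\]/\\&/g')` followed by `sed -i "s|/etc/crowdsec/bouncers|${esc}|" ...`.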
diff --git a/install.sh b/install.sh index e5bc08c..1fb643c 100755 --- a/install.sh +++ b/install.sh @@ -123,6 +123,7 @@ install() { #Patch the nginx config file SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" sed -i 's|/etc/crowdsec/bouncers|'${CONFIG_PATH}'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" + [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}" } From 4e21c7a63342ed2f5547630be4aaabfdec9300b5 Mon Sep 17 00:00:00 2001 From: Brian Munro Date: Mon, 21 Feb 2022 13:07:13 +0200 Subject: [PATCH 4/6] Fixed shellcheck issues Support patching an existing config file instead of overwriting it I have sanity tested this on my Nginx-Proxy-Manager fork. Though have not tested the standalone installs. --- install.sh | 95 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 60 insertions(+), 35 deletions(-) diff --git a/install.sh b/install.sh index 1fb643c..a62c50e 100755 --- a/install.sh +++ b/install.sh @@ -1,5 +1,5 @@ #!/bin/bash - +echo "Starting Crowdsec Openresty Bouncer install" NGINX_CONF="crowdsec_openresty.conf" NGINX_CONF_DIR="/usr/local/openresty/nginx/conf/conf.d/" LIB_PATH="/usr/local/openresty/lualib/" @@ -26,7 +26,7 @@ do DATA_PATH="${1#*=}" ;; --docker) - DOCKER=1 + DOCKER="1" ;; esac shift @@ -37,7 +37,7 @@ check_pkg_manager(){ PKG="yum" PACKAGE_LIST="yum list installed" SSL_CERTS_PATH="/etc/ssl/certs/ca-bundle.crt" - elif cat /etc/system-release | grep -q "Amazon Linux release 2 (Karoo)"; then + elif grep -q "Amazon Linux release 2 (Karoo)" < /etc/system-release ; then PKG="yum" PACKAGE_LIST="yum list installed" SSL_CERTS_PATH="/etc/ssl/certs/ca-bundle.crt" 
@@ -58,33 +58,51 @@ requirement() { } gen_config_file() { - if [ -z ${DOCKER} ]; then - SUFFIX=`tr -dc A-Za-z0-9 "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + echo "New API key generated to be used in '${CONFIG_PATH}/crowdsec-openresty-bouncer.conf'" + else + #Docker doesn't support envsubst by default + API_KEY="1234567890abcdef" + cp config/config_example.conf "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + sed -i 's|API_KEY=.*|API_KEY='${API_KEY}'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + sed -i 's|CROWDSEC_LAPI_URL=.*|CROWDSEC_LAPI_URL="http://127.0.0.1:8080"|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + fi else - API_KEY="1234567890abcdef" + #Patch the existing file with new parameters if the need to be added + echo "Patch crowdsec-openresty-bouncer.conf .." + sed "s/=.*//g" "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" > /tmp/crowdsec.conf.raw + sed "s/=.*//g" ./config/config_example.conf > /tmp/config_example.conf.raw + if grep -vf /tmp/crowdsec.conf.raw /tmp/config_example.conf.raw ; then + grep -vf /tmp/crowdsec.conf.raw /tmp/config_example.conf.raw > /tmp/config_example.newvals + cp "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf.bak" + #Make sure we start on a new line. 
+ echo "" >>"${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + grep -f /tmp/config_example.newvals /tmp/crowdsec/config/config_example.conf >> "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + fi fi - API_KEY=${API_KEY} CROWDSEC_LAPI_URL="http://127.0.0.1:8080" envsubst < ./config/config_example.conf > "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" - # Not sure why couldn't patch the path useing envsubst - sed -i 's|/var/lib/crowdsec/lua|'${DATA_PATH}'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + # Not sure why couldn't patch the path using envsubst + sed -i 's|/var/lib/crowdsec/lua|'"${DATA_PATH}"'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" } check_openresty_dependency() { - DEPENDENCY=( - "openresty-opm" - ) - for dep in ${DEPENDENCY[@]}; + DEPENDENCY=( \ + "openresty-opm" \ + ) + for dep in "${DEPENDENCY[@]}"; do - $PACKAGE_LIST | grep ${dep} > /dev/null - if [[ $? != 0 ]]; then + if ! $PACKAGE_LIST | grep "${dep}" > /dev/null; then echo "${dep} not found, do you want to install it (Y/n)? " - read answer + read -r answer if [[ ${answer} == "" ]]; then answer="y" fi if [ "$answer" != "${answer#[Yy]}" ] ;then - "$PKG" install -y -qq ${dep} > /dev/null && echo "${dep} successfully installed" + "$PKG" install -y -qq "${dep}" > /dev/null && echo "${dep} successfully installed" else echo "unable to continue without ${dep}. Exiting" && exit 1 fi 
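Review bot: The patch-existing-config branch of gen_config_file writes to fixed names under /tmp (`/tmp/crowdsec.conf.raw`, `/tmp/config_example.conf.raw`, `/tmp/config_example.newvals`) while the script normally runs as root, so on a shared host a pre-existing symlink at one of those names redirects a root write to the link target; the files are also never cleaned up. The final `grep` reads `/tmp/crowdsec/config/config_example.conf`, a path nothing in this script creates, while every other reference uses `./config/config_example.conf`, so outside the author's build layout the append step adds nothing. The rewrite below keeps the logic, moves the scratch files into a `mktemp -d` directory and reads the template from the relative path. The start of the function is damaged in this rendering, so only the else branch is shown.

```shell
    # … unchanged: echo "Patch crowdsec-openresty-bouncer.conf .." …
    local conf scratch
    conf="${CONFIG_PATH}/crowdsec-openresty-bouncer.conf"
    # Private scratch directory instead of predictable names in /tmp.
    scratch=$(mktemp -d) || exit 1
    sed "s/=.*//g" "${conf}" > "${scratch}/current.keys"
    sed "s/=.*//g" ./config/config_example.conf > "${scratch}/example.keys"
    if grep -vf "${scratch}/current.keys" "${scratch}/example.keys" > "${scratch}/new.keys"; then
      cp "${conf}" "${conf}.bak"
      # Make sure we start on a new line.
      echo "" >> "${conf}"
      grep -f "${scratch}/new.keys" ./config/config_example.conf >> "${conf}"
    fi
    rm -rf -- "${scratch}"
```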
@@ -93,20 +111,20 @@ check_openresty_dependency() { } check_lua_dependency() { - DEPENDENCY=( - "pintsized/lua-resty-http" + DEPENDENCY=( \ + "pintsized/lua-resty-http" \ ) - for dep in ${DEPENDENCY[@]}; + for dep in "${DEPENDENCY[@]}"; do - opm list | grep ${dep} > /dev/null - if [[ $? != 0 ]]; then + + if ! opm list | grep "${dep}" > /dev/null; then echo "${dep} not found, do you want to install it (Y/n)? " - read answer + read -r answer if [[ ${answer} == "" ]]; then answer="y" fi if [ "$answer" != "${answer#[Yy]}" ] ;then - opm get ${dep} > /dev/null && echo "${dep} successfully installed" + opm get "${dep}" > /dev/null && echo "${dep} successfully installed" else echo "unable to continue without ${dep}. Exiting" && exit 1 fi 
@@ -116,23 +134,29 @@ check_lua_dependency() { install() { - mkdir -p ${DATA_PATH}/templates/ + mkdir -p "${DATA_PATH}/templates/" - cp -r lua/lib/* ${LIB_PATH}/ - cp templates/* ${DATA_PATH}/templates/ + cp -r lua/lib/* "${LIB_PATH}/" + cp templates/* "${DATA_PATH}/templates/" #Patch the nginx config file - SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" - sed -i 's|/etc/crowdsec/bouncers|'${CONFIG_PATH}'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" + if [ -z ${DOCKER} ]; then + SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" + else + cp openresty/${NGINX_CONF} "${NGINX_CONF_DIR}/${NGINX_CONF}" + # shellcheck disable=SC2016 #We need to change the actual variable here + sed -i 's|${SSL_CERTS_PATH}|'${SSL_CERTS_PATH}'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" + fi + sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" + #Some docker images like Nginx Proxy Manager has this defined already. [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}" } -if ! [ $(id -u) = 0 ] && [ -z ${DOCKER} ]; then - log_err "Please run the install script as root or with sudo" +if ! [ "$(id -u)" = 0 ] && [ -z ${DOCKER} ]; then + echo "Please run the install script as root or with sudo" exit 1 fi -#Fix paths [ -z ${DOCKER} ] && check_pkg_manager requirement [ -z ${DOCKER} ] && check_openresty_dependency @@ -140,4 +164,5 @@ requirement gen_config_file install echo "crowdsec-openresty-bouncer installed successfully" -[ -z ${DOCKER} ] && echo "Run 'sudo systemctl restart openresty.service' to start openresty-bouncer" \ No newline at end of file +[ -z ${DOCKER} ] && echo "Run 'sudo systemctl restart openresty.service' to start openresty-bouncer" +exit 0 \ No newline at end of file From e957d044d66eaa56c73b8b45dc020224e913173a Mon Sep 17 00:00:00 2001 
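Review bot: The `exit 0` appended at the end of the script makes it report success unconditionally, and none of the `cp`, `envsubst` or `sed` calls in install() and gen_config_file have their status checked, so a failed copy or an unreadable template still ends with "crowdsec-openresty-bouncer installed successfully" and a zero exit code. In a container build that can produce an image in which the bouncer configuration was never written, with nothing in the build log marking it as a failure. Adding `set -e` after the shebang, or `|| exit 1` on the copy and template steps, would let callers see the failure. The rest of the file is not visible here, so check that no other command relies on a non-zero status being ignored.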
From: Brian Munro Date: Tue, 8 Mar 2022 11:28:54 +0200 Subject: [PATCH 5/6] use envsubst where possible, docker image will need this package added to work Fixed formating. Don't try generate APIKEY if cscli is not present, just leave the apikey empty. --- install.sh | 48 ++++++++++++++++++------------------------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/install.sh b/install.sh index a62c50e..ea7243b 100755 --- a/install.sh +++ b/install.sh @@ -13,21 +13,21 @@ SSL_CERTS_PATH="/etc/ssl/certs/ca-certificates.crt" while [[ $# -gt 0 ]] do case $1 in - --NGINX_CONF_DIR=*) - NGINX_CONF_DIR="${1#*=}" - ;; - --LIB_PATH=*) - LIB_PATH="${1#*=}" + --NGINX_CONF_DIR=*) + NGINX_CONF_DIR="${1#*=}" + ;; + --LIB_PATH=*) + LIB_PATH="${1#*=}" + ;; + --CONFIG_PATH=*) + CONFIG_PATH="${1#*=}" ;; - --CONFIG_PATH=*) - CONFIG_PATH="${1#*=}" - ;; --DATA_PATH=*) - DATA_PATH="${1#*=}" - ;; + DATA_PATH="${1#*=}" + ;; --docker) - DOCKER="1" - ;; + DOCKER="1" + ;; esac shift done 
@@ -60,18 +60,13 @@ requirement() { gen_config_file() { #Don't overwrite the existing file if [ ! -f "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" ]; then - if [ -z ${DOCKER} ]; then + #check if cscli is available, this can be installed on systems without crowdsec installed + if cscli version 2>&1 /dev/null; then SUFFIX=$(tr -dc A-Za-z0-9 "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" - echo "New API key generated to be used in '${CONFIG_PATH}/crowdsec-openresty-bouncer.conf'" - else - #Docker doesn't support envsubst by default - API_KEY="1234567890abcdef" - cp config/config_example.conf "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" - sed -i 's|API_KEY=.*|API_KEY='${API_KEY}'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" - sed -i 's|CROWDSEC_LAPI_URL=.*|CROWDSEC_LAPI_URL="http://127.0.0.1:8080"|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" fi + API_KEY=${API_KEY} CROWDSEC_LAPI_URL="http://127.0.0.1:8080" envsubst < ./config/config_example.conf > "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + echo "New API key generated to be used in '${CONFIG_PATH}/crowdsec-openresty-bouncer.conf'" else #Patch the existing file with new parameters if the need to be added echo "Patch crowdsec-openresty-bouncer.conf .." @@ -81,11 +76,10 @@ gen_config_file() { grep -vf /tmp/crowdsec.conf.raw /tmp/config_example.conf.raw > /tmp/config_example.newvals cp "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf.bak" #Make sure we start on a new line. - echo "" >>"${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" + echo "" >>"${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" grep -f /tmp/config_example.newvals /tmp/crowdsec/config/config_example.conf >> "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" fi fi - # Not sure why couldn't patch the path using envsubst sed -i 's|/var/lib/crowdsec/lua|'"${DATA_PATH}"'|' "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" } 
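Review bot: The new probe `if cscli version 2>&1 /dev/null; then` in gen_config_file does not silence cscli: `2>&1` merges stderr into stdout and `/dev/null` is passed to cscli as an extra argument, so the version banner or the "command not found" error lands in the install output and the result depends on how cscli treats the stray argument. `if command -v cscli >/dev/null 2>&1; then` tests for the binary without running it. As far as the visible lines show, `API_KEY` is also never cleared before this branch, so when cscli is absent a value inherited from the environment is what gets written into the config; `API_KEY=""` ahead of the `if` would make the empty-key case explicit.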
@@ -139,13 +133,7 @@ install() { cp -r lua/lib/* "${LIB_PATH}/" cp templates/* "${DATA_PATH}/templates/" #Patch the nginx config file - if [ -z ${DOCKER} ]; then - SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" - else - cp openresty/${NGINX_CONF} "${NGINX_CONF_DIR}/${NGINX_CONF}" - # shellcheck disable=SC2016 #We need to change the actual variable here - sed -i 's|${SSL_CERTS_PATH}|'${SSL_CERTS_PATH}'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" - fi + SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}" sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}" #Some docker images like Nginx Proxy Manager has this defined already. [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}" From cd2d569158299d5c4d1ffb50270b1e274f5b8e80 Mon Sep 17 00:00:00 2001 From: Brian Munro Date: Tue, 8 Mar 2022 11:49:02 +0200 Subject: [PATCH 6/6] added if statement to notice about new API key, if cscli is not available don't show it. --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index ea7243b..7a9f8f1 100755 --- a/install.sh +++ b/install.sh @@ -66,7 +66,7 @@ gen_config_file() { API_KEY=$(cscli bouncers add "crowdsec-openresty-bouncer-${SUFFIX}" -o raw) fi API_KEY=${API_KEY} CROWDSEC_LAPI_URL="http://127.0.0.1:8080" envsubst < ./config/config_example.conf > "${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" - echo "New API key generated to be used in '${CONFIG_PATH}/crowdsec-openresty-bouncer.conf'" + [ -n "${API_KEY}" ] && echo "New API key generated to be used in '${CONFIG_PATH}/crowdsec-openresty-bouncer.conf'" else #Patch the existing file with new parameters if the need to be added echo "Patch crowdsec-openresty-bouncer.conf .."
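Review bot: The restored `envsubst < openresty/${NGINX_CONF}` call in install() is given no variable list, so every `$name` or `${name}` in the nginx template is substituted from the environment and any that is unset becomes an empty string. Only `SSL_CERTS_PATH` is meant to be filled in here, so I would restrict it: `envsubst '${SSL_CERTS_PATH}' < "openresty/${NGINX_CONF}" > "${NGINX_CONF_DIR}/${NGINX_CONF}"`. The template is not part of this diff, so whether it holds other `$` references today is unverified; the restriction also guards against later additions. install() is only partly inside the hunk.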
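Review bot: With this guard the empty-key case becomes silent: when cscli is missing, the config is still written with an empty `API_KEY` and the run ends with "installed successfully", leaving the operator no hint that the bouncer has no credential for the local API. I would make the line an `if`/`else` whose else arm warns on stderr, e.g. `echo "No API key generated; set API_KEY in ${CONFIG_PATH}/crowdsec-openresty-bouncer.conf" >&2`. How the bouncer behaves with an empty key is not visible in this diff and should be confirmed before relying on it.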