diff --git a/Dockerfile b/Dockerfile
index 5683d8b..fc480a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ RUN apk add --no-cache nginx nginx-mod-http-brotli nginx-mod-http-headers-more b
 
 # Copy custom config
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/ /etc/nginx/conf.d/
 
 # Copy snippets
 COPY snippets/ /etc/nginx/snippets/
diff --git a/Dockerfile.fail2ban b/Dockerfile.fail2ban
new file mode 100644
index 0000000..a565d91
--- /dev/null
+++ b/Dockerfile.fail2ban
@@ -0,0 +1,4 @@
+FROM crazymax/fail2ban:latest
+
+# Copy fail2ban configurations
+COPY fail2ban/ /data/
diff --git a/Dockerfile.modsec b/Dockerfile.modsec
new file mode 100644
index 0000000..58e5476
--- /dev/null
+++ b/Dockerfile.modsec
@@ -0,0 +1,7 @@
+FROM owasp/modsecurity-crs:nginx-alpine
+
+# Copy custom configuration template
+COPY modsec.conf.template /etc/nginx/templates/modsecurity.d/modsecurity.conf.template
+
+# Copy custom rules
+COPY modsec_rules/ /etc/nginx/custom_rules/
diff --git a/docker-compose.yml b/docker-compose.yml
index 94a2cb1..093c516 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,9 @@ services:
   # ModSecurity WAF (Frente do NGINX)
   # ============================================
   modsecurity:
-    image: owasp/modsecurity-crs:nginx-alpine
+    build:
+      context: .
+      dockerfile: Dockerfile.modsec
     container_name: modsecurity-waf
     restart: always
     ports:
@@ -15,10 +17,8 @@ services:
       - ANOMALY_INBOUND=5
       - ANOMALY_OUTBOUND=4
     volumes:
-      - ./ssl:/etc/nginx/ssl:ro
+      - ssl_data:/etc/nginx/ssl:ro
       - modsec_logs:/var/log/modsecurity
-      - ./modsec_rules:/etc/nginx/custom_rules
-      - ./modsec.conf.template:/etc/nginx/templates/modsecurity.d/modsecurity.conf.template
     depends_on:
      - nginx-proxy
     extra_hosts:
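Review bot: `FROM crazymax/fail2ban:latest` in Dockerfile.fail2ban pins nothing, and the same applies to `FROM owasp/modsecurity-crs:nginx-alpine` in Dockerfile.modsec, so each rebuild can silently pull a different upstream image. For fail2ban this matters more than usual, because the docker-compose.yml hunks show it running with `network_mode: host` plus NET_ADMIN and NET_RAW, so an unreviewed upstream change lands with host-level privileges. Pin both to a release tag, preferably with a digest, e.g. `FROM crazymax/fail2ban:<version>@sha256:<digest>` with the values taken from the registry, and bump them deliberately.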
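Review bot: `context: .` sends the whole repository to the builder, and the bind mounts removed in this file show that `./ssl` and `./certbot/conf` (TLS keys and Let's Encrypt state) lived in that directory; neither Dockerfile copies them, but if they are still on disk and there is no `.dockerignore`, they are uploaded as part of every build context for this service and for the fail2ban service in the later hunk. Add a `.dockerignore` listing at least `ssl/`, `certbot/`, `.git/` and `.env`, or narrow each `context:` to a subdirectory holding only what the Dockerfile copies. Neither option changes the resulting images.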
@@ -47,14 +47,11 @@ services:
     environment:
       - HOST_PUBLIC_IP=${HOST_PUBLIC_IP}
     volumes:
-      - ./conf.d:/etc/nginx/conf.d
-      - ./ssl:/etc/nginx/ssl
-      - ./snippets:/etc/nginx/snippets
+      - ssl_data:/etc/nginx/ssl
       - nginx_cache:/var/cache/nginx
       - nginx_logs:/var/log/nginx
-      - ./certbot/conf:/etc/letsencrypt
-      - ./certbot/www:/var/www/certbot
-      - ./:/opt/repo
+      - certbot_data_conf:/etc/letsencrypt
+      - certbot_data_www:/var/www/certbot
     extra_hosts:
       - "host.docker.internal:host-gateway"
       - "server-254:10.10.253.254"
@@ -75,7 +72,9 @@ services:
   # Fail2ban (LĂȘ logs e bane IPs)
   # ============================================
   fail2ban:
-    image: crazymax/fail2ban:latest
+    build:
+      context: .
+      dockerfile: Dockerfile.fail2ban
     container_name: fail2ban
     restart: always
     network_mode: host
@@ -83,7 +82,6 @@ services:
       - NET_ADMIN
       - NET_RAW
     volumes:
-      - ./fail2ban:/data
       - nginx_logs:/var/log/nginx:ro
       - modsec_logs:/var/log/modsecurity:ro
 
@@ -91,3 +89,6 @@ volumes:
   nginx_cache:
   nginx_logs:
   modsec_logs:
+  ssl_data:
+  certbot_data_conf:
+  certbot_data_www:
diff --git a/scripts/pre-flight.sh b/scripts/pre-flight.sh
index 37a4cba..6cdb6f8 100644
--- a/scripts/pre-flight.sh
+++ b/scripts/pre-flight.sh
@@ -35,8 +35,8 @@ echo "[Pre-Flight] Running SSL renewal check..."
 /scripts/renew_ssl.sh
 
 # Setup Daily Cron for Renewal (run at 01:00)
-# Sync Git Repo every 5 minutes
-echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /etc/crontabs/root
+# Setup Daily Cron for Renewal (run at 01:00)
+echo "0 1 * * * /scripts/renew_ssl.sh >> /var/log/nginx/ssl_renew.log 2>&1" >> /etc/crontabs/root
 
 # Start Crond in background
 crond -b -l 8
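Review bot: Dropping `- ./fail2ban:/data` leaves `/data` with no persistent mount, so whatever fail2ban writes there at runtime lives only in the container's writable layer and is lost whenever the container is recreated, which every image rebuild for a config change now causes; the `COPY fail2ban/ /data/` in Dockerfile.fail2ban only provides the configuration. If the image keeps its ban database under `/data/db` (crazymax/fail2ban documents that path, worth confirming against the image you pin), add `- fail2ban_db:/data/db` to this list and `fail2ban_db:` to the top-level `volumes:` block in the next hunk, so ban state survives recreation without shadowing the copied configuration.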
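Review bot: The new `echo "0 1 * * * ..." >> /etc/crontabs/root` appends on every run of this script; assuming it is the nginx-proxy entrypoint and that service uses `restart: always` like the others in docker-compose.yml, each restart reuses the container filesystem and adds one more copy of the renewal job, so duplicates accumulate until the container is recreated. Guard the append, e.g. `grep -qF '/scripts/renew_ssl.sh' /etc/crontabs/root 2>/dev/null || echo "0 1 * * * /scripts/renew_ssl.sh >> /var/log/nginx/ssl_renew.log 2>&1" >> /etc/crontabs/root`. The added `# Setup Daily Cron for Renewal (run at 01:00)` comment also repeats the context line directly above it, so one of the two can go. The rest of the script is outside the hunk.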