diff --git a/.gitignore b/.gitignore
index 6df0d52..c76f78e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,14 @@ syncthing/config/*
 transmission/config/*
 proxy/nginx/conf.d/default.conf
+proxy/nginx/logs/*
 proxy/ssl/conf/*
 proxy/ssl/www/*
 proxy/ddns/domains.txt
+proxy/crowdsec/*
+!proxy/crowdsec/config
+proxy/crowdsec/config/*
+!proxy/crowdsec/config/acquis.yaml
 gitea/data/*
 gitea/db
diff --git a/proxy/.env.example b/proxy/.env.example
index ced3f68..955825f 100644
--- a/proxy/.env.example
+++ b/proxy/.env.example
@@ -1,2 +1,3 @@
 REGRU_LOGIN=login
 REGRU_PASSWORD=password
+CROWDSEC_API_KEY=api_key
diff --git a/proxy/crowdsec/config/.keep b/proxy/crowdsec/config/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/proxy/crowdsec/config/acquis.yaml b/proxy/crowdsec/config/acquis.yaml
new file mode 100644
index 0000000..2a21b8b
--- /dev/null
+++ b/proxy/crowdsec/config/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+ - /var/log/nginx/*.log
+labels:
+ type: nginx
diff --git a/proxy/docker-compose.yml b/proxy/docker-compose.yml
index 9638956..28df8a9 100644
--- a/proxy/docker-compose.yml
+++ b/proxy/docker-compose.yml
@@ -11,6 +11,8 @@ services:
 # Папки для SSL сертификатов
 - ./ssl/conf:/etc/letsencrypt:ro
 - ./ssl/www:/var/www/certbot:ro
+ # Логи для канали CrowdSec
+ - ./nginx/logs:/var/log/nginx
 # Подхватываем новые ssl сертификаты
 command: /bin/sh -c "while :; do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g 'daemon off;'"
 deploy:
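Review bot: `CROWDSEC_API_KEY=api_key` is added to proxy/.env.example, but nothing in the visible compose hunks consumes it: the crowdsec service declares no such variable, and the bouncer key is produced by `cscli bouncers add` and pasted by hand in install-bouncer.sh. As written, a reader will assume the key is wired through the environment when it is not. Either drop the line until something reads it, or use it to template the bouncer config, and in the meantime say which component it is meant for with a comment such as `# API key for the host firewall bouncer (see install-bouncer.sh)`. If a later commit already uses it, this is only a documentation point.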
@@ -26,6 +28,40 @@ services:
 - cloud_network
 - matrix_network
+ crowdsec:
+ image: crowdsecurity/crowdsec:latest
+ container_name: crowdsec
+ restart: always
+ environment:
+ # Какие коллекции правил установить сразу
+ COLLECTIONS: "crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
+ # Чтобы не захламлять вывод, можно включить только ошибки
+ # LEVEL_TRACE: "false"
+ volumes:
+ # Читаем логи Nginx
+ - ./nginx/logs:/var/log/nginx:ro
+ # Конфигурация и база данных
+ - ./crowdsec/config:/etc/crowdsec
+ - ./crowdsec/data:/var/lib/crowdsec/data
+ ports:
+ - 8081:8080
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 256M
+
+ dashboard:
+ image: crowdsecurity/dashboard
+ container_name: crowdsec-dashboard
+ restart: always
+ environment:
+ - MB_DB_FILE=/data/metabase.db
+ volumes:
+ - ./crowdsec/data:/data
+ ports:
+ - 3001:3000
+
 certbot:
 image: certbot/certbot
 container_name: certbot
diff --git a/proxy/install-bouncer.sh b/proxy/install-bouncer.sh
new file mode 100644
index 0000000..92e0042
--- /dev/null
+++ b/proxy/install-bouncer.sh
@@ -0,0 +1,12 @@
+curl -s https://api.github.com/repos/crowdsecurity/cs-firewall-bouncer/releases/latest | grep browser_download_url | grep linux-amd64 | cut -d '"' -f 4 | wget -qi -
+tar xzvf crowdsec-firewall-bouncer-linux-amd64.tgz
+cd crowdsec-firewall-bouncer-v*/
+sudo ./install.sh
+
+# Получаем API KEY
+sudo docker exec crowdsec cscli bouncers add firewall-bouncer
+
+
+# Прописываем ключ в конфиге
+# Указваем так же API_URL (см docker-compose.yml, по умолчанию меняем на 8081)
+sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
diff --git a/proxy/nginx/conf.d/default.conf.example b/proxy/nginx/conf.d/default.conf.example
index f0ae52e..4821177 100644
--- a/proxy/nginx/conf.d/default.conf.example
+++ b/proxy/nginx/conf.d/default.conf.example
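Review bot: The CrowdSec Local API at `- 8081:8080` and the Metabase dashboard at `- 3001:3000` are published without a host address, so Docker binds them on every interface and both become reachable from outside the host, while the only consumer of the LAPI in this commit is the firewall bouncer installed on the host itself and the dashboard has nothing in front of it. Bind both to loopback, `- 127.0.0.1:8081:8080` and `- 127.0.0.1:3001:3000`, and reach the dashboard through an SSH tunnel or the existing nginx with access control; the `API_URL` hint in install-bouncer.sh keeps working because the bouncer talks to the loopback port. Separately, `crowdsecurity/crowdsec:latest` and the untagged `crowdsecurity/dashboard` are unpinned, so a routine pull can change the running version unnoticed; pin both to a release tag. The dashboard also mounts `./crowdsec/data` read-write and writes `metabase.db` into the same directory the crowdsec service uses for its own data, which deserves a comment so nobody later tightens that mount to `:ro` or moves the directory without checking both services.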
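Review bot: install-bouncer.sh has no shebang and no error handling, so if the download, the `tar`, or `cd crowdsec-firewall-bouncer-v*/` fails, the script carries on and runs `sudo ./install.sh` from whatever directory it happens to be in. Start the file with `#!/usr/bin/env bash` and `set -euo pipefail`, and make the directory change fail loudly, `cd crowdsec-firewall-bouncer-v*/ || exit 1`. The asset selection is `grep linux-amd64 | cut -d '"' -f 4 | wget -qi -`, which downloads every release asset whose URL contains that substring, and the archive is then unpacked and executed as root without comparing it against any checksum or signature the release may publish; verify it before `tar` if one is available. A short header comment should also state that this runs on the Docker host, not inside a container, and that the key printed by `sudo docker exec crowdsec cscli bouncers add firewall-bouncer` is the value expected in the bouncer yaml opened at the end.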
@@ -2,7 +2,10 @@ server {
 listen 80 default_server;
 listen [::]:80 default_server;
- server_name domain.ru www.domain.ru git.domain.ru disk.domain.ru matrix.domain.ru chat.domain.ru;
+ server_name domain.ru www.domain.ru git.domain.ru cloud.domain.ru m.domain.ru chat.domain.ru;
+
+ access_log /var/log/nginx/http_access.log main;
+ error_log /var/log/nginx/http_error.log;
 location /.well-known/acme-challenge/ {
 root /var/www/certbot;
@@ -23,6 +26,9 @@ server {
 ssl_certificate /etc/letsencrypt/live/domain.ru/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
+ access_log /var/log/nginx/root_access.log main;
+ error_log /var/log/nginx/root_error.log;
+
 location / {
 charset utf-8;
 default_type text/plain;
@@ -38,6 +44,9 @@ server {
 ssl_certificate /etc/letsencrypt/live/git.domain.ru/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/git.domain.ru/privkey.pem;
+ access_log /var/log/nginx/git_access.log main;
+ error_log /var/log/nginx/git_error.log;
+
 location / {
 proxy_pass http://gitea:3000;
 proxy_set_header Host $host;
@@ -50,10 +59,13 @@ server {
 # 4. Cloud
 server {
 listen 443 ssl;
- server_name disk.domain.ru;
+ server_name cloud.domain.ru;
- ssl_certificate /etc/letsencrypt/live/disk.domain.ru/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/disk.domain.ru/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/cloud.domain.ru/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.domain.ru/privkey.pem;
+
+ access_log /var/log/nginx/cloud_access.log main;
+ error_log /var/log/nginx/cloud_error.log;
 client_max_body_size 0;
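Review bot: The new `access_log` / `error_log` directives write named files into the bind-mounted `./nginx/logs` and nothing in the commit rotates them, so the files grow without bound on the host; the same applies to the root, git and cloud hunks here and to the matrix and element hunks of this file on the next line. Add a host logrotate entry for `proxy/nginx/logs/*.log` with `copytruncate` (or a `postrotate` step that sends `nginx -s reopen` into the container), since nginx otherwise keeps writing to the renamed file. Every `access_log` line also references the `main` log format, which has to be defined in nginx.conf outside this diff; the stock nginx.conf shipped in the nginx image does define it, but that dependency is worth stating once at the top of the file, e.g. `# "main" log_format is defined in /etc/nginx/nginx.conf; CrowdSec reads these files via acquis.yaml`.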
@@ -69,10 +81,13 @@ server {
 # 4. Matrix
 server {
 listen 443 ssl;
- server_name matrix.domain.ru;
+ server_name m.domain.ru;
- ssl_certificate /etc/letsencrypt/live/matrix.domain.ru/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/matrix.domain.ru/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/m.domain.ru/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/m.domain.ru/privkey.pem;
+
+ access_log /var/log/nginx/matrix_synapse_access.log main;
+ error_log /var/log/nginx/matrix_synapse_error.log;
 location / {
 proxy_pass http://matrix-synapse:8008;
@@ -102,6 +117,9 @@ server {
 ssl_certificate /etc/letsencrypt/live/chat.domain.ru/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/chat.domain.ru/privkey.pem;
+ access_log /var/log/nginx/matrix_element_access.log main;
+ error_log /var/log/nginx/matrix_element_error.log;
+
 location / {
 proxy_pass http://matrix-element;
 proxy_set_header Host $host;
diff --git a/proxy/nginx/logs/.keep b/proxy/nginx/logs/.keep
new file mode 100644
index 0000000..e69de29