theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: theraw/The-World-Is-Yours:0.0.1
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1
..
compare: theraw/The-World-Is-Yours:0db40af7609659f044ad9748b2de9f7e228cf73e
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1

88 Commits
0.0.1 .. 0db40af760

Author SHA1 Message Date
root 0db40af760 2026
build-and-publish / build (push) Successful in 3m18s
Details
2026-04-26 01:52:34 +00:00
root 6689fd295b 2026
build-and-publish / build (push) Has been cancelled
Details
2026-04-26 01:38:39 +00:00
root 51b6eaa694 implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
build-and-publish / build (push) Successful in 3m18s
Details 
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
 2026-04-26 01:09:28 +00:00
root f703f1eaba cleanup
build-and-publish / build (push) Successful in 2m53s
Details
2026-04-25 23:29:29 +00:00
root aa7d66f142 Repo release
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:24:55 +00:00
claude 44efd905c5 ci: drop dpkg-sig per-deb signing (broken on modern .debs); rely on Nexus repo signing for apt trust chain
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:18:04 +00:00
claude e4d458b185 ci: harden secret handling — tmpfs in /dev/shm, file-based passphrase, netrc auth, EXIT trap
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 21:12:55 +00:00
claude f8a197dc49 ci: fix self-mv on deb path; drop stale .github workflow
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:02:20 +00:00
claude 72bc3fa999 ci: add Gitea Actions workflow to build and publish to apt.julio.al/raweb
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 20:57:11 +00:00
𝓙𝓾𝓵𝓲𝓸 e38493230a LUA not supported yet on latest version
Build and Publish NGINX / build (push) Failing after 3m11s
Details
2025-02-18 23:54:18 +01:00
𝓙𝓾𝓵𝓲𝓸 cfb2467782 Merge pull request #37 from theraw/ffs 
Ffs
 2025-02-10 22:52:27 +01:00
𝓙𝓾𝓵𝓲𝓸 e6f35b2a1f Update run.sh 2025-02-10 22:52:09 +01:00
𝓙𝓾𝓵𝓲𝓸 1f8f1149cb Update main.yml 2025-02-10 22:50:50 +01:00
𝓙𝓾𝓵𝓲𝓸 a92ad6e145 Update main.yml 2025-02-10 22:49:23 +01:00
𝓙𝓾𝓵𝓲𝓸 467546961f Update main.yml 2025-02-10 22:46:19 +01:00
𝓙𝓾𝓵𝓲𝓸 b3ae758a82 Update main.yml 2025-02-10 22:45:02 +01:00
𝓙𝓾𝓵𝓲𝓸 400d814e20 Merge pull request #36 from theraw/remove-debug 
Remove debug
 2025-02-10 22:33:32 +01:00
𝓙𝓾𝓵𝓲𝓸 79442acea9 Update main.yml 2025-02-10 22:33:16 +01:00
𝓙𝓾𝓵𝓲𝓸 b84df55970 Update run.sh 2025-02-10 22:32:56 +01:00
𝓙𝓾𝓵𝓲𝓸 cb5ae02ea2 Update main.yml 2025-02-10 22:31:56 +01:00
𝓙𝓾𝓵𝓲𝓸 7b91c32759 debug 2025-02-10 22:26:33 +01:00
𝓙𝓾𝓵𝓲𝓸 599fa32c67 Update run.sh 2025-02-10 21:58:41 +01:00
𝓙𝓾𝓵𝓲𝓸 32edbddf07 Update main.yml 2025-02-09 19:15:07 +01:00
𝓙𝓾𝓵𝓲𝓸 57f25ecac9 Update main.yml 2025-02-09 19:00:49 +01:00
𝓙𝓾𝓵𝓲𝓸 0c5f4b47b4 🤦‍♂️ 2025-02-09 18:43:08 +01:00
𝓙𝓾𝓵𝓲𝓸 710daf1475 Update run.sh 2025-02-09 18:26:42 +01:00
𝓙𝓾𝓵𝓲𝓸 de647fc401 Update version 2025-02-09 18:10:15 +01:00
𝓙𝓾𝓵𝓲𝓸 f1d0957af9 Update main.yml 2024-09-01 13:10:13 +02:00
𝓙𝓾𝓵𝓲𝓸 e15b9d88f1 Update README.md 2024-09-01 13:08:15 +02:00
𝓙𝓾𝓵𝓲𝓸 06624021d4 Merge pull request #33 from theraw/theraw-testrun 
Theraw testrun
 2024-09-01 11:40:01 +02:00
𝓙𝓾𝓵𝓲𝓸 7069b0e0d6 Update main.yml 2024-09-01 11:25:09 +02:00
𝓙𝓾𝓵𝓲𝓸 201e399361 Update main.yml 2024-09-01 11:06:05 +02:00
𝓙𝓾𝓵𝓲𝓸 4f745516cd Update main.yml 2024-09-01 06:20:03 +02:00
𝓙𝓾𝓵𝓲𝓸 b6c8c9ce96 Update main.yml 2024-09-01 06:04:42 +02:00
𝓙𝓾𝓵𝓲𝓸 ebcd3a4d8c Update main.yml 2024-09-01 05:39:08 +02:00
𝓙𝓾𝓵𝓲𝓸 cd68adb0cd Update main.yml 2024-09-01 05:18:26 +02:00
𝓙𝓾𝓵𝓲𝓸 c8c4db0388 Update main.yml 2024-09-01 05:16:38 +02:00
𝓙𝓾𝓵𝓲𝓸 14bc66eac3 Update main.yml 2024-09-01 05:15:02 +02:00
𝓙𝓾𝓵𝓲𝓸 2a57da27dd Update main.yml 2024-09-01 05:12:52 +02:00
𝓙𝓾𝓵𝓲𝓸 14a7a13738 Create main.yml 2024-09-01 05:11:13 +02:00
𝓙𝓾𝓵𝓲𝓸 9e70a9eab5 Delete .github/workflows/main.yml 2024-09-01 05:10:47 +02:00
𝓙𝓾𝓵𝓲𝓸 92e1440c03 Create main.yml 2024-09-01 05:08:54 +02:00
𝓙𝓾𝓵𝓲𝓸 caf9b67fcf Delete .github/workflows/main.yml 2024-09-01 05:07:52 +02:00
𝓙𝓾𝓵𝓲𝓸 ed3bc18f9a Update main.yml 2024-09-01 05:03:13 +02:00
𝓙𝓾𝓵𝓲𝓸 ceb2f81038 Update main.yml 2024-09-01 05:01:01 +02:00
𝓙𝓾𝓵𝓲𝓸 0016be8b72 Update main.yml 2024-09-01 04:58:40 +02:00
𝓙𝓾𝓵𝓲𝓸 648b594996 Create main.yml 2024-09-01 04:56:56 +02:00
𝓙𝓾𝓵𝓲𝓸 32185fd641 Update version 2024-09-01 04:05:43 +02:00
𝓙𝓾𝓵𝓲𝓸 4cab377b5b Update nginx.service 2024-07-02 17:45:40 +02:00
𝓙𝓾𝓵𝓲𝓸 6cf028078e Update README.md 2024-05-22 23:25:20 +02:00
𝓙𝓾𝓵𝓲𝓸 3ee649efd1 Update README.md 2024-05-22 05:18:14 +02:00
𝓙𝓾𝓵𝓲𝓸 41a757b5b7 Update version 2024-05-22 04:37:44 +02:00
𝓙𝓾𝓵𝓲𝓸 8737f183d1 Update nginx.conf 2024-05-22 04:37:29 +02:00
𝓙𝓾𝓵𝓲𝓸 6f09ea58df Update run.sh 2024-05-22 04:34:39 +02:00
𝓙𝓾𝓵𝓲𝓸 529020368a Merge pull request #31 from theraw/v2-1 
V2
 2024-05-22 03:03:10 +02:00
𝓙𝓾𝓵𝓲𝓸 2e5b7df4c8 Update README.md 2024-05-22 03:01:58 +02:00
𝓙𝓾𝓵𝓲𝓸 134c3048a2 Update README.md 2024-05-22 03:01:39 +02:00
𝓙𝓾𝓵𝓲𝓸 b1ca949b49 Delete .github/workflows/docker-image.yml 2024-05-22 03:01:19 +02:00
𝓙𝓾𝓵𝓲𝓸 3c15da3e35 Update run.sh 2024-05-22 00:58:20 +02:00
𝓙𝓾𝓵𝓲𝓸 6758448534 Create default 2024-05-22 00:55:28 +02:00
𝓙𝓾𝓵𝓲𝓸 fe6e4c6d0c Delete static/default 2024-05-22 00:54:42 +02:00
𝓙𝓾𝓵𝓲𝓸 432ebd3ad7 Create nginx.conf 2024-05-22 00:54:24 +02:00
𝓙𝓾𝓵𝓲𝓸 d31bd00544 Delete static/Jammy/nginx.conf 2024-05-22 00:49:32 +02:00
𝓙𝓾𝓵𝓲𝓸 ae40bb737a Delete static/Jammy/mod directory 2024-05-22 00:49:24 +02:00
𝓙𝓾𝓵𝓲𝓸 25de9e247f Delete static/Focal/nginx.conf 2024-05-22 00:49:10 +02:00
𝓙𝓾𝓵𝓲𝓸 068a11acf5 Delete static/Focal/mod directory 2024-05-22 00:48:57 +02:00
𝓙𝓾𝓵𝓲𝓸 46fd3f371d Update index.html 2024-05-22 00:46:58 +02:00
𝓙𝓾𝓵𝓲𝓸 444e23648f Update default 2024-05-22 00:45:57 +02:00
𝓙𝓾𝓵𝓲𝓸 142468583e Update README.md 2024-05-22 00:42:54 +02:00
𝓙𝓾𝓵𝓲𝓸 45a172fb6b Update README.md 2024-05-22 00:42:05 +02:00
𝓙𝓾𝓵𝓲𝓸 1bf7898bd5 Update README.md 2024-05-22 00:41:08 +02:00
𝓙𝓾𝓵𝓲𝓸 99fe8e8793 Update README.md 2024-05-22 00:40:00 +02:00
𝓙𝓾𝓵𝓲𝓸 b2c326ac59 Update README.md 2024-05-22 00:33:59 +02:00
𝓙𝓾𝓵𝓲𝓸 9c757704e7 Update version 2024-05-22 00:14:01 +02:00
𝓙𝓾𝓵𝓲𝓸 8238550971 Update version 2024-05-22 00:13:33 +02:00
𝓙𝓾𝓵𝓲𝓸 01244b0efb Update run.sh 2024-05-22 00:11:18 +02:00
𝓙𝓾𝓵𝓲𝓸 4bb4d34cba Update README.md 2024-05-20 05:37:38 +02:00
𝓙𝓾𝓵𝓲𝓸 c5264a37b4 Update README.md 2024-05-20 05:37:17 +02:00
𝓙𝓾𝓵𝓲𝓸 1d5989a07e Update run.sh 2024-05-20 05:36:48 +02:00
ƬHE ЯAW ☣ b447fcc76c Update README.md 2024-03-06 00:40:56 +01:00
ƬHE ЯAW ☣ 20c045dbeb Update version 2024-03-06 00:39:38 +01:00
ƬHE ЯAW ☣ b9f9b236a0 Delete install 2024-03-06 00:38:50 +01:00
ƬHE ЯAW ☣ afdb697c37 Delete Dockerfile 2024-03-06 00:37:50 +01:00
ƬHE ЯAW ☣ 4cc4a9b7cc Create run.sh 2024-03-06 00:34:26 +01:00
ƬHE ЯAW ☣ 2f02f4b5f7 Update version 2024-01-30 02:02:44 +01:00
ƬHE ЯAW ☣ 33d5336a48 Update version 2023-09-02 20:44:37 +02:00
ƬHE ЯAW ☣ 2953575b1b not currently available. 2023-04-18 22:16:59 +02:00
ƬHE ЯAW ☣ df1651b1be added a premium version. 2023-03-22 05:06:21 +01:00
42 changed files with 946 additions and 969 deletions
Expand all files Collapse all files
.gitea/workflows/build-publish.yml
+289
View File
@@ -0,0 +1,289 @@
# =============================================================================
# build-and-publish
#
# Compiles a custom nginx (with ModSecurity, naxsi, lua, brotli, geoip2, etc.),
# packages the result as a Debian .deb named `twiy`, and uploads it to a
# Sonatype Nexus apt-hosted repository so users can install via `apt`.
#
# Triggers:
# * Every push to master.
# * Manual run from the Actions UI (workflow_dispatch).
#
# Required repository secrets (see the "Publish to Nexus" step for details):
# NEXUS_USER, NEXUS_PASS, NEXUS_URL, NEXUS_REPO
# =============================================================================
name: build-and-publish
on:
push:
branches: [master]
workflow_dispatch:
jobs:
build:
# Pinned to ubuntu-22.04 because the build script targets the toolchain
# versions that ship with that release. Bumping this needs validation
# against the modules pinned in /version.
runs-on: ubuntu-22.04
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install build dependencies
run: |
set -euo pipefail
# Minimal toolchain to: build nginx (build-essential), package the
# output (dpkg-dev, fakeroot), and fetch sources (git, curl, wget).
# gnupg is kept in case a future step needs to verify upstream sigs.
sudo apt-get update -y
sudo apt-get install -y --no-install-recommends \
git curl wget ca-certificates dpkg-dev fakeroot \
build-essential gnupg
- name: Compile nginx and modules
run: |
set -euo pipefail
# Touch /.dockerenv so build/run.sh's container-detection branch is
# taken: it skips `systemctl start nginx` (the runner has no systemd).
# The .deb's own postinst handles service start on the user's host.
sudo touch /.dockerenv
sudo bash build/run.sh new # download sources for nginx + modules
sudo bash build/run.sh build # configure, compile, install
sudo bash build/run.sh postfix # drop default configs into /nginx
# ─────────────────────────────────────────────────────────────────────────
# Assemble the .deb by hand (we don't use debhelper because the build
# script already places everything at its final paths under the runner's
# root; we just need to mirror those paths into PKG_DIR and add control
# metadata).
# ─────────────────────────────────────────────────────────────────────────
- name: Assemble .deb package
id: pkg
run: |
set -euo pipefail
PKG_NAME="twiy"
NGINX_VER="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
# Append the CI run number as the Debian revision so each rebuild
# produces a strictly-greater version (e.g. 1.26.0-3 > 1.26.0-2 >
# 1.26.0). Without this, `apt upgrade twiy` would be a no-op when
# upstream nginx hasn't moved, so packaging fixes wouldn't reach
# users who already have the package installed.
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}"
ARCH="amd64"
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
DEB_DIR="${PKG_DIR}/DEBIAN"
# The `*_temp` dirs under /usr/local/nginx are nginx's compiled-in
# defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
# storage (no --http-*-temp-path was passed to ./configure). They
# must exist before `nginx -t` runs, so we ship them empty in the
# .deb and the postinst chowns them to the nginx user.
sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
"${PKG_DIR}/hostdata/default/public_html" \
"${PKG_DIR}/usr/nginx_lua" \
"${PKG_DIR}/usr/local/nginx/client_body_temp" \
"${PKG_DIR}/usr/local/nginx/proxy_temp" \
"${PKG_DIR}/usr/local/nginx/fastcgi_temp" \
"${PKG_DIR}/usr/local/nginx/uwsgi_temp" \
"${PKG_DIR}/usr/local/nginx/scgi_temp"
# Pull every artifact the build produced into the package tree.
# `|| true` on the recursive copies tolerates a missing source dir
# (e.g. when rebuilding without re-running postfix locally).
sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true
sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
# Bundle every shared library nginx links against. This makes the
# package self-contained: users don't need our exact build-host
# versions of libssl, libluajit, libmodsecurity, etc. The grep
# filters out the vDSO and the dynamic linker (which never appear
# as `=> /...`).
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true
done
# ---- DEBIAN/control --------------------------------------------------
# Minimum metadata dpkg requires. The .deb bundles every shared library
# nginx links against (see the ldd loop above), so the only Depends we
# declare is libjemalloc2 — the systemd unit LD_PRELOADs it for the
# nginx workers; without it, the unit would fail to start.
sudo mkdir -p "${DEB_DIR}"
sudo tee "${DEB_DIR}/control" >/dev/null <<EOF
Package: ${PKG_NAME}
Version: ${VERSION}
Section: base
Priority: optional
Architecture: ${ARCH}
Depends: libjemalloc2
Maintainer: Julio <me@julio.al>
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
EOF
# ---- DEBIAN/postinst -------------------------------------------------
# Runs after dpkg unpacks the files. Designed to be safe to re-run:
# `apt install --reinstall twiy` and `apt upgrade twiy` both invoke
# this script and must not fail.
#
# Every step that may legitimately fail on a re-run (user already
# exists, service already enabled, host has no systemd, etc.) ends
# in `|| true`, and we `exit 0` explicitly so a flaky systemctl
# never aborts a dpkg transaction.
sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
#!/bin/bash
# Idempotent: safe on first install, upgrade, and reinstall.
# System user nginx workers run as. -r = system account (no aging,
# UID below SYS_UID_MAX), no shell, home set to nginx's prefix.
useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
# nginx was compiled without --http-*-temp-path, so it defaults to
# <prefix>/<name> (/usr/local/nginx/client_body_temp etc.). The dirs
# already ship in the .deb, but `install -d` is the cleanest way to
# set owner/group/mode in one shot and is a no-op when the dir
# already exists with the right attributes.
install -d -o nginx -g nginx -m 0755 \
/usr/local/nginx \
/usr/local/nginx/client_body_temp \
/usr/local/nginx/proxy_temp \
/usr/local/nginx/fastcgi_temp \
/usr/local/nginx/uwsgi_temp \
/usr/local/nginx/scgi_temp \
/var/log/nginx
# Recursive chown picks up any user-supplied configs already under
# /nginx (vhosts, certs) so reloads don't trip on permissions.
chown -R nginx:nginx /var/log/nginx /nginx /usr/local/nginx 2>/dev/null || true
# Refresh systemd's view of unit files we just dropped, then bring
# the service up. `restart` (rather than `start`) handles the case
# where a previous broken install left the unit failed.
systemctl daemon-reload 2>/dev/null || true
systemctl enable nginx.service 2>/dev/null || true
systemctl restart nginx.service 2>/dev/null || true
exit 0
EOF
sudo chmod 755 "${DEB_DIR}/postinst"
# Build the .deb and hand ownership back to the runner user so the
# next step can read it without sudo.
sudo dpkg-deb --build "${PKG_DIR}"
DEB_FILE="${PKG_DIR}.deb"
sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"
{
echo "deb_file=${DEB_FILE}"
echo "version=${VERSION}"
echo "pkg_name=${PKG_NAME}"
} >> "$GITHUB_OUTPUT"
ls -la "${DEB_FILE}"
sha256sum "${DEB_FILE}"
# ─────────────────────────────────────────────────────────────────────────
# Publish the built .deb to a Sonatype Nexus apt-hosted repository.
#
# Threat model for this step (the workflow file is public):
# * Credentials come exclusively from repository secrets, never source.
# * Credentials must never appear in argv (visible via /proc/<pid>/cmdline
# to any local user) or in the runner's persistent filesystem.
# * If the job is cancelled or killed, secrets must still be wiped.
#
# To run this in your own fork, set four repository secrets:
# NEXUS_USER — Nexus account with write access to the apt repo
# NEXUS_PASS — its password (or token)
# NEXUS_URL — base URL, e.g. https://apt.example.com
# NEXUS_REPO — the apt-hosted repository name in Nexus
# ─────────────────────────────────────────────────────────────────────────
- name: Publish to Nexus
env:
NEXUS_USER: ${{ secrets.NEXUS_USER }}
NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
run: |
set -euo pipefail
umask 077 # any file we create is rw for us only
# ---- Secret-handling scratch dir ------------------------------------
# /dev/shm is tmpfs (RAM-backed). Even if the runner's disk is later
# imaged or recovered, secrets written here never touch persistent
# storage. Fall back to /tmp on minimal images that lack /dev/shm.
SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
|| mktemp -d -t twiy-XXXXXXXX)"
chmod 700 "$SECDIR"
# Trap covers normal exit, errors (set -e), and the common cancellation
# signals Gitea / GitHub send when a job is cancelled or times out.
# `shred -uz` overwrites then unlinks; on tmpfs the overwrite is mostly
# symbolic, but it's free defence-in-depth in case /dev/shm wasn't
# available and we fell back to a disk-backed /tmp.
cleanup() {
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT INT TERM HUP
# ---- Build the netrc -------------------------------------------------
# Why netrc and not `curl -u user:pass`:
# - `-u` puts the password in argv; any local user can read it from
# /proc/<pid>/cmdline while the curl is in flight.
# - netrc is a 0600 file curl reads itself; the password never
# appears on a command line.
# Why `printf` (a bash builtin): builtins don't fork an external
# process, so the password is never an argv to any executable.
# The host string in netrc must match the URL host exactly, so we
# derive it from $NEXUS_URL rather than hardcoding it — this lets
# forks reuse the workflow without editing it.
NEXUS_HOST="$(printf '%s' "$NEXUS_URL" | awk -F/ '{print $3}')"
printf 'machine %s login %s password %s\n' \
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
# Drop the in-memory copies now that the file is the source of truth.
unset NEXUS_USER NEXUS_PASS
# ---- Replace any prior version of this package -----------------------
# Nexus's apt-hosted format keeps every uploaded .deb forever unless we
# explicitly delete the old component. Without this, the repo grows
# unboundedly and `apt` may pick a stale version. Best-effort: a
# missing prior component is not an error.
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$PKG_NAME" python3 -c '
import sys, json, os
for c in json.load(sys.stdin).get("items", []):
if c.get("name") == os.environ["PKG_NAME"]:
print(c["id"]); break
' || true)"
if [ -n "$OLD_ID" ]; then
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
fi
# ---- Upload the new .deb --------------------------------------------
# Body goes to a file inside SECDIR so the trap shreds it too — Nexus
# error responses sometimes echo request metadata we'd rather not
# leave on disk.
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
-o "$SECDIR/upload.body" -w '%{http_code}' \
-X POST -F "apt.asset=@$DEB_FILE" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
case "$HTTP" in
201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
*) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
esac
# ---- Why we don't sign each .deb ourselves ---------------------------
# apt's trust chain on the client is:
# Release.gpg → Packages (verified by SHA256 in Release)
# → the .deb (verified by SHA256 in Packages)
# Signing the Release file is enough; per-.deb signatures are not
# consulted by apt during install. Nexus signs Release on every
# upload using a key bound at repo-creation time, and that private
# key never leaves the Nexus host — so we deliberately keep all
# signing material off the CI runner.
.github/workflows/docker-image.yml
-18
View File
@@ -1,18 +0,0 @@
name: BobTheBuilder
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
.gitignore
+10
View File
@@ -0,0 +1,10 @@
.claude/
.codex
.env
.creds
.workers
.local
Dockerfile
docker-compose.yaml
docker-compose.yml
PENDING_*.md
Dockerfile
-69
View File
@@ -1,69 +0,0 @@
# Ubuntu 22.04 image with lua/modsecurity lib, required deps and resty core scripts.
FROM theraw/the-world-is-yours:ubuntu2204-base
ARG NGINX="1.22.1"
ARG JAMMY_VERSION_NGINX="1.22.1"
ARG JAMMY_VERSION_LUA="2.1-20220915"
ARG JAMMY_VERSION_NGX_LUA="0.10.22"
ARG JAMMY_VERSION_NGX_RESTY_CORE="0.1.24"
ARG JAMMY_VERSION_NGX_RESTY_LRUCACHE="0.13"
ARG JAMMY_VERSION_NGX_MODSECURITY="3.0.8"
ARG JAMMY_PCRE="10.42"
ARG JAMMY_OPENSSL="3.0.2"
ARG JAMMY_ZLIB="1.2.13"
ARG LUA_SCRIPTS="/usr/twiylua/"
ARG NGX_DEVEL_KIT="0.3.2"
ARG NGX_PAGESPEED="1.13.35.2"
ARG NGX_PAGESPEED_PSOL="1.13.35.2-x64"
ARG NGX_GEOIP2="3.4"
ARG NGX_MODSECURITY="1.0.3"
ARG NGX_HTTP_FLV="1.2.10"
ARG NGX_HEADERS_MORE="0.34"
ARG NGX_LUA="0.10.22"
ARG NGX_SET_MISC="0.33"
RUN apt-get update; apt-get install supervisor make cmake automake autoconf unzip -y; cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz; cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz; cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh; cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz; cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz; cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz; cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz; cd /opt/ && wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz && tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz && rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz && cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
RUN cd /opt/nginx-${JAMMY_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
RUN cd /opt/nginx-${JAMMY_VERSION_NGINX} && make -j`nproc` && make install; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /lib/systemd/system/nginx.service; rm -Rf /nginx/*.default; useradd nginx && usermod -s /bin/false nginx; mkdir -p /nginx/modules && mkdir -p /tmp && cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/heads/master.zip; unzip master.zip; rm -Rf master.zip; cp -a /tmp/The-World-Is-Yours-master/static/Jammy/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-master; mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf; curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.conf > /nginx/nginx.conf; mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default; mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html; mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/docker/supervisord.conf > /etc/supervisor/supervisord.conf
CMD /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
README.md
+68 -32
View File
@@ -1,38 +1,51 @@
# Nginx L7 DDoS Protection! :boom: :zap: [![Docker Image CI](https://github.com/theraw/The-World-Is-Yours/workflows/BobTheBuilder/badge.svg?branch=master)](https://github.com/theraw/The-World-Is-Yours/actions/workflows/docker-image.yml) # Nginx L7 DDoS Protection! :boom: :zap:
Now easier then before, you will have to compile only Nginx, Rest of modules come pre-compiled.
![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif) ![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
- [x] Support Ubuntu 20.04. - [x] Debian 13 (trixie) supported
- [x] Support Ubuntu 22.04.1 - [x] nginx 1.30.0
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
-- Security Dynamic Modules. ## Easy install
- [x] ModSecurity Support. ```bash
- [x] Naxsi Support. sudo install -d /etc/apt/keyrings
- [x] Lua Support. sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
- [x] Cookie Based Challenge. -o /etc/apt/keyrings/raweb.asc
- [x] [MOD LIST X Ubuntu 20.04](https://github.com/theraw/The-World-Is-Yours/tree/master/static/Focal/mod)
- [x] [MOD LIST X Ubuntu 22.04](https://github.com/theraw/The-World-Is-Yours/tree/master/static/Jammy/mod)
- [x] [Versions](https://github.com/theraw/The-World-Is-Yours/blob/master/version)
How do these 3 modules work together? L7 will block all or most of bots, ModSecurity and Naxsi take priority over cookie challenge!
So if its a offensive request that Modsecurity or Naxsi detect it as such then these 2 will deal with that request otherwise cookie challenge will appear.
## INSTALLATION echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
| sudo tee /etc/apt/sources.list.d/raweb.list
1. **`apt-get update; apt-get -y install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc tar`** sudo apt update && sudo apt install twiy
```
2. **`curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/install > install; bash install`** ## Compile from source
```bash
apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
## OR RUN IN DOCKER bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix
```
1. **`git clone https://github.com/theraw/The-World-Is-Yours.git; cd The-World-Is-Yours`** If you want to try with a custom nginx version then, open `version` file and change versions then run
```bash
2. **`docker build -t mybuild .`** bash build/run.sh new
bash build/run.sh build
3. **`docker run -d mybuild`** ```
## CLI Info
```
bash build/run.sh new => Download all modules + nginx that are missing from /opt/. (If you make version changes to 'version' file then simply rerun this to download again)
bash build/run.sh build => This is going to simply compile nginx nothing else. (You can run this as many times as you need, its not going to replace configs)
bash build/run.sh postfix => This will redownload /nginx/nginx.conf everytime you run it. (Suggested to run only once when you install nginx via my repo for first time)
```
## Basic info. ## Nginx info.
``` ```
=> Nginx Folder = /nginx/ => Nginx Folder = /nginx/
@@ -43,19 +56,42 @@ So if its a offensive request that Modsecurity or Naxsi detect it as such then t
=> --sbin-path = /usr/sbin/nginx => --sbin-path = /usr/sbin/nginx
=> --error-log-path = /var/log/nginx/error.log => --error-log-path = /var/log/nginx/error.log
LUA RESTY CORE SCRIPTS = /usr/twiylua/ LUA RESTY CORE SCRIPTS = /usr/nginx_lua
// YOUR NGINX IS LOCATED AT /nginx NOT /etc/nginx
``` ```
## How to install lua scripts
```
. /root/The-World-Is-Yours/version
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```
## Performance
### vs. vanilla nginx (same version, default config)
| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+515%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| Static file throughput | **25×** | baseline | `open_file_cache` (off by default in vanilla) |
| TLS resumed handshakes | **~10× CPU saving** | baseline | 200 MB shared session cache vs none |
| Per-handshake latency (cold) | **50200 ms p95** | baseline | OCSP stapling on by default |
| Compressed-text bandwidth | **60 to 80%** | unchanged | brotli + gzip enabled in `http {}` |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |
# Support options.
- No free support for how to do things, please don't spam with questions in discord.
- Free support for installation related errors only, is included.
- Business inquiries, regarding anti-ddos protection or other security/optimization concerns you can contact me on : raw@dopehosting.net
## KEEP IN MIND!
1. You're trading perfomance for security.
2. If your server provider does not have anti-ddos your IPTABLES will fail to keep the bans, and your server may be offline in cases of big attacks.
3. This is not a script that with one command your ddos problem is fixed, there's no such thing for L7 attacks as they change and new methods come out very often and no one has any ideas where your server is lacking security so this script is a basic thing more advanced protection require knowledge, monitoring logs, and applying filters in order to automatically ban attackers, this project is suggested to run with fail2ban + iptables.
## Contributors ## Contributors
Feel free to submit a pull request.
Special thanks to the following contributors: Special thanks to the following contributors:
<!-- prettier-ignore-start --> <!-- prettier-ignore-start -->
build/run.sh
+395
View File
@@ -0,0 +1,395 @@
. ./version
set -e
function reqs() {
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata dialog
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 -y
mkdir -p $LUA_SCRIPTS
}
function clean_install() {
mkdir -p /opt/mod
# Nginx
if [ ! -d /opt/nginx-${NGINX} ]; then
cd /opt/ && wget https://nginx.org/download/nginx-${NGINX}.tar.gz
tar xf nginx-${NGINX}.tar.gz && rm -Rf nginx-${NGINX}.tar.gz
fi
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# ZLIB
if [ ! -d /opt/mod/zlib ]; then
cd /opt/mod && wget http://zlib.net/current/zlib.tar.gz
cd /opt/mod && tar xf zlib.tar.gz; rm -Rf zlib.tar.gz; mv zlib-* zlib
fi
# SYSTEM_LUAJIT
if [ ! -d /opt/mod/luajit2-${SYSTEM_LUAJIT} ]; then
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${SYSTEM_LUAJIT}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_LUAJIT}.tar.gz && rm -Rf v${SYSTEM_LUAJIT}.tar.gz
if [ ! -d /usr/local/LuaJIT/include/luajit-2.1 ]; then
cd /opt/mod/luajit2-${SYSTEM_LUAJIT}/ && make clean && make install PREFIX=/usr/local/LuaJIT && ldconfig
# apt-get -y install liblua5.1-0-dev; apt-get -y install luarocks; luarocks install lua-resty-core
fi
fi
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
fi
# LibInjection
if [ ! -d /opt/mod/libinjection ]; then
cd /opt/mod && git clone https://github.com/libinjection/libinjection.git
cd /opt/mod/libinjection && ./autogen.sh && ./configure && make -j`nproc` && make install
fi
# END OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# START OF NGINX MODULES
# ============================================================================================================
# NGX_MOD_LUA
if [ ! -d /opt/mod/lua-nginx-module-${NGX_MOD_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
if [ ! -d /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-mysql/archive/refs/tags/v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_MYSQL}.tar.gz; rm -Rf v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_SRCACHE
if [ ! -d /opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/srcache-nginx-module/archive/refs/tags/v${NGX_MOD_LUA_SRCACHE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_SRCACHE}.tar.gz; rm -Rf v${NGX_MOD_LUA_SRCACHE}.tar.gz
fi
# NGX_MOD_LUA_REDIS2
if [ ! -d /opt/mod/redis2-nginx-module ]; then
cd /opt/mod/; git clone --recursive https://github.com/openresty/redis2-nginx-module.git
fi
# NGX_MOD_LUA_LOCK 0.09
if [ ! -d /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lock/archive/refs/tags/v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_LOCK}.tar.gz; rm -Rf v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_CACHE
if [ ! -d /opt/mod/lua-resty-cache ]; then
cd /opt/mod/; git clone --branch feature-srcache --recursive https://github.com/lloydzhou/lua-resty-cache
cd /opt/mod/lua-resty-cache && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_DEVELKIT
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_MOD_DEVELKIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_DEVELKIT}.tar.gz; rm -Rf v${NGX_MOD_DEVELKIT}.tar.gz
fi
# NGX_MOD_GEOIP2
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_MOD_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_GEOIP2}.tar.gz; rm -Rf ${NGX_MOD_GEOIP2}.tar.gz
fi
# NGX_MOD_MODSECURITY
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MOD_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_MODSECURITY}.tar.gz; rm -Rf v${NGX_MOD_MODSECURITY}.tar.gz
fi
# NGX_MOD_HTTPFLV
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_MOD_HTTPFLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HTTPFLV}.tar.gz; rm -Rf v${NGX_MOD_HTTPFLV}.tar.gz
fi
# NGX_MOD_HEADERS_MORE
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_MOD_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_MOD_HEADERS_MORE}.tar.gz
fi
# NGX_MOD_SETMISC
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_MOD_SETMISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_SETMISC}.tar.gz; rm -Rf v${NGX_MOD_SETMISC}.tar.gz
fi
# Testcookie
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
# Brotli
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
# Naxsi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
test_nginx() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
make clean
}
function build() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
unset NGINX
}
function post_build() {
useradd nginx; unset NGINX; rm -rf /nginx/*.default;
mkdir -p /nginx/live
mkdir -p /nginx/conf.d
mkdir -p /nginx/config
mkdir -p /var/log/nginx
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/nginx.conf > /nginx/nginx.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
echo "Skipping systemctl commands on GitHub runner"
mkdir -p /etc/systemd/system/
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /etc/systemd/system/nginx.service
else
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /etc/systemd/system/nginx.service
systemctl daemon-reload
systemctl start nginx.service
systemctl enable nginx.service
fi
}
# Handling command-line arguments
case "$1" in
new)
reqs
clean_install
;;
test)
test_nginx
;;
build)
build
;;
postfix)
post_build
;;
*)
echo "Invalid option: $1"
echo "Usage: $0 {new|test|build|postfix}"
echo ""
echo " new: will download all modules & nginx (if you change a version from file, simply rerun this to download that)"
echo " test: Test nginx configuration"
echo " build: Build nginx, or Rebuild (mods/configs will not be redownloaded this will only build)"
echo " postfix: After first installation, run this to download nginx configs (it will replace nginx.conf if there already is one)"
exit 1
;;
esac
install
-297
View File
@@ -1,297 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
case "`grep DISTRIB_CODENAME /etc/*-release | awk -F '=' '{print $2}'`" in
focal)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "Maybe you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You can wipe old installation by executing!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means you already got nginx up and running!"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "DETECTED '/opt/nginx/'"
echo "Maybe script has already been used you need to start clean!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.2-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev -y
mkdir -p /opt/mod/
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${FOCAL_VERSION_LUA}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_LUA}.tar.gz && rm -Rf v${FOCAL_VERSION_LUA}.tar.gz
cd /opt/mod/luajit2-${FOCAL_VERSION_LUA}/ && make install PREFIX=/usr/local/LuaJIT && ldconfig
rm -Rf /opt/mod/luajit2-${FOCAL_VERSION_LUA}/
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${FOCAL_VERSION_NGX_MODSECURITY}/modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod/modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY} && ./configure && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz && rm -Rf v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod/lua-resty-core-${FOCAL_VERSION_NGX_RESTY_CORE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz && rm -Rf v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${FOCAL_VERSION_NGX_RESTY_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${FOCAL_PCRE}.tar.gz; rm -Rf pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./autogen.sh
#cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./configure --prefix=/usr/local/pcre2_${FOCAL_PCRE} && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_${FOCAL_OPENSSL}.tar.gz
cd /opt/mod && tar xf OpenSSL_${FOCAL_OPENSSL}.tar.gz; rm -Rf OpenSSL_${FOCAL_OPENSSL}.tar.gz
#cd /opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} && ./config --prefix=/usr/local/openssl_${FOCAL_OPENSSL} && make -j`nproc` && make install
cd /opt/mod && wget http://zlib.net/zlib-${FOCAL_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${FOCAL_ZLIB}.tar.gz; rm -Rf zlib-${FOCAL_ZLIB}.tar.gz
#cd /opt/mod/zlib-${FOCAL_ZLIB} && ./configure --prefix=/usr/local/zlib-${FOCAL_ZLIB} && make -j`nproc` && make install
# Nginx
cd /opt/ && wget https://nginx.org/download/nginx-${FOCAL_VERSION_NGINX}.tar.gz && tar xf nginx-${FOCAL_VERSION_NGINX}.tar.gz && rm -Rf nginx-${FOCAL_VERSION_NGINX}.tar.gz
cd /opt/nginx-${FOCAL_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${FOCAL_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${FOCAL_PCRE} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
cd /opt/nginx-${FOCAL_VERSION_NGINX} && make -j`nproc`
cd /opt/nginx-${FOCAL_VERSION_NGINX} && make install
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Focal/nginx.service > /lib/systemd/system/nginx.service
rm -Rf /nginx/*.default
# Download Dynamic Modules
mkdir -p /nginx/modules; mkdir -p /tmp
cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/heads/master.zip; unzip master.zip; rm -Rf master.zip; cp -a /tmp/The-World-Is-Yours-master/static/Focal/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-master
# Fixes
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Focal/nginx.conf > /nginx/nginx.conf
mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
# Start
unset NGINX
killall nginx
useradd nginx && usermod -s /bin/false nginx
systemctl enable nginx
systemctl daemon-reload
systemctl enable nginx
systemctl stop nginx
systemctl start nginx
;;
jammy)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You wipe old installation by executing!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "DETECTED '/opt/nginx/'"
echo "Maybe script has already been used you need to start clean!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.2-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev -y
mkdir -p /opt/mod/
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${JAMMY_VERSION_LUA}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_LUA}.tar.gz && rm -Rf v${JAMMY_VERSION_LUA}.tar.gz
cd /opt/mod/luajit2-${JAMMY_VERSION_LUA}/ && make install PREFIX=/usr/local/LuaJIT && ldconfig
rm -Rf /opt/mod/luajit2-${JAMMY_VERSION_LUA}/
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${JAMMY_VERSION_NGX_MODSECURITY}/modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod/modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY} && ./configure && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz && rm -Rf v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod/lua-resty-core-${JAMMY_VERSION_NGX_RESTY_CORE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz && rm -Rf v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${JAMMY_VERSION_NGX_RESTY_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh
#cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./configure --prefix=/usr/local/pcre2_${JAMMY_PCRE} && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz
cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz
#cd /opt/mod/openssl-OpenSSL_${JAMMY_OPENSSL} && ./config --prefix=/usr/local/openssl_${JAMMY_OPENSSL} && make -j`nproc` && make install
cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz
#cd /opt/mod/zlib-${JAMMY_ZLIB} && ./configure --prefix=/usr/local/zlib-${JAMMY_ZLIB} && make -j`nproc` && make install
# Nginx
cd /opt/ && wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz && tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz && rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz
cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${JAMMY_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
cd /opt/nginx-${JAMMY_VERSION_NGINX} && make -j`nproc`
cd /opt/nginx-${JAMMY_VERSION_NGINX} && make install
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /lib/systemd/system/nginx.service
rm -Rf /nginx/*.default
# Download Dynamic Modules
mkdir -p /nginx/modules; mkdir -p /tmp
cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/heads/master.zip; unzip master.zip; rm -Rf master.zip; cp -a /tmp/The-World-Is-Yours-master/static/Jammy/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-master
# Fixes
mkdir -p /nginx/modsec
curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.conf > /nginx/nginx.conf
mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
# Start
unset NGINX
killall nginx
useradd nginx && usermod -s /bin/false nginx
systemctl enable nginx
systemctl daemon-reload
systemctl enable nginx
systemctl stop nginx
systemctl start nginx
;;
esac
static/Focal/mod/Builder.sh
-177
View File
@@ -1,177 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
sudo apt-get install libpcre2-dev mercurial -y; mkdir -p /opt/mod
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_DEVEL_KIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_DEVEL_KIT}.tar.gz; rm -Rf v${NGX_DEVEL_KIT}.tar.gz
fi
if [ ! -d /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable ]; then
cd /opt/mod/; wget https://github.com/apache/incubator-pagespeed-ngx/archive/refs/tags/v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/; tar xf v${NGX_PAGESPEED}-stable.tar.gz; rm -Rf v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable; wget https://dl.google.com/dl/page-speed/psol/${NGX_PAGESPEED_PSOL}.tar.gz; tar xf ${NGX_PAGESPEED_PSOL}.tar.gz; rm -Rf tar xf ${NGX_PAGESPEED_PSOL}.tar.gz
fi
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_GEOIP2}.tar.gz; rm -Rf ${NGX_GEOIP2}.tar.gz
fi
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MODSECURITY}.tar.gz; rm -Rf v${NGX_MODSECURITY}.tar.gz
fi
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_HTTP_FLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_HTTP_FLV}.tar.gz; rm -Rf v${NGX_HTTP_FLV}.tar.gz
fi
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_HEADERS_MORE}.tar.gz
fi
if [ ! -d /opt/mod/lua-nginx-module-${NGX_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_LUA}.tar.gz; rm -Rf v${NGX_LUA}.tar.gz
fi
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_SET_MISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_SET_MISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_SET_MISC}.tar.gz; rm -Rf v${NGX_SET_MISC}.tar.gz
fi
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
if [ ! -d /opt/mod/pcre2-pcre2-${FOCAL_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${FOCAL_PCRE}.tar.gz; rm -Rf pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./autogen.sh
fi
if [ ! -d /opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} ]; then
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_${FOCAL_OPENSSL}.tar.gz
cd /opt/mod && tar xf OpenSSL_${FOCAL_OPENSSL}.tar.gz; rm -Rf OpenSSL_${FOCAL_OPENSSL}.tar.gz
fi
if [ ! -d /opt/mod/zlib-${FOCAL_ZLIB} ]; then
cd /opt/mod && wget http://zlib.net/zlib-${FOCAL_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${FOCAL_ZLIB}.tar.gz; rm -Rf zlib-${FOCAL_ZLIB}.tar.gz
fi
rm -Rf /opt/nginx-${FOCAL_VERSION_NGINX}; cd /opt/; wget https://nginx.org/download/nginx-${FOCAL_VERSION_NGINX}.tar.gz; tar xf nginx-${FOCAL_VERSION_NGINX}.tar.gz; rm -Rf nginx-${FOCAL_VERSION_NGINX}.tar.gz
cd /opt/nginx-${FOCAL_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${FOCAL_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${FOCAL_PCRE} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} \
--add-dynamic-module=/opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} \
--add-dynamic-module=/opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable \
--add-dynamic-module=/opt/mod/naxsi/naxsi_src \
--add-dynamic-module=/opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} \
--add-dynamic-module=/opt/mod/ngx_brotli \
--add-dynamic-module=/opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} \
--add-dynamic-module=/opt/mod/set-misc-nginx-module-${NGX_SET_MISC} \
--add-dynamic-module=/opt/mod/testcookie
make -j`nproc` modules
rm -Rf /nginx/modules/*.so; cp /opt/nginx-${FOCAL_VERSION_NGINX}/objs/*.so /nginx/modules/
cd /opt/nginx-${FOCAL_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -lpcre" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/lua-nginx-module-${NGX_LUA}
make -j`nproc` modules
cp /opt/nginx-${FOCAL_VERSION_NGINX}/objs/*.so /nginx/modules/
static/Focal/mod/ndk_http_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_brotli_filter_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_brotli_static_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_flv_live_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_geoip2_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_headers_more_filter_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_lua_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_modsecurity_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_naxsi_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_set_misc_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_testcookie_access_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_pagespeed.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_stream_geoip2_module.so
BIN
View File
Binary file not shown.
static/Focal/nginx.conf
-81
View File
@@ -1,81 +0,0 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
load_module /nginx/modules/ndk_http_module.so;
load_module /nginx/modules/ngx_http_lua_module.so;
load_module /nginx/modules/ngx_http_naxsi_module.so;
load_module /nginx/modules/ngx_http_modsecurity_module.so;
load_module /nginx/modules/ngx_http_testcookie_access_module.so;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== LOAD LUA ========================= #
lua_package_path "/usr/twiylua/lib/lua/?.lua;;";
# =================== END LUA ========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 15s;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
# ////////////////////////////////////////////////////// #
}
static/Jammy/mod/Builder.sh
-177
View File
@@ -1,177 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
sudo apt-get install libpcre2-dev mercurial -y; mkdir -p /opt/mod
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_DEVEL_KIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_DEVEL_KIT}.tar.gz; rm -Rf v${NGX_DEVEL_KIT}.tar.gz
fi
if [ ! -d /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable ]; then
cd /opt/mod/; wget https://github.com/apache/incubator-pagespeed-ngx/archive/refs/tags/v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/; tar xf v${NGX_PAGESPEED}-stable.tar.gz; rm -Rf v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable; wget https://dl.google.com/dl/page-speed/psol/${NGX_PAGESPEED_PSOL}.tar.gz; tar xf ${NGX_PAGESPEED_PSOL}.tar.gz; rm -Rf tar xf ${NGX_PAGESPEED_PSOL}.tar.gz
fi
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_GEOIP2}.tar.gz; rm -Rf ${NGX_GEOIP2}.tar.gz
fi
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MODSECURITY}.tar.gz; rm -Rf v${NGX_MODSECURITY}.tar.gz
fi
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_HTTP_FLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_HTTP_FLV}.tar.gz; rm -Rf v${NGX_HTTP_FLV}.tar.gz
fi
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_HEADERS_MORE}.tar.gz
fi
if [ ! -d /opt/mod/lua-nginx-module-${NGX_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_LUA}.tar.gz; rm -Rf v${NGX_LUA}.tar.gz
fi
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_SET_MISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_SET_MISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_SET_MISC}.tar.gz; rm -Rf v${NGX_SET_MISC}.tar.gz
fi
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
if [ ! -d /opt/mod/pcre2-pcre2-${JAMMY_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh
fi
if [ ! -d /opt/mod/openssl-openssl-${JAMMY_OPENSSL} ]; then
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz
cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz
fi
if [ ! -d /opt/mod/zlib-${JAMMY_ZLIB} ]; then
cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz
fi
rm -Rf /opt/nginx-${JAMMY_VERSION_NGINX}; cd /opt/; wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz; tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz; rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz
cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${JAMMY_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} \
--add-dynamic-module=/opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} \
--add-dynamic-module=/opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable \
--add-dynamic-module=/opt/mod/naxsi/naxsi_src \
--add-dynamic-module=/opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} \
--add-dynamic-module=/opt/mod/ngx_brotli \
--add-dynamic-module=/opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} \
--add-dynamic-module=/opt/mod/set-misc-nginx-module-${NGX_SET_MISC} \
--add-dynamic-module=/opt/mod/testcookie
make -j`nproc` modules
rm -Rf /nginx/modules/*.so; cp /opt/nginx-${JAMMY_VERSION_NGINX}/objs/*.so /nginx/modules/
cd /opt/nginx-${JAMMY_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -lpcre" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/lua-nginx-module-${NGX_LUA}
make -j`nproc` modules
cp /opt/nginx-${JAMMY_VERSION_NGINX}/objs/*.so /nginx/modules/
static/Jammy/mod/ndk_http_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_brotli_filter_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_brotli_static_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_flv_live_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_geoip2_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_headers_more_filter_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_lua_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_modsecurity_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_naxsi_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_set_misc_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_testcookie_access_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_pagespeed.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_stream_geoip2_module.so
BIN
View File
Binary file not shown.
static/Jammy/nginx.conf
-81
View File
@@ -1,81 +0,0 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
load_module /nginx/modules/ndk_http_module.so;
load_module /nginx/modules/ngx_http_lua_module.so;
load_module /nginx/modules/ngx_http_naxsi_module.so;
load_module /nginx/modules/ngx_http_modsecurity_module.so;
load_module /nginx/modules/ngx_http_testcookie_access_module.so;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== LOAD LUA ========================= #
lua_package_path "/usr/twiylua/lib/lua/?.lua;;";
# =================== END LUA ========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 15s;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
# ////////////////////////////////////////////////////// #
}
static/Jammy/nginx.service
+9 -4
View File
@@ -1,16 +1,21 @@
[Nginx] [Unit]
Description=A high performance web server and a reverse proxy server Description=A high performance web server and a reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
Type=forking Type=forking
PIDFile=/var/run/nginx.pid PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true PrivateTmp=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
static/index.html
+1 -1
View File
@@ -1,5 +1,5 @@
<html> <html>
<center><h1>NGINX-AS-WEB-FIREWALL Default Page!?</h1></center> <center><h1>Congratulations</h1></center>
<center><h2>If you can see this that means your installation was successful!</h2></center> <center><h2>If you can see this that means your installation was successful!</h2></center>
<center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center> <center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center>
</html> </html>
static/default → static/nginx/live/default
+9 -1
View File
@@ -22,10 +22,18 @@
index index.html index.htm; index index.html index.htm;
} }
location /lua-test {
default_type 'text/plain';
content_by_lua_block {
ngx.say('Hello, world!')
}
}
location /denied/ { location /denied/ {
return 403; return 403;
} }
#error_page 404 /404.html; #error_page 404 /404.html;
# redirect server error pages to the static page /50x.html # redirect server error pages to the static page /50x.html
static/nginx/nginx.conf
+108
View File
@@ -0,0 +1,108 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
# file only contains the global event/http settings.
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# =================== LOAD LUA ========================= #
lua_package_path "/usr/nginx_lua/lib/lua/?.lua;;";
lua_package_cpath "/usr/nginx_lua/lib/lua/5.1/?.so;;";
# =================== END LUA ========================== #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ===================== LOGS =========================== #
log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $upstream_cache_status | A: $http_user_agent';
# =================== END LOGS ========================= #
# ==================== GENERAL ========================= #
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_body_buffer_size 16k;
client_max_body_size 2M;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
reset_timedout_connection on;
keepalive_timeout 65s;
keepalive_requests 2000;
max_headers 100;
port_in_redirect off;
sendfile on;
sendfile_max_chunk 1m;
tcp_nodelay on;
tcp_nopush on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_bucket_size 128;
server_names_hash_max_size 32768;
types_hash_max_size 4096;
# File metadata cache — biggest single win for static-heavy shared hosting.
open_file_cache max=200000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ===================== TLS ============================ #
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:200m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# ===================== END TLS ======================== #
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
default_type application/octet-stream;
include /nginx/mime.types;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# ==================== COMPRESSION ===================== #
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
brotli on;
brotli_comp_level 4;
brotli_min_length 256;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
zstd on;
zstd_comp_level 4;
zstd_min_length 256;
zstd_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
# =================== END COMPRESSION ================== #
# =================== END GENERAL ====================== #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include conf.d/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
}
version
+57 -31
View File
@@ -1,34 +1,60 @@
#!/bin/bash export NGINX="1.30.0"
#unless custom use default
export NGINX="1.22.1"
export LUA_SCRIPTS="/usr/twiylua/"
export FOCAL_VERSION_NGINX="1.22.1" # Lua Path
export FOCAL_VERSION_LUA="2.1-20220915" export LUA_SCRIPTS="/usr/nginx_lua"
export FOCAL_VERSION_NGX_LUA="0.10.22"
export FOCAL_VERSION_NGX_RESTY_CORE="0.1.24"
export FOCAL_VERSION_NGX_RESTY_LRUCACHE="0.13"
export FOCAL_VERSION_NGX_MODSECURITY="3.0.8"
export FOCAL_PCRE="10.42"
export FOCAL_OPENSSL="1_1_1f"
export FOCAL_ZLIB="1.2.13"
export JAMMY_VERSION_NGINX="1.22.1" # https://github.com/openresty/lua-nginx-module/tags
export JAMMY_VERSION_LUA="2.1-20220915" export NGX_MOD_LUA="0.10.29"
export JAMMY_VERSION_NGX_LUA="0.10.22"
export JAMMY_VERSION_NGX_RESTY_CORE="0.1.24"
export JAMMY_VERSION_NGX_RESTY_LRUCACHE="0.13"
export JAMMY_VERSION_NGX_MODSECURITY="3.0.8"
export JAMMY_PCRE="10.42"
export JAMMY_OPENSSL="3.0.2"
export JAMMY_ZLIB="1.2.13"
export NGX_DEVEL_KIT="0.3.2" # https://github.com/vision5/ngx_devel_kit/tags
export NGX_PAGESPEED="1.13.35.2" export NGX_MOD_DEVELKIT="0.3.4"
export NGX_PAGESPEED_PSOL="1.13.35.2-x64"
export NGX_GEOIP2="3.4" # https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MODSECURITY="1.0.3" export NGX_MOD_GEOIP2="3.4"
export NGX_HTTP_FLV="1.2.10"
export NGX_HEADERS_MORE="0.34" # https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
export NGX_LUA="0.10.22" export NGX_MOD_MODSECURITY="1.0.4"
export NGX_SET_MISC="0.33"
# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.13"
# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.39"
# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"
# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"
# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.15"
# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20260311"
# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.47"
# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
export SYSTEM_AWSLC="1.72.0"
# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
export SYSTEM_MODSECURITY="3.0.12"
# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.29"
# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"
# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"
# https://github.com/tokers/zstd-nginx-module/tags
# Zstandard compression module. Chrome 123+ and Firefox 126+ send
# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
export NGX_MOD_ZSTD="0.1.1"