theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: theraw/The-World-Is-Yours:pcre-fix
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1
...
compare: theraw/The-World-Is-Yours:198d34766cfab148768a5a7212335922940e06b8
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1

95 Commits
pcre-fix ... 198d34766c

Author SHA1 Message Date
root 198d34766c Ubuntu 26.04
build-and-publish / build (debian:13, NEXUS_REPO_TRIXIE, trixie) (push) Failing after 5s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_REPO_RACCOON, raccoon) (push) Failing after 5s
Details
2026-04-26 04:16:58 +00:00
root 0888f0ef83 ubuntu 26.04 2026-04-26 04:15:12 +00:00
root 0db40af760 2026
build-and-publish / build (push) Successful in 3m18s
Details
2026-04-26 01:52:34 +00:00
root 6689fd295b 2026
build-and-publish / build (push) Has been cancelled
Details
2026-04-26 01:38:39 +00:00
root 51b6eaa694 implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
build-and-publish / build (push) Successful in 3m18s
Details 
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
 2026-04-26 01:09:28 +00:00
root f703f1eaba cleanup
build-and-publish / build (push) Successful in 2m53s
Details
2026-04-25 23:29:29 +00:00
root aa7d66f142 Repo release
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:24:55 +00:00
claude 44efd905c5 ci: drop dpkg-sig per-deb signing (broken on modern .debs); rely on Nexus repo signing for apt trust chain
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:18:04 +00:00
claude e4d458b185 ci: harden secret handling — tmpfs in /dev/shm, file-based passphrase, netrc auth, EXIT trap
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 21:12:55 +00:00
claude f8a197dc49 ci: fix self-mv on deb path; drop stale .github workflow
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:02:20 +00:00
claude 72bc3fa999 ci: add Gitea Actions workflow to build and publish to apt.julio.al/raweb
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 20:57:11 +00:00
𝓙𝓾𝓵𝓲𝓸 e38493230a LUA not supported yet on latest version
Build and Publish NGINX / build (push) Failing after 3m11s
Details
2025-02-18 23:54:18 +01:00
𝓙𝓾𝓵𝓲𝓸 cfb2467782 Merge pull request #37 from theraw/ffs 
Ffs
 2025-02-10 22:52:27 +01:00
𝓙𝓾𝓵𝓲𝓸 e6f35b2a1f Update run.sh 2025-02-10 22:52:09 +01:00
𝓙𝓾𝓵𝓲𝓸 1f8f1149cb Update main.yml 2025-02-10 22:50:50 +01:00
𝓙𝓾𝓵𝓲𝓸 a92ad6e145 Update main.yml 2025-02-10 22:49:23 +01:00
𝓙𝓾𝓵𝓲𝓸 467546961f Update main.yml 2025-02-10 22:46:19 +01:00
𝓙𝓾𝓵𝓲𝓸 b3ae758a82 Update main.yml 2025-02-10 22:45:02 +01:00
𝓙𝓾𝓵𝓲𝓸 400d814e20 Merge pull request #36 from theraw/remove-debug 
Remove debug
 2025-02-10 22:33:32 +01:00
𝓙𝓾𝓵𝓲𝓸 79442acea9 Update main.yml 2025-02-10 22:33:16 +01:00
𝓙𝓾𝓵𝓲𝓸 b84df55970 Update run.sh 2025-02-10 22:32:56 +01:00
𝓙𝓾𝓵𝓲𝓸 cb5ae02ea2 Update main.yml 2025-02-10 22:31:56 +01:00
𝓙𝓾𝓵𝓲𝓸 7b91c32759 debug 2025-02-10 22:26:33 +01:00
𝓙𝓾𝓵𝓲𝓸 599fa32c67 Update run.sh 2025-02-10 21:58:41 +01:00
𝓙𝓾𝓵𝓲𝓸 32edbddf07 Update main.yml 2025-02-09 19:15:07 +01:00
𝓙𝓾𝓵𝓲𝓸 57f25ecac9 Update main.yml 2025-02-09 19:00:49 +01:00
𝓙𝓾𝓵𝓲𝓸 0c5f4b47b4 🤦‍♂️ 2025-02-09 18:43:08 +01:00
𝓙𝓾𝓵𝓲𝓸 710daf1475 Update run.sh 2025-02-09 18:26:42 +01:00
𝓙𝓾𝓵𝓲𝓸 de647fc401 Update version 2025-02-09 18:10:15 +01:00
𝓙𝓾𝓵𝓲𝓸 f1d0957af9 Update main.yml 2024-09-01 13:10:13 +02:00
𝓙𝓾𝓵𝓲𝓸 e15b9d88f1 Update README.md 2024-09-01 13:08:15 +02:00
𝓙𝓾𝓵𝓲𝓸 06624021d4 Merge pull request #33 from theraw/theraw-testrun 
Theraw testrun
 2024-09-01 11:40:01 +02:00
𝓙𝓾𝓵𝓲𝓸 7069b0e0d6 Update main.yml 2024-09-01 11:25:09 +02:00
𝓙𝓾𝓵𝓲𝓸 201e399361 Update main.yml 2024-09-01 11:06:05 +02:00
𝓙𝓾𝓵𝓲𝓸 4f745516cd Update main.yml 2024-09-01 06:20:03 +02:00
𝓙𝓾𝓵𝓲𝓸 b6c8c9ce96 Update main.yml 2024-09-01 06:04:42 +02:00
𝓙𝓾𝓵𝓲𝓸 ebcd3a4d8c Update main.yml 2024-09-01 05:39:08 +02:00
𝓙𝓾𝓵𝓲𝓸 cd68adb0cd Update main.yml 2024-09-01 05:18:26 +02:00
𝓙𝓾𝓵𝓲𝓸 c8c4db0388 Update main.yml 2024-09-01 05:16:38 +02:00
𝓙𝓾𝓵𝓲𝓸 14bc66eac3 Update main.yml 2024-09-01 05:15:02 +02:00
𝓙𝓾𝓵𝓲𝓸 2a57da27dd Update main.yml 2024-09-01 05:12:52 +02:00
𝓙𝓾𝓵𝓲𝓸 14a7a13738 Create main.yml 2024-09-01 05:11:13 +02:00
𝓙𝓾𝓵𝓲𝓸 9e70a9eab5 Delete .github/workflows/main.yml 2024-09-01 05:10:47 +02:00
𝓙𝓾𝓵𝓲𝓸 92e1440c03 Create main.yml 2024-09-01 05:08:54 +02:00
𝓙𝓾𝓵𝓲𝓸 caf9b67fcf Delete .github/workflows/main.yml 2024-09-01 05:07:52 +02:00
𝓙𝓾𝓵𝓲𝓸 ed3bc18f9a Update main.yml 2024-09-01 05:03:13 +02:00
𝓙𝓾𝓵𝓲𝓸 ceb2f81038 Update main.yml 2024-09-01 05:01:01 +02:00
𝓙𝓾𝓵𝓲𝓸 0016be8b72 Update main.yml 2024-09-01 04:58:40 +02:00
𝓙𝓾𝓵𝓲𝓸 648b594996 Create main.yml 2024-09-01 04:56:56 +02:00
𝓙𝓾𝓵𝓲𝓸 32185fd641 Update version 2024-09-01 04:05:43 +02:00
𝓙𝓾𝓵𝓲𝓸 4cab377b5b Update nginx.service 2024-07-02 17:45:40 +02:00
𝓙𝓾𝓵𝓲𝓸 6cf028078e Update README.md 2024-05-22 23:25:20 +02:00
𝓙𝓾𝓵𝓲𝓸 3ee649efd1 Update README.md 2024-05-22 05:18:14 +02:00
𝓙𝓾𝓵𝓲𝓸 41a757b5b7 Update version 2024-05-22 04:37:44 +02:00
𝓙𝓾𝓵𝓲𝓸 8737f183d1 Update nginx.conf 2024-05-22 04:37:29 +02:00
𝓙𝓾𝓵𝓲𝓸 6f09ea58df Update run.sh 2024-05-22 04:34:39 +02:00
𝓙𝓾𝓵𝓲𝓸 529020368a Merge pull request #31 from theraw/v2-1 
V2
 2024-05-22 03:03:10 +02:00
𝓙𝓾𝓵𝓲𝓸 2e5b7df4c8 Update README.md 2024-05-22 03:01:58 +02:00
𝓙𝓾𝓵𝓲𝓸 134c3048a2 Update README.md 2024-05-22 03:01:39 +02:00
𝓙𝓾𝓵𝓲𝓸 b1ca949b49 Delete .github/workflows/docker-image.yml 2024-05-22 03:01:19 +02:00
𝓙𝓾𝓵𝓲𝓸 3c15da3e35 Update run.sh 2024-05-22 00:58:20 +02:00
𝓙𝓾𝓵𝓲𝓸 6758448534 Create default 2024-05-22 00:55:28 +02:00
𝓙𝓾𝓵𝓲𝓸 fe6e4c6d0c Delete static/default 2024-05-22 00:54:42 +02:00
𝓙𝓾𝓵𝓲𝓸 432ebd3ad7 Create nginx.conf 2024-05-22 00:54:24 +02:00
𝓙𝓾𝓵𝓲𝓸 d31bd00544 Delete static/Jammy/nginx.conf 2024-05-22 00:49:32 +02:00
𝓙𝓾𝓵𝓲𝓸 ae40bb737a Delete static/Jammy/mod directory 2024-05-22 00:49:24 +02:00
𝓙𝓾𝓵𝓲𝓸 25de9e247f Delete static/Focal/nginx.conf 2024-05-22 00:49:10 +02:00
𝓙𝓾𝓵𝓲𝓸 068a11acf5 Delete static/Focal/mod directory 2024-05-22 00:48:57 +02:00
𝓙𝓾𝓵𝓲𝓸 46fd3f371d Update index.html 2024-05-22 00:46:58 +02:00
𝓙𝓾𝓵𝓲𝓸 444e23648f Update default 2024-05-22 00:45:57 +02:00
𝓙𝓾𝓵𝓲𝓸 142468583e Update README.md 2024-05-22 00:42:54 +02:00
𝓙𝓾𝓵𝓲𝓸 45a172fb6b Update README.md 2024-05-22 00:42:05 +02:00
𝓙𝓾𝓵𝓲𝓸 1bf7898bd5 Update README.md 2024-05-22 00:41:08 +02:00
𝓙𝓾𝓵𝓲𝓸 99fe8e8793 Update README.md 2024-05-22 00:40:00 +02:00
𝓙𝓾𝓵𝓲𝓸 b2c326ac59 Update README.md 2024-05-22 00:33:59 +02:00
𝓙𝓾𝓵𝓲𝓸 9c757704e7 Update version 2024-05-22 00:14:01 +02:00
𝓙𝓾𝓵𝓲𝓸 8238550971 Update version 2024-05-22 00:13:33 +02:00
𝓙𝓾𝓵𝓲𝓸 01244b0efb Update run.sh 2024-05-22 00:11:18 +02:00
𝓙𝓾𝓵𝓲𝓸 4bb4d34cba Update README.md 2024-05-20 05:37:38 +02:00
𝓙𝓾𝓵𝓲𝓸 c5264a37b4 Update README.md 2024-05-20 05:37:17 +02:00
𝓙𝓾𝓵𝓲𝓸 1d5989a07e Update run.sh 2024-05-20 05:36:48 +02:00
ƬHE ЯAW ☣ b447fcc76c Update README.md 2024-03-06 00:40:56 +01:00
ƬHE ЯAW ☣ 20c045dbeb Update version 2024-03-06 00:39:38 +01:00
ƬHE ЯAW ☣ b9f9b236a0 Delete install 2024-03-06 00:38:50 +01:00
ƬHE ЯAW ☣ afdb697c37 Delete Dockerfile 2024-03-06 00:37:50 +01:00
ƬHE ЯAW ☣ 4cc4a9b7cc Create run.sh 2024-03-06 00:34:26 +01:00
ƬHE ЯAW ☣ 2f02f4b5f7 Update version 2024-01-30 02:02:44 +01:00
ƬHE ЯAW ☣ 33d5336a48 Update version 2023-09-02 20:44:37 +02:00
ƬHE ЯAW ☣ 2953575b1b not currently available. 2023-04-18 22:16:59 +02:00
ƬHE ЯAW ☣ df1651b1be added a premium version. 2023-03-22 05:06:21 +01:00
ƬHE ЯAW ☣ f06caa5eed Update install 2023-01-02 19:50:34 +01:00
ƬHE ЯAW ☣ f0ead8ba23 Merge pull request #30 from theraw/pcre-fix 
Pcre fix
 2023-01-02 06:09:19 +01:00
ƬHE ЯAW ☣ e7437e6136 Update version 2023-01-02 05:35:25 +01:00
ƬHE ЯAW ☣ 6877a80789 Update version 2023-01-02 04:46:41 +01:00
ƬHE ЯAW ☣ df1519bcea Update version 2023-01-02 03:44:57 +01:00
46 changed files with 1342 additions and 993 deletions
Expand all files Collapse all files
.gitea/workflows/build-publish.yml
+175
View File
@@ -0,0 +1,175 @@
name: build-and-publish
on:
push:
branches: [master]
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
target: [trixie, raccoon]
include:
- target: trixie
image: debian:13
nexus_repo_secret: NEXUS_REPO_TRIXIE
- target: raccoon
image: ubuntu:26.04
nexus_repo_secret: NEXUS_REPO_RACCOON
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Build nginx and assemble .deb inside ${{ matrix.image }}
id: pkg
env:
TARGET: ${{ matrix.target }}
IMAGE: ${{ matrix.image }}
run: |
set -euo pipefail
mkdir -p dist
sudo docker run --rm \
-v "$PWD:/repo" \
-w /repo \
-e TARGET="$TARGET" \
"$IMAGE" \
bash -euxc '
touch /.dockerenv
bash build/${TARGET}.sh new
bash build/${TARGET}.sh build
bash build/${TARGET}.sh postfix
PKG_NAME="twiy"
NGINX_VER="$(nginx -v 2>&1 | awk -F/ "{print \$2}")"
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
ARCH="amd64"
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
DEB_DIR="${PKG_DIR}/DEBIAN"
mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
"${PKG_DIR}/hostdata/default/public_html" \
"${PKG_DIR}/usr/nginx_lua" \
"${PKG_DIR}/usr/local/nginx/client_body_temp" \
"${PKG_DIR}/usr/local/nginx/proxy_temp" \
"${PKG_DIR}/usr/local/nginx/fastcgi_temp" \
"${PKG_DIR}/usr/local/nginx/uwsgi_temp" \
"${PKG_DIR}/usr/local/nginx/scgi_temp"
cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
cp -R /nginx/* "${PKG_DIR}/nginx/" || true
cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do
cp "$lib" "${PKG_DIR}/usr/lib/" || true
done
# ---- DEBIAN/control --------------------------------------------
mkdir -p "${DEB_DIR}"
cat > "${DEB_DIR}/control" <<EOF
Package: ${PKG_NAME}
Version: ${VERSION}
Section: base
Priority: optional
Architecture: ${ARCH}
Depends: libjemalloc2
Maintainer: Julio <me@julio.al>
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI for ${TARGET}.
EOF
# ---- DEBIAN/postinst -------------------------------------------
cat > "${DEB_DIR}/postinst" <<"EOFPOSTINST"
#!/bin/bash
# Idempotent: safe on first install, upgrade, and reinstall.
useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
install -d -o nginx -g nginx -m 0755 \
/usr/local/nginx \
/usr/local/nginx/client_body_temp \
/usr/local/nginx/proxy_temp \
/usr/local/nginx/fastcgi_temp \
/usr/local/nginx/uwsgi_temp \
/usr/local/nginx/scgi_temp \
/var/log/nginx
chown -R nginx:nginx /var/log/nginx /nginx /usr/local/nginx 2>/dev/null || true
systemctl daemon-reload 2>/dev/null || true
systemctl enable nginx.service 2>/dev/null || true
systemctl restart nginx.service 2>/dev/null || true
exit 0
EOFPOSTINST
chmod 755 "${DEB_DIR}/postinst"
dpkg-deb --build "${PKG_DIR}"
cp "${PKG_DIR}.deb" /repo/dist/
# Hand ownership back to the runner UID so the host job can read.
chown $(stat -c "%u:%g" /repo) /repo/dist/$(basename "${PKG_DIR}.deb")
# Stash version for the publish step.
echo "${PKG_NAME}_${VERSION}_${ARCH}.deb" > /repo/dist/${TARGET}.name
echo "${VERSION}" > /repo/dist/${TARGET}.version
echo "${PKG_NAME}" > /repo/dist/${TARGET}.pkg
'
# Surface the artifact paths for the next step.
DEB_FILE="$PWD/dist/$(cat dist/${TARGET}.name)"
PKG_NAME="$(cat dist/${TARGET}.pkg)"
VERSION="$(cat dist/${TARGET}.version)"
{
echo "deb_file=${DEB_FILE}"
echo "version=${VERSION}"
echo "pkg_name=${PKG_NAME}"
} >> "$GITHUB_OUTPUT"
ls -la "${DEB_FILE}"
sha256sum "${DEB_FILE}"
- name: Publish to Nexus (${{ matrix.target }})
env:
NEXUS_USER: ${{ secrets.NEXUS_USER }}
NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets[matrix.nexus_repo_secret] }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
umask 077
SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
|| mktemp -d -t twiy-XXXXXXXX)"
chmod 700 "$SECDIR"
cleanup() {
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT INT TERM HUP
NEXUS_HOST="$(printf '%s' "$NEXUS_URL" | awk -F/ '{print $3}')"
printf 'machine %s login %s password %s\n' \
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
unset NEXUS_USER NEXUS_PASS
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$PKG_NAME" python3 -c '
import sys, json, os
for c in json.load(sys.stdin).get("items", []):
if c.get("name") == os.environ["PKG_NAME"]:
print(c["id"]); break
' || true)"
if [ -n "$OLD_ID" ]; then
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
fi
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
-o "$SECDIR/upload.body" -w '%{http_code}' \
-X POST -F "apt.asset=@$DEB_FILE" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
case "$HTTP" in
201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
*) echo "[$TARGET] upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
esac
.github/workflows/docker-image.yml
-18
View File
@@ -1,18 +0,0 @@
name: BobTheBuilder
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
.gitignore
+10
View File
@@ -0,0 +1,10 @@
.claude/
.codex
.env
.creds
.workers
.local
Dockerfile
docker-compose.yaml
docker-compose.yml
PENDING_*.md
Dockerfile
-69
View File
@@ -1,69 +0,0 @@
# Ubuntu 22.04 image with lua/modsecurity lib, required deps and resty core scripts.
FROM theraw/the-world-is-yours:ubuntu2204-base
ARG NGINX="1.22.1"
ARG JAMMY_VERSION_NGINX="1.22.1"
ARG JAMMY_VERSION_LUA="2.1-20220915"
ARG JAMMY_VERSION_NGX_LUA="0.10.22"
ARG JAMMY_VERSION_NGX_RESTY_CORE="0.1.24"
ARG JAMMY_VERSION_NGX_RESTY_LRUCACHE="0.13"
ARG JAMMY_VERSION_NGX_MODSECURITY="3.0.8"
ARG JAMMY_PCRE="10.42"
ARG JAMMY_OPENSSL="3.0.2"
ARG JAMMY_ZLIB="1.2.13"
ARG LUA_SCRIPTS="/usr/twiylua/"
ARG NGX_DEVEL_KIT="0.3.2"
ARG NGX_PAGESPEED="1.13.35.2"
ARG NGX_PAGESPEED_PSOL="1.13.35.2-x64"
ARG NGX_GEOIP2="3.4"
ARG NGX_MODSECURITY="1.0.3"
ARG NGX_HTTP_FLV="1.2.10"
ARG NGX_HEADERS_MORE="0.34"
ARG NGX_LUA="0.10.22"
ARG NGX_SET_MISC="0.33"
RUN apt-get update; apt-get install supervisor make cmake automake autoconf unzip -y; cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz; cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz; cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh; cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz; cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz; cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz; cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz; cd /opt/ && wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz && tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz && rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz && cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
RUN cd /opt/nginx-${JAMMY_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
RUN cd /opt/nginx-${JAMMY_VERSION_NGINX} && make -j`nproc` && make install; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /lib/systemd/system/nginx.service; rm -Rf /nginx/*.default; useradd nginx && usermod -s /bin/false nginx; mkdir -p /nginx/modules && mkdir -p /tmp && cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/heads/master.zip; unzip master.zip; rm -Rf master.zip; cp -a /tmp/The-World-Is-Yours-master/static/Jammy/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-master; mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf; curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.conf > /nginx/nginx.conf; mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default; mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html; mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js; curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/docker/supervisord.conf > /etc/supervisor/supervisord.conf
CMD /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
README.md
+78 -30
View File
@@ -1,38 +1,68 @@
# Nginx L7 DDoS Protection! :boom: :zap: [![Docker Image CI](https://github.com/theraw/The-World-Is-Yours/workflows/BobTheBuilder/badge.svg?branch=master)](https://github.com/theraw/The-World-Is-Yours/actions/workflows/docker-image.yml)
Now easier then before, you will have to compile only Nginx, Rest of modules come pre-compiled.
# Nginx L7 DDoS Protection! :boom: :zap:
![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
- [x] Support Ubuntu 20.04.
- [x] Support Ubuntu 22.04.1
- [x] Debian 13 (trixie) and Ubuntu 26.04 LTS (raccoon) supported
- [x] nginx 1.30.0
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
-- Security Dynamic Modules.
- [x] ModSecurity Support.
- [x] Naxsi Support.
- [x] Lua Support.
- [x] Cookie Based Challenge.
- [x] [MOD LIST X Ubuntu 20.04](https://github.com/theraw/The-World-Is-Yours/tree/master/static/Focal/mod)
- [x] [MOD LIST X Ubuntu 22.04](https://github.com/theraw/The-World-Is-Yours/tree/master/static/Jammy/mod)
- [x] [Versions](https://github.com/theraw/The-World-Is-Yours/blob/master/version)
How do these 3 modules work together? L7 will block all or most of bots, ModSecurity and Naxsi take priority over cookie challenge!
So if its a offensive request that Modsecurity or Naxsi detect it as such then these 2 will deal with that request otherwise cookie challenge will appear.
## Easy install
## INSTALLATION
### Debian 13 (trixie)
```bash
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc -o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb-trixie trixie main" | sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```
1. **`apt-get update; apt-get -y install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc tar`**
### Ubuntu 26.04 LTS (raccoon)
```bash
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc -o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb-raccoon raccoon main" | sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```
2. **`curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/install > install; bash install`**
## Compile from source
## OR RUN IN DOCKER
Pick the script that matches your OS — they're separate so apt package
divergences (e.g. the t64 ABI transition on Ubuntu 24.04+) stay isolated.
1. **`git clone https://github.com/theraw/The-World-Is-Yours.git; cd The-World-Is-Yours`**
```bash
apt-get -y install git && cd /root/ && git clone https://git.julio.al/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
2. **`docker build -t mybuild .`**
# Debian 13
bash build/trixie.sh new
bash build/trixie.sh build
bash build/trixie.sh postfix
3. **`docker run -d mybuild`**
# Ubuntu 26.04 LTS
bash build/raccoon.sh new
bash build/raccoon.sh build
bash build/raccoon.sh postfix
```
To try a different upstream version, edit `version` and re-run `new` then `build`.
## CLI Info
```
bash build/<distro>.sh new => Download all modules + nginx that are missing from /opt/.
(Re-run after changing the `version` file to fetch new versions.)
bash build/<distro>.sh build => Compile nginx. Re-runnable; will not touch your configs.
bash build/<distro>.sh postfix => Drop the default /nginx/nginx.conf, vhost, and systemd unit
into place. Run once on first install; re-running overwrites
/nginx/nginx.conf.
```
where `<distro>` is `trixie` or `raccoon`.
## Basic info.
## Nginx info.
```
=> Nginx Folder = /nginx/
@@ -43,19 +73,37 @@ So if its a offensive request that Modsecurity or Naxsi detect it as such then t
=> --sbin-path = /usr/sbin/nginx
=> --error-log-path = /var/log/nginx/error.log
LUA RESTY CORE SCRIPTS = /usr/twiylua/
// YOUR NGINX IS LOCATED AT /nginx NOT /etc/nginx
LUA RESTY CORE SCRIPTS = /usr/nginx_lua
```
## How to install lua scripts
```
. /root/The-World-Is-Yours/version
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```
## Performance
### vs. vanilla nginx (same version, default config)
| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+515%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |
# Support options.
- No free support for how to do things, please don't spam with questions in discord.
- Free support for installation related errors only, is included.
- Business inquiries, regarding anti-ddos protection or other security/optimization concerns you can contact me on : raw@dopehosting.net
## KEEP IN MIND!
1. You're trading perfomance for security.
2. If your server provider does not have anti-ddos your IPTABLES will fail to keep the bans, and your server may be offline in cases of big attacks.
3. This is not a script that with one command your ddos problem is fixed, there's no such thing for L7 attacks as they change and new methods come out very often and no one has any ideas where your server is lacking security so this script is a basic thing more advanced protection require knowledge, monitoring logs, and applying filters in order to automatically ban attackers, this project is suggested to run with fail2ban + iptables.
## Contributors
Feel free to submit a pull request.
Special thanks to the following contributors:
<!-- prettier-ignore-start -->
build/raccoon.sh
+395
View File
@@ -0,0 +1,395 @@
. ./version
set -e
function reqs() {
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata dialog
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 -y
mkdir -p $LUA_SCRIPTS
}
function clean_install() {
mkdir -p /opt/mod
# Nginx
if [ ! -d /opt/nginx-${NGINX} ]; then
cd /opt/ && wget https://nginx.org/download/nginx-${NGINX}.tar.gz
tar xf nginx-${NGINX}.tar.gz && rm -Rf nginx-${NGINX}.tar.gz
fi
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# ZLIB
if [ ! -d /opt/mod/zlib ]; then
cd /opt/mod && wget http://zlib.net/current/zlib.tar.gz
cd /opt/mod && tar xf zlib.tar.gz; rm -Rf zlib.tar.gz; mv zlib-* zlib
fi
# SYSTEM_LUAJIT
if [ ! -d /opt/mod/luajit2-${SYSTEM_LUAJIT} ]; then
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${SYSTEM_LUAJIT}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_LUAJIT}.tar.gz && rm -Rf v${SYSTEM_LUAJIT}.tar.gz
if [ ! -d /usr/local/LuaJIT/include/luajit-2.1 ]; then
cd /opt/mod/luajit2-${SYSTEM_LUAJIT}/ && make clean && make install PREFIX=/usr/local/LuaJIT && ldconfig
# apt-get -y install liblua5.1-0-dev; apt-get -y install luarocks; luarocks install lua-resty-core
fi
fi
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
fi
# LibInjection
if [ ! -d /opt/mod/libinjection ]; then
cd /opt/mod && git clone https://github.com/libinjection/libinjection.git
cd /opt/mod/libinjection && ./autogen.sh && ./configure && make -j`nproc` && make install
fi
# END OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# START OF NGINX MODULES
# ============================================================================================================
# NGX_MOD_LUA
if [ ! -d /opt/mod/lua-nginx-module-${NGX_MOD_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
if [ ! -d /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-mysql/archive/refs/tags/v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_MYSQL}.tar.gz; rm -Rf v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_SRCACHE
if [ ! -d /opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/srcache-nginx-module/archive/refs/tags/v${NGX_MOD_LUA_SRCACHE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_SRCACHE}.tar.gz; rm -Rf v${NGX_MOD_LUA_SRCACHE}.tar.gz
fi
# NGX_MOD_LUA_REDIS2
if [ ! -d /opt/mod/redis2-nginx-module ]; then
cd /opt/mod/; git clone --recursive https://github.com/openresty/redis2-nginx-module.git
fi
# NGX_MOD_LUA_LOCK 0.09
if [ ! -d /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lock/archive/refs/tags/v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_LOCK}.tar.gz; rm -Rf v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_CACHE
if [ ! -d /opt/mod/lua-resty-cache ]; then
cd /opt/mod/; git clone --branch feature-srcache --recursive https://github.com/lloydzhou/lua-resty-cache
cd /opt/mod/lua-resty-cache && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_DEVELKIT
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_MOD_DEVELKIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_DEVELKIT}.tar.gz; rm -Rf v${NGX_MOD_DEVELKIT}.tar.gz
fi
# NGX_MOD_GEOIP2
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_MOD_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_GEOIP2}.tar.gz; rm -Rf ${NGX_MOD_GEOIP2}.tar.gz
fi
# NGX_MOD_MODSECURITY
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MOD_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_MODSECURITY}.tar.gz; rm -Rf v${NGX_MOD_MODSECURITY}.tar.gz
fi
# NGX_MOD_HTTPFLV
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_MOD_HTTPFLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HTTPFLV}.tar.gz; rm -Rf v${NGX_MOD_HTTPFLV}.tar.gz
fi
# NGX_MOD_HEADERS_MORE
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_MOD_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_MOD_HEADERS_MORE}.tar.gz
fi
# NGX_MOD_SETMISC
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_MOD_SETMISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_SETMISC}.tar.gz; rm -Rf v${NGX_MOD_SETMISC}.tar.gz
fi
# Testcookie
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
# Brotli
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
# Naxsi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
test_nginx() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
make clean
}
function build() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
unset NGINX
}
function post_build() {
useradd nginx; unset NGINX; rm -rf /nginx/*.default;
mkdir -p /nginx/live
mkdir -p /nginx/conf.d
mkdir -p /nginx/config
mkdir -p /var/log/nginx
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/nginx.conf > /nginx/nginx.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
echo "Skipping systemctl commands on GitHub runner"
mkdir -p /etc/systemd/system/
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Raccoon/nginx.service > /etc/systemd/system/nginx.service
else
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Raccoon/nginx.service > /etc/systemd/system/nginx.service
systemctl daemon-reload
systemctl start nginx.service
systemctl enable nginx.service
fi
}
# Handling command-line arguments
case "$1" in
new)
reqs
clean_install
;;
test)
test_nginx
;;
build)
build
;;
postfix)
post_build
;;
*)
echo "Invalid option: $1"
echo "Usage: $0 {new|test|build|postfix}"
echo ""
echo " new: will download all modules & nginx (if you change a version from file, simply rerun this to download that)"
echo " test: Test nginx configuration"
echo " build: Build nginx, or Rebuild (mods/configs will not be redownloaded this will only build)"
echo " postfix: After first installation, run this to download nginx configs (it will replace nginx.conf if there already is one)"
exit 1
;;
esac
build/trixie.sh
+395
View File
@@ -0,0 +1,395 @@
. ./version
set -e
function reqs() {
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata dialog
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 -y
mkdir -p $LUA_SCRIPTS
}
function clean_install() {
mkdir -p /opt/mod
# Nginx
if [ ! -d /opt/nginx-${NGINX} ]; then
cd /opt/ && wget https://nginx.org/download/nginx-${NGINX}.tar.gz
tar xf nginx-${NGINX}.tar.gz && rm -Rf nginx-${NGINX}.tar.gz
fi
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# ZLIB
if [ ! -d /opt/mod/zlib ]; then
cd /opt/mod && wget http://zlib.net/current/zlib.tar.gz
cd /opt/mod && tar xf zlib.tar.gz; rm -Rf zlib.tar.gz; mv zlib-* zlib
fi
# SYSTEM_LUAJIT
if [ ! -d /opt/mod/luajit2-${SYSTEM_LUAJIT} ]; then
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${SYSTEM_LUAJIT}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_LUAJIT}.tar.gz && rm -Rf v${SYSTEM_LUAJIT}.tar.gz
if [ ! -d /usr/local/LuaJIT/include/luajit-2.1 ]; then
cd /opt/mod/luajit2-${SYSTEM_LUAJIT}/ && make clean && make install PREFIX=/usr/local/LuaJIT && ldconfig
# apt-get -y install liblua5.1-0-dev; apt-get -y install luarocks; luarocks install lua-resty-core
fi
fi
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
fi
# LibInjection
if [ ! -d /opt/mod/libinjection ]; then
cd /opt/mod && git clone https://github.com/libinjection/libinjection.git
cd /opt/mod/libinjection && ./autogen.sh && ./configure && make -j`nproc` && make install
fi
# END OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# START OF NGINX MODULES
# ============================================================================================================
# NGX_MOD_LUA
if [ ! -d /opt/mod/lua-nginx-module-${NGX_MOD_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
if [ ! -d /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-mysql/archive/refs/tags/v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_MYSQL}.tar.gz; rm -Rf v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_SRCACHE
if [ ! -d /opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/srcache-nginx-module/archive/refs/tags/v${NGX_MOD_LUA_SRCACHE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_SRCACHE}.tar.gz; rm -Rf v${NGX_MOD_LUA_SRCACHE}.tar.gz
fi
# NGX_MOD_LUA_REDIS2
if [ ! -d /opt/mod/redis2-nginx-module ]; then
cd /opt/mod/; git clone --recursive https://github.com/openresty/redis2-nginx-module.git
fi
# NGX_MOD_LUA_LOCK 0.09
if [ ! -d /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lock/archive/refs/tags/v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_LOCK}.tar.gz; rm -Rf v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_CACHE
if [ ! -d /opt/mod/lua-resty-cache ]; then
cd /opt/mod/; git clone --branch feature-srcache --recursive https://github.com/lloydzhou/lua-resty-cache
cd /opt/mod/lua-resty-cache && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_DEVELKIT
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_MOD_DEVELKIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_DEVELKIT}.tar.gz; rm -Rf v${NGX_MOD_DEVELKIT}.tar.gz
fi
# NGX_MOD_GEOIP2
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_MOD_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_GEOIP2}.tar.gz; rm -Rf ${NGX_MOD_GEOIP2}.tar.gz
fi
# NGX_MOD_MODSECURITY
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MOD_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_MODSECURITY}.tar.gz; rm -Rf v${NGX_MOD_MODSECURITY}.tar.gz
fi
# NGX_MOD_HTTPFLV
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_MOD_HTTPFLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HTTPFLV}.tar.gz; rm -Rf v${NGX_MOD_HTTPFLV}.tar.gz
fi
# NGX_MOD_HEADERS_MORE
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_MOD_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_MOD_HEADERS_MORE}.tar.gz
fi
# NGX_MOD_SETMISC
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_MOD_SETMISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_SETMISC}.tar.gz; rm -Rf v${NGX_MOD_SETMISC}.tar.gz
fi
# Testcookie
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
# Brotli
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
# Naxsi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
test_nginx() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
make clean
}
function build() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
unset NGINX
}
function post_build() {
useradd nginx; unset NGINX; rm -rf /nginx/*.default;
mkdir -p /nginx/live
mkdir -p /nginx/conf.d
mkdir -p /nginx/config
mkdir -p /var/log/nginx
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/nginx.conf > /nginx/nginx.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
echo "Skipping systemctl commands on GitHub runner"
mkdir -p /etc/systemd/system/
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Trixie/nginx.service > /etc/systemd/system/nginx.service
else
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Trixie/nginx.service > /etc/systemd/system/nginx.service
systemctl daemon-reload
systemctl start nginx.service
systemctl enable nginx.service
fi
}
# Handling command-line arguments
case "$1" in
new)
reqs
clean_install
;;
test)
test_nginx
;;
build)
build
;;
postfix)
post_build
;;
*)
echo "Invalid option: $1"
echo "Usage: $0 {new|test|build|postfix}"
echo ""
echo " new: will download all modules & nginx (if you change a version from file, simply rerun this to download that)"
echo " test: Test nginx configuration"
echo " build: Build nginx, or Rebuild (mods/configs will not be redownloaded this will only build)"
echo " postfix: After first installation, run this to download nginx configs (it will replace nginx.conf if there already is one)"
exit 1
;;
esac
install
-301
View File
@@ -1,301 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
case "`grep DISTRIB_CODENAME /etc/*-release | awk -F '=' '{print $2}'`" in
focal)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "Maybe you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You can wipe old installation by executing!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means you already got nginx up and running!"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "DETECTED '/opt/nginx/'"
echo "Maybe script has already been used you need to start clean!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.2-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev -y
mkdir -p /opt/mod/
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${FOCAL_VERSION_LUA}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_LUA}.tar.gz && rm -Rf v${FOCAL_VERSION_LUA}.tar.gz
cd /opt/mod/luajit2-${FOCAL_VERSION_LUA}/ && make install PREFIX=/usr/local/LuaJIT && ldconfig
rm -Rf /opt/mod/luajit2-${FOCAL_VERSION_LUA}/
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${FOCAL_VERSION_NGX_MODSECURITY}/modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod/modsecurity-v${FOCAL_VERSION_NGX_MODSECURITY} && ./configure && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz && rm -Rf v${FOCAL_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod/lua-resty-core-${FOCAL_VERSION_NGX_RESTY_CORE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod && tar xf v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz && rm -Rf v${FOCAL_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${FOCAL_VERSION_NGX_RESTY_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${FOCAL_PCRE}.tar.gz; rm -Rf pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./autogen.sh
#cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./configure --prefix=/usr/local/pcre2_${FOCAL_PCRE} && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_${FOCAL_OPENSSL}.tar.gz
cd /opt/mod && tar xf OpenSSL_${FOCAL_OPENSSL}.tar.gz; rm -Rf OpenSSL_${FOCAL_OPENSSL}.tar.gz
#cd /opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} && ./config --prefix=/usr/local/openssl_${FOCAL_OPENSSL} && make -j`nproc` && make install
cd /opt/mod && wget http://zlib.net/zlib-${FOCAL_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${FOCAL_ZLIB}.tar.gz; rm -Rf zlib-${FOCAL_ZLIB}.tar.gz
#cd /opt/mod/zlib-${FOCAL_ZLIB} && ./configure --prefix=/usr/local/zlib-${FOCAL_ZLIB} && make -j`nproc` && make install
# Nginx
cd /opt/ && wget https://nginx.org/download/nginx-${FOCAL_VERSION_NGINX}.tar.gz && tar xf nginx-${FOCAL_VERSION_NGINX}.tar.gz && rm -Rf nginx-${FOCAL_VERSION_NGINX}.tar.gz
cd /opt/nginx-${FOCAL_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${FOCAL_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${FOCAL_PCRE} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
cd /opt/nginx-${FOCAL_VERSION_NGINX} && make -j`nproc`
cd /opt/nginx-${FOCAL_VERSION_NGINX} && make install
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Focal/nginx.service > /lib/systemd/system/nginx.service
rm -Rf /nginx/*.default
# Download Dynamic Modules
mkdir -p /nginx/modules; mkdir -p /tmp
cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/tags/0.0.1.tar.gz
cd /tmp && tar xf 0.0.1.tar.gz && rm -Rf 0.0.1.tar.gz && cp -a /tmp/The-World-Is-Yours-0.0.1/static/Focal/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-0.0.1
# Fixes
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Focal/nginx.conf > /nginx/nginx.conf
mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
# Start
unset NGINX
killall nginx
useradd nginx && usermod -s /bin/false nginx
systemctl enable nginx
systemctl daemon-reload
systemctl enable nginx
systemctl stop nginx
systemctl start nginx
;;
jammy)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You wipe old installation by executing!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "DETECTED '/opt/nginx/'"
echo "Maybe script has already been used you need to start clean!"
echo "(**THIS WILL DELETE ALL YOUR OLD NGINX CONFIGS MAKE SURE YOU BACKUP BEFORE USING**)"
echo "execute: rm -Rf /nginx; rm -Rf /usr/sbin/nginx; rm -Rf /opt/mod; rm -Rf /opt/nginx*"
echo "then execute again bash install"
exit 1
fi
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.2-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev -y
mkdir -p /opt/mod/
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${JAMMY_VERSION_LUA}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_LUA}.tar.gz && rm -Rf v${JAMMY_VERSION_LUA}.tar.gz
cd /opt/mod/luajit2-${JAMMY_VERSION_LUA}/ && make install PREFIX=/usr/local/LuaJIT && ldconfig
rm -Rf /opt/mod/luajit2-${JAMMY_VERSION_LUA}/
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${JAMMY_VERSION_NGX_MODSECURITY}/modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY}.tar.gz
cd /opt/mod/modsecurity-v${JAMMY_VERSION_NGX_MODSECURITY} && ./configure && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz && rm -Rf v${JAMMY_VERSION_NGX_RESTY_CORE}.tar.gz
cd /opt/mod/lua-resty-core-${JAMMY_VERSION_NGX_RESTY_CORE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod && tar xf v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz && rm -Rf v${JAMMY_VERSION_NGX_RESTY_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${JAMMY_VERSION_NGX_RESTY_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh
#cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./configure --prefix=/usr/local/pcre2_${JAMMY_PCRE} && make -j`nproc` && make install
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz
cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz
#cd /opt/mod/openssl-OpenSSL_${JAMMY_OPENSSL} && ./config --prefix=/usr/local/openssl_${JAMMY_OPENSSL} && make -j`nproc` && make install
cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz
#cd /opt/mod/zlib-${JAMMY_ZLIB} && ./configure --prefix=/usr/local/zlib-${JAMMY_ZLIB} && make -j`nproc` && make install
# Nginx
cd /opt/ && wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz && tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz && rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz
cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${JAMMY_VERSION_NGINX} && ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie"
cd /opt/nginx-${JAMMY_VERSION_NGINX} && make -j`nproc`
cd /opt/nginx-${JAMMY_VERSION_NGINX} && make install
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /lib/systemd/system/nginx.service
rm -Rf /nginx/*.default
# Download Dynamic Modules
mkdir -p /nginx/modules; mkdir -p /tmp
cd /tmp && wget https://github.com/theraw/The-World-Is-Yours/archive/refs/tags/0.0.1.tar.gz
cd /tmp && tar xf 0.0.1.tar.gz && rm -Rf 0.0.1.tar.gz && cp -a /tmp/The-World-Is-Yours-0.0.1/static/Jammy/mod/*.so /nginx/modules/; rm -Rf /tmp/The-World-Is-Yours-0.0.1
# Fixes
mkdir -p /nginx/modsec
curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.conf > /nginx/nginx.conf
mkdir -p /nginx/live/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
# Start
unset NGINX
killall nginx
useradd nginx && usermod -s /bin/false nginx
systemctl enable nginx
systemctl daemon-reload
systemctl enable nginx
systemctl stop nginx
systemctl start nginx
;;
esac
static/Focal/mod/Builder.sh
-177
View File
@@ -1,177 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
sudo apt-get install libpcre2-dev mercurial -y; mkdir -p /opt/mod
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_DEVEL_KIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_DEVEL_KIT}.tar.gz; rm -Rf v${NGX_DEVEL_KIT}.tar.gz
fi
if [ ! -d /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable ]; then
cd /opt/mod/; wget https://github.com/apache/incubator-pagespeed-ngx/archive/refs/tags/v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/; tar xf v${NGX_PAGESPEED}-stable.tar.gz; rm -Rf v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable; wget https://dl.google.com/dl/page-speed/psol/${NGX_PAGESPEED_PSOL}.tar.gz; tar xf ${NGX_PAGESPEED_PSOL}.tar.gz; rm -Rf tar xf ${NGX_PAGESPEED_PSOL}.tar.gz
fi
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_GEOIP2}.tar.gz; rm -Rf ${NGX_GEOIP2}.tar.gz
fi
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MODSECURITY}.tar.gz; rm -Rf v${NGX_MODSECURITY}.tar.gz
fi
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_HTTP_FLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_HTTP_FLV}.tar.gz; rm -Rf v${NGX_HTTP_FLV}.tar.gz
fi
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_HEADERS_MORE}.tar.gz
fi
if [ ! -d /opt/mod/lua-nginx-module-${NGX_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_LUA}.tar.gz; rm -Rf v${NGX_LUA}.tar.gz
fi
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_SET_MISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_SET_MISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_SET_MISC}.tar.gz; rm -Rf v${NGX_SET_MISC}.tar.gz
fi
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
if [ ! -d /opt/mod/pcre2-pcre2-${FOCAL_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${FOCAL_PCRE}.tar.gz; rm -Rf pcre2-${FOCAL_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${FOCAL_PCRE} && ./autogen.sh
fi
if [ ! -d /opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} ]; then
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_${FOCAL_OPENSSL}.tar.gz
cd /opt/mod && tar xf OpenSSL_${FOCAL_OPENSSL}.tar.gz; rm -Rf OpenSSL_${FOCAL_OPENSSL}.tar.gz
fi
if [ ! -d /opt/mod/zlib-${FOCAL_ZLIB} ]; then
cd /opt/mod && wget http://zlib.net/zlib-${FOCAL_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${FOCAL_ZLIB}.tar.gz; rm -Rf zlib-${FOCAL_ZLIB}.tar.gz
fi
rm -Rf /opt/nginx-${FOCAL_VERSION_NGINX}; cd /opt/; wget https://nginx.org/download/nginx-${FOCAL_VERSION_NGINX}.tar.gz; tar xf nginx-${FOCAL_VERSION_NGINX}.tar.gz; rm -Rf nginx-${FOCAL_VERSION_NGINX}.tar.gz
cd /opt/nginx-${FOCAL_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${FOCAL_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${FOCAL_PCRE} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} \
--add-dynamic-module=/opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} \
--add-dynamic-module=/opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable \
--add-dynamic-module=/opt/mod/naxsi/naxsi_src \
--add-dynamic-module=/opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} \
--add-dynamic-module=/opt/mod/ngx_brotli \
--add-dynamic-module=/opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} \
--add-dynamic-module=/opt/mod/set-misc-nginx-module-${NGX_SET_MISC} \
--add-dynamic-module=/opt/mod/testcookie
make -j`nproc` modules
rm -Rf /nginx/modules/*.so; cp /opt/nginx-${FOCAL_VERSION_NGINX}/objs/*.so /nginx/modules/
cd /opt/nginx-${FOCAL_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-OpenSSL_${FOCAL_OPENSSL} \
--with-zlib=/opt/mod/zlib-${FOCAL_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -lpcre" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/lua-nginx-module-${NGX_LUA}
make -j`nproc` modules
cp /opt/nginx-${FOCAL_VERSION_NGINX}/objs/*.so /nginx/modules/
static/Focal/mod/ndk_http_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_brotli_filter_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_brotli_static_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_flv_live_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_geoip2_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_headers_more_filter_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_lua_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_modsecurity_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_naxsi_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_set_misc_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_http_testcookie_access_module.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_pagespeed.so
BIN
View File
Binary file not shown.
static/Focal/mod/ngx_stream_geoip2_module.so
BIN
View File
Binary file not shown.
static/Focal/nginx.conf
-81
View File
@@ -1,81 +0,0 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
load_module /nginx/modules/ndk_http_module.so;
load_module /nginx/modules/ngx_http_lua_module.so;
load_module /nginx/modules/ngx_http_naxsi_module.so;
load_module /nginx/modules/ngx_http_modsecurity_module.so;
load_module /nginx/modules/ngx_http_testcookie_access_module.so;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== LOAD LUA ========================= #
lua_package_path "/usr/twiylua/lib/lua/?.lua;;";
# =================== END LUA ========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 15s;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
# ////////////////////////////////////////////////////// #
}
static/Focal/nginx.service
-16
View File
@@ -1,16 +0,0 @@
[Nginx]
Description=A high performance web server and a reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
static/Jammy/mod/Builder.sh
-177
View File
@@ -1,177 +0,0 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/version > /tmp/version; source /tmp/version
sudo apt-get install libpcre2-dev mercurial -y; mkdir -p /opt/mod
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_DEVEL_KIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_DEVEL_KIT}.tar.gz; rm -Rf v${NGX_DEVEL_KIT}.tar.gz
fi
if [ ! -d /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable ]; then
cd /opt/mod/; wget https://github.com/apache/incubator-pagespeed-ngx/archive/refs/tags/v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/; tar xf v${NGX_PAGESPEED}-stable.tar.gz; rm -Rf v${NGX_PAGESPEED}-stable.tar.gz
cd /opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable; wget https://dl.google.com/dl/page-speed/psol/${NGX_PAGESPEED_PSOL}.tar.gz; tar xf ${NGX_PAGESPEED_PSOL}.tar.gz; rm -Rf tar xf ${NGX_PAGESPEED_PSOL}.tar.gz
fi
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_GEOIP2}.tar.gz; rm -Rf ${NGX_GEOIP2}.tar.gz
fi
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MODSECURITY}.tar.gz; rm -Rf v${NGX_MODSECURITY}.tar.gz
fi
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_HTTP_FLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_HTTP_FLV}.tar.gz; rm -Rf v${NGX_HTTP_FLV}.tar.gz
fi
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_HEADERS_MORE}.tar.gz
fi
if [ ! -d /opt/mod/lua-nginx-module-${NGX_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_LUA}.tar.gz; rm -Rf v${NGX_LUA}.tar.gz
fi
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_SET_MISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_SET_MISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_SET_MISC}.tar.gz; rm -Rf v${NGX_SET_MISC}.tar.gz
fi
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
if [ ! -d /opt/mod/pcre2-pcre2-${JAMMY_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${JAMMY_PCRE}.tar.gz; rm -Rf pcre2-${JAMMY_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${JAMMY_PCRE} && ./autogen.sh
fi
if [ ! -d /opt/mod/openssl-openssl-${JAMMY_OPENSSL} ]; then
cd /opt/mod && wget https://github.com/openssl/openssl/archive/refs/tags/openssl-${JAMMY_OPENSSL}.tar.gz
cd /opt/mod && tar xf openssl-${JAMMY_OPENSSL}.tar.gz; rm -Rf openssl-${JAMMY_OPENSSL}.tar.gz
fi
if [ ! -d /opt/mod/zlib-${JAMMY_ZLIB} ]; then
cd /opt/mod && wget http://zlib.net/zlib-${JAMMY_ZLIB}.tar.gz
cd /opt/mod && tar xf zlib-${JAMMY_ZLIB}.tar.gz; rm -Rf zlib-${JAMMY_ZLIB}.tar.gz
fi
rm -Rf /opt/nginx-${JAMMY_VERSION_NGINX}; cd /opt/; wget https://nginx.org/download/nginx-${JAMMY_VERSION_NGINX}.tar.gz; tar xf nginx-${JAMMY_VERSION_NGINX}.tar.gz; rm -Rf nginx-${JAMMY_VERSION_NGINX}.tar.gz
cd /opt/nginx-${JAMMY_VERSION_NGINX} && curl -s https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch > hpack_push.patch && patch -p1 < hpack_push.patch
cd /opt/nginx-${JAMMY_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-pcre \
--with-pcre=/opt/mod/pcre2-pcre2-${JAMMY_PCRE} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/ModSecurity-nginx-${NGX_MODSECURITY} \
--add-dynamic-module=/opt/mod/headers-more-nginx-module-${NGX_HEADERS_MORE} \
--add-dynamic-module=/opt/mod/incubator-pagespeed-ngx-${NGX_PAGESPEED}-stable \
--add-dynamic-module=/opt/mod/naxsi/naxsi_src \
--add-dynamic-module=/opt/mod/nginx-http-flv-module-${NGX_HTTP_FLV} \
--add-dynamic-module=/opt/mod/ngx_brotli \
--add-dynamic-module=/opt/mod/ngx_http_geoip2_module-${NGX_GEOIP2} \
--add-dynamic-module=/opt/mod/set-misc-nginx-module-${NGX_SET_MISC} \
--add-dynamic-module=/opt/mod/testcookie
make -j`nproc` modules
rm -Rf /nginx/modules/*.so; cp /opt/nginx-${JAMMY_VERSION_NGINX}/objs/*.so /nginx/modules/
cd /opt/nginx-${JAMMY_VERSION_NGINX}/
LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-openssl-${JAMMY_OPENSSL} \
--with-zlib=/opt/mod/zlib-${JAMMY_ZLIB} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-http_v2_hpack_enc \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -lpcre" \
--add-dynamic-module=/opt/mod/ngx_devel_kit-${NGX_DEVEL_KIT} \
--add-dynamic-module=/opt/mod/lua-nginx-module-${NGX_LUA}
make -j`nproc` modules
cp /opt/nginx-${JAMMY_VERSION_NGINX}/objs/*.so /nginx/modules/
static/Jammy/mod/ndk_http_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_brotli_filter_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_brotli_static_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_flv_live_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_geoip2_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_headers_more_filter_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_lua_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_modsecurity_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_naxsi_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_set_misc_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_http_testcookie_access_module.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_pagespeed.so
BIN
View File
Binary file not shown.
static/Jammy/mod/ngx_stream_geoip2_module.so
BIN
View File
Binary file not shown.
static/Jammy/nginx.conf
-81
View File
@@ -1,81 +0,0 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
load_module /nginx/modules/ndk_http_module.so;
load_module /nginx/modules/ngx_http_lua_module.so;
load_module /nginx/modules/ngx_http_naxsi_module.so;
load_module /nginx/modules/ngx_http_modsecurity_module.so;
load_module /nginx/modules/ngx_http_testcookie_access_module.so;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== LOAD LUA ========================= #
lua_package_path "/usr/twiylua/lib/lua/?.lua;;";
# =================== END LUA ========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 15s;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
# ////////////////////////////////////////////////////// #
}
static/Jammy/nginx.service
-16
View File
@@ -1,16 +0,0 @@
[Nginx]
Description=A high performance web server and a reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
static/Raccoon/nginx.service
+57
View File
@@ -0,0 +1,57 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# Self-heal: nginx was compiled without --http-*-temp-path so it expects
# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
# missing/wrong ownership on every restart.
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
# Each line shrinks the worker's blast radius without affecting throughput.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions.
ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
# off intentionally.
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
static/Trixie/nginx.service
+57
View File
@@ -0,0 +1,57 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# Self-heal: nginx was compiled without --http-*-temp-path so it expects
# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
# missing/wrong ownership on every restart.
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
# Each line shrinks the worker's blast radius without affecting throughput.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions.
ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
# off intentionally.
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
static/index.html
+1 -1
View File
@@ -1,5 +1,5 @@
<html>
<center><h1>NGINX-AS-WEB-FIREWALL Default Page!?</h1></center>
<center><h1>Congratulations</h1></center>
<center><h2>If you can see this that means your installation was successful!</h2></center>
<center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center>
</html>
static/default → static/nginx/live/default
+9 -1
View File
@@ -22,10 +22,18 @@
index index.html index.htm;
}
location /lua-test {
default_type 'text/plain';
content_by_lua_block {
ngx.say('Hello, world!')
}
}
location /denied/ {
return 403;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
static/nginx/nginx.conf
+108
View File
@@ -0,0 +1,108 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
# file only contains the global event/http settings.
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# =================== LOAD LUA ========================= #
lua_package_path "/usr/nginx_lua/lib/lua/?.lua;;";
lua_package_cpath "/usr/nginx_lua/lib/lua/5.1/?.so;;";
# =================== END LUA ========================== #
# =================== LOAD L7 ========================== #
include modsec/l7.conf;
# =================== END L7 =========================== #
# ===================== LOGS =========================== #
log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $upstream_cache_status | A: $http_user_agent';
# =================== END LOGS ========================= #
# ==================== GENERAL ========================= #
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_body_buffer_size 16k;
client_max_body_size 2M;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
reset_timedout_connection on;
keepalive_timeout 65s;
keepalive_requests 2000;
max_headers 100;
port_in_redirect off;
sendfile on;
sendfile_max_chunk 1m;
tcp_nodelay on;
tcp_nopush on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_bucket_size 128;
server_names_hash_max_size 32768;
types_hash_max_size 4096;
# File metadata cache — biggest single win for static-heavy shared hosting.
open_file_cache max=200000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ===================== TLS ============================ #
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:200m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# ===================== END TLS ======================== #
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
default_type application/octet-stream;
include /nginx/mime.types;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# ==================== COMPRESSION ===================== #
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
brotli on;
brotli_comp_level 4;
brotli_min_length 256;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
zstd on;
zstd_comp_level 4;
zstd_min_length 256;
zstd_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
# =================== END COMPRESSION ================== #
# =================== END GENERAL ====================== #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include conf.d/*;
include modsec/naxi.core;
# =================== END CONFIGS ====================== #
}
version
+57 -25
View File
@@ -1,28 +1,60 @@
#!/bin/bash
#unless custom use default
export NGINX="1.22.1"
export NGINX="1.30.0"
export LUA_SCRIPTS="/usr/twiylua/"
export FOCAL_VERSION_NGINX="1.22.1"
export FOCAL_VERSION_LUA="2.1-20220915"
export FOCAL_VERSION_NGX_LUA="0.10.22"
export FOCAL_VERSION_NGX_RESTY_CORE="0.1.24"
export FOCAL_VERSION_NGX_RESTY_LRUCACHE="0.13"
export FOCAL_VERSION_NGX_MODSECURITY="3.0.8"
# Lua Path
export LUA_SCRIPTS="/usr/nginx_lua"
export JAMMY_VERSION_NGINX="1.22.1"
export JAMMY_VERSION_LUA="2.1-20220915"
export JAMMY_VERSION_NGX_LUA="0.10.22"
export JAMMY_VERSION_NGX_RESTY_CORE="0.1.24"
export JAMMY_VERSION_NGX_RESTY_LRUCACHE="0.13"
export JAMMY_VERSION_NGX_MODSECURITY="3.0.8"
# https://github.com/openresty/lua-nginx-module/tags
export NGX_MOD_LUA="0.10.29"
export NGX_DEVEL_KIT="0.3.2"
export NGX_PAGESPEED="1.13.35.2"
export NGX_PAGESPEED_PSOL="1.13.35.2-x64"
export NGX_GEOIP2="3.4"
export NGX_MODSECURITY="1.0.3"
export NGX_HTTP_FLV="1.2.10"
export NGX_HEADERS_MORE="0.34"
export NGX_LUA="0.10.22"
export NGX_SET_MISC="0.33"
# https://github.com/vision5/ngx_devel_kit/tags
export NGX_MOD_DEVELKIT="0.3.4"
# https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MOD_GEOIP2="3.4"
# https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
export NGX_MOD_MODSECURITY="1.0.4"
# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.13"
# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.39"
# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"
# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"
# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.15"
# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20260311"
# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.47"
# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
export SYSTEM_AWSLC="1.72.0"
# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
export SYSTEM_MODSECURITY="3.0.14"
# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.29"
# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"
# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"
# https://github.com/tokers/zstd-nginx-module/tags
# Zstandard compression module. Chrome 123+ and Firefox 126+ send
# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
export NGX_MOD_ZSTD="0.1.1"