From 044035ef6232bc2f2dc909121d32b6f67165ac0e Mon Sep 17 00:00:00 2001
From: Adam Outler
Date: Tue, 30 Sep 2025 01:55:26 +0000
Subject: [PATCH] Devcontainer overlay
---
 .devcontainer/Dockerfile | 28 +-
 .devcontainer/devcontainer.json | 7 +-
 .../resources/devcontainer-Dockerfile | 2 +-
 .../services/config/nginx/netalertx.conf} | 6 +-
 .../config/php/php-fpm.d}/99-xdebug.ini | 0
 .../services/config/php/php-fpm.d/www.conf | 495 ++++++++++++++++++
 .devcontainer/scripts/setup.sh | 19 +-
 .gitignore | 1 -
 .vscode/tasks.json | 25 +-
 Dockerfile | 16 +-
 .../app/log/plugins/.git-placeholder | 0
 .../build/init-php-fpm.sh | 2 +-
 .../services/config/nginx/netalertx.conf | 2 +-
 .../services/config/nginx/nginx.conf | 5 +-
 .../services/config/php/php-fpm.conf | 2 +-
 .../services/config/php/php-fpm.d/www.conf | 2 +-
 .../services/start-backend.sh | 2 +-
 .../services/start-nginx.sh | 13 +-
 nohup.out | 3 +
 19 files changed, 577 insertions(+), 53 deletions(-)
 rename .devcontainer/resources/{netalertx-devcontainer.conf => devcontainer-overlay/services/config/nginx/netalertx.conf} (84%)
 rename .devcontainer/resources/{ => devcontainer-overlay/services/config/php/php-fpm.d}/99-xdebug.ini (100%)
 create mode 100644 .devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf
 create mode 100644 install/production-filesystem/app/log/plugins/.git-placeholder
 create mode 100644 nohup.out
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 0f0b4b1c..1dc48ad4 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -16,6 +16,7 @@ ENV PATH="/opt/venv/bin:$PATH"
 RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git
+RUN chmod -R u-rwx,g-rwx /opt
 # second stage is the main runtime stage with just the minimum required to run the application
 # The runner is used for both devcontainer, and as a base for the hardened stage.
@@ -60,6 +61,7 @@ ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
+ENV SYSTEM_SERVICES_PHP_RUN=${SYSTEM_SERVICES}/run
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV PYTHONPATH=${NETALERTX_SERVER}
@@ -78,14 +80,13 @@ RUN addgroup -g 20211 netalertx && \
 adduser -u 20211 -D -h ${NETALERTX_APP} -G netalertx netalertx
 # Install application, copy files, set permissions
-COPY --from=builder /opt/venv /opt/venv
+COPY --from=builder --chown=20212:20212 /opt/venv /opt/venv
 COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
 COPY --chown=netalertx:netalertx install/production-filesystem/ /
 COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK}
 COPY --chown=netalertx:netalertx --chmod=755 front ${NETALERTX_FRONT}
 COPY --chown=netalertx:netalertx --chmod=755 server ${NETALERTX_SERVER}
-RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \
- install -d -o netalertx -g netalertx -m 755 ${NETALERTX_LOG} && \
+RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} ${NETALERTX_LOG} ${SYSTEM_SERVICES_PHP_RUN} && \
 sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
 -exec chmod 750 {} \;"
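Review bot: `ENV SYSTEM_SERVICES_PHP_RUN=${SYSTEM_SERVICES}/run` gives this directory a different variable name from the one the root `Dockerfile` introduces in the same commit (`SYSTEM_SERVICES_RUN` and `SYSTEM_SERVICES_RUN_TMP`, hunk `@@ -59,6 +58,8 @@`), so the two images no longer export the same environment. `.devcontainer/scripts/setup.sh` now reads `${SYSTEM_SERVICES_PHP_RUN}`, and if `.devcontainer/Dockerfile` is regenerated from the root file (the `Generate Dockerfile` task in `.vscode/tasks.json` suggests that is the workflow) the variable disappears and the chown in `configure_php` degrades to a silent no-op. Pick one name on both sides, e.g. `ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run`, and reference that from setup.sh.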
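Review bot: `COPY --from=builder --chown=20212:20212 /opt/venv /opt/venv` needs a comment, because uid 20212 does not exist in the runner stage — the `readonly` user is only added in the hardened stage — and the builder has already stripped owner and group bits with `chmod -R u-rwx,g-rwx /opt`, so netalertx reaches the interpreter purely through the world bits. That appears deliberate but nothing on the line says so; suggest `# venv is owned by the not-yet-created readonly uid with u/g bits stripped: netalertx can read and execute it via the world bits but never modify it`. The merged `install -d ... -m 755` on the following lines creates `${SYSTEM_SERVICES_PHP_RUN}` at 755 while the hardened stage later recreates it at 700; since the devcontainer target is built `FROM runner`, a comment stating which mode that target is meant to run with would save the next reader a trip through both stages.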
@@ -111,13 +112,13 @@ ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
 # When complete, if the image is compromised, there's not much that can be done with it.
 FROM runner AS hardened
-# create readonly user and group with no shell access
+# create readonly user and group with no shell access. Readonly user marks folders that are created by NetAlertX, but should not be modified.
 RUN addgroup -g 20212 readonly && \
 adduser -u 20212 -G readonly -D -h /app readonly && \
 usermod -s /sbin/nologin readonly
-# remove netalertx from sudoers
+# reduce permissions to minimum necessary for all NetAlertX files and folders
 RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${SYSTEM_SERVICES} && \
 chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} && \
@@ -125,21 +126,16 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
 chmod -R 005 ${SYSTEM_SERVICES} ${SYSTEM_SERVICES}/* && \
 chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \
 chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \
- chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} && \
- chown readonly:readonly / && \
- chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run && \
- find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \
- -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o \
- -group 0 -o -user 0 -exec chown readonly:readonly {} +
+ chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} SYSTEM_SERVICES_PHP_RUN&& \
+ chown readonly:readonly /entrypoint.sh && \
+ install -d -o netalertx -g netalertx -m 700 /services/run && \
+ chmod 005 /entrypoint.sh
 #
 # remove sudo and alpine installers pacakges
 RUN apk del sudo libcap apk-tools && \
 rm -rf /var/cache/apk/*
-# remove all users and groups except readonly and netalertx without userdel/groupdel binaries
-# RUN awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/passwd | xargs -r -n 1 deluser -r && \
-# awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/group | xargs -r -n 1 delgroup
-# Remove all sudoers
+# remove all users and groups except readonly and netalertx & remove all sudoers
 RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
 /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
 /srv /media && \
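Review bot: `chmod 700 ... ${NETALERTX_PLUGINS_LOG} SYSTEM_SERVICES_PHP_RUN&& \` passes the literal word `SYSTEM_SERVICES_PHP_RUN` to chmod — the `${...}` and the space before `&&` are missing — so chmod exits non-zero on the nonexistent path and the whole `RUN` chain, and with it the hardened build, fails. The next line's `install -d -o netalertx -g netalertx -m 700 /services/run` already sets that directory to 700, so drop the stray token and use the variable instead of the hard-coded path: `chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} && \` followed by `install -d -o netalertx -g netalertx -m 700 ${SYSTEM_SERVICES_PHP_RUN} && \`. The rewritten comment `# remove all users and groups except readonly and netalertx & remove all sudoers` now promises something the `RUN rm -Rf` below does not do — the user/group removal it replaced was commented-out code — so trim it to what happens, e.g. `# remove sudoers, shadow files and unused system directories`. The `RUN chown -R readonly:readonly` chain begins before this hunk and the `RUN rm -Rf` continues past its end.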
@@ -170,7 +166,7 @@ FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
-COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini
+COPY .devcontainer/resources/devcontainer-overlay/ /
 # Install common tools, create user, and set up sudo
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 66079e0d..be3d648c 100755
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -4,9 +4,7 @@
 "build": {
 "dockerfile": "./Dockerfile",
 "context": "../",
- "target": "netalertx-devcontainer",
- "pull": true,
- "noCache": true
+ "target": "netalertx-devcontainer"
 },
 "workspaceFolder": "/workspaces/NetAlertX",
 "runArgs": [
@@ -38,7 +36,8 @@
 "ms-python.black-formatter",
 "jeff-hykin.better-dockerfile-syntax",
 "GitHub.codespaces",
- "ms-azuretools.vscode-containers"
+ "ms-azuretools.vscode-containers",
+ "ms-python.vscode-python-envs"
 ]
 ,
 "settings": {
diff --git a/.devcontainer/resources/devcontainer-Dockerfile b/.devcontainer/resources/devcontainer-Dockerfile
index cec4cd1f..e89e3292 100755
--- a/.devcontainer/resources/devcontainer-Dockerfile
+++ b/.devcontainer/resources/devcontainer-Dockerfile
@@ -8,7 +8,7 @@ FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
-COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini
+COPY .devcontainer/resources/devcontainer-overlay/ /
 # Install common tools, create user, and set up sudo
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov
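Review bot: `COPY .devcontainer/resources/devcontainer-overlay/ /` silently overwrites whole files the runner stage already installed from `install/production-filesystem/` — the overlay's `services/config/nginx/netalertx.conf` and `services/config/php/php-fpm.d/www.conf` appear to land on the production copies the diffstat lists at the same `services/config/...` paths — so the devcontainer now runs full forks of those configs that will drift from production (this very commit edits both sides). A comment on the COPY naming what the overlay is allowed to replace would make that explicit, e.g. `# devcontainer overlay: replaces the nginx vhost and php-fpm pool and adds xdebug; keep in sync with install/production-filesystem`. `99-xdebug.ini` previously went to `/etc/php83/conf.d/` and now lands in `php-fpm.d/`, while the explicit copy in setup.sh is removed in this commit; confirm that `php-fpm.conf`'s include pattern (or the PHP ini scan dir) actually loads a `.ini` from that directory, otherwise xdebug is no longer enabled. The identical COPY in `.devcontainer/resources/devcontainer-Dockerfile` (`@@ -8,7 +8,7 @@`) raises the same questions.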
diff --git a/.devcontainer/resources/netalertx-devcontainer.conf b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf
similarity index 84%
rename from .devcontainer/resources/netalertx-devcontainer.conf
rename to .devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf
index be8f1cca..bb14e270 100755
--- a/.devcontainer/resources/netalertx-devcontainer.conf
+++ b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf
@@ -1,8 +1,8 @@
 log_format netalertx '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
-access_log /var/log/nginx/access.log netalertx flush=1s;
-error_log /var/log/nginx/error.log warn;
+access_log /app/log/nginx-access.log netalertx buffer=100k flush=1s;
+error_log /app/log/nginx-error.log warn;
 server {
 listen 20211 default_server;
@@ -14,7 +14,7 @@ server {
 location ~* \.php$ {
 add_header Cache-Control "no-store";
- fastcgi_pass 127.0.0.1:9000;
+ fastcgi_pass 0.0.0.0:9000;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
diff --git a/.devcontainer/resources/99-xdebug.ini b/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/99-xdebug.ini
similarity index 100%
rename from .devcontainer/resources/99-xdebug.ini
rename to .devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/99-xdebug.ini
diff --git a/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf b/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf
new file mode 100644
index 00000000..8dd84845
--- /dev/null
+++ b/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf
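Review bot: `fastcgi_pass 0.0.0.0:9000;` uses the unspecified address as an upstream destination; in practice Linux treats a connect to 0.0.0.0 as loopback, but it is neither portable nor meaningful as a dial target and reads like a copy of the pool's `listen` value rather than the address nginx should connect to. Keep `fastcgi_pass 127.0.0.1:9000;` (what the file had) — if anything needs to bind widely it is the pool side, never the client side. In the first hunk the logs move to `/app/log/nginx-access.log` and `/app/log/nginx-error.log`; in the devcontainer `/app` is a symlink into the workspace checkout (`setup.sh` does `ln -s ${SOURCE_DIR}/ ${NETALERTX_APP}`), so request logs carrying client IPs and user agents now land inside the source tree — confirm `log/` is git-ignored before they get committed alongside the `nohup.out` this commit already adds.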
@@ -0,0 +1,495 @@ +; NetAlertX php-fpm www.conf +; +; Commented out user/group +; No further changes + +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of the child processes. This can be used only if the master +; process running user is root. It is set after the child process is created. +; The user and group can be specified either by their name or by their numeric +; IDs. +; Note: If the user is root, the executable needs to be started with +; --allow-to-run-as-root option to work. +; Default Values: The user is set to master process running user by default. +; If the group is not set, the user's group is used. +; user = nobody +; group = nobody + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 0.0.0.0:9000 + +; Set listen(2) backlog. +; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. 
The owner +; and group can be specified either by name or by their numeric IDs. +; Default Values: Owner is set to the master process running user. If the group +; is not set, the owner's group is used. Mode is set to 0660. +;listen.owner = nobody +;listen.group = nobody +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Set the associated the route table (FIB). FreeBSD only +; Default Value: -1 +;listen.setfib = 1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or +; PROC_TRACE_CTL procctl for FreeBSD) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. 
+; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; pm.max_spawn_rate - the maximum number of rate to spawn child +; processes at once. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 10 + +; The number of child processes created on startup. 
+; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = 2 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 + +; The number of rate to spawn child processes at once. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +; Default Value: 32 +;pm.max_spawn_rate = 32 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. 
+; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php83/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). 
The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/php83/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{milli}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' 
character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/php83/$pool.slow.log + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. 
+; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. 
+; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. 
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/php83/$pool.error.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh
index 5f1e923c..8a27acd3 100755
--- a/.devcontainer/scripts/setup.sh
+++ b/.devcontainer/scripts/setup.sh
@@ -32,7 +32,7 @@ export SOURCE_DIR="/workspaces/NetAlertX"
 main() {
 echo "=== NetAlertX Development Container Setup ==="
 killall php-fpm83 nginx crond python3 2>/dev/null
-
+ sleep 1
 echo "Setting up ${SOURCE_DIR}..."
 sudo chown $(id -u):$(id -g) /workspaces
 sudo chown 755 /workspaces
@@ -65,10 +65,11 @@ isRamDisk() {
 configure_source() {
 echo "[1/3] Configuring Source..."
 echo " -> Cleaning up previous instances"
- isRamDisk ${NETALERTX_LOG} && sudo umount "${NETALERTX_LOG}"
- isRamDisk ${NETALERTX_API} && sudo umount "${NETALERTX_API}"
- sleep 1
- sudo rm -Rf ${NETALERTX_APP}/
+
+ sudo umount "${NETALERTX_LOG}" 2>/dev/null || true
+ sudo umount "${NETALERTX_API}" 2>/dev/null || true
+ sudo rm -Rf ${NETALERTX_APP}/
+ ls -al /app
 echo " -> Linking source to ${NETALERTX_APP}"
 sudo ln -s ${SOURCE_DIR}/ ${NETALERTX_APP}
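Review bot: The header `; Commented out user/group` / `; No further changes` is inaccurate for this 495-line vendored pool file: `listen = 0.0.0.0:9000` and `pm.max_children = 10` both differ from the upstream template (`127.0.0.1:9000` and `5`), and those are precisely the lines a reviewer needs pointed at. Replace the second header line with something like `; Changed from upstream: listen (0.0.0.0:9000, all interfaces), pm.max_children (10)`. With `listen.allowed_clients` left commented out, the all-interfaces bind accepts FastCGI from any client that can reach the container's port 9000 rather than only the local nginx; if that exposure is intended for the devcontainer, state why in the same header, otherwise `listen = 127.0.0.1:9000` or an uncommented `listen.allowed_clients = 127.0.0.1` restores the previous boundary.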
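Review bot: `sudo rm -Rf ${NETALERTX_APP}/` runs unquoted and unguarded right after two umounts whose failures are deliberately swallowed: if `NETALERTX_APP` is unset or empty in the setup shell the command expands to `rm -Rf /` under sudo, relying on whatever root-protection the local `rm` happens to have, and a busy mount that failed to unmount has its contents deleted through the mount point instead of just the directory. Use the `:?` guard and quote it: `sudo rm -Rf -- "${NETALERTX_APP:?}/"`. `ls -al /app` on the next line looks like leftover debugging output and should be removed. The two `isRamDisk` calls deleted here were the only callers in view, so that helper may now be dead code — worth checking the rest of the file.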
@@ -100,9 +101,7 @@ configure_source() {
 # configure_php: configure PHP-FPM and enable dev debug options
 configure_php() {
 echo "[2/3] Configuring PHP-FPM..."
- sudo chown netalertx:netalertx /run/php/ 2>/dev/null || true
-
- sudo cp /workspaces/NetAlertX/.devcontainer/resources/99-xdebug.ini ${SYSTEM_SERVICES_PHP_FPM_D}/99-xdebug.ini
+ sudo chown netalertx:netalertx ${SYSTEM_SERVICES_PHP_RUN} 2>/dev/null || true
 }
@@ -114,7 +113,7 @@ start_services() {
 setsid nohup /services/start-crond.sh &>/dev/null &
 echo " -> Starting PHP-FPM"
- setsid nohup services/start-php-fpm.sh &>/dev/null &
+ setsid nohup /services/start-php-fpm.sh &>/dev/null &
 sudo killall nginx &>/dev/null || true
 # Wait for the previous nginx processes to exit and for the port to free up
@@ -128,7 +127,7 @@ start_services() {
 echo " -> Starting Nginx"
 setsid nohup /services/start-nginx.sh &>/dev/null &
 echo " -> Starting Backend ${APP_DIR}/server..."
- /services/start-backend.sh
+ /services/start-backend.sh &
 sleep 2
 }
diff --git a/.gitignore b/.gitignore
index 895d8ac8..d9697b65 100755
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,6 @@
 .gitconfig
 \.*CommandMarker
 deviceid
-.git-placeholder
 .DS_Store
 .cache
 config/*
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 51037982..bc9159e7 100755
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -2,7 +2,7 @@
 "version": "2.0.0",
 "tasks": [
 {
- "label": "[Any Linux] Generate Dockerfile",
+ "label": "[Any POSIX] Generate Dockerfile",
 "type": "shell",
 "command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/generate-dockerfile.sh",
 "presentation": {
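Review bot: `sudo chown netalertx:netalertx ${SYSTEM_SERVICES_PHP_RUN} 2>/dev/null || true` fails silently in exactly the case that matters: with the variable unset or empty, chown receives no path, the error is discarded, and whatever php-fpm later needs to write under that directory fails with no hint why. Quote and assert it instead: `sudo chown netalertx:netalertx "${SYSTEM_SERVICES_PHP_RUN:?SYSTEM_SERVICES_PHP_RUN is not set}"`. The header comment `# configure_php: configure PHP-FPM and enable dev debug options` is now stale, since the xdebug ini copy that implemented the "dev debug options" is removed here and that file is expected to arrive via the devcontainer overlay image layer; shorten it to `# configure_php: give netalertx ownership of the php-fpm run directory`.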
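Review bot: `/services/start-backend.sh &` is the only service here launched as a plain background job; its siblings above use `setsid nohup ... &>/dev/null &`, so they survive the setup shell's terminal going away while the backend stays in the shell's session and process group and dies with it (SIGHUP on a closed terminal, Ctrl-C in the task panel). Either launch it the same way — `setsid nohup /services/start-backend.sh &>/dev/null &` — or, if its output is wanted in the terminal, redirect it to a file under the log directory rather than leaving it attached to the tty. The diffstat also shows a `nohup.out` added at the repository root, which looks like a stray artifact of running these services by hand; it should be dropped from the commit and ignored. `start_services` begins before this hunk.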
@@ -24,6 +24,29 @@
 "color": "terminal.ansiYellow"
 }
 },
+ {
+ "label": "[Any] Docker system and build Prune",
+ "type": "shell",
+ "command": "docker system prune -af && docker builder prune -af",
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "panel": "shared",
+ "showReuseMessage": false
+ },
+ "problemMatcher": [],
+ "group": {
+ "kind": "build",
+ "isDefault": false
+ },
+ "options": {
+ "cwd": "${workspaceFolder:NetAlertX}"
+ },
+ "icon": {
+ "id": "trash",
+ "color": "terminal.ansiRed"
+ }
+ },
 {
 "label": "[Dev Container] Re-Run Startup Script",
 "type": "shell",
diff --git a/Dockerfile b/Dockerfile
index 04a6d30f..ae32b1d8 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,8 +13,7 @@ ENV PATH="/opt/venv/bin:$PATH"
 RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git
-RUN chown -R 20212:20212 /opt && \
- chmod -R u-rwx,g-rwx /opt
+RUN chmod -R u-rwx,g-rwx /opt
 # second stage is the main runtime stage with just the minimum required to run the application
 # The runner is used for both devcontainer, and as a base for the hardened stage.
@@ -59,6 +58,8 @@ ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
+ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
+ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV PYTHONPATH=${NETALERTX_SERVER} 
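Review bot: The new task's command `docker system prune -af && docker builder prune -af` removes every stopped container, unused network, unused (not just dangling) image and the entire build cache on whichever Docker daemon the shell talks to, not only NetAlertX artefacts; if the host socket is mounted into the devcontainer, that is the host's daemon. The label `[Any] Docker system and build Prune` does not convey that scope, so either rename it to something like `[Any] Docker: prune ALL unused images, containers and build cache (daemon-wide)` or drop `-a` so only dangling images are removed, and consider `"promptOnClose"`-style confirmation is not available for tasks, which makes the label the only warning the user gets.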
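Review bot: `ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run` and `SYSTEM_SERVICES_RUN_TMP` introduce a second name for the php-fpm/nginx run directory: the devcontainer setup.sh in this same change reads `SYSTEM_SERVICES_PHP_RUN`, while start-nginx.sh reads `SYSTEM_SERVICES_RUN` and `SYSTEM_SERVICES_RUN_TMP`. Unless the devcontainer image also exports the latter two (not visible here), start-nginx.sh will expand them to empty strings in that environment. Pick one name and export it in both images, and add a comment above these two lines stating that nginx.conf, netalertx.conf, php-fpm.conf and www.conf hard-code the same `/services/run` path and must be kept in step with it.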
@@ -77,14 +78,13 @@ RUN addgroup -g 20211 netalertx && \
 adduser -u 20211 -D -h ${NETALERTX_APP} -G netalertx netalertx
 # Install application, copy files, set permissions
-COPY --from=builder /opt/venv /opt/venv
+COPY --from=builder --chown=20212:20212 /opt/venv /opt/venv
 COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
 COPY --chown=netalertx:netalertx install/production-filesystem/ /
 COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK}
 COPY --chown=netalertx:netalertx --chmod=755 front ${NETALERTX_FRONT}
 COPY --chown=netalertx:netalertx --chmod=755 server ${NETALERTX_SERVER}
-RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \
- install -d -o netalertx -g netalertx -m 755 ${NETALERTX_LOG} && \
+RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} ${NETALERTX_LOG} ${SYSTEM_SERVICES_RUN_TMP} && \
 sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
 -exec chmod 750 {} \;"
@@ -116,7 +116,7 @@ RUN addgroup -g 20212 readonly && \
 usermod -s /sbin/nologin readonly
-# remove netalertx from sudoers
+# reduce permissions to minimum necessary for all NetAlertX files and folders
 RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${SYSTEM_SERVICES} && \
 chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} && \ 
@@ -124,9 +124,9 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
 chmod -R 005 ${SYSTEM_SERVICES} ${SYSTEM_SERVICES}/* && \
 chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \
 chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \
- chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} && \
- chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run && \
+ chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN_TMP} && \
 chown readonly:readonly /entrypoint.sh && \
+ install -d -o netalertx -g netalertx -m 700 ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} && \
 chmod 005 /entrypoint.sh
 #
diff --git a/install/production-filesystem/app/log/plugins/.git-placeholder b/install/production-filesystem/app/log/plugins/.git-placeholder
new file mode 100644
index 00000000..e69de29b
diff --git a/install/production-filesystem/build/init-php-fpm.sh b/install/production-filesystem/build/init-php-fpm.sh
index 3c1db8d0..99e94156 100644
--- a/install/production-filesystem/build/init-php-fpm.sh
+++ b/install/production-filesystem/build/init-php-fpm.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 echo "Initializing php-fpm..."
 # Set up PHP-FPM directories and socket configuration
-install -d -o netalertx -g netalertx /run/php/
+install -d -o netalertx -g netalertx /services/config/run
 echo "php-fpm initialized."
diff --git a/install/production-filesystem/services/config/nginx/netalertx.conf b/install/production-filesystem/services/config/nginx/netalertx.conf
index 0b427278..b5d28376 100644
--- a/install/production-filesystem/services/config/nginx/netalertx.conf
+++ b/install/production-filesystem/services/config/nginx/netalertx.conf 
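Review bot: The final ownership of `${SYSTEM_SERVICES_RUN}` and `${SYSTEM_SERVICES_RUN_TMP}` in this RUN depends on `install -d` re-applying -o/-m to directories that already exist: tmp is created 755/netalertx in the previous hunk, `chown -R readonly:readonly … ${SYSTEM_SERVICES}` and `chmod -R 005 ${SYSTEM_SERVICES} ${SYSTEM_SERVICES}/*` above then hand both directories to readonly, the extended `chmod 700 … ${SYSTEM_SERVICES_RUN_TMP}` makes tmp unreadable for netalertx, and only the appended `install -d -o netalertx -g netalertx -m 700 …` restores them. GNU install does reset an existing directory's attributes; whether the busybox install in this image does should be verified, and the question goes away if the directories are created once, after the readonly chown/chmod, with `${SYSTEM_SERVICES_RUN_TMP}` dropped from both the earlier install line and the chmod 700 line. The removed `chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run` also leaves nginx's compiled-in temp directories (on Alpine's build, client body, proxy and fastcgi buffers under /var/lib/nginx) unwritable for netalertx unless nginx.conf overrides the *_temp_path directives, which the nginx.conf hunks in this change do not show. A comment on the new install line, `# socket/pid directory: private to netalertx, unlike the rest of ${SYSTEM_SERVICES} (005)`, would record the deliberate exception.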
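Review bot: `install -d -o netalertx -g netalertx /services/config/run` in init-php-fpm.sh creates a directory under /services/config, but every path this same change points php-fpm and nginx at lives under /services/run (`pid = /services/run/php8.3-fpm.pid` in php-fpm.conf, `listen = /services/run/php.sock` in www.conf, `fastcgi_pass unix:/services/run/php.sock` in netalertx.conf, `pid /services/run/nginx.pid;` in nginx.conf), so this script prepares the wrong directory. It should create the one the Dockerfile exports, `install -d -o netalertx -g netalertx -m 700 "${SYSTEM_SERVICES_RUN:?}"`, rather than a third hand-typed spelling, and the `-m 700` keeps it consistent with the Dockerfile's mode. With five files now carrying the literal path, a one-line comment in each naming `SYSTEM_SERVICES_RUN` as the source of truth would make the next drift easier to catch.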
@@ -51,7 +51,7 @@ server {
 location ~* \.php$ {
 # Set Cache-Control header to prevent caching on the first load
 add_header Cache-Control "no-store";
- fastcgi_pass 127.0.0.1:9000;
+ fastcgi_pass unix:/services/run/php.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
diff --git a/install/production-filesystem/services/config/nginx/nginx.conf b/install/production-filesystem/services/config/nginx/nginx.conf
index 862b1b3a..7be14632 100644
--- a/install/production-filesystem/services/config/nginx/nginx.conf
+++ b/install/production-filesystem/services/config/nginx/nginx.conf
@@ -1,3 +1,4 @@
+pid /services/run/nginx.pid;
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;
@@ -6,7 +7,7 @@ worker_processes auto;
 pcre_jit on;
 # Configures default error logger.
-error_log /var/log/nginx/error.log warn;
+error_log /app/log/nginx-error.log warn;
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
@@ -89,7 +90,7 @@ http {
 '"$http_user_agent" "$http_x_forwarded_for"';
 # Sets the path, format, and configuration for a buffered log write.
- access_log /var/log/nginx/access.log main;
+ access_log /app/log/nginx-access.log main;
 # Includes virtual hosts configs.
diff --git a/install/production-filesystem/services/config/php/php-fpm.conf b/install/production-filesystem/services/config/php/php-fpm.conf
index 777304ad..08eb2956 100644
--- a/install/production-filesystem/services/config/php/php-fpm.conf
+++ b/install/production-filesystem/services/config/php/php-fpm.conf
@@ -7,6 +7,6 @@
 ;
 [global]
-pid = /run/php/php8.3-fpm.pid
+pid = /services/run/php8.3-fpm.pid
 error_log = /app/log/app.php_errors.log
 include=/services/config/php/php-fpm.d/*.conf 
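Review bot: `pid /services/run/nginx.pid;` added at the top of nginx.conf collides with the `-g "… pid ${RUN_DIR}/nginx.pid; …"` that start-nginx.sh now passes on the command line; nginx treats a main-context directive given both via -g and in the file as a duplicate and refuses to start with `"pid" directive is duplicate`. Keep it in one place — the file, since the sibling php-fpm path is hard-coded there too — and let -g carry only `daemon off;`. The `error_log /app/log/nginx-error.log warn;` change is valid on its own (error_log may be repeated), but start-nginx.sh's `-g error_log ${LOG_DIR}/nginx.error.log` names a different file in a different directory, so error output will be split between two logs; one of the two should go.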
diff --git a/install/production-filesystem/services/config/php/php-fpm.d/www.conf b/install/production-filesystem/services/config/php/php-fpm.d/www.conf
index 67a9369f..d3d0869d 100644
--- a/install/production-filesystem/services/config/php/php-fpm.d/www.conf
+++ b/install/production-filesystem/services/config/php/php-fpm.d/www.conf
@@ -43,7 +43,7 @@
 ; (IPv6 and IPv4-mapped) on a specific port;
 ; '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = 127.0.0.1:9000
+listen = /services/run/php.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
diff --git a/install/production-filesystem/services/start-backend.sh b/install/production-filesystem/services/start-backend.sh
index b2f6ac0c..4bc85c69 100755
--- a/install/production-filesystem/services/start-backend.sh
+++ b/install/production-filesystem/services/start-backend.sh
@@ -6,7 +6,7 @@ export PYTHONPATH="${NETALERTX_SERVER}:${NETALERTX_APP}"
 EXTRA_PARAMS=""
 if [ -f /services/config/python/backend-extra-launch-parameters ]; then
- EXTRA_PARAMS=$(cat /services/config/python-backend-extra-launch-parameters)
+ EXTRA_PARAMS=$(cat /services/config/python/backend-extra-launch-parameters)
 fi
 # Start the backend, teeing stdout and stderr to log files and the container's console
diff --git a/install/production-filesystem/services/start-nginx.sh b/install/production-filesystem/services/start-nginx.sh
index 65b335a2..ad7113c6 100755
--- a/install/production-filesystem/services/start-nginx.sh
+++ b/install/production-filesystem/services/start-nginx.sh 
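Review bot: With `listen = /services/run/php.sock` the pool now creates a unix socket whose permissions come from `listen.owner`, `listen.group` and `listen.mode`, none of which this hunk touches; php-fpm's documented default is mode 0660 with owner and group set to the running user, so nginx can only connect if it runs as that user or in that group. That appears to hold here (everything runs as netalertx), but it is an implicit dependency between two services, so set the three values explicitly next to `listen` and add `; nginx connects as the pool user; keep listen.mode at 0660 so no other local user can reach the socket`. This is also the fourth file hard-coding /services/run while the Dockerfile exports it as SYSTEM_SERVICES_RUN — worth a comment pointing at that variable.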
@@ -1,5 +1,14 @@
 #!/bin/bash
-echo "Starting nginx..."
+LOG_DIR=${NETALERTX_APP}
+RUN_DIR=${SYSTEM_SERVICES_RUN}
+TMP_DIR=${SYSTEM_SERVICES_RUN_TMP}
+NGINX_CONFIG_FILE=${NGINX_CONFIG_FILE}
+
+# Create directories if they don't exist
+mkdir -p "${LOG_DIR}" "${RUN_DIR}" "${TMP_DIR}"
+
+# Execute nginx with overrides
 exec nginx \
+ -p "${RUN_DIR}/" \
 -c "${NGINX_CONFIG_FILE}" \
- -g "daemon off;" >> "${LOG_APP_FRONT}" 2>&1
+ -g "error_log ${LOG_DIR}/nginx.error.log; pid ${RUN_DIR}/nginx.pid; daemon off;"
\ No newline at end of file
diff --git a/nohup.out b/nohup.out
new file mode 100644
index 00000000..1a11fbe0
--- /dev/null
+++ b/nohup.out
@@ -0,0 +1,3 @@
+nohup: can't execute 'services/start-php-fpm.sh': No such file or directory
+Starting php-fpm...
+Starting nginx...
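Review bot: `LOG_DIR=${NETALERTX_APP}` points the nginx error log at the application root rather than a log directory — in the devcontainer that root is a symlink into the source tree, and the nginx.conf in this same change writes its logs under /app/log — so presumably `${NETALERTX_LOG}` was intended. `NGINX_CONFIG_FILE=${NGINX_CONFIG_FILE}` is a no-op, none of the four variables is guarded and the script has no `set -e`, so an unset `SYSTEM_SERVICES_RUN` turns `mkdir -p ""` into an ignored error and `-p "/"` into nginx's prefix, whereas `${VAR:?}` expansions fail at the first line. The `pid …;` inside -g duplicates the `pid` directive nginx.conf now carries and nginx rejects a main-context directive given both ways, so it has to be dropped from one side. The old `>> "${LOG_APP_FRONT}" 2>&1` was removed without replacement, which under `setsid nohup … &>/dev/null` in setup.sh means nginx startup errors (including that duplicate-directive emerg) are lost; keep a redirect or let them reach the console deliberately. Separately, `nohup.out` committed in this same change is captured output from the old relative `services/start-php-fpm.sh` path and should be removed and added to .gitignore.
```bash
#!/bin/bash
set -eu
LOG_DIR=${NETALERTX_LOG:?}          # presumed intent: the log dir, not the app root — confirm
RUN_DIR=${SYSTEM_SERVICES_RUN:?}
TMP_DIR=${SYSTEM_SERVICES_RUN_TMP:?}
: "${NGINX_CONFIG_FILE:?}"

# … unchanged: mkdir -p for the three directories …

exec nginx \
  -p "${RUN_DIR}/" \
  -c "${NGINX_CONFIG_FILE}" \
  -g "error_log ${LOG_DIR}/nginx.error.log; daemon off;"
```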