From b5d63799c00d80d3b4fe4db067c181b6b6f5b68c Mon Sep 17 00:00:00 2001 From: Samuel Huang Date: Fri, 4 Oct 2024 21:07:51 +1000 Subject: [PATCH] Squashed commit of the following: commit 8c90a783b6e35530bc5db2fe5a62528f037f8ae6 Author: Samuel Huang Date: Fri Oct 4 20:37:19 2024 +1000 Trivy compliant commit 05857d2008fa3cb7cb95fd1be8b451f40e69dbf8 Author: Samuel Huang Date: Thu Oct 3 21:44:08 2024 +1000 Add workflow_dispatch to Codacy commit 4d3a971d17d3fda23639ac98fecb580bd8063cea Author: Samuel Huang Date: Thu Oct 3 21:36:40 2024 +1000 Trivy compliant commit a9c25bbf1fc36c86ce765b5987c61265baea73c8 Author: Samuel Huang Date: Thu Oct 3 20:56:44 2024 +1000 Update trivy scanner commit 368a9c36e09fe30b5175f4fc1400e664285a07f9 Author: Samuel Huang Date: Tue Oct 1 08:20:43 2024 +1000 Codacy compliant --- .github/workflows/codacy.yml | 1 + .github/workflows/trivy-scan.yml | 12 ++++---- Dockerfile | 50 ++++++++++++++++---------------- run.sh | 6 ++-- server-lgp.sh | 2 +- server-lgr.sh | 2 +- server-lgt.sh | 2 +- server-lsp.sh | 2 +- server-lst.sh | 2 +- server-ltr.sh | 2 +- server-ltt.sh | 2 +- server-lwp.sh | 2 +- server-lwt.sh | 2 +- server-mtt.sh | 2 +- server-mwp.sh | 2 +- server-mwt.sh | 2 +- server-nginx.sh | 26 ++++++++--------- server-ttt.sh | 2 +- server-twp.sh | 2 +- server-twt.sh | 2 +- 20 files changed, 63 insertions(+), 62 deletions(-) diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index ccadf97..b52c59a 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml @@ -14,6 +14,7 @@ name: Codacy Security Scan on: + workflow_dispatch: push: branches: [ "master", "dev" ] pull_request: diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 8f72322..c1aa9ec 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -1,6 +1,7 @@ name: Trivy-scanning on: + workflow_dispatch: push: branches: - master 
@@ -12,21 +13,20 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: ref: ${{ github.ref }} - - name: Run Trivy fs vulnerability scanner - uses: anandg112/trivy-action@feat/add-skip-dirs-option + name: Run Trivy fs vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.20.0 with: scan-type: 'fs' ignore-unfixed: true - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' output: 'trivy-results.sarif' #severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/Dockerfile b/Dockerfile index 1562dfc..80cf89b 100644 --- a/Dockerfile +++ b/Dockerfile 
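Review bot: As rendered here, the added `name: Run Trivy fs vulnerability scanner in fs mode` line carries no leading `- `, unlike the removed `- name: Run Trivy fs vulnerability scanner` it replaces and the `- name: Checkout` and `- name: Upload Trivy scan results to GitHub Security tab` items around it; if the committed file really lacks it, this step is not a new sequence item and its `name`/`uses`/`with` keys duplicate the checkout step's, which a YAML loader either rejects or resolves last-wins, silently dropping the checkout. Worth confirming the file reads `- name: Run Trivy fs vulnerability scanner in fs mode` (the collapsed rendering may simply have lost the dash). Separately, `actions/checkout@v4`, `aquasecurity/trivy-action@0.20.0` and `github/codeql-action/upload-sarif@v3` are all pinned by mutable tags; for a workflow whose output lands in the Security tab, pinning each to its full commit SHA with the tag kept as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.20.0`, is the usual hardening.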
@@ -9,21 +9,22 @@ RUN git clone https://github.com/XTLS/Xray-core.git . && \
 git checkout ${XRAYVER} && \
 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
-RUN cd /tmp; curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
-RUN cd /tmp; curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
+RUN curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+RUN curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
 FROM nginx:stable-alpine3.20
 ARG ACMEVER='2.9.0'
-COPY --from=builder /go/src/XTLS/Xray-core/xray /usr/local/bin/
-COPY --from=builder /tmp/geosite.dat /usr/local/bin/
-COPY --from=builder /tmp/geoip.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/xray /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geoip.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geosite.dat /usr/local/bin/
+WORKDIR /root
 RUN apk add --no-cache bash openssl curl socat jq moreutils libcap-setcap
-RUN cd /root; curl -sSL "https://github.com/acmesh-official/acme.sh/archive/refs/tags/${ACMEVER}.tar.gz"|tar zxvf -
-RUN cd /root; ln -s acme.sh-${ACMEVER} acme.sh; mkdir .acme.sh
+RUN curl -sSL "https://github.com/acmesh-official/acme.sh/archive/refs/tags/${ACMEVER}.tar.gz"|tar zxvf -
+RUN ln -s acme.sh-${ACMEVER} acme.sh; mkdir .acme.sh
 RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/nginx
 COPY nginx-site.tpl /etc/nginx/conf.d/
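Review bot: The new `RUN curl -sSLO .../releases/latest/download/geoip.dat` and `geosite.dat` lines pull whatever release is current at build time with no integrity check, so the routing data baked into the image is neither reproducible nor verified, and because `-f` is absent a non-2xx response body is written under the data file name and then shipped by the `COPY --from=builder .../geoip.dat` lines below. A pinned release URL plus a digest recorded in the repo closes both gaps, e.g. `RUN curl -fsSLO <pinned-release-url>/geoip.dat && echo "<expected-sha256>  geoip.dat" | sha256sum -c -`. The acme.sh fetch on the `RUN curl -sSL ".../${ACMEVER}.tar.gz"|tar zxvf -` line is pinned by tag but likewise unchecksummed and lacks `-f`, so a failed download surfaces only as a tar error. The new `COPY --from=builder /go/src/XTLS/Xray-core/geoip.dat` path presumes the builder stage's working directory is that clone directory; that WORKDIR is outside this hunk, so it is worth a quick check.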
@@ -31,33 +32,32 @@ COPY nginx-stream.tpl /etc/nginx/conf.d/
 COPY nginx-proxy.tpl /etc/nginx/conf.d/
 COPY nginx-grpc.tpl /etc/nginx/conf.d/
 COPY nginx-ws.tpl /etc/nginx/conf.d/
- COPY proxy-log-fmt.tpl /etc/nginx/conf.d/000-proxy-log-fmt.conf
-ADD server-lgp.sh /server-lgp.sh
-ADD server-lgr.sh /server-lgr.sh
-ADD server-lgt.sh /server-lgt.sh
+COPY server-lgp.sh /server-lgp.sh
+COPY server-lgr.sh /server-lgr.sh
+COPY server-lgt.sh /server-lgt.sh
-ADD server-lsp.sh /server-lsp.sh
-ADD server-lst.sh /server-lst.sh
+COPY server-lsp.sh /server-lsp.sh
+COPY server-lst.sh /server-lst.sh
-ADD server-ltr.sh /server-ltr.sh
-ADD server-ltt.sh /server-ltt.sh
+COPY server-ltr.sh /server-ltr.sh
+COPY server-ltt.sh /server-ltt.sh
-ADD server-lwp.sh /server-lwp.sh
-ADD server-lwt.sh /server-lwt.sh
+COPY server-lwp.sh /server-lwp.sh
+COPY server-lwt.sh /server-lwt.sh
-ADD server-mtt.sh /server-mtt.sh
-ADD server-mwp.sh /server-mwp.sh
-ADD server-mwt.sh /server-mwt.sh
+COPY server-mtt.sh /server-mtt.sh
+COPY server-mwp.sh /server-mwp.sh
+COPY server-mwt.sh /server-mwt.sh
-ADD server-twp.sh /server-twp.sh
-ADD server-ttt.sh /server-ttt.sh
-ADD server-twt.sh /server-twt.sh
+COPY server-twp.sh /server-twp.sh
+COPY server-ttt.sh /server-ttt.sh
+COPY server-twt.sh /server-twt.sh
-ADD server-nginx.sh /server-nginx.sh
+COPY server-nginx.sh /server-nginx.sh
-ADD run.sh /run.sh
+COPY run.sh /run.sh
 RUN chmod 755 /*.sh
diff --git a/run.sh b/run.sh
index 6a2ab71..1211044 100755
--- a/run.sh
+++ b/run.sh
@@ -78,13 +78,13 @@ while true ; do
 ;;
 --lgp|--lgr|--lgt|--lsp|--lst|--ltr|--ltt|--lwp|--lwt|--mtt|--mwp|--mwt|--ttt|--twp|--twt)
 # Alias options
- SVC=$(echo $1|tr -d '\-\-')
+ SVC=$(echo "$1"|tr -d "\-\-")
 SVCMD+=("${DIR}/server-${SVC}.sh $2")
 shift 2
 ;;
 --ltrx|--lttx)
 # Alias options
- SVC=$(echo $1|tr -d '\-\-'|tr -d x)
+ SVC=$(echo "$1"|tr -d "\-\-"|tr -d "x")
 SVCMD+=("${DIR}/server-${SVC}.sh $2,xtls")
 shift 2
 ;;
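Review bot: `SVC=$(echo "$1"|tr -d "\-\-")` still strips every `-` from the word rather than the `--` prefix, and forks a subshell plus `tr` for what parameter expansion does in place; quoting the tr argument changes nothing, since `\-` survives double quotes unchanged. `SVC=${1#--}` yields the same names for every option in this `case` pattern, and for the `--ltrx|--lttx` arm `SVC=${1#--}; SVC=${SVC%x}` replaces the second `tr -d "x"`. The `$2` appended into `SVCMD+=(...)` is stored unvalidated; how those strings are later executed is outside this hunk, so whether that needs a check depends on the consumer.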
@@ -156,7 +156,7 @@ if [ "${#CERTDOMAIN[@]}" -gt 0 ]; then
 do
 echo "Requesting TLS cert for ${DOMAIN} ..."
 echo "/root/acme.sh/acme.sh --cert-home ${CERTHOME} --issue --standalone -d ${DOMAIN} --debug"
- /root/acme.sh/acme.sh --cert-home "${CERTHOME}" --issue --standalone -d ${DOMAIN} --debug
+ /root/acme.sh/acme.sh --cert-home "${CERTHOME}" --issue --standalone -d "${DOMAIN}" --debug
 ((TRY++))
 if [ "${TRY}" -ge 3 ]; then
 echo "Requesting TLS cert for ${DOMAIN} failed. Check log please."
diff --git a/server-lgp.sh b/server-lgp.sh
index c96b246..77af127 100755
--- a/server-lgp.sh
+++ b/server-lgp.sh
@@ -89,7 +89,7 @@ inbound=$(echo $inbound| jq -c '.streamSettings += {"security":"none"}')
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lgr.sh b/server-lgr.sh
index f3503cb..13be555 100755
--- a/server-lgr.sh
+++ b/server-lgr.sh
@@ -126,7 +126,7 @@ inbound=$(echo $inbound| jq -c --argjson JshortIds "${JshortIds}" '.streamSettin
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lgt.sh b/server-lgt.sh
index a2dd55c..fffbcdb 100755
--- a/server-lgt.sh
+++ b/server-lgt.sh
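Review bot: `IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")` no longer splits the fallback spec: double quotes suppress word splitting, so `fopt` is a one-element array holding the whole `host:port:path` string, `fport="${fopt[1]}"` on the next line is always empty, and the `-z "${fport}"` check then rejects every fallback with "Incorrect fallback format" and exits 1. The unquoted original was relying on IFS word splitting on purpose; the shellcheck-clean equivalent is `IFS=':' read -r -a fopt <<< "${fb}"`, after which the `unset IFS` line is harmless but no longer needed because the assignment is scoped to `read`. One behavioural difference to be aware of: the old second assignment appears to have dropped empty fields, so `host::path` was parsed as host/path, whereas `read -a` keeps the empty field and the format check reports it — arguably the right outcome. The identical change, with the same effect, appears in server-lgr.sh, server-lgt.sh, server-lsp.sh, server-lst.sh, server-ltr.sh, server-ltt.sh, server-lwp.sh, server-lwt.sh, server-mtt.sh, server-mwp.sh, server-mwt.sh, server-ttt.sh, server-twp.sh and server-twt.sh.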
@@ -107,7 +107,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lsp.sh b/server-lsp.sh
index ccb3dee..03e9271 100755
--- a/server-lsp.sh
+++ b/server-lsp.sh
@@ -89,7 +89,7 @@ inbound=$(echo $inbound| jq -c '.streamSettings += {"security":"none"}')
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lst.sh b/server-lst.sh
index 7434a54..a6eff34 100755
--- a/server-lst.sh
+++ b/server-lst.sh
@@ -107,7 +107,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-ltr.sh b/server-ltr.sh
index 9a007fa..33fb250 100755
--- a/server-ltr.sh
+++ b/server-ltr.sh
@@ -118,7 +118,7 @@ inbound=$(echo $inbound| jq -c --argjson JshortIds "${JshortIds}" '.streamSettin
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-ltt.sh b/server-ltt.sh
index 0d20fcb..d8b7a73 100755
--- a/server-ltt.sh
+++ b/server-ltt.sh
@@ -99,7 +99,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lwp.sh b/server-lwp.sh
index 93920af..1e921c7 100755
--- a/server-lwp.sh
+++ b/server-lwp.sh
@@ -89,7 +89,7 @@ inbound=$(echo $inbound| jq -c '.streamSettings += {"security":"none"}')
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-lwt.sh b/server-lwt.sh
index a5e001a..f8d8296 100755
--- a/server-lwt.sh
+++ b/server-lwt.sh
@@ -107,7 +107,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-mtt.sh b/server-mtt.sh
index 190096b..1522b28 100755
--- a/server-mtt.sh
+++ b/server-mtt.sh
@@ -99,7 +99,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-mwp.sh b/server-mwp.sh
index 45e4db2..b093605 100755
--- a/server-mwp.sh
+++ b/server-mwp.sh
@@ -89,7 +89,7 @@ inbound=$(echo $inbound| jq -c '.streamSettings += {"security":"none"}')
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then
diff --git a/server-mwt.sh b/server-mwt.sh
index 107672e..3c6a930 100755
--- a/server-mwt.sh
+++ b/server-mwt.sh
@@ -107,7 +107,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then
diff --git a/server-nginx.sh b/server-nginx.sh
index fcebb51..51ed325 100755
--- a/server-nginx.sh
+++ b/server-nginx.sh
@@ -114,18 +114,18 @@ if [ -n "${STSVR}" ]; then
 done
 # Adding map.conf down to #XMAP_TAG tag
- sed -i '/#XMAP_TAG/r /tmp/stmap.conf' $NGCONF
+ sed -i '/#XMAP_TAG/r /tmp/stmap.conf' "$NGCONF"
 # Adding ups.conf down to #XUPSTREAM_TAG tag
- sed -i '/#XUPSTREAM_TAG/r /tmp/stups.conf' $NGCONF
- sed -i "s/STPORT/${STPORT}/g" $NGCONF
+ sed -i '/#XUPSTREAM_TAG/r /tmp/stups.conf' "$NGCONF"
+ sed -i "s/STPORT/${STPORT}/g" "$NGCONF"
 # Adding "proxy_protocol=on" down to #STPROXY_PASS_TAG tag
 if [ -n "${STPROXY_PASS}" ]; then
 echo " proxy_protocol on;" >/tmp/stproxy.conf
- sed -i '/#STPROXY_PASS_TAG/r /tmp/stproxy.conf' $NGCONF
+ sed -i '/#STPROXY_PASS_TAG/r /tmp/stproxy.conf' "$NGCONF"
 fi
 rm -rf /tmp/stmap.conf; rm -rf /tmp/stups.conf; rm -rf /tmp/stproxy.conf
 echo "Generated $NGCONF ====>"
- cat $NGCONF
+ cat "$NGCONF"
 fi
 # Generating Nginx site server configurations.
@@ -194,7 +194,7 @@ do
 sed -i 's/proxy_add_x_forwarded_for/proxy_protocol_addr/g' "${site_domain}.conf"
 fi
 echo "Generated /etc/nginx/conf.d/${site_domain}.conf ====>"
- cat /etc/nginx/conf.d/${site_domain}.conf
+ cat "/etc/nginx/conf.d/${site_domain}.conf"
 done
 done
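Review bot: `sed -i "s/STPORT/${STPORT}/g" "$NGCONF"` quotes the file name but still splices `${STPORT}` into the sed script itself, so a value containing `/`, `&` or `\` breaks or rewrites the substitution and, since it is script rather than data, also decides what sed executes. As STPORT is meant to be a port number, a format check ahead of the sed calls is the simplest guard, e.g. `case "${STPORT}" in ''|*[!0-9]*) >&2 echo "Invalid stream port: ${STPORT}"; exit 1;; esac`. The `s/HOST/${xhost}/g` and `s/PORT/${xport}/g` lines in the `@@ -239,19 +239,19 @@` hunk have the same shape and would benefit from the same treatment for `xport`, with `xhost` escaped the way `ESC_LOCATION` is. Where STPORT comes from is outside this hunk, so it may already be validated upstream.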
@@ -239,19 +239,19 @@ do
 # Add tpl file content down to #LOCATION tag
 case "${xnetwork}" in
 ws|websocket)
- sed -i '/#XLOCATION_TAG/r nginx-ws.tpl' ${xdomain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-ws.tpl' "${xdomain}.conf"
 ;;
 grpc)
- sed -i '/#XLOCATION_TAG/r nginx-grpc.tpl' ${xdomain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-grpc.tpl' "${xdomain}.conf"
 ;;
 splt|proxy)
- sed -i '/#XLOCATION_TAG/r nginx-proxy.tpl' ${xdomain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-proxy.tpl' "${xdomain}.conf"
 ;;
 esac
 ESC_LOCATION=$(printf '%s\n' "${xlocation}" | sed -e 's/[]\/$*.^[]/\\&/g')
- sed -i "s/HOST/${xhost}/g" ${xdomain}.conf
- sed -i "s/PORT/${xport}/g" ${xdomain}.conf
- sed -i "s/WEBPATH/${ESC_LOCATION}/g" ${xdomain}.conf
+ sed -i "s/HOST/${xhost}/g" "${xdomain}.conf"
+ sed -i "s/PORT/${xport}/g" "${xdomain}.conf"
+ sed -i "s/WEBPATH/${ESC_LOCATION}/g" "${xdomain}.conf"
 # Applying proxy log format instead of main format when --ng-server proxy_pass was set
 if [ -n "${NGPROTOCOL}" ]; then
 sed -i '/access_log/s/main/proxy/' "${xdomain}.conf"
@@ -259,7 +259,7 @@ do
 sed -i 's/proxy_add_x_forwarded_for/proxy_protocol_addr/g' "${xdomain}.conf"
 fi
 echo "Generated /etc/nginx/conf.d/${xdomain}.conf ====>"
- cat /etc/nginx/conf.d/${xdomain}.conf
+ cat "/etc/nginx/conf.d/${xdomain}.conf"
 done
 done
 exit 0
diff --git a/server-ttt.sh b/server-ttt.sh
index df04c1f..58d3451 100755
--- a/server-ttt.sh
+++ b/server-ttt.sh
@@ -99,7 +99,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then >&2 echo -e "Incorrect fallback format: $fb\n"; usage; exit 1; fi
diff --git a/server-twp.sh b/server-twp.sh
index 2f47265..b0dcb96 100755
--- a/server-twp.sh
+++ b/server-twp.sh
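Review bot: `sed -i "s/WEBPATH/${ESC_LOCATION}/g" "${xdomain}.conf"` depends on the escape on the `ESC_LOCATION=` line above, whose bracket expression `[]\/$*.^[]` does not include `&`; in a sed replacement `&` stands for the matched text, so a location containing `&` would have `WEBPATH` written back in its place instead of the literal character. Adding it, `sed -e 's/[]\/$*.^[&]/\\&/g'`, closes that gap; the remaining characters in the class only matter on the pattern side and are harmless in a replacement. The `sed -i ... "${xdomain}.conf"` calls use a relative file name while the `cat "/etc/nginx/conf.d/${xdomain}.conf"` line in the next hunk is absolute, which presumably relies on an earlier `cd` that is outside this hunk — worth a comment on the loop if so.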
@@ -89,7 +89,7 @@ inbound=$(echo $inbound| jq -c '.streamSettings += {"security":"none"}')
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then
diff --git a/server-twt.sh b/server-twt.sh
index adda0cf..1140014 100755
--- a/server-twt.sh
+++ b/server-twt.sh
@@ -107,7 +107,7 @@ inbound=$(echo $inbound| jq -c --arg fullchain "${fullchain}" --arg prvkey "${pr
 # Fallback settings
 for fb in "${fallback[@]}"
 do
- IFS=':'; fopt=(${fb}); fopt=(${fopt[@]})
+ IFS=':'; fopt=("${fb}"); fopt=("${fopt[@]}")
 fhost="${fopt[0]}"; fport="${fopt[1]}"; fpath="${fopt[2]}"
 unset IFS
 if [ -z "${fport}" ]; then