v-update-firewall-rules: improve nginx configuration handling for deleting rules, as well as for suspended and unsuspended rules

2025-08-21 05:44:08 -07:00 · 2025-07-23 23:34:07 +02:00 · 2025-07-23 23:34:07 +02:00 · 4e8bac8dda
commit 4e8bac8dda
parent 30581ea672
3 changed files with 23 additions and 1 deletions
--- a/bin/v-delete-firewall-rule
+++ b/bin/v-delete-firewall-rule
@ -45,7 +45,7 @@ $BIN/v-update-firewall
 if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
    parse_object_kv_list_non_eval "$oldvalues"
    if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
-        sed -i "/$IP/d" /etc/nginx/conf.d/block-firewall.conf
+        sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf
        systemctl restart nginx
    fi
 fi
--- a/bin/v-suspend-firewall-rule
+++ b/bin/v-suspend-firewall-rule
@ -32,12 +32,21 @@ is_object_unsuspended '../../data/firewall/rules' 'RULE' "$rule"
 #                       Action                             #
 #----------------------------------------------------------#

+oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf)
+
 # Suspending rule
 update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' yes

 # Updating system firewall
 $BIN/v-update-firewall

+if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
+    parse_object_kv_list_non_eval "$oldvalues"
+    if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
+        sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf
+        systemctl restart nginx
+    fi
+fi

 #----------------------------------------------------------#
 #                       Vesta                              #
--- a/bin/v-unsuspend-firewall-rule
+++ b/bin/v-unsuspend-firewall-rule
@ -32,12 +32,25 @@ is_object_suspended '../../data/firewall/rules' 'RULE' "$rule"
 #                       Action                             #
 #----------------------------------------------------------#

+oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf)
+
 # Suspending rule
 update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' no

 # Updating system firewall
 $BIN/v-update-firewall

+if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
+    parse_object_kv_list_non_eval "$oldvalues"
+    if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
+        touch /etc/nginx/conf.d/block-firewall.conf
+        if ! grep -q "deny $IP;" /etc/nginx/conf.d/block-firewall.conf; then
+            echo "deny $IP;" >> /etc/nginx/conf.d/block-firewall.conf
+            systemctl restart nginx
+        fi
+    fi
+fi
+

 #----------------------------------------------------------#
 #                       Vesta                              #