From 4e8bac8dda0670066c3b8cd880bfb388cb550a25 Mon Sep 17 00:00:00 2001
From: Peca
Date: Wed, 23 Jul 2025 23:34:07 +0200
Subject: [PATCH] v-update-firewall-rules: improve nginx configuration handling for deleting rules, as well as for suspended and unsuspended rules
---
 bin/v-delete-firewall-rule | 2 +-
 bin/v-suspend-firewall-rule | 9 +++++++++
 bin/v-unsuspend-firewall-rule | 13 +++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/bin/v-delete-firewall-rule b/bin/v-delete-firewall-rule
index 61f7602d..10fd0fb9 100755
--- a/bin/v-delete-firewall-rule
+++ b/bin/v-delete-firewall-rule
@@ -45,7 +45,7 @@ $BIN/v-update-firewall
 if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
 parse_object_kv_list_non_eval "$oldvalues"
 if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
- sed -i "/$IP/d" /etc/nginx/conf.d/block-firewall.conf
+ sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf
 systemctl restart nginx
 fi
 fi
diff --git a/bin/v-suspend-firewall-rule b/bin/v-suspend-firewall-rule
index 67f14cec..9191fed0 100755
--- a/bin/v-suspend-firewall-rule
+++ b/bin/v-suspend-firewall-rule
@@ -32,12 +32,21 @@ is_object_unsuspended '../../data/firewall/rules' 'RULE' "$rule"
 # Action #
 #----------------------------------------------------------#
+oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf)
+
 # Suspending rule
 update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' yes
 # Updating system firewall
 $BIN/v-update-firewall
+if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
+ parse_object_kv_list_non_eval "$oldvalues"
+ if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
+ sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf
+ systemctl restart nginx
+ fi
+fi
 #----------------------------------------------------------#
 # Vesta #
diff --git a/bin/v-unsuspend-firewall-rule b/bin/v-unsuspend-firewall-rule
index be6320d4..f0e00c96 100755
--- a/bin/v-unsuspend-firewall-rule
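Review bot: The `sed -i "\#$IP#d"` on the `+` line still hands `$IP` to sed as an unanchored regular expression, so each dot matches any character and the match is a substring: deleting the rule for `10.0.0.1` also strips `deny 10.0.0.10;` and `deny 110.0.0.1;` from block-firewall.conf, and the delimiter change only repairs CIDR values that contain `/`. Escape the value and anchor on the exact line the unsuspend script in this patch appends: `escaped_ip=$(printf '%s' "$IP" | sed 's/[][\.*^$]/\\&/g')` followed by `sed -i "\#^deny ${escaped_ip};\$#d" /etc/nginx/conf.d/block-firewall.conf`. The identical line is added in the v-suspend-firewall-rule hunk below and needs the same fix. The `oldvalues` that feeds `parse_object_kv_list_non_eval` here is assigned outside the hunk.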
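Review bot: The added nginx block runs `sed -i` and `systemctl restart nginx` unconditionally, whereas the v-unsuspend-firewall-rule hunk in this same commit only touches nginx when the deny line actually changes; on a host where block-firewall.conf has never been created, `sed -i` prints an error to stderr and nginx is restarted for nothing. Guard the two lines the same way the unsuspend side does: `if grep -q "deny $IP;" /etc/nginx/conf.d/block-firewall.conf 2>/dev/null; then` around the sed and restart, closed with `fi`. The block is also a verbatim copy of the one in v-delete-firewall-rule; a shared function that takes the rule's parsed values would keep the delete and suspend paths from drifting apart. `$rule` is interpolated into the grep pattern on the first `+` line; presumably it is validated earlier in the script, outside this hunk, and that assumption should be confirmed.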
+++ b/bin/v-unsuspend-firewall-rule
@@ -32,12 +32,25 @@ is_object_suspended '../../data/firewall/rules' 'RULE' "$rule"
 # Action #
 #----------------------------------------------------------#
+oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf)
+
 # Suspending rule
 update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' no
 # Updating system firewall
 $BIN/v-update-firewall
+if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
+ parse_object_kv_list_non_eval "$oldvalues"
+ if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then
+ touch /etc/nginx/conf.d/block-firewall.conf
+ if ! grep -q "deny $IP;" /etc/nginx/conf.d/block-firewall.conf; then
+ echo "deny $IP;" >> /etc/nginx/conf.d/block-firewall.conf
+ systemctl restart nginx
+ fi
+ fi
+fi
+
 #----------------------------------------------------------#
 # Vesta #
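Review bot: `grep -q "deny $IP;"` on the `+` line treats `$IP` as a regular expression and matches as a substring, while the `echo` on the next line writes a fixed whole line; use `grep -qxF "deny $IP;"` so the presence check is an exact fixed-string line match that mirrors what is written. `systemctl restart nginx` follows the append with no configuration test, so if nginx rejects the new `deny` line the restart takes every site on the server down instead of just failing this rule; test first, e.g. `nginx -t >/dev/null 2>&1 && systemctl reload nginx`, and surface a failure through the script's normal error path. The `$IP` value is written into the nginx config verbatim as read back from rules.conf; its validation presumably happened at rule-creation time, outside this diff, so the exact-match grep is the only check on this path and that assumption is worth confirming.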