
快速开始

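# Quick start: stage an nginx + ModSecurity (WAF) configuration under
# NGINX_PATH on the host, then start the container with it bind-mounted.
#
# Written to be pasted into an interactive shell, so it does not use `set -e`
# (that would close the session on the first failure). If you save it as a
# script, add `set -euo pipefail` at the top.
NGINX_PATH=/data/nginx-waf

# Create the directory layout that is bind-mounted into the container below.
mkdir -p "${NGINX_PATH}"
cd "${NGINX_PATH}" \
  && mkdir -p "${NGINX_PATH}/html" "${NGINX_PATH}/certs" "${NGINX_PATH}/conf.d" "${NGINX_PATH}/log/nginx"

# Download the configuration files and the stock nginx static pages.
# NOTE(review): these are fetched through the gh.kejilion.pro mirror with no
# checksum or signature check. Read nginx.conf and conf.d/default.conf before
# starting the container; they decide what the server exposes.
wget -O "${NGINX_PATH}/nginx.conf" https://gh.kejilion.pro/raw.githubusercontent.com/kejilion/nginx/main/nginx10.conf
wget -O "${NGINX_PATH}/conf.d/default.conf" https://gh.kejilion.pro/raw.githubusercontent.com/kejilion/nginx/main/default10.conf
wget -O "${NGINX_PATH}/html/index.html" https://gh.kejilion.pro/github.com/nginx/nginx/raw/refs/heads/master/docs/html/index.html
wget -O "${NGINX_PATH}/html/50x.html" https://gh.kejilion.pro/github.com/nginx/nginx/raw/refs/heads/master/docs/html/50x.html

# Enable the WAF: uncomment the ModSecurity module and its directives.
# sed errors are no longer discarded, so a missing nginx.conf is visible.
sed -i \
  -e 's|# load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;|load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;|' \
  -e 's|^\(\s*\)# modsecurity on;|\1modsecurity on;|' \
  -e 's|^\(\s*\)# modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;|\1modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;|' \
  "${NGINX_PATH}/nginx.conf"

# sed exits 0 even when nothing matched (for example if the upstream file
# changed), which would leave the WAF silently off. Check the result.
if ! grep -Eq '^[[:space:]]*modsecurity on;' "${NGINX_PATH}/nginx.conf"; then
  echo "warning: 'modsecurity on;' not found in ${NGINX_PATH}/nginx.conf; the WAF is not enabled" >&2
fi

# Enable Brotli: uncomment the modules and directives. The final expression
# also uncomments the 6 lines that follow the brotli_types line.
sed -i \
  -e 's|# load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;|load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;|' \
  -e 's|# load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;|load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;|' \
  -e 's|^\(\s*\)# brotli on;|\1brotli on;|' \
  -e 's|^\(\s*\)# brotli_static on;|\1brotli_static on;|' \
  -e 's|^\(\s*\)# brotli_comp_level \(.*\);|\1brotli_comp_level \2;|' \
  -e 's|^\(\s*\)# brotli_buffers \(.*\);|\1brotli_buffers \2;|' \
  -e 's|^\(\s*\)# brotli_min_length \(.*\);|\1brotli_min_length \2;|' \
  -e 's|^\(\s*\)# brotli_window \(.*\);|\1brotli_window \2;|' \
  -e 's|^\(\s*\)# brotli_types \(.*\);|\1brotli_types \2;|' \
  -e '/brotli_types/,+6 s/^\(\s*\)#\s*/\1/' \
  "${NGINX_PATH}/nginx.conf"

# Enable Zstd: same approach as Brotli.
sed -i \
  -e 's|# load_module /etc/nginx/modules/ngx_http_zstd_filter_module.so;|load_module /etc/nginx/modules/ngx_http_zstd_filter_module.so;|' \
  -e 's|# load_module /etc/nginx/modules/ngx_http_zstd_static_module.so;|load_module /etc/nginx/modules/ngx_http_zstd_static_module.so;|' \
  -e 's|^\(\s*\)# zstd on;|\1zstd on;|' \
  -e 's|^\(\s*\)# zstd_static on;|\1zstd_static on;|' \
  -e 's|^\(\s*\)# zstd_comp_level \(.*\);|\1zstd_comp_level \2;|' \
  -e 's|^\(\s*\)# zstd_buffers \(.*\);|\1zstd_buffers \2;|' \
  -e 's|^\(\s*\)# zstd_min_length \(.*\);|\1zstd_min_length \2;|' \
  -e 's|^\(\s*\)# zstd_types \(.*\);|\1zstd_types \2;|' \
  -e '/zstd_types/,+6 s/^\(\s*\)#\s*/\1/' \
  "${NGINX_PATH}/nginx.conf"

# Self-signed placeholder certificate for the default server.
# The original step downloaded cert.crt and cert.key from a public repository.
# A private key anyone can download gives TLS no confidentiality or
# authenticity, so the key pair is generated locally instead.
# The subject name is a constructed placeholder.
# NOTE(review): openssl may create the key file owner-readable only; if nginx
# in this image does not start as root, adjust ownership so it can read the
# key -- confirm against the image.
openssl req -x509 -newkey rsa:2048 -nodes \
  -days 3650 \
  -subj "/CN=default-server.invalid" \
  -keyout "${NGINX_PATH}/certs/default_server.key" \
  -out "${NGINX_PATH}/certs/default_server.crt"

# wget -O leaves an empty file behind when a download fails, so make sure
# every file the container depends on exists and is non-empty before starting.
missing=0
for f in nginx.conf conf.d/default.conf certs/default_server.crt certs/default_server.key; do
  if [ ! -s "${NGINX_PATH}/${f}" ]; then
    echo "error: ${NGINX_PATH}/${f} is missing or empty" >&2
    missing=1
  fi
done

# Start the nginx container.
# --network host shares the host's network stack, so there is no -p mapping.
# If you do not want ports 80 and 443 occupied, change the ports (presumably
# the listen directives in conf.d/default.conf -- confirm against that file).
# NOTE(review): the image is referenced without a tag or digest, so whatever
# is currently published gets pulled. After verifying a build, pin it as
# docker.cnb.cool/minihuber/nginx-docker-waf@sha256:<DIGEST_PLACEHOLDER>.
if [ "${missing}" -eq 0 ]; then
  docker run -d \
    --name nginx-waf \
    --restart always \
    --network host \
    -v "${NGINX_PATH}/nginx.conf:/etc/nginx/nginx.conf" \
    -v "${NGINX_PATH}/conf.d:/etc/nginx/conf.d" \
    -v "${NGINX_PATH}/certs:/etc/nginx/certs" \
    -v "${NGINX_PATH}/html:/var/www/html" \
    -v "${NGINX_PATH}/log/nginx:/var/log/nginx" \
    --tmpfs /var/cache/nginx:rw,noexec,nosuid,size=2048m \
    docker.cnb.cool/minihuber/nginx-docker-waf
fi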
