init

docker-entrypoint.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+# proxy-vm/docker-entrypoint.sh
+# Generates nginx config fragments from environment variables at container start.
+set -e
+
+CONF_DIR="/etc/nginx/conf.d"
+mkdir -p "${CONF_DIR}"
+
+# --- 1. Generate IP allowlist (geo block) ---
+ALLOWLIST_FILE="${CONF_DIR}/allowlist.conf"
+
+if [ -z "${ALLOWED_CIDR}" ]; then
+    # Dev mode: allow all IPs
+    cat > "${ALLOWLIST_FILE}" <<'GEO'
+geo $allowed_ip {
+    default 1;
+}
+GEO
+    echo "[entrypoint] ALLOWED_CIDR is empty — allowing all IPs (dev mode)"
+else
+    # Build geo block from comma-separated CIDRs
+    {
+        echo 'geo $allowed_ip {'
+        echo '    default 0;'
+        echo "${ALLOWED_CIDR}" | tr ',' '\n' | while read -r cidr; do
+            cidr=$(echo "${cidr}" | xargs)  # trim whitespace
+            [ -n "${cidr}" ] && echo "    ${cidr} 1;"
+        done
+        echo '}'
+    } > "${ALLOWLIST_FILE}"
+    echo "[entrypoint] IP allowlist configured: ${ALLOWED_CIDR}"
+fi
+
+# --- 2. Generate token auth (map block) ---
+AUTH_FILE="${CONF_DIR}/auth.conf"
+
+if [ -z "${PROXY_SECRET}" ]; then
+    echo "[entrypoint] WARNING: PROXY_SECRET is not set — all requests will be rejected!"
+    cat > "${AUTH_FILE}" <<'MAP'
+map $http_x_proxy_token $auth_ok {
+    default 0;
+}
+MAP
+else
+    cat > "${AUTH_FILE}" <<MAP
+map \$http_x_proxy_token \$auth_ok {
+    default          0;
+    "${PROXY_SECRET}" 1;
+}
+MAP
+    echo "[entrypoint] Token auth configured"
+fi
+
+# --- 3. Start nginx ---
+echo "[entrypoint] Starting nginx..."
+exec nginx -g 'daemon off;'