Add a pre-commit-config file and passed all checks
parent
f3fc69110e
commit
1f90d3668c
|
@ -3,4 +3,4 @@
|
|||
.vscode/
|
||||
__pycache__
|
||||
env
|
||||
node_modules
|
||||
node_modules
|
||||
|
|
|
@ -23,7 +23,7 @@ jobs:
|
|||
cd src/bw/misc/
|
||||
CURL_RETURN_CODE=0
|
||||
CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o asn.mmdb.gz https://download.db-ip.com/free/dbip-asn-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
echo "Curl connection failed when downloading asn-lite mmdb file with return code - ${CURL_RETURN_CODE}"
|
||||
exit 1
|
||||
else
|
||||
|
@ -37,7 +37,7 @@ jobs:
|
|||
fi
|
||||
CURL_RETURN_CODE=0
|
||||
CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o country.mmdb.gz https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
echo "Curl connection failed when downloading country-lite mmdb file with return code - ${CURL_RETURN_CODE}"
|
||||
exit 1
|
||||
else
|
||||
|
|
|
@ -56,7 +56,7 @@ jobs:
|
|||
body: |
|
||||
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
|
||||
|
||||
Docker tags :
|
||||
Docker tags :
|
||||
- BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
|
||||
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
|
||||
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
|
||||
|
@ -64,7 +64,7 @@ jobs:
|
|||
|
||||
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
|
||||
|
||||
Changelog :
|
||||
Changelog :
|
||||
${{ steps.getchangelog.outputs.content }}
|
||||
draft: true
|
||||
prerelease: ${{ inputs.PRERELEASE }}
|
||||
|
@ -82,7 +82,7 @@ jobs:
|
|||
|
||||
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
|
||||
|
||||
Docker tags :
|
||||
Docker tags :
|
||||
- BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
|
||||
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
|
||||
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
|
||||
|
|
|
@ -50,7 +50,7 @@ jobs:
|
|||
if: inputs.TYPE == 'k8s'
|
||||
- run: |
|
||||
echo "$SECRET_KEY" > /tmp/.secret_key
|
||||
openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
|
||||
openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
|
||||
rm -f /tmp/.secret_key
|
||||
tar xf /tmp/terraform.tar -C /
|
||||
mkdir /tmp/reg
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
# See https://pre-commit.com for more information
|
||||
# See https://pre-commit.com/hooks.html for more hooks
|
||||
exclude: (^LICENSE.md$|^src/VERSION$|^src/(deps/src/|common/core/modsecurity/files/coreruleset/|ui/static/js/(editor/|utils/purify/|tsparticles\.bundle\.min\.js))|\.(svg|drawio|patch\d?|ascii|pem|tf|tftpl)$)
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.4.0
|
||||
hooks:
|
||||
- id: check-case-conflict
|
||||
- id: detect-private-key
|
||||
- id: end-of-file-fixer
|
||||
- id: requirements-txt-fixer
|
||||
- id: trailing-whitespace
|
||||
|
||||
- repo: https://github.com/ambv/black
|
||||
rev: 23.9.1
|
||||
hooks:
|
||||
- id: black
|
||||
language_version: python3.9
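Review bot: The top-level `exclude` pattern skips every `.pem` file for all hooks, so `detect-private-key` never inspects the files most likely to contain a committed key. Drop `pem` from the global alternation, leaving `\.(svg|drawio|patch\d?|ascii|tf|tftpl)$`, and if the whitespace fixers must leave certificates alone, give those hooks their own `exclude: \.pem$`. Any key or certificate fixtures that are intentionally in the tree can then be allow-listed by explicit path, which keeps the exemption visible in review. Separately, both `rev:` values are tags that can be moved upstream; pinning each to a full commit SHA with the tag in a trailing comment makes the hook code that runs on contributors' machines reproducible. The black hook also points at the former `ambv/black` location, so `repo: https://github.com/psf/black` would avoid relying on the redirect.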
|
|
@ -1,6 +1,6 @@
|
|||
# Changelog
|
||||
|
||||
## v1.5.3 -
|
||||
## v1.5.3 -
|
||||
|
||||
- [BUGFIX] Fix BunkerWeb not loading his own settings after a docker restart
|
||||
- [BUGFIX] Fix Custom configs not following the service name after an update on the UI
|
||||
|
|
|
@ -125,4 +125,4 @@ enforcement ladder](https://github.com/mozilla/diversity).
|
|||
|
||||
For answers to common questions about this code of conduct, see the FAQ at
|
||||
https://www.contributor-covenant.org/faq. Translations are available at
|
||||
https://www.contributor-covenant.org/translations.
|
||||
https://www.contributor-covenant.org/translations.
|
||||
|
|
15
README.md
15
README.md
|
@ -19,13 +19,13 @@
|
|||
|
||||
<p align="center">
|
||||
📓 <a href="https://docs.bunkerweb.io">Documentation</a>
|
||||
|
|
||||
|
|
||||
👨💻 <a href="https://demo.bunkerweb.io">Demo</a>
|
||||
|
|
||||
|
|
||||
🛡️ <a href="./examples">Examples</a>
|
||||
|
|
||||
|
|
||||
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
|
||||
|
|
||||
|
|
||||
📝 <a href="https://github.com/bunkerity/bunkerweb/discussions">Forum</a>
|
||||
|
|
||||
⚙️ <a href="https://config.bunkerweb.io">Configurator</a>
|
||||
|
@ -142,7 +142,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
|
|||
State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
|
||||
|
||||
- Settings defined for all the services
|
||||
- Custom configurations
|
||||
- Custom configurations
|
||||
- BunkerWeb instances
|
||||
- Metadata about jobs execution
|
||||
- Cached files
|
||||
|
@ -355,3 +355,8 @@ If you would like to contribute to the plugins you can read the [contributing gu
|
|||
# Security policy
|
||||
|
||||
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](./SECURITY.md) for more information.
|
||||
|
||||
|
||||
# Stargazers over time
|
||||
|
||||
[![Stargazers over time](https://starchart.cc/bunkerity/bunkerweb.svg)](https://starchart.cc/bunkerity/bunkerweb)
|
||||
|
|
|
@ -14,4 +14,4 @@ Here is a non-exhaustive list of issues we consider as high risk :
|
|||
|
||||
## Bounty
|
||||
|
||||
To encourage responsible disclosure, we may reward you with a bounty at the sole discretion of the maintainers.
|
||||
To encourage responsible disclosure, we may reward you with a bounty at the sole discretion of the maintainers.
|
||||
|
|
|
@ -143,4 +143,4 @@ In essence, the scheduler serves as the brain of BunkerWeb, orchestrating variou
|
|||
|
||||
Depending on the integration approach, the execution environment of the scheduler may differ. In container-based integrations, the scheduler is executed within its dedicated container, providing isolation and flexibility. On the other hand, for Linux-based integrations, the scheduler is self-contained within the bunkerweb service, simplifying the deployment and management process.
|
||||
|
||||
By employing the scheduler, BunkerWeb streamlines the automation and coordination of essential tasks, enabling efficient and reliable operation of the entire system.
|
||||
By employing the scheduler, BunkerWeb streamlines the automation and coordination of essential tasks, enabling efficient and reliable operation of the entire system.
|
||||
|
|
|
@ -136,15 +136,15 @@ volumes:
|
|||
```
|
||||
|
||||
For example, if you have a value of **100000**, the mapped UID/GID will be **100100** (100000 + 100) :
|
||||
|
||||
|
||||
```shell
|
||||
mkdir bw-data && \
|
||||
sudo chgrp 100100 bw-data && \
|
||||
chmod 770 bw-data
|
||||
```
|
||||
|
||||
|
||||
Or if the folder already exists :
|
||||
|
||||
|
||||
```shell
|
||||
sudo chgrp -R 100100 bw-data && \
|
||||
chmod -R 770 bw-data
|
||||
|
@ -188,7 +188,7 @@ By default, BunkerWeb container is listening (inside the container) on **8080/tc
|
|||
|
||||
!!! warning "Privileged ports in rootless mode or when using podman"
|
||||
If you are using [Docker in rootless mode](https://docs.docker.com/engine/security/rootless) and want to redirect privileged ports (< 1024) like 80 and 443 to BunkerWeb, please refer to the prerequisites [here](https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports).
|
||||
|
||||
|
||||
If you are using [podman](https://podman.io/) you can lower the minimum number for unprivileged ports :
|
||||
```shell
|
||||
sudo sysctl net.ipv4.ip_unprivileged_port_start=1
|
||||
|
@ -465,7 +465,7 @@ As for the database volume, the documentation does not specify a specific approa
|
|||
|
||||
!!! info "Database backend"
|
||||
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.2/misc/integrations) folder of the repository for more information.
|
||||
|
||||
|
||||
Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
|
||||
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
|
||||
|
@ -638,7 +638,7 @@ Given the presence of multiple BunkerWeb instances, it is necessary to establish
|
|||
|
||||
!!! info "Database backend"
|
||||
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.2/misc/integrations) folder of the repository for more information.
|
||||
|
||||
|
||||
Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
|
||||
Please ensure that both the scheduler and autoconf services have access to the Kubernetes API. It is recommended to utilize [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for this purpose.
|
||||
|
@ -985,7 +985,7 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
|
|||
sudo apt update && \
|
||||
sudo apt install -y bunkerweb=1.5.2
|
||||
```
|
||||
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
|
||||
|
||||
```shell
|
||||
|
@ -1022,7 +1022,7 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
|
|||
sudo apt update && \
|
||||
sudo apt install -y bunkerweb=1.5.2
|
||||
```
|
||||
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
|
||||
|
||||
```shell
|
||||
|
@ -1188,7 +1188,7 @@ the configuration of BunkerWeb is done by using specific role variables :
|
|||
|
||||
List of supported providers :
|
||||
|
||||
- virtualbox
|
||||
- virtualbox
|
||||
- libvirt
|
||||
|
||||
!!! note "Supported Base Images"
|
||||
|
@ -1253,4 +1253,4 @@ Vagrant.configure("2") do |config|
|
|||
# For libvirt
|
||||
# config.vm.provider "libvirt"
|
||||
end
|
||||
```
|
||||
```
|
||||
|
|
|
@ -38,4 +38,4 @@ See the list of [redis settings](settings.md#redis) and the corresponding docume
|
|||
|
||||
## Default values and new settings
|
||||
|
||||
The default value of some settings have changed and we have added many other settings, we recommend you read the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.
|
||||
The default value of some settings have changed and we have added many other settings, we recommend you read the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.
|
||||
|
|
|
@ -13,7 +13,7 @@ console.log('Saving', url, 'to', pdfPath);
|
|||
// totalPages – total pages in the document
|
||||
headerHtml = `
|
||||
<div style="font-size: 10px; text-align: center; width: 100%;">
|
||||
<span>${title}</span>
|
||||
<span>${title}</span>
|
||||
</div>`;
|
||||
|
||||
footerHtml = `<div style="font-size: 10px; text-align: center; width: 100%;"><span class="pageNumber"></span> / <span class="totalPages"></span></div>`;
|
||||
|
@ -46,4 +46,4 @@ footerHtml = `<div style="font-size: 10px; text-align: center; width: 100%;"><sp
|
|||
});
|
||||
|
||||
await browser.close();
|
||||
})();
|
||||
})();
|
||||
|
|
|
@ -19,4 +19,4 @@
|
|||
data-domain="docs.bunkerweb.io"
|
||||
src="https://data.bunkerity.com/js/script.js"
|
||||
></script>
|
||||
{% endblock %}
|
||||
{% endblock %}
|
||||
|
|
|
@ -218,7 +218,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
=== "Ansible"
|
||||
|
||||
When using the [Ansible integration](integrations.md#ansible), you can use the `plugins` variable to set a local folder containing your plugins that will be copied to your BunkerWeb instances.
|
||||
|
||||
|
||||
Let's assume that you have plugins inside the `bunkerweb-plugins` folder :
|
||||
|
||||
```shell
|
||||
|
@ -231,7 +231,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
[mybunkers]
|
||||
192.168.0.42 ... custom_plugins="{{ playbook_dir }}/bunkerweb-plugins"
|
||||
```
|
||||
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
|
|
|
@ -280,7 +280,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
[mybunkers]
|
||||
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
|
||||
```
|
||||
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
|
@ -355,7 +355,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
```shell
|
||||
curl -H "Host: app1.example.com" http://ip-or-fqdn-of-server
|
||||
```
|
||||
|
||||
|
||||
If you are using HTTPS, you will need to play with SNI :
|
||||
|
||||
```shell
|
||||
|
@ -716,7 +716,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
[mybunkers]
|
||||
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
|
||||
```
|
||||
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
|
@ -1226,7 +1226,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
- 80:8080 # Keep it if you want to use Let's Encrypt automation
|
||||
- 10000:10000 # app1
|
||||
- 20000:20000 # app2
|
||||
|
||||
|
||||
...
|
||||
```
|
||||
|
||||
|
@ -1450,14 +1450,14 @@ Some integrations provide more convenient ways to apply configurations, such as
|
|||
=== "Docker"
|
||||
|
||||
When using the [Docker integration](integrations.md#docker), you have two choices for the addition of custom configurations :
|
||||
|
||||
|
||||
- Using specific settings `*_CUSTOM_CONF_*` as environment variables (recommended)
|
||||
- Writing .conf files to the volume mounted on /data of the scheduler
|
||||
|
||||
|
||||
**Using settings**
|
||||
|
||||
|
||||
The settings to use must follow the pattern `<SITE>_CUSTOM_CONF_<TYPE>_<NAME>` :
|
||||
|
||||
|
||||
- `<SITE>` : optional primary server name if multisite mode is enabled and the config must be applied to a specific service
|
||||
- `<TYPE>` : the type of config, accepted values are `HTTP`, `DEFAULT_SERVER_HTTP`, `SERVER_HTTP`, `MODSEC`, `MODSEC_CRS`, `STREAM` and `SERVER_STREAM`
|
||||
- `<NAME>` : the name of config without the .conf suffix
|
||||
|
@ -1529,9 +1529,9 @@ Some integrations provide more convenient ways to apply configurations, such as
|
|||
When using labels with the Docker autoconf integration, you can only apply custom configurations for the corresponding web service. Applying **http**, **default-server-http**, **stream** or any global configurations (like **server-http** or **server-stream** for all services) is not possible : you will need to mount files for that purpose.
|
||||
|
||||
The labels to use must follow the pattern `bunkerweb.CUSTOM_CONF_<TYPE>_<NAME>` :
|
||||
|
||||
|
||||
- `<TYPE>` : the type of config, accepted values are `SERVER_HTTP`, `MODSEC`, `MODSEC_CRS` and `SERVER_STREAM`
|
||||
- `<NAME>` : the name of config without the .conf suffix
|
||||
- `<NAME>` : the name of config without the .conf suffix
|
||||
|
||||
Here is a dummy example using a docker-compose file :
|
||||
|
||||
|
@ -1553,13 +1553,13 @@ Some integrations provide more convenient ways to apply configurations, such as
|
|||
**Using files**
|
||||
|
||||
The first thing to do is to create the folders :
|
||||
|
||||
|
||||
```shell
|
||||
mkdir -p ./bw-data/configs/server-http
|
||||
```
|
||||
|
||||
You can now write your configurations :
|
||||
|
||||
|
||||
```shell
|
||||
echo "location /hello {
|
||||
default_type 'text/plain';
|
||||
|
@ -1568,7 +1568,7 @@ Some integrations provide more convenient ways to apply configurations, such as
|
|||
}
|
||||
}" > ./bw-data/configs/server-http/hello-world.conf
|
||||
```
|
||||
|
||||
|
||||
Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
|
||||
|
||||
```shell
|
||||
|
@ -1906,7 +1906,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
find ./www -type f -exec chmod 0640 {} \; && \
|
||||
find ./www -type d -exec chmod 0750 {} \;
|
||||
```
|
||||
|
||||
|
||||
When you start the BunkerWeb autoconf stack, mount the `www` folder into `/var/www/html` for the BunkerWeb container :
|
||||
|
||||
```yaml
|
||||
|
@ -2064,7 +2064,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
find /shared/www -type f -exec chmod 0640 {} \; && \
|
||||
find /shared/www -type d -exec chmod 0750 {} \;
|
||||
```
|
||||
|
||||
|
||||
When you start the BunkerWeb stack, mount the `/shared/www` folder into `/var/www/html` for the BunkerWeb container :
|
||||
|
||||
```yaml
|
||||
|
@ -2249,14 +2249,14 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
|
||||
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
|
||||
```
|
||||
|
||||
|
||||
The `custom_site` variable can be used to specify a directory containing your application files (e.g : `www`) that will be copied to `/var/www/html` and the `custom_www_owner` variable contains the owner that should be set for the files and folders. Here is an example using the Ansible inventory (replace `www-data` with the user running the PHP-FPM service):
|
||||
|
||||
```ini
|
||||
[mybunkers]
|
||||
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env" custom_www="{{ playbook_dir }}/my_app" custom_www_owner="www-data"
|
||||
```
|
||||
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
|
@ -2354,7 +2354,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
|
|||
image: bunkerity/bunkerweb:1.5.2
|
||||
environment:
|
||||
- USE_IPv6=yes
|
||||
|
||||
|
||||
...
|
||||
|
||||
networks:
|
||||
|
@ -2399,7 +2399,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
|
|||
image: bunkerity/bunkerweb:1.5.2
|
||||
environment:
|
||||
- USE_IPv6=yes
|
||||
|
||||
|
||||
...
|
||||
|
||||
networks:
|
||||
|
@ -2410,6 +2410,6 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
|
|||
config:
|
||||
- subnet: fd00:13:37::/48
|
||||
gateway: fd00:13:37::1
|
||||
|
||||
|
||||
...
|
||||
```
|
||||
```
|
||||
|
|
|
@ -2,4 +2,4 @@ mkdocs==1.5.3
|
|||
mkdocs-material==9.4.2
|
||||
pytablewriter==1.1.0
|
||||
mike==1.1.2
|
||||
mkdocs-print-site-plugin==2.3.6
|
||||
mkdocs-print-site-plugin==2.3.6
|
||||
|
|
|
@ -431,6 +431,12 @@ regex==2023.8.8 \
|
|||
requests==2.31.0 \
|
||||
--hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
|
||||
--hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
|
||||
# via importlib-metadata
|
||||
|
||||
# The following packages are considered to be unsafe in a requirements file:
|
||||
setuptools==68.2.2 \
|
||||
--hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \
|
||||
--hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
|
||||
# via mkdocs-material
|
||||
six==1.16.0 \
|
||||
--hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
|
||||
|
@ -491,10 +497,4 @@ watchdog==3.0.0 \
|
|||
zipp==3.17.0 \
|
||||
--hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \
|
||||
--hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0
|
||||
# via importlib-metadata
|
||||
|
||||
# The following packages are considered to be unsafe in a requirements file:
|
||||
setuptools==68.2.2 \
|
||||
--hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \
|
||||
--hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
|
||||
# via pytablewriter
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
User-agent: *
|
||||
Allow: /latest/
|
||||
|
||||
Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml
|
||||
Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml
|
||||
|
|
|
@ -539,4 +539,3 @@ Allow access based on internal and external IP/network/rDNS/ASN whitelists.
|
|||
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|
||||
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
|
||||
|
||||
|
|
|
@ -273,7 +273,7 @@ You can manually unban an IP which can be useful when doing some tests but it ne
|
|||
```shell
|
||||
sudo bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
|
||||
## Whitelisting
|
||||
|
||||
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
|
||||
|
@ -284,4 +284,4 @@ If you have bots that need to access your website, the recommended way to avoid
|
|||
|
||||
## Timezone
|
||||
|
||||
When using container-based integrations, the timezone of the container may not match the one of the host machine. To resolve that, you can set the `TZ` environment variable to the timezone of your choice on your containers (e.g. `TZ=Europe/Paris`). You will find the list of timezone identifers [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).
|
||||
When using container-based integrations, the timezone of the container may not match the one of the host machine. To resolve that, you can set the `TZ` environment variable to the timezone of your choice on your containers (e.g. `TZ=Europe/Paris`). You will find the list of timezone identifers [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).
|
||||
|
|
|
@ -945,4 +945,4 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
```shell
|
||||
systemctl restart bunkerweb
|
||||
```
|
||||
```
|
||||
|
|
|
@ -30,4 +30,4 @@ app2.example.com_REVERSE_PROXY_HOST=http://app2.example.com
|
|||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri
|
||||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email
|
||||
app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email
|
||||
app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email
|
||||
|
|
|
@ -2,4 +2,4 @@ PG_PASS=changeme
|
|||
AUTHENTIK_SECRET_KEY=changeme
|
||||
AUTHENTIK_COOKIE_DOMAIN=example.com
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD=changeme
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN=changeme
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN=changeme
|
||||
|
|
|
@ -21,4 +21,4 @@ systemctl stop bunkerweb
|
|||
systemctl stop haproxy
|
||||
systemctl start haproxy
|
||||
|
||||
echo "hello" > /var/www/html/index.html
|
||||
echo "hello" > /var/www/html/index.html
|
||||
|
|
|
@ -3,4 +3,4 @@ DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
|||
SERVER_NAME=www.example.com
|
||||
# real IP settings
|
||||
USE_REAL_IP=yes
|
||||
REAL_IP_FROM=127.0.0.0/8
|
||||
REAL_IP_FROM=127.0.0.0/8
|
||||
|
|
|
@ -84,4 +84,4 @@ networks:
|
|||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-docker:
|
||||
bw-docker:
|
||||
|
|
|
@ -20,4 +20,4 @@ chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
|||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
||||
sleep 86400
|
||||
|
|
|
@ -7,4 +7,4 @@ fi
|
|||
|
||||
chown -R 33:101 ./www
|
||||
find ./www -type f -exec chmod 0640 {} \;
|
||||
find ./www -type d -exec chmod 0750 {} \;
|
||||
find ./www -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -7,4 +7,4 @@ fi
|
|||
|
||||
chown -R 33:101 ./www
|
||||
find ./www -type f -exec chmod 0640 {} \;
|
||||
find ./www -type d -exec chmod 0750 {} \;
|
||||
find ./www -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -16,4 +16,4 @@ fi
|
|||
cp -r ./www/* /var/www/html
|
||||
chown -R $user:nginx /var/www/html
|
||||
find /var/www/html -type f -exec chmod 0640 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -16,4 +16,4 @@ app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
|
|||
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
|
||||
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
|
||||
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
|
||||
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
|
||||
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
|
||||
|
|
|
@ -4,4 +4,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_drupal=1"
|
||||
setvar:tx.crs_exclusions_drupal=1"
|
||||
|
|
|
@ -10,4 +10,4 @@
|
|||
docker config rm cfg_drupal_modsec_crs
|
||||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_drupal_modsec_crs ./bw-data/configs/modsec-crs/drupal.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_drupal_modsec_crs ./bw-data/configs/modsec-crs/drupal.conf
|
||||
|
|
|
@ -10,4 +10,4 @@ USE_GZIP=yes
|
|||
LIMIT_REQ_URL_1=/core/install.php
|
||||
LIMIT_REQ_RATE_1=5r/s
|
||||
LOCAL_PHP=/run/php/php-fpm.sock
|
||||
LOCAL_PHP_PATH=/var/www/html
|
||||
LOCAL_PHP_PATH=/var/www/html
|
||||
|
|
|
@ -4,4 +4,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
|
||||
|
|
|
@ -10,4 +10,4 @@
|
|||
docker config rm cfg_gogs_modsec_crs
|
||||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_gogs_modsec_crs ./bw-data/configs/modsec-crs/gogs.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_gogs_modsec_crs ./bw-data/configs/modsec-crs/gogs.conf
|
||||
|
|
|
@ -12,4 +12,4 @@ LIMIT_REQ_RATE_1=8r/s
|
|||
LIMIT_REQ_URL_2=/installation/index.php
|
||||
LIMIT_REQ_RATE_2=8r/s
|
||||
LOCAL_PHP=/run/php/php-fpm.sock
|
||||
LOCAL_PHP_PATH=/var/www/html
|
||||
LOCAL_PHP_PATH=/var/www/html
|
||||
|
|
|
@ -10,4 +10,4 @@
|
|||
docker config rm cfg_magento_server_http
|
||||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=www.example.com cfg_magento_server_http ./bw-data/configs/server-http/buffering.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=www.example.com cfg_magento_server_http ./bw-data/configs/server-http/buffering.conf
|
||||
|
|
|
@ -1 +1 @@
|
|||
SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
|
||||
SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
|
||||
|
|
|
@ -10,4 +10,4 @@
|
|||
docker config rm cfg_me_modsec
|
||||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_me_modsec ./bw-data/configs/modsec/mongo-express.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_me_modsec ./bw-data/configs/modsec/mongo-express.conf
|
||||
|
|
|
@ -1 +1 @@
|
|||
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
|
||||
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
|
||||
|
|
|
@ -12,4 +12,4 @@ docker config rm cfg_nextcloud_modsec_crs
|
|||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec ./bw-data/configs/modsec/nextcloud.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec_crs ./bw-data/configs/modsec-crs/nextcloud.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec_crs ./bw-data/configs/modsec-crs/nextcloud.conf
|
||||
|
|
|
@ -16,4 +16,4 @@ LIMIT_REQ_RATE_1=5r/s
|
|||
LIMIT_REQ_URL_2=/apps/text/session/sync
|
||||
LIMIT_REQ_RATE_2=8r/s
|
||||
LIMIT_REQ_URL_3=/core/preview
|
||||
LIMIT_REQ_RATE_3=5r/s
|
||||
LIMIT_REQ_RATE_3=5r/s
|
||||
|
|
|
@ -17,4 +17,4 @@ fi
|
|||
cp -r ./www/* /var/www/html
|
||||
chown -R $user:nginx /var/www/html
|
||||
find /var/www/html -type f -exec chmod 0640 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -17,4 +17,4 @@ if(!isset($_COOKIE[$cookie_name])) {
|
|||
?>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -17,4 +17,4 @@ fi
|
|||
cp -r ./www/* /var/www/html
|
||||
chown -R $user:nginx /var/www/html
|
||||
find /var/www/html -type f -exec chmod 0640 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -17,4 +17,4 @@ fi
|
|||
cp -r ./www/* /var/www/html
|
||||
chown -R $user:nginx /var/www/html
|
||||
find /var/www/html -type f -exec chmod 0640 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
find /var/www/html -type d -exec chmod 0750 {} \;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
port_in_redirect off;
|
||||
location ~ ^/(app1|app2)$ {
|
||||
rewrite ^(.*)$ $1/ permanent;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,4 +3,4 @@ location /hello {
|
|||
content_by_lua_block {
|
||||
ngx.say("hello")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,4 +3,4 @@ location /app1 {
|
|||
content_by_lua_block {
|
||||
ngx.say("app1")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,4 +3,4 @@ location /app2 {
|
|||
content_by_lua_block {
|
||||
ngx.say("app2")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,4 +3,4 @@ location /app3 {
|
|||
content_by_lua_block {
|
||||
ngx.say("app3")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,4 +16,4 @@ docker config rm cfg_app3_server_http
|
|||
docker config create -l bunkerweb.CONFIG_TYPE=server-http cfg_all_server_http ./all-server-http.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=app1.example.com cfg_app1_server_http ./app1-server-http.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=app2.example.com cfg_app2_server_http ./app2-server-http.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=app3.example.com cfg_app3_server_http ./app3-server-http.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=app3.example.com cfg_app3_server_http ./app3-server-http.conf
|
||||
|
|
|
@ -12,4 +12,4 @@ log {
|
|||
destination {
|
||||
file("/var/log/syslog");
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -10,4 +10,4 @@
|
|||
docker config rm cfg_wordpress_modsec_crs
|
||||
|
||||
# create configs
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_wordpress_modsec_crs ./bw-data/configs/modsec-crs/wordpress.conf
|
||||
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_wordpress_modsec_crs ./bw-data/configs/modsec-crs/wordpress.conf
|
||||
|
|
|
@ -70,4 +70,4 @@ plugins:
|
|||
- search
|
||||
- print-site
|
||||
- mike:
|
||||
canonical_version: latest
|
||||
canonical_version: latest
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
[project]
|
||||
name = "BunkerWeb"
|
||||
description = "Make your web services secure by default !"
|
||||
version = "1.4.3"
|
||||
version = "1.5.2"
|
||||
authors = [
|
||||
{ name = "Bunkerity", email = "contact@bunkerity.com" }
|
||||
]
|
||||
|
||||
[tool.black]
|
||||
py39 = true
|
||||
exclude = '''
|
||||
/(
|
||||
| \.git
|
||||
|
@ -14,4 +15,4 @@ exclude = '''
|
|||
| src/common/core/modsecurity
|
||||
| env
|
||||
)/
|
||||
'''
|
||||
'''
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,6 +1,6 @@
|
|||
server {
|
||||
server_name {{ API_SERVER_NAME }};
|
||||
|
||||
|
||||
# HTTP listen
|
||||
listen {{ API_LISTEN_IP }}:{{ API_HTTP_PORT }};
|
||||
{% if API_LISTEN_IP != "127.0.0.1" +%}
|
||||
|
|
|
@ -33,7 +33,7 @@ server {
|
|||
|
||||
# include core and plugins default-server configurations
|
||||
include /etc/nginx/default-server-http/*.conf;
|
||||
|
||||
|
||||
# include custom default-server configurations
|
||||
include /etc/bunkerweb/configs/default-server-http/*.conf;
|
||||
|
||||
|
|
|
@ -5,4 +5,4 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
|||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
|
@ -14,10 +14,10 @@ server {
|
|||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# disable logging
|
||||
access_log off;
|
||||
|
||||
|
||||
# don't respond to other requests
|
||||
location / {
|
||||
return 444;
|
||||
|
|
|
@ -60,4 +60,4 @@ stream {
|
|||
|
||||
# include custom stream configurations
|
||||
include /etc/bunkerweb/configs/stream/*.conf;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -71,4 +71,4 @@ log_by_lua_block {
|
|||
ngx.ctx = ctx
|
||||
|
||||
logger:log(ngx.INFO, "log phase ended")
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,7 +25,7 @@ server {
|
|||
include {{ NGINX_PREFIX }}set-lua.conf;
|
||||
include {{ NGINX_PREFIX }}access-lua.conf;
|
||||
include {{ NGINX_PREFIX }}log-lua.conf;
|
||||
|
||||
|
||||
# include config files
|
||||
include {{ NGINX_PREFIX }}server-http/*.conf;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ server {
|
|||
# include LUA files
|
||||
include {{ NGINX_PREFIX }}preread-stream-lua.conf;
|
||||
include {{ NGINX_PREFIX }}log-stream-lua.conf;
|
||||
|
||||
|
||||
# include config files
|
||||
include {{ NGINX_PREFIX }}server-stream/*.conf;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -81,4 +81,4 @@ upstream {{ SERVER_NAME.split(" ")[0] }} {
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -23,4 +23,4 @@ location {{ ANTIBOT_URI }} {
|
|||
ngx.ctx = ctx
|
||||
}
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -5,7 +5,7 @@ auth_basic_user_file {{ NGINX_PREFIX }}server-http/htpasswd;
|
|||
{% else %}
|
||||
location {{ AUTH_BASIC_LOCATION }} {
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}server-http/htpasswd;
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}server-http/htpasswd;
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@ brotli on;
|
|||
brotli_types {{ BROTLI_TYPES }};
|
||||
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
|
||||
brotli_min_length {{ BROTLI_MIN_LENGTH }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
map $uri $cache_control {
|
||||
default "";
|
||||
"~\.({{ CLIENT_CACHE_EXTENSIONS }})$" "{{ CLIENT_CACHE_CONTROL }}";
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,4 +5,4 @@ etag on;
|
|||
{% else +%}
|
||||
etag off;
|
||||
{% endif +%}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -31,4 +31,4 @@ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS
|
|||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -31,4 +31,4 @@ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS
|
|||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -19,4 +19,4 @@ location {% if intercepted_error_code == "400" %}= /{% else %} @{% endif %}bwerr
|
|||
errors:render_template(tostring(ngx.status))
|
||||
}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
|
|
@ -38,4 +38,4 @@ location = {{ page }} {
|
|||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@ gzip on;
|
|||
gzip_types {{ GZIP_TYPES }};
|
||||
gzip_comp_level {{ GZIP_COMP_LEVEL }};
|
||||
gzip_min_length {{ GZIP_MIN_LENGTH }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
map $scheme $header_cookie_secure {
|
||||
default "";
|
||||
"https" "secure";
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,4 +6,4 @@
|
|||
set_cookie_flag {{ v }};
|
||||
{% endif +%}
|
||||
{% endif +%}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
{% if INJECT_BODY != "" +%}
|
||||
sub_filter '</body>' '{{ INJECT_BODY }}</body>';
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /var/tmp/bunkerweb/lets-encrypt;
|
||||
auth_basic off;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,4 +17,4 @@ limit_conn_log_level warn;
|
|||
|
||||
limit_conn_status 429;
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
limit_conn v1ips {{ LIMIT_CONN_MAX_HTTP1 }};
|
||||
limit_conn v2ips {{ LIMIT_CONN_MAX_HTTP2 }};
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
limit_conn sips {{ LIMIT_CONN_MAX_STREAM }};
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
limit_conn_zone $binary_remote_addr zone=sips:10m;
|
||||
limit_conn_log_level warn;
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@ location / {
|
|||
set $reason "default";
|
||||
return {{ DENY_HTTP_STATUS }};
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -3,4 +3,4 @@ root /usr/share/bunkerweb/core/misc/files;
|
|||
location / {
|
||||
try_files /default.html =404;
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1 +1 @@
|
|||
client_max_body_size {{ MAX_CLIENT_SIZE }};
|
||||
client_max_body_size {{ MAX_CLIENT_SIZE }};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
open_file_cache {{ OPEN_FILE_CACHE }};
|
||||
open_file_cache_errors {% if OPEN_FILE_CACHE_ERRORS == "yes" +%} on {% else +%} off {% endif +%};
|
||||
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
|
||||
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
|
||||
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
|
||||
|
|
|
@ -9,4 +9,3 @@ if ($scheme = http) {
|
|||
}
|
||||
{% endif +%}
|
||||
{% endif +%}
|
||||
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
try_files $uri $uri/ =404;
|
||||
{% else +%}
|
||||
root /nowhere;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -68,7 +68,7 @@ SecAuditLog /var/log/bunkerweb/modsec_audit.log
|
|||
{% if USE_MODSECURITY_CRS == "yes" %}
|
||||
include /usr/share/bunkerweb/core/modsecurity/files/crs-setup.conf
|
||||
|
||||
# custom CRS configurations before loading rules (e.g. exclusions)
|
||||
# custom CRS configurations before loading rules (e.g. exclusions)
|
||||
{% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %}
|
||||
include /etc/bunkerweb/configs/modsec-crs/*.conf
|
||||
{% endif %}
|
||||
|
@ -127,4 +127,4 @@ SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv
|
|||
# let BW manage when method is not allowed (and save up some computing)
|
||||
SecRuleUpdateActionById 911100 "t:none,allow,nolog"
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% if USE_MODSECURITY == "yes" +%}
|
||||
modsecurity on;
|
||||
modsecurity_rules_file {{ NGINX_PREFIX }}server-http/modsecurity-rules.conf.modsec;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -34,4 +34,4 @@ fastcgi_param SERVER_PORT $server_port;
|
|||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
||||
|
|
|
@ -12,4 +12,4 @@ location ~ \.php$ {
|
|||
{% endif %}
|
||||
fastcgi_index index.php;
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -13,4 +13,4 @@ real_ip_recursive on;
|
|||
{% else +%}
|
||||
real_ip_recursive off;
|
||||
{% endif +%}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -13,4 +13,4 @@ real_ip_recursive on;
|
|||
{% else +%}
|
||||
real_ip_recursive off;
|
||||
{% endif +%}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -7,4 +7,4 @@ set_real_ip_from {{ element }};
|
|||
set_real_ip_from {{ element }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
@ -4,4 +4,4 @@ return {{ REDIRECT_TO_STATUS_CODE }} {{ REDIRECT_TO }}$request_uri;
|
|||
{% else +%}
|
||||
return {{ REDIRECT_TO_STATUS_CODE }} {{ REDIRECT_TO }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More