Merge branch 'dev' of https://github.com/bunkerity/bunkerized-nginx into dev
This commit is contained in:
commit
2b43a9cbf5
|
@ -158,9 +158,141 @@ jobs:
|
|||
cache-from: type=registry,ref=bunkerity/cache:bw-ui-arm-cache
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
|
||||
|
||||
# Build linux ubuntu
|
||||
build-bw-ubuntu:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW ubuntu
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-ubuntu
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
|
||||
cache-from: type=registry,ref=bunkerity/cache:bw-ubuntu-cache
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-ubuntu-cache,mode=min
|
||||
|
||||
# Build linux debian
|
||||
build-bw-debian:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW debian
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-debian
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
|
||||
cache-from: type=registry,ref=bunkerity/cache:bw-debian-cache
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-debian-cache,mode=min
|
||||
|
||||
# Build linux centos
|
||||
build-bw-centos:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW centos
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-centos
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
|
||||
cache-from: type=registry,ref=bunkerity/cache:bw-centos-cache
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-centos-cache,mode=min
|
||||
|
||||
# Build linux fedora
|
||||
build-bw-fedora:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW fedora
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-fedora
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
|
||||
cache-from: type=registry,ref=bunkerity/cache:bw-fedora-cache
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-fedora-cache,mode=min
|
||||
|
||||
# Run tests
|
||||
tests:
|
||||
needs: build-bw-amd64
|
||||
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
|
||||
runs-on: [self-hosted, X64]
|
||||
steps:
|
||||
|
||||
|
|
|
@ -149,9 +149,133 @@ jobs:
|
|||
tags: bunkerweb-ui-tests-arm:latest
|
||||
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
|
||||
|
||||
# Build linux ubuntu
|
||||
build-bw-ubuntu:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW ubuntu
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-ubuntu
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
|
||||
|
||||
# Build linux debian
|
||||
build-bw-debian:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW debian
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-debian
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
|
||||
|
||||
# Build linux centos
|
||||
build-bw-centos:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW centos
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-centos
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
|
||||
|
||||
# Build linux fedora
|
||||
build-bw-fedora:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to private repository
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
username: registry
|
||||
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
|
||||
# Build image
|
||||
- name: Build BW fedora
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
context: .
|
||||
file: linux/Dockerfile-fedora
|
||||
platforms: linux/amd64
|
||||
push: true
|
||||
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
|
||||
|
||||
# Run tests
|
||||
tests:
|
||||
needs: build-bw-amd64
|
||||
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
|
||||
runs-on: [self-hosted, X64]
|
||||
steps:
|
||||
|
||||
|
@ -185,6 +309,14 @@ jobs:
|
|||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest 10.20.1.1:5000/bw-autoconf-tests:latest && docker push 10.20.1.1:5000/bw-autoconf-tests:latest
|
||||
- name: Import BW UI image
|
||||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest 10.20.1.1:5000/bw-ui-tests:latest && docker push 10.20.1.1:5000/bw-ui-tests:latest
|
||||
- name: Import Ubuntu image
|
||||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest bw-ubuntu-tests:latest
|
||||
- name: Import Debian image
|
||||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest bw-debian-tests:latest
|
||||
- name: Import Centos image
|
||||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest bw-centos-tests:latest
|
||||
- name: Import Fedora image
|
||||
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest bw-fedora-tests:latest
|
||||
|
||||
# CVE check on OS
|
||||
- name: Check security vulnerabilities for BW
|
||||
|
|
10
CHANGELOG.md
10
CHANGELOG.md
|
@ -1,6 +1,16 @@
|
|||
# Changelog
|
||||
|
||||
## v1.4.2 -
|
||||
|
||||
- Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
|
||||
- Fix config files overwrite when using Docker autoconf
|
||||
- Add log_default() plugin hook
|
||||
- Add various certbot-dns examples
|
||||
- Force NGINX version dependencies in Linux packages DEB/RPM
|
||||
- Add Discord to supported plugins
|
||||
|
||||
## v1.4.1 - 2022/16/06
|
||||
|
||||
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
|
||||
- Fix certbot bug when AUTOCONF_MODE=yes
|
||||
- Fix certbot bug when MULTISITE=no
|
||||
|
|
|
@ -246,6 +246,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
|
|||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
|
||||
You will find more information in the [plugins section](https://docs.bunkerweb.io/latest/plugins) of the documentation.
|
||||
|
@ -280,7 +281,7 @@ This project is licensed under the terms of the [GNU Affero General Public Licen
|
|||
|
||||
# Contribute
|
||||
|
||||
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/LICENSE.md) to get started.
|
||||
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/CONTRIBUTING.md) to get started.
|
||||
|
||||
# Security policy
|
||||
|
||||
|
|
|
@ -131,10 +131,11 @@ class Config(ApiCaller, ConfigCaller) :
|
|||
self._set_apis(self.__get_apis())
|
||||
|
||||
# write configs
|
||||
ret = self.__write_configs()
|
||||
if not ret :
|
||||
success = False
|
||||
log("CONFIG", "❌", "saving custom configs failed, configuration will not work as expected...")
|
||||
if configs != None :
|
||||
ret = self.__write_configs()
|
||||
if not ret :
|
||||
success = False
|
||||
log("CONFIG", "❌", "saving custom configs failed, configuration will not work as expected...")
|
||||
|
||||
# get env
|
||||
env = self.__get_full_env()
|
||||
|
|
|
@ -43,7 +43,7 @@ class DockerController(Controller) :
|
|||
raise("get_configs is not supported with DockerController")
|
||||
|
||||
def apply_config(self) :
|
||||
return self._config.apply(self._instances, self._services, configs=self._configs)
|
||||
return self._config.apply(self._instances, self._services)
|
||||
|
||||
def process_events(self) :
|
||||
for event in self.__client.events(decode=True, filters={"type": "container"}) :
|
||||
|
|
|
@ -12,4 +12,50 @@ server {
|
|||
|
||||
# include custom default-server configurations
|
||||
include /opt/bunkerweb/configs/default-server-http/*.conf;
|
||||
|
||||
log_by_lua_block {
|
||||
|
||||
local utils = require "utils"
|
||||
local logger = require "logger"
|
||||
local datastore = require "datastore"
|
||||
local plugins = require "plugins"
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase started")
|
||||
|
||||
-- List all plugins
|
||||
local list, err = plugins:list()
|
||||
if not list then
|
||||
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
|
||||
list = {}
|
||||
end
|
||||
|
||||
-- Call log_default method of plugins
|
||||
for i, plugin in ipairs(list) do
|
||||
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
|
||||
if ret then
|
||||
local plugin_obj = plugin_lua.new()
|
||||
if plugin_obj.log_default ~= nil then
|
||||
logger.log(ngx.INFO, "LOG", "Executing log_default() of " .. plugin.id)
|
||||
local ok, err = plugin_obj:log_default()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "LOG", "Error while calling log_default() on plugin " .. plugin.id .. " : " .. err)
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log_default() is : " .. err)
|
||||
end
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "log_default() method not found in " .. plugin.id .. ", skipped execution")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Display reason at info level
|
||||
local reason = utils.get_reason()
|
||||
if reason then
|
||||
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
|
||||
end
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase ended")
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -141,11 +141,13 @@ function _M:report(ip, reason, method, url, headers)
|
|||
return self:request("POST", "/report", data)
|
||||
end
|
||||
|
||||
function _M:log()
|
||||
-- Check if BunkerNet is activated
|
||||
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
|
||||
if use_bunkernet ~= "yes" then
|
||||
return true, "bunkernet not activated"
|
||||
function _M:log(bypass_use_bunkernet)
|
||||
if bypass_use_bunkernet then
|
||||
-- Check if BunkerNet is activated
|
||||
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
|
||||
if use_bunkernet ~= "yes" then
|
||||
return true, "bunkernet not activated"
|
||||
end
|
||||
end
|
||||
-- Check if BunkerNet ID is generated
|
||||
if not self.id then
|
||||
|
@ -193,6 +195,27 @@ function _M:log()
|
|||
return true, "created report timer"
|
||||
end
|
||||
|
||||
function _M:log_default()
|
||||
-- Check if bunkernet is activated
|
||||
local check, err = utils.has_variable("USE_BUNKERNET", "yes")
|
||||
if check == nil then
|
||||
return false, "error while checking variable USE_BUNKERNET (" .. err .. ")"
|
||||
end
|
||||
if not check then
|
||||
return true, "bunkernet not enabled"
|
||||
end
|
||||
-- Check if default server is disabled
|
||||
local check, err = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
|
||||
if check == nil then
|
||||
return false, "error while getting variable DISABLE_DEFAULT_SERVER (" .. err .. ")"
|
||||
end
|
||||
if check ~= "yes" then
|
||||
return true, "default server not disabled"
|
||||
end
|
||||
-- Call log method
|
||||
return self:log(true)
|
||||
end
|
||||
|
||||
function _M:access()
|
||||
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
|
||||
if use_bunkernet ~= "yes" then
|
||||
|
|
|
@ -1,59 +0,0 @@
|
|||
log_by_lua_block {
|
||||
local bunkernet = require "bunkernet.bunkernet"
|
||||
local utils = require "utils"
|
||||
local datastore = require "datastore"
|
||||
local logger = require "logger"
|
||||
local disable_default_server = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
|
||||
local use_bunkernet = utils.has_variable("USE_BUNKERNET", "yes")
|
||||
|
||||
if disable_default_server == "yes" and use_bunkernet then
|
||||
-- Instantiate bunkernet
|
||||
local bnet, err = bunkernet.new()
|
||||
if not bnet then
|
||||
ngx.log(ngx.ERR, "BUNKERNET", "can't instantiate bunkernet " .. err)
|
||||
return
|
||||
end
|
||||
-- Check if BunkerNet ID is generated
|
||||
if not bnet.id then
|
||||
return
|
||||
end
|
||||
-- Check if IP has been blocked
|
||||
if ngx.status ~= ngx.HTTP_CLOSE then
|
||||
return
|
||||
end
|
||||
-- Check if IP is global
|
||||
local is_global, err = utils.ip_is_global(ngx.var.remote_addr)
|
||||
if is_global == nil then
|
||||
return
|
||||
end
|
||||
if not is_global then
|
||||
return
|
||||
end
|
||||
-- Only report if it hasn't been reported for the same reason recently
|
||||
local reported = datastore:get("plugin_bunkernet_cache_" .. ngx.var.remote_addr .. "default")
|
||||
if reported then
|
||||
return
|
||||
end
|
||||
-- report callback called in a light thread
|
||||
local function report_callback(premature, obj, ip, reason, method, url, headers)
|
||||
local ok, err, status, data = obj:report(ip, reason, method, url, headers)
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "BUNKERNET", "Can't report IP : " .. err)
|
||||
elseif status ~= 200 then
|
||||
logger.log(ngx.ERR, "BUNKERNET", "Error from remote server : " .. tostring(status))
|
||||
else
|
||||
logger.log(ngx.NOTICE, "BUNKERNET", "Successfully reported IP " .. ip .. " (reason : " .. reason .. ")")
|
||||
local ok, err = datastore:set("plugin_bunkernet_cache_" .. ip .. reason, true, 3600)
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "BUNKERNET", "Can't store cached report : " .. err)
|
||||
end
|
||||
end
|
||||
end
|
||||
-- Set a timer at the end of log()
|
||||
local hdr, err = ngx.timer.at(0, report_callback, bnet, ngx.var.remote_addr, "default", ngx.var.request_method, ngx.var.request_uri, ngx.req.get_headers())
|
||||
if not hdr then
|
||||
logger.log(ngx.ERR, "BUNKERNET", "can't create report timer : " .. err)
|
||||
end
|
||||
return
|
||||
end
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
{% if DISABLE_DEFAULT_SERVER == "yes" +%}
|
||||
location / {
|
||||
set $reason "default";
|
||||
return 444;
|
||||
}
|
||||
{% endif %}
|
|
@ -10,6 +10,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
|
|||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
|
||||
## How to use a plugin
|
||||
|
@ -242,16 +243,22 @@ function _M:log()
|
|||
return true, "success"
|
||||
end
|
||||
|
||||
function _M:log_default()
|
||||
logger.log(ngx.NOTICE, "MYPLUGIN", "log_default called")
|
||||
return true, "success"
|
||||
end
|
||||
|
||||
return _M
|
||||
```
|
||||
|
||||
The 3 functions `init`, `access`, and `log` are automatically called during specific contexts. Here are the details of each function :
|
||||
The declared functions are automatically called during specific contexts. Here are the details of each function :
|
||||
|
||||
| Function | Context | Description | Return value |
|
||||
| :------: | :--------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `init` | [init_by_lua](https://github.com/openresty/lua-nginx-module#init_by_lua) | Called when NGINX just started or received a reload order. the typical use case is to prepare any data that will be used by your plugin. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
|
||||
| `access` | [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) | Called on each request received by the server. The typical use case is to do the security checks here and deny the request if needed. | `ret`, `err`, `return`, `status`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li><li>`return` (boolean) : true if you want to stop the access phase and send a status to the client</li><li>`status` (number) : the return value to set if `return` is set to true</li></ul> |
|
||||
| `log` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Called when a request has finished (and before it gets logged to the access logs). The typical use case is to make stats or compute counters for example. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
|
||||
| `log_default` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Same as `log` but only called on the default server. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
|
||||
|
||||
#### Libraries
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
Please have a look at the [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) first.
|
||||
|
||||
Procedure :
|
||||
- Edit domains in the compose file
|
||||
- Edit CloudFlare credentials in cloudflare.ini file (generate using https://dash.cloudflare.com/?to=/:account/profile/api-tokens)
|
||||
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
|
||||
- When certificates are generated, run your services : `docker-compose up -d`
|
|
@ -0,0 +1,5 @@
|
|||
# Cloudflare API token used by Certbot (recommended)
|
||||
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef012345671
|
||||
# Cloudflare API credentials used by Certbot (not recommended)
|
||||
#dns_cloudflare_email = cloudflare@example.com
|
||||
#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef012341
|
|
@ -0,0 +1,74 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- bw_data:/data
|
||||
- certs:/certs
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
|
||||
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app3.example.com_REVERSE_PROXY_URL=/
|
||||
- app3.example.com_REVERSE_PROXY_HOST=http://app3
|
||||
networks:
|
||||
- net_app1
|
||||
- net_app2
|
||||
- net_app3
|
||||
|
||||
mycertbot:
|
||||
image: certbot/dns-cloudflare
|
||||
environment:
|
||||
- DOMAINS=*.example.com,example.com
|
||||
- EMAIL=contact@example.com
|
||||
volumes:
|
||||
- certs:/etc/letsencrypt
|
||||
- ./cloudflare.ini:/opt/cloudflare.ini
|
||||
- ./entrypoint.sh:/opt/entrypoint.sh
|
||||
entrypoint: /bin/sh /opt/entrypoint.sh
|
||||
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app1
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app2
|
||||
|
||||
app3:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app3
|
||||
|
||||
volumes:
|
||||
bw_data:
|
||||
certs:
|
||||
|
||||
networks:
|
||||
net_app1:
|
||||
net_app2:
|
||||
net_app3:
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo "Certbot started, domains = $DOMAINS"
|
||||
|
||||
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
|
||||
if [ "$EMAIL" = "" ] ; then
|
||||
EMAIL="contact@${first_domain}"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
|
||||
echo "Renewing certificates ..."
|
||||
certbot renew
|
||||
else
|
||||
echo "Asking for certificates ..."
|
||||
certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /opt/cloudflare.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
|
||||
fi
|
||||
|
||||
echo "Fixing permissions ..."
|
||||
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
||||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
|
@ -0,0 +1,7 @@
|
|||
Please have a look at the [certbot-dns-digitalocean documentation](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) first.
|
||||
|
||||
Procedure :
|
||||
- Edit domains in the compose file
|
||||
- Edit DigitalOcean credentials in digitalocean.ini file (generate using https://cloud.digitalocean.com/settings/api/tokens)
|
||||
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
|
||||
- When certificates are generated, run your services : `docker-compose up -d`
|
|
@ -0,0 +1,2 @@
|
|||
# DigitalOcean API credentials used by Certbot
|
||||
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
|
|
@ -0,0 +1,74 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- bw_data:/data
|
||||
- certs:/certs
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
|
||||
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app3.example.com_REVERSE_PROXY_URL=/
|
||||
- app3.example.com_REVERSE_PROXY_HOST=http://app3
|
||||
networks:
|
||||
- net_app1
|
||||
- net_app2
|
||||
- net_app3
|
||||
|
||||
mycertbot:
|
||||
image: certbot/dns-digitalocean
|
||||
environment:
|
||||
- DOMAINS=*.example.com,example.com
|
||||
- EMAIL=contact@example.com
|
||||
volumes:
|
||||
- certs:/etc/letsencrypt
|
||||
- ./digitalocean.ini:/opt/digitalocean.ini
|
||||
- ./entrypoint.sh:/opt/entrypoint.sh
|
||||
entrypoint: /bin/sh /opt/entrypoint.sh
|
||||
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app1
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app2
|
||||
|
||||
app3:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app3
|
||||
|
||||
volumes:
|
||||
bw_data:
|
||||
certs:
|
||||
|
||||
networks:
|
||||
net_app1:
|
||||
net_app2:
|
||||
net_app3:
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo "Certbot started, domains = $DOMAINS"
|
||||
|
||||
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
|
||||
if [ "$EMAIL" = "" ] ; then
|
||||
EMAIL="contact@${first_domain}"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
|
||||
echo "Renewing certificates ..."
|
||||
certbot renew
|
||||
else
|
||||
echo "Asking for certificates ..."
|
||||
certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
|
||||
fi
|
||||
|
||||
echo "Fixing permissions ..."
|
||||
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
||||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
|
@ -0,0 +1,7 @@
|
|||
Please have a look at the [certbot-dns-google documentation](https://certbot-dns-google.readthedocs.io/en/stable/) first.
|
||||
|
||||
Procedure :
|
||||
- Edit domains in the compose file
|
||||
- Edit Google credentials in google.json file (generate using https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
|
||||
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
|
||||
- When certificates are generated, run your services : `docker-compose up -d`
|
|
@ -0,0 +1,74 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- bw_data:/data
|
||||
- certs:/certs
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
|
||||
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app3.example.com_REVERSE_PROXY_URL=/
|
||||
- app3.example.com_REVERSE_PROXY_HOST=http://app3
|
||||
networks:
|
||||
- net_app1
|
||||
- net_app2
|
||||
- net_app3
|
||||
|
||||
mycertbot:
|
||||
image: certbot/dns-google
|
||||
environment:
|
||||
- DOMAINS=*.example.com,example.com
|
||||
- EMAIL=contact@example.com
|
||||
volumes:
|
||||
- certs:/etc/letsencrypt
|
||||
- ./google.json:/opt/google.json
|
||||
- ./entrypoint.sh:/opt/entrypoint.sh
|
||||
entrypoint: /bin/sh /opt/entrypoint.sh
|
||||
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app1
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app2
|
||||
|
||||
app3:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app3
|
||||
|
||||
volumes:
|
||||
bw_data:
|
||||
certs:
|
||||
|
||||
networks:
|
||||
net_app1:
|
||||
net_app2:
|
||||
net_app3:
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo "Certbot started, domains = $DOMAINS"
|
||||
|
||||
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
|
||||
if [ "$EMAIL" = "" ] ; then
|
||||
EMAIL="contact@${first_domain}"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
|
||||
echo "Renewing certificates ..."
|
||||
certbot renew
|
||||
else
|
||||
echo "Asking for certificates ..."
|
||||
certbot certonly -n --dns-google --dns-google-credentials /opt/google.json --email "$EMAIL" --agree-tos -d "$DOMAINS"
|
||||
fi
|
||||
|
||||
echo "Fixing permissions ..."
|
||||
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
||||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"type": "service_account",
|
||||
"project_id": "...",
|
||||
"private_key_id": "...",
|
||||
"private_key": "...",
|
||||
"client_email": "...",
|
||||
"client_id": "...",
|
||||
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
|
||||
"token_uri": "https://accounts.google.com/o/oauth2/token",
|
||||
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
|
||||
"client_x509_cert_url": "..."
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
Please have a look at the [certbot-dns-ovh documentation](https://certbot-dns-ovh.readthedocs.io/en/stable/) first.
|
||||
|
||||
Procedure :
|
||||
- Edit domains in the compose file
|
||||
- Edit OVH credentials in ovh.ini file (generate using https://eu.api.ovh.com/createToken/)
|
||||
- Run certbot only and wait for certificate to be generated : `docker-compose up -d mycertbot`
|
||||
- When certificates are generated, run your services : `docker-compose up -d`
|
|
@ -0,0 +1,74 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- bw_data:/data
|
||||
- certs:/certs
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
|
||||
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app3.example.com_REVERSE_PROXY_URL=/
|
||||
- app3.example.com_REVERSE_PROXY_HOST=http://app3
|
||||
networks:
|
||||
- net_app1
|
||||
- net_app2
|
||||
- net_app3
|
||||
|
||||
mycertbot:
|
||||
image: certbot/dns-ovh
|
||||
environment:
|
||||
- DOMAINS=*.example.com,example.com
|
||||
- EMAIL=contact@example.com
|
||||
volumes:
|
||||
- certs:/etc/letsencrypt
|
||||
- ./ovh.ini:/opt/ovh.ini
|
||||
- ./entrypoint.sh:/opt/entrypoint.sh
|
||||
entrypoint: /bin/sh /opt/entrypoint.sh
|
||||
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app1
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app2
|
||||
|
||||
app3:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app3
|
||||
|
||||
volumes:
|
||||
bw_data:
|
||||
certs:
|
||||
|
||||
networks:
|
||||
net_app1:
|
||||
net_app2:
|
||||
net_app3:
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo "Certbot started, domains = $DOMAINS"
|
||||
|
||||
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
|
||||
if [ "$EMAIL" = "" ] ; then
|
||||
EMAIL="contact@${first_domain}"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
|
||||
echo "Renewing certificates ..."
|
||||
certbot renew
|
||||
else
|
||||
echo "Asking for certificates ..."
|
||||
certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
|
||||
fi
|
||||
|
||||
echo "Fixing permissions ..."
|
||||
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
||||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
|
@ -0,0 +1,5 @@
|
|||
# OVH API credentials used by Certbot
|
||||
dns_ovh_endpoint = ovh-eu
|
||||
dns_ovh_application_key = MDAwMDAwMDAwMDAw
|
||||
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
|
||||
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
|
|
@ -0,0 +1,7 @@
|
|||
Please have a look at the [certbot-dns-route53 documentation](https://certbot-dns-route53.readthedocs.io/en/stable/) first.
|
||||
|
||||
Procedure :
|
||||
- Edit domains in the compose file
|
||||
- Edit AWS credentials in aws.ini file (generate using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html)
|
||||
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
|
||||
- When certificates are generated, run your services : `docker-compose up -d`
|
|
@ -0,0 +1,3 @@
|
|||
[default]
|
||||
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
|
||||
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
|
@ -0,0 +1,74 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- bw_data:/data
|
||||
- certs:/certs
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- USE_CUSTOM_HTTPS=yes
|
||||
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
|
||||
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app3.example.com_REVERSE_PROXY_URL=/
|
||||
- app3.example.com_REVERSE_PROXY_HOST=http://app3
|
||||
networks:
|
||||
- net_app1
|
||||
- net_app2
|
||||
- net_app3
|
||||
|
||||
mycertbot:
|
||||
image: certbot/dns-google
|
||||
environment:
|
||||
- DOMAINS=*.example.com,example.com
|
||||
- EMAIL=contact@example.com
|
||||
volumes:
|
||||
- certs:/etc/letsencrypt
|
||||
- ./aws.ini:/opt/aws.ini
|
||||
- ./entrypoint.sh:/opt/entrypoint.sh
|
||||
entrypoint: /bin/sh /opt/entrypoint.sh
|
||||
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app1
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app2
|
||||
|
||||
app3:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- net_app3
|
||||
|
||||
volumes:
|
||||
bw_data:
|
||||
certs:
|
||||
|
||||
networks:
|
||||
net_app1:
|
||||
net_app2:
|
||||
net_app3:
|
|
@ -0,0 +1,24 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo "Certbot started, domains = $DOMAINS"
|
||||
|
||||
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
|
||||
if [ "$EMAIL" = "" ] ; then
|
||||
EMAIL="contact@${first_domain}"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
|
||||
echo "Renewing certificates ..."
|
||||
certbot renew
|
||||
else
|
||||
echo "Asking for certificates ..."
|
||||
export AWS_CONFIG_FILE=/opt/aws.ini
|
||||
certbot certonly -n --dns-route53 --email "$EMAIL" --agree-tos -d "$DOMAINS"
|
||||
fi
|
||||
|
||||
echo "Fixing permissions ..."
|
||||
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
|
||||
|
||||
echo "Certbot ended, sleeping for 24 hours"
|
||||
|
||||
sleep 86400
|
|
@ -77,6 +77,9 @@ fi
|
|||
# generate final configuration
|
||||
export TEMP_NGINX="no"
|
||||
log "ENTRYPOINT" "ℹ️" "Generating configuration ..."
|
||||
if [ "$SWARM_MODE" = "yes" ] || [ "$KUBERNETES_MODE" = "yes" ] || [ "$AUTOCONF_MODE" = "yes" ] ; then
|
||||
export SERVER_NAME=
|
||||
fi
|
||||
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
|
||||
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
|
|
|
@ -10,7 +10,7 @@ RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build && \
|
|||
# Nginx
|
||||
RUN dnf update -y && \
|
||||
dnf install -y curl gnupg2 ca-certificates redhat-lsb-core && \
|
||||
dnf install nginx -y
|
||||
dnf install nginx-1.20.2 -y
|
||||
|
||||
# Copy dependencies sources folder
|
||||
COPY deps /tmp/bunkerweb/deps
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture x86_64
|
||||
--depends bash --depends epel-release --depends python39 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
|
||||
--depends bash --depends epel-release --depends python39 --depends 'nginx = 1:1.20.2-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
|
||||
--description "BunkerWeb %VERSION% for CentOS Stream 8"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture amd64
|
||||
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
|
||||
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~bullseye' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
|
||||
--description "BunkerWeb %VERSION% for Debian 11"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture x86_64
|
||||
--depends bash --depends python3 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
|
||||
--depends bash --depends python3 --depends 'nginx = 1:1.20.2-2.fc36' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
|
||||
--description "BunkerWeb %VERSION% for Fedora 36"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture amd64
|
||||
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
|
||||
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
|
||||
--description "BunkerWeb %VERSION% for Ubuntu 22.04"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
|
|
|
@ -11,7 +11,7 @@ function gen_package() {
|
|||
else
|
||||
type="deb"
|
||||
fi
|
||||
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest"
|
||||
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest" "$type"
|
||||
name="bunkerweb_${version}-1_amd64"
|
||||
if [ "$type" = "rpm" ] ; then
|
||||
name="bunkerweb-${version}-1.x86_64"
|
||||
|
|
Loading…
Reference in New Issue