librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

Merge branch 'dev' of https://github.com/bunkerity/bunkerized-nginx into dev

This commit is contained in:
TheophileDiot 2022-06-23 17:54:33 -04:00
parent 5ecf39ee02 ad091493c3
commit 2b43a9cbf5
38 changed files with 924 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
.github/workflows/dev.yml vendored
View File

@ -158,9 +158,141 @@ jobs:
cache-from: type=registry,ref=bunkerity/cache:bw-ui-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Build linux ubuntu
build-bw-ubuntu:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW ubuntu
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-ubuntu
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ubuntu-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ubuntu-cache,mode=min
# Build linux debian
build-bw-debian:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW debian
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-debian
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
cache-from: type=registry,ref=bunkerity/cache:bw-debian-cache
cache-to: type=registry,ref=bunkerity/cache:bw-debian-cache,mode=min
# Build linux centos
build-bw-centos:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW centos
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-centos
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
cache-from: type=registry,ref=bunkerity/cache:bw-centos-cache
cache-to: type=registry,ref=bunkerity/cache:bw-centos-cache,mode=min
# Build linux fedora
build-bw-fedora:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW fedora
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-fedora
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
cache-from: type=registry,ref=bunkerity/cache:bw-fedora-cache
cache-to: type=registry,ref=bunkerity/cache:bw-fedora-cache,mode=min
# Run tests
tests:
needs: build-bw-amd64
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
runs-on: [self-hosted, X64]
steps:

134
.github/workflows/prod.yml vendored
View File

@ -149,9 +149,133 @@ jobs:
tags: bunkerweb-ui-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Build linux ubuntu
build-bw-ubuntu:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW ubuntu
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-ubuntu
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
# Build linux debian
build-bw-debian:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW debian
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-debian
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
# Build linux centos
build-bw-centos:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW centos
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-centos
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
# Build linux fedora
build-bw-fedora:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW fedora
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-fedora
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
# Run tests
tests:
needs: build-bw-amd64
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
runs-on: [self-hosted, X64]
steps:
@ -185,6 +309,14 @@ jobs:
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest 10.20.1.1:5000/bw-autoconf-tests:latest && docker push 10.20.1.1:5000/bw-autoconf-tests:latest
- name: Import BW UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest 10.20.1.1:5000/bw-ui-tests:latest && docker push 10.20.1.1:5000/bw-ui-tests:latest
- name: Import Ubuntu image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest bw-ubuntu-tests:latest
- name: Import Debian image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest bw-debian-tests:latest
- name: Import Centos image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest bw-centos-tests:latest
- name: Import Fedora image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest bw-fedora-tests:latest
# CVE check on OS
- name: Check security vulnerabilities for BW

10
CHANGELOG.md
View File

@ -1,6 +1,16 @@
# Changelog
## v1.4.2 -
- Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
- Fix config files overwrite when using Docker autoconf
- Add log_default() plugin hook
- Add various certbot-dns examples
- Force NGINX version dependencies in Linux packages DEB/RPM
- Add Discord to supported plugins
## v1.4.1 - 2022/16/06
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
- Fix certbot bug when AUTOCONF_MODE=yes
- Fix certbot bug when MULTISITE=no

3
README.md
View File

@ -246,6 +246,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/latest/plugins) of the documentation.
@ -280,7 +281,7 @@ This project is licensed under the terms of the [GNU Affero General Public Licen
# Contribute
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/LICENSE.md) to get started.
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/CONTRIBUTING.md) to get started.
# Security policy

9
autoconf/Config.py
View File

@ -131,10 +131,11 @@ class Config(ApiCaller, ConfigCaller) :
self._set_apis(self.__get_apis())
# write configs
ret = self.__write_configs()
if not ret :
success = False
log("CONFIG", "", "saving custom configs failed, configuration will not work as expected...")
if configs != None :
ret = self.__write_configs()
if not ret :
success = False
log("CONFIG", "", "saving custom configs failed, configuration will not work as expected...")
# get env
env = self.__get_full_env()

2
autoconf/DockerController.py
View File

@ -43,7 +43,7 @@ class DockerController(Controller) :
raise("get_configs is not supported with DockerController")
def apply_config(self) :
return self._config.apply(self._instances, self._services, configs=self._configs)
return self._config.apply(self._instances, self._services)
def process_events(self) :
for event in self.__client.events(decode=True, filters={"type": "container"}) :

46
confs/default-server-http.conf
View File

@ -12,4 +12,50 @@ server {
# include custom default-server configurations
include /opt/bunkerweb/configs/default-server-http/*.conf;
log_by_lua_block {
local utils = require "utils"
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
logger.log(ngx.INFO, "LOG", "Log phase started")
-- List all plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
list = {}
end
-- Call log_default method of plugins
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.log_default ~= nil then
logger.log(ngx.INFO, "LOG", "Executing log_default() of " .. plugin.id)
local ok, err = plugin_obj:log_default()
if not ok then
logger.log(ngx.ERR, "LOG", "Error while calling log_default() on plugin " .. plugin.id .. " : " .. err)
else
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log_default() is : " .. err)
end
else
logger.log(ngx.INFO, "LOG", "log_default() method not found in " .. plugin.id .. ", skipped execution")
end
end
end
-- Display reason at info level
local reason = utils.get_reason()
if reason then
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
end
logger.log(ngx.INFO, "LOG", "Log phase ended")
}
}

33
core/bunkernet/bunkernet.lua
View File

@ -141,11 +141,13 @@ function _M:report(ip, reason, method, url, headers)
return self:request("POST", "/report", data)
end
function _M:log()
-- Check if BunkerNet is activated
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then
return true, "bunkernet not activated"
function _M:log(bypass_use_bunkernet)
if bypass_use_bunkernet then
-- Check if BunkerNet is activated
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then
return true, "bunkernet not activated"
end
end
-- Check if BunkerNet ID is generated
if not self.id then
@ -193,6 +195,27 @@ function _M:log()
return true, "created report timer"
end
function _M:log_default()
-- Check if bunkernet is activated
local check, err = utils.has_variable("USE_BUNKERNET", "yes")
if check == nil then
return false, "error while checking variable USE_BUNKERNET (" .. err .. ")"
end
if not check then
return true, "bunkernet not enabled"
end
-- Check if default server is disabled
local check, err = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
if check == nil then
return false, "error while getting variable DISABLE_DEFAULT_SERVER (" .. err .. ")"
end
if check ~= "yes" then
return true, "default server not disabled"
end
-- Call log method
return self:log(true)
end
function _M:access()
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then

59
core/bunkernet/confs/default-server-http/bunkernet.conf
View File

@ -1,59 +0,0 @@
log_by_lua_block {
local bunkernet = require "bunkernet.bunkernet"
local utils = require "utils"
local datastore = require "datastore"
local logger = require "logger"
local disable_default_server = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
local use_bunkernet = utils.has_variable("USE_BUNKERNET", "yes")
if disable_default_server == "yes" and use_bunkernet then
-- Instantiate bunkernet
local bnet, err = bunkernet.new()
if not bnet then
ngx.log(ngx.ERR, "BUNKERNET", "can't instantiate bunkernet " .. err)
return
end
-- Check if BunkerNet ID is generated
if not bnet.id then
return
end
-- Check if IP has been blocked
if ngx.status ~= ngx.HTTP_CLOSE then
return
end
-- Check if IP is global
local is_global, err = utils.ip_is_global(ngx.var.remote_addr)
if is_global == nil then
return
end
if not is_global then
return
end
-- Only report if it hasn't been reported for the same reason recently
local reported = datastore:get("plugin_bunkernet_cache_" .. ngx.var.remote_addr .. "default")
if reported then
return
end
-- report callback called in a light thread
local function report_callback(premature, obj, ip, reason, method, url, headers)
local ok, err, status, data = obj:report(ip, reason, method, url, headers)
if not ok then
logger.log(ngx.ERR, "BUNKERNET", "Can't report IP : " .. err)
elseif status ~= 200 then
logger.log(ngx.ERR, "BUNKERNET", "Error from remote server : " .. tostring(status))
else
logger.log(ngx.NOTICE, "BUNKERNET", "Successfully reported IP " .. ip .. " (reason : " .. reason .. ")")
local ok, err = datastore:set("plugin_bunkernet_cache_" .. ip .. reason, true, 3600)
if not ok then
logger.log(ngx.ERR, "BUNKERNET", "Can't store cached report : " .. err)
end
end
end
-- Set a timer at the end of log()
local hdr, err = ngx.timer.at(0, report_callback, bnet, ngx.var.remote_addr, "default", ngx.var.request_method, ngx.var.request_uri, ngx.req.get_headers())
if not hdr then
logger.log(ngx.ERR, "BUNKERNET", "can't create report timer : " .. err)
end
return
end
}

1
core/misc/confs/default-server-http/disable.conf
View File

@ -1,5 +1,6 @@
{% if DISABLE_DEFAULT_SERVER == "yes" +%}
location / {
set $reason "default";
return 444;
}
{% endif %}

9
docs/plugins.md
View File

@ -10,6 +10,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
## How to use a plugin
@ -242,16 +243,22 @@ function _M:log()
return true, "success"
end
function _M:log_default()
logger.log(ngx.NOTICE, "MYPLUGIN", "log_default called")
return true, "success"
end
return _M
```
The 3 functions `init`, `access`, and `log` are automatically called during specific contexts. Here are the details of each function :
The declared functions are automatically called during specific contexts. Here are the details of each function :
| Function | Context | Description | Return value |
| :------: | :--------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `init` | [init_by_lua](https://github.com/openresty/lua-nginx-module#init_by_lua) | Called when NGINX just started or received a reload order. the typical use case is to prepare any data that will be used by your plugin. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
| `access` | [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) | Called on each request received by the server. The typical use case is to do the security checks here and deny the request if needed. | `ret`, `err`, `return`, `status`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li><li>`return` (boolean) : true if you want to stop the access phase and send a status to the client</li><li>`status` (number) : the return value to set if `return` is set to true</li></ul> |
| `log` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Called when a request has finished (and before it gets logged to the access logs). The typical use case is to make stats or compute counters for example. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
| `log_default` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Same as `log` but only called on the default server. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
#### Libraries

7
examples/certbot-dns-cloudflare/README.md Normal file
View File

@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit CloudFlare credentials in cloudflare.ini file (generate using https://dash.cloudflare.com/?to=/:account/profile/api-tokens)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`

5
examples/certbot-dns-cloudflare/cloudflare.ini Normal file
View File

@ -0,0 +1,5 @@
# Cloudflare API token used by Certbot (recommended)
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef012345671
# Cloudflare API credentials used by Certbot (not recommended)
#dns_cloudflare_email = cloudflare@example.com
#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef012341

74
examples/certbot-dns-cloudflare/docker-compose.yml Normal file
View File

@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-cloudflare
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./cloudflare.ini:/opt/cloudflare.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:

23
examples/certbot-dns-cloudflare/entrypoint.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /opt/cloudflare.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400

7
examples/certbot-dns-digitalocean/README.md Normal file
View File

@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-digitalocean documentation](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit DigitalOcean credentials in digitalocean.ini file (generate using https://cloud.digitalocean.com/settings/api/tokens)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`

2
examples/certbot-dns-digitalocean/digitalocean.ini Normal file
View File

@ -0,0 +1,2 @@
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

74
examples/certbot-dns-digitalocean/docker-compose.yml Normal file
View File

@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-digitalocean
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./digitalocean.ini:/opt/digitalocean.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:

23
examples/certbot-dns-digitalocean/entrypoint.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400

7
examples/certbot-dns-google/README.md Normal file
View File

@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-google documentation](https://certbot-dns-google.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit Google credentials in google.json file (generate using https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`

74
examples/certbot-dns-google/docker-compose.yml Normal file
View File

@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-google
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./google.json:/opt/google.json
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:

23
examples/certbot-dns-google/entrypoint.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-google --dns-google-credentials /opt/google.json --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400

12
examples/certbot-dns-google/google.json Normal file
View File

@ -0,0 +1,12 @@
{
"type": "service_account",
"project_id": "...",
"private_key_id": "...",
"private_key": "...",
"client_email": "...",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "..."
}

7
examples/certbot-dns-ovh/README.md Normal file
View File

@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-ovh documentation](https://certbot-dns-ovh.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit OVH credentials in ovh.ini file (generate using https://eu.api.ovh.com/createToken/)
- Run certbot only and wait for certificate to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`

74
examples/certbot-dns-ovh/docker-compose.yml Normal file
View File

@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-ovh
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./ovh.ini:/opt/ovh.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:

23
examples/certbot-dns-ovh/entrypoint.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400

5
examples/certbot-dns-ovh/ovh.ini Normal file
View File

@ -0,0 +1,5 @@
# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

7
examples/certbot-dns-route53/README.md Normal file
View File

@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-route53 documentation](https://certbot-dns-route53.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit AWS credentials in aws.ini file (generate using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`

3
examples/certbot-dns-route53/aws.ini Normal file
View File

@ -0,0 +1,3 @@
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

74
examples/certbot-dns-route53/docker-compose.yml Normal file
View File

@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-google
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./aws.ini:/opt/aws.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:

24
examples/certbot-dns-route53/entrypoint.sh Normal file
View File

@ -0,0 +1,24 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
export AWS_CONFIG_FILE=/opt/aws.ini
certbot certonly -n --dns-route53 --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400

3
helpers/entrypoint.sh
View File

@ -77,6 +77,9 @@ fi
# generate final configuration
export TEMP_NGINX="no"
log "ENTRYPOINT" "" "Generating configuration ..."
if [ "$SWARM_MODE" = "yes" ] || [ "$KUBERNETES_MODE" = "yes" ] || [ "$AUTOCONF_MODE" = "yes" ] ; then
export SERVER_NAME=
fi
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
if [ "$?" -ne 0 ] ; then

2
linux/Dockerfile-fedora
View File

@ -10,7 +10,7 @@ RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build && \
# Nginx
RUN dnf update -y && \
dnf install -y curl gnupg2 ca-certificates redhat-lsb-core && \
dnf install nginx -y
dnf install nginx-1.20.2 -y
# Copy dependencies sources folder
COPY deps /tmp/bunkerweb/deps

2
linux/fpm-centos
View File

@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture x86_64
--depends bash --depends epel-release --depends python39 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
--depends bash --depends epel-release --depends python39 --depends 'nginx = 1:1.20.2-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
--description "BunkerWeb %VERSION% for CentOS Stream 8"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"

2
linux/fpm-debian
View File

@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture amd64
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~bullseye' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--description "BunkerWeb %VERSION% for Debian 11"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"

2
linux/fpm-fedora
View File

@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture x86_64
--depends bash --depends python3 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
--depends bash --depends python3 --depends 'nginx = 1:1.20.2-2.fc36' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
--description "BunkerWeb %VERSION% for Fedora 36"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"

2
linux/fpm-ubuntu
View File

@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture amd64
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--description "BunkerWeb %VERSION% for Ubuntu 22.04"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"

2
tests/linux.sh
View File

@ -11,7 +11,7 @@ function gen_package() {
else
type="deb"
fi
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest"
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest" "$type"
name="bunkerweb_${version}-1_amd64"
if [ "$type" = "rpm" ] ; then
name="bunkerweb-${version}-1.x86_64"