librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

docs - last polish

This commit is contained in:
bunkerity 2021-08-11 16:26:35 +02:00
parent e98da9b637
commit 2f80f64dd5
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
4 changed files with 39 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -57,6 +57,7 @@ You can find a live demo at [https://demo-nginx.bunkerity.com](https://demo-ngin
- [Table of contents](#table-of-contents)
- [Integrations](#integrations)
* [Docker](#docker)
* [Docker autoconf](#docker-autoconf)
* [Swarm](#swarm)
* [Kubernetes](#kubernetes)
* [Linux](#linux)
@ -92,11 +93,15 @@ To use bunkerized-nginx as a Docker container you have to pass specific environm
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/docs/img/docker.png?raw=true" />
You will find more information about Docker integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker).
## Docker autoconf
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called bunkerized-nginx-autoconf which will listen for Docker events and automatically configure bunkerized-nginx instance in real time without recreating the container. Instead of defining environment variables for the bunkerized-nginx container, you simply add labels to your web services and bunkerized-nginx-autoconf will "automagically" take care of the rest.
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/docs/img/autoconf-docker.png?raw=true" />
You will find more information about Docker integration and Docker autoconf feature in the [documentation](#TODO).
You will find more information about Docker autoconf feature in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-autoconf).
## Swarm
@ -104,7 +109,7 @@ Using bunkerized-nginx in a Docker Swarm cluster requires a shared folder access
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/docs/img/swarm.png?raw=true" />
You will find more information about Docker Swarm integration in the [documentation](#TODO).
You will find more information about Docker Swarm integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-swarm).
## Kubernetes
@ -114,7 +119,7 @@ Using bunkerized-nginx in a Kubernetes cluster requires a shared folder accessib
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/docs/img/kubernetes.png?raw=true" />
You will find more information about Kubernetes integration in the [documentation](#TODO).
You will find more information about Kubernetes integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#kubernetes).
## Linux
@ -126,13 +131,13 @@ List of supported Linux distributions :
- CentOS 7
- Fedora 34
Unlike containers, Linux integration can be tedious because bunkerized-nginx has a bunch of dependencies that need to be installed before we can use it. Fortunately, we provide a [helper script](#TODO) to make the process easier and automatic. Once installed, the configuration is really simple, all you have to do is to edit the `/opt/bunkerized-nginx/variables.env` configuration file and run the `bunkerized-nginx` command to apply it.
Unlike containers, Linux integration can be tedious because bunkerized-nginx has a bunch of dependencies that need to be installed before we can use it. Fortunately, we provide a [helper script](https://github.com/bunkerity/bunkerized-nginx/blob/master/helpers/install.sh) to make the process easier and automatic. Once installed, the configuration is really simple, all you have to do is to edit the `/opt/bunkerized-nginx/variables.env` configuration file and run the `bunkerized-nginx` command to apply it.
You will find more information about Linux integration in the [documentation](#TODO).
You will find more information about Linux integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#linux).
# Configuration
The configuration is made through what we call "environment variables" as a form of key/value pairs. You will find the complete list in the [documentation](#TODO).
The configuration is made through what we call "environment variables" as a form of key/value pairs. You will find the [quickstart guide](https://bunkerized-nginx.readthedocs.io/en/latest/quickstart_guide.html) and the complete [list of environment variables](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html) in the documentation.
## Singlesite
@ -186,13 +191,13 @@ app2.example.com_REMOTE_PHP_PATH=/var/www/html
| cache | /cache (container)<br> /opt/bunkerized-nginx/plugins (Linux) | Placeholder for caching data like external blacklists. | No |
| acme-challenge | /acme-challenge (container)<br> /opt/bunkerized-nginx/acme-challenge (Linux) | Placeholder for Let's Encrypt challenges. | No |
You will find more information about the special folders in the [documentation](#TODO).
You will find more information about the special folders in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html).
# Web UI
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/docs/img/web-ui.gif?raw=true" />
You will find more information about the web UI in the [documentation](#TODO).
You will find more information about the web UI in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/web_ui.html).
# Security tuning

25
docs/plugins.md
View File

@ -1,10 +1,11 @@
# Plugins
Bunkerized-nginx comes with a plugin system that lets you extend the core with extra security features. To add a plugin you will need to download it, edit its settings and mount it to the `/plugins` volume.
Bunkerized-nginx comes with a plugin system that lets you extend the core with extra security features.
## Official plugins
- [ClamAV](https://github.com/bunkerity/bunkerized-nginx-clamav) : automatically scan uploaded files and deny access if a virus is detected
- [CrowdSec](https://github.com/bunkerity/bunkerized-nginx-crowdsec) : CrowdSec bouncer integration within bunkerized-nginx
## Community plugins
@ -13,9 +14,10 @@ If you have made a plugin and want it to be listed here, feel free to [create a
## Use a plugin
The generic way of using a plugin consists of :
- Download it to a folder (e.g. : myplugin/)
- Edit the settings inside the plugin.json files (e.g. : myplugin/plugin.json)
- Mount the plugin folder to the /plugins/plugin-id inside the container (e.g. : /where/is/myplugin:/plugins/myplugin)
- Download the plugin into your local drive (e.g., git clone)
- Edit the settings inside the plugin.json files (e.g., myplugin/plugin.json)
- If you are using a container based integration, you need to mount it to the [plugins special folder](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html#plugins) inside the container (e.g., /where/is/myplugin:/plugins/myplugin)
- If you are using Linux integration, copy the downloaded plugin folder to the [plugins special folder](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html#plugins) (e.g., cp -r myplugin /plugins)
To check if the plugin is loaded you should see log entries like that :
@ -52,6 +54,20 @@ Settings names and default values can be choosen freely. There will be no confli
local M = {}
local logger = require "logger"
-- this function will be called at startup
-- the name MUST be init without any argument
function M.init ()
-- the logger.log function lets you write into the logs
-- only ERROR level is available in init()
logger.log(ngx.ERR, "MyPlugin", "*NOT AN ERROR* init called")
-- here is how to retrieve a setting
local my_setting = ngx.shared.plugins_data:get("pluginid_MY_SETTING")
logger.log(ngx.ERR, "MyPlugin", "*NOT AN ERROR* my_setting = " .. my_setting)
return true
end
-- this function will be called for each request
-- the name MUST be check without any argument
function M.check ()
@ -66,7 +82,6 @@ function M.check ()
if my_setting == "block" then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
return M

2
docs/security_tuning.md
View File

@ -199,6 +199,8 @@ You can quickly protect sensitive resources (e.g. : admin panels) by requiring H
- `AUTH_BASIC_PASSWORD=changeme` : the password required
- `AUTH_BASIC_TEXT=Restricted area` : the text that will be displayed to the user
Please note that bunkerized-nginx also supports [Authelia](https://github.com/authelia/authelia) for authentication (see the corresponding [environment variables](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#authelia) and a [full example](https://github.com/bunkerity/bunkerized-nginx/tree/dev/examples/authelia)).
## Whitelisting
Adding extra security can sometimes trigger false positives. Also, it might be not useful to do the security checks for specific clients because we decided to trust them. Bunkerized-nginx supports two types of whitelist : by IP address and by reverse DNS.

6
docs/troubleshooting.md
View File

@ -2,13 +2,15 @@
## Logs
When troubleshooting, the logs are your best friends. We try our best to provide user-friendly logs to help you understand what happened. Please note that we don't store the logs inside the container, they are all displayed on stdout/stderr so Docker can capture them. They can be displayed using the [docker logs](https://docs.docker.com/engine/reference/commandline/logs/) command.
When troubleshooting, the logs are your best friends. We try our best to provide user-friendly logs to help you understand what happened.
If you are using container based integrations, you can get the logs using your manager/orchestrator (e.g., docker logs, docker service logs, kubectl logs, ...). For Linux integration, everything is stored inside the `/var/log` folder.
You can edit the `LOG_LEVEL` environment variable to increase or decrease the verbosity of logs with the following values : `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert` or `emerg` (with `debug` being the most verbose level).
## Permissions
Don't forget that bunkerized-nginx runs as an unprivileged user with UID/GID 101. Double check the permissions of files and folders for each volumes (see the [volumes list](https://bunkerized-nginx.readthedocs.io/en/latest/volumes.html)).
Don't forget that bunkerized-nginx runs as an unprivileged user with UID/GID 101 when using container based integrations or simply the `nginx` user on Linux. Double check the permissions of files and folders for each special folders (see the [volumes list](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html)).
## ModSecurity