Merge pull request #507 from bunkerity/dev

Merge branch "dev" into branch "staging"
Théophile Diot 2023-05-26 16:39:10 -04:00 committed by GitHub
commit 4d6d95037a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
187 changed files with 2827 additions and 2247 deletions


@ -39,7 +39,7 @@ jobs:
id: scw
uses: scaleway/action-scw@bbcfd65cd2af73456ce439088e0d42c1657c4c38
with:
args: instance server create zone=fr-par-2 type=AMP2-C60 root-volume=block:50GB
args: instance server create zone=fr-par-2 type=AMP2-C48 root-volume=block:50GB
save-config: true
version: v2.13.0
access-key: ${{ secrets.SCW_ACCESS_KEY }}


@ -69,7 +69,7 @@ Learn more about the core security features in the [security tuning](https://doc
## Demo
<p align="center">
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://yt-embed.herokuapp.com/embed?v=ZhYV-QELzA4" /></a>
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://img.youtube.com/vi/ZhYV-QELzA4/0.jpg" /></a>
</p>
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
@ -348,4 +348,4 @@ If you would like to contribute to the plugins you can read the [contributing gu
# Security policy
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0/SECURITY.md) for more information.


@ -13,6 +13,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Coraza** | 1.0 | Inspect requests using a Core Rule Set and deny malicious ones. | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
## How to use a plugin
@ -275,30 +276,29 @@ A file named **plugin.json** and written at the root of the plugin folder must c
```json
{
"id": "myplugin",
"order": 42,
"name": "My Plugin",
"description": "Just an example plugin.",
"version": "1.0",
"id": "myplugin",
"name": "My Plugin",
"description": "Just an example plugin.",
"version": "1.0",
"stream": "partial",
"settings": {
"DUMMY_SETTING": {
"context": "multisite",
"default": "1234",
"help": "Here is the help of the setting.",
"id": "dummy-id",
"label": "Dummy setting",
"regex": "^.*$",
"type": "text"
}
},
"jobs": [
{
"name": "my-job",
"file": "my-job.py",
"every": "hour"
}
]
"settings": {
"DUMMY_SETTING": {
"context": "multisite",
"default": "1234",
"help": "Here is the help of the setting.",
"id": "dummy-id",
"label": "Dummy setting",
"regex": "^.*$",
"type": "text"
}
},
"jobs": [
{
"name": "my-job",
"file": "my-job.py",
"every": "hour"
}
]
}
```
@ -307,7 +307,6 @@ Here are the details of the fields :
| Field | Mandatory | Type | Description |
| :-----------: | :-------: | :----: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `id` | yes | string | Internal ID for the plugin : must be unique among other plugins (including "core" ones) and contain only lowercase chars. |
| `order` | yes | int | When the plugin should be executed during the access phase : `1` for whitelisting, `2` for blacklisting, `3` for "standard security feature" or `999` if your settings don't use the access phase. |
| `name` | yes | string | Name of your plugin. |
| `description` | yes | string | Description of your plugin. |
| `version` | yes | string | Version of your plugin. |


@ -61,6 +61,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
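Review bot: `LOG_LEVEL=warning` is added here without a comment saying what stops being logged at that level, and the same line is added to the matching service in the other example compose files of this commit. If this service is the Docker socket proxy, as the socket mount and `CONTAINERS=1` suggest, its per-request entries are probably emitted at info level and would no longer appear, which removes the record of which Docker API endpoints were called. I would add a trailing comment such as `# warning drops per-request logs; use info when auditing Docker API access` so operators make that trade-off knowingly. The service definition starts outside the hunk.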


@ -70,6 +70,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -41,6 +41,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -67,6 +67,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -55,6 +55,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -101,4 +102,4 @@ networks:
bw-services:
volumes:
bw-data:
bw-data:


@ -70,6 +70,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -35,7 +35,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
volumes:
db-data:


@ -45,6 +45,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -66,7 +67,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
networks:
- bw-services


@ -3,4 +3,4 @@ drupalPassword: "changeme42"
drupalEmail: "contact@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
deploy:
placement:
constraints:


@ -24,4 +24,4 @@ volumes:
networks:
bw-services:
external: true
name: bw-services
name: bw-services


@ -41,6 +41,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -3,4 +3,4 @@ ghostPassword: "changeme42"
ghostHost: "www.example.com"
mysql:
auth:
password: "changeme1337"
password: "changeme1337"


@ -45,6 +45,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -55,6 +55,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -36,7 +36,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
volumes:
joomla-data:


@ -45,6 +45,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -68,7 +69,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
networks:
- bw-services
volumes:


@ -3,4 +3,4 @@ joomlaPassword: "changeme42"
joomlaEmail: "contact@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -36,13 +36,12 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
external: true


@ -48,6 +48,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -55,7 +55,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
volumes:
magento-data:


@ -46,6 +46,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -85,7 +86,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
networks:
- bw-services


@ -7,4 +7,4 @@ magentoLastName: "Doe"
magentoAdminUri: "admin"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -50,7 +50,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
deploy:
placement:
constraints:


@ -61,6 +61,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -44,6 +44,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -13,10 +13,10 @@ services:
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
@ -36,10 +36,10 @@ services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci


@ -42,6 +42,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -53,10 +54,10 @@ services:
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
@ -69,10 +70,10 @@ services:
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
networks:


@ -4,4 +4,4 @@ moodlePassword: "changeme42"
moodleEmail: "admin@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -36,10 +36,10 @@ services:
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
deploy:


@ -56,7 +56,6 @@ services:
bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
mydb:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
@ -70,7 +69,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
volumes:
nc-files:


@ -71,6 +71,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -110,7 +111,6 @@ volumes:
db-data:
nc-files:
networks:
bw-universe:
ipam:


@ -48,7 +48,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
deploy:
placement:
constraints:


@ -13,7 +13,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -45,10 +45,10 @@ services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
volumes:
gpg-data:


@ -7,7 +7,7 @@ services:
- 80:8080
- 443:8443
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
@ -43,6 +43,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -58,7 +59,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -81,10 +82,10 @@ services:
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
networks:
- bw-services


@ -11,7 +11,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -45,10 +45,10 @@ services:
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
deploy:
placement:
constraints:


@ -48,6 +48,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -65,7 +66,6 @@ services:
volumes:
bw-data:
networks:
bw-universe:
ipam:


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -47,6 +47,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -45,6 +45,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -10,4 +10,4 @@ service:
type: ClusterIP
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -44,6 +44,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
volumes:
redmine-data:


@ -41,6 +41,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -65,7 +66,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
networks:
- bw-universe
- bw-services


@ -6,4 +6,4 @@ service:
type: ClusterIP
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
deploy:
placement:
constraints:


@ -44,6 +44,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -49,6 +49,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -42,6 +42,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,18 +50,19 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: istio/tcp-echo-server:1.2
command: [ "9000", "app1" ]
command: ["9000", "app1"]
networks:
- bw-services
app2:
image: istio/tcp-echo-server:1.2
command: [ "9000", "app2" ]
command: ["9000", "app2"]
networks:
- bw-services


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -40,6 +40,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -20,7 +20,8 @@ services:
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
- www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';
labels:
- "bunkerweb.INSTANCE"
networks:
@ -60,6 +61,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
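Review bot: The line `www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';`, which appears to be one of the two additions in the first hunk, uses a setting name that matches nothing else on this page. If the Content-Security-Policy setting is what was intended, the name should be confirmed (I would expect `www.example.com_CONTENT_SECURITY_POLICY`), because an unrecognised variable is presumably ignored and the header would never be sent. The value also restricts only plugin content and framing, so script sources stay unrestricted for the UI. If that is deliberate, a trailing comment such as `# minimal CSP for the UI: only object-src and frame-ancestors are restricted` would keep readers from copying it as a complete policy.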


@ -43,7 +43,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
volumes:
wp-data:


@ -42,6 +42,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -66,7 +67,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
networks:
- bw-services


@ -34,7 +34,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
deploy:
placement:
constraints:


@ -8,4 +8,4 @@ wordpressTablePrefix: "changeme_"
wordpressScheme: "https"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -50,6 +50,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -44,6 +44,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -34,6 +34,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -44,6 +44,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -34,6 +34,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -45,6 +45,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -34,6 +34,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -41,6 +41,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -34,6 +34,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker


@ -51,6 +51,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -55,6 +55,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -51,6 +51,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -51,6 +51,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -51,6 +51,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -51,6 +51,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:


@ -1,13 +1,21 @@
from os import getenv
from time import sleep
#!/usr/bin/python3
from ConfigCaller import ConfigCaller
from Database import Database
from logger import setup_logger
from os import getenv
from threading import Lock
from time import sleep
from typing import Literal, Optional, Union
from ConfigCaller import ConfigCaller # type: ignore
from Database import Database # type: ignore
from logger import setup_logger # type: ignore
class Config(ConfigCaller):
def __init__(self, ctrl_type, lock=None):
def __init__(
self,
ctrl_type: Union[Literal["docker"], Literal["swarm"], Literal["kubernetes"]],
lock: Optional[Lock] = None,
):
super().__init__()
self.__ctrl_type = ctrl_type
self.__lock = lock
@ -77,6 +85,9 @@ class Config(ConfigCaller):
)
sleep(5)
if self.__lock:
self.__lock.acquire()
# update instances in database
err = self._db.update_instances(self.__instances)
if err:
@ -98,4 +109,7 @@ class Config(ConfigCaller):
f"Can't save autoconf custom configs in database: {err}, custom configs may not work as expected",
)
if self.__lock:
self.__lock.release()
return success
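Review bot: The lock taken by the new `self.__lock.acquire()` is released only on the straight-line path to `return success`. Any exception raised in between, by `self._db.update_instances(...)` or the saves after it, leaves the lock held and blocks every other thread that shares it. Put the guarded section in a `try:` block with `if self.__lock: self.__lock.release()` in its `finally:`, or bind `lock = self.__lock or nullcontext()` (from `contextlib`) and use `with lock:`, so the release is unconditional. The method starts outside these hunks and most of its body is not shown, so I cannot tell whether an early return also sits between the two calls; if one does, it has the same problem.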


@ -1,14 +1,22 @@
#!/usr/bin/python3
from abc import ABC, abstractmethod
from os import getenv
from threading import Lock
from time import sleep
from typing import Literal, Optional, Union
from Config import Config
from logger import setup_logger
from logger import setup_logger # type: ignore
class Controller(ABC):
def __init__(self, ctrl_type, lock=None):
def __init__(
self,
ctrl_type: Union[Literal["docker"], Literal["swarm"], Literal["kubernetes"]],
lock: Optional[Lock] = None,
):
self._type = ctrl_type
self._instances = []
self._services = []
@ -27,7 +35,7 @@ class Controller(ABC):
self._config = Config(ctrl_type, lock)
self.__logger = setup_logger("Controller", getenv("LOG_LEVEL", "INFO"))
def wait(self, wait_time):
def wait(self, wait_time: int) -> list:
all_ready = False
while not all_ready:
self._instances = self.get_instances()
@ -59,8 +67,7 @@ class Controller(ABC):
def get_instances(self):
instances = []
for controller_instance in self._get_controller_instances():
for instance in self._to_instances(controller_instance):
instances.append(instance)
instances.extend(self._to_instances(controller_instance))
return instances
@abstractmethod
@ -86,10 +93,8 @@ class Controller(ABC):
def get_services(self):
services = []
for controller_service in self._get_controller_services():
for service in self._to_services(controller_service):
services.append(service)
for static_service in self._get_static_services():
services.append(static_service)
services.extend(self._to_services(controller_service))
services.extend(self._get_static_services())
return services
@abstractmethod
@ -106,8 +111,8 @@ class Controller(ABC):
def _is_service_present(self, server_name):
for service in self._services:
if not "SERVER_NAME" in service or service["SERVER_NAME"] == "":
if not "SERVER_NAME" in service or not service["SERVER_NAME"]:
continue
if server_name == service["SERVER_NAME"].split(" ")[0]:
if server_name == service["SERVER_NAME"].strip().split(" ")[0]:
return True
return False
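Review bot: In `_is_service_present`, the new `.strip().split(" ")[0]` still splits only on a literal space, so a `SERVER_NAME` whose names are separated by a tab or newline yields the whole string as its first token and never matches. Calling `split()` with no argument covers every whitespace separator and makes the `strip()` unnecessary: `names = service.get("SERVER_NAME", "").split()` followed by `if names and server_name == names[0]:`. That form also replaces the `not "SERVER_NAME" in service or not service["SERVER_NAME"]` guard with a single lookup.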


@ -1,11 +1,15 @@
#!/usr/bin/python3
from os import getenv
from typing import Any, Dict, List
from docker import DockerClient
from re import compile as re_compile
from traceback import format_exc
from docker.models.containers import Container
from Controller import Controller
from ConfigCaller import ConfigCaller
from logger import setup_logger
from ConfigCaller import ConfigCaller # type: ignore
from logger import setup_logger # type: ignore
class DockerController(Controller, ConfigCaller):
@ -18,13 +22,13 @@ class DockerController(Controller, ConfigCaller):
r"^bunkerweb.CUSTOM_CONF_(SERVER_HTTP|MODSEC_CRS|MODSEC)_(.+)$"
)
def _get_controller_instances(self):
def _get_controller_instances(self) -> List[Container]:
return self.__client.containers.list(filters={"label": "bunkerweb.INSTANCE"})
def _get_controller_services(self):
def _get_controller_services(self) -> List[Container]:
return self.__client.containers.list(filters={"label": "bunkerweb.SERVER_NAME"})
def _to_instances(self, controller_instance):
def _to_instances(self, controller_instance) -> List[dict]:
instance = {}
instance["name"] = controller_instance.name
instance["hostname"] = controller_instance.name
@ -40,18 +44,18 @@ class DockerController(Controller, ConfigCaller):
instance["env"][variable] = value
return [instance]
def _to_services(self, controller_service):
def _to_services(self, controller_service) -> List[dict]:
service = {}
for variable, value in controller_service.labels.items():
if not variable.startswith("bunkerweb."):
continue
real_variable = variable.replace("bunkerweb.", "", 1)
if not self._is_multisite_setting(real_variable):
if not self._is_setting_context(real_variable, "multisite"):
continue
service[real_variable] = value
return [service]
def _get_static_services(self):
def _get_static_services(self) -> List[dict]:
services = []
variables = {}
for instance in self.__client.containers.list(
@ -71,14 +75,14 @@ class DockerController(Controller, ConfigCaller):
for variable, value in variables.items():
prefix = variable.split("_")[0]
real_variable = variable.replace(f"{prefix}_", "", 1)
if prefix == server_name and self._is_multisite_setting(
real_variable
if prefix == server_name and self._is_setting_context(
real_variable, "multisite"
):
service[real_variable] = value
services.append(service)
return services
def get_configs(self):
def get_configs(self) -> Dict[str, Dict[str, Any]]:
configs = {config_type: {} for config_type in self._supported_config_types}
# get site configs from labels
for container in self.__client.containers.list(
@ -106,7 +110,7 @@ class DockerController(Controller, ConfigCaller):
] = value
return configs
def apply_config(self):
def apply_config(self) -> bool:
return self._config.apply(
self._instances, self._services, configs=self._configs
)
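Review bot: In `_get_static_services`, the per-site match `prefix == server_name` still depends on `prefix = variable.split("_")[0]`, so a server name that itself contains an underscore can never match and its site-specific settings are dropped without any warning. For a WAF that presumably means the site runs with the global values instead of the ones the operator set for it. The annotation path in `IngressController._to_services` already tests `variable.startswith(f"{server_name}_")`, and the same test would work here: `if variable.startswith(f"{server_name}_") and self._is_setting_context(variable.replace(f"{server_name}_", "", 1), "multisite"):`. The `_get_static_services` hunks of `IngressController` and `SwarmController` carry the same pattern, and the function body starts outside this hunk.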


@ -60,7 +60,7 @@ RUN apk add --no-cache bash && \
chmod 750 /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/bin/bwcli /usr/share/bunkerweb/autoconf/main.py /usr/share/bunkerweb/deps/python/bin/*
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"
# There are no CVEs for python:3.11.3-alpine at the moment
VOLUME /data /etc/nginx
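Review bot: The comment `# There are no CVEs for python:3.11.3-alpine at the moment` is a point-in-time statement with no date or scan reference, and it appears to replace the `apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"` floor (the sides are inferred from the 7/7 hunk counts, since the page lost its +/- markers). Once the base image ages, the comment will read as an assurance that nobody re-checked. I would date it and name the check behind it, for example `# No known CVEs in python:3.11.3-alpine as of <DATE> (<SCANNER> report) - re-check on every base image bump`.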


@ -1,13 +1,16 @@
#!/usr/bin/python3
from os import getenv
from time import sleep
from traceback import format_exc
from typing import List
from kubernetes import client, config, watch
from kubernetes.client.exceptions import ApiException
from threading import Thread, Lock
from Controller import Controller
from ConfigCaller import ConfigCaller
from logger import setup_logger
from ConfigCaller import ConfigCaller # type: ignore
from logger import setup_logger # type: ignore
class IngressController(Controller, ConfigCaller):
@ -20,7 +23,7 @@ class IngressController(Controller, ConfigCaller):
self.__internal_lock = Lock()
self.__logger = setup_logger("Ingress-controller", getenv("LOG_LEVEL", "INFO"))
def _get_controller_instances(self):
def _get_controller_instances(self) -> list:
return [
pod
for pod in self.__corev1.list_pod_for_all_namespaces(watch=False).items
@ -30,7 +33,7 @@ class IngressController(Controller, ConfigCaller):
)
]
def _to_instances(self, controller_instance):
def _to_instances(self, controller_instance) -> List[dict]:
instance = {}
instance["name"] = controller_instance.metadata.name
instance["hostname"] = controller_instance.status.pod_ip
@ -48,7 +51,9 @@ class IngressController(Controller, ConfigCaller):
pod = container
break
if not pod:
self.__logger.warning(f"Missing container bunkerweb in pod {controller_instance.metadata.name}")
self.__logger.warning(
f"Missing container bunkerweb in pod {controller_instance.metadata.name}"
)
else:
for env in pod.env:
instance["env"][env.name] = env.value or ""
@ -65,10 +70,10 @@ class IngressController(Controller, ConfigCaller):
instance["env"][variable] = value
return [instance]
def _get_controller_services(self):
def _get_controller_services(self) -> list:
return self.__networkingv1.list_ingress_for_all_namespaces(watch=False).items
def _to_services(self, controller_service):
def _to_services(self, controller_service) -> List[dict]:
if not controller_service.spec or not controller_service.spec.rules:
return []
@ -145,15 +150,15 @@ class IngressController(Controller, ConfigCaller):
continue
variable = annotation.replace("bunkerweb.io/", "", 1)
server_name = service["SERVER_NAME"].split(" ")[0]
server_name = service["SERVER_NAME"].strip().split(" ")[0]
if not variable.startswith(f"{server_name}_"):
continue
variable = variable.replace(f"{server_name}_", "", 1)
if self._is_multisite_setting(variable):
if self._is_setting_context(variable, "multisite"):
service[variable] = value
return services
def _get_static_services(self):
def _get_static_services(self) -> List[dict]:
services = []
variables = {}
for instance in self.__corev1.list_pod_for_all_namespaces(watch=False).items:
@ -168,12 +173,10 @@ class IngressController(Controller, ConfigCaller):
if container.name == "bunkerweb":
pod = container
break
if not pod :
if not pod:
continue
variables = {
env.name: env.value or "" for env in pod.env
}
variables = {env.name: env.value or "" for env in pod.env}
if "SERVER_NAME" in variables and variables["SERVER_NAME"].strip():
for server_name in variables["SERVER_NAME"].strip().split(" "):
@ -181,14 +184,14 @@ class IngressController(Controller, ConfigCaller):
for variable, value in variables.items():
prefix = variable.split("_")[0]
real_variable = variable.replace(f"{prefix}_", "", 1)
if prefix == server_name and self._is_multisite_setting(
real_variable
if prefix == server_name and self._is_setting_context(
real_variable, "multisite"
):
service[real_variable] = value
services.append(service)
return services
def get_configs(self):
def get_configs(self) -> dict:
configs = {config_type: {} for config_type in self._supported_config_types}
for configmap in self.__corev1.list_config_map_for_all_namespaces(
watch=False
@ -302,7 +305,7 @@ class IngressController(Controller, ConfigCaller):
self.__logger.warning("Got exception, retrying in 10 seconds ...")
sleep(10)
def apply_config(self):
def apply_config(self) -> bool:
return self._config.apply(
self._instances, self._services, configs=self._configs
)
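Review bot: `variables = {env.name: env.value or "" for env in pod.env}` in `_get_static_services` iterates `pod.env` directly, and the Kubernetes Python client leaves `env` as `None` when a container declares no environment variables, which would raise `TypeError` here. The same applies to `for env in pod.env:` in the `_to_instances` hunk. Pods are listed across all namespaces, so a single `bunkerweb` container without an `env` list could abort the whole discovery pass; how the exception is handled is outside these hunks. Guarding both loops with `for env in pod.env or []` keeps discovery going.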


@ -1,13 +1,17 @@
#!/usr/bin/python3
from os import getenv
from time import sleep
from traceback import format_exc
from threading import Thread, Lock
from typing import Any, Dict, List
from docker import DockerClient
from base64 import b64decode
from docker.models.services import Service
from Controller import Controller
from ConfigCaller import ConfigCaller
from logger import setup_logger
from ConfigCaller import ConfigCaller # type: ignore
from logger import setup_logger # type: ignore
class SwarmController(Controller, ConfigCaller):
@ -18,13 +22,13 @@ class SwarmController(Controller, ConfigCaller):
self.__internal_lock = Lock()
self.__logger = setup_logger("Swarm-controller", getenv("LOG_LEVEL", "INFO"))
def _get_controller_instances(self):
def _get_controller_instances(self) -> List[Service]:
return self.__client.services.list(filters={"label": "bunkerweb.INSTANCE"})
def _get_controller_services(self):
def _get_controller_services(self) -> List[Service]:
return self.__client.services.list(filters={"label": "bunkerweb.SERVER_NAME"})
def _to_instances(self, controller_instance):
def _to_instances(self, controller_instance) -> List[dict]:
instances = []
instance_env = {}
for env in controller_instance.attrs["Spec"]["TaskTemplate"]["ContainerSpec"][
@ -48,18 +52,18 @@ class SwarmController(Controller, ConfigCaller):
)
return instances
def _to_services(self, controller_service):
def _to_services(self, controller_service) -> List[dict]:
service = {}
for variable, value in controller_service.attrs["Spec"]["Labels"].items():
if not variable.startswith("bunkerweb."):
continue
real_variable = variable.replace("bunkerweb.", "", 1)
if not self._is_multisite_setting(real_variable):
if not self._is_setting_context(real_variable, "multisite"):
continue
service[real_variable] = value
return [service]
def _get_static_services(self):
def _get_static_services(self) -> List[dict]:
services = []
variables = {}
for instance in self.__client.services.list(
@ -81,14 +85,14 @@ class SwarmController(Controller, ConfigCaller):
for variable, value in variables.items():
prefix = variable.split("_")[0]
real_variable = variable.replace(f"{prefix}_", "", 1)
if prefix == server_name and self._is_multisite_setting(
real_variable
if prefix == server_name and self._is_setting_context(
real_variable, "multisite"
):
service[real_variable] = value
services.append(service)
return services
def get_configs(self):
def get_configs(self) -> Dict[str, Dict[str, Any]]:
configs = {}
for config_type in self._supported_config_types:
configs[config_type] = {}
@ -127,7 +131,7 @@ class SwarmController(Controller, ConfigCaller):
)
return configs
def apply_config(self):
def apply_config(self) -> bool:
return self._config.apply(
self._instances, self._services, configs=self._configs
)


@ -1,21 +1,20 @@
#!/usr/bin/python3
from os import _exit, getenv
from os import _exit, getenv, sep
from os.path import join
from signal import SIGINT, SIGTERM, signal
from sys import exit as sys_exit, path as sys_path
from traceback import format_exc
from pathlib import Path
sys_path.extend(
(
"/usr/share/bunkerweb/deps/python",
"/usr/share/bunkerweb/utils",
"/usr/share/bunkerweb/api",
"/usr/share/bunkerweb/db",
)
)
for deps_path in [
join(sep, "usr", "share", "bunkerweb", *paths)
for paths in (("deps", "python"), ("utils",), ("api",), ("db",))
]:
if deps_path not in sys_path:
sys_path.append(deps_path)
from logger import setup_logger
from logger import setup_logger # type: ignore
from SwarmController import SwarmController
from IngressController import IngressController
from DockerController import DockerController
@ -70,12 +69,11 @@ try:
_exit(1)
# Process events
Path("/var/tmp/bunkerweb/autoconf.healthy").write_text("ok")
Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy").write_text("ok")
logger.info("Processing events ...")
controller.process_events()
except:
logger.error(f"Exception while running autoconf :\n{format_exc()}")
sys_exit(1)
finally:
Path("/var/tmp/bunkerweb/autoconf.healthy").unlink(missing_ok=True)
Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy").unlink(missing_ok=True)
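Review bot: The health-file path `Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy")` is spelled out twice, once for `write_text` and once in the `finally` for `unlink`, and the `sep`-joined form is harder to grep than the literal it replaces while the paths stay Linux-only. A module constant keeps the two uses from drifting apart: `HEALTHY_PATH = Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy")`, then `HEALTHY_PATH.write_text("ok")` and `HEALTHY_PATH.unlink(missing_ok=True)`. The section that defines `class CLI(ApiCaller)` has the same duplication, where `join(sep, "usr", "share", "bunkerweb", "utils")` is built once for the membership test and again for the append. The `try` block starts outside this hunk.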


@ -69,7 +69,7 @@ RUN apk add --no-cache pcre bash python3 && \
ln -s /proc/1/fd/1 /var/log/nginx/access.log
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0"
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2"
VOLUME /data /etc/nginx


@ -1,52 +1,48 @@
#!/usr/bin/python3
from typing import Literal, Optional, Union
from requests import request
class API:
def __init__(self, endpoint, host="bwapi"):
def __init__(self, endpoint: str, host: str = "bwapi"):
self.__endpoint = endpoint
self.__host = host
def get_endpoint(self):
def get_endpoint(self) -> str:
return self.__endpoint
def get_host(self):
def get_host(self) -> str:
return self.__host
def request(self, method, url, data=None, files=None, timeout=(10, 30)):
def request(
self,
method: Union[Literal["POST"], Literal["GET"]],
url: str,
data: Optional[Union[dict, bytes]] = None,
files=None,
timeout=(10, 30),
) -> tuple[bool, str, Optional[int], Optional[dict]]:
try:
headers = {}
headers["User-Agent"] = "bwapi"
headers["Host"] = self.__host
kwargs = {}
if isinstance(data, dict):
resp = request(
method,
f"{self.__endpoint}{url}",
json=data,
timeout=timeout,
headers=headers,
)
kwargs["json"] = data
elif isinstance(data, bytes):
resp = request(
method,
f"{self.__endpoint}{url}",
data=data,
timeout=timeout,
headers=headers,
)
elif files:
resp = request(
method,
f"{self.__endpoint}{url}",
files=files,
timeout=timeout,
headers=headers,
)
elif not data:
resp = request(
method, f"{self.__endpoint}{url}", timeout=timeout, headers=headers
)
else:
return False, "unsupported data type", None, None
kwargs["data"] = data
elif data is not None:
return False, f"Unsupported data type: {type(data)}", None, None
if files:
kwargs["files"] = files
resp = request(
method,
f"{self.__endpoint}{url}",
timeout=timeout,
headers={"User-Agent": "bwapi", "Host": self.__host},
**kwargs,
)
except Exception as e:
return False, str(e), None, None
return False, f"Request failed: {e}", None, None
return True, "ok", resp.status_code, resp.json()
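Review bot: In `request`, the final `return True, "ok", resp.status_code, resp.json()` appears to sit after the `try`/`except` (indentation is lost on this page), so a reply whose body is not valid JSON raises out of a method that otherwise reports every failure through its result tuple. Callers that only inspect the first element would then get an unhandled exception from an error page or an empty body instead of `False`. Decoding inside a guard keeps the contract, with a handler such as `except ValueError: return False, "Response is not valid JSON", resp.status_code, None`. Separately, `resp.json()` can return a list, which the `Optional[dict]` in the new return annotation does not cover.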


@ -1,17 +1,20 @@
from os import getenv
#!/usr/bin/python3
from dotenv import dotenv_values
from os import getenv, sep
from os.path import join
from pathlib import Path
from redis import StrictRedis
from sys import path as sys_path
from typing import Tuple
if "/usr/share/bunkerweb/utils" not in sys_path:
sys_path.append("/usr/share/bunkerweb/utils")
if join(sep, "usr", "share", "bunkerweb", "utils") not in sys_path:
sys_path.append(join(sep, "usr", "share", "bunkerweb", "utils"))
from API import API
from ApiCaller import ApiCaller
from logger import setup_logger
from API import API # type: ignore
from ApiCaller import ApiCaller # type: ignore
from logger import setup_logger # type: ignore
def format_remaining_time(seconds):
@ -37,14 +40,15 @@ def format_remaining_time(seconds):
class CLI(ApiCaller):
def __init__(self):
self.__logger = setup_logger("CLI", getenv("LOG_LEVEL", "INFO"))
db_path = Path(sep, "usr", "share", "bunkerweb", "db")
if not Path("/usr/share/bunkerweb/db").is_dir():
self.__variables = dotenv_values("/etc/nginx/variables.env")
if not db_path.is_dir():
self.__variables = dotenv_values(join(sep, "etc", "nginx", "variables.env"))
else:
if "/usr/share/bunkerweb/db" not in sys_path:
sys_path.append("/usr/share/bunkerweb/db")
if str(db_path) not in sys_path:
sys_path.append(str(db_path))
from Database import Database
from Database import Database # type: ignore
db = Database(
self.__logger,
@ -110,7 +114,7 @@ class CLI(ApiCaller):
)
self.__use_redis = False
if not Path("/usr/share/bunkerweb/db").is_dir() or self.__integration not in (
if not db_path.is_dir() or self.__integration not in (
"kubernetes",
"swarm",
"autoconf",
@ -129,18 +133,17 @@ class CLI(ApiCaller):
self.auto_setup(self.__integration)
def __detect_integration(self) -> str:
integration_path = Path(sep, "usr", "share", "bunkerweb", "INTEGRATION")
os_release_path = Path(sep, "etc", "os-release")
if self.__variables.get("KUBERNETES_MODE", "no").lower() == "yes":
return "kubernetes"
elif self.__variables.get("SWARM_MODE", "no").lower() == "yes":
return "swarm"
elif self.__variables.get("AUTOCONF_MODE", "no").lower() == "yes":
return "autoconf"
elif Path("/usr/share/bunkerweb/INTEGRATION").is_file():
return Path("/usr/share/bunkerweb/INTEGRATION").read_text().strip().lower()
elif (
Path("/etc/os-release").is_file()
and "Alpine" in Path("/etc/os-release").read_text()
):
elif integration_path.is_file():
return integration_path.read_text().strip().lower()
elif os_release_path.is_file() and "Alpine" in os_release_path.read_text():
return "docker"
return "linux"


@ -1,20 +1,19 @@
#!/usr/bin/env python3
#!/usr/bin/python3
from argparse import ArgumentParser
from os import _exit, getenv
from sys import exit as sys_exit, path
from os import _exit, getenv, sep
from os.path import join
from sys import exit as sys_exit, path as sys_path
from traceback import format_exc
path.extend(
(
"/usr/share/bunkerweb/deps/python",
"/usr/share/bunkerweb/cli",
"/usr/share/bunkerweb/utils",
"/usr/share/bunkerweb/api",
)
)
for deps_path in [
join(sep, "usr", "share", "bunkerweb", *paths)
for paths in (("deps", "python"), ("utils",), ("api",), ("db",))
]:
if deps_path not in sys_path:
sys_path.append(deps_path)
from logger import setup_logger
from logger import setup_logger # type: ignore
from CLI import CLI
if __name__ == "__main__":
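Review bot: The new `sys_path` loop lists `("deps", "python"), ("utils",), ("api",), ("db",)`, while the tuple it replaces contained `/usr/share/bunkerweb/cli` and no `db` entry, so the directory that holds `CLI` is no longer added explicitly. `from CLI import CLI` then relies on Python putting the script's own directory on `sys.path`, which holds when the file is run as a script but not when it is imported or launched some other way. The list is identical to the one in the autoconf entry point, so this looks like a copy; if `cli` was meant to stay, add `("cli",)` to the tuple. The `if __name__ == "__main__":` body continues outside this hunk.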
