cors - init work on core plugin for CORS
This commit is contained in:
florian
parent
97e607110c
commit
7b769361af
|
|
@ -8,7 +8,7 @@
|
|||
- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value
|
||||
- Add DENY_HTTP_STATUS setting to choose standard 403 error (default) or to close connection (444) when access is denied
|
||||
- Add documentation about Docker in rootless mode and podman
|
||||
- Migrate CI/CD to another provider
|
||||
- Migrate CI/CD infrastructure to another provider
|
||||
|
||||
## v1.4.2 - 2022/06/28
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
{% if USE_CORS == "yes" +%}
|
||||
{% if CORS_ALLOW_ORIGIN != "" %}add_header Access-Control-Allow-Origin '{{ CORS_ALLOW_ORIGIN }}' always;{% endif %}
|
||||
{% if CORS_EXPOSE_HEADERS != "" %}add_header Access-Control-Expose-Headers '{{ CORS_EXPOSE_HEADERS }}' always;{% endif %}
|
||||
{% if CORS_ALLOW_CREDENTIALS != "no" %}add_header Access-Control-Allow-Credentials true always;{% endif %}
|
||||
if ($request_method == 'OPTIONS') {
|
||||
{% if CORS_MAX_AGE != "no" %}add_header Access-Control-Max-Age '{{ CORS_MAX_AGE }}' always;{% endif %}
|
||||
{% if CORS_ALLOW_METHODS != "no" %}add_header Access-Control-Allow-Methods '{{ CORS_ALLOW_METHODS }}' always;{% endif %}
|
||||
{% if CORS_ALLOW_HEADERS != "no" %}add_header Access-Control-Allow-Headers '{{ CORS_ALLOW_Headers }}' always;{% endif %}
|
||||
add_header Content-Type 'text/plain; charset=utf-8';
|
||||
add_header Content-Length 0;
|
||||
return 204;
|
||||
}
|
||||
{% endif %}
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
{
|
||||
"id": "cors",
|
||||
"order": 999,
|
||||
"name": "CORS",
|
||||
"description": "Cross-Origin Resource Sharing.",
|
||||
"version": "0.1",
|
||||
"settings": {
|
||||
"USE_CORS": {
|
||||
"context": "multisite",
|
||||
"default": "no",
|
||||
"help": "Use CORS",
|
||||
"id": "use-cors",
|
||||
"label": "Use CORS",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "check"
|
||||
},
|
||||
"CORS_ALLOW_ORIGIN": {
|
||||
"context": "multisite",
|
||||
"default": "*",
|
||||
"help": "Value of the Access-Control-Allow-Origin header.",
|
||||
"id": "cors-allow-origin",
|
||||
"label": "Access-Control-Allow-Origin value",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
},
|
||||
"CORS_EXPOSE_HEADERS": {
|
||||
"context": "multisite",
|
||||
"default": "Content-Length,Content-Range",
|
||||
"help": "Value of the Access-Control-Expose-Headers header.",
|
||||
"id": "cors-expose-headers",
|
||||
"label": "Access-Control-Expose-Headers value",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
},
|
||||
"CORS_MAX_AGE": {
|
||||
"context": "multisite",
|
||||
"default": "86400",
|
||||
"help": "Value of the Access-Control-Max-Age header.",
|
||||
"id": "cors-max-age",
|
||||
"label": "Access-Control-Max-Age value",
|
||||
"regex": "^[0-9]+$",
|
||||
"type": "text"
|
||||
},
|
||||
"CORS_ALLOW_CREDENTIALS": {
|
||||
"context": "multisite",
|
||||
"default": "no",
|
||||
"help": "Send the Access-Control-Allow-Credentials header.",
|
||||
"id": "cors-allow-credentials",
|
||||
"label": "Send Access-Control-Allow-Credentials",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "check"
|
||||
},
|
||||
"CORS_ALLOW_METHODS": {
|
||||
"context": "multisite",
|
||||
"default": "GET, POST, OPTIONS",
|
||||
"help": "Value of the Access-Control-Allow-Methods header.",
|
||||
"id": "cors-allow-methods",
|
||||
"label": "Access-Control-Allow-Methods value",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
},
|
||||
"CORS_ALLOW_HEADERS": {
|
||||
"context": "multisite",
|
||||
"default": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
|
||||
"help": "Value of the Access-Control-Allow-Headers header.",
|
||||
"id": "cors-allow-headers",
|
||||
"label": "Access-Control-Allow-Headers value",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -828,7 +828,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
|
||||
Once dependencies had been installed, you can now copy the BunkerWeb sources to the target `/opt/bunkerweb` folder :
|
||||
```shell
|
||||
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/bunkerweb-ui.env linux/scripts ; do
|
||||
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/ui.env linux/scripts ; do
|
||||
cp -r /tmp/bunkerweb/${src} /opt/bunkerweb
|
||||
done
|
||||
cp /opt/bunkerweb/helpers/bwcli /usr/local/bin
|
||||
|
|
|
|||
|
|
@ -69,6 +69,20 @@ Various security headers are available and most of them can be set using BunkerW
|
|||
| `X-Content-Type-Options` | `X_CONTENT_TYPE_OPTIONS` | `nosniff` |
|
||||
| `X-XSS-Protection` | `X_XSS_PROTECTION` | `1; mode=block` |
|
||||
|
||||
#### CORS
|
||||
|
||||
[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](https://docs.bunkerweb.io/1.4/security-tuning/#allowed-methods)). Here is the list of settings related to CORS :
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------|------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Value of the Access-Control-Allow-Origin header. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header.|
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|
||||
## HTTPS
|
||||
|
||||
Besides the HTTPS configuration, the following settings related to HTTPS can be set :
|
||||
|
|
|
|||
|
|
@ -104,6 +104,18 @@ When settings are considered as "multiple", it means that you can have multiple
|
|||
|`USE_BUNKERNET` |`yes` |multisite|no |Activate BunkerNet feature. |
|
||||
|`BUNKERNET_SERVER`|`https://api.bunkerweb.io`|global |no |Address of the BunkerNet API.|
|
||||
|
||||
### CORS
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------|------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Value of the Access-Control-Allow-Origin header. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header.|
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|
||||
### Client cache
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|
|
@ -194,24 +206,25 @@ When settings are considered as "multiple", it means that you can have multiple
|
|||
|
||||
### Miscellaneous
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-----------------------------|-----------------------|---------|--------|---------------------------------------------------------------------------------------------------------------------|
|
||||
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|
||||
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|
||||
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|
||||
|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP methods to be sent by clients. |
|
||||
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|
||||
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|
||||
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/opt/bunkerweb/www/{server_name} if unset). |
|
||||
|`HTTPS_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|
||||
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|
||||
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|
||||
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|
||||
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|
||||
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|
||||
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|
||||
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|
||||
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip file) to download and install (URLs are separated with space).|
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-----------------------------|-----------------------|---------|--------|----------------------------------------------------------------------------------------------------------------------|
|
||||
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|
||||
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|
||||
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|
||||
|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP methods to be sent by clients. |
|
||||
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|
||||
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|
||||
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/opt/bunkerweb/www/{server_name} if unset). |
|
||||
|`HTTPS_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|
||||
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|
||||
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|
||||
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|
||||
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|
||||
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|
||||
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|
||||
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|
||||
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip file) to download and install (URLs are separated with space). |
|
||||
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection.|
|
||||
|
||||
### ModSecurity
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue