librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

Merge pull request #437 from bunkerity/dev 

merge branch "dev" into branch "ui"
This commit is contained in:
Théophile Diot 2023-04-18 14:07:01 +02:00 committed by GitHub
parent 4d95e32f18 50829293c7
commit 859343e185
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1246 changed files with 225866 additions and 147175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
.github/workflows/staging-tests.yml vendored
View File

@ -100,27 +100,33 @@ jobs:
KUBECONFIG: "/tmp/k8s/kubeconfig"
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
IMAGE_TAG: "staging"
- name: Run Linux ubuntu tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux debian tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "debian"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux centos tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "centos"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
# - name: Run Linux ubuntu tests
# if: inputs.TYPE == 'linux'
# run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu"
# env:
# TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
# ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
# - name: Run Linux debian tests
# if: inputs.TYPE == 'linux'
# run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "debian"
# env:
# TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
# ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
# - name: Run Linux centos tests
# if: inputs.TYPE == 'linux'
# run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "centos"
# env:
# TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
# ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux fedora tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "fedora"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux rhel tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "rhel"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}

497
.github/workflows/staging.yml vendored
View File

@ -48,56 +48,56 @@ jobs:
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Linux
build-ubuntu:
uses: ./.github/workflows/staging-linux-build.yml
with:
LINUX: ubuntu
PACKAGE: deb
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-debian:
uses: ./.github/workflows/staging-linux-build.yml
with:
LINUX: debian
PACKAGE: deb
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-centos:
uses: ./.github/workflows/staging-linux-build.yml
with:
LINUX: centos
PACKAGE: rpm
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-fedora:
uses: ./.github/workflows/staging-linux-build.yml
with:
LINUX: fedora
PACKAGE: rpm
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-rhel:
uses: ./.github/workflows/staging-linux-build.yml
with:
LINUX: rhel
PACKAGE: rpm
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-ubuntu:
# uses: ./.github/workflows/staging-linux-build.yml
# with:
# LINUX: ubuntu
# PACKAGE: deb
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-debian:
# uses: ./.github/workflows/staging-linux-build.yml
# with:
# LINUX: debian
# PACKAGE: deb
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-centos:
# uses: ./.github/workflows/staging-linux-build.yml
# with:
# LINUX: centos
# PACKAGE: rpm
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-fedora:
# uses: ./.github/workflows/staging-linux-build.yml
# with:
# LINUX: fedora
# PACKAGE: rpm
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-rhel:
# uses: ./.github/workflows/staging-linux-build.yml
# with:
# LINUX: rhel
# PACKAGE: rpm
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Code security
code-security:
@ -131,42 +131,43 @@ jobs:
TYPE: docker
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-autoconf:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: autoconf
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-swarm:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: swarm
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-k8s:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: k8s
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-linux:
needs:
[
code-security,
build-ubuntu,
build-debian,
build-centos,
build-fedora,
build-rhel,
]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: linux
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-autoconf:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: autoconf
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-swarm:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: swarm
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-k8s:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: k8s
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-linux:
# needs:
# [
# code-security,
# build-ubuntu,
# build-debian,
# build-centos,
# build-fedora,
# build-rhel,
# ]
# needs: [code-security, build-rhel]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: linux
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# Perform tests
tests-docker:
@ -176,42 +177,42 @@ jobs:
TYPE: docker
RUNS_ON: "['self-hosted', 'bw-docker']"
secrets: inherit
tests-autoconf:
needs: [create-infra-autoconf]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: autoconf
RUNS_ON: "['self-hosted', 'bw-autoconf']"
secrets: inherit
tests-swarm:
needs: [create-infra-swarm]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: swarm
RUNS_ON: "['self-hosted', 'bw-swarm']"
secrets: inherit
tests-k8s:
needs: [create-infra-k8s]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: k8s
RUNS_ON: "['ubuntu-latest']"
secrets: inherit
tests-linux:
needs: [create-infra-linux]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: linux
RUNS_ON: "['self-hosted', 'bw-linux']"
secrets: inherit
tests-ui:
needs: [code-security, build-ui]
uses: ./.github/workflows/staging-tests-ui.yml
with:
MODE: staging
secrets:
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# tests-autoconf:
# needs: [create-infra-autoconf]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: autoconf
# RUNS_ON: "['self-hosted', 'bw-autoconf']"
# secrets: inherit
# tests-swarm:
# needs: [create-infra-swarm]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: swarm
# RUNS_ON: "['self-hosted', 'bw-swarm']"
# secrets: inherit
# tests-k8s:
# needs: [create-infra-k8s]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: k8s
# RUNS_ON: "['ubuntu-latest']"
# secrets: inherit
# tests-linux:
# needs: [create-infra-linux]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: linux
# RUNS_ON: "['self-hosted', 'bw-linux']"
# secrets: inherit
# tests-ui:
# needs: [code-security, build-ui]
# uses: ./.github/workflows/staging-tests-ui.yml
# with:
# MODE: staging
# secrets:
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Delete infrastructures
delete-infra-docker:
@ -222,131 +223,131 @@ jobs:
TYPE: docker
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-autoconf:
if: ${{ always() }}
needs: [tests-autoconf]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: autoconf
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-swarm:
if: ${{ always() }}
needs: [tests-swarm]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: swarm
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-k8s:
if: ${{ always() }}
needs: [tests-k8s]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: k8s
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-linux:
if: ${{ always() }}
needs: [tests-linux]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: linux
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-autoconf:
# if: ${{ always() }}
# needs: [tests-autoconf]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: autoconf
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-swarm:
# if: ${{ always() }}
# needs: [tests-swarm]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: swarm
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-k8s:
# if: ${{ always() }}
# needs: [tests-k8s]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: k8s
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-linux:
# if: ${{ always() }}
# needs: [tests-linux]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: linux
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# Push containers
push-bunkerweb:
needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
uses: ./.github/workflows/staging-push-docker.yml
with:
PRIVATE_IMAGE: bunkerweb-tests:staging
PUBLIC_IMAGE: bunkerweb:beta
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
push-scheduler:
needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
uses: ./.github/workflows/staging-push-docker.yml
with:
PRIVATE_IMAGE: scheduler-tests:staging
PUBLIC_IMAGE: bunkerweb-scheduler:beta
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
push-autoconf:
needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
uses: ./.github/workflows/staging-push-docker.yml
with:
PRIVATE_IMAGE: autoconf-tests:staging
PUBLIC_IMAGE: bunkerweb-autoconf:beta
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
push-ui:
needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
uses: ./.github/workflows/staging-push-docker.yml
with:
PRIVATE_IMAGE: ui-tests:staging
PUBLIC_IMAGE: bunkerweb-ui:beta
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# # Push containers
# push-bunkerweb:
# needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
# uses: ./.github/workflows/staging-push-docker.yml
# with:
# PRIVATE_IMAGE: bunkerweb-tests:staging
# PUBLIC_IMAGE: bunkerweb:beta
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# push-scheduler:
# needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
# uses: ./.github/workflows/staging-push-docker.yml
# with:
# PRIVATE_IMAGE: scheduler-tests:staging
# PUBLIC_IMAGE: bunkerweb-scheduler:beta
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# push-autoconf:
# needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
# uses: ./.github/workflows/staging-push-docker.yml
# with:
# PRIVATE_IMAGE: autoconf-tests:staging
# PUBLIC_IMAGE: bunkerweb-autoconf:beta
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# push-ui:
# needs: [tests-docker, tests-autoconf, tests-swarm, tests-k8s, tests-ui]
# uses: ./.github/workflows/staging-push-docker.yml
# with:
# PRIVATE_IMAGE: ui-tests:staging
# PUBLIC_IMAGE: bunkerweb-ui:beta
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Push Linux packages
push-ubuntu:
needs: [tests-linux, tests-ui]
uses: ./.github/workflows/staging-push-packagecloud.yml
with:
SEPARATOR: _
SUFFIX: amd64
REPO: bunkerweb-dev
LINUX: ubuntu
VERSION: jammy
PACKAGE: deb
secrets:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
push-debian:
needs: [tests-linux, tests-ui]
uses: ./.github/workflows/staging-push-packagecloud.yml
with:
SEPARATOR: _
SUFFIX: amd64
REPO: bunkerweb-dev
LINUX: debian
VERSION: bullseye
PACKAGE: deb
secrets:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
push-rhel:
needs: [tests-linux, tests-ui]
uses: ./.github/workflows/staging-push-packagecloud.yml
with:
SEPARATOR: "-"
SUFFIX: 1.x86_64
REPO: bunkerweb-dev
LINUX: el
VERSION: 8
PACKAGE: rpm
secrets:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
push-fedora:
needs: [tests-linux, tests-ui]
uses: ./.github/workflows/staging-push-packagecloud.yml
with:
SEPARATOR: "-"
SUFFIX: 1.x86_64
REPO: bunkerweb-dev
LINUX: fedora
VERSION: 37
PACKAGE: rpm
secrets:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# # Push Linux packages
# push-ubuntu:
# needs: [tests-linux, tests-ui]
# uses: ./.github/workflows/staging-push-packagecloud.yml
# with:
# SEPARATOR: _
# SUFFIX: amd64
# REPO: bunkerweb-dev
# LINUX: ubuntu
# VERSION: jammy
# PACKAGE: deb
# secrets:
# PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# push-debian:
# needs: [tests-linux, tests-ui]
# uses: ./.github/workflows/staging-push-packagecloud.yml
# with:
# SEPARATOR: _
# SUFFIX: amd64
# REPO: bunkerweb-dev
# LINUX: debian
# VERSION: bullseye
# PACKAGE: deb
# secrets:
# PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# push-rhel:
# needs: [tests-linux, tests-ui]
# uses: ./.github/workflows/staging-push-packagecloud.yml
# with:
# SEPARATOR: "-"
# SUFFIX: 1.x86_64
# REPO: bunkerweb-dev
# LINUX: el
# VERSION: 8
# PACKAGE: rpm
# secrets:
# PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# push-fedora:
# needs: [tests-linux, tests-ui]
# uses: ./.github/workflows/staging-push-packagecloud.yml
# with:
# SEPARATOR: "-"
# SUFFIX: 1.x86_64
# REPO: bunkerweb-dev
# LINUX: fedora
# VERSION: 37
# PACKAGE: rpm
# secrets:
# PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

3
.prettierignore
View File

@ -10,4 +10,5 @@ CONTRIBUTING.md
LICENSE.md
README.md
SECURITY.md
src/ui/static
src/ui/static
examples/*

23
CHANGELOG.md
View File

@ -1,6 +1,25 @@
# Changelog
## v1.4.6
## v1.4.8 - 2023/04/05
- Fix UI bug related to multiple settings
- Increase check reload interval in UI to avoid rate limit
- Fix Let's Encrypt error when using auth basic
- Fix wrong setting name in realip job (again)
- Fix blog posts retrieval in the UI
- Fix missing logs for UI
- Fix error log if BunkerNet ip list is empty
- Updated python dependencies
- Gunicorn will now show the logs in the console for the UI
- BunkerNet job will now create the ip list file at the beginning of the job to avoid errors
## v1.4.7 - 2023/02/27
- Fix DISABLE_DEFAULT_SERVER=yes not working with HTTPS (again)
- Fix wrong setting name in realip job
- Fix whitelisting not working with modsecurity
## v1.4.6 - 2023/02/14
- Fix error in the UI when a service have multiple domains
- Fix bwcli bans command
@ -186,4 +205,4 @@
- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
- Add ROOT_SITE_SUBFOLDER environment variable
## TODO - retrospective changelog
## TODO - retrospective changelog

47
README.md
View File

@ -1,12 +1,13 @@
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/master/logo.png" />
<img alt="BunkerWeb logo" src="misc/logo.png" />
</p>
<p align="center">
<img src="https://img.shields.io/badge/bunkerweb-1.4.6-blue" />
<img src="https://img.shields.io/github/release/bunkerity/bunkerweb.svg" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/dev.yml?label=CI%2FCD%20dev&branch=dev" />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/dev.yml?label=CI%2FCD%20prod" />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/staging.yml?label=CI%2FCD%20staging&branch=staging" />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/prod.yml?label=CI%2FCD%20prod" />
<img src="https://img.shields.io/github/issues/bunkerity/bunkerweb">
<img src="https://img.shields.io/github/issues-pr/bunkerity/bunkerweb">
</p>
@ -23,21 +24,25 @@
📝 <a href="https://github.com/bunkerity/bunkerweb/discussions">Forum</a>
&#124;
⚙️ <a href="https://config.bunkerweb.io">Configurator</a>
&#124;
🗺️ <a href="https://threatmap.bunkerweb.io">Threatmap</a>
</p>
> Make security by default great again !
> 🛡️ Make security by default great again !
# BunkerWeb
<p align="center">
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/intro-overview.svg" />
<img alt="overview" src="docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is a web server based on the notorious [NGINX](https://nginx.org/) and focused on security.
BunkerWeb is an incredible web server that is built upon the reliable [NGINX](https://nginx.org/) and designed with a primary focus on security.
It integrates into existing environments ([Linux](#linux), [Docker](#docker), [Swarm](#swarm), [Kubernetes](#Kubernetes), …) to make your web services "secure by default" without any hassle. The security best practices are automatically applied for you while keeping control of every setting to meet your use case.
This web server can effortlessly be integrated into your current environment, whether you're using [Linux](#linux), [Docker](#docker), [Swarm](#swarm), [Kubernetes](#Kubernetes), and more. To ensure that your web services are "secure by default" without any added stress or effort.
BunkerWeb contains primary [security features](#security-tuning) as part of the core but can be easily extended with additional ones thanks to a [plugin system](#plugins).
With BunkerWeb, you can be assured that all security best practices are applied automatically, and you have total control over each setting to meet your unique needs. The web server comes with a table of primary [security features](#security-tuning) as part of the core, but you can easily expand it with extra features using the [plugin system](#plugins).
Overall, BunkerWeb is a great choice for anyone looking for a secure and user-friendly web server that guarantees optimum performance and uncompromised security for their web services.
## Why BunkerWeb ?
@ -50,7 +55,7 @@ BunkerWeb contains primary [security features](#security-tuning) as part of the
A non-exhaustive list of security features :
- **HTTPS** support with transparent **Let's Encrypt** automation
- **HTTPS** support with transparent **Let's Encrypt** automation.
- **State-of-the-art web security** : HTTP security headers, prevent leaks, TLS hardening, ...
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set**
- **Automatic ban** of strange behaviors based on HTTP status code
@ -64,7 +69,7 @@ Learn more about the core security features in the [security tuning](https://doc
## Demo
<p align="center">
<img alt="Demo GIF" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/demo.gif" />
<img alt="Demo GIF" src="docs/assets/img/demo.gif" />
</p>
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
@ -72,7 +77,7 @@ A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](http
# Concepts
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/concepts.svg" />
<img alt="BunkerWeb logo" src="docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/latest/concepts).
@ -131,7 +136,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
## Docker
<p align="center">
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-docker.svg" />
<img alt="Docker" src="docs/assets/img/integration-docker.svg" />
</p>
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) using the `bunkerity/bunkerweb` tag.
@ -147,7 +152,7 @@ You will find more information in the [Docker integration section](https://docs.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf" src="docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
@ -159,7 +164,7 @@ You will find more information in the [Docker autoconf section](https://docs.bun
## Swarm
<p align="center">
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-swarm.svg" />
<img alt="Swarm" src="docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf**, will be scheduled on a manager node. That service will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
@ -173,7 +178,7 @@ You will find more information in the [Swarm section](https://docs.bunkerweb.io/
## Kubernetes
<p align="center">
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes" src="docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
@ -183,7 +188,7 @@ You will find more information in the [Kubernetes section](https://docs.bunkerwe
## Linux
<p align="center">
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-linux.svg" />
<img alt="Linux" src="docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros :
@ -200,7 +205,7 @@ You will find more information in the [Linux section](https://docs.bunkerweb.io/
## Ansible
<p align="center">
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/master/docs/assets/img/integration-ansible.svg" />
<img alt="Ansible" src="docs/assets/img/integration-ansible.svg" />
</p>
List of supported Linux distros :
@ -262,12 +267,12 @@ BunkerWeb comes with a plugin system to make it possible to easily add new featu
Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 0.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 0.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/latest/plugins) of the documentation.

6
TODO Normal file
View File

@ -0,0 +1,6 @@
- utils refactoring
- load inline values for white/black/grey list core
- check if correct setting is set to yes in new() before loading stuff in self
- store object in ngx.ctx
- bwcli with redis
- move bans to cachestore

BIN
docs/assets/img/demo.gif
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.6 MiB

After

Width:  |  Height:  |  Size: 48 MiB

1533
docs/assets/img/intro-overview.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 137 KiB

After

Width:  |  Height:  |  Size: 111 KiB

62
docs/backup-new-integrations.md
View File

@ -17,13 +17,13 @@
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.6 :
And finally install BunkerWeb 1.5.0-beta :
```shell
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
rpm -Uvh epel-release*rpm && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.6
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -96,7 +96,7 @@ vagrant ssh
python3 -m http.server -b 127.0.0.1
```
Configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file.
Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file.
Connect to your vagrant machine :
```shell
@ -159,7 +159,7 @@ vagrant ssh
vagrant ssh
```
Configuration of BunkerWeb is done by editing the /etc/bunkerweb/variables.env file :
Configuration of BunkerWeb is done by editing the /opt/bunkerweb/variables.env file :
```conf
SERVER_NAME=app1.example.com app2.example.com app3.example.com
HTTP_PORT=80
@ -190,7 +190,7 @@ vagrant ssh
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
You will need to add the settings to the `/opt/bunkerweb/variables.env` file :
```conf
...
@ -204,7 +204,7 @@ vagrant ssh
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
You will need to add the settings to the `/opt/bunkerweb/variables.env` file :
```conf
...
@ -219,7 +219,7 @@ vagrant ssh
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/opt/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
```conf
@ -233,8 +233,8 @@ vagrant ssh
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions :
```shell
chown -R root:nginx /etc/bunkerweb/configs && \
chmod -R 770 /etc/bunkerweb/configs
chown -R root:nginx /opt/bunkerweb/configs && \
chmod -R 770 /opt/bunkerweb/configs
```
Don't forget to restart the BunkerWeb service once it's done.
@ -243,9 +243,9 @@ vagrant ssh
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP application. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
By default, BunkerWeb will search for web files inside the `/opt/bunkerweb/www` folder. You can use it to store your PHP application. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/opt/bunkerweb/www` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
@ -263,14 +263,14 @@ vagrant ssh
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
Once your application is copied to the `/opt/bunkerweb/www` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
chown -R www-data:nginx /opt/bunkerweb/www && \
find /opt/bunkerweb/www -type f -exec chmod 0640 {} \; && \
find /opt/bunkerweb/www -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
You can now edit the `/opt/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
@ -278,7 +278,7 @@ vagrant ssh
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/var/www/html/
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
Let's check the status of BunkerWeb :
@ -299,9 +299,9 @@ vagrant ssh
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP applications : each application will be in its own subfolder named the same as the primary server name. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
By default, BunkerWeb will search for web files inside the `/opt/bunkerweb/www` folder. You can use it to store your PHP applications : each application will be in its own subfolder named the same as the primary server name. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/opt/bunkerweb/www` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
@ -319,14 +319,14 @@ vagrant ssh
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
Once your application is copied to the `/opt/bunkerweb/www` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
chown -R www-data:nginx /opt/bunkerweb/www && \
find /opt/bunkerweb/www -type f -exec chmod 0640 {} \; && \
find /opt/bunkerweb/www -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
You can now edit the `/opt/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
@ -335,11 +335,11 @@ vagrant ssh
MULTISITE=yes
AUTO_LETS_ENCRYPT=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
app3.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app3.example.com
```
Let's check the status of BunkerWeb :
@ -360,7 +360,7 @@ vagrant ssh
=== "Vagrant"
When using the [Linux integration](/1.4/integrations/#linux), plugins must be written to the `/etc/bunkerweb/plugins` folder :
When using the [Linux integration](/1.4/integrations/#linux), plugins must be written to the `/opt/bunkerweb/plugins` folder :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins && \
cp -rp ./bunkerweb-plugins/* /data/plugins
@ -372,7 +372,7 @@ vagrant ssh
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
The first thing to do is to edit the BunkerWeb configuration located at **/etc/bunkerweb/variables.env** to add settings related to the web UI :
The first thing to do is to edit the BunkerWeb configuration located at **/opt/bunkerweb/variables.env** to add settings related to the web UI :
```conf
HTTP_PORT=80
HTTPS_PORT=443
@ -401,7 +401,7 @@ vagrant ssh
systemctl restart bunkerweb
```
You can edit the **/etc/bunkerweb/ui.env** file containing the settings of the web UI :
You can edit the **/opt/bunkerweb/ui.env** file containing the settings of the web UI :
```conf
ADMIN_USERNAME=admin
ADMIN_PASSWORD=changeme
@ -410,7 +410,7 @@ vagrant ssh
Important things to note :
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in **/etc/bunkerweb/variables.env**)
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in **/opt/bunkerweb/variables.env**)
* replace the username `admin` and password `changeme` with strong ones
Restart the BunkerWeb UI service and you are now ready to access it :

4
docs/index.md
View File

@ -3,7 +3,7 @@
## Overview
<figure markdown>
![Overview](assets/img/intro-overview.svg){ align=center }
![Overview](assets/img/intro-overview.svg){ align=center, width="800" }
<figcaption>Make your web services secure by default !</figcaption>
</figure>
@ -38,7 +38,7 @@ Learn more about the core security features in the [security tuning](security-tu
## Demo
<figure markdown>
![Overwiew](assets/img/demo.gif){ align=center }
![Demo](assets/img/demo.gif){ align=center }
<figcaption>Fooling automated tools/scanners</figcaption>
</figure>

117
docs/integrations.md
View File

@ -12,7 +12,7 @@ Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and
We provide ready-to-use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.4.6
docker pull bunkerity/bunkerweb:1.5.0-beta
```
Alternatively, you can build the Docker images directly from the [source](https://github.com/bunkerity/bunkerweb) (and get a coffee ☕ because it may take a long time depending on your hardware) :
@ -39,7 +39,7 @@ docker run \
-e MY_SETTING=value \
-e "MY_OTHER_SETTING=value with spaces" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -48,7 +48,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
environment:
- MY_SETTING=value
```
@ -73,7 +73,7 @@ docker run \
...
-v bw_data:/data \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -82,7 +82,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
volumes:
- bw_data:/data
...
@ -152,7 +152,7 @@ docker run \
...
--network mynetwork \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
@ -163,7 +163,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
networks:
- bw-net
...
@ -218,7 +218,7 @@ docker run \
-e SERVER_NAME= \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.6 && \
bunkerity/bunkerweb:1.5.0-beta && \
docker network connect bw-services mybunker
```
@ -235,7 +235,7 @@ docker run \
--network bw-autoconf \
-v bw-data:/data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
bunkerity/bunkerweb-autoconf:1.4.6
bunkerity/bunkerweb-autoconf:1.5.0-beta
```
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
@ -246,7 +246,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -262,7 +262,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
volumes:
- bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -364,7 +364,7 @@ docker service create \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
And the autoconf one :
@ -378,7 +378,7 @@ docker service \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=volume,source=bw-data,destination=/data \
-e SWARM_MODE=yes \
bunkerity/bunkerweb-autoconf:1.4.6
bunkerity/bunkerweb-autoconf:1.5.0-beta
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
@ -389,7 +389,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- published: 80
target: 8080
@ -416,7 +416,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
environment:
- SWARM_MODE=yes
volumes:
@ -580,7 +580,7 @@ spec:
livenessProbe:
exec:
command:
- /usr/share/bunkerweb/helpers/healthcheck.sh
- /opt/bunkerweb/helpers/healthcheck.sh
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 1
@ -588,7 +588,7 @@ spec:
readinessProbe:
exec:
command:
- /usr/share/bunkerweb/helpers/healthcheck.sh
- /opt/bunkerweb/helpers/healthcheck.sh
initialDelaySeconds: 30
periodSeconds: 1
timeoutSeconds: 1
@ -706,11 +706,11 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.20.2-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.4.6 :
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.6
sudo apt install -y bunkerweb=1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -736,11 +736,11 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.20.2-1~jammy
```
And finally install BunkerWeb 1.4.6 :
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.6
sudo apt install -y bunkerweb=1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -755,20 +755,20 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install -y nginx-1.20.2
```
And finally install BunkerWeb 1.4.6 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo dnf install -y bunkerweb-1.4.6
```
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "CentOS Stream"
@ -788,12 +788,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.6 :
And finally install BunkerWeb 1.5.0-beta :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.6
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -806,9 +806,9 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
The first step is to install NGINX 1.20.2 using the repository of your choice or by [compiling it from source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#compiling-and-installing-from-source).
The target installation folder of BunkerWeb is located at `/usr/share/bunkerweb`, let's create it :
The target installation folder of BunkerWeb is located at `/opt/bunkerweb`, let's create it :
```shell
mkdir /usr/share/bunkerweb
mkdir /opt/bunkerweb
```
You can now clone the BunkerWeb project to the `/tmp` folder :
@ -816,43 +816,40 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
```
BunkerWeb needs some dependencies to be compiled and installed to `/usr/share/bunkerweb/deps`, the easiest way to do it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/master/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
BunkerWeb needs some dependencies to be compiled and installed to `/opt/bunkerweb/deps`, the easiest way to do it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/master/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
```
mkdir /usr/share/bunkerweb/deps && \
mkdir /opt/bunkerweb/deps && \
/tmp/bunkerweb/deps/install.sh
```
Additional Python dependencies needs to be installed into the `/usr/share/bunkerweb/deps/python` folder :
Additional Python dependencies needs to be installed into the `/opt/bunkerweb/deps/python` folder :
```shell
mkdir -p /usr/share/bunkerweb/deps/python && \
cat src/scheduler/requirements.txt src/ui/requirements.txt src/common/gen/requirements.txt src/common/db/requirements.txt > /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
mkdir /opt/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt
```
Once dependencies are installed, you will be able to copy the BunkerWeb sources to the target `/usr/share/bunkerweb` folder :
Once dependencies are installed, you will be able to copy the BunkerWeb sources to the target `/opt/bunkerweb` folder :
```shell
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/ui.env linux/scripts ; do
cp -r /tmp/bunkerweb/${src} /usr/share/bunkerweb
cp -r /tmp/bunkerweb/${src} /opt/bunkerweb
done
cp /usr/share/bunkerweb/helpers/bwcli /usr/bin
cp /opt/bunkerweb/helpers/bwcli /usr/local/bin
```
Additional folders also need to be created :
```shell
mkdir -p /etc/bunkerweb/configs && \
mkdir -p /var/cache/bunkerweb && \
mkdir -p /etc/bunkerweb/plugins && \
mkdir -p /var/tmp/bunkerweb
mkdir /opt/bunkerweb/{configs,cache,plugins,tmp}
```
Permissions needs to be fixed :
```shell
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
find /usr/share/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
chmod 770 /var/cache/bunkerweb /var/tmp/bunkerweb && \
chmod 750 /usr/share/bunkerweb/gen/main.py /usr/share/bunkerweb/scheduler/main.py /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/share/bunkerweb/scripts/*.sh /usr/bin/bwcli /usr/share/bunkerweb/ui/main.py && \
chown -R root:nginx /usr/share/bunkerweb
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
find /opt/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
chmod 770 /opt/bunkerweb/cache /opt/bunkerweb/tmp && \
chmod 750 /opt/bunkerweb/gen/main.py /opt/bunkerweb/job/main.py /opt/bunkerweb/cli/main.py /opt/bunkerweb/helpers/*.sh /opt/bunkerweb/scripts/*.sh /usr/local/bin/bwcli /opt/bunkerweb/ui/main.py && \
chown -R root:nginx /opt/bunkerweb
```
Last but not least, you will need to set up systemd unit files :
@ -865,7 +862,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
systemctl enable bunkerweb-ui
```
The configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file :
The configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file :
```conf
MY_SETTING_1=value1
@ -931,7 +928,7 @@ Configuration of BunkerWeb is done by using specific role variables :
| Name | Type | Description | Default value |
|:-----:|:-----:|--------------|----------------|
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.4.6` |
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.0-beta` |
| `nginx_version` | string | Version of NGINX to install. | `1.20.2` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
@ -941,4 +938,4 @@ Configuration of BunkerWeb is done by using specific role variables :
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |

16
docs/plugins.md
View File

@ -53,13 +53,13 @@ The first step is to install the plugin by putting the plugin files inside the c
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
volumes:
- ./bw-data:/data
...
@ -148,6 +148,14 @@ The first step is to install the plugin by putting the plugin files inside the c
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), plugins must be written to the `/etc/bunkerweb/plugins` folder :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins && \
cp -rp ./bunkerweb-plugins/* /data/plugins
```
## Writing a plugin
!!! tip "Existing plugins"
@ -182,7 +190,7 @@ A file named **plugin.json** and written at the root of the plugin folder must c
"regex": "^.*$",
"type": "text"
}
}
},
"jobs": [
{
"name": "my-job",
@ -428,4 +436,4 @@ def myplugin() :
!!! info "Python libraries"
You can use Python libraries that are already available like :
`Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blob/master/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.
`Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blob/master/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.

333
docs/quickstart-guide.md
View File

@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e USE_REVERSE_PROXY=yes \
-e REVERSE_PROXY_URL=/ \
-e REVERSE_PROXY_HOST=http://myapp \
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -64,7 +64,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -314,6 +314,49 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1
```
Configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file.
Connect to your vagrant machine :
```shell
vagrant ssh
```
And then you can edit the `variables.env` file in your host machine like this :
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
REVERSE_PROXY_HOST=http://127.0.0.1:8000
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
### Multiple applications
!!! tip "Testing"
@ -379,7 +422,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
-e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
-e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -389,7 +432,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -881,6 +924,64 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
systemctl start bunkerweb
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#Vagrant) stack running on your machine with some web applications running on the same machine as BunkerWeb.
Let's assume that you have some web applications running on the same machine as BunkerWeb :
=== "App #1"
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8001
```
=== "App #2"
The following command will run a basic HTTP server on the port 8002 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8002
```
=== "App #3"
The following command will run a basic HTTP server on the port 8003 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8003
```
Connect to your vagrant machine :
```shell
vagrant ssh
```
Configuration of BunkerWeb is done by editing the /etc/bunkerweb/variables.env file :
```conf
SERVER_NAME=app1.example.com app2.example.com app3.example.com
HTTP_PORT=80
HTTPS_PORT=443
MULTISITE=yes
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
app1.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8001
app2.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8002
app3.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8003
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
=== "Ansible"
Let's assume that you have some web applications running on the same machine as BunkerWeb :
@ -981,13 +1082,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1006,13 +1107,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1031,13 +1132,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1062,7 +1163,7 @@ REAL_IP_HEADER=X-Forwarded-For
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
env:
- name: USE_REAL_IP
@ -1119,6 +1220,20 @@ REAL_IP_HEADER=X-Forwarded-For
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=X-Forwarded-For
...
```
Don't forget to restart the BunkerWeb service once it's done.
### Proxy protocol
We will assume the following regarding the load balancers or reverse proxies (you will need to update the settings depending on your configuration) :
@ -1146,13 +1261,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1173,13 +1288,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1200,13 +1315,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
environment:
- USE_REAL_IP=yes
@ -1232,7 +1347,7 @@ REAL_IP_HEADER=proxy_protocol
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
...
env:
- name: USE_REAL_IP
@ -1293,6 +1408,21 @@ REAL_IP_HEADER=proxy_protocol
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
USE_PROXY_PROTOCOL=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=proxy_protocol
...
```
Don't forget to restart the BunkerWeb service once it's done.
## Custom configurations
Because BunkerWeb is based on the NGINX web server, you can add custom NGINX configurations in different NGINX contexts. You can also apply custom configurations for the ModSecurity WAF which is a core component of BunkerWeb (more info [here](/1.4/security-tuning/#modsecurity)). Here is the list of custom configurations types :
@ -1327,7 +1457,7 @@ Some integrations offer a more convenient way of applying configurations such as
Here is a dummy example using a docker-compose file :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1369,13 +1499,13 @@ Some integrations offer a more convenient way of applying configurations such as
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
volumes:
- ./bw-data:/data
...
@ -1436,13 +1566,13 @@ Some integrations offer a more convenient way of applying configurations such as
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb-autoconf:1.4.6
bunkerity/bunkerweb-autoconf:1.5.0-beta
```
Here is the docker-compose equivalent :
```yaml
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
volumes:
- ./bw-data:/data
...
@ -1559,6 +1689,28 @@ Some integrations offer a more convenient way of applying configurations such as
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions :
```shell
chown -R root:nginx /etc/bunkerweb/configs && \
chmod -R 770 /etc/bunkerweb/configs
```
Don't forget to restart the BunkerWeb service once it's done.
## PHP
!!! warning "Support is in beta"
@ -1622,7 +1774,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
-e AUTO_LETS_ENCRYPT=yes \
-e REMOTE_PHP=myphp \
-e REMOTE_PHP_PATH=/app \
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -1632,7 +1784,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -1674,7 +1826,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "${PWD}/myapp:/app" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM container, mount the application folder inside the container and configure it using specific labels :
@ -1738,7 +1890,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "/shared/myapp:/app" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM service, mount the application folder inside the container and configure it using specific labels :
@ -1899,6 +2051,62 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP application. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/var/www/html/
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
### Multiple applications
!!! tip "Testing"
@ -1984,7 +2192,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
-e app2.example.com_REMOTE_PHP_PATH=/app \
-e app3.example.com_REMOTE_PHP=myphp3 \
-e app3.example.com_REMOTE_PHP_PATH=/app \
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Here is the docker-compose equivalent :
@ -1994,7 +2202,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -2055,7 +2263,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "${PWD}/myapps:/apps" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM containers, mount the right application folder inside each container and configure them using specific labels :
@ -2179,7 +2387,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "/shared/myapps:/apps" \
...
bunkerity/bunkerweb:1.4.6
bunkerity/bunkerweb:1.5.0-beta
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM service, mount the application folder inside the container and configure it using specific labels :
@ -2412,4 +2620,65 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
You can now run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP applications : each application will be in its own subfolder named the same as the primary server name. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=app1.example.com app2.example.com app3.example.com
MULTISITE=yes
AUTO_LETS_ENCRYPT=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```

2
docs/requirements.txt
View File

@ -1,5 +1,5 @@
mkdocs==1.4.2
mkdocs-material==9.1.4
mkdocs-material==9.1.6
pytablewriter==0.64.2
mike==1.1.2
jinja2<3.1.0

256
docs/settings.md
View File

@ -12,44 +12,48 @@ When settings are considered as "multiple", it means that you can have multiple
## Global settings
| Setting | Default | Context |Multiple| Description |
|-----------------------|------------------------------------------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
|`IS_LOADING` |`no` |global |no |Internal use : set to yes when BW is loading. |
|`NGINX_PREFIX` |`/etc/nginx/` |global |no |Where nginx will search for configurations. |
|`HTTP_PORT` |`8080` |global |no |HTTP port number which bunkerweb binds to. |
|`HTTPS_PORT` |`8443` |global |no |HTTPS port number which bunkerweb binds to. |
|`MULTISITE` |`no` |global |no |Multi site activation. |
|`SERVER_NAME` |`www.example.com` |multisite|no |List of the virtual hosts served by bunkerweb. |
|`WORKER_PROCESSES` |`auto` |global |no |Number of worker processes. |
|`WORKER_RLIMIT_NOFILE` |`2048` |global |no |Maximum number of open files for worker processes.|
|`WORKER_CONNECTIONS` |`1024` |global |no |Maximum number of connections per worker. |
|`LOG_FORMAT` |`$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"`|global |no |The format to use for access logs. |
|`LOG_LEVEL` |`notice` |global |no |The level to use for error logs. |
|`DNS_RESOLVERS` |`127.0.0.11` |global |no |DNS addresses of resolvers to use. |
|`DATASTORE_MEMORY_SIZE`|`256m` |global |no |Size of the internal datastore. |
|`USE_API` |`yes` |global |no |Activate the API to control BunkerWeb. |
|`API_HTTP_PORT` |`5000` |global |no |Listen port number for the API. |
|`API_SERVER_NAME` |`bwapi` |global |no |Server name (virtual host) for the API. |
|`API_WHITELIST_IP` |`127.0.0.0/8` |global |no |List of IP/network allowed to contact the API. |
|`AUTOCONF_MODE` |`no` |global |no |Enable Autoconf Docker integration. |
|`SWARM_MODE` |`no` |global |no |Enable Docker Swarm integration. |
|`KUBERNETES_MODE` |`no` |global |no |Enable Kubernetes integration. |
| Setting | Default | Context |Multiple| Description |
|------------------------|------------------------------------------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
|`IS_LOADING` |`no` |global |no |Internal use : set to yes when BW is loading. |
|`NGINX_PREFIX` |`/etc/nginx/` |global |no |Where nginx will search for configurations. |
|`HTTP_PORT` |`8080` |global |no |HTTP port number which bunkerweb binds to. |
|`HTTPS_PORT` |`8443` |global |no |HTTPS port number which bunkerweb binds to. |
|`MULTISITE` |`no` |global |no |Multi site activation. |
|`SERVER_NAME` |`www.example.com` |multisite|no |List of the virtual hosts served by bunkerweb. |
|`WORKER_PROCESSES` |`auto` |global |no |Number of worker processes. |
|`WORKER_RLIMIT_NOFILE` |`2048` |global |no |Maximum number of open files for worker processes.|
|`WORKER_CONNECTIONS` |`1024` |global |no |Maximum number of connections per worker. |
|`LOG_FORMAT` |`$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"`|global |no |The format to use for access logs. |
|`LOG_LEVEL` |`notice` |global |no |The level to use for error logs. |
|`DNS_RESOLVERS` |`127.0.0.11` |global |no |DNS addresses of resolvers to use. |
|`DATASTORE_MEMORY_SIZE` |`256m` |global |no |Size of the internal datastore. |
|`USE_API` |`yes` |global |no |Activate the API to control BunkerWeb. |
|`API_HTTP_PORT` |`5000` |global |no |Listen port number for the API. |
|`API_LISTEN_IP` |`0.0.0.0` |global |no |Listen IP address for the API. |
|`API_SERVER_NAME` |`bwapi` |global |no |Server name (virtual host) for the API. |
|`API_WHITELIST_IP` |`127.0.0.0/8` |global |no |List of IP/network allowed to contact the API. |
|`AUTOCONF_MODE` |`no` |global |no |Enable Autoconf Docker integration. |
|`SWARM_MODE` |`no` |global |no |Enable Docker Swarm integration. |
|`KUBERNETES_MODE` |`no` |global |no |Enable Kubernetes integration. |
|`SERVER_TYPE` |`http` |multisite|no |Server type : http or stream. |
|`LISTEN_STREAM` |`yes` |multisite|no |Enable listening for non-ssl (passthrough). |
|`LISTEN_STREAM_PORT` |`1337` |multisite|no |Listening port for non-ssl (passthrough). |
|`LISTEN_STREAM_PORT_SSL`|`4242` |multisite|no |Listening port for ssl (passthrough). |
|`USE_UDP` |`no` |multisite|no |UDP listen instead of TCP (stream). |
## Core settings
### Antibot
| Setting | Default | Context |Multiple| Description |
|---------------------------|------------|---------|--------|---------------------------------------------------------------------------------|
|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge. |
|`ANTIBOT_SESSION_SECRET` |`random` |global |no |Secret used to encrypt sessions variables for storing data related to challenges.|
|`ANTIBOT_SESSION_NAME` |`random` |global |no |Name of the cookie used by the antibot feature. |
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
| Setting | Default | Context |Multiple| Description |
|---------------------------|------------|---------|--------|---------------------------------------------------------------------|
|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge.|
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
### Auth basic
@ -69,26 +73,26 @@ When settings are considered as "multiple", it means that you can have multiple
|`BAD_BEHAVIOR_STATUS_CODES`|`400 401 403 404 405 429 444`|multisite|no |List of HTTP status codes considered as 'bad'. |
|`BAD_BEHAVIOR_BAN_TIME` |`86400` |multisite|no |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
|`BAD_BEHAVIOR_THRESHOLD` |`10` |multisite|no |Maximum number of 'bad' HTTP status codes within the period of time before IP is banned. |
|`BAD_BEHAVIOR_COUNT_TIME` |`60` |multisite|no |Period of time during which we count 'bad' HTTP status codes. |
|`BAD_BEHAVIOR_COUNT_TIME` |`60` |multisite|no |Period of time (in seconds) during which we count 'bad' HTTP status codes. |
### Blacklist
| Setting | Default | Context |Multiple| Description |
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
|`USE_BLACKLIST` |`yes` |multisite|no |Activate blacklist feature. |
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|`BLACKLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to block. |
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|`BLACKLIST_RDNS` |`.shodan.io .censys.io` |multisite|no |List of reverse DNS suffixes, separated with spaces, to block. |
|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|`BLACKLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to block. |
|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
|`BLACKLIST_USER_AGENT` | |multisite|no |List of User-Agent, separated with spaces, to block. |
|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
|`BLACKLIST_URI` | |multisite|no |List of URI, separated with spaces, to block. |
|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|`BLACKLIST_IGNORE_IP` | |multisite|no |List of IP/network, separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|`BLACKLIST_IGNORE_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
|`BLACKLIST_IGNORE_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to ignore in the blacklist. |
@ -128,12 +132,12 @@ When settings are considered as "multiple", it means that you can have multiple
### Client cache
| Setting | Default | Context |Multiple| Description |
|-------------------------|------------------------------------------------------------|---------|--------|-----------------------------------------------|
|`USE_CLIENT_CACHE` |`no` |multisite|no |Tell client to store locally static files. |
|`CLIENT_CACHE_EXTENSIONS`|`jpg\|jpeg\|png\|bmp\|ico\|svg\|tif\|css\|js\|otf\|ttf\|eot\|woff\|woff2`|global |no |List of file extensions that should be cached. |
|`CLIENT_CACHE_ETAG` |`yes` |multisite|no |Send the HTTP ETag header for static resources.|
|`CLIENT_CACHE_CONTROL` |`public, max-age=15552000` |multisite|no |Value of the Cache-Control HTTP header. |
| Setting | Default | Context |Multiple| Description |
|-------------------------|------------------------------------------------------------|---------|--------|--------------------------------------------------------------------|
|`USE_CLIENT_CACHE` |`no` |multisite|no |Tell client to store locally static files. |
|`CLIENT_CACHE_EXTENSIONS`|`jpg\|jpeg\|png\|bmp\|ico\|svg\|tif\|css\|js\|otf\|ttf\|eot\|woff\|woff2`|global |no |List of file extensions, separated with pipes that should be cached.|
|`CLIENT_CACHE_ETAG` |`yes` |multisite|no |Send the HTTP ETag header for static resources. |
|`CLIENT_CACHE_CONTROL` |`public, max-age=15552000` |multisite|no |Value of the Cache-Control HTTP header. |
### Country
@ -144,17 +148,17 @@ When settings are considered as "multiple", it means that you can have multiple
### Custom HTTPS certificate
| Setting |Default| Context |Multiple| Description |
|-------------------|-------|---------|--------|--------------------------------------------|
|`USE_CUSTOM_HTTPS` |`no` |multisite|no |Use custom HTTPS certificate. |
|`CUSTOM_HTTPS_CERT`| |multisite|no |Full path of the certificate or bundle file.|
|`CUSTOM_HTTPS_KEY` | |multisite|no |Full path of the key file. |
| Setting |Default| Context |Multiple| Description |
|-----------------|-------|---------|--------|--------------------------------------------|
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file.|
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file. |
### DB
| Setting | Default |Context|Multiple| Description |
|--------------|----------------------------|-------|--------|--------------------------------------------------|
|`DATABASE_URI`|`sqlite:////data/db.sqlite3`|global |no |The database URI, following the sqlalchemy format.|
| Setting | Default |Context|Multiple| Description |
|--------------|-----------------------------------------|-------|--------|--------------------------------------------------|
|`DATABASE_URI`|`sqlite:////var/lib/bunkerweb/db.sqlite3`|global |no |The database URI, following the sqlalchemy format.|
### DNSBL
@ -165,20 +169,21 @@ When settings are considered as "multiple", it means that you can have multiple
### Errors
|Setting |Default| Context |Multiple| Description |
|--------|-------|---------|--------|-------------------------------------------------------------------------------------------------|
|`ERRORS`| |multisite|no |List of HTTP error code and corresponding error pages (404=/my404.html 403=/errors/403.html ...).|
| Setting | Default | Context |Multiple| Description |
|-------------------------|-------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------------------------------|
|`ERRORS` | |multisite|no |List of HTTP error code and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...).|
|`INTERCEPTED_ERROR_CODES`|`400 401 403 404 405 413 429 500 501 502 503 504`|multisite|no |List of HTTP error code intercepted by Bunkerweb |
### Greylist
| Setting |Default| Context |Multiple| Description |
|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
|`USE_GREYLIST` |`no` |multisite|no |Activate greylist feature. |
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|`GREYLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to put into the greylist. |
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|`GREYLIST_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to put into the greylist. |
|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|`GREYLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to put into the greylist. |
|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. |
|`GREYLIST_USER_AGENT` | |multisite|no |List of User-Agent, separated with spaces, to put into the greylist. |
@ -203,20 +208,20 @@ When settings are considered as "multiple", it means that you can have multiple
### Headers
| Setting | Default | Context |Multiple| Description |
|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`STRICT_TRANSPORT_SECURITY`|`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|no |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
| Setting | Default | Context |Multiple| Description |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`STRICT_TRANSPORT_SECURITY`|`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
### Let's Encrypt
@ -244,11 +249,11 @@ When settings are considered as "multiple", it means that you can have multiple
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP methods to be sent by clients. |
|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|`HTTPS_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
@ -280,14 +285,14 @@ When settings are considered as "multiple", it means that you can have multiple
### Real IP
| Setting | Default | Context |Multiple| Description |
|--------------------|-----------------------------------------|---------|--------|--------------------------------------------------------------------------------------|
|`USE_REAL_IP` |`no` |multisite|no |Retrieve the real IP of client. |
|`USE_PROXY_PROTOCOL`|`no` |multisite|no |Enable PROXY protocol communication. |
|`REAL_IP_FROM` |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no |List of trusted IPs / networks where proxied requests come from. |
|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks where proxied requests come from. |
|`REAL_IP_HEADER` |`X-Forwarded-For` |multisite|no |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol.|
|`REAL_IP_RECURSIVE` |`yes` |multisite|no |Perform a recursive search in the header container IP address. |
| Setting | Default | Context |Multiple| Description |
|--------------------|-----------------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------|
|`USE_REAL_IP` |`no` |multisite|no |Retrieve the real IP of client. |
|`USE_PROXY_PROTOCOL`|`no` |multisite|no |Enable PROXY protocol communication. |
|`REAL_IP_FROM` |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no |List of trusted IPs / networks, separated with spaces, where proxied requests come from. |
|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.|
|`REAL_IP_HEADER` |`X-Forwarded-For` |multisite|no |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol. |
|`REAL_IP_RECURSIVE` |`yes` |multisite|no |Perform a recursive search in the header container IP address. |
### Redirect
@ -296,44 +301,75 @@ When settings are considered as "multiple", it means that you can have multiple
|`REDIRECT_TO` | |multisite|no |Redirect a whole site to another one. |
|`REDIRECT_TO_REQUEST_URI`|`no` |multisite|no |Append the requested URI to the redirect address.|
### Redis
| Setting |Default|Context|Multiple| Description |
|----------------------|-------|-------|--------|------------------------------------------------------------------|
|`USE_REDIS` |`no` |global |no |Activate Redis. |
|`REDIS_HOST` | |global |no |Redis server IP or hostname. |
|`REDIS_PORT` |`6379` |global |no |Redis server port. |
|`REDIS_DATABASE` |`0` |global |no |Redis database number. |
|`REDIS_SSL` |`no` |global |no |Use SSL/TLS connection with Redis server. |
|`REDIS_TIMEOUT` |`1000` |global |no |Redis server timeout (in ms) for connect, read and write. |
|`REDIS_KEEPALIVE_IDLE`|`30000`|global |no |Max idle time (in ms) before closing redis connection in the pool.|
|`REDIS_KEEPALIVE_POOL`|`10` |global |no |Max number of redis connection(s) kept in the pool. |
### Reverse proxy
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with ; (values for add_header directive). |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time depending on the HTTP status code (list of status=time). |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with semicolons (values for add_header directive). |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives).|
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time depending on the HTTP status code (list of status=time), separated with spaces. |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
### Reverse scan
| Setting | Default | Context |Multiple| Description |
|----------------------|--------------------------|---------|--------|------------------------------------------------------------------|
|`USE_REVERSE_SCAN` |`no` |multisite|no |Enable scanning of clients ports and deny access if one is opened.|
|`REVERSE_SCAN_PORTS` |`22 80 443 3128 8000 8080`|multisite|no |List of port to scan when using reverse scan feature. |
|`REVERSE_SCAN_TIMEOUT`|`500` |multisite|no |Specify the maximum timeout (in ms) when scanning a port. |
### Self-signed certificate
| Setting | Default | Context |Multiple| Description |
|--------------------------|----------------------|---------|--------|-----------------------------------------|
|`GENERATE_SELF_SIGNED_SSL`|`no` |multisite|no |Generate and use self-signed certificate.|
|`SELF_SIGNED_SSL_EXPIRY` |`365` |multisite|no |Self-signed certificate expiry. |
|`SELF_SIGNED_SSL_EXPIRY` |`365` |multisite|no |Self-signed certificate expiry in days. |
|`SELF_SIGNED_SSL_SUBJ` |`/CN=www.example.com/`|multisite|no |Self-signed certificate subject. |
### Sessions
| Setting |Default |Context|Multiple| Description |
|---------------------------|--------|-------|--------|---------------------------------------------------------------------------------|
|`SESSIONS_SECRET` |`random`|global |no |Secret used to encrypt sessions variables for storing data related to challenges.|
|`SESSIONS_NAME` |`random`|global |no |Name of the cookie given to clients. |
|`SESSIONS_IDLING_TIMEOUT` |`1800` |global |no |Maximum time (in seconds) of inactivity before the session is invalidated. |
|`SESSIONS_ROLLING_TIMEOUT` |`3600` |global |no |Maximum time (in seconds) before a session must be renewed. |
|`SESSIONS_ABSOLUTE_TIMEOUT`|`86400` |global |no |Maximum time (in seconds) before a session is destroyed. |
### UI
|Setting |Default| Context |Multiple|Description|
@ -345,11 +381,11 @@ When settings are considered as "multiple", it means that you can have multiple
| Setting | Default | Context |Multiple| Description |
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` |multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent, separated with spaces, to whitelist. |

20
docs/troubleshooting.md
View File

@ -99,6 +99,19 @@ Here is how you can access the logs, depending on your integration :
ansible -i inventory.yml all -a "cat /var/log/nginx/access.log" --become
```
=== "Vagrant"
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
```
## Permissions
Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](/1.4/quickstart-guide/#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
@ -254,6 +267,13 @@ You can manually unban an IP which can be useful when doing some tests but it ne
ansible -i inventory.yml all -a "bwcli unban 1.2.3.4" --become
```
=== "Vagrant"
You can use the `bwcli` command (as root) :
```shell
sudo bwcli unban 1.2.3.4
```
## Whitelisting
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](/1.4/security-tuning/#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :

562
docs/web-ui.md
View File

@ -1,8 +1,5 @@
# Web UI
!!! note "Supported integrations"
At the moment, the web UI is only supported with the [Docker](/1.4/integrations/#docker), [Linux](/1.4/integrations/#linux) and [Ansible](/1.4/integrations/#ansible) integrations. It's not possible to use the web UI with other integrations like [Docker autoconf](/1.4/integrations/#docker-autoconf), [Swarm](/1.4/integrations/#swarm) or [Kubernetes](/1.4/integrations/#kubernetes). Please note that we plan to support more integrations as the project evolves.
## Overview
<p align="center">
@ -39,53 +36,51 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "UI specific env variables"
* Don't forget to add `USE_UI` environnement variable as it adds the security rules needed for `Modsecurity` to work with the UI.
* Also add the `REVERSE_PROXY_INTERCEPT_ERRORS` environnement variable to stop Bunkerweb from intercepting HTTP errors.
* Also it is advised to tweak the `INTERCEPTED_ERROR_CODES` setting to stop Bunkerweb from intercepting certain HTTP errors.
=== "Docker"
When using the [Docker integration](/1.4/integrations/#docker), we recommend you to connect the BunkerWeb and web UI using a dedicated network and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the [bunkerweb-ui image](https://hub.docker.com/r/bunkerity/bunkerweb-ui).
When using the [Docker integration](/1.4/integrations/#docker), we recommend you to connect BunkerWeb and web UI using a dedicated network like with the scheduler and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the [bunkerweb-ui image](https://hub.docker.com/r/bunkerity/bunkerweb-ui).
Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
```shell
docker network create --subnet 10.20.30.0/24 bw-ui && \
docker network create --subnet 10.20.30.0/24 bw-universe && \
docker network create bw-services
```
You will also need two volumes, one for the BunkerWeb data and another one to share the configuration files between the web UI and BunkerWeb :
You will also need the data volume, which where BunkerWeb's data will be stored :
```shell
docker volume create bw-data && \
docker volume create bw-confs
docker volume create bw-data
```
You can now create the BunkerWeb container with specific settings and volumes related to the web UI, please note the special `bunkerweb.UI` label which is mandatory :
You can now create the BunkerWeb container with specific settings related to the web UI, please note the special `bunkerweb.INSTANCE` label which is mandatory for the scheduler as well as the web UI to work properly :
```shell
docker run -d \
--name mybunker \
--name bunkerweb \
--network bw-services \
-p 80:8080 \
-p 443:8443 \
-v bw-data:/data \
-v bw-confs:/etc/nginx \
-e SERVER_NAME=bwadm.example.com \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-e bwadm.example.com_USE_UI=yes \
-e "bwadm.example.com_CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';" \
-e bwadm.example.com_USE_REVERSE_PROXY=yes \
-e bwadm.example.com_REVERSE_PROXY_URL=/changeme/ \
-e bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000 \
-e bwadm.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000 \
-e "bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.6 && \
docker network connect bw-ui mybunker
-e bwadm.example.com_INTERCEPTED_ERROR_CODES="400 401.5.0-beta 413 429 500 501 502 503 504" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.5.0-beta && \
docker network connect bw-universe bunkerweb
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace `10.20.30.0/24` with the same network address used for the `bw-ui` network
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
* replace the `/changeme` URL with a custom one of your choice
* the `bunkerweb.UI` label is mandatory
* the `bunkerweb.INSTANCE` label is mandatory
The web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
@ -97,26 +92,36 @@ Because the web UI is a web application, the recommended installation procedure
Once the network is created, you can now create the docker socket proxy container :
```shell
docker run -d \
--name mydocker \
--name bw-docker \
--network bw-docker \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-e CONTAINERS=1 \
tecnativa/docker-socket-proxy
```
You can then create the scheduler container with the bw-data volume and the docker socket proxy network :
```shell
docker run -d \
--name bw-scheduler \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
docker network connect bw-docker bw-scheduler
```
We can finally create the web UI container :
```shell
docker run -d \
--name myui \
--network bw-ui \
--name bw-ui \
--network bw-universe \
-v bw-data:/data \
-v bw-confs:/etc/nginx \
-e DOCKER_HOST=tcp://mydocker:2375 \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
bunkerity/bunkerweb-ui:1.4.6 && \
docker network connect bw-docker myui
bunkerity/bunkerweb-ui:1.5.0-beta && \
docker network connect bw-docker bw-ui
```
Important things to note :
@ -126,72 +131,469 @@ Because the web UI is a web application, the recommended installation procedure
Here is the docker-compose equivalent :
```yaml
version: '3'
version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.4.6
networks:
- bw-services
- bw-ui
bunkerweb:
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
volumes:
- bw-data:/data
- bw-confs:/etc/nginx
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=bwadm.example.com
- MULTISITE=yes
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- bwadm.example.com_USE_UI=yes
- bwadm.example.com_CONTENT_SECURITY_POLICY="object-src 'none'; frame-ancestors 'self';"
- bwadm.example.com_USE_REVERSE_PROXY=yes
- bwadm.example.com_REVERSE_PROXY_URL=/changeme/
- bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000
- bwadm.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
labels:
- "bunkerweb.UI"
myui:
image: bunkerity/bunkerweb-ui:1.4.6
depends_on:
- mydocker
- "bunkerweb.INSTANCE"
networks:
- bw-ui
- bw-docker
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
volumes:
- bw-data:/data
- bw-confs:/etc/nginx
environment:
- DOCKER_HOST=tcp://mydocker:2375
- DOCKER_HOST=tcp://bw-docker:2375
networks:
- bw-universe
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
mydocker:
image: tecnativa/docker-socket-proxy
networks:
- bw-docker
- bw-universe
bw-docker:
image: tecnativa/docker-socket-proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- bw-docker
volumes:
bw-data:
networks:
bw-services:
bw-ui:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
```
=== "Docker autoconf"
When using the [Docker autoconf integration](/1.4/integrations/#docker-autoconf), we recommend you to connect the Autoconf and web UI containers using a dedicated network like with the scheduler and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the [bunkerweb-ui image](https://hub.docker.com/r/bunkerity/bunkerweb-ui).
Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
```shell
docker network create --subnet 10.20.30.0/24 bw-universe && \
docker network create bw-services
```
You will also need the data volume, which where BunkerWeb's data will be stored :
```shell
docker volume create bw-data
```
You can now create the BunkerWeb container, please note the special `bunkerweb.INSTANCE` label which is mandatory for the scheduler as well as the web UI to work properly :
```shell
docker run -d \
--name bunkerweb \
--network bw-universe \
-p 80:8080 \
-p 443:8443 \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.5.0-beta
```
Important things to note :
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
* the `bunkerweb.INSTANCE` label is mandatory
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
To connect the docker socket proxy and the web UI, you will need another network :
```shell
docker network create bw-docker
```
Once the network is created, you can now create the docker socket proxy container :
```shell
docker run -d \
--name bw-docker \
--network bw-docker \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-e CONTAINERS=1 \
tecnativa/docker-socket-proxy
```
You can then create the autoconf container connected to the docker socket proxy network :
```shell
docker run -d \
--name bw-autoconf \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-autoconf:1.5.0-beta && \
docker network connect bw-docker bw-autoconf
```
You can then create the scheduler container with the bw-data volume and the docker socket proxy network :
```shell
docker run -d \
--name bw-scheduler \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
docker network connect bw-docker bw-scheduler
```
We can finally create the web UI container :
```shell
docker run -d \
--name bw-ui \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
-l "bunkerweb.SERVER_NAME=bwadm.example.com" \
-l "bunkerweb.USE_UI=yes" \
-l "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';" \
-l "bunkerweb.USE_REVERSE_PROXY=yes" \
-l "bunkerweb.REVERSE_PROXY_URL=/changeme" \
-l "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000" \
-l "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
-l "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504" \
bunkerity/bunkerweb-ui:1.5.0-beta && \
docker network connect bw-docker bw-ui
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace the `/changeme` URL with a custom one of your choice
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used when creating the BunkerWeb container)
* Replace the username `admin` and password `changeme` with strong ones
Here is the docker-compose equivalent :
```yaml
version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE"
environment:
- SERVER_NAME=
- MULTISITE=yes
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
networks:
- bw-universe
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:
aliases:
- bw-ui
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=bwadm.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504"
volumes:
bw-data:
bw-confs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
bw-docker:
name: bw-docker
```
=== "Swarm"
When using the [Swarm integration](/1.4/integrations/#swarm), we recommend you to connect the Swarm and web UI containers using a dedicated network like with the scheduler and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the [bunkerweb-ui image](https://hub.docker.com/r/bunkerity/bunkerweb-ui).
Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
```shell
docker network create --subnet 10.20.30.0/24 bw-universe && \
docker network create bw-services
```
You will also need the data volume, which where BunkerWeb's data will be stored :
```shell
docker volume create bw-data
```
You can now create the BunkerWeb container, please note the special `bunkerweb.INSTANCE` label which is mandatory for the scheduler as well as the web UI to work properly :
```shell
docker run -d \
--name bunkerweb \
--network bw-universe \
-p 80:8080 \
-p 443:8443 \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.5.0-beta
```
Important things to note :
* replace `10.20.30.0/24` with the same network address used for the `bw-universe` network
* the `bunkerweb.INSTANCE` label is mandatory
The Autoconf and web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the **docker.sock** file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a [docker socket proxy](https://github.com/Tecnativa/docker-socket-proxy) to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).
To connect the docker socket proxy and the web UI, you will need another network :
```shell
docker network create bw-docker
```
Once the network is created, you can now create the docker socket proxy container :
```shell
docker run -d \
--name bw-docker \
--network bw-docker \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-e CONTAINERS=1 \
tecnativa/docker-socket-proxy
```
You can then create the autoconf container connected to the docker socket proxy network :
```shell
docker run -d \
--name bw-autoconf \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-autoconf:1.5.0-beta && \
docker network connect bw-docker bw-autoconf
```
You can then create the scheduler container with the bw-data volume and the docker socket proxy network :
```shell
docker run -d \
--name bw-scheduler \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
bunkerity/bunkerweb-scheduler:1.5.0-beta && \
docker network connect bw-docker bw-scheduler
```
We can finally create the web UI container :
```shell
docker run -d \
--name bw-ui \
--network bw-universe \
-v bw-data:/data \
-e DOCKER_HOST=tcp://bw-docker:2375 \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
-l "bunkerweb.SERVER_NAME=bwadm.example.com" \
-l "bunkerweb.USE_UI=yes" \
-l "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';" \
-l "bunkerweb.USE_REVERSE_PROXY=yes" \
-l "bunkerweb.REVERSE_PROXY_URL=/changeme" \
-l "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000" \
-l "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
-l "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504" \
bunkerity/bunkerweb-ui:1.5.0-beta && \
docker network connect bw-docker bw-ui
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace the `/changeme` URL with a custom one of your choice
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used when creating the BunkerWeb container)
* Replace the username `admin` and password `changeme` with strong ones
Here is the docker-compose equivalent :
```yaml
version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE"
environment:
- SERVER_NAME=
- MULTISITE=yes
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
networks:
- bw-universe
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
networks:
- bw-universe
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:
aliases:
- bw-ui
volumes:
- bw-data:/data
environment:
- DOCKER_HOST=tcp://bw-docker:2375
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://bwadm.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=bwadm.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 401.5.0-beta 405 413 429 500 501 502 503 504"
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
bw-docker:
name: bw-docker
```
=== "Kubernetes"
=== "Linux"
The installation of the web UI using the [Linux integration](/1.4/integrations/#linux) is pretty straightforward because it is installed with BunkerWeb.
@ -304,3 +706,53 @@ Because the web UI is a web application, the recommended installation procedure
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
The first thing to do is to edit the BunkerWeb configuration located at **/etc/bunkerweb/variables.env** to add settings related to the web UI :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
...
SERVER_NAME=bwadm.example.com
MULTISITE=yes
USE_API=yes
API_WHITELIST_IP=127.0.0.0/8
bwadm.example.com_USE_UI=yes
bwadm.example.com_USE_REVERSE_PROXY=yes
bwadm.example.com_REVERSE_PROXY_URL=/changeme/
bwadm.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
...
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace the `/changeme` URLs with a custom one of your choice
Once the configuration file is edited, you will need to restart BunkerWeb :
```shell
systemctl restart bunkerweb
```
You can edit the **/etc/bunkerweb/ui.env** file containing the settings of the web UI :
```conf
ADMIN_USERNAME=admin
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
```
Important things to note :
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in **/etc/bunkerweb/variables.env**)
* replace the username `admin` and password `changeme` with strong ones
Restart the BunkerWeb UI service and you are now ready to access it :
```shell
systemctl restart bunkerweb-ui
```

4
examples/authelia/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -44,7 +44,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/authentik/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

5
examples/behind-reverse-proxy/docker-compose.yml
View File

@ -2,11 +2,10 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
@ -25,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/bigbluebutton/docker-compose.yml
View File

@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -50,7 +50,7 @@ services:
bw-universe:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/certbot-dns-cloudflare/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/certbot-dns-digitalocean/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/certbot-dns-google/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/certbot-dns-ovh/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/certbot-dns-route53/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bbw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/community/brawdunoir-homelab/docker/bw/bw-data/modsec/nextcloud.conf
View File

@ -1 +1 @@
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"

4
examples/cors/autoconf.yml
View File

@ -21,7 +21,7 @@ services:
- bunkerweb.REMOTE_PHP_PATH=/app
myapp2:
image: php:fpm-alpine
image: php:fpm
networks:
bw-services:
aliases:
@ -38,7 +38,7 @@ services:
- bunkerweb.REMOTE_PHP_PATH=/app
myapp3:
image: php:fpm-alpine
image: php:fpm
networks:
bw-services:
aliases:

4
examples/cors/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -38,7 +38,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/docker-configs/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/drupal/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/drupal/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_drupal_modsec_crs
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs cfg_drupal_modsec_crs -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/modsec-crs/drupal.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_drupal_modsec_crs ./bw-data/configs/modsec-crs/drupal.conf

4
examples/ghost/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/gogs/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/gogs/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_gogs_modsec_crs
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs cfg_gogs_modsec_crs -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/modsec-crs/gogs.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_gogs_modsec_crs ./bw-data/configs/modsec-crs/gogs.conf

4
examples/hardened/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
# dropping all capabilities
cap_drop:
- ALL
@ -38,7 +38,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

10
examples/joomla/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -54,9 +54,9 @@ services:
- joomla-data:/var/www/html
environment:
- JOOMLA_DB_HOST=mydb
- JOOMLA_DB_NAME=${JOOMLA_DATABASE:-joomladb}
- JOOMLA_DB_USER=${JOOMLA_USER:-user}
- JOOMLA_DB_PASSWORD=${JOOMLA_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- JOOMLA_DB_NAME=joomla_db
- JOOMLA_DB_USER=user
- JOOMLA_DB_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
networks:
- bw-services

4
examples/load-balancer/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

8
examples/magento/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -29,11 +29,11 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
@ -86,7 +86,7 @@ services:
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
network:
networks:
- bw-services
volumes:

2
examples/magento/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_magento_server_http
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=server-http cfg_magento_server_http -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/server-http/buffering.conf
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=www.example.com cfg_magento_server_http ./bw-data/configs/server-http/buffering.conf

2
examples/magento/tests.json
View File

@ -3,7 +3,7 @@
"kinds": ["docker", "autoconf", "swarm", "kubernetes"],
"timeout": 360,
"no_copy_container": true,
"delay": 240,
"delay": 300,
"tests": [
{
"type": "string",

5
examples/mattermost/docker-compose.yml
View File

@ -2,12 +2,13 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
@ -43,7 +44,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

0
examples/mongo-express/bw-data/configs/modsec/www.example.com/mongo-express.conf → examples/mongo-express/bw-data/configs/modsec/mongo-express.conf
View File

4
examples/mongo-express/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/mongo-express/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_me_modsec
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_me_modsec ./bw-data/configs/modsec/www.example.com/mongo-express.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_me_modsec ./bw-data/configs/modsec/mongo-express.conf

5
examples/moodle/docker-compose.yml
View File

@ -2,12 +2,13 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
@ -24,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/moodle/swarm.yml
View File

@ -32,7 +32,7 @@ services:
mydb:
image: mariadb:10.5
volumes:
- db_data:/var/lib/mysql
- db-data:/var/lib/mysql
networks:
- bw-services
environment:

2
examples/nextcloud/autoconf.yml
View File

@ -54,7 +54,7 @@ services:
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
- |
bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
mydb:

2
examples/nextcloud/bw-data/configs/modsec/nextcloud.conf
View File

@ -1 +1 @@
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"

16
examples/nextcloud/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -10,6 +10,7 @@ services:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- API_WHITELIST_IP=127.0.0.1 10.20.30.0/24
- MAX_CLIENT_SIZE=10G
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
@ -53,7 +54,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -84,9 +85,9 @@ services:
- TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
- APACHE_DISABLE_REWRITE_IP=1
- MYSQL_HOST=mydb
- MYSQL_DATABASE=${NEXTCLOUD_DATABASE:-nextclouddb}
- MYSQL_USER=${NEXTCLOUD_USER:-user}
- MYSQL_PASSWORD=${NEXTCLOUD_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
networks:
- bw-services
@ -94,12 +95,12 @@ services:
image: mariadb:10.9
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- ./db-data:/var/lib/mysql
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- bw-universe
- bw-services
@ -109,6 +110,7 @@ volumes:
db-data:
nc-files:
networks:
bw-universe:
ipam:

4
examples/nextcloud/setup-swarm.sh
View File

@ -11,5 +11,5 @@ docker config rm cfg_nextcloud_modsec
docker config rm cfg_nextcloud_modsec_crs
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=modsec cfg_nextcloud_modsec -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/modsec/nextcloud.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs cfg_nextcloud_modsec_crs -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/modsec-crs/nextcloud.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec ./bw-data/configs/modsec/nextcloud.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec_crs ./bw-data/configs/modsec-crs/nextcloud.conf

4
examples/passbolt/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -26,7 +26,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/php-cookie-flags/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

12
examples/php-cookie-flags/tests.json
View File

@ -1,12 +0,0 @@
{
"name": "php-cookie",
"kinds": ["docker"],
"timeout": 60,
"tests": [
{
"type": "string",
"url": "https://www.example.com",
"string": "Cookie 'my_cookie' is set!"
}
]
}

4
examples/php-multisite/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- net-app2
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

6
examples/php-singlesite/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -30,7 +30,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -68,4 +68,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

7
examples/prestashop/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -65,7 +65,8 @@ services:
networks:
- bw-services
image: mariadb
mydb:
image: mariadb
volumes:
- db-data:/var/lib/mysql
networks:

4
examples/prestashop/tests.json
View File

@ -1,8 +1,8 @@
{
"name": "prestashop",
"kinds": ["docker", "autoconf", "swarm", "kubernetes"],
"timeout": 180,
"delay": 180,
"timeout": 240,
"delay": 240,
"tests": [
{
"type": "string",

4
examples/proxy-protocol/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/radarr/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/redmine/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/reverse-proxy-multisite/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/reverse-proxy-singlesite/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -32,7 +32,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

2
examples/reverse-proxy-singlesite/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_reverse_server_http
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=server-http cfg_reverse_server_http -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/server-http/redirects.conf
docker config create -l bunkerweb.CONFIG_TYPE=server-http -l bunkerweb.CONFIG_SITE=www.example.com cfg_reverse_server_http ./bw-data/configs/server-http/redirects.conf

4
examples/reverse-proxy-websocket/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

0
examples/reverse-proxy-websocket/tests.json → examples/reverse-proxy-websocket/tests.json.todo
View File

4
examples/syslog/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
logging:
driver: syslog
options:
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
logging:
driver: syslog
options:

4
examples/tomcat/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

4
examples/tor-hidden-service/docker-compose.yml
View File

@ -12,7 +12,7 @@ services:
- bw-universe
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
environment:
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
# disable common security measures based on IP
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:

6
examples/web-ui/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -32,7 +32,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -44,7 +44,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
depends_on:
- bw-docker-proxy
environment:

2
examples/wordpress/autoconf.yml
View File

@ -47,7 +47,7 @@ services:
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
volumes:
bw-data:
wp-data:
db-data:
networks:

10
examples/wordpress/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- mybunker
environment:
@ -51,9 +51,9 @@ services:
- wp-data:/var/www/html
environment:
- WORDPRESS_DB_HOST=mydb
- WORDPRESS_DB_NAME=${WORDPRESS_DATABASE:-wp}
- WORDPRESS_DB_USER=${WORDPRESS_USER:-user}
- WORDPRESS_DB_PASSWORD=${WORDPRESS_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- WORDPRESS_DB_NAME=wp
- WORDPRESS_DB_USER=user
- WORDPRESS_DB_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- WORDPRESS_TABLE_PREFIX=prefix_ # best practice : replace with a random prefix
networks:
- bw-services

2
examples/wordpress/setup-swarm.sh
View File

@ -10,4 +10,4 @@
docker config rm cfg_wordpress_modsec_crs
# create configs
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs cfg_wordpress_modsec_crs -l bunkerweb.CONFIG_SITE=www.example.com ./bw-data/configs/modsec-crs/wordpress.conf
docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_wordpress_modsec_crs ./bw-data/configs/modsec-crs/wordpress.conf

27
misc/bunker_rocket.ascii Normal file
View File

@ -0,0 +1,27 @@
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

19
misc/hardened_docker.ascii Normal file
View File

@ -0,0 +1,19 @@
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

8
misc/integrations/autoconf.mariadb.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -66,7 +66,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:

6
misc/integrations/autoconf.mariadb.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

8
misc/integrations/autoconf.mysql.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -66,7 +66,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:

6
misc/integrations/autoconf.mysql.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

8
misc/integrations/autoconf.postgres.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -65,7 +65,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:

6
misc/integrations/autoconf.postgres.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

8
misc/integrations/autoconf.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -55,7 +55,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
networks:
bw-docker:
bw-universe:

6
misc/integrations/autoconf.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

6
misc/integrations/docker.mariadb.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -50,7 +50,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
depends_on:
- bw-docker
environment:

4
misc/integrations/docker.mariadb.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

6
misc/integrations/docker.mysql.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -50,7 +50,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
depends_on:
- bw-docker
environment:

4
misc/integrations/docker.mysql.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

6
misc/integrations/docker.postgres.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -50,7 +50,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
depends_on:
- bw-docker
environment:

4
misc/integrations/docker.postgres.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

6
misc/integrations/docker.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker
@ -45,7 +45,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
depends_on:
- bw-docker
volumes:

4
misc/integrations/docker.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- 80:8080
- 443:8443
@ -16,7 +16,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
depends_on:
- bunkerweb
- bw-docker

8
misc/integrations/k8s.mariadb.ui.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:
@ -223,7 +227,7 @@ spec:
spec:
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME

19
misc/integrations/k8s.mariadb.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:
@ -93,8 +97,6 @@ spec:
periodSeconds: 1
timeoutSeconds: 1
failureThreshold: 3
#imagePullSecrets:
#- name: secret-registry
---
apiVersion: apps/v1
kind: Deployment
@ -122,8 +124,6 @@ spec:
value: "yes"
- name: "DATABASE_URI"
value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
#imagePullSecrets:
#- name: secret-registry
---
apiVersion: apps/v1
kind: Deployment
@ -141,17 +141,16 @@ spec:
labels:
app: bunkerweb-scheduler
spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
value: "yes"
- name: "DATABASE_URI"
value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
#imagePullSecrets:
#- name: secret-registry
---
apiVersion: apps/v1
kind: Deployment
@ -258,5 +257,3 @@ spec:
resources:
requests:
storage: 5Gi
storageClassName: ""
volumeName: pv-bunkerweb

8
misc/integrations/k8s.mysql.ui.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:
@ -281,7 +285,7 @@ spec:
spec:
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME

6
misc/integrations/k8s.mysql.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:

8
misc/integrations/k8s.postgres.ui.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:
@ -221,7 +225,7 @@ spec:
spec:
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME

6
misc/integrations/k8s.postgres.yml
View File

@ -43,7 +43,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/INSTANCE: "yes"
spec:
containers:
- name: bunkerweb
@ -77,6 +77,10 @@ spec:
value: ""
- name: MULTISITE
value: "yes"
- name: USE_REDIS
value: "yes"
- name: REDIS_HOST
value: "svc-bunkerweb-redis.default.svc.cluster.local"
livenessProbe:
exec:
command:

8
misc/integrations/swarm.mariadb.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -59,7 +59,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -86,7 +86,7 @@ services:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375

22
misc/integrations/swarm.mariadb.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -40,6 +40,10 @@ services:
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-docker:
image: tecnativa/docker-socket-proxy
@ -59,7 +63,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -67,6 +71,10 @@ services:
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-db:
image: mariadb:10.10
@ -79,11 +87,19 @@ services:
- bw-data:/var/lib/mysql
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-redis:
image: redis:7-alpine
networks:
- bw-universe
deploy:
placement:
constraints:
- "node.role == worker"
volumes:
bw-data:

8
misc/integrations/swarm.mysql.ui.yml
View File

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.0-beta
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -59,7 +59,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -86,7 +86,7 @@ services:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.0-beta
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375

Some files were not shown because too many files have changed in this diff Show More