Merge pull request #472 from bunkerity/dev
Merge branch "dev" into branch "ui"
commit
8bb6f63fa7
57 changed files with 323 additions and 232 deletions
27
.github/workflows/beta.yml
vendored
27
.github/workflows/beta.yml
vendored
|
@ -96,7 +96,7 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
platforms: [linux/amd64, linux/arm64, linux/arm/v7]
|
||||
platforms: [linux/amd64, linux/arm64]
|
||||
include:
|
||||
- release: beta
|
||||
- linux: ubuntu
|
||||
|
@ -107,11 +107,6 @@ jobs:
|
|||
package: rpm
|
||||
- linux: rhel
|
||||
package: rpm
|
||||
exclude:
|
||||
- linux: fedora
|
||||
platforms: linux/arm/v7
|
||||
- linux: rhel
|
||||
platforms: linux/arm/v7
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
|
@ -183,7 +178,7 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, el]
|
||||
arch: [amd64, arm64, armv7]
|
||||
arch: [amd64, arm64]
|
||||
include:
|
||||
- release: beta
|
||||
repo: bunkerweb
|
||||
|
@ -229,29 +224,19 @@ jobs:
|
|||
arch: arm64
|
||||
package_arch: aarch64
|
||||
- linux: el
|
||||
arch: amd64
|
||||
arch: arm64
|
||||
package_arch: aarch64
|
||||
- linux: ubuntu
|
||||
arch: armv7
|
||||
package_arch: armhf
|
||||
- linux: debian
|
||||
arch: armv7
|
||||
package_arch: armhf
|
||||
exclude:
|
||||
- linux: fedora
|
||||
arch: armv7
|
||||
- linux: el
|
||||
arch: armv7
|
||||
uses: ./.github/workflows/push-packagecloud.yml
|
||||
with:
|
||||
SEPARATOR: ${{ matrix.separator }}
|
||||
SUFFIX: ${{ matrix.suffix }}
|
||||
REPO: ${{ matrix.repo }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
VERSION: ${{ matrix.separator }}
|
||||
VERSION: ${{ matrix.version }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
BW_VERSION: ${{ $matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
|
||||
BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
|
||||
PACKAGE_ARCH: ${{ matrix.package_arch }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
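Review bot: The `BW_VERSION` expression in this `with:` block uses the `a && b || c` form, which falls through to `needs.wait-builds.outputs.version` whenever `versionrpm` is an empty string, so an rpm job whose upstream output is missing would silently operate on the deb-style version. The corrected line (the one without the stray `$`, presumably the new side) fixes the syntax but keeps that fallback. Consider failing fast in the called workflow when `inputs.BW_VERSION` is empty, or at least documenting it with a comment such as `# falls back to the deb version if versionrpm is empty`. The job definition starts outside the hunk.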
|
||||
|
||||
|
|
48
.github/workflows/linux-build.yml
vendored
48
.github/workflows/linux-build.yml
vendored
|
@ -19,13 +19,6 @@ on:
|
|||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
ARM_SSH_KEY:
|
||||
required: false
|
||||
ARM_SSH_IP:
|
||||
required: false
|
||||
ARM_SSH_CONFIG:
|
||||
required: false
|
||||
|
||||
secrets:
|
||||
DOCKER_USERNAME:
|
||||
required: true
|
||||
|
@ -35,6 +28,12 @@ on:
|
|||
required: true
|
||||
PRIVATE_REGISTRY_TOKEN:
|
||||
required: true
|
||||
ARM_SSH_KEY:
|
||||
required: false
|
||||
ARM_SSH_IP:
|
||||
required: false
|
||||
ARM_SSH_CONFIG:
|
||||
required: false
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
@ -48,8 +47,20 @@ jobs:
|
|||
echo "ARCH=${{ env.PLATFORMS }}" | sed 's/linux//g' | sed 's@/@@g' >> "$GITHUB_ENV"
|
||||
env:
|
||||
PLATFORMS: ${{ inputs.PLATFORMS }}
|
||||
- name: Extract linux arch
|
||||
if: inputs.PACKAGE == 'rpm'
|
||||
run : |
|
||||
echo "LARCH=${{ env.ARCH }}" | sed 's/amd64/x86_64/g' | sed 's/arm64/aarch64/g' >> "$GITHUB_ENV"
|
||||
env:
|
||||
ARCH: ${{ env.ARCH }}
|
||||
- name: Extract linux arch
|
||||
if: inputs.PACKAGE == 'deb'
|
||||
run : |
|
||||
echo "LARCH=${{ env.ARCH }}" >> "$GITHUB_ENV"
|
||||
env:
|
||||
ARCH: ${{ env.ARCH }}
|
||||
- name: Setup SSH for ARM node
|
||||
if: startsWith(env.ARCH, "arm") == true
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
|
||||
|
@ -61,10 +72,10 @@ jobs:
|
|||
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@v2
|
||||
if: startsWith(env.ARCH, "arm") == false
|
||||
if: startsWith(env.ARCH, 'arm') == false
|
||||
- name: Setup Buildx (ARM)
|
||||
uses: docker/setup-buildx-action@v2
|
||||
if: startsWith(env.ARCH, "arm") == true
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
with:
|
||||
endpoint: ssh://root@arm
|
||||
platforms: linux/arm64,linux/arm/v7,linux/arm/v6
|
||||
|
@ -103,10 +114,23 @@ jobs:
|
|||
tags: local/bunkerweb-${{ inputs.LINUX }}:latest
|
||||
# Generate package
|
||||
- name: Generate package
|
||||
run: ./src/linux/package.sh ${{ inputs.LINUX }}
|
||||
if: startsWith(env.ARCH, 'arm') == false
|
||||
run: ./src/linux/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }}
|
||||
env:
|
||||
LARCH: ${{ env.LARCH }}
|
||||
- name: Generate package (ARM)
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
run: |
|
||||
docker save local/bunkerweb-${{ inputs.LINUX }}:latest | ssh -C root@arm docker load
|
||||
scp ./src/linux/package.sh root@arm:/opt
|
||||
ssh root@arm chmod +x /opt/package.sh
|
||||
ssh root@arm /opt/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }} "$(cat src/VERSION | tr -d '\n')"
|
||||
scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
|
||||
env:
|
||||
LARCH: ${{ env.LARCH }}
|
||||
- uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: package-${{ inputs.LINUX }}-${{ env.ARCH }}
|
||||
name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
|
||||
path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
|
||||
# Build test image
|
||||
- name: Build test image
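Review bot: The "Generate package" steps paste `${{ inputs.LINUX }}` and `${{ env.LARCH }}` directly into the shell script even though the step already exports `LARCH` through `env:`; expression text is substituted before the shell runs, so any metacharacter in those values becomes script syntax. Referencing them as `"$LINUX"` and `"$LARCH"` keeps them as data, as sketched below for the ARM step (the non-ARM step would become `run: ./src/linux/package.sh "$LINUX" "$LARCH"`). In the ARM step the arguments are also re-parsed by the remote shell on `root@arm`, so the contents of `src/VERSION` are evaluated as root on the build node; checking that value against a version pattern before the `ssh` call would bound it. The SSH configuration that decides host-key checking for `arm` is outside this hunk and worth confirming.

```yaml
      - name: Generate package (ARM)
        if: startsWith(env.ARCH, 'arm') == true
        run: |
          docker save "local/bunkerweb-${LINUX}:latest" | ssh -C root@arm docker load
          # … unchanged: scp of package.sh to /opt and chmod +x …
          ssh root@arm /opt/package.sh "$LINUX" "$LARCH" "$(tr -d '\n' < src/VERSION)"
          scp -r "root@arm:/root/package-${LINUX}" "./package-${LINUX}"
        env:
          LINUX: ${{ inputs.LINUX }}
          LARCH: ${{ env.LARCH }}
```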
|
||||
|
|
6
.github/workflows/push-packagecloud.yml
vendored
6
.github/workflows/push-packagecloud.yml
vendored
|
@ -51,13 +51,13 @@ jobs:
|
|||
- uses: actions/download-artifact@v3
|
||||
if: inputs.LINUX != 'el'
|
||||
with:
|
||||
name: package-${{ inputs.LINUX }}-${{ inputs.ARCH }}
|
||||
name: package-${{ inputs.LINUX }}-${{ inputs.PACKAGE_ARCH }}
|
||||
path: /tmp/${{ inputs.LINUX }}
|
||||
- uses: actions/download-artifact@v3
|
||||
if: inputs.LINUX == 'el'
|
||||
with:
|
||||
name: package-rhel
|
||||
path: /tmp/${{ inputs.LINUX }}-${{ inputs.ARCH }}
|
||||
name: package-rhel-${{ inputs.PACKAGE_ARCH }}
|
||||
path: /tmp/${{ inputs.LINUX }}
|
||||
# Remove existing packages
|
||||
- name: Remove existing package
|
||||
run: package_cloud yank bunkerity/${{ inputs.REPO }}/${{ inputs.LINUX }}/${{ inputs.VERSION }} bunkerweb${{ inputs.SEPARATOR }}${{ inputs.BW_VERSION }}${{ inputs.SEPARATOR }}${{ inputs.SUFFIX }}${{ inputs.PACKAGE_ARCH }}.${{ inputs.PACKAGE }}
|
||||
|
|
24
.github/workflows/staging.yml
vendored
24
.github/workflows/staging.yml
vendored
|
@ -105,17 +105,17 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
include:
|
||||
- type: docker
|
||||
runs_on: "['self-hosted', 'bw-docker']"
|
||||
- type: autoconf
|
||||
runs_on: "['self-hosted', 'bw-autoconf']"
|
||||
- type: swarm
|
||||
runs_on: "['self-hosted', 'bw-swarm']"
|
||||
- type: k8s
|
||||
runs_on: "['ubuntu-latest']"
|
||||
- type: linux
|
||||
runs_on: "['self-hosted', 'bw-linux']"
|
||||
include:
|
||||
- type: docker
|
||||
runs_on: "['self-hosted', 'bw-docker']"
|
||||
- type: autoconf
|
||||
runs_on: "['self-hosted', 'bw-autoconf']"
|
||||
- type: swarm
|
||||
runs_on: "['self-hosted', 'bw-swarm']"
|
||||
- type: k8s
|
||||
runs_on: "['ubuntu-latest']"
|
||||
- type: linux
|
||||
runs_on: "['self-hosted', 'bw-linux']"
|
||||
uses: ./.github/workflows/staging-tests.yml
|
||||
with:
|
||||
TYPE: ${{ matrix.type }}
|
||||
|
@ -133,7 +133,7 @@ jobs:
|
|||
# Delete infrastructures
|
||||
delete-infras:
|
||||
if: ${{ always() }}
|
||||
needs: [create-infras]
|
||||
needs: [staging-tests]
|
||||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
|
|
|
@ -813,7 +813,7 @@ spec:
|
|||
<figcaption>Linux integration</figcaption>
|
||||
</figure>
|
||||
|
||||
List of supported Linux distros :
|
||||
List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) :
|
||||
|
||||
- Debian 11 "Bullseye"
|
||||
- Ubuntu 22.04 "Jammy"
|
||||
|
@ -1079,7 +1079,7 @@ BunkerWeb is managed using systemctl :
|
|||
<figcaption>Ansible integration</figcaption>
|
||||
</figure>
|
||||
|
||||
List of supported Linux distros :
|
||||
List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) :
|
||||
|
||||
- Debian 11 "Bullseye"
|
||||
- Ubuntu 22.04 "Jammy"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
mkdocs==1.4.2
|
||||
mkdocs-material==9.1.8
|
||||
mkdocs==1.4.3
|
||||
mkdocs-material==9.1.11
|
||||
pytablewriter==0.64.2
|
||||
mike==1.1.2
|
||||
jinja2<3.1.0
|
||||
|
|
|
@ -26,7 +26,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
The security of the web UI is really important. If someone manages to gain access to the application, not only he will be able to edit your configurations but he could execute some code in the context of BunkerWeb (with a custom configuration containing LUA code for example). We highly recommend you to follow minimal security best practices like :
|
||||
|
||||
* Choose a strong password for the login
|
||||
* Choose a strong password for the login (**at least 8 chars with 1 lower case letter, 1 upper case letter, 1 digit and 1 special char is required**)
|
||||
* Put the web UI under a "hard to guess" URI
|
||||
* Do not open the web UI on the Internet without any further restrictions
|
||||
* Apply settings listed in the [security tuning section](security-tuning.md) of the documentation
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
drupalUsername: "user"
|
||||
drupalPassword: "changeme42"
|
||||
drupalEmail: "contact@example.com"
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
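Review bot: The added `mariadb.auth.password: "changeme1337"` commits a fixed database password into the example values, and the same block is added to the ghost (`mysql.auth.password`), joomla, magento, moodle, prestashop, redmine and wordpress values further down. Anyone who deploys an example unchanged ends up with a database protected by a publicly known password. Add a comment above the key such as `# example only: override with --set or a Secret before deploying`, or, if the subchart supports it, reference an existing Secret instead of an inline value.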
|
|
@ -3,7 +3,7 @@
|
|||
"kinds": ["docker", "autoconf", "swarm", "kubernetes", "linux"],
|
||||
"no_copy_container": true,
|
||||
"timeout": 60,
|
||||
"delay": 60,
|
||||
"delay": 120,
|
||||
"tests": [
|
||||
{
|
||||
"type": "string",
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
ghostUsername: "user"
|
||||
ghostPassword: "changeme42"
|
||||
ghostHost: "www.example.com"
|
||||
mysql:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -1,3 +1,6 @@
|
|||
joomlaUsername: "user"
|
||||
joomlaPassword: "changeme42"
|
||||
joomlaEmail: "contact@example.com"
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -18,7 +18,7 @@ services:
|
|||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://app
|
||||
- |
|
||||
CUSTOM_CONF_HTTP_upstream.conf=
|
||||
CUSTOM_CONF_HTTP_upstream=
|
||||
upstream app {
|
||||
server app1:80;
|
||||
server app2:80;
|
||||
|
|
|
@ -5,3 +5,6 @@ magentoEmail: "contact@example.com"
|
|||
magentoFirstName: "John"
|
||||
magentoLastName: "Doe"
|
||||
magentoAdminUri: "admin"
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -2,3 +2,6 @@ moodleSiteName: "My Moodle"
|
|||
moodleUsername: "admin"
|
||||
moodlePassword: "changeme42"
|
||||
moodleEmail: "admin@example.com"
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -8,3 +8,6 @@ prestashopCountry: "us"
|
|||
prestashopLanguage: "en"
|
||||
service:
|
||||
type: ClusterIP
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -4,3 +4,6 @@ redmineEmail: "user@example.com"
|
|||
redmineLanguage: "en"
|
||||
service:
|
||||
type: ClusterIP
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -6,3 +6,6 @@ wordpressLastName: "LastName"
|
|||
wordpressBlogName: "User's Blog!"
|
||||
wordpressTablePrefix: "changeme_"
|
||||
wordpressScheme: "https"
|
||||
mariadb:
|
||||
auth:
|
||||
password: "changeme1337"
|
|
@ -13,6 +13,7 @@ RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev
|
|||
pip install --no-cache-dir --upgrade pip && \
|
||||
pip install wheel && \
|
||||
mkdir -p /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
apk del .build-deps
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ class IngressController(Controller, ConfigCaller):
|
|||
self.__logger.warning(f"Missing container bunkerweb in pod {controller_instance.metadata.name}")
|
||||
else:
|
||||
for env in pod.env:
|
||||
instance["env"][env.name] = env.value
|
||||
instance["env"][env.name] = env.value or ""
|
||||
for controller_service in self._get_controller_services():
|
||||
if controller_service.metadata.annotations:
|
||||
for (
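Review bot: `env.value or ""` turns every variable without a literal value into an empty string, and that includes entries declared with `valueFrom` (Secret or ConfigMap references), for which the Kubernetes client leaves `value` unset. The instance then carries the setting as empty rather than absent, and nothing downstream can tell the two apart. Consider skipping or logging such entries first, e.g. `if env.value is None: self.__logger.debug(f"Ignoring {env.name}: no literal value")`, and fall back to `""` only where an empty value is really intended. The enclosing method starts and ends outside the hunk.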
|
||||
|
|
|
@ -64,7 +64,9 @@ utils.has_variable = function(var, value)
|
|||
return true, "success"
|
||||
end
|
||||
end
|
||||
return false, "success"
|
||||
if servers ~= "" then
|
||||
return false, "success"
|
||||
end
|
||||
end
|
||||
return check_value == value, "success"
|
||||
end
|
||||
|
@ -93,7 +95,9 @@ utils.has_not_variable = function(var, value)
|
|||
return true, "success"
|
||||
end
|
||||
end
|
||||
return false, "success"
|
||||
if servers ~= "" then
|
||||
return false, "success"
|
||||
end
|
||||
end
|
||||
return check_value ~= value, "success"
|
||||
end
|
||||
|
|
|
@ -162,7 +162,7 @@ function blacklist:kind_to_ele(kind)
|
|||
end
|
||||
|
||||
function blacklist:is_in_cache(ele)
|
||||
local ok, data = self.cachestore:get("plugin_blacklist_" .. ele)
|
||||
local ok, data = self.cachestore:get("plugin_blacklist_" .. ngx.ctx.bw.server_name .. ele)
|
||||
if not ok then
|
||||
return false, data
|
||||
end
|
||||
|
@ -170,7 +170,7 @@ function blacklist:is_in_cache(ele)
|
|||
end
|
||||
|
||||
function blacklist:add_to_cache(ele, value)
|
||||
local ok, err = self.cachestore:set("plugin_blacklist_" .. ele, value, 86400)
|
||||
local ok, err = self.cachestore:set("plugin_blacklist_" .. ngx.ctx.bw.server_name .. ele, value, 86400)
|
||||
if not ok then
|
||||
return false, err
|
||||
end
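Review bot: The new cache key concatenates `ngx.ctx.bw.server_name` and `ele` with no separator, so two different (server, element) pairs can in principle produce the same key and share a cached verdict; the same pattern is introduced in the `country`, `greylist` and `whitelist` cache helpers. Put a character that is not valid in a server name between the two parts, e.g. `"plugin_blacklist_" .. ngx.ctx.bw.server_name .. "|" .. ele`. Where `server_name` is set is not visible here: if it can be `nil` the `..` raises an error, and if it is derived from the request's Host header the key space becomes client-influenced, so both are worth confirming. `is_in_cache` and `add_to_cache` continue outside the hunks.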
|
||||
|
|
|
@ -23,13 +23,13 @@ from Database import Database
|
|||
from logger import setup_logger
|
||||
from jobs import cache_file, cache_hash, is_cached_file, file_hash
|
||||
|
||||
rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE)
|
||||
rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE)
|
||||
asn_rx = re_compile(rb"^\d+$")
|
||||
uri_rx = re_compile(rb"^/")
|
||||
|
||||
|
||||
def check_line(kind: str, line: bytes) -> Tuple[bool, bytes]:
|
||||
if kind == "IP":
|
||||
if kind in ("IP", "IGNORE_IP"):
|
||||
if b"/" in line:
|
||||
with suppress(ValueError):
|
||||
ip_network(line.decode("utf-8"))
|
||||
|
@ -38,18 +38,18 @@ def check_line(kind: str, line: bytes) -> Tuple[bool, bytes]:
|
|||
with suppress(ValueError):
|
||||
ip_address(line.decode("utf-8"))
|
||||
return True, line
|
||||
elif kind == "RDNS":
|
||||
elif kind in ("RDNS", "IGNORE_RDNS"):
|
||||
if rdns_rx.match(line):
|
||||
return True, line.lower()
|
||||
elif kind == "ASN":
|
||||
elif kind in ("ASN", "IGNORE_ASN"):
|
||||
real_line = line.replace(b"AS", b"").replace(b"as", b"")
|
||||
if asn_rx.match(real_line):
|
||||
return True, real_line
|
||||
elif kind == "USER_AGENT":
|
||||
elif kind in ("USER_AGENT", "IGNORE_USER_AGENT"):
|
||||
return True, line.replace(b"\\ ", b" ").replace(b"\\.", b"%.").replace(
|
||||
b"\\\\", b"\\"
|
||||
).replace(b"-", b"%-")
|
||||
elif kind == "URI":
|
||||
elif kind in ("URI", "IGNORE_URI"):
|
||||
if uri_rx.match(line):
|
||||
return True, line
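Review bot: `rdns_rx` is relaxed from a hostname-shaped pattern to `^[^ ]+$`, so any space-free byte string from a downloaded list is now accepted as a reverse-DNS suffix, including control characters and pattern metacharacters. The `USER_AGENT` branch of `check_line` rewrites its entries (`%.`, `%-`), but the `RDNS` branch only lowercases the line, so if these suffixes are later used in pattern matching (not visible here) they would be interpreted rather than matched literally. A charset-bounded pattern such as `rb"^[a-z\d._\-]+$"` would drop the strict TLD rule without accepting arbitrary bytes. The same relaxation is made in the greylist and whitelist download jobs.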
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
"help": "List of reverse DNS suffixes, separated with spaces, to block.",
|
||||
"id": "blacklist-rdns",
|
||||
"label": "Blacklist reverse DNS",
|
||||
"regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$",
|
||||
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
|
||||
"type": "text"
|
||||
},
|
||||
"BLACKLIST_RDNS_URLS": {
|
||||
|
@ -138,7 +138,7 @@
|
|||
"help": "List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist.",
|
||||
"id": "blacklist-ignore-rdns",
|
||||
"label": "Blacklist ignore reverse DNS",
|
||||
"regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$",
|
||||
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
|
||||
"type": "text"
|
||||
},
|
||||
"BLACKLIST_IGNORE_RDNS_URLS": {
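Review bot: The new validation regex `^( *(([^ ]+)(?!.*\\3( |$))) *)*$` nests an unbounded `[^ ]+` inside a repeated group whose surrounding ` *` can match nothing, so a single token can be split across iterations in many ways and an input that fails the duplicate check can cause heavy backtracking; that matters if the regex runs on values submitted through the UI or API. The lookahead also lost the space that used to precede `\\3`, so an entry that is only a suffix of a later entry (for example `.com` before `.example.com`) now appears to be rejected as a duplicate. Requiring a real separator after each token addresses both, something like `^ *(?:([^ ]+)(?!.* \\1( |$))(?: +|$))*$` (untested against the consumers of this file). The same pattern is used for `blacklist-ignore-rdns` here and in the greylist and whitelist plugin.json files.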
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
{% if USE_CORS == "yes" +%}
|
||||
{% if CORS_ALLOW_ORIGIN != "" %}add_header Access-Control-Allow-Origin '{{ CORS_ALLOW_ORIGIN }}' always;{% endif %}
|
||||
{% if CORS_EXPOSE_HEADERS != "" %}add_header Access-Control-Expose-Headers '{{ CORS_EXPOSE_HEADERS }}' always;{% endif %}
|
||||
{% if CORS_ALLOW_CREDENTIALS != "no" %}add_header Access-Control-Allow-Credentials true always;{% endif %}
|
||||
{% endif %}
|
|
@ -1,12 +1,22 @@
|
|||
local class = require "middleclass"
|
||||
local plugin = require "bunkerweb.plugin"
|
||||
local utils = require "bunkerweb.utils"
|
||||
local class = require "middleclass"
|
||||
local plugin = require "bunkerweb.plugin"
|
||||
local utils = require "bunkerweb.utils"
|
||||
|
||||
local cors = class("cors", plugin)
|
||||
local cors = class("cors", plugin)
|
||||
|
||||
function cors:initialize()
|
||||
-- Call parent initialize
|
||||
plugin.initialize(self, "cors")
|
||||
self.all_headers = {
|
||||
["CORS_ALLOW_ORIGIN"] = "Access-Control-Allow-Origin",
|
||||
["CORS_EXPOSE_HEADERS"] = "Access-Control-Expose-Headers"
|
||||
}
|
||||
self.preflight_headers = {
|
||||
["CORS_MAX_AGE"] = "Access-Control-Max-Age",
|
||||
["CORS_ALLOW_CREDENTIALS"] = "Access-Control-Allow-Credentials",
|
||||
["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods",
|
||||
["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers"
|
||||
}
|
||||
end
|
||||
|
||||
function cors:header()
|
||||
|
@ -14,26 +24,40 @@ function cors:header()
|
|||
if self.variables["USE_CORS"] ~= "yes" then
|
||||
return self:ret(true, "service doesn't use CORS")
|
||||
end
|
||||
if ngx.ctx.bw.request_method ~= "OPTIONS" then
|
||||
return self:ret(true, "method is not OPTIONS")
|
||||
end
|
||||
-- Add headers
|
||||
local cors_headers = {
|
||||
["CORS_MAX_AGE"] = "Access-Control-Max-Age",
|
||||
["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods",
|
||||
["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers"
|
||||
}
|
||||
for variable, header in pairs(cors_headers) do
|
||||
local value = self.variables[variable]
|
||||
if value ~= "" then
|
||||
ngx.header[header] = value
|
||||
-- Standard headers
|
||||
for variable, header in pairs(self.all_headers) do
|
||||
if self.variables[variable] ~= "" then
|
||||
ngx.header[header] = self.variables[variable]
|
||||
end
|
||||
end
|
||||
ngx.header["Content-Type"] = "text/html"
|
||||
ngx.header["Content-Length"] = "0"
|
||||
|
||||
-- Send CORS policy with a 204 (no content) status
|
||||
return self:ret(true, "sent CORS policy")
|
||||
-- Preflight request
|
||||
if ngx.ctx.bw.request_method == "OPTIONS" then
|
||||
for variable, header in pairs(self.preflight_headers) do
|
||||
if variable == "CORS_ALLOW_CREDENTIALS" then
|
||||
if self.variables["CORS_ALLOW_CREDENTIALS"] == "yes" then
|
||||
ngx.header[header] = "true"
|
||||
end
|
||||
elseif self.variables[variable] ~= "" then
|
||||
ngx.header[header] = self.variables[variable]
|
||||
end
|
||||
end
|
||||
ngx.header["Content-Type"] = "text/html"
|
||||
ngx.header["Content-Length"] = "0"
|
||||
return self:ret(true, "edited headers for preflight request")
|
||||
end
|
||||
return self:ret(true, "edited headers for standard request")
|
||||
end
|
||||
|
||||
return cors
|
||||
function cors:access()
|
||||
-- Check if access is needed
|
||||
if self.variables["USE_CORS"] ~= "yes" then
|
||||
return self:ret(true, "service doesn't use CORS")
|
||||
end
|
||||
-- Send CORS policy with a 204 (no content) status
|
||||
if ngx.ctx.bw.request_method == "OPTIONS" then
|
||||
return self:ret(true, "preflight request", ngx.HTTP_NO_CONTENT)
|
||||
end
|
||||
return self:ret(true, "standard request")
|
||||
end
|
||||
|
||||
return cors
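Review bot: `Access-Control-Allow-Credentials` is listed only in `self.preflight_headers`, so as far as the new side can be read from this rendering `cors:header()` sets it on `OPTIONS` responses but not on the response to the actual request, whereas the removed template added it with `always` on every response. Browsers check that header on the real response as well, so credentialed cross-origin requests would be refused after this change. Handle `CORS_ALLOW_CREDENTIALS` in the standard-header path, keeping the `== "yes"` to `"true"` mapping, rather than inside the preflight loop. It would also be worth warning when `CORS_ALLOW_ORIGIN` is `*` together with credentials, and emitting `Vary: Origin` when a specific origin is returned.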
|
||||
|
|
|
@ -92,7 +92,7 @@ function country:preread()
|
|||
end
|
||||
|
||||
function country:is_in_cache(ip)
|
||||
local ok, data = self.cachestore:get("plugin_country_cache_" .. ip)
|
||||
local ok, data = self.cachestore:get("plugin_country_cache_" .. ngx.ctx.bw.server_name .. ip)
|
||||
if not ok then
|
||||
return false, data
|
||||
end
|
||||
|
@ -100,7 +100,7 @@ function country:is_in_cache(ip)
|
|||
end
|
||||
|
||||
function country:add_to_cache(ip, country, result)
|
||||
local ok, err = self.cachestore:set("plugin_country_cache_" .. ip, cjson.encode({country = country, result = result}), 86400)
|
||||
local ok, err = self.cachestore:set("plugin_country_cache_" .. ngx.ctx.bw.server_name .. ip, cjson.encode({country = country, result = result}), 86400)
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
{% set os_path = import("os.path") %}
|
||||
{% if USE_CUSTOM_SSL == "yes" and os_path.isfile("/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_"))) and os_path.isfile("/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_"))) +%}
|
||||
{% set cert_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_")) %}
|
||||
{% set key_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_")) %}
|
||||
|
||||
{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(cert_file_path) and os_path.isfile(key_file_path) +%}
|
||||
|
||||
# listen on HTTPS PORT
|
||||
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
|
||||
|
||||
# TLS config
|
||||
ssl_certificate {{ CUSTOM_SSL_CERT }};
|
||||
ssl_certificate_key {{ CUSTOM_SSL_KEY }};
|
||||
ssl_certificate {{ cert_file_path }};
|
||||
ssl_certificate_key {{ key_file_path }};
|
||||
ssl_protocols {{ SSL_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
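Review bot: `cert_file_path` and `key_file_path` are built by replacing `/` with `_` and are then written unquoted into `ssl_certificate` and `ssl_certificate_key`; the stream template that follows does the same. Two different source paths such as `/a/b_c` and `/a_b/c` map to the same cache file, and a setting value containing whitespace or `;` would change how nginx parses the directive. Quote the rendered values, e.g. `ssl_certificate "{{ cert_file_path }}";`, and confirm that the setting's validation regex (not visible here) restricts the allowed characters.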
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
{% set os_path = import("os.path") %}
|
||||
{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(CUSTOM_SSL_CERT) and os_path.isfile(CUSTOM_SSL_KEY) +%}
|
||||
{% set cert_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_")) %}
|
||||
{% set key_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_")) %}
|
||||
|
||||
{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(cert_file_path) and os_path.isfile(key_file_path) +%}
|
||||
|
||||
# listen
|
||||
listen 0.0.0.0:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% endif %}{% if USE_PROXY_PROTOCOL == "yes" %} proxy_protocol {% endif %};
|
||||
|
||||
# TLS config
|
||||
ssl_certificate {{ CUSTOM_SSL_CERT }};
|
||||
ssl_certificate_key {{ CUSTOM_SSL_KEY }};
|
||||
ssl_certificate {{ cert_file_path }};
|
||||
ssl_certificate_key {{ key_file_path }};
|
||||
ssl_protocols {{ SSL_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
from os import getenv
|
||||
from os.path import basename
|
||||
from pathlib import Path
|
||||
from shutil import copy
|
||||
from sys import exit as sys_exit, path as sys_path
|
||||
|
@ -85,7 +86,7 @@ def check_cert(cert_path, key_path, first_server: Optional[str] = None) -> bool:
|
|||
err = db.update_job_cache(
|
||||
"custom-cert",
|
||||
first_server,
|
||||
key_cache_path.replace(".hash", "").split("/")[-1],
|
||||
basename(key_cache_path.replace(".hash", "")),
|
||||
Path(key_path).read_bytes(),
|
||||
checksum=key_hash,
|
||||
)
|
||||
|
@ -99,7 +100,7 @@ def check_cert(cert_path, key_path, first_server: Optional[str] = None) -> bool:
|
|||
err = db.update_job_cache(
|
||||
"custom-cert",
|
||||
first_server,
|
||||
cert_cache_path.replace(".hash", "").split("/")[-1],
|
||||
basename(cert_cache_path.replace(".hash", "")),
|
||||
Path(cert_path).read_bytes(),
|
||||
checksum=cert_hash,
|
||||
)
|
||||
|
|
|
@ -231,7 +231,7 @@ function greylist:is_greylisted_ua()
|
|||
end
|
||||
|
||||
function greylist:is_in_cache(ele)
|
||||
local ok, data = self.cachestore:get("plugin_greylist_" .. ele)
|
||||
local ok, data = self.cachestore:get("plugin_greylist_" .. ngx.ctx.bw.server_name .. ele)
|
||||
if not ok then
|
||||
return false, data
|
||||
end
|
||||
|
@ -239,7 +239,7 @@ function greylist:is_in_cache(ele)
|
|||
end
|
||||
|
||||
function greylist:add_to_cache(ele, value)
|
||||
local ok, err = self.cachestore:set("plugin_greylist_" .. ele, value, 86400)
|
||||
local ok, err = self.cachestore:set("plugin_greylist_" .. ngx.ctx.bw.server_name .. ele, value, 86400)
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
|
|
|
@ -23,7 +23,7 @@ from Database import Database
|
|||
from logger import setup_logger
|
||||
from jobs import cache_file, cache_hash, is_cached_file, file_hash
|
||||
|
||||
rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE)
|
||||
rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE)
|
||||
asn_rx = re_compile(rb"^\d+$")
|
||||
uri_rx = re_compile(rb"^/")
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
"help": "List of reverse DNS suffixes, separated with spaces, to put into the greylist.",
|
||||
"id": "greylist-rdns",
|
||||
"label": "Greylist reverse DNS",
|
||||
"regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$",
|
||||
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
|
||||
"type": "text"
|
||||
},
|
||||
"GREYLIST_RDNS_URLS": {
|
||||
|
|
|
@ -27,7 +27,7 @@ try:
|
|||
|
||||
if current_version != latest_version:
|
||||
logger.warning(
|
||||
f"\n\n🚨 A new version of BunkerWeb is available: {latest_version} (current: {current_version}) 🚨\n\n",
|
||||
f"* \n* \n* 🚨 A new version of BunkerWeb is available: {latest_version} (current: {current_version}) 🚨\n* \n* ",
|
||||
)
|
||||
except:
|
||||
status = 2
|
||||
|
|
|
@ -64,8 +64,9 @@ try:
|
|||
logger.info("RealIP is not activated, skipping download...")
|
||||
_exit(0)
|
||||
|
||||
# Create directory if it doesn't exist
|
||||
# Create directories if they don't exist
|
||||
Path("/var/cache/bunkerweb/realip").mkdir(parents=True, exist_ok=True)
|
||||
Path("/var/tmp/bunkerweb/realip").mkdir(parents=True, exist_ok=True)
|
||||
|
||||
db = Database(
|
||||
logger,
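Review bot: The added `Path("/var/tmp/bunkerweb/realip").mkdir(parents=True, exist_ok=True)` creates a fixed path under `/var/tmp`, which is normally world-writable, and `exist_ok=True` accepts whatever already exists there. If `/var/tmp/bunkerweb` is not pre-created with restricted ownership by the package or image (not visible here), another local user could create it first and control the files the job later reads or writes. Prefer a directory the service owns, or create a private one with `tempfile.mkdtemp()`, and check ownership and mode before use. The surrounding `try:` block starts and ends outside the hunk.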
|
||||
|
|
|
@ -23,7 +23,7 @@ from Database import Database
|
|||
from logger import setup_logger
|
||||
from jobs import cache_file, cache_hash, is_cached_file, file_hash
|
||||
|
||||
rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE)
|
||||
rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE)
|
||||
asn_rx = re_compile(rb"^\d+$")
|
||||
uri_rx = re_compile(rb"^/")
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
"help": "List of reverse DNS suffixes, separated with spaces, to whitelist.",
|
||||
"id": "whitelist-rdns",
|
||||
"label": "Whitelist reverse DNS",
|
||||
"regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$",
|
||||
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
|
||||
"type": "text"
|
||||
},
|
||||
"WHITELIST_RDNS_URLS": {
|
||||
|
|
|
@ -189,7 +189,7 @@ function whitelist:check_cache()
|
|||
end
|
||||
|
||||
function whitelist:is_in_cache(ele)
|
||||
local ok, data = self.cachestore:get("plugin_whitelist_" .. ele)
|
||||
local ok, data = self.cachestore:get("plugin_whitelist_" .. ngx.ctx.bw.server_name .. ele)
|
||||
if not ok then
|
||||
return false, data
|
||||
end
|
||||
|
@ -197,7 +197,7 @@ function whitelist:is_in_cache(ele)
|
|||
end
|
||||
|
||||
function whitelist:add_to_cache(ele, value)
|
||||
local ok, err = self.cachestore:set("plugin_whitelist_" .. ele, value, 86400)
|
||||
local ok, err = self.cachestore:set("plugin_whitelist_" .. ngx.ctx.bw.server_name .. ele, value, 86400)
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
docker==6.0.1
|
||||
docker==6.1.1
|
||||
kubernetes==26.1.0
|
||||
jinja2==3.1.2
|
||||
python-dotenv==1.0.0
|
||||
requests==2.29.0
|
||||
redis==4.5.4
|
||||
requests==2.30.0
|
||||
redis==4.5.5
|
||||
|
|
|
@ -12,9 +12,9 @@ cachetools==5.3.0 \
|
|||
--hash=sha256:13dfddc7b8df938c21a940dfa6557ce6e94a2f1cdfa58eb90c805721d58f2c14 \
|
||||
--hash=sha256:429e1a1e845c008ea6c85aa35d4b98b65d6a9763eeef3e37e92728a12d1de9d4
|
||||
# via google-auth
|
||||
certifi==2022.12.7 \
|
||||
--hash=sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3 \
|
||||
--hash=sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18
|
||||
certifi==2023.5.7 \
|
||||
--hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \
|
||||
--hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716
|
||||
# via
|
||||
# kubernetes
|
||||
# requests
|
||||
|
@ -95,9 +95,9 @@ charset-normalizer==3.1.0 \
|
|||
--hash=sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df \
|
||||
--hash=sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab
|
||||
# via requests
|
||||
docker==6.0.1 \
|
||||
--hash=sha256:896c4282e5c7af5c45e8b683b0b0c33932974fe6e50fc6906a0a83616ab3da97 \
|
||||
--hash=sha256:dbcb3bd2fa80dca0788ed908218bf43972772009b881ed1e20dfc29a65e49782
|
||||
docker==6.1.1 \
|
||||
--hash=sha256:5ec18b9c49d48ee145a5b5824bb126dc32fc77931e18444783fc07a7724badc0 \
|
||||
--hash=sha256:8308b23d3d0982c74f7aa0a3abd774898c0c4fba006e9c3bde4f68354e470fe2
|
||||
# via -r requirements.in
|
||||
google-auth==2.17.3 \
|
||||
--hash=sha256:ce311e2bc58b130fddf316df57c9b3943c2a7b4f6ec31de9663a9333e4064efc \
|
||||
|
@ -235,13 +235,13 @@ pyyaml==6.0 \
|
|||
--hash=sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174 \
|
||||
--hash=sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5
|
||||
# via kubernetes
|
||||
redis==4.5.4 \
|
||||
--hash=sha256:2c19e6767c474f2e85167909061d525ed65bea9301c0770bb151e041b7ac89a2 \
|
||||
--hash=sha256:73ec35da4da267d6847e47f68730fdd5f62e2ca69e3ef5885c6a78a9374c3893
|
||||
redis==4.5.5 \
|
||||
--hash=sha256:77929bc7f5dab9adf3acba2d3bb7d7658f1e0c2f1cafe7eb36434e751c471119 \
|
||||
--hash=sha256:dc87a0bdef6c8bfe1ef1e1c40be7034390c2ae02d92dcd0c7ca1729443899880
|
||||
# via -r requirements.in
|
||||
requests==2.29.0 \
|
||||
--hash=sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b \
|
||||
--hash=sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059
|
||||
requests==2.30.0 \
|
||||
--hash=sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294 \
|
||||
--hash=sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4
|
||||
# via
|
||||
# -r requirements.in
|
||||
# docker
|
||||
|
@ -262,9 +262,9 @@ six==1.16.0 \
|
|||
# google-auth
|
||||
# kubernetes
|
||||
# python-dateutil
|
||||
urllib3==1.26.15 \
|
||||
--hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \
|
||||
--hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42
|
||||
urllib3==2.0.2 \
|
||||
--hash=sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc \
|
||||
--hash=sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e
|
||||
# via
|
||||
# docker
|
||||
# kubernetes
|
||||
|
|
|
@ -33,6 +33,7 @@ RUN dnf install -y python39-pip brotli brotli-devel wget gperftools-devel perl l
|
|||
chmod +x /tmp/bunkerweb/deps/install.sh && \
|
||||
bash /tmp/bunkerweb/deps/install.sh && \
|
||||
mkdir /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
|
||||
|
||||
#RUN pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
|
||||
|
|
|
@ -37,6 +37,7 @@ RUN apt update && \
|
|||
chmod +x /tmp/bunkerweb/deps/install.sh && \
|
||||
bash /tmp/bunkerweb/deps/install.sh && \
|
||||
mkdir /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
|
||||
|
||||
# Dirty fix to avoid errors with --target and packages same namespace
|
||||
|
|
|
@ -31,6 +31,7 @@ RUN dnf install -y python3-pip brotli brotli-devel gperftools-devel perl libxslt
|
|||
chmod +x /tmp/bunkerweb/deps/install.sh && \
|
||||
bash /tmp/bunkerweb/deps/install.sh && \
|
||||
mkdir /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
|
||||
# Dirty fix to avoid errors with --target and packages same namespace
|
||||
#cp -r /usr/lib64/python3.10/* /usr/lib/python3.10/ && \
|
||||
|
|
|
@ -5,7 +5,7 @@ ENV NGINX_VERSION 1.24.0
|
|||
|
||||
# Copy centos repo
|
||||
COPY src/linux/centos.repo /etc/yum.repos.d/centos.repo
|
||||
RUN sed -i "s/%ARCH%/$(uname -m)/g" src/linux/centos.repo /etc/yum.repos.d/centos.repo
|
||||
RUN sed -i "s/%ARCH%/$(uname -m)/g" /etc/yum.repos.d/centos.repo
|
||||
|
||||
# Copy RPM-GPG-KEY-CentOS-Official
|
||||
COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
|
||||
|
@ -23,9 +23,9 @@ RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build wget &&
|
|||
# Nginx
|
||||
COPY src/linux/nginx.repo /etc/yum.repos.d/nginx.repo
|
||||
RUN dnf install yum-utils -y && \
|
||||
wget https://nginx.org/packages/rhel/8/x86_64/RPMS/nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm && \
|
||||
dnf install nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm -y && \
|
||||
rm -rf nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm
|
||||
wget https://nginx.org/packages/rhel/8/$(uname -m)/RPMS/nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm && \
|
||||
dnf install nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm -y && \
|
||||
rm -rf nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm
|
||||
|
||||
# Copy dependencies sources folder
|
||||
COPY src/deps /tmp/bunkerweb/deps
|
||||
|
@ -46,6 +46,7 @@ RUN dnf install -y readline-devel python39-pip brotli brotli-devel gperftools-de
|
|||
chmod +x /tmp/bunkerweb/deps/install.sh && \
|
||||
bash /tmp/bunkerweb/deps/install.sh && \
|
||||
mkdir /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
|
||||
|
||||
#RUN pip3.10 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
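Review bot: The Nginx step in the second hunk installs an RPM that is fetched with `wget` and passed to `dnf install` as a local file, and nothing in the visible lines checks its signature or digest. dnf does not GPG-check local package files unless `localpkg_gpgcheck` is enabled, so HTTPS to nginx.org is the only integrity control on a package installed as root. Because the file name now depends on `$(uname -m)`, a fixed per-architecture checksum is awkward; the simpler route is to let the repository already copied to `/etc/yum.repos.d/nginx.repo` resolve it with `dnf install -y "nginx-${NGINX_VERSION}-1.el8.ngx"`, assuming that repo file sets `gpgcheck=1` (not visible here). If the direct download has to stay, import the nginx signing key and run `rpm -K` on the file before installing it.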
|
||||
|
|
|
@ -37,6 +37,7 @@ RUN apt update && \
|
|||
chmod +x /tmp/bunkerweb/deps/install.sh && \
|
||||
bash /tmp/bunkerweb/deps/install.sh && \
|
||||
mkdir /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
|
||||
|
||||
# Copy files
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
--name bunkerweb
|
||||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture amd64
|
||||
--architecture %ARCH%
|
||||
--depends bash --depends python3 --depends procps --depends python3-pip --depends 'nginx = 1.24.0-1~bullseye' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends lsof
|
||||
--description "BunkerWeb %VERSION% for Debian 11"
|
||||
--url "https://www.bunkerweb.io"
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
--name bunkerweb
|
||||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture x86_64
|
||||
--depends bash --depends python3 --depends 'nginx = 1:1.24.0-1.fc37' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream
|
||||
--architecture %ARCH%
|
||||
--depends bash --depends python3 --depends 'nginx = 1:1.24.0-1.fc38' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream --depends pcre
|
||||
--description "BunkerWeb %VERSION% for Fedora 38"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
--name bunkerweb
|
||||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture x86_64
|
||||
--architecture %ARCH%
|
||||
--depends bash --depends python39 --depends 'nginx = 1:1.24.0-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends file-libs --depends net-tools --depends gd --depends sudo --depends procps --depends lsof --depends geoip
|
||||
--description "BunkerWeb %VERSION% for Rhel 8"
|
||||
--description "BunkerWeb %VERSION% for RHEL 8"
|
||||
--url "https://www.bunkerweb.io"
|
||||
--maintainer "Bunkerity <contact at bunkerity dot com>"
|
||||
--before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
--name bunkerweb
|
||||
--license agpl3
|
||||
--version %VERSION%
|
||||
--architecture %ARCH%
|
||||
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.24.0-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends procps --depends lsof
|
||||
--description "BunkerWeb %VERSION% for Ubuntu 22.04"
|
||||
--url "https://www.bunkerweb.io"
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
VERSION="$(cat /usr/share/bunkerweb/VERSION | tr -d '\n')"
|
||||
ARCH="$(uname -m)"
|
||||
sed -i "s/%VERSION%/${VERSION}/g" .fpm
|
||||
sed -i "s/%ARCH%/${ARCH}/g" .fpm
|
||||
|
||||
fpm -t "$1" -p "/data/bunkerweb.$1"
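Review bot: Neither substitution is checked before `fpm` runs. If `/usr/share/bunkerweb/VERSION` is missing or a `sed` fails, the script still builds, with an empty version or a literal `%ARCH%` left in `.fpm`. Adding `set -euo pipefail` directly under the shebang stops at the first failure and also catches a missing `$1`. `VERSION` is pasted into the sed expression unescaped, so a `/` or `&` in that file would corrupt the replacement; a comment above the `sed` lines stating the expected version format would make that assumption explicit.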
|
|
@ -15,12 +15,17 @@ function do_and_check_cmd() {
|
|||
return 0
|
||||
}
|
||||
|
||||
# Check arg
|
||||
# Check args
|
||||
if [ "$1" = "" ] ; then
|
||||
echo "❌ Missing distro arg"
|
||||
exit 1
|
||||
fi
|
||||
linux="$1"
|
||||
if [ "$2" = "" ] ; then
|
||||
echo "❌ Missing arch arg"
|
||||
exit 1
|
||||
fi
|
||||
arch="$2"
|
||||
|
||||
# Create empty directory
|
||||
package_dir="${PWD}/package-$linux"
|
||||
|
@ -30,15 +35,18 @@ fi
|
|||
do_and_check_cmd mkdir "$package_dir"
|
||||
|
||||
# Generate package
|
||||
version="$(cat src/VERSION | tr -d '\n')"
|
||||
version="$3"
|
||||
if [ -f "src/VERSION" ] ; then
|
||||
version="$(cat src/VERSION | tr -d '\n')"
|
||||
fi
|
||||
type="deb"
|
||||
if [ "$linux" = "fedora" ] || [ "$linux" = "centos" ] || [ "$linux" = "rhel" ] ; then
|
||||
type="rpm"
|
||||
fi
|
||||
do_and_check_cmd docker run --rm -v "${package_dir}:/data" "local/bunkerweb-${linux}:latest" "$type"
|
||||
name="bunkerweb_${version}-1_amd64"
|
||||
name="bunkerweb_${version}-1_${arch}"
|
||||
if [ "$type" = "rpm" ] ; then
|
||||
name="bunkerweb-${version}-1.x86_64"
|
||||
name="bunkerweb-${version}-1.${arch}"
|
||||
fi
|
||||
do_and_check_cmd mv "${package_dir}/bunkerweb.$type" "${package_dir}/${name}.${type}"
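Review bot: `version` is the only one of the three inputs that is not validated. `$3` is taken unchecked and then overwritten whenever `src/VERSION` exists, so when the file is absent and no third argument is given the name becomes `bunkerweb_-1_${arch}` and the final `mv` renames the artifact to a file with no version in it. A guard in the style of the `$1`/`$2` checks closes that: `if [ -z "$version" ] ; then echo "❌ Missing version" ; exit 1 ; fi`. If the argument is meant to override the file rather than act as a fallback, the two assignments should be swapped; either way a comment above `version="$3"` stating the precedence would help. The script continues outside both hunks.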
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev
|
|||
pip install --no-cache-dir --upgrade pip && \
|
||||
pip install wheel && \
|
||||
mkdir -p /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
pip install --no-cache-dir gunicorn && \
|
||||
apk del .build-deps
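Review bot: The hash-locked install is followed by `pip install --no-cache-dir gunicorn`, which has neither a version pin nor a hash, so the image takes whatever the index serves at build time. `pip install --upgrade pip` and `pip install wheel` earlier in the same RUN are in the same position, which undercuts the `--require-hashes` guarantee for code that runs as root during the build. Moving gunicorn into `requirements.in` so it lands in the hashed `requirements.txt` removes the extra line; failing that, pin it as `pip install --no-cache-dir "gunicorn==<pinned version>"`. The same unpinned `pip`/`wheel` lines appear in the UI Dockerfile section further down the page. The RUN instruction starts outside this hunk.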
|
||||
|
|
|
@ -12,9 +12,9 @@ certbot==2.5.0 \
|
|||
--hash=sha256:76e6e5305021d3ee54c42fc471f8f0ed5dba790e6fd7fef6713060b0e42b97d7 \
|
||||
--hash=sha256:a2d730753124508effe79f648264f5cab4d1e9120acfd695a4a0c2b7bab4a966
|
||||
# via -r requirements.in
|
||||
certifi==2022.12.7 \
|
||||
--hash=sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3 \
|
||||
--hash=sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18
|
||||
certifi==2023.5.7 \
|
||||
--hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \
|
||||
--hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716
|
||||
# via requests
|
||||
cffi==1.15.1 \
|
||||
--hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \
|
||||
|
@ -236,9 +236,9 @@ pytz==2023.3 \
|
|||
# acme
|
||||
# certbot
|
||||
# pyrfc3339
|
||||
requests==2.29.0 \
|
||||
--hash=sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b \
|
||||
--hash=sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059
|
||||
requests==2.30.0 \
|
||||
--hash=sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294 \
|
||||
--hash=sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4
|
||||
# via acme
|
||||
schedule==1.2.0 \
|
||||
--hash=sha256:415908febaba0bc9a7c727a32efb407d646fe994367ef9157d123aabbe539ea8 \
|
||||
|
@ -248,9 +248,9 @@ six==1.16.0 \
|
|||
--hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
|
||||
--hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
|
||||
# via configobj
|
||||
urllib3==1.26.15 \
|
||||
--hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \
|
||||
--hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42
|
||||
urllib3==2.0.2 \
|
||||
--hash=sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc \
|
||||
--hash=sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e
|
||||
# via requests
|
||||
|
||||
# The following packages are considered to be unsafe in a requirements file:
|
||||
|
|
|
@ -1,66 +1,67 @@
|
|||
FROM python:3.11.3-alpine
|
||||
|
||||
# Copy python requirements
|
||||
COPY src/ui/requirements.txt /tmp/req/requirements.txt
|
||||
COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.1
|
||||
COPY src/common/db/requirements.txt /tmp/req/requirements.txt.2
|
||||
|
||||
RUN mkdir -p /usr/share/bunkerweb/deps && \
|
||||
cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
rm -rf /tmp/req
|
||||
|
||||
# Install python requirements
|
||||
RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo file make postgresql-dev && \
|
||||
pip install --no-cache-dir --upgrade pip && \
|
||||
pip install wheel && \
|
||||
mkdir -p /usr/share/bunkerweb/deps/python && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
apk del .build-deps
|
||||
|
||||
# Copy files
|
||||
# can't exclude specific files/dir from . so we are copying everything by hand
|
||||
COPY src/common/api /usr/share/bunkerweb/api
|
||||
COPY src/common/db /usr/share/bunkerweb/db
|
||||
COPY src/common/core /usr/share/bunkerweb/core
|
||||
COPY src/common/gen /usr/share/bunkerweb/gen
|
||||
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
|
||||
COPY src/common/utils /usr/share/bunkerweb/utils
|
||||
COPY src/ui /usr/share/bunkerweb/ui
|
||||
COPY src/VERSION /usr/share/bunkerweb/VERSION
|
||||
|
||||
# Add ui user
|
||||
RUN apk add --no-cache bash && \
|
||||
addgroup -g 101 ui && \
|
||||
adduser -h /var/cache/nginx -g ui -s /bin/sh -G ui -D -H -u 101 ui && \
|
||||
echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
|
||||
mkdir -p /var/tmp/bunkerweb && \
|
||||
mkdir -p /etc/bunkerweb && \
|
||||
mkdir -p /data/cache && ln -s /data/cache /var/cache/bunkerweb && \
|
||||
mkdir -p /data/lib && ln -s /data/lib /var/lib/bunkerweb && \
|
||||
mkdir -p /var/log/nginx/ && touch /var/log/nginx/ui.log && \
|
||||
for dir in $(echo "configs plugins") ; do mkdir -p "/data/${dir}" && ln -s "/data/${dir}" "/etc/bunkerweb/${dir}" ; done && \
|
||||
for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir "/data/${dir}" ; done && \
|
||||
chown -R root:ui /data && \
|
||||
chmod -R 770 /data && \
|
||||
chown -R root:ui /usr/share/bunkerweb /var/cache/bunkerweb /var/lib/bunkerweb /etc/bunkerweb /var/tmp/bunkerweb /var/log/nginx && \
|
||||
for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type f -exec chmod 0740 {} \; ; done && \
|
||||
for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type d -exec chmod 0750 {} \; ; done && \
|
||||
chmod 770 /var/cache/bunkerweb /var/lib/bunkerweb /var/tmp/bunkerweb /var/log/nginx/ui.log && \
|
||||
chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
|
||||
chmod 660 /usr/share/bunkerweb/INTEGRATION
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
EXPOSE 7000
|
||||
|
||||
WORKDIR /usr/share/bunkerweb/ui
|
||||
|
||||
USER ui:ui
|
||||
|
||||
HEALTHCHECK --interval=10s --timeout=10s --start-period=30s --retries=6 CMD /usr/share/bunkerweb/helpers/healthcheck-ui.sh
|
||||
|
||||
ENV PYTHONPATH /usr/share/bunkerweb/deps/python
|
||||
FROM python:3.11.3-alpine
|
||||
|
||||
# Copy python requirements
|
||||
COPY src/ui/requirements.txt /tmp/req/requirements.txt
|
||||
COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.1
|
||||
COPY src/common/db/requirements.txt /tmp/req/requirements.txt.2
|
||||
|
||||
RUN mkdir -p /usr/share/bunkerweb/deps && \
|
||||
cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
rm -rf /tmp/req
|
||||
|
||||
# Install python requirements
|
||||
RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo file make postgresql-dev && \
|
||||
pip install --no-cache-dir --upgrade pip && \
|
||||
pip install wheel && \
|
||||
mkdir -p /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
apk del .build-deps
|
||||
|
||||
# Copy files
|
||||
# can't exclude specific files/dir from . so we are copying everything by hand
|
||||
COPY src/common/api /usr/share/bunkerweb/api
|
||||
COPY src/common/db /usr/share/bunkerweb/db
|
||||
COPY src/common/core /usr/share/bunkerweb/core
|
||||
COPY src/common/gen /usr/share/bunkerweb/gen
|
||||
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
|
||||
COPY src/common/utils /usr/share/bunkerweb/utils
|
||||
COPY src/ui /usr/share/bunkerweb/ui
|
||||
COPY src/VERSION /usr/share/bunkerweb/VERSION
|
||||
|
||||
# Add ui user
|
||||
RUN apk add --no-cache bash && \
|
||||
addgroup -g 101 ui && \
|
||||
adduser -h /var/cache/nginx -g ui -s /bin/sh -G ui -D -H -u 101 ui && \
|
||||
echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
|
||||
mkdir -p /var/tmp/bunkerweb && \
|
||||
mkdir -p /etc/bunkerweb && \
|
||||
mkdir -p /data/cache && ln -s /data/cache /var/cache/bunkerweb && \
|
||||
mkdir -p /data/lib && ln -s /data/lib /var/lib/bunkerweb && \
|
||||
mkdir -p /var/log/nginx/ && touch /var/log/nginx/ui.log && \
|
||||
for dir in $(echo "configs plugins") ; do mkdir -p "/data/${dir}" && ln -s "/data/${dir}" "/etc/bunkerweb/${dir}" ; done && \
|
||||
for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir "/data/${dir}" ; done && \
|
||||
chown -R root:ui /data && \
|
||||
chmod -R 770 /data && \
|
||||
chown -R root:ui /usr/share/bunkerweb /var/cache/bunkerweb /var/lib/bunkerweb /etc/bunkerweb /var/tmp/bunkerweb /var/log/nginx && \
|
||||
for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type f -exec chmod 0740 {} \; ; done && \
|
||||
for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type d -exec chmod 0750 {} \; ; done && \
|
||||
chmod 770 /var/cache/bunkerweb /var/lib/bunkerweb /var/tmp/bunkerweb /var/log/nginx/ui.log && \
|
||||
chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
|
||||
chmod 660 /usr/share/bunkerweb/INTEGRATION
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"
|
||||
|
||||
VOLUME /data /etc/nginx
|
||||
|
||||
EXPOSE 7000
|
||||
|
||||
WORKDIR /usr/share/bunkerweb/ui
|
||||
|
||||
USER ui:ui
|
||||
|
||||
HEALTHCHECK --interval=10s --timeout=10s --start-period=30s --retries=6 CMD /usr/share/bunkerweb/helpers/healthcheck-ui.sh
|
||||
|
||||
ENV PYTHONPATH /usr/share/bunkerweb/deps/python
|
||||
CMD ["python3", "-m", "gunicorn", "--user", "ui", "--group", "ui", "main:app", "--worker-class", "gevent", "--bind", "0.0.0.0:7000", "--graceful-timeout", "0", "--access-logfile", "-", "--error-logfile", "-"]
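Review bot: The HEALTHCHECK calls `/usr/share/bunkerweb/helpers/healthcheck-ui.sh`, but none of the COPY lines shown for this file puts anything under `/usr/share/bunkerweb/helpers`. As displayed, the probe would fail on every run and the container would be reported unhealthy once the six retries are used up. If the script is not delivered some other way, add `COPY <helpers source dir> /usr/share/bunkerweb/helpers` next to the other COPY lines. It would also need to be added to the `chmod 750` list, because the blanket `chmod 0740` leaves group `ui` without execute permission and the probe runs as `ui:ui`.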
|
|
@ -1,4 +1,4 @@
|
|||
Flask==2.3.1
|
||||
Flask==2.3.2
|
||||
Flask_Login==0.6.2
|
||||
Flask_WTF==1.1.1
|
||||
beautifulsoup4==4.12.2
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# This file is autogenerated by pip-compile with Python 3.11
|
||||
# This file is autogenerated by pip-compile with Python 3.9
|
||||
# by the following command:
|
||||
#
|
||||
# pip-compile --allow-unsafe --generate-hashes --resolver=backtracking
|
||||
|
@ -39,9 +39,9 @@ click==8.1.3 \
|
|||
--hash=sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e \
|
||||
--hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48
|
||||
# via flask
|
||||
flask==2.3.1 \
|
||||
--hash=sha256:8ba2a854608fdd603b67dccd4514a46450132227fb9df40127a8d0c1de8769ec \
|
||||
--hash=sha256:a6059db4297106e5a64b3215fa16ae641822c1cb97ecb498573549b2478602cb
|
||||
flask==2.3.2 \
|
||||
--hash=sha256:77fd4e1249d8c9923de34907236b747ced06e5467ecac1a7bb7115ae0e9670b0 \
|
||||
--hash=sha256:8c2f9abd47a9e8df7f0c3f091ce9497d011dc3b31effcf4c85a6e2b50f4114ef
|
||||
# via
|
||||
# -r requirements.in
|
||||
# flask-login
|
||||
|
@ -174,6 +174,10 @@ gunicorn==20.1.0 \
|
|||
--hash=sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e \
|
||||
--hash=sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8
|
||||
# via -r requirements.in
|
||||
importlib-metadata==6.6.0 \
|
||||
--hash=sha256:43dd286a2cd8995d5eaef7fee2066340423b818ed3fd70adf0bad5f1fac53fed \
|
||||
--hash=sha256:92501cdf9cc66ebd3e612f1b4f0c0765dfa42f0fa38ffb319b6bd84dd675d705
|
||||
# via flask
|
||||
itsdangerous==2.1.2 \
|
||||
--hash=sha256:2c2349112351b88699d8d4b6b075022c0808887cb7ad10069318a8b0bc88db44 \
|
||||
--hash=sha256:5dbbc68b317e5e42f327f9021763545dc3fc3bfe22e6deb96aaf1fc38874156a
|
||||
|
@ -341,9 +345,9 @@ soupsieve==2.4.1 \
|
|||
--hash=sha256:1c1bfee6819544a3447586c889157365a27e10d88cde3ad3da0cf0ddf646feb8 \
|
||||
--hash=sha256:89d12b2d5dfcd2c9e8c22326da9d9aa9cb3dfab0a83a024f05704076ee8d35ea
|
||||
# via beautifulsoup4
|
||||
werkzeug==2.3.3 \
|
||||
--hash=sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a \
|
||||
--hash=sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091
|
||||
werkzeug==2.3.4 \
|
||||
--hash=sha256:1d5a58e0377d1fe39d061a5de4469e414e78ccb1e1e59c0f5ad6fa1c36c52b76 \
|
||||
--hash=sha256:48e5e61472fee0ddee27ebad085614ebedb7af41e88f687aaf881afb723a162f
|
||||
# via
|
||||
# flask
|
||||
# flask-login
|
||||
|
@ -351,6 +355,10 @@ wtforms==3.0.1 \
|
|||
--hash=sha256:6b351bbb12dd58af57ffef05bc78425d08d1914e0fd68ee14143b7ade023c5bc \
|
||||
--hash=sha256:837f2f0e0ca79481b92884962b914eba4e72b7a2daaf1f939c890ed0124b834b
|
||||
# via flask-wtf
|
||||
zipp==3.15.0 \
|
||||
--hash=sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b \
|
||||
--hash=sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556
|
||||
# via importlib-metadata
|
||||
zope-event==4.6 \
|
||||
--hash=sha256:73d9e3ef750cca14816a9c322c7250b0d7c9dbc337df5d1b807ff8d3d0b9e97c \
|
||||
--hash=sha256:81d98813046fc86cc4136e3698fee628a3282f9c320db18658c21749235fce80
|
||||
|
|
|
@ -4,7 +4,7 @@ ENV NGINX_VERSION 1.24.0
|
|||
|
||||
# Copy centos repo
|
||||
COPY src/linux/centos.repo /etc/yum.repos.d/centos.repo
|
||||
RUN sed -i "s/%ARCH%/$(uname -m)/g" src/linux/centos.repo /etc/yum.repos.d/centos.repo
|
||||
RUN sed -i "s/%ARCH%/$(uname -m)/g" /etc/yum.repos.d/centos.repo
|
||||
|
||||
# Copy RPM-GPG-KEY-CentOS-Official
|
||||
COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
selenium==4.9.0
|
||||
requests==2.29.0
|
||||
selenium==4.9.1
|
||||
requests==2.30.0
|
||||
|
|