Merge branch 'dev' into ui

BlasenhauerJ 2023-06-19 21:34:14 +02:00
commit 91c33f1d43
260 changed files with 2365 additions and 2149 deletions


@ -11,10 +11,18 @@
- [BUGFIX] ALLOWED_METHODS regex working with LOCK/UNLOCK methods
- [BUGFIX] Custom certificate bug after the refactoring
- [BUGFIX] Fix wrong variables in header phase (fix CORS feature too)
- [BUGFIX] Fix UI not working in Ubuntu (python zope module)
- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
- [PERFORMANCE] Reduce CPU usage of scheduler
- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
- [FEATURE] Add Turnstile antibot mode
- [FEATURE] Add more CORS headers
- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
- [MISC] Temp remove VMWare provider for Vagrant integration
- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI
## v1.5.0 - 2023/05/23


@ -1,5 +1,5 @@
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/misc/logo.png" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/misc/logo.png" />
</p>
<p align="center">
@ -17,7 +17,7 @@
&#124;
👨‍💻 <a href="https://demo.bunkerweb.io">Demo</a>
&#124;
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples">Examples</a>
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples">Examples</a>
&#124;
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
&#124;
@ -33,14 +33,14 @@
# BunkerWeb
<p align="center">
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/intro-overview.svg" />
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.0/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.1/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.0/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.0/plugins/)).
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.1/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.1/plugins/)).
## Why BunkerWeb ?
@ -64,7 +64,7 @@ A non-exhaustive list of security features :
- **Block known bad IPs** with external blacklists and DNSBL
- And much more ...
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.0/security-tuning/) section of the documentation.
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.1/security-tuning/) section of the documentation.
## Demo
@ -77,10 +77,10 @@ A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](http
# Concepts
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/concepts.svg" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.0/concepts).
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.1/concepts).
## Integrations
@ -88,13 +88,13 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
- [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.0/integrations/#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant)
- [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.1/integrations/#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant)
## Settings
@ -126,7 +126,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.0/plugins)), you can use custom configurations to solve your specific challenges.
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.1/plugins)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
@ -160,7 +160,7 @@ In other words, the scheduler is the brain of BunkerWeb.
## Docker
<p align="center">
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-docker.svg" />
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-docker.svg" />
</p>
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
@ -171,46 +171,46 @@ Docker integration key concepts are :
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.0/integrations/#docker) of the documentation.
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.1/integrations/#docker) of the documentation.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf) of the documentation.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf) of the documentation.
## Swarm
<p align="center">
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-swarm.svg" />
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.0/integrations/#swarm) of the documentation.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.1/integrations/#swarm) of the documentation.
## Kubernetes
<p align="center">
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes) of the documentation.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes) of the documentation.
## Linux
<p align="center">
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-linux.svg" />
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros :
@ -222,12 +222,12 @@ List of supported Linux distros :
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.0/integrations/#linux) of the documentation.
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.1/integrations/#linux) of the documentation.
## Ansible
<p align="center">
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-ansible.svg" />
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-ansible.svg" />
</p>
List of supported Linux distros :
@ -241,7 +241,7 @@ List of supported Linux distros :
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.0/integrations/#ansible) of the documentation.
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.1/integrations/#ansible) of the documentation.
## Vagrant
@ -250,11 +250,11 @@ We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following
- virtualbox
- libvirt
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant) of the documentation.
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant) of the documentation.
# Quickstart guide
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.0/quickstart-guide/) that will cover the following common use cases :
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.1/quickstart-guide/) that will cover the following common use cases :
- Protecting a single HTTP application
- Protecting multiple HTTP application
@ -265,9 +265,9 @@ Once you have setup BunkerWeb with the integration of your choice, you can follo
# Security tuning
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.0/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.1/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.0/security-tuning) of the documentation.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.1/security-tuning) of the documentation.
# Settings
@ -277,7 +277,7 @@ As a general rule when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
Check the [settings section](https://docs.bunkerweb.io/1.5.0/settings) of the documentation to get the full list.
Check the [settings section](https://docs.bunkerweb.io/1.5.1/settings) of the documentation to get the full list.
# Web UI
@ -295,7 +295,7 @@ The "Web UI" is a web application that helps you manage your BunkerWeb instance
- Monitor jobs execution
- View the logs and search pattern
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.0/web-ui) of the documentation.
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.1/web-ui) of the documentation.
# Plugins
@ -305,14 +305,15 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Coraza** | 0.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.0/plugins) of the documentation.
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.1/plugins) of the documentation.
# Support
@ -340,12 +341,12 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.0/LICENSE.md).
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.1/LICENSE.md).
# Contribute
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.0/CONTRIBUTING.md) to get started.
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.1/CONTRIBUTING.md) to get started.
# Security policy
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.1/SECURITY.md) for more information.


@ -4,7 +4,7 @@ Even though this project is focused on security, it is still prone to possible v
## Responsible disclosure
If you have found a security bug, please send us an email at security \[@\] bunkerity.com with technical details so we can resolve it as soon as possible.
If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.
Here is a non-exhaustive list of issues we consider as high risk :
- Vulnerability in the code


@ -79,7 +79,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "Going further"
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
## Custom configurations
@ -91,7 +91,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
!!! info "Going further"
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
## Database


@ -12,7 +12,7 @@ Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and
We provide ready-to-use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.5.0
docker pull bunkerity/bunkerweb:1.5.1
```
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (and get a coffee ☕ because it may take a long time depending on your hardware) :
@ -30,7 +30,7 @@ Docker integration key concepts are :
- **Networks** to expose ports for clients and connect to upstream web services
!!! info "Database backend"
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information.
### Environment variables
@ -40,7 +40,7 @@ Settings are passed to BunkerWeb using Docker environment variables :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
labels:
- "bunkerweb.INSTANCE"
environment:
@ -59,7 +59,7 @@ Please note that the `bunkerweb.INSTANCE` is mandatory to make sure the schedule
The [scheduler](concepts.md#scheduler) is executed in its own container which is also available on Docker Hub :
```shell
docker pull bunkerity/bunkerweb-scheduler:1.5.0
docker pull bunkerity/bunkerweb-scheduler:1.5.1
```
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (less coffee ☕ needed than BunkerWeb image) :
@ -76,7 +76,7 @@ A volume is needed to store the SQLite database that will be used by the schedul
...
services:
mybunker:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- bw-data:/data
...
@ -138,7 +138,7 @@ You will need to create the Docker API proxy container, mount the socket and set
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
env:
- DOCKER_HOST=tcp://bw-docker:2375
...
@ -148,6 +148,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
...
```
@ -185,7 +186,7 @@ The scheduler needs to contact the API of BunkerWeb and for obvious security rea
...
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -194,7 +195,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
networks:
- bw-universe
- bw-docker
@ -224,7 +225,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -238,7 +239,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -256,6 +257,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -293,7 +295,7 @@ Instead of defining environment variables for the BunkerWeb container, you simpl
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information.
Another container, named `bw-autoconf` for example, containing the autoconf service must be added to the stack. Since two services will generate the configuration for BunkerWeb, a "real" database backend (in other words, not SQLite) also needs to be added :
@ -302,7 +304,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -319,7 +321,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -332,7 +334,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -350,6 +352,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -427,7 +430,7 @@ Since we have multiple instances of BunkerWeb running, a shared data store imple
Using a shared folder or a specific driver for the database volume is left as an exercise for the reader (and depends on your own use-case).
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
@ -436,7 +439,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -466,7 +469,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -489,6 +492,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
@ -497,7 +501,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -596,7 +600,7 @@ The recommended setup is to define **BunkerWeb** as a **[DaemonSet](https://kube
Since we have multiple instances of BunkerWeb running, a shared data store implemented as a [Redis](https://redis.io/) service must be created : the instances will use it to cache and share data. You will find more information about the Redis settings [here](settings.md#redis)
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that both scheduler and autoconf services needs to access the Kubernetes API. The recommended way of doing it is using [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
@ -655,7 +659,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -725,7 +729,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -752,7 +756,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -930,12 +934,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0
sudo apt install -y bunkerweb=1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -964,12 +968,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.24.0-1~jammy
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0
sudo apt install -y bunkerweb=1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -986,14 +990,14 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install -y nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo dnf install -y bunkerweb-1.5.0
sudo dnf install -y bunkerweb-1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -1030,13 +1034,13 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
```shell
sudo dnf install nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0
sudo dnf install -y bunkerweb-1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -1065,12 +1069,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0
sudo dnf install -y bunkerweb-1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -1209,7 +1213,7 @@ Configuration of BunkerWeb is done by using specific role variables :
| Name | Type | Description | Default value |
|:-----:|:-----:|--------------|----------------|
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.0` |
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.1` |
| `nginx_version` | string | Version of NGINX to install. | `1.24.0` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |


@ -2,7 +2,7 @@
!!! warning "Read this if you were a 1.4.X user"
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repository.
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository.
## Scheduler


@ -8,12 +8,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Coraza** | 0.1 | Inspect requests using a Core Rule Set and deny malicious ones. | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## How to use a plugin
@ -21,7 +22,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.0.zip`
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.1.zip`
### Manual
@ -57,7 +58,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -94,7 +95,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -133,7 +134,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -180,7 +181,7 @@ The first step is to install the plugin by putting the plugin files inside the c
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -261,7 +262,7 @@ The first step is to install the plugin by putting the plugin files inside the c
!!! tip "Existing plugins"
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
The first step is to create a folder that will contain the plugin :
@ -506,7 +507,7 @@ end
!!! tip "More examples"
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/bw/lua/bunkerweb) of the repository.
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/bw/lua/bunkerweb) of the repository.
### Jobs


@ -4,7 +4,7 @@
We assume that you're already familiar with the [core concepts](concepts.md) and you have followed the [integrations instructions](integrations.md) for your environment.
!!! tip "Going further"
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) of the repository to get real-world examples.
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) of the repository to get real-world examples.
## Protect HTTP applications
@ -35,7 +35,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -52,7 +52,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -70,6 +70,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -385,7 +386,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -405,7 +406,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -423,6 +424,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -820,7 +822,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -835,7 +837,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -850,7 +852,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -970,7 +972,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -986,7 +988,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -1002,7 +1004,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -1148,7 +1150,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@ -1170,7 +1172,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1188,6 +1190,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -1218,7 +1221,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@ -1276,7 +1279,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
# Keep it if you want to use Let's Encrypt automation
- published: 80
@ -1462,7 +1465,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
...
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1505,7 +1508,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./bw-data:/data
...
@ -1574,7 +1577,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
myautoconf:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -1807,7 +1810,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./www:/var/www/html
ports:
@ -1830,7 +1833,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1848,6 +1851,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -1907,7 +1911,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./www:/var/www/html
labels:
@ -1921,7 +1925,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1938,6 +1942,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -2064,7 +2069,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- /shared/www:/var/www/html
...
@ -2343,7 +2348,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- USE_IPv6=yes
@ -2388,7 +2393,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- USE_IPv6=yes


@ -1,6 +1,6 @@
mkdocs==1.4.3
mkdocs-material==9.1.15
mkdocs-material==9.1.16
pytablewriter==0.64.2
mike==1.1.2
jinja2<3.1.0
mkdocs-print-site-plugin==2.3.4
mkdocs-print-site-plugin==2.3.5


@ -63,6 +63,12 @@ STREAM support :x:
You can automatically remove verbose headers in the HTTP responses by using the `REMOVE_HEADERS` setting (default : `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
#### Keep upstream headers
STREAM support :x:
You can automatically keep headers from upstream servers and prevent BunkerWeb from overriding them in the HTTP responses by using the `KEEP_UPSTREAM_HEADERS` setting (default : `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`). A special value `*` is available to keep all headers. List of headers to keep must be separated with a space. Note that if the header is not present in the upstream response, it will be added by BunkerWeb.
#### Cookies
STREAM support :x:
@ -250,6 +256,7 @@ That kind of security is implemented but not enabled by default in BunkerWeb and
- **Captcha** : force the client to solve a classical captcha (no external dependencies)
- **hCaptcha** : force the client to solve a captcha from hCaptcha
- **reCAPTCHA** : force the client to get a minimum score with Google reCAPTCHA
- **Turnstile** : enforce rate limiting and access control for APIs and web applications using various mechanisms with Coudflare Turnstile
Here is the list of related settings :
@ -262,6 +269,8 @@ Here is the list of related settings :
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
@ -476,7 +485,7 @@ You can quickly protect sensitive resources like the admin area for example, by
### Auth request
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples).
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples).
**Auth request settings are related to reverse proxy rules.**


@ -67,6 +67,8 @@ Bot detection by using a challenge.
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
@ -159,16 +161,19 @@ STREAM support :x:
Cross-Origin Resource Sharing.
| Setting | Default | Context |Multiple| Description |
|------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|`USE_CORS` |`no` |multisite|no |Use CORS |
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
| Setting | Default | Context |Multiple| Description |
|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|`USE_CORS` |`no` |multisite|no |Use CORS |
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
### Client cache
@ -288,20 +293,22 @@ STREAM support :x:
Manage HTTP headers sent to clients.
| Setting | Default | Context |Multiple| Description |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`STRICT_TRANSPORT_SECURITY`|`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
| Setting | Default | Context |Multiple| Description |
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`KEEP_UPSTREAM_HEADERS` |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` |multisite|no |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). |
|`STRICT_TRANSPORT_SECURITY` |`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no` |multisite|no |Send reports for violations of the Content-Security-Policy header instead of blocking them. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
### Let's Encrypt
@ -517,18 +524,18 @@ STREAM support :warning:
Allow access based on internal and external IP/network/rDNS/ASN whitelists.
| Setting | Default | Context |Multiple| Description |
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` |multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
| Setting | Default | Context |Multiple| Description |
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |


@ -55,13 +55,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -70,7 +69,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -88,14 +87,13 @@ Because the web UI is a web application, the recommended installation procedure
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -112,11 +110,12 @@ Because the web UI is a web application, the recommended installation procedure
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
environment:
@ -124,7 +123,6 @@ Because the web UI is a web application, the recommended installation procedure
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -177,13 +175,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -192,7 +189,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -209,7 +206,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -222,7 +219,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -240,6 +237,7 @@ Because the web UI is a web application, the recommended installation procedure
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -256,7 +254,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -268,14 +266,12 @@ Because the web UI is a web application, the recommended installation procedure
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
@ -314,13 +310,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -329,7 +324,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -359,7 +354,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -378,6 +373,7 @@ Because the web UI is a web application, the recommended installation procedure
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
@ -386,7 +382,7 @@ Because the web UI is a web application, the recommended installation procedure
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -413,13 +409,12 @@ Because the web UI is a web application, the recommended installation procedure
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -430,9 +425,8 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:
@ -463,13 +457,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -524,7 +517,7 @@ Because the web UI is a web application, the recommended installation procedure
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -594,7 +587,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -621,7 +614,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -705,15 +698,13 @@ Because the web UI is a web application, the recommended installation procedure
spec:
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
@ -788,8 +779,8 @@ Because the web UI is a web application, the recommended installation procedure
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
spec:
rules:
- host: www.example.com
@ -819,7 +810,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
@ -843,7 +833,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
@ -862,7 +851,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Here is the `my_variables.env` boilerplate you can use :
@ -877,7 +865,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
@ -929,7 +916,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
@ -952,7 +938,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```


@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -44,7 +44,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -50,7 +50,7 @@ services:
bw-universe:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -33,7 +33,7 @@ services:
- bw-services
bbw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -38,7 +38,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
# dropping all capabilities
cap_drop:
- ALL
@ -15,6 +15,7 @@ services:
tmpfs:
- /tmp:mode=0770,uid=0,gid=101
- /var/tmp/bunkerweb:mode=0770,uid=0,gid=101
- /var/run/bunkerweb:mode=0770,uid=0,gid=101
- /var/cache/bunkerweb:mode=0770,uid=0,gid=101
- /etc/nginx:mode=0770,uid=0,gid=101
ports:
@ -38,7 +39,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -1,7 +1,7 @@
{
"name": "load-balancer",
"kinds": ["docker"],
"timeout": 60,
"timeout": 120,
"no_copy_container": true,
"tests": [
{


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -44,7 +44,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -54,7 +54,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -26,7 +26,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- net-app2
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -30,7 +30,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -32,7 +32,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # required to resolve let's encrypt challenges
- 10000:10000 # app1 without SSL/TLS
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
logging:
driver: syslog
options:
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
logging:
driver: syslog
options:


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -12,7 +12,7 @@ services:
- bw-universe
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
# disable common security measures based on IP
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,9 +19,7 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
- www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';
labels:
- "bunkerweb.INSTANCE"
networks:
@ -29,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -41,11 +39,10 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker-proxy
environment:
- ABSOLUTE_URI=https://www.example.com/changeme/ # replace with another url
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # replace with a stronger password
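Review bot: The hunk header `-19,9 +19,7` says two lines leave this `environment:` block, but only the `REVERSE_PROXY_HEADERS=X-Script-Name` removal is accounted for by the changelog. If the second one is `www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';`, the UI example no longer sets an explicit framing restriction; this is inferred from the counts and from the other examples keeping `INTERCEPTED_ERROR_CODES`, because the rendered page has lost its +/- markers. If the removal is deliberate, a comment in its place such as `# no per-site CSP override: the UI path uses the global header settings` (wording to be confirmed against the actual defaults) would show it was not an accident. The `environment:` list starts and ends outside the hunk.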


@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -67,7 +67,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -79,14 +79,12 @@ services:
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
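Review bot: `- ADMIN_PASSWORD=changeme` in the `bw-ui` environment has no reminder to replace it, while other examples in this commit annotate the same line. These files are copied as starting points and the UI is published through the reverse proxy under `/changeme/`, so the placeholder should be marked here too: `- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin user`. The same bare line appears in later autoconf, docker and swarm example sections of this commit, and one swarm section also leaves `DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db` unannotated. The `environment:` block starts outside the hunk.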


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -67,7 +67,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -79,14 +79,12 @@ services:
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -66,7 +66,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -78,14 +78,12 @@ services:
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -56,7 +56,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -69,14 +69,12 @@ services:
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -20,14 +20,13 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -49,7 +48,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
environment:
@ -57,7 +56,6 @@ services:
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -20,14 +20,13 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/admin/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -49,7 +48,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
environment:
@ -57,7 +56,6 @@ services:
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -21,14 +21,13 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/admin/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -50,7 +49,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
environment:
@ -58,7 +57,6 @@ services:
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin user
- ABSOLUTE_URI=http://www.example.com/changeme
networks:
- bw-universe
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -16,14 +16,13 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -46,7 +45,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
volumes:
@ -55,7 +54,6 @@ services:
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -16,7 +16,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -230,15 +230,13 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
@ -313,7 +311,6 @@ metadata:
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:
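Review bot: `ADMIN_USERNAME` and `ADMIN_PASSWORD` remain literal `value: "changeme"` entries in the `bunkerweb-ui` container spec, so the credential sits in the manifest and is readable by anything that can read the pod spec. Sourcing it from a Secret avoids that: replace `value: "changeme"` with a `valueFrom:` / `secretKeyRef:` entry pointing at `name: <your-secret-name>` and `key: <your-key>` (placeholders). At minimum, add `# replace with a strong password` beside the value, as the compose examples do. The two later Kubernetes sections with the same `env:` hunk have the same issue, and the container spec continues outside the hunk.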


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -230,15 +230,13 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
@ -312,7 +310,6 @@ metadata:
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -230,15 +230,13 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
@ -312,7 +310,6 @@ metadata:
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:


@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -87,13 +87,12 @@ services:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -104,7 +103,6 @@ services:
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -64,7 +64,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -87,13 +87,12 @@ services:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -104,7 +103,6 @@ services:
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -86,13 +86,12 @@ services:
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
environment:
- DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -103,7 +102,6 @@ services:
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:


@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375


@ -1 +1 @@
1.5.0
1.5.1


@ -1,4 +1,4 @@
FROM python:3.11.3-alpine AS builder
FROM python:3.11.4-alpine AS builder
# Copy python requirements
COPY src/common/gen/requirements.txt /tmp/req/requirements.txt
@ -32,7 +32,7 @@ COPY src/common/helpers /usr/share/bunkerweb/helpers
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
COPY src/common/utils /usr/share/bunkerweb/utils
FROM python:3.11.3-alpine
FROM python:3.11.4-alpine
# Set default umask to prevent huge recursive chmod increasing the final image size
RUN umask 027
@ -60,7 +60,7 @@ RUN apk add --no-cache bash && \
chmod 750 /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/bin/bwcli /usr/share/bunkerweb/autoconf/main.py /usr/share/bunkerweb/deps/python/bin/*
# Fix CVEs
RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
# There are no CVE to fix for the moment
VOLUME /data /etc/nginx
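Review bot: Replacing `RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"` with `# There are no CVE to fix for the moment` removes the only line that enforced a minimum OpenSSL package version, so the image now depends on whatever `python:3.11.4-alpine` resolves to at build time. Both `FROM` lines use a mutable tag; pinning them by digest, `FROM python:3.11.4-alpine@sha256:<digest>` (placeholder), would make that assumption reproducible and reviewable. Alternatively, keep the version-floor line, which should be harmless once the base image already satisfies it. Which line is old and which is new is taken from print order, since the page has lost its +/- markers.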


@ -70,7 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
ln -s /proc/1/fd/1 /var/log/nginx/access.log
# Fix CVEs
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
RUN apk add "libx11>=1.8.4-r1"
VOLUME /data /etc/nginx
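Review bot: The `# Fix CVEs` step now reads `RUN apk add "libx11>=1.8.4-r1"` (taking the second printed line as the new side) without the `--no-cache` flag that the `RUN apk add --no-cache pcre bash python3` step above uses. The package index may therefore be left in the layer; `RUN apk add --no-cache "libx11>=1.8.4-r1"` keeps the two steps consistent. The same edit drops the version floors for `libcrypto3`, `libssl3`, `curl`, `libcurl`, `libwebp` and the `ncurses` packages. A comment naming the base image release that made them redundant would let a reviewer verify that instead of trusting it.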


@ -1,11 +1,11 @@
local class = require "middleclass"
local datastore = require "bunkerweb.datastore"
local utils = require "bunkerweb.utils"
local logger = require "bunkerweb.logger"
local logger = require "bunkerweb.logger"
local cjson = require "cjson"
local upload = require "resty.upload"
local rsignal = require "resty.signal"
local process = require "ngx.process"
local rsignal = require "resty.signal"
local process = require "ngx.process"
local api = class("api")
@ -14,6 +14,16 @@ api.global = { GET = {}, POST = {}, PUT = {}, DELETE = {} }
function api:initialize()
self.datastore = datastore:new()
self.logger = logger:new("API")
self.ctx = ngx.ctx
local data, err = utils.get_variable("API_WHITELIST_IP", false)
self.ips = {}
if not data then
self.logger.log(ngx.ERR, "can't get API_WHITELIST_IP variable : " .. err)
else
for ip in data:gmatch("%S+") do
table.insert(self.ips, ip)
end
end
end
function api:log_cmd(cmd, status, stdout, stderr)
@ -71,17 +81,17 @@ api.global.POST["^/stop$"] = function(self)
end
api.global.POST["^/confs$"] = function(self)
local tmp = "/var/tmp/bunkerweb/api_" .. ngx.ctx.bw.uri:sub(2) .. ".tar.gz"
local destination = "/usr/share/bunkerweb/" .. ngx.ctx.bw.uri:sub(2)
if ngx.ctx.bw.uri == "/confs" then
local tmp = "/var/tmp/bunkerweb/api_" .. self.ctx.bw.uri:sub(2) .. ".tar.gz"
local destination = "/usr/share/bunkerweb/" .. self.ctx.bw.uri:sub(2)
if self.ctx.bw.uri == "/confs" then
destination = "/etc/nginx"
elseif ngx.ctx.bw.uri == "/data" then
elseif self.ctx.bw.uri == "/data" then
destination = "/data"
elseif ngx.ctx.bw.uri == "/cache" then
elseif self.ctx.bw.uri == "/cache" then
destination = "/var/cache/bunkerweb"
elseif ngx.ctx.bw.uri == "/custom_configs" then
elseif self.ctx.bw.uri == "/custom_configs" then
destination = "/etc/bunkerweb/configs"
elseif ngx.ctx.bw.uri == "/plugins" then
elseif self.ctx.bw.uri == "/plugins" then
destination = "/etc/bunkerweb/plugins"
end
local form, err = upload:new(4096)
@ -185,21 +195,25 @@ api.global.GET["^/bans$"] = function(self)
return self:response(ngx.HTTP_OK, "success", data)
end
function api:is_allowed_ip()
local data, err = self.datastore:get("api_whitelist_ip")
if not data then
return false, "can't access api_allowed_ips in datastore"
api.global.GET["^/variables$"] = function(self)
local variables, err = datastore:get('variables', true)
if not variables then
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't access variables from datastore : " .. err)
end
if utils.is_ip_in_networks(ngx.ctx.bw.remote_addr, cjson.decode(data)) then
return self:response(ngx.HTTP_OK, "success", variables)
end
function api:is_allowed_ip()
if utils.is_ip_in_networks(self.ctx.bw.remote_addr, self.ips) then
return true, "ok"
end
return false, "IP is not in API_WHITELIST_IP"
end
function api:do_api_call()
if self.global[ngx.ctx.bw.request_method] ~= nil then
for uri, api_fun in pairs(self.global[ngx.ctx.bw.request_method]) do
if string.match(ngx.ctx.bw.uri, uri) then
if self.global[self.ctx.bw.request_method] ~= nil then
for uri, api_fun in pairs(self.global[self.ctx.bw.request_method]) do
if string.match(self.ctx.bw.uri, uri) then
local status, resp = api_fun(self)
local ret = true
if status ~= ngx.HTTP_OK then
@ -215,17 +229,16 @@ function api:do_api_call()
end
end
end
local list, err = self.datastore:get("plugins")
local list, err = self.datastore:get("plugins", true)
if not list then
local status, resp = self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't list loaded plugins : " .. err)
return false, resp["msg"], ngx.HTTP_INTERNAL_SERVER_ERROR, resp
return false, resp["msg"], ngx.HTTP_INTERNAL_SERVER_ERROR, cjson.encode(resp)
end
list = cjson.decode(list)
for i, plugin in ipairs(list) do
if pcall(require, plugin.id .. "/" .. plugin.id) then
local plugin_lua = require(plugin.id .. "/" .. plugin.id)
if plugin_lua.api ~= nil then
local matched, status, resp = plugin_lua.api()
local matched, status, resp = plugin_lua:api(self.ctx)
if matched then
local ret = true
if status ~= ngx.HTTP_OK then
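Review bot: In `api:initialize()` the error branch calls `self.logger.log(ngx.ERR, ...)` with a dot, so `ngx.ERR` is passed as the receiver instead of the logger object; the logger is called as `module_logger:log(ngx.ERR, ...)` elsewhere in this commit. It should read `self.logger:log(ngx.ERR, "can't get API_WHITELIST_IP variable : " .. (err or "unknown error"))`. Otherwise the one message explaining why `self.ips` is empty, and why `is_allowed_ip` then refuses every caller, is likely lost or raises. The new `^/variables$` handler calls `datastore:get('variables', true)` on the class rather than `self.datastore:get(...)` as `do_api_call` does, and it returns the whole variables table, so a comment stating that it depends on the `API_WHITELIST_IP` check would help. `do_api_call` continues past the end of the hunk.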


@ -1,16 +1,16 @@
local mlcache = require "resty.mlcache"
local mlcache = require "resty.mlcache"
local clusterstore = require "bunkerweb.clusterstore"
local logger = require "bunkerweb.logger"
local utils = require "bunkerweb.utils"
local class = require "middleclass"
local cachestore = class("cachestore")
local logger = require "bunkerweb.logger"
local utils = require "bunkerweb.utils"
local class = require "middleclass"
local cachestore = class("cachestore")
-- Instantiate mlcache object at module level (which will be cached when running init phase)
-- TODO : custom settings
local shm = "cachestore"
local ipc_shm = "cachestore_ipc"
local shm_miss = "cachestore_miss"
local shm_locks = "cachestore_locks"
local shm = "cachestore"
local ipc_shm = "cachestore_ipc"
local shm_miss = "cachestore_miss"
local shm_locks = "cachestore_locks"
if not ngx.shared.cachestore then
shm = "cachestore_stream"
ipc_shm = "cachestore_ipc_stream"
@ -42,7 +42,8 @@ if not cache then
module_logger:log(ngx.ERR, "can't instantiate mlcache : " .. err)
end
function cachestore:initialize(use_redis, new_cs)
function cachestore:initialize(use_redis, new_cs, ctx)
self.ctx = ctx
self.cache = cache
self.use_redis = use_redis or false
self.logger = module_logger
@ -50,7 +51,7 @@ function cachestore:initialize(use_redis, new_cs)
self.clusterstore = clusterstore:new(false)
self.shared_cs = false
else
self.clusterstore = utils.get_ctx_obj("clusterstore")
self.clusterstore = utils.get_ctx_obj("clusterstore", self.ctx)
self.shared_cs = true
end
end
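Review bot: `cachestore:initialize(use_redis, new_cs, ctx)` stores `ctx` without a default and passes `self.ctx` to `utils.get_ctx_obj("clusterstore", self.ctx)` when `new_cs` is falsy, so a caller still using the two-argument form hands `nil` to the helper. What `get_ctx_obj` does with a nil context is not visible here. A header comment would make the contract explicit, for example `-- ctx: request context table used to look up the shared clusterstore; presumably required unless new_cs is true`. If not every caller can be updated, test `if not new_cs and not ctx then` and log through `self.logger:log(ngx.ERR, ...)` before the lookup.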


@ -77,7 +77,8 @@ function clusterstore:close()
if self.redis_client then
-- Equivalent to close but keep a pool of connections
if self.pool then
local ok, err = self.redis_client:set_keepalive(tonumber(self.variables["REDIS_KEEPALIVE_IDLE"]), tonumber(self.variables["REDIS_KEEPALIVE_POOL"]))
local ok, err = self.redis_client:set_keepalive(tonumber(self.variables["REDIS_KEEPALIVE_IDLE"]),
tonumber(self.variables["REDIS_KEEPALIVE_POOL"]))
self.redis_client = nil
if not ok then
require "bunkerweb.logger":new("clusterstore-close"):log(ngx.ERR, err)


@ -1,6 +1,13 @@
local class = require "middleclass"
local lrucache = require "resty.lrucache"
local datastore = class("datastore")
local lru, err = lrucache.new(100000)
if not lru then
require "bunkerweb.logger":new("DATASTORE"):log(ngx.ERR,
"failed to instantiate LRU cache : " .. (err or "unknown error"))
end
function datastore:initialize()
self.dict = ngx.shared.datastore
if not self.dict then
@ -8,7 +15,11 @@ function datastore:initialize()
end
end
function datastore:get(key)
function datastore:get(key, worker)
if worker then
local value, err = lru:get(key)
return value, err or "not found"
end
local value, err = self.dict:get(key)
if not value and not err then
err = "not found"
@ -16,21 +27,35 @@ function datastore:get(key)
return value, err
end
function datastore:set(key, value, exptime)
function datastore:set(key, value, exptime, worker)
if worker then
lru:set(key, value, exptime)
return true, "success"
end
exptime = exptime or 0
return self.dict:safe_set(key, value, exptime)
end
function datastore:delete(key)
function datastore:delete(key, worker)
if worker then
lru:delete(key)
return true, "success"
end
self.dict:delete(key)
return true, "success"
end
function datastore:keys()
function datastore:keys(worker)
if worker then
return lru:keys(0)
end
return self.dict:get_keys(0)
end
function datastore:ttl(key)
if worker then
return false, "not supported by LRU"
end
local ttl, err = self.dict:ttl(key)
if not ttl then
return false, err
@ -38,8 +63,13 @@ function datastore:ttl(key)
return true, ttl
end
function datastore:delete_all(pattern)
local keys = self.dict:get_keys(0)
function datastore:delete_all(pattern, worker)
local keys = {}
if worker then
keys = lru:keys(0)
else
keys = self.dict:get_keys(0)
end
for i, key in ipairs(keys) do
if key:match(pattern) then
self.dict:delete(key)
@ -48,4 +78,8 @@ function datastore:delete_all(pattern)
return true, "success"
end
function datastore:flush_lru()
lru:flush_all()
end
return datastore
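Review bot: `datastore:ttl(key)` tests `worker`, but its signature was not extended, so `worker` resolves to a global (normally nil) and the "not supported by LRU" branch cannot be reached; the signature should read `function datastore:ttl(key, worker)`. In `delete_all(pattern, worker)` the keys are listed from the LRU when `worker` is set, yet the loop still calls `self.dict:delete(key)`, so matching LRU entries survive; the delete should be `if worker then lru:delete(key) else self.dict:delete(key) end`. As far as I know lua-resty-lrucache exposes `get_keys` rather than `keys`, so `lru:keys(0)` should be checked against the bundled version. `lru` is also used without a guard after a failed `lrucache.new`, which is only logged.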


@ -108,9 +108,9 @@ helpers.require_plugin = function(id)
return plugin_lua, "require() call successful for plugin " .. id
end
helpers.new_plugin = function(plugin_lua)
helpers.new_plugin = function(plugin_lua, ctx)
-- Require call
local ok, plugin_obj = pcall(plugin_lua.new, plugin_lua)
local ok, plugin_obj = pcall(plugin_lua.new, plugin_lua, ctx)
if not ok then
return false, "new error for plugin " .. plugin_lua.name .. " : " .. plugin_obj
end
@ -148,8 +148,9 @@ end
helpers.fill_ctx = function()
-- Return errors as table
local errors = {}
local ctx = ngx.ctx
-- Check if ctx is already filled
if not ngx.ctx.bw then
if not ctx.bw then
-- Instantiate bw table
local data = {}
-- Common vars
@ -158,14 +159,19 @@ helpers.fill_ctx = function()
data.kind = "stream"
end
data.remote_addr = ngx.var.remote_addr
data.uri = ngx.var.uri
data.request_uri = ngx.var.request_uri
data.request_method = ngx.var.request_method
data.http_user_agent = ngx.var.http_user_agent
data.http_host = ngx.var.http_host
data.server_name = ngx.var.server_name
data.http_content_type = ngx.var.http_content_type
data.http_origin = ngx.var.http_origin
if data.kind == "http" then
data.uri = ngx.var.uri
data.request_uri = ngx.var.request_uri
data.request_method = ngx.var.request_method
data.http_user_agent = ngx.var.http_user_agent
data.http_host = ngx.var.http_host
data.server_name = ngx.var.server_name
data.http_content_type = ngx.var.http_content_type
data.http_content_length = ngx.var.http_content_length
data.http_origin = ngx.var.http_origin
data.http_version = ngx.req.http_version()
end
-- IP data : global
local ip_is_global, err = utils.ip_is_global(data.remote_addr)
if ip_is_global == nil then
@ -180,17 +186,76 @@ helpers.fill_ctx = function()
data.integration = utils.get_integration()
data.version = utils.get_version()
-- Fill ctx
ngx.ctx.bw = data
ctx.bw = data
end
-- Always create new objects for current phases in case of cosockets
local use_redis, err = utils.get_variable("USE_REDIS", false)
if not use_redis then
table.insert(errors, "can't get variable from datastore : " .. err)
end
ngx.ctx.bw.datastore = require "bunkerweb.datastore":new()
ngx.ctx.bw.clusterstore = require "bunkerweb.clusterstore":new()
ngx.ctx.bw.cachestore = require "bunkerweb.cachestore":new(use_redis == "yes")
return true, "ctx filled", errors
ctx.bw.datastore = require "bunkerweb.datastore":new()
ctx.bw.clusterstore = require "bunkerweb.clusterstore":new()
ctx.bw.cachestore = require "bunkerweb.cachestore":new(use_redis == "yes")
return true, "ctx filled", errors, ctx
end
function helpers.load_variables(all_variables, plugins)
-- Extract settings from plugins and global ones
local all_settings = {}
for i, plugin in ipairs(plugins) do
if plugin.settings then
for setting, data in pairs(plugin.settings) do
all_settings[setting] = data
end
end
end
local file = io.open("/usr/share/bunkerweb/settings.json")
if not file then
return false, "can't open settings.json"
end
local ok, settings = pcall(cjson.decode, file:read("*a"))
file:close()
if not ok then
return false, "invalid settings.json : " .. err
end
for setting, data in pairs(settings) do
all_settings[setting] = data
end
-- Extract vars
local variables = { ["global"] = {} }
local multisite = all_variables["MULTISITE"] == "yes"
local server_names = {}
if multisite then
for server_name in all_variables["SERVER_NAME"]:gmatch("%S+") do
variables[server_name] = {}
table.insert(server_names, server_name)
end
end
for setting, data in pairs(all_settings) do
if all_variables[setting] then
variables["global"][setting] = all_variables[setting]
end
if multisite then
for i, server_name in ipairs(server_names) do
local key = server_name .. "_" .. setting
if all_variables[key] then
variables[server_name][setting] = all_variables[key]
end
end
end
if data.multiple then
for variable, value in pairs(all_variables) do
local found, _, prefix = variable:find("^([^_]*)_?" .. setting .. "_[0-9]+$")
if found then
if multisite and prefix and prefix ~= "" then
variables[prefix][variable] = value
end
variables["global"][variable] = value
end
end
end
end
return true, variables
end
return helpers
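Review bot: In `helpers.load_variables` the failure branch after `pcall(cjson.decode, ...)` concatenates `err`, which is not defined anywhere in the visible function, so a malformed settings.json would raise a concatenation error instead of returning the message; pcall puts the error in its second result, so the line should be `return false, "invalid settings.json : " .. settings`. In the `data.multiple` loop, `variables[prefix][variable] = value` indexes `variables[prefix]` without checking that it exists, so a variable whose prefix is not one of the `SERVER_NAME` entries would fail there; guard it with `if multisite and variables[prefix] then`. `setting` is spliced into the pattern unescaped, which holds only while setting names contain no pattern magic characters.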


@ -1,18 +1,19 @@
local class = require "middleclass"
local logger = require "bunkerweb.logger"
local datastore = require "bunkerweb.datastore"
local cachestore = require "bunkerweb.cachestore"
local class = require "middleclass"
local logger = require "bunkerweb.logger"
local datastore = require "bunkerweb.datastore"
local cachestore = require "bunkerweb.cachestore"
local clusterstore = require "bunkerweb.clusterstore"
local utils = require "bunkerweb.utils"
local cjson = require "cjson"
local plugin = class("plugin")
local utils = require "bunkerweb.utils"
local cjson = require "cjson"
local plugin = class("plugin")
function plugin:initialize(id)
function plugin:initialize(id, ctx)
-- Store common, values
self.id = id
local multisite = false
local current_phase = ngx.get_phase()
for i, check_phase in ipairs({ "set", "access", "content", "header_filter", "log", "preread", "log_stream", "log_default" }) do
for i, check_phase in ipairs({ "set", "access", "content", "header_filter", "log", "preread", "log_stream",
"log_default" }) do
if current_phase == check_phase then
multisite = true
break
@ -21,35 +22,46 @@ function plugin:initialize(id)
self.is_request = multisite
-- Store common objets
self.logger = logger:new(self.id)
local use_redis, err = utils.get_variable("USE_REDIS", false)
if not use_redis then
self.logger:log(ngx.ERR, err)
end
self.use_redis = use_redis == "yes"
local use_redis, err = utils.get_variable("USE_REDIS", false)
if not use_redis then
self.logger:log(ngx.ERR, err)
end
self.use_redis = use_redis == "yes"
if self.is_request then
self.datastore = utils.get_ctx_obj("datastore") or datastore:new()
self.cachestore = utils.get_ctx_obj("cachestore") or cachestore:new(use_redis == "yes", true)
self.clusterstore = utils.get_ctx_obj("clusterstore") or clusterstore:new(false)
-- Store ctx
self.ctx = ctx or ngx.ctx
self.datastore = utils.get_ctx_obj("datastore", self.ctx) or datastore:new()
self.cachestore = utils.get_ctx_obj("cachestore", self.ctx) or cachestore:new(use_redis == "yes", true, self.ctx)
self.clusterstore = utils.get_ctx_obj("clusterstore", self.ctx) or clusterstore:new(false)
else
self.datastore = datastore:new()
self.cachestore = cachestore:new(use_redis == "yes", true)
self.clusterstore = clusterstore:new(false)
end
-- Get metadata
local encoded_metadata, err = self.datastore:get("plugin_" .. id)
if not encoded_metadata then
local metadata, err = self.datastore:get("plugin_" .. id, true)
if not metadata then
self.logger:log(ngx.ERR, err)
return
end
-- Store variables
self.variables = {}
local metadata = cjson.decode(encoded_metadata)
self.multiples = {}
for k, v in pairs(metadata.settings) do
local value, err = utils.get_variable(k, v.context == "multisite" and multisite)
if value == nil then
self.logger:log(ngx.ERR, "can't get " .. k .. " variable : " .. err)
end
self.variables[k] = value
-- if v.multiple then
-- local multiples, err = utils.get_multiple_variables(k)
-- if not multiples then
-- self.logger:log(ngx.ERR, "can't get " .. k .. " multiple variable : " .. err)
-- self.multiples[k] = {}
-- else
-- self.multiples[k] = multiples
-- end
-- end
end
-- Is loading
local is_loading, err = utils.get_variable("IS_LOADING", false)
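Review bot: `self.multiples` is initialised to an empty table, but the only code that would fill it is the commented-out block under `self.variables[k] = value`, so the field is always empty after `initialize`. Either drop the field and the dead block until `utils.get_multiple_variables` is wired in, or leave a single line such as `-- TODO: populate self.multiples once get_multiple_variables is reworked`. `metadata` is now the table object held in the per-worker LRU rather than a fresh `cjson.decode` result, so nothing in the plugin should mutate it. `plugin:initialize` continues past the end of this hunk.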


@ -1,16 +1,16 @@
local cdatastore = require "bunkerweb.datastore"
local mmdb = require "bunkerweb.mmdb"
local clogger = require "bunkerweb.logger"
local cdatastore = require "bunkerweb.datastore"
local mmdb = require "bunkerweb.mmdb"
local clogger = require "bunkerweb.logger"
local ipmatcher = require "resty.ipmatcher"
local resolver = require "resty.dns.resolver"
local session = require "resty.session"
local cjson = require "cjson"
local ipmatcher = require "resty.ipmatcher"
local resolver = require "resty.dns.resolver"
local session = require "resty.session"
local cjson = require "cjson"
local logger = clogger:new("UTILS")
local datastore = cdatastore:new()
local logger = clogger:new("UTILS")
local datastore = cdatastore:new()
local utils = {}
local utils = {}
math.randomseed(os.time())
@ -20,49 +20,32 @@ utils.get_variable = function(var, site_search)
site_search = true
end
-- Get global value
local value, err = datastore:get("variable_" .. var)
if not value then
return nil, "can't access variable " .. var .. " from datastore : " .. err
local variables, err = datastore:get('variables', true)
if not variables then
return nil, "can't access variables from datastore : " .. err
end
local value = variables["global"][var]
-- Site search case
if site_search then
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "can't access variable MULTISITE from datastore : " .. err
end
-- Multisite case
if multisite == "yes" and ngx.var.server_name then
local value_site, err = datastore:get("variable_" .. ngx.var.server_name .. "_" .. var)
if value_site then
value = value_site
end
end
local multisite = site_search and variables["global"]["MULTISITE"] == "yes" and ngx.var.server_name ~= "_"
if multisite then
value = variables[ngx.var.server_name][var]
end
return value, "success"
end
utils.has_variable = function(var, value)
-- Get global variable
local check_value, err = datastore:get("variable_" .. var)
if not value then
return nil, "Can't access variable " .. var .. " from datastore : " .. err
end
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "Can't access variable MULTISITE from datastore : " .. err
local variables, err = datastore:get('variables', true)
if not variables then
return nil, "can't access variables " .. var .. " from datastore : " .. err
end
-- Multisite case
if multisite == "yes" then
local servers, err = datastore:get("variable_SERVER_NAME")
if not servers then
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
end
local multisite = variables["global"]["MULTISITE"] == "yes"
if multisite then
local servers = variables["global"]["SERVER_NAME"]
-- Check each server
for server in servers:gmatch("%S+") do
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
if check_value_site and check_value_site == value then
if variables[server][var] == value then
return true, "success"
end
end
@ -70,30 +53,22 @@ utils.has_variable = function(var, value)
return false, "success"
end
end
return check_value == value, "success"
return variables["global"][var] == value, "success"
end
utils.has_not_variable = function(var, value)
-- Get global variable
local check_value, err = datastore:get("variable_" .. var)
if not value then
return nil, "Can't access variable " .. var .. " from datastore : " .. err
end
-- Check if multisite is set to yes
local multisite, err = datastore:get("variable_MULTISITE")
if not multisite then
return nil, "Can't access variable MULTISITE from datastore : " .. err
local variables, err = datastore:get('variables', true)
if not variables then
return nil, "can't access variables " .. var .. " from datastore : " .. err
end
-- Multisite case
if multisite == "yes" then
local servers, err = datastore:get("variable_SERVER_NAME")
if not servers then
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
end
local multisite = variables["global"]["MULTISITE"] == "yes"
if multisite then
local servers = variables["global"]["SERVER_NAME"]
-- Check each server
for server in servers:gmatch("%S+") do
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
if check_value_site and check_value_site ~= value then
if variables[server][var] ~= "value" then
return true, "success"
end
end
@ -101,33 +76,24 @@ utils.has_not_variable = function(var, value)
return false, "success"
end
end
return check_value ~= value, "success"
return variables["global"][var] ~= value, "success"
end
utils.get_multiple_variables = function(vars)
-- Get all keys
local keys = datastore:keys()
local variables, err = datastore:get('variables', true)
if not variables then
return nil, "can't access variables " .. var .. " from datastore : " .. err
end
local result = {}
-- Loop on keys
for i, key in ipairs(keys) do
-- Loop on scoped vars
for scope, scoped_vars in pairs(variables) do
result[scope] = {}
-- Loop on vars
for j, var in ipairs(vars) do
-- Filter on good ones
local _, _, server, subvar = key:find("variable_(.*)_?(" .. var .. "_?%d*)")
if subvar then
if not server or server == "" then
server = "global"
else
server = server:sub(1, -2)
for variable, value in pairs(scoped_vars) do
for i, var in ipairs(vars) do
if variable:find("^" .. var .. "_?[0-9]*$") then
result[scope][variable] = value
end
if result[server] == nil then
result[server] = {}
end
local value, err = datastore:get(key)
if not value then
return nil, err
end
result[server][subvar] = value
end
end
end
@ -205,23 +171,25 @@ end
utils.get_integration = function()
-- Check if already in datastore
local integration, err = datastore:get("misc_integration")
local integration, err = datastore:get("misc_integration", true)
if integration then
return integration
end
local variables, err = datastore:get("variables", true)
if not variables then
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
return "unknown"
end
-- Swarm
local var, err = datastore:get("variable_SWARM_MODE")
if var == "yes" then
if variables["global"]["SWARM_MODE"] == "yes" then
integration = "swarm"
else
-- Kubernetes
local var, err = datastore:get("variable_KUBERNETES_MODE")
if var == "yes" then
if variables["global"]["KUBERNETES_MODE"] == "yes" then
integration = "kubernetes"
else
-- Autoconf
local var, err = datastore:get("variable_AUTOCONF_MODE")
if var == "yes" then
if variables["global"]["AUTOCONF_MODE"] == "yes" then
integration = "autoconf"
else
-- Already present (e.g. : linux)
@ -247,7 +215,7 @@ utils.get_integration = function()
end
end
-- Save integration
local ok, err = datastore:set("misc_integration", integration)
local ok, err = datastore:set("misc_integration", integration, nil, true)
if not ok then
logger:log(ngx.ERR, "can't cache integration to datastore : " .. err)
end
@ -256,7 +224,7 @@ end
utils.get_version = function()
-- Check if already in datastore
local version, err = datastore:get("misc_version")
local version, err = datastore:get("misc_version", true)
if version then
return version
end
@ -269,17 +237,17 @@ utils.get_version = function()
version = f:read("*a"):gsub("[\n\r]", "")
f:close()
-- Save it to datastore
local ok, err = datastore:set("misc_version", version)
local ok, err = datastore:set("misc_version", version, nil, true)
if not ok then
logger:log(ngx.ERR, "can't cache version to datastore : " .. err)
end
return version
end
utils.get_reason = function()
utils.get_reason = function(ctx)
-- ngx.ctx
if ngx.ctx.reason then
return ngx.ctx.reason
if ctx.bw.reason then
return ctx.bw.reason
end
-- ngx.var
if ngx.var.reason and ngx.var.reason ~= "" then
@ -295,7 +263,7 @@ utils.get_reason = function()
return banned
end
-- unknown
if ngx.status == utils.get_deny_status() then
if ngx.status == utils.get_deny_status(ctx) then
return "unknown"
end
return nil
@ -303,30 +271,30 @@ end
utils.get_resolvers = function()
-- Get resolvers from datastore if existing
local str_resolvers, err = datastore:get("misc_resolvers")
if str_resolvers then
return cjson.decode(str_resolvers)
local resolvers, err = datastore:get("misc_resolvers", true)
if resolvers then
return resolvers
end
-- Otherwise extract DNS_RESOLVERS variable
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
if not var_resolvers then
logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
return nil, err
local variables, err = datastore:get("variables", true)
if not variables then
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
return "unknown"
end
-- Make table for resolver1 resolver2 ... string
local resolvers = {}
for str_resolver in var_resolvers:gmatch("%S+") do
for str_resolver in variables["global"]["DNS_RESOLVERS"]:gmatch("%S+") do
table.insert(resolvers, str_resolver)
end
-- Add it to the datastore
local ok, err = datastore:set("misc_resolvers", cjson.encode(resolvers))
local ok, err = datastore:set("misc_resolvers", resolvers, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save misc_resolvers to datastore : " .. err)
end
return resolvers
end
utils.get_rdns = function(ip)
utils.get_rdns = function(ip)
-- Check cache
local cachestore = utils.new_cachestore()
local ok, value = cachestore:get("rdns_" .. ip)
@ -376,7 +344,7 @@ utils.get_rdns = function(ip)
return ptrs, ret_err
end
utils.get_ips = function(fqdn, ipv6)
utils.get_ips = function(fqdn, ipv6)
-- Check cache
local cachestore = utils.new_cachestore()
local ok, value = cachestore:get("dns_" .. fqdn)
@ -497,38 +465,38 @@ utils.rand = function(nb, no_numbers)
return result
end
utils.get_deny_status = function()
utils.get_deny_status = function(ctx)
-- Stream case
if ngx.ctx.bw and ngx.ctx.bw.kind == "stream" then
if ctx.bw and ctx.bw.kind == "stream" then
return 444
end
-- http case
local status, err = datastore:get("variable_DENY_HTTP_STATUS")
if not status then
logger:log(ngx.ERR, "can't get DENY_HTTP_STATUS variable " .. err)
local variables, err = datastore:get("variables", true)
if not variables then
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
return 403
end
return tonumber(status)
return tonumber(variables["global"]["DENY_HTTP_STATUS"])
end
utils.check_session = function()
local _session, err, exists, refreshed = session.start({audience = "metadata"})
utils.check_session = function(ctx)
local _session, err, exists, refreshed = session.start({ audience = "metadata" })
if exists then
for i, check in ipairs(ngx.ctx.bw.sessions_checks) do
for i, check in ipairs(ctx.bw.sessions_checks) do
local key = check[1]
local value = check[2]
if _session:get(key) ~= value then
local ok, err = _session:destroy()
if not ok then
_session:close()
return false, "session:destroy() error : " .. err
return false, "session:destroy() error : " .. err
end
logger:log(ngx.WARN, "session check " .. key .. " failed, destroying session")
return utils.check_session()
return utils.check_session(ctx)
end
end
else
for i, check in ipairs(ngx.ctx.bw.sessions_checks) do
for i, check in ipairs(ctx.bw.sessions_checks) do
_session:set(check[1], check[2])
end
local ok, err = _session:save()
@ -537,41 +505,41 @@ utils.check_session = function()
return false, "session:save() error : " .. err
end
end
ngx.ctx.bw.sessions_is_checked = true
ctx.bw.sessions_is_checked = true
_session:close()
return true, exists
end
utils.get_session = function(audience)
utils.get_session = function(audience, ctx)
-- Check session
if not ngx.ctx.bw.sessions_is_checked then
local ok, err = utils.check_session()
if not ctx.bw.sessions_is_checked then
local ok, err = utils.check_session(ctx)
if not ok then
return false, "error while checking session, " .. err
end
end
-- Open session with specific audience
local _session, err, exists = session.open({audience = audience})
local _session, err, exists = session.open({ audience = audience })
if err then
logger:log(ngx.INFO, "session:open() error : " .. err)
end
return _session
end
utils.get_session_data = function(_session, site)
utils.get_session_data = function(_session, site, ctx)
local site_only = site == nil or site
local data = _session:get_data()
if site_only then
return data[ngx.ctx.bw.server_name] or {}
return data[ctx.bw.server_name] or {}
end
return data
end
utils.set_session_data = function(_session, data, site)
utils.set_session_data = function(_session, data, site, ctx)
local site_only = site == nil or site
if site_only then
local all_data = _session:get_data()
all_data[ngx.ctx.bw.server_name] = data
all_data[ctx.bw.server_name] = data
_session:set_data(all_data)
return _session:save()
end
@ -683,7 +651,7 @@ utils.new_cachestore = function()
return require "bunkerweb.cachestore":new(use_redis, true)
end
utils.regex_match = function(str, regex, options)
utils.regex_match = function(str, regex, options)
local all_options = "o"
if options then
all_options = all_options .. options
@ -696,7 +664,7 @@ utils.regex_match = function(str, regex, options)
return match
end
utils.get_phases = function()
utils.get_phases = function()
return {
"init",
"init_worker",
@ -710,7 +678,7 @@ utils.get_phases = function()
}
end
utils.is_cosocket_available = function()
utils.is_cosocket_available = function()
local phases = {
"timer",
"access",
@ -725,7 +693,7 @@ utils.is_cosocket_available = function()
return false
end
utils.kill_all_threads = function(threads)
utils.kill_all_threads = function(threads)
for i, thread in ipairs(threads) do
local ok, err = ngx.thread.kill(thread)
if not ok then
@ -734,7 +702,7 @@ utils.kill_all_threads = function(threads)
end
end
utils.get_ctx_obj = function(obj)
utils.get_ctx_obj = function(obj)
if ngx.ctx and ngx.ctx.bw then
return ngx.ctx.bw[obj]
end
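Review bot: In `utils.has_not_variable` the multisite loop compares against the string literal (`variables[server][var] ~= "value"`), so it returns true for any server whose setting is not literally "value"; the line should be `if variables[server][var] ~= value then`. `utils.get_multiple_variables` builds its error message with `var` although the parameter is `vars`, so that path raises a nil concatenation instead of returning `nil, err`. `utils.get_resolvers` returns the string `"unknown"` when the variables table is missing, where the previous code returned `nil, err`, and callers that iterate the result would receive a string. `get_variable`, `has_variable` and `has_not_variable` index `variables[ngx.var.server_name]` or `variables[server]` without a nil check, and `get_variable` no longer falls back to the global value when the site table has no entry for `var`.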


@ -41,7 +41,7 @@ local function _createIndexWrapper(aClass, f)
return (f(self, name))
end
end
else -- if type(f) == "table" then
else -- if type(f) == "table" then
return function(self, name)
local value = aClass.__instanceDict[name]

Binary file not shown.

Binary file not shown.


@ -41,7 +41,7 @@ class API:
resp = request(
method,
f"{self.__endpoint}{url}",
f"{self.__endpoint}{url if not url.startswith('/') else url[1:]}",
timeout=timeout,
headers={"User-Agent": "bwapi", "Host": self.__host},
**kwargs,
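Review bot: Stripping one leading slash from `url` yields a well-formed request URL only if `self.__endpoint` always ends with `/`, and the place where the endpoint is built is outside this hunk. Normalising both sides removes that dependency: `f"{self.__endpoint.rstrip('/')}/{url.lstrip('/')}"`. The call sits inside a method whose start and end are not shown here.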


@ -25,7 +25,7 @@ server {
-- Fill ctx
logger:log(ngx.INFO, "filling ngx.ctx ...")
local ok, ret, errors = helpers.fill_ctx()
local ok, ret, errors, ctx = helpers.fill_ctx()
if not ok then
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
elseif errors then
@ -36,30 +36,33 @@ server {
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-- Check host header
if not ngx.ctx.bw.http_host or ngx.ctx.bw.http_host ~= "{{ API_SERVER_NAME }}" then
logger:log(ngx.WARN, "wrong Host header from IP " .. ngx.ctx.bw.remote_addr)
if not ctx.bw.http_host or ctx.bw.http_host ~= "{{ API_SERVER_NAME }}" then
logger:log(ngx.WARN, "wrong Host header from IP " .. ctx.bw.remote_addr)
return ngx.exit(ngx.HTTP_CLOSE)
end
-- Check IP
local ok, err = api:is_allowed_ip()
if not ok then
logger:log(ngx.WARN, "can't validate access from IP " .. ngx.ctx.bw.remote_addr .. " : " .. err)
logger:log(ngx.WARN, "can't validate access from IP " .. ctx.bw.remote_addr .. " : " .. err)
return ngx.exit(ngx.HTTP_CLOSE)
end
logger:log(ngx.NOTICE, "validated access from IP " .. ngx.ctx.bw.remote_addr)
logger:log(ngx.NOTICE, "validated access from IP " .. ctx.bw.remote_addr)
-- Do API call
local ok, err, status, resp = api:do_api_call()
if not ok then
logger:log(ngx.WARN, "call from " .. ngx.ctx.bw.remote_addr .. " on " .. ngx.ctx.bw.uri .. " failed : " .. err)
logger:log(ngx.WARN, "call from " .. ctx.bw.remote_addr .. " on " .. ctx.bw.uri .. " failed : " .. err)
else
logger:log(ngx.NOTICE, "successful call from " .. ngx.ctx.bw.remote_addr .. " on " .. ngx.ctx.bw.uri .. " : " .. err)
logger:log(ngx.NOTICE, "successful call from " .. ctx.bw.remote_addr .. " on " .. ctx.bw.uri .. " : " .. err)
end
-- Start API handler
logger:log(ngx.INFO, "API handler ended")
-- Save ctx
ngx.ctx = ctx
-- Send response
ngx.status = status
ngx.say(resp)


@ -52,7 +52,7 @@ server {
-- Fill ctx
logger:log(ngx.INFO, "filling ngx.ctx ...")
local ok, ret, errors = helpers.fill_ctx()
local ok, ret, errors, ctx = helpers.fill_ctx()
if not ok then
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
elseif errors then
@ -63,12 +63,11 @@ server {
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-- Get plugins order
local order, err = datastore:get("plugins_order")
local order, err = datastore:get("plugins_order", true)
if not order then
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
return
end
order = cjson.decode(order)
-- Call log_default() methods
logger:log(ngx.INFO, "calling log_default() methods of plugins ...")
@ -102,10 +101,13 @@ server {
logger:log(ngx.INFO, "called log_default() methods of plugins")
-- Display reason at info level
if ngx.ctx.reason then
if ctx.reason then
logger:log(ngx.INFO, "client was denied with reason : " .. reason)
end
-- Save ctx
ngx.ctx = ctx
logger:log(ngx.INFO, "log_default phase ended")
}
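Review bot: The changed condition reads `ctx.reason`, while the reworked `utils.get_reason(ctx)` in this commit reads `ctx.bw.reason`, so this check probably looks at a field that nothing sets; the log line under it also concatenates `reason`, which is not defined in the visible part of the block. Using `local reason = utils.get_reason(ctx)` followed by `if reason then` would keep the two in step, assuming `utils` is required earlier in the block, which the hunk does not show. The Lua block starts above this hunk.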


@ -13,7 +13,8 @@ logger:log(ngx.NOTICE, "init phase started")
-- Remove previous data from the datastore
logger:log(ngx.NOTICE, "deleting old keys from datastore ...")
local data_keys = {"^plugin", "^variable_", "^api_", "^misc_"}
datastore:flush_lru()
local data_keys = {"^plugin", "^misc_"}
for i, key in pairs(data_keys) do
local ok, err = datastore:delete_all(key)
if not ok then
@ -24,58 +25,6 @@ for i, key in pairs(data_keys) do
end
logger:log(ngx.NOTICE, "deleted old keys from datastore")
-- Load variables into the datastore
logger:log(ngx.NOTICE, "saving variables into datastore ...")
local file = io.open("/etc/nginx/variables.env")
if not file then
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
return false
end
file:close()
for line in io.lines("/etc/nginx/variables.env") do
local variable, value = line:match("^([^=]+)=(.*)$")
local ok, err = datastore:set("variable_" .. variable, value)
if not ok then
logger:log(ngx.ERR, "can't save variable " .. variable .. " into datastore : " .. err)
return false
end
logger:log(ngx.INFO, "saved variable " .. variable .. "=" .. value .. " into datastore")
end
logger:log(ngx.NOTICE, "saved variables into datastore")
-- Purge cache
local cachestore = require "bunkerweb.cachestore":new(false, true)
local ok, err = cachestore:purge()
if not ok then
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
end
-- Set API values into the datastore
logger:log(ngx.NOTICE, "saving API values into datastore ...")
local value, err = datastore:get("variable_USE_API")
if not value then
logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
return false
end
if value == "yes" then
local value, err = datastore:get("variable_API_WHITELIST_IP")
if not value then
logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
return false
end
local whitelists = {}
for whitelist in value:gmatch("%S+") do
table.insert(whitelists, whitelist)
end
local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
if not ok then
logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
return false
end
logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
end
logger:log(ngx.NOTICE, "saved API values into datastore")
-- Load plugins into the datastore
logger:log(ngx.NOTICE, "saving plugins into datastore ...")
local plugins = {}
@ -87,7 +36,7 @@ for i, plugin_path in ipairs(plugin_paths) do
if not ok then
logger:log(ngx.ERR, plugin)
else
local ok, err = datastore:set("plugin_" .. plugin.id, cjson.encode(plugin))
local ok, err = datastore:set("plugin_" .. plugin.id, plugin, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save " .. plugin.id .. " into datastore : " .. err)
else
@ -97,12 +46,70 @@ for i, plugin_path in ipairs(plugin_paths) do
end
end
end
local ok, err = datastore:set("plugins", cjson.encode(plugins))
local ok, err = datastore:set("plugins", plugins, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
return false
end
-- Load variables into the datastore
logger:log(ngx.NOTICE, "saving variables into datastore ...")
local file = io.open("/etc/nginx/variables.env")
if not file then
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
return false
end
file:close()
local all_variables = {}
for line in io.lines("/etc/nginx/variables.env") do
local variable, value = line:match("^([^=]+)=(.*)$")
all_variables[variable] = value
end
local ok, variables = helpers.load_variables(all_variables, plugins)
if not ok then
logger:log(ngx.ERR, "error while loading variables : " .. variables)
return false
end
local ok, err = datastore:set("variables", variables, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
return false
end
logger:log(ngx.NOTICE, "saved variables into datastore")
-- Purge cache
local cachestore = require "bunkerweb.cachestore":new(false, true)
local ok, err = cachestore:purge()
if not ok then
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
end
-- Set API values into the datastore
-- logger:log(ngx.NOTICE, "saving API values into datastore ...")
-- local value, err = datastore:get("variable_USE_API")
-- if not value then
-- logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
-- return false
-- end
-- if value == "yes" then
-- local value, err = datastore:get("variable_API_WHITELIST_IP")
-- if not value then
-- logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
-- return false
-- end
-- local whitelists = {}
-- for whitelist in value:gmatch("%S+") do
-- table.insert(whitelists, whitelist)
-- end
-- local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
-- if not ok then
-- logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
-- return false
-- end
-- logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
-- end
-- logger:log(ngx.NOTICE, "saved API values into datastore")
logger:log(ngx.NOTICE, "saving plugins order into datastore ...")
local ok, order = helpers.order_plugins(plugins)
if not ok then
@ -112,7 +119,7 @@ end
for phase, id_list in pairs(order) do
logger:log(ngx.NOTICE, "plugins order for phase " .. phase .. " : " .. cjson.encode(id_list))
end
local ok, err = datastore:set("plugins_order", cjson.encode(order))
local ok, err = datastore:set("plugins_order", order, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins order into datastore : " .. err)
return false


@ -13,7 +13,8 @@ logger:log(ngx.NOTICE, "init-stream phase started")
-- Remove previous data from the datastore
logger:log(ngx.NOTICE, "deleting old keys from datastore ...")
local data_keys = {"^plugin", "^variable_", "^api_", "^misc_"}
datastore:flush_lru()
local data_keys = {"^plugin", "^misc_"}
for i, key in pairs(data_keys) do
local ok, err = datastore:delete_all(key)
if not ok then
@ -24,58 +25,6 @@ for i, key in pairs(data_keys) do
end
logger:log(ngx.NOTICE, "deleted old keys from datastore")
-- Load variables into the datastore
logger:log(ngx.NOTICE, "saving variables into datastore ...")
local file = io.open("/etc/nginx/variables.env")
if not file then
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
return false
end
file:close()
for line in io.lines("/etc/nginx/variables.env") do
local variable, value = line:match("^([^=]+)=(.*)$")
local ok, err = datastore:set("variable_" .. variable, value)
if not ok then
logger:log(ngx.ERR, "can't save variable " .. variable .. " into datastore : " .. err)
return false
end
logger:log(ngx.INFO, "saved variable " .. variable .. "=" .. value .. " into datastore")
end
logger:log(ngx.NOTICE, "saved variables into datastore")
-- Purge cache
local cachestore = require "bunkerweb.cachestore":new(false, true)
local ok, err = cachestore:purge()
if not ok then
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
end
-- Set API values into the datastore
logger:log(ngx.NOTICE, "saving API values into datastore ...")
local value, err = datastore:get("variable_USE_API")
if not value then
logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
return false
end
if value == "yes" then
local value, err = datastore:get("variable_API_WHITELIST_IP")
if not value then
logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
return false
end
local whitelists = {}
for whitelist in value:gmatch("%S+") do
table.insert(whitelists, whitelist)
end
local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
if not ok then
logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
return false
end
logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
end
logger:log(ngx.NOTICE, "saved API values into datastore")
-- Load plugins into the datastore
logger:log(ngx.NOTICE, "saving plugins into datastore ...")
local plugins = {}
@ -87,7 +36,7 @@ for i, plugin_path in ipairs(plugin_paths) do
if not ok then
logger:log(ngx.ERR, plugin)
else
local ok, err = datastore:set("plugin_" .. plugin.id, cjson.encode(plugin))
local ok, err = datastore:set("plugin_" .. plugin.id, plugin, true)
if not ok then
logger:log(ngx.ERR, "can't save " .. plugin.id .. " into datastore : " .. err)
else
@ -97,12 +46,44 @@ for i, plugin_path in ipairs(plugin_paths) do
end
end
end
local ok, err = datastore:set("plugins", cjson.encode(plugins))
local ok, err = datastore:set("plugins", plugins, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
return false
end
-- Load variables into the datastore
logger:log(ngx.NOTICE, "saving variables into datastore ...")
local file = io.open("/etc/nginx/variables.env")
if not file then
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
return false
end
file:close()
local all_variables = {}
for line in io.lines("/etc/nginx/variables.env") do
local variable, value = line:match("^([^=]+)=(.*)$")
all_variables[variable] = value
end
local ok, variables = helpers.load_variables(all_variables, plugins)
if not ok then
logger:log(ngx.ERR, "error while loading variables : " .. variables)
return false
end
local ok, err = datastore:set("variables", variables, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
return false
end
logger:log(ngx.NOTICE, "saved variables into datastore")
-- Purge cache
local cachestore = require "bunkerweb.cachestore":new(false, true)
local ok, err = cachestore:purge()
if not ok then
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
end
logger:log(ngx.NOTICE, "saving plugins order into datastore ...")
local ok, order = helpers.order_plugins(plugins)
if not ok then
@ -112,7 +93,7 @@ end
for phase, id_list in pairs(order) do
logger:log(ngx.NOTICE, "plugins order for phase " .. phase .. " : " .. cjson.encode(id_list))
end
local ok, err = datastore:set("plugins_order", cjson.encode(order))
local ok, err = datastore:set("plugins_order", order, nil, true)
if not ok then
logger:log(ngx.ERR, "can't save plugins order into datastore : " .. err)
return false
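Review bot: In the plugin loader hunk, the converted call `datastore:set("plugin_" .. plugin.id, plugin, true)` passes `true` as the third argument, while every other converted call in this section (`"plugins"`, `"variables"`, `"plugins_order"`) passes `nil, true`. The signature of `datastore:set` is not visible here, but if the fourth parameter is what selects the table-capable storage, this call puts a boolean where the others pass `nil` and never sets that flag; it should probably read `datastore:set("plugin_" .. plugin.id, plugin, nil, true)`. Separately, the failure branch after `datastore:set("variables", ...)` still logs `can't save plugins into datastore`, which will mislead whoever reads the error log; `"can't save variables into datastore : "` names what actually failed. The same message appears in the variables block of the preceding file section. The plugin loop itself starts outside the hunk.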


@ -57,7 +57,7 @@ local ready_work = function(premature)
logger:log(ngx.INFO, "init_worker phase started")
-- Get plugins order
local order, err = datastore:get("plugins_order")
local order, err = datastore:get("plugins_order", true)
if not order then
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
local ok, err = lock:unlock()
@ -66,7 +66,6 @@ local ready_work = function(premature)
end
return
end
order = cjson.decode(order)
-- Call init_worker() methods
logger:log(ngx.INFO, "calling init_worker() methods of plugins ...")


@ -21,7 +21,7 @@ logger:log(ngx.INFO, "access phase started")
-- Fill ctx
logger:log(ngx.INFO, "filling ngx.ctx ...")
local ok, ret, errors = helpers.fill_ctx()
local ok, ret, errors, ctx = helpers.fill_ctx()
if not ok then
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
elseif errors then
@ -32,23 +32,24 @@ end
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-- Process bans as soon as possible
local banned, reason, ttl = utils.is_banned(ngx.ctx.bw.remote_addr)
if banned == nil then
logger:log(ngx.ERR, "can't check if IP " .. ngx.ctx.bw.remote_addr .. " is banned : " .. reason)
elseif banned then
logger:log(ngx.WARN, "IP " .. ngx.ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
return ngx.exit(utils.get_deny_status())
else
logger:log(ngx.INFO, "IP " .. ngx.ctx.bw.remote_addr .. " is not banned")
if ctx.bw.is_whitelisted ~= "yes" then
local banned, reason, ttl = utils.is_banned(ctx.bw.remote_addr)
if banned == nil then
logger:log(ngx.ERR, "can't check if IP " .. ctx.bw.remote_addr .. " is banned : " .. reason)
elseif banned then
logger:log(ngx.WARN, "IP " .. ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
return ngx.exit(utils.get_deny_status(ctx))
else
logger:log(ngx.INFO, "IP " .. ctx.bw.remote_addr .. " is not banned")
end
end
-- Get plugins order
local order, err = datastore:get("plugins_order")
local order, err = datastore:get("plugins_order", true)
if not order then
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
return
end
order = cjson.decode(order)
-- Call access() methods
logger:log(ngx.INFO, "calling access() methods of plugins ...")
@ -65,7 +66,7 @@ for i, plugin_id in ipairs(order.access) do
-- Check if plugin has access method
if plugin_lua.access ~= nil then
-- New call
local ok, plugin_obj = helpers.new_plugin(plugin_lua)
local ok, plugin_obj = helpers.new_plugin(plugin_lua, ctx)
if not ok then
logger:log(ngx.ERR, plugin_obj)
else
@ -78,8 +79,8 @@ for i, plugin_id in ipairs(order.access) do
logger:log(ngx.INFO, plugin_id .. ":access() call successful : " .. ret.msg)
end
if ret.status then
if ret.status == utils.get_deny_status() then
ngx.ctx.reason = plugin_id
if ret.status == utils.get_deny_status(ctx) then
ctx.bw.reason = plugin_id
logger:log(ngx.WARN, "denied access from " .. plugin_id .. " : " .. ret.msg)
else
logger:log(ngx.NOTICE, plugin_id .. " returned status " .. tostring(ret.status) .. " : " .. ret.msg)
@ -99,13 +100,8 @@ for i, plugin_id in ipairs(order.access) do
end
logger:log(ngx.INFO, "called access() methods of plugins")
-- Save session if needed
-- local ok, err = utils.save_session()
-- if not ok then
-- logger:log(ngx.ERR, "can't save session : " .. err)
-- else
-- logger:log(ngx.INFO, "session save return : " .. err)
-- end
-- Save ctx
ngx.ctx = ctx
logger:log(ngx.INFO, "access phase ended")
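Review bot: The new guard `if ctx.bw.is_whitelisted ~= "yes" then` skips the ban lookup without logging anything, so a request from an address that is both banned and whitelisted leaves no trace of why the ban was not enforced. An `else` branch such as `logger:log(ngx.INFO, "IP " .. ctx.bw.remote_addr .. " is whitelisted, ban check skipped")` would keep that decision visible in the access-phase log. A one-line comment above the guard stating that the whitelist takes precedence over bans would document the intent. Where `is_whitelisted` is set is outside this section; it is worth confirming that it is filled from configuration-controlled data before this point, since it now decides whether bans apply.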
