Merge branch 'dev' into ui
commit
91c33f1d43
260 changed files with 2365 additions and 2149 deletions
|
@ -11,10 +11,18 @@
|
|||
- [BUGFIX] ALLOWED_METHODS regex working with LOCK/UNLOCK methods
|
||||
- [BUGFIX] Custom certificate bug after the refactoring
|
||||
- [BUGFIX] Fix wrong variables in header phase (fix CORS feature too)
|
||||
- [BUGFIX] Fix UI not working in Ubuntu (python zope module)
|
||||
- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
|
||||
- [PERFORMANCE] Reduce CPU usage of scheduler
|
||||
- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
|
||||
- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
|
||||
- [FEATURE] Add Turnstile antibot mode
|
||||
- [FEATURE] Add more CORS headers
|
||||
- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
|
||||
- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
|
||||
- [MISC] Temp remove VMWare provider for Vagrant integration
|
||||
- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI
|
||||
|
||||
|
||||
## v1.5.0 - 2023/05/23
|
||||
|
||||
|
|
91
README.md
91
README.md
|
@ -1,5 +1,5 @@
|
|||
<p align="center">
|
||||
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/misc/logo.png" />
|
||||
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/misc/logo.png" />
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
|
@ -17,7 +17,7 @@
|
|||
|
|
||||
👨💻 <a href="https://demo.bunkerweb.io">Demo</a>
|
||||
|
|
||||
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples">Examples</a>
|
||||
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples">Examples</a>
|
||||
|
|
||||
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
|
||||
|
|
||||
|
@ -33,14 +33,14 @@
|
|||
# BunkerWeb
|
||||
|
||||
<p align="center">
|
||||
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/intro-overview.svg" />
|
||||
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/intro-overview.svg" />
|
||||
</p>
|
||||
|
||||
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
|
||||
|
||||
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.0/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
|
||||
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.1/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
|
||||
|
||||
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.0/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.0/plugins/)).
|
||||
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.1/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.1/plugins/)).
|
||||
|
||||
## Why BunkerWeb ?
|
||||
|
||||
|
@ -64,7 +64,7 @@ A non-exhaustive list of security features :
|
|||
- **Block known bad IPs** with external blacklists and DNSBL
|
||||
- And much more ...
|
||||
|
||||
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.0/security-tuning/) section of the documentation.
|
||||
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.1/security-tuning/) section of the documentation.
|
||||
|
||||
## Demo
|
||||
|
||||
|
@ -77,10 +77,10 @@ A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](http
|
|||
# Concepts
|
||||
|
||||
<p align="center">
|
||||
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/concepts.svg" />
|
||||
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/concepts.svg" />
|
||||
</p>
|
||||
|
||||
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.0/concepts).
|
||||
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.1/concepts).
|
||||
|
||||
## Integrations
|
||||
|
||||
|
@ -88,13 +88,13 @@ The first concept is the integration of BunkerWeb into the target environment. W
|
|||
|
||||
The following integrations are officially supported :
|
||||
|
||||
- [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker)
|
||||
- [Docker autoconf](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf)
|
||||
- [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm)
|
||||
- [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes)
|
||||
- [Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux)
|
||||
- [Ansible](https://docs.bunkerweb.io/1.5.0/integrations/#ansible)
|
||||
- [Vagrant](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant)
|
||||
- [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker)
|
||||
- [Docker autoconf](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf)
|
||||
- [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm)
|
||||
- [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes)
|
||||
- [Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux)
|
||||
- [Ansible](https://docs.bunkerweb.io/1.5.1/integrations/#ansible)
|
||||
- [Vagrant](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant)
|
||||
|
||||
## Settings
|
||||
|
||||
|
@ -126,7 +126,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
|
|||
|
||||
## Custom configurations
|
||||
|
||||
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.0/plugins)), you can use custom configurations to solve your specific challenges.
|
||||
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.1/plugins)), you can use custom configurations to solve your specific challenges.
|
||||
|
||||
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
|
||||
|
||||
|
@ -160,7 +160,7 @@ In other words, the scheduler is the brain of BunkerWeb.
|
|||
## Docker
|
||||
|
||||
<p align="center">
|
||||
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-docker.svg" />
|
||||
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-docker.svg" />
|
||||
</p>
|
||||
|
||||
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
|
||||
|
@ -171,46 +171,46 @@ Docker integration key concepts are :
|
|||
- **Scheduler** container to store configuration and execute jobs
|
||||
- **Networks** to expose ports for clients and connect to upstream web services
|
||||
|
||||
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.0/integrations/#docker) of the documentation.
|
||||
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.1/integrations/#docker) of the documentation.
|
||||
|
||||
## Docker autoconf
|
||||
|
||||
<p align="center">
|
||||
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-autoconf.svg" />
|
||||
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-autoconf.svg" />
|
||||
</p>
|
||||
|
||||
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
|
||||
|
||||
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
|
||||
|
||||
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf) of the documentation.
|
||||
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf) of the documentation.
|
||||
|
||||
## Swarm
|
||||
|
||||
<p align="center">
|
||||
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-swarm.svg" />
|
||||
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-swarm.svg" />
|
||||
</p>
|
||||
|
||||
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
|
||||
|
||||
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
|
||||
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
|
||||
|
||||
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.0/integrations/#swarm) of the documentation.
|
||||
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.1/integrations/#swarm) of the documentation.
|
||||
|
||||
## Kubernetes
|
||||
|
||||
<p align="center">
|
||||
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-kubernetes.svg" />
|
||||
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-kubernetes.svg" />
|
||||
</p>
|
||||
|
||||
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
|
||||
|
||||
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes) of the documentation.
|
||||
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes) of the documentation.
|
||||
|
||||
## Linux
|
||||
|
||||
<p align="center">
|
||||
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-linux.svg" />
|
||||
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-linux.svg" />
|
||||
</p>
|
||||
|
||||
List of supported Linux distros :
|
||||
|
@ -222,12 +222,12 @@ List of supported Linux distros :
|
|||
|
||||
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
|
||||
|
||||
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.0/integrations/#linux) of the documentation.
|
||||
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.1/integrations/#linux) of the documentation.
|
||||
|
||||
## Ansible
|
||||
|
||||
<p align="center">
|
||||
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-ansible.svg" />
|
||||
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-ansible.svg" />
|
||||
</p>
|
||||
|
||||
List of supported Linux distros :
|
||||
|
@ -241,7 +241,7 @@ List of supported Linux distros :
|
|||
|
||||
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
|
||||
|
||||
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.0/integrations/#ansible) of the documentation.
|
||||
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.1/integrations/#ansible) of the documentation.
|
||||
|
||||
## Vagrant
|
||||
|
||||
|
@ -250,11 +250,11 @@ We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following
|
|||
- virtualbox
|
||||
- libvirt
|
||||
|
||||
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant) of the documentation.
|
||||
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant) of the documentation.
|
||||
|
||||
# Quickstart guide
|
||||
|
||||
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.0/quickstart-guide/) that will cover the following common use cases :
|
||||
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.1/quickstart-guide/) that will cover the following common use cases :
|
||||
|
||||
- Protecting a single HTTP application
|
||||
- Protecting multiple HTTP application
|
||||
|
@ -265,9 +265,9 @@ Once you have setup BunkerWeb with the integration of your choice, you can follo
|
|||
|
||||
# Security tuning
|
||||
|
||||
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.0/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
|
||||
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.1/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
|
||||
|
||||
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.0/security-tuning) of the documentation.
|
||||
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.1/security-tuning) of the documentation.
|
||||
|
||||
# Settings
|
||||
|
||||
|
@ -277,7 +277,7 @@ As a general rule when multisite mode is enabled, if you want to apply settings
|
|||
|
||||
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
|
||||
|
||||
Check the [settings section](https://docs.bunkerweb.io/1.5.0/settings) of the documentation to get the full list.
|
||||
Check the [settings section](https://docs.bunkerweb.io/1.5.1/settings) of the documentation to get the full list.
|
||||
|
||||
# Web UI
|
||||
|
||||
|
@ -295,7 +295,7 @@ The "Web UI" is a web application that helps you manage your BunkerWeb instance
|
|||
- Monitor jobs execution
|
||||
- View the logs and search pattern
|
||||
|
||||
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.0/web-ui) of the documentation.
|
||||
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.1/web-ui) of the documentation.
|
||||
|
||||
# Plugins
|
||||
|
||||
|
@ -305,14 +305,15 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
|
|||
|
||||
| Name | Version | Description | Link |
|
||||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **Coraza** | 0.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
|
||||
|
||||
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.0/plugins) of the documentation.
|
||||
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.1/plugins) of the documentation.
|
||||
|
||||
# Support
|
||||
|
||||
|
@ -340,12 +341,12 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
|
|||
|
||||
# License
|
||||
|
||||
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.0/LICENSE.md).
|
||||
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.1/LICENSE.md).
|
||||
|
||||
# Contribute
|
||||
|
||||
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.0/CONTRIBUTING.md) to get started.
|
||||
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.1/CONTRIBUTING.md) to get started.
|
||||
|
||||
# Security policy
|
||||
|
||||
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0/SECURITY.md) for more information.
|
||||
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.1/SECURITY.md) for more information.
|
||||
|
|
|
@ -4,7 +4,7 @@ Even though this project is focused on security, it is still prone to possible v
|
|||
|
||||
## Responsible disclosure
|
||||
|
||||
If you have found a security bug, please send us an email at security \[@\] bunkerity.com with technical details so we can resolve it as soon as possible.
|
||||
If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.
|
||||
|
||||
Here is a non-exhaustive list of issues we consider as high risk :
|
||||
- Vulnerability in the code
|
||||
|
|
|
@ -79,7 +79,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
|
|||
|
||||
!!! info "Going further"
|
||||
|
||||
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
|
||||
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
|
||||
|
||||
## Custom configurations
|
||||
|
||||
|
@ -91,7 +91,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
|
|||
|
||||
!!! info "Going further"
|
||||
|
||||
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
|
||||
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
|
||||
|
||||
## Database
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and
|
|||
We provide ready-to-use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
|
||||
|
||||
```shell
|
||||
docker pull bunkerity/bunkerweb:1.5.0
|
||||
docker pull bunkerity/bunkerweb:1.5.1
|
||||
```
|
||||
|
||||
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (and get a coffee ☕ because it may take a long time depending on your hardware) :
|
||||
|
@ -30,7 +30,7 @@ Docker integration key concepts are :
|
|||
- **Networks** to expose ports for clients and connect to upstream web services
|
||||
|
||||
!!! info "Database backend"
|
||||
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
|
||||
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information.
|
||||
|
||||
### Environment variables
|
||||
|
||||
|
@ -40,7 +40,7 @@ Settings are passed to BunkerWeb using Docker environment variables :
|
|||
...
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE"
|
||||
environment:
|
||||
|
@ -59,7 +59,7 @@ Please note that the `bunkerweb.INSTANCE` is mandatory to make sure the schedule
|
|||
The [scheduler](concepts.md#scheduler) is executed in its own container which is also available on Docker Hub :
|
||||
|
||||
```shell
|
||||
docker pull bunkerity/bunkerweb-scheduler:1.5.0
|
||||
docker pull bunkerity/bunkerweb-scheduler:1.5.1
|
||||
```
|
||||
|
||||
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (less coffee ☕ needed than BunkerWeb image) :
|
||||
|
@ -76,7 +76,7 @@ A volume is needed to store the SQLite database that will be used by the schedul
|
|||
...
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
volumes:
|
||||
- bw-data:/data
|
||||
...
|
||||
|
@ -138,7 +138,7 @@ You will need to create the Docker API proxy container, mount the socket and set
|
|||
...
|
||||
services:
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
env:
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
...
|
||||
|
@ -148,6 +148,7 @@ services:
|
|||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
...
|
||||
```
|
||||
|
||||
|
@ -185,7 +186,7 @@ The scheduler needs to contact the API of BunkerWeb and for obvious security rea
|
|||
...
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -194,7 +195,7 @@ services:
|
|||
- bw-universe
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -224,7 +225,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -238,7 +239,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -256,6 +257,7 @@ services:
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -293,7 +295,7 @@ Instead of defining environment variables for the BunkerWeb container, you simpl
|
|||
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
|
||||
|
||||
!!! info "Database backend"
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information.
|
||||
|
||||
Another container, named `bw-autoconf` for example, containing the autoconf service must be added to the stack. Since two services will generate the configuration for BunkerWeb, a "real" database backend (in other words, not SQLite) also needs to be added :
|
||||
|
||||
|
@ -302,7 +304,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -319,7 +321,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -332,7 +334,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -350,6 +352,7 @@ services:
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -427,7 +430,7 @@ Since we have multiple instances of BunkerWeb running, a shared data store imple
|
|||
Using a shared folder or a specific driver for the database volume is left as an exercise for the reader (and depends on your own use-case).
|
||||
|
||||
!!! info "Database backend"
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
|
||||
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
|
||||
|
||||
|
@ -436,7 +439,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -466,7 +469,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -489,6 +492,7 @@ services:
|
|||
- SERVICES=1
|
||||
- SWARM=1
|
||||
- TASKS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
deploy:
|
||||
|
@ -497,7 +501,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -596,7 +600,7 @@ The recommended setup is to define **BunkerWeb** as a **[DaemonSet](https://kube
|
|||
Since we have multiple instances of BunkerWeb running, a shared data store implemented as a [Redis](https://redis.io/) service must be created : the instances will use it to cache and share data. You will find more information about the Redis settings [here](settings.md#redis)
|
||||
|
||||
!!! info "Database backend"
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
|
||||
|
||||
Please note that both scheduler and autoconf services needs to access the Kubernetes API. The recommended way of doing it is using [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
|
||||
|
||||
|
@ -655,7 +659,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -725,7 +729,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -752,7 +756,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -930,12 +934,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
|
||||
```
|
||||
|
||||
And finally install BunkerWeb 1.5.0 :
|
||||
And finally install BunkerWeb 1.5.1 :
|
||||
|
||||
```shell
|
||||
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
|
||||
sudo apt update && \
|
||||
sudo apt install -y bunkerweb=1.5.0
|
||||
sudo apt install -y bunkerweb=1.5.1
|
||||
```
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
|
||||
|
@ -964,12 +968,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
sudo apt install -y nginx=1.24.0-1~jammy
|
||||
```
|
||||
|
||||
And finally install BunkerWeb 1.5.0 :
|
||||
And finally install BunkerWeb 1.5.1 :
|
||||
|
||||
```shell
|
||||
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
|
||||
sudo apt update && \
|
||||
sudo apt install -y bunkerweb=1.5.0
|
||||
sudo apt install -y bunkerweb=1.5.1
|
||||
```
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
|
||||
|
@ -986,14 +990,14 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
sudo dnf install -y nginx-1.24.0
|
||||
```
|
||||
|
||||
And finally install BunkerWeb 1.5.0 :
|
||||
And finally install BunkerWeb 1.5.1 :
|
||||
|
||||
```shell
|
||||
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
|
||||
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
|
||||
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
|
||||
sudo dnf makecache && \
|
||||
sudo dnf install -y bunkerweb-1.5.0
|
||||
sudo dnf install -y bunkerweb-1.5.1
|
||||
```
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
|
||||
|
@ -1030,13 +1034,13 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
```shell
|
||||
sudo dnf install nginx-1.24.0
|
||||
```
|
||||
And finally install BunkerWeb 1.5.0 :
|
||||
And finally install BunkerWeb 1.5.1 :
|
||||
|
||||
```shell
|
||||
dnf install -y epel-release && \
|
||||
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
|
||||
sudo dnf check-update && \
|
||||
sudo dnf install -y bunkerweb-1.5.0
|
||||
sudo dnf install -y bunkerweb-1.5.1
|
||||
```
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
|
||||
|
@ -1065,12 +1069,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
|
|||
sudo dnf install nginx-1.24.0
|
||||
```
|
||||
|
||||
And finally install BunkerWeb 1.5.0 :
|
||||
And finally install BunkerWeb 1.5.1 :
|
||||
```shell
|
||||
dnf install -y epel-release && \
|
||||
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
|
||||
sudo dnf check-update && \
|
||||
sudo dnf install -y bunkerweb-1.5.0
|
||||
sudo dnf install -y bunkerweb-1.5.1
|
||||
```
|
||||
|
||||
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
|
||||
|
@ -1209,7 +1213,7 @@ Configuration of BunkerWeb is done by using specific role variables :
|
|||
|
||||
| Name | Type | Description | Default value |
|
||||
|:-----:|:-----:|--------------|----------------|
|
||||
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.0` |
|
||||
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.1` |
|
||||
| `nginx_version` | string | Version of NGINX to install. | `1.24.0` |
|
||||
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
|
||||
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
!!! warning "Read this if you were a 1.4.X user"
|
||||
|
||||
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repository.
|
||||
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository.
|
||||
|
||||
## Scheduler
|
||||
|
||||
|
|
|
@ -8,12 +8,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
|
|||
|
||||
| Name | Version | Description | Link |
|
||||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **Coraza** | 0.1 | Inspect requests using a Core Rule Set and deny malicious ones. | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
|
||||
|
||||
## How to use a plugin
|
||||
|
||||
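Review bot: In the new **WebHook** row the link text still reads `bunkerweb-plugins/slack` although the target is `.../tree/main/webhook`, so the label should be `[bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook)`. The new Coraza description also carries a stray article; `Inspect requests using the Coraza WAF (alternative to ModSecurity).` reads correctly.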
|
@ -21,7 +22,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
|
|||
|
||||
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
|
||||
|
||||
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.0.zip`
|
||||
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.1.zip`
|
||||
|
||||
### Manual
|
||||
|
||||
|
@ -57,7 +58,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
|
@ -94,7 +95,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
|
@ -133,7 +134,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
volumes:
|
||||
- /shared/bw-plugins:/data/plugins
|
||||
...
|
||||
|
@ -180,7 +181,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -261,7 +262,7 @@ The first step is to install the plugin by putting the plugin files inside the c
|
|||
|
||||
!!! tip "Existing plugins"
|
||||
|
||||
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
|
||||
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
|
||||
|
||||
The first step is to create a folder that will contain the plugin :
|
||||
|
||||
|
@ -506,7 +507,7 @@ end
|
|||
|
||||
!!! tip "More examples"
|
||||
|
||||
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/bw/lua/bunkerweb) of the repository.
|
||||
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/bw/lua/bunkerweb) of the repository.
|
||||
|
||||
### Jobs
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
We assume that you're already familiar with the [core concepts](concepts.md) and you have followed the [integrations instructions](integrations.md) for your environment.
|
||||
|
||||
!!! tip "Going further"
|
||||
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) of the repository to get real-world examples.
|
||||
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) of the repository to get real-world examples.
|
||||
|
||||
## Protect HTTP applications
|
||||
|
||||
|
@ -35,7 +35,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- bw-services
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -52,7 +52,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -70,6 +70,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -385,7 +386,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- bw-services
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -405,7 +406,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -423,6 +424,7 @@ You will find more settings about reverse proxy in the [settings section](settin
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -820,7 +822,7 @@ REAL_IP_HEADER=X-Forwarded-For
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -835,7 +837,7 @@ REAL_IP_HEADER=X-Forwarded-For
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -850,7 +852,7 @@ REAL_IP_HEADER=X-Forwarded-For
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -970,7 +972,7 @@ REAL_IP_HEADER=proxy_protocol
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -986,7 +988,7 @@ REAL_IP_HEADER=proxy_protocol
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -1002,7 +1004,7 @@ REAL_IP_HEADER=proxy_protocol
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
...
|
||||
environment:
|
||||
- USE_REAL_IP=yes
|
||||
|
@ -1148,7 +1150,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
- bw-services
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080 # Keep it if you want to use Let's Encrypt automation
|
||||
- 10000:10000 # app1
|
||||
|
@ -1170,7 +1172,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -1188,6 +1190,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -1218,7 +1221,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
services:
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080 # Keep it if you want to use Let's Encrypt automation
|
||||
- 10000:10000 # app1
|
||||
|
@ -1276,7 +1279,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
# Keep it if you want to use Let's Encrypt automation
|
||||
- published: 80
|
||||
|
@ -1462,7 +1465,7 @@ Some integrations offer a more convenient way of applying configurations such as
|
|||
```yaml
|
||||
...
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- |
|
||||
CUSTOM_CONF_SERVER_HTTP_hello-world=
|
||||
|
@ -1505,7 +1508,7 @@ Some integrations offer a more convenient way of applying configurations such as
|
|||
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
|
@ -1574,7 +1577,7 @@ Some integrations offer a more convenient way of applying configurations such as
|
|||
|
||||
```yaml
|
||||
myautoconf:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
|
@ -1807,7 +1810,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
- bw-services
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
volumes:
|
||||
- ./www:/var/www/html
|
||||
ports:
|
||||
|
@ -1830,7 +1833,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -1848,6 +1851,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -1907,7 +1911,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
volumes:
|
||||
- ./www:/var/www/html
|
||||
labels:
|
||||
|
@ -1921,7 +1925,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -1938,6 +1942,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -2064,7 +2069,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
volumes:
|
||||
- /shared/www:/var/www/html
|
||||
...
|
||||
|
@ -2343,7 +2348,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
|
|||
services:
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- USE_IPv6=yes
|
||||
|
||||
|
@ -2388,7 +2393,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
|
|||
services:
|
||||
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- USE_IPv6=yes
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
mkdocs==1.4.3
|
||||
mkdocs-material==9.1.15
|
||||
mkdocs-material==9.1.16
|
||||
pytablewriter==0.64.2
|
||||
mike==1.1.2
|
||||
jinja2<3.1.0
|
||||
mkdocs-print-site-plugin==2.3.4
|
||||
mkdocs-print-site-plugin==2.3.5
|
|
@ -63,6 +63,12 @@ STREAM support :x:
|
|||
|
||||
You can automatically remove verbose headers in the HTTP responses by using the `REMOVE_HEADERS` setting (default : `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
|
||||
|
||||
#### Keep upstream headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can automatically keep headers from upstream servers and prevent BunkerWeb from overriding them in the HTTP responses by using the `KEEP_UPSTREAM_HEADERS` setting (default : `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`). A special value `*` is available to keep all headers. List of headers to keep must be separated with a space. Note that if the header is not present in the upstream response, it will be added by BunkerWeb.
|
||||
|
||||
#### Cookies
|
||||
|
||||
STREAM support :x:
|
||||
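Review bot: The new "Keep upstream headers" paragraph does not state the security consequence of its default. With `Content-Security-Policy`, `Permissions-Policy`, `Feature-Policy` and `X-Frame-Options` kept, a backend that sends a weaker value for one of them wins over the value configured in BunkerWeb. I would add a sentence such as `Keeping a header means the upstream value is used as-is : a permissive policy sent by the application replaces the one set in BunkerWeb.` The text should also say how the `*` value interacts with `REMOVE_HEADERS` from the paragraph just above. It is not clear from this hunk whether "keep all headers" also preserves `Server` or `X-Powered-By`.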
|
@ -250,6 +256,7 @@ That kind of security is implemented but not enabled by default in BunkerWeb and
|
|||
- **Captcha** : force the client to solve a classical captcha (no external dependencies)
|
||||
- **hCaptcha** : force the client to solve a captcha from hCaptcha
|
||||
- **reCAPTCHA** : force the client to get a minimum score with Google reCAPTCHA
|
||||
- **Turnstile** : enforce rate limiting and access control for APIs and web applications using various mechanisms with Coudflare Turnstile
|
||||
|
||||
Here is the list of related settings :
|
||||
|
||||
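Review bot: The new **Turnstile** bullet describes rate limiting and access control for APIs, which does not match the other antibot modes in this list; it also misspells Cloudflare. The `ANTIBOT_TURNSTILE_SITEKEY` and `ANTIBOT_TURNSTILE_SECRET` rows added in the next hunk both describe a "Turnstile challenge". Following the sibling bullets, `- **Turnstile** : force the client to solve a challenge from Cloudflare Turnstile` would be accurate. Since the Captcha bullet notes "no external dependencies", it would help to say that this mode, like hCaptcha and reCAPTCHA, relies on an external service.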
|
@ -262,6 +269,8 @@ Here is the list of related settings :
|
|||
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|
||||
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|
||||
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
|
||||
|
||||
|
@ -476,7 +485,7 @@ You can quickly protect sensitive resources like the admin area for example, by
|
|||
|
||||
### Auth request
|
||||
|
||||
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples).
|
||||
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples).
|
||||
|
||||
**Auth request settings are related to reverse proxy rules.**
|
||||
|
||||
|
|
|
@ -67,6 +67,8 @@ Bot detection by using a challenge.
|
|||
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|
||||
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|
||||
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
|
||||
|
||||
|
@ -159,16 +161,19 @@ STREAM support :x:
|
|||
|
||||
Cross-Origin Resource Sharing.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|
||||
|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
|
||||
|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
|
||||
|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
|
||||
|
||||
### Client cache
|
||||
|
||||
|
@ -288,20 +293,22 @@ STREAM support :x:
|
|||
|
||||
Manage HTTP headers sent to clients.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|
||||
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|
||||
|`REMOVE_HEADERS` |`Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|
||||
|`STRICT_TRANSPORT_SECURITY`|`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|
||||
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|
||||
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|
||||
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|
||||
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|
||||
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|
||||
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|
||||
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|
||||
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|
||||
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|
||||
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|
||||
|`REMOVE_HEADERS` |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|
||||
|`KEEP_UPSTREAM_HEADERS` |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` |multisite|no |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). |
|
||||
|`STRICT_TRANSPORT_SECURITY` |`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|
||||
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|
||||
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|
||||
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|
||||
|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no` |multisite|no |Send reports for violations of the Content-Security-Policy header instead of blocking them. |
|
||||
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|
||||
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|
||||
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|
||||
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|
||||
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|
||||
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
|
||||
|
||||
### Let's Encrypt
|
||||
|
||||
|
@ -517,18 +524,18 @@ STREAM support :warning:
|
|||
|
||||
Allow access based on internal and external IP/network/rDNS/ASN whitelists.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|
||||
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|
||||
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|
||||
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|
||||
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|
||||
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` |multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|
||||
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|
||||
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|
||||
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|
||||
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|
||||
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|
||||
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|
||||
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|
||||
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|
||||
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|
||||
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|
||||
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
|
||||
|
||||
|
|
|
@ -55,13 +55,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
|
||||
|
||||
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
|
@ -70,7 +69,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -88,14 +87,13 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -112,11 +110,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker
|
||||
environment:
|
||||
|
@ -124,7 +123,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -177,13 +175,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
|
||||
|
||||
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
|
@ -192,7 +189,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -209,7 +206,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -222,7 +219,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -240,6 +237,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
|
@ -256,7 +254,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
|
@ -268,14 +266,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
@ -314,13 +310,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
|
||||
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
|
||||
|
||||
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
|
@ -329,7 +324,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -359,7 +354,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -378,6 +373,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- SERVICES=1
|
||||
- SWARM=1
|
||||
- TASKS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
deploy:
|
||||
|
@ -386,7 +382,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -413,13 +409,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -430,9 +425,8 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
|
||||
- "INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
@ -463,13 +457,12 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
|
||||
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
|
||||
|
||||
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
|
@ -524,7 +517,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -594,7 +587,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -621,7 +614,7 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -705,15 +698,13 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-ui
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: ADMIN_USERNAME
|
||||
value: "changeme"
|
||||
- name: "ADMIN_PASSWORD"
|
||||
value: "changeme"
|
||||
- name: "ABSOLUTE_URI"
|
||||
value: "http://www.example.com/changeme/"
|
||||
- name: KUBERNETES_MODE
|
||||
value: "YES"
|
||||
- name: "DATABASE_URI"
|
||||
|
@ -788,8 +779,8 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/www.example.com_USE_UI: "yes"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
|
||||
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
|
||||
spec:
|
||||
rules:
|
||||
- host: www.example.com
|
||||
|
@ -819,7 +810,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
```
|
||||
|
||||
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
|
||||
|
@ -843,7 +833,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
|
@ -862,7 +851,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
```
|
||||
|
||||
Here is the `my_variables.env` boilerplate you can use :
|
||||
|
@ -877,7 +865,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
|
@ -929,7 +916,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
```
|
||||
|
||||
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
|
||||
|
@ -952,7 +938,6 @@ Because the web UI is a web application, the recommended installation procedure
|
|||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.4"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -44,7 +44,7 @@ services:
|
|||
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.4"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -53,7 +53,7 @@ services:
|
|||
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- SERVER_NAME=www.example.com # replace with your domains
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
|
@ -24,7 +24,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -27,7 +27,7 @@ services:
|
|||
...
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -50,7 +50,7 @@ services:
|
|||
bw-universe:
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bbw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -38,7 +38,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -53,7 +53,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -28,7 +28,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -24,7 +24,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -28,7 +28,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
# dropping all capabilities
|
||||
cap_drop:
|
||||
- ALL
|
||||
|
@ -15,6 +15,7 @@ services:
|
|||
tmpfs:
|
||||
- /tmp:mode=0770,uid=0,gid=101
|
||||
- /var/tmp/bunkerweb:mode=0770,uid=0,gid=101
|
||||
- /var/run/bunkerweb:mode=0770,uid=0,gid=101
|
||||
- /var/cache/bunkerweb:mode=0770,uid=0,gid=101
|
||||
- /etc/nginx:mode=0770,uid=0,gid=101
|
||||
ports:
|
||||
|
@ -38,7 +39,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
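Review bot: None of the tmpfs entries in the `-15,6 +15,7` hunk, including the one this change adds, carries a `size=` option, so each mount is bounded only by the kernel's tmpfs default and whatever memory limit the container happens to have. For an example that already drops all capabilities, a per-mount cap would stop a runaway writer in `/tmp` or the cache directory from eating host memory, e.g. `- /tmp:mode=0770,uid=0,gid=101,size=SIZE_PLACEHOLDER`. Which of the listed entries is the new one cannot be recovered from this rendering, and the service definition continues outside the hunk.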
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -28,7 +28,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -31,7 +31,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"name": "load-balancer",
|
||||
"kinds": ["docker"],
|
||||
"timeout": 60,
|
||||
"timeout": 120,
|
||||
"no_copy_container": true,
|
||||
"tests": [
|
||||
{
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -29,7 +29,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -44,7 +44,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -27,7 +27,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -25,7 +25,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -54,7 +54,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -26,7 +26,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -31,7 +31,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -34,7 +34,7 @@ services:
|
|||
- net-app2
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -30,7 +30,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -28,7 +28,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- SERVER_NAME=www.example.com # replace with your domains
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
|
@ -27,7 +27,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -34,7 +34,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -24,7 +24,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -27,7 +27,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -25,7 +25,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080 # required to resolve let's encrypt challenges
|
||||
- 10000:10000 # app1 without SSL/TLS
|
||||
|
@ -33,7 +33,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
logging:
|
||||
driver: syslog
|
||||
options:
|
||||
|
@ -28,7 +28,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
logging:
|
||||
driver: syslog
|
||||
options:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -23,7 +23,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -12,7 +12,7 @@ services:
|
|||
- bw-universe
|
||||
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
environment:
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
# disable common security measures based on IP
|
||||
|
@ -34,7 +34,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,9 +19,7 @@ services:
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
- www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE"
|
||||
networks:
|
||||
|
@ -29,7 +27,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
@ -41,11 +39,10 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker-proxy
|
||||
environment:
|
||||
- ABSOLUTE_URI=https://www.example.com/changeme/ # replace with another url
|
||||
- DOCKER_HOST=tcp://bw-docker-proxy:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # replace with a stronger password
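Review bot: The `bw-ui` environment in the `-41,11 +39,10` hunk still ships `ADMIN_USERNAME=changeme` and `ADMIN_PASSWORD=changeme` as literals, so a stack started from this example unmodified runs the UI behind a publicly known credential; the trailing comment does not prevent that. Compose can refuse to start without an operator-supplied value: `- ADMIN_PASSWORD=${ADMIN_PASSWORD:?set a strong UI password}`, and likewise for the username. The same literals appear in the later compose `bw-ui` hunks on this page, where the same change applies. The service definition continues outside the hunk.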
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3"
|
|||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -25,7 +25,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -67,7 +67,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
|
@ -79,14 +79,12 @@ services:
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -67,7 +67,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
|
@ -79,14 +79,12 @@ services:
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -66,7 +66,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
|
@ -78,14 +78,12 @@ services:
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -18,7 +18,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -56,7 +56,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
|
@ -69,14 +69,12 @@ services:
|
|||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -18,7 +18,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -20,14 +20,13 @@ services:
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -49,7 +48,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker
|
||||
environment:
|
||||
|
@ -57,7 +56,6 @@ services:
|
|||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -17,7 +17,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -20,14 +20,13 @@ services:
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/admin/
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -49,7 +48,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker
|
||||
environment:
|
||||
|
@ -57,7 +56,6 @@ services:
|
|||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -17,7 +17,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -21,14 +21,13 @@ services:
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/admin/
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -50,7 +49,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker
|
||||
environment:
|
||||
|
@ -58,7 +57,6 @@ services:
|
|||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -17,7 +17,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -16,14 +16,13 @@ services:
|
|||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/changeme/
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
@ -46,7 +45,7 @@ services:
|
|||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
depends_on:
|
||||
- bw-docker
|
||||
volumes:
|
||||
|
@ -55,7 +54,6 @@ services:
|
|||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
|
@ -16,7 +16,7 @@ services:
|
|||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -145,7 +145,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -230,15 +230,13 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-ui
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: ADMIN_USERNAME
|
||||
value: "changeme"
|
||||
- name: "ADMIN_PASSWORD"
|
||||
value: "changeme"
|
||||
- name: "ABSOLUTE_URI"
|
||||
value: "http://www.example.com/changeme/"
|
||||
- name: KUBERNETES_MODE
|
||||
value: "YES"
|
||||
- name: "DATABASE_URI"
|
||||
|
@ -313,7 +311,6 @@ metadata:
|
|||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/www.example.com_USE_UI: "yes"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
|
||||
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
|
||||
spec:
|
||||
rules:
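Review bot: The `bunkerweb-ui` container keeps `ADMIN_USERNAME` and `ADMIN_PASSWORD` as the literal `"changeme"` with no reminder, while the swarm examples on this page annotate the same setting with `# Remember to set a stronger password for the changeme user`. Add that comment here, or, better for a Kubernetes manifest, reference a Secret through `valueFrom.secretKeyRef` so the credential is not stored in the Deployment spec. The same applies to the other Kubernetes UI manifests and to the PostgreSQL swarm file in this commit. The hunk starts and ends inside the container spec, so the rest of the `env` list is not visible.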
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -145,7 +145,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -145,7 +145,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -230,15 +230,13 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-ui
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: ADMIN_USERNAME
|
||||
value: "changeme"
|
||||
- name: "ADMIN_PASSWORD"
|
||||
value: "changeme"
|
||||
- name: "ABSOLUTE_URI"
|
||||
value: "http://www.example.com/changeme/"
|
||||
- name: KUBERNETES_MODE
|
||||
value: "YES"
|
||||
- name: "DATABASE_URI"
|
||||
|
@ -312,7 +310,6 @@ metadata:
|
|||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/www.example.com_USE_UI: "yes"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
|
||||
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
|
||||
spec:
|
||||
rules:
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -144,7 +144,7 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -145,7 +145,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -230,15 +230,13 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-ui
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: ADMIN_USERNAME
|
||||
value: "changeme"
|
||||
- name: "ADMIN_PASSWORD"
|
||||
value: "changeme"
|
||||
- name: "ABSOLUTE_URI"
|
||||
value: "http://www.example.com/changeme/"
|
||||
- name: KUBERNETES_MODE
|
||||
value: "YES"
|
||||
- name: "DATABASE_URI"
|
||||
|
@ -312,7 +310,6 @@ metadata:
|
|||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/www.example.com_USE_UI: "yes"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
|
||||
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
|
||||
spec:
|
||||
rules:
|
||||
|
|
|
@ -48,7 +48,7 @@ spec:
|
|||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
|
@ -118,7 +118,7 @@ spec:
|
|||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
@ -144,7 +144,7 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -60,7 +60,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -87,13 +87,12 @@ services:
|
|||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -104,7 +103,6 @@ services:
|
|||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -64,7 +64,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -60,7 +60,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -87,13 +87,12 @@ services:
|
|||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -104,7 +103,6 @@ services:
|
|||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -60,7 +60,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -60,7 +60,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -86,13 +86,12 @@ services:
|
|||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.0
|
||||
image: bunkerity/bunkerweb-ui:1.5.1
|
||||
environment:
|
||||
- DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme
|
||||
- ABSOLUTE_URI=http://www.example.com/changeme/
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
@ -103,7 +102,6 @@ services:
|
|||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
|
|
|
@ -2,7 +2,7 @@ version: "3.5"
|
|||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.0
|
||||
image: bunkerity/bunkerweb:1.5.1
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
|
@ -32,7 +32,7 @@ services:
|
|||
- "bunkerweb.INSTANCE"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.0
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
@ -60,7 +60,7 @@ services:
|
|||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.0
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.1
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
|
|
|
@ -1 +1 @@
|
|||
1.5.0
|
||||
1.5.1
|
|
@ -1,4 +1,4 @@
|
|||
FROM python:3.11.3-alpine AS builder
|
||||
FROM python:3.11.4-alpine AS builder
|
||||
|
||||
# Copy python requirements
|
||||
COPY src/common/gen/requirements.txt /tmp/req/requirements.txt
|
||||
|
@ -32,7 +32,7 @@ COPY src/common/helpers /usr/share/bunkerweb/helpers
|
|||
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
|
||||
COPY src/common/utils /usr/share/bunkerweb/utils
|
||||
|
||||
FROM python:3.11.3-alpine
|
||||
FROM python:3.11.4-alpine
|
||||
|
||||
# Set default umask to prevent huge recursive chmod increasing the final image size
|
||||
RUN umask 027
|
||||
|
@ -60,7 +60,7 @@ RUN apk add --no-cache bash && \
|
|||
chmod 750 /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/bin/bwcli /usr/share/bunkerweb/autoconf/main.py /usr/share/bunkerweb/deps/python/bin/*
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
|
||||
# There are no CVE to fix for the moment
|
||||
|
||||
VOLUME /data /etc/nginx
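Review bot: The `# Fix CVEs` step now holds only the comment `# There are no CVE to fix for the moment`, so the minimum versions for `libcrypto3` and `libssl3` are no longer enforced at build time. Whether the image carries patched OpenSSL packages now depends entirely on what the mutable `python:3.11.4-alpine` tag resolves to when the build runs. Consider keeping the constraint line, or pinning both `FROM` lines by digest (`FROM python:3.11.4-alpine@sha256:<digest>`), so the claim in the comment stays verifiable.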
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
|
|||
ln -s /proc/1/fd/1 /var/log/nginx/access.log
|
||||
|
||||
# Fix CVEs
|
||||
RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
|
||||
RUN apk add "libx11>=1.8.4-r1"
|
||||
|
||||
VOLUME /data /etc/nginx
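Review bot: The replacement line `RUN apk add "libx11>=1.8.4-r1"` runs without `--no-cache`, unlike the `apk add --no-cache` calls visible elsewhere in these Dockerfiles, so the package index is left in the layer. Use `RUN apk add --no-cache "libx11>=1.8.4-r1"`. The commit also drops the previous minimum-version constraints for libcrypto3, libssl3, curl, libcurl, libwebp and the ncurses packages. A one-line comment stating that the updated base image already satisfies them would make that removal auditable.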
|
||||
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
local class = require "middleclass"
|
||||
local datastore = require "bunkerweb.datastore"
|
||||
local utils = require "bunkerweb.utils"
|
||||
local logger = require "bunkerweb.logger"
|
||||
local logger = require "bunkerweb.logger"
|
||||
local cjson = require "cjson"
|
||||
local upload = require "resty.upload"
|
||||
local rsignal = require "resty.signal"
|
||||
local process = require "ngx.process"
|
||||
local rsignal = require "resty.signal"
|
||||
local process = require "ngx.process"
|
||||
|
||||
local api = class("api")
|
||||
|
||||
|
@ -14,6 +14,16 @@ api.global = { GET = {}, POST = {}, PUT = {}, DELETE = {} }
|
|||
function api:initialize()
|
||||
self.datastore = datastore:new()
|
||||
self.logger = logger:new("API")
|
||||
self.ctx = ngx.ctx
|
||||
local data, err = utils.get_variable("API_WHITELIST_IP", false)
|
||||
self.ips = {}
|
||||
if not data then
|
||||
self.logger.log(ngx.ERR, "can't get API_WHITELIST_IP variable : " .. err)
|
||||
else
|
||||
for ip in data:gmatch("%S+") do
|
||||
table.insert(self.ips, ip)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
function api:log_cmd(cmd, status, stdout, stderr)
|
||||
|
@ -71,17 +81,17 @@ api.global.POST["^/stop$"] = function(self)
|
|||
end
|
||||
|
||||
api.global.POST["^/confs$"] = function(self)
|
||||
local tmp = "/var/tmp/bunkerweb/api_" .. ngx.ctx.bw.uri:sub(2) .. ".tar.gz"
|
||||
local destination = "/usr/share/bunkerweb/" .. ngx.ctx.bw.uri:sub(2)
|
||||
if ngx.ctx.bw.uri == "/confs" then
|
||||
local tmp = "/var/tmp/bunkerweb/api_" .. self.ctx.bw.uri:sub(2) .. ".tar.gz"
|
||||
local destination = "/usr/share/bunkerweb/" .. self.ctx.bw.uri:sub(2)
|
||||
if self.ctx.bw.uri == "/confs" then
|
||||
destination = "/etc/nginx"
|
||||
elseif ngx.ctx.bw.uri == "/data" then
|
||||
elseif self.ctx.bw.uri == "/data" then
|
||||
destination = "/data"
|
||||
elseif ngx.ctx.bw.uri == "/cache" then
|
||||
elseif self.ctx.bw.uri == "/cache" then
|
||||
destination = "/var/cache/bunkerweb"
|
||||
elseif ngx.ctx.bw.uri == "/custom_configs" then
|
||||
elseif self.ctx.bw.uri == "/custom_configs" then
|
||||
destination = "/etc/bunkerweb/configs"
|
||||
elseif ngx.ctx.bw.uri == "/plugins" then
|
||||
elseif self.ctx.bw.uri == "/plugins" then
|
||||
destination = "/etc/bunkerweb/plugins"
|
||||
end
|
||||
local form, err = upload:new(4096)
|
||||
|
@ -185,21 +195,25 @@ api.global.GET["^/bans$"] = function(self)
|
|||
return self:response(ngx.HTTP_OK, "success", data)
|
||||
end
|
||||
|
||||
function api:is_allowed_ip()
|
||||
local data, err = self.datastore:get("api_whitelist_ip")
|
||||
if not data then
|
||||
return false, "can't access api_allowed_ips in datastore"
|
||||
api.global.GET["^/variables$"] = function(self)
|
||||
local variables, err = datastore:get('variables', true)
|
||||
if not variables then
|
||||
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't access variables from datastore : " .. err)
|
||||
end
|
||||
if utils.is_ip_in_networks(ngx.ctx.bw.remote_addr, cjson.decode(data)) then
|
||||
return self:response(ngx.HTTP_OK, "success", variables)
|
||||
end
|
||||
|
||||
function api:is_allowed_ip()
|
||||
if utils.is_ip_in_networks(self.ctx.bw.remote_addr, self.ips) then
|
||||
return true, "ok"
|
||||
end
|
||||
return false, "IP is not in API_WHITELIST_IP"
|
||||
end
|
||||
|
||||
function api:do_api_call()
|
||||
if self.global[ngx.ctx.bw.request_method] ~= nil then
|
||||
for uri, api_fun in pairs(self.global[ngx.ctx.bw.request_method]) do
|
||||
if string.match(ngx.ctx.bw.uri, uri) then
|
||||
if self.global[self.ctx.bw.request_method] ~= nil then
|
||||
for uri, api_fun in pairs(self.global[self.ctx.bw.request_method]) do
|
||||
if string.match(self.ctx.bw.uri, uri) then
|
||||
local status, resp = api_fun(self)
|
||||
local ret = true
|
||||
if status ~= ngx.HTTP_OK then
|
||||
|
@ -215,17 +229,16 @@ function api:do_api_call()
|
|||
end
|
||||
end
|
||||
end
|
||||
local list, err = self.datastore:get("plugins")
|
||||
local list, err = self.datastore:get("plugins", true)
|
||||
if not list then
|
||||
local status, resp = self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't list loaded plugins : " .. err)
|
||||
return false, resp["msg"], ngx.HTTP_INTERNAL_SERVER_ERROR, resp
|
||||
return false, resp["msg"], ngx.HTTP_INTERNAL_SERVER_ERROR, cjson.encode(resp)
|
||||
end
|
||||
list = cjson.decode(list)
|
||||
for i, plugin in ipairs(list) do
|
||||
if pcall(require, plugin.id .. "/" .. plugin.id) then
|
||||
local plugin_lua = require(plugin.id .. "/" .. plugin.id)
|
||||
if plugin_lua.api ~= nil then
|
||||
local matched, status, resp = plugin_lua.api()
|
||||
local matched, status, resp = plugin_lua:api(self.ctx)
|
||||
if matched then
|
||||
local ret = true
|
||||
if status ~= ngx.HTTP_OK then
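Review bot: In the new `api:initialize` block the failure path calls `self.logger.log(ngx.ERR, ...)` with a dot, so `ngx.ERR` lands in the `self` position and the message in the level position; the other logger calls on this page use the method form. It should read `self.logger:log(ngx.ERR, "can't get API_WHITELIST_IP variable : " .. err)`. This matters because that log line is the only signal an operator gets that `self.ips` is empty and `is_allowed_ip` will reject every caller. Separately, the new `GET ^/variables$` handler calls `datastore:get('variables', true)` on the class rather than on `self.datastore`, and it returns the whole variable set, which presumably includes credentials such as database or Redis passwords. A comment stating that the IP whitelist is the only gate, or a filter on sensitive keys, would help.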
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
local mlcache = require "resty.mlcache"
|
||||
local mlcache = require "resty.mlcache"
|
||||
local clusterstore = require "bunkerweb.clusterstore"
|
||||
local logger = require "bunkerweb.logger"
|
||||
local utils = require "bunkerweb.utils"
|
||||
local class = require "middleclass"
|
||||
local cachestore = class("cachestore")
|
||||
local logger = require "bunkerweb.logger"
|
||||
local utils = require "bunkerweb.utils"
|
||||
local class = require "middleclass"
|
||||
local cachestore = class("cachestore")
|
||||
|
||||
-- Instantiate mlcache object at module level (which will be cached when running init phase)
|
||||
-- TODO : custom settings
|
||||
local shm = "cachestore"
|
||||
local ipc_shm = "cachestore_ipc"
|
||||
local shm_miss = "cachestore_miss"
|
||||
local shm_locks = "cachestore_locks"
|
||||
local shm = "cachestore"
|
||||
local ipc_shm = "cachestore_ipc"
|
||||
local shm_miss = "cachestore_miss"
|
||||
local shm_locks = "cachestore_locks"
|
||||
if not ngx.shared.cachestore then
|
||||
shm = "cachestore_stream"
|
||||
ipc_shm = "cachestore_ipc_stream"
|
||||
|
@ -42,7 +42,8 @@ if not cache then
|
|||
module_logger:log(ngx.ERR, "can't instantiate mlcache : " .. err)
|
||||
end
|
||||
|
||||
function cachestore:initialize(use_redis, new_cs)
|
||||
function cachestore:initialize(use_redis, new_cs, ctx)
|
||||
self.ctx = ctx
|
||||
self.cache = cache
|
||||
self.use_redis = use_redis or false
|
||||
self.logger = module_logger
|
||||
|
@ -50,7 +51,7 @@ function cachestore:initialize(use_redis, new_cs)
|
|||
self.clusterstore = clusterstore:new(false)
|
||||
self.shared_cs = false
|
||||
else
|
||||
self.clusterstore = utils.get_ctx_obj("clusterstore")
|
||||
self.clusterstore = utils.get_ctx_obj("clusterstore", self.ctx)
|
||||
self.shared_cs = true
|
||||
end
|
||||
end
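Review bot: `cachestore:initialize` now stores `ctx` with no fallback, so a caller that omits the third argument leaves `self.ctx` nil and the shared branch calls `utils.get_ctx_obj("clusterstore", nil)`. `helpers.fill_ctx` on this page still constructs the object as `:new(use_redis == "yes")`, which takes exactly that path; whether `get_ctx_obj` falls back to `ngx.ctx` is not visible here. Either document the parameter above the function (`-- ctx: request context table cached from ngx.ctx; needed when new_cs is false`) or pass it explicitly from the caller. `plugin:initialize` in the same commit already guards the value with `ctx or ngx.ctx`.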
|
||||
|
|
|
@ -77,7 +77,8 @@ function clusterstore:close()
|
|||
if self.redis_client then
|
||||
-- Equivalent to close but keep a pool of connections
|
||||
if self.pool then
|
||||
local ok, err = self.redis_client:set_keepalive(tonumber(self.variables["REDIS_KEEPALIVE_IDLE"]), tonumber(self.variables["REDIS_KEEPALIVE_POOL"]))
|
||||
local ok, err = self.redis_client:set_keepalive(tonumber(self.variables["REDIS_KEEPALIVE_IDLE"]),
|
||||
tonumber(self.variables["REDIS_KEEPALIVE_POOL"]))
|
||||
self.redis_client = nil
|
||||
if not ok then
|
||||
require "bunkerweb.logger":new("clusterstore-close"):log(ngx.ERR, err)
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
local class = require "middleclass"
|
||||
local lrucache = require "resty.lrucache"
|
||||
local datastore = class("datastore")
|
||||
|
||||
local lru, err = lrucache.new(100000)
|
||||
if not lru then
|
||||
require "bunkerweb.logger":new("DATASTORE"):log(ngx.ERR,
|
||||
"failed to instantiate LRU cache : " .. (err or "unknown error"))
|
||||
end
|
||||
|
||||
function datastore:initialize()
|
||||
self.dict = ngx.shared.datastore
|
||||
if not self.dict then
|
||||
|
@ -8,7 +15,11 @@ function datastore:initialize()
|
|||
end
|
||||
end
|
||||
|
||||
function datastore:get(key)
|
||||
function datastore:get(key, worker)
|
||||
if worker then
|
||||
local value, err = lru:get(key)
|
||||
return value, err or "not found"
|
||||
end
|
||||
local value, err = self.dict:get(key)
|
||||
if not value and not err then
|
||||
err = "not found"
|
||||
|
@ -16,21 +27,35 @@ function datastore:get(key)
|
|||
return value, err
|
||||
end
|
||||
|
||||
function datastore:set(key, value, exptime)
|
||||
function datastore:set(key, value, exptime, worker)
|
||||
if worker then
|
||||
lru:set(key, value, exptime)
|
||||
return true, "success"
|
||||
end
|
||||
exptime = exptime or 0
|
||||
return self.dict:safe_set(key, value, exptime)
|
||||
end
|
||||
|
||||
function datastore:delete(key)
|
||||
function datastore:delete(key, worker)
|
||||
if worker then
|
||||
lru:delete(key)
|
||||
return true, "success"
|
||||
end
|
||||
self.dict:delete(key)
|
||||
return true, "success"
|
||||
end
|
||||
|
||||
function datastore:keys()
|
||||
function datastore:keys(worker)
|
||||
if worker then
|
||||
return lru:keys(0)
|
||||
end
|
||||
return self.dict:get_keys(0)
|
||||
end
|
||||
|
||||
function datastore:ttl(key)
|
||||
if worker then
|
||||
return false, "not supported by LRU"
|
||||
end
|
||||
local ttl, err = self.dict:ttl(key)
|
||||
if not ttl then
|
||||
return false, err
|
||||
|
@ -38,8 +63,13 @@ function datastore:ttl(key)
|
|||
return true, ttl
|
||||
end
|
||||
|
||||
function datastore:delete_all(pattern)
|
||||
local keys = self.dict:get_keys(0)
|
||||
function datastore:delete_all(pattern, worker)
|
||||
local keys = {}
|
||||
if worker then
|
||||
keys = lru:keys(0)
|
||||
else
|
||||
keys = self.dict:get_keys(0)
|
||||
end
|
||||
for i, key in ipairs(keys) do
|
||||
if key:match(pattern) then
|
||||
self.dict:delete(key)
|
||||
|
@ -48,4 +78,8 @@ function datastore:delete_all(pattern)
|
|||
return true, "success"
|
||||
end
|
||||
|
||||
function datastore:flush_lru()
|
||||
lru:flush_all()
|
||||
end
|
||||
|
||||
return datastore
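Review bot: `datastore:ttl` tests `worker`, but its signature is still `function datastore:ttl(key)`, so `worker` resolves to a global (normally nil) and the "not supported by LRU" branch is unreachable; the signature should become `function datastore:ttl(key, worker)`. In `delete_all` the keys are read from the LRU when `worker` is set, but the loop still calls `self.dict:delete(key)`, so the worker cache is never cleared and same-named shared-dict keys are deleted instead; `if worker then lru:delete(key) else self.dict:delete(key) end` would match the other methods. The LRU branches also call `lru:keys(0)`, whereas lua-resty-lrucache exposes this as `get_keys` as far as I know, so that call is worth checking against the library version in use. The end of the `delete_all` loop lies between two hunks and is not fully visible.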
|
||||
|
|
|
@ -108,9 +108,9 @@ helpers.require_plugin = function(id)
|
|||
return plugin_lua, "require() call successful for plugin " .. id
|
||||
end
|
||||
|
||||
helpers.new_plugin = function(plugin_lua)
|
||||
helpers.new_plugin = function(plugin_lua, ctx)
|
||||
-- Require call
|
||||
local ok, plugin_obj = pcall(plugin_lua.new, plugin_lua)
|
||||
local ok, plugin_obj = pcall(plugin_lua.new, plugin_lua, ctx)
|
||||
if not ok then
|
||||
return false, "new error for plugin " .. plugin_lua.name .. " : " .. plugin_obj
|
||||
end
|
||||
|
@ -148,8 +148,9 @@ end
|
|||
helpers.fill_ctx = function()
|
||||
-- Return errors as table
|
||||
local errors = {}
|
||||
local ctx = ngx.ctx
|
||||
-- Check if ctx is already filled
|
||||
if not ngx.ctx.bw then
|
||||
if not ctx.bw then
|
||||
-- Instantiate bw table
|
||||
local data = {}
|
||||
-- Common vars
|
||||
|
@ -158,14 +159,19 @@ helpers.fill_ctx = function()
|
|||
data.kind = "stream"
|
||||
end
|
||||
data.remote_addr = ngx.var.remote_addr
|
||||
data.uri = ngx.var.uri
|
||||
data.request_uri = ngx.var.request_uri
|
||||
data.request_method = ngx.var.request_method
|
||||
data.http_user_agent = ngx.var.http_user_agent
|
||||
data.http_host = ngx.var.http_host
|
||||
data.server_name = ngx.var.server_name
|
||||
data.http_content_type = ngx.var.http_content_type
|
||||
data.http_origin = ngx.var.http_origin
|
||||
if data.kind == "http" then
|
||||
data.uri = ngx.var.uri
|
||||
data.request_uri = ngx.var.request_uri
|
||||
data.request_method = ngx.var.request_method
|
||||
data.http_user_agent = ngx.var.http_user_agent
|
||||
data.http_host = ngx.var.http_host
|
||||
data.server_name = ngx.var.server_name
|
||||
data.http_content_type = ngx.var.http_content_type
|
||||
data.http_content_length = ngx.var.http_content_length
|
||||
data.http_origin = ngx.var.http_origin
|
||||
data.http_version = ngx.req.http_version()
|
||||
end
|
||||
-- IP data : global
|
||||
local ip_is_global, err = utils.ip_is_global(data.remote_addr)
|
||||
if ip_is_global == nil then
|
||||
|
@ -180,17 +186,76 @@ helpers.fill_ctx = function()
|
|||
data.integration = utils.get_integration()
|
||||
data.version = utils.get_version()
|
||||
-- Fill ctx
|
||||
ngx.ctx.bw = data
|
||||
ctx.bw = data
|
||||
end
|
||||
-- Always create new objects for current phases in case of cosockets
|
||||
local use_redis, err = utils.get_variable("USE_REDIS", false)
|
||||
if not use_redis then
|
||||
table.insert(errors, "can't get variable from datastore : " .. err)
|
||||
end
|
||||
ngx.ctx.bw.datastore = require "bunkerweb.datastore":new()
|
||||
ngx.ctx.bw.clusterstore = require "bunkerweb.clusterstore":new()
|
||||
ngx.ctx.bw.cachestore = require "bunkerweb.cachestore":new(use_redis == "yes")
|
||||
return true, "ctx filled", errors
|
||||
ctx.bw.datastore = require "bunkerweb.datastore":new()
|
||||
ctx.bw.clusterstore = require "bunkerweb.clusterstore":new()
|
||||
ctx.bw.cachestore = require "bunkerweb.cachestore":new(use_redis == "yes")
|
||||
return true, "ctx filled", errors, ctx
|
||||
end
|
||||
|
||||
function helpers.load_variables(all_variables, plugins)
|
||||
-- Extract settings from plugins and global ones
|
||||
local all_settings = {}
|
||||
for i, plugin in ipairs(plugins) do
|
||||
if plugin.settings then
|
||||
for setting, data in pairs(plugin.settings) do
|
||||
all_settings[setting] = data
|
||||
end
|
||||
end
|
||||
end
|
||||
local file = io.open("/usr/share/bunkerweb/settings.json")
|
||||
if not file then
|
||||
return false, "can't open settings.json"
|
||||
end
|
||||
local ok, settings = pcall(cjson.decode, file:read("*a"))
|
||||
file:close()
|
||||
if not ok then
|
||||
return false, "invalid settings.json : " .. err
|
||||
end
|
||||
for setting, data in pairs(settings) do
|
||||
all_settings[setting] = data
|
||||
end
|
||||
-- Extract vars
|
||||
local variables = { ["global"] = {} }
|
||||
local multisite = all_variables["MULTISITE"] == "yes"
|
||||
local server_names = {}
|
||||
if multisite then
|
||||
for server_name in all_variables["SERVER_NAME"]:gmatch("%S+") do
|
||||
variables[server_name] = {}
|
||||
table.insert(server_names, server_name)
|
||||
end
|
||||
end
|
||||
for setting, data in pairs(all_settings) do
|
||||
if all_variables[setting] then
|
||||
variables["global"][setting] = all_variables[setting]
|
||||
end
|
||||
if multisite then
|
||||
for i, server_name in ipairs(server_names) do
|
||||
local key = server_name .. "_" .. setting
|
||||
if all_variables[key] then
|
||||
variables[server_name][setting] = all_variables[key]
|
||||
end
|
||||
end
|
||||
end
|
||||
if data.multiple then
|
||||
for variable, value in pairs(all_variables) do
|
||||
local found, _, prefix = variable:find("^([^_]*)_?" .. setting .. "_[0-9]+$")
|
||||
if found then
|
||||
if multisite and prefix and prefix ~= "" then
|
||||
variables[prefix][variable] = value
|
||||
end
|
||||
variables["global"][variable] = value
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return true, variables
|
||||
end
|
||||
|
||||
return helpers
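Review bot: In the new `helpers.load_variables`, the decode failure path returns `"invalid settings.json : " .. err`, but no `err` is declared in that function, so the concatenation raises on a nil value instead of returning the message. `pcall` puts the error in its second result, so the line should be `return false, "invalid settings.json : " .. tostring(settings)`. In the `data.multiple` loop, `variables[prefix][variable] = value` indexes a table that exists only for names listed in `SERVER_NAME`. Changing the guard to `if multisite and prefix and variables[prefix] then` avoids an index-nil error when the captured prefix is not a configured server.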
|
||||
|
|
|
@ -1,18 +1,19 @@
|
|||
local class = require "middleclass"
|
||||
local logger = require "bunkerweb.logger"
|
||||
local datastore = require "bunkerweb.datastore"
|
||||
local cachestore = require "bunkerweb.cachestore"
|
||||
local class = require "middleclass"
|
||||
local logger = require "bunkerweb.logger"
|
||||
local datastore = require "bunkerweb.datastore"
|
||||
local cachestore = require "bunkerweb.cachestore"
|
||||
local clusterstore = require "bunkerweb.clusterstore"
|
||||
local utils = require "bunkerweb.utils"
|
||||
local cjson = require "cjson"
|
||||
local plugin = class("plugin")
|
||||
local utils = require "bunkerweb.utils"
|
||||
local cjson = require "cjson"
|
||||
local plugin = class("plugin")
|
||||
|
||||
function plugin:initialize(id)
|
||||
function plugin:initialize(id, ctx)
|
||||
-- Store common, values
|
||||
self.id = id
|
||||
local multisite = false
|
||||
local current_phase = ngx.get_phase()
|
||||
for i, check_phase in ipairs({ "set", "access", "content", "header_filter", "log", "preread", "log_stream", "log_default" }) do
|
||||
for i, check_phase in ipairs({ "set", "access", "content", "header_filter", "log", "preread", "log_stream",
|
||||
"log_default" }) do
|
||||
if current_phase == check_phase then
|
||||
multisite = true
|
||||
break
|
||||
|
@ -21,35 +22,46 @@ function plugin:initialize(id)
|
|||
self.is_request = multisite
|
||||
-- Store common objets
|
||||
self.logger = logger:new(self.id)
|
||||
local use_redis, err = utils.get_variable("USE_REDIS", false)
|
||||
if not use_redis then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
end
|
||||
self.use_redis = use_redis == "yes"
|
||||
local use_redis, err = utils.get_variable("USE_REDIS", false)
|
||||
if not use_redis then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
end
|
||||
self.use_redis = use_redis == "yes"
|
||||
if self.is_request then
|
||||
self.datastore = utils.get_ctx_obj("datastore") or datastore:new()
|
||||
self.cachestore = utils.get_ctx_obj("cachestore") or cachestore:new(use_redis == "yes", true)
|
||||
self.clusterstore = utils.get_ctx_obj("clusterstore") or clusterstore:new(false)
|
||||
-- Store ctx
|
||||
self.ctx = ctx or ngx.ctx
|
||||
self.datastore = utils.get_ctx_obj("datastore", self.ctx) or datastore:new()
|
||||
self.cachestore = utils.get_ctx_obj("cachestore", self.ctx) or cachestore:new(use_redis == "yes", true, self.ctx)
|
||||
self.clusterstore = utils.get_ctx_obj("clusterstore", self.ctx) or clusterstore:new(false)
|
||||
else
|
||||
self.datastore = datastore:new()
|
||||
self.cachestore = cachestore:new(use_redis == "yes", true)
|
||||
self.clusterstore = clusterstore:new(false)
|
||||
end
|
||||
-- Get metadata
|
||||
local encoded_metadata, err = self.datastore:get("plugin_" .. id)
|
||||
if not encoded_metadata then
|
||||
local metadata, err = self.datastore:get("plugin_" .. id, true)
|
||||
if not metadata then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
return
|
||||
end
|
||||
-- Store variables
|
||||
self.variables = {}
|
||||
local metadata = cjson.decode(encoded_metadata)
|
||||
self.multiples = {}
|
||||
for k, v in pairs(metadata.settings) do
|
||||
local value, err = utils.get_variable(k, v.context == "multisite" and multisite)
|
||||
if value == nil then
|
||||
self.logger:log(ngx.ERR, "can't get " .. k .. " variable : " .. err)
|
||||
end
|
||||
self.variables[k] = value
|
||||
-- if v.multiple then
|
||||
-- local multiples, err = utils.get_multiple_variables(k)
|
||||
-- if not multiples then
|
||||
-- self.logger:log(ngx.ERR, "can't get " .. k .. " multiple variable : " .. err)
|
||||
-- self.multiples[k] = {}
|
||||
-- else
|
||||
-- self.multiples[k] = multiples
|
||||
-- end
|
||||
-- end
|
||||
end
|
||||
-- Is loading
|
||||
local is_loading, err = utils.get_variable("IS_LOADING", false)
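Review bot: When `utils.get_variable` returns nil for a setting, `plugin:initialize` only logs and then stores nil in `self.variables[k]`. With the rewritten `get_variable` shown further down this page, the second return value in that case is the string "success", so the log line reads `can't get X variable : success`. A plugin that later tests `self.variables[...] == "yes"` would presumably treat the feature as disabled, which for a security control is a fail-open default (plugin code is not visible here). I would log the real condition, e.g. `self.logger:log(ngx.ERR, "variable " .. k .. " is not defined for this scope")`, and add a comment above the loop stating that missing settings stay nil. The commented-out `v.multiple` block is dead code and could be dropped; the function body continues past the end of the hunk.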
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
local cdatastore = require "bunkerweb.datastore"
|
||||
local mmdb = require "bunkerweb.mmdb"
|
||||
local clogger = require "bunkerweb.logger"
|
||||
local cdatastore = require "bunkerweb.datastore"
|
||||
local mmdb = require "bunkerweb.mmdb"
|
||||
local clogger = require "bunkerweb.logger"
|
||||
|
||||
local ipmatcher = require "resty.ipmatcher"
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local session = require "resty.session"
|
||||
local cjson = require "cjson"
|
||||
local ipmatcher = require "resty.ipmatcher"
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local session = require "resty.session"
|
||||
local cjson = require "cjson"
|
||||
|
||||
local logger = clogger:new("UTILS")
|
||||
local datastore = cdatastore:new()
|
||||
local logger = clogger:new("UTILS")
|
||||
local datastore = cdatastore:new()
|
||||
|
||||
local utils = {}
|
||||
local utils = {}
|
||||
|
||||
math.randomseed(os.time())
|
||||
|
||||
|
@ -20,49 +20,32 @@ utils.get_variable = function(var, site_search)
|
|||
site_search = true
|
||||
end
|
||||
-- Get global value
|
||||
local value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "can't access variable " .. var .. " from datastore : " .. err
|
||||
local variables, err = datastore:get('variables', true)
|
||||
if not variables then
|
||||
return nil, "can't access variables from datastore : " .. err
|
||||
end
|
||||
local value = variables["global"][var]
|
||||
-- Site search case
|
||||
if site_search then
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "can't access variable MULTISITE from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" and ngx.var.server_name then
|
||||
local value_site, err = datastore:get("variable_" .. ngx.var.server_name .. "_" .. var)
|
||||
if value_site then
|
||||
value = value_site
|
||||
end
|
||||
end
|
||||
local multisite = site_search and variables["global"]["MULTISITE"] == "yes" and ngx.var.server_name ~= "_"
|
||||
if multisite then
|
||||
value = variables[ngx.var.server_name][var]
|
||||
end
|
||||
return value, "success"
|
||||
end
|
||||
|
||||
utils.has_variable = function(var, value)
|
||||
-- Get global variable
|
||||
local check_value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "Can't access variable " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "Can't access variable MULTISITE from datastore : " .. err
|
||||
local variables, err = datastore:get('variables', true)
|
||||
if not variables then
|
||||
return nil, "can't access variables " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" then
|
||||
local servers, err = datastore:get("variable_SERVER_NAME")
|
||||
if not servers then
|
||||
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
|
||||
end
|
||||
local multisite = variables["global"]["MULTISITE"] == "yes"
|
||||
if multisite then
|
||||
local servers = variables["global"]["SERVER_NAME"]
|
||||
-- Check each server
|
||||
for server in servers:gmatch("%S+") do
|
||||
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
|
||||
if check_value_site and check_value_site == value then
|
||||
if variables[server][var] == value then
|
||||
return true, "success"
|
||||
end
|
||||
end
|
||||
|
@ -70,30 +53,22 @@ utils.has_variable = function(var, value)
|
|||
return false, "success"
|
||||
end
|
||||
end
|
||||
return check_value == value, "success"
|
||||
return variables["global"][var] == value, "success"
|
||||
end
|
||||
|
||||
utils.has_not_variable = function(var, value)
|
||||
-- Get global variable
|
||||
local check_value, err = datastore:get("variable_" .. var)
|
||||
if not value then
|
||||
return nil, "Can't access variable " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Check if multisite is set to yes
|
||||
local multisite, err = datastore:get("variable_MULTISITE")
|
||||
if not multisite then
|
||||
return nil, "Can't access variable MULTISITE from datastore : " .. err
|
||||
local variables, err = datastore:get('variables', true)
|
||||
if not variables then
|
||||
return nil, "can't access variables " .. var .. " from datastore : " .. err
|
||||
end
|
||||
-- Multisite case
|
||||
if multisite == "yes" then
|
||||
local servers, err = datastore:get("variable_SERVER_NAME")
|
||||
if not servers then
|
||||
return nil, "Can't access variable SERVER_NAME from datastore : " .. err
|
||||
end
|
||||
local multisite = variables["global"]["MULTISITE"] == "yes"
|
||||
if multisite then
|
||||
local servers = variables["global"]["SERVER_NAME"]
|
||||
-- Check each server
|
||||
for server in servers:gmatch("%S+") do
|
||||
local check_value_site, err = datastore:get("variable_" .. server .. "_" .. var)
|
||||
if check_value_site and check_value_site ~= value then
|
||||
if variables[server][var] ~= "value" then
|
||||
return true, "success"
|
||||
end
|
||||
end
|
||||
|
@ -101,33 +76,24 @@ utils.has_not_variable = function(var, value)
|
|||
return false, "success"
|
||||
end
|
||||
end
|
||||
return check_value ~= value, "success"
|
||||
return variables["global"][var] ~= value, "success"
|
||||
end
|
||||
|
||||
utils.get_multiple_variables = function(vars)
|
||||
-- Get all keys
|
||||
local keys = datastore:keys()
|
||||
local variables, err = datastore:get('variables', true)
|
||||
if not variables then
|
||||
return nil, "can't access variables " .. var .. " from datastore : " .. err
|
||||
end
|
||||
local result = {}
|
||||
-- Loop on keys
|
||||
for i, key in ipairs(keys) do
|
||||
-- Loop on scoped vars
|
||||
for scope, scoped_vars in pairs(variables) do
|
||||
result[scope] = {}
|
||||
-- Loop on vars
|
||||
for j, var in ipairs(vars) do
|
||||
-- Filter on good ones
|
||||
local _, _, server, subvar = key:find("variable_(.*)_?(" .. var .. "_?%d*)")
|
||||
if subvar then
|
||||
if not server or server == "" then
|
||||
server = "global"
|
||||
else
|
||||
server = server:sub(1, -2)
|
||||
for variable, value in pairs(scoped_vars) do
|
||||
for i, var in ipairs(vars) do
|
||||
if variable:find("^" .. var .. "_?[0-9]*$") then
|
||||
result[scope][variable] = value
|
||||
end
|
||||
if result[server] == nil then
|
||||
result[server] = {}
|
||||
end
|
||||
local value, err = datastore:get(key)
|
||||
if not value then
|
||||
return nil, err
|
||||
end
|
||||
result[server][subvar] = value
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -205,23 +171,25 @@ end
|
|||
|
||||
utils.get_integration = function()
|
||||
-- Check if already in datastore
|
||||
local integration, err = datastore:get("misc_integration")
|
||||
local integration, err = datastore:get("misc_integration", true)
|
||||
if integration then
|
||||
return integration
|
||||
end
|
||||
local variables, err = datastore:get("variables", true)
|
||||
if not variables then
|
||||
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
|
||||
return "unknown"
|
||||
end
|
||||
-- Swarm
|
||||
local var, err = datastore:get("variable_SWARM_MODE")
|
||||
if var == "yes" then
|
||||
if variables["global"]["SWARM_MODE"] == "yes" then
|
||||
integration = "swarm"
|
||||
else
|
||||
-- Kubernetes
|
||||
local var, err = datastore:get("variable_KUBERNETES_MODE")
|
||||
if var == "yes" then
|
||||
if variables["global"]["KUBERNETES_MODE"] == "yes" then
|
||||
integration = "kubernetes"
|
||||
else
|
||||
-- Autoconf
|
||||
local var, err = datastore:get("variable_AUTOCONF_MODE")
|
||||
if var == "yes" then
|
||||
if variables["global"]["AUTOCONF_MODE"] == "yes" then
|
||||
integration = "autoconf"
|
||||
else
|
||||
-- Already present (e.g. : linux)
|
||||
|
@ -247,7 +215,7 @@ utils.get_integration = function()
|
|||
end
|
||||
end
|
||||
-- Save integration
|
||||
local ok, err = datastore:set("misc_integration", integration)
|
||||
local ok, err = datastore:set("misc_integration", integration, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't cache integration to datastore : " .. err)
|
||||
end
|
||||
|
@ -256,7 +224,7 @@ end
|
|||
|
||||
utils.get_version = function()
|
||||
-- Check if already in datastore
|
||||
local version, err = datastore:get("misc_version")
|
||||
local version, err = datastore:get("misc_version", true)
|
||||
if version then
|
||||
return version
|
||||
end
|
||||
|
@ -269,17 +237,17 @@ utils.get_version = function()
|
|||
version = f:read("*a"):gsub("[\n\r]", "")
|
||||
f:close()
|
||||
-- Save it to datastore
|
||||
local ok, err = datastore:set("misc_version", version)
|
||||
local ok, err = datastore:set("misc_version", version, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't cache version to datastore : " .. err)
|
||||
end
|
||||
return version
|
||||
end
|
||||
|
||||
utils.get_reason = function()
|
||||
utils.get_reason = function(ctx)
|
||||
-- ngx.ctx
|
||||
if ngx.ctx.reason then
|
||||
return ngx.ctx.reason
|
||||
if ctx.bw.reason then
|
||||
return ctx.bw.reason
|
||||
end
|
||||
-- ngx.var
|
||||
if ngx.var.reason and ngx.var.reason ~= "" then
|
||||
|
@ -295,7 +263,7 @@ utils.get_reason = function()
|
|||
return banned
|
||||
end
|
||||
-- unknown
|
||||
if ngx.status == utils.get_deny_status() then
|
||||
if ngx.status == utils.get_deny_status(ctx) then
|
||||
return "unknown"
|
||||
end
|
||||
return nil
|
||||
|
@ -303,30 +271,30 @@ end
|
|||
|
||||
utils.get_resolvers = function()
|
||||
-- Get resolvers from datastore if existing
|
||||
local str_resolvers, err = datastore:get("misc_resolvers")
|
||||
if str_resolvers then
|
||||
return cjson.decode(str_resolvers)
|
||||
local resolvers, err = datastore:get("misc_resolvers", true)
|
||||
if resolvers then
|
||||
return resolvers
|
||||
end
|
||||
-- Otherwise extract DNS_RESOLVERS variable
|
||||
local var_resolvers, err = datastore:get("variable_DNS_RESOLVERS")
|
||||
if not var_resolvers then
|
||||
logger:log(ngx.ERR, "can't get variable DNS_RESOLVERS from datastore : " .. err)
|
||||
return nil, err
|
||||
local variables, err = datastore:get("variables", true)
|
||||
if not variables then
|
||||
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
|
||||
return "unknown"
|
||||
end
|
||||
-- Make table for resolver1 resolver2 ... string
|
||||
local resolvers = {}
|
||||
for str_resolver in var_resolvers:gmatch("%S+") do
|
||||
for str_resolver in variables["global"]["DNS_RESOLVERS"]:gmatch("%S+") do
|
||||
table.insert(resolvers, str_resolver)
|
||||
end
|
||||
-- Add it to the datastore
|
||||
local ok, err = datastore:set("misc_resolvers", cjson.encode(resolvers))
|
||||
local ok, err = datastore:set("misc_resolvers", resolvers, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save misc_resolvers to datastore : " .. err)
|
||||
end
|
||||
return resolvers
|
||||
end
|
||||
|
||||
utils.get_rdns = function(ip)
|
||||
utils.get_rdns = function(ip)
|
||||
-- Check cache
|
||||
local cachestore = utils.new_cachestore()
|
||||
local ok, value = cachestore:get("rdns_" .. ip)
|
||||
|
@ -376,7 +344,7 @@ utils.get_rdns = function(ip)
|
|||
return ptrs, ret_err
|
||||
end
|
||||
|
||||
utils.get_ips = function(fqdn, ipv6)
|
||||
utils.get_ips = function(fqdn, ipv6)
|
||||
-- Check cache
|
||||
local cachestore = utils.new_cachestore()
|
||||
local ok, value = cachestore:get("dns_" .. fqdn)
|
||||
|
@ -497,38 +465,38 @@ utils.rand = function(nb, no_numbers)
|
|||
return result
|
||||
end
|
||||
|
||||
utils.get_deny_status = function()
|
||||
utils.get_deny_status = function(ctx)
|
||||
-- Stream case
|
||||
if ngx.ctx.bw and ngx.ctx.bw.kind == "stream" then
|
||||
if ctx.bw and ctx.bw.kind == "stream" then
|
||||
return 444
|
||||
end
|
||||
-- http case
|
||||
local status, err = datastore:get("variable_DENY_HTTP_STATUS")
|
||||
if not status then
|
||||
logger:log(ngx.ERR, "can't get DENY_HTTP_STATUS variable " .. err)
|
||||
local variables, err = datastore:get("variables", true)
|
||||
if not variables then
|
||||
logger:log(ngx.ERR, "can't get variables from datastore : " .. err)
|
||||
return 403
|
||||
end
|
||||
return tonumber(status)
|
||||
return tonumber(variables["global"]["DENY_HTTP_STATUS"])
|
||||
end
|
||||
|
||||
utils.check_session = function()
|
||||
local _session, err, exists, refreshed = session.start({audience = "metadata"})
|
||||
utils.check_session = function(ctx)
|
||||
local _session, err, exists, refreshed = session.start({ audience = "metadata" })
|
||||
if exists then
|
||||
for i, check in ipairs(ngx.ctx.bw.sessions_checks) do
|
||||
for i, check in ipairs(ctx.bw.sessions_checks) do
|
||||
local key = check[1]
|
||||
local value = check[2]
|
||||
if _session:get(key) ~= value then
|
||||
local ok, err = _session:destroy()
|
||||
if not ok then
|
||||
_session:close()
|
||||
return false, "session:destroy() error : " .. err
|
||||
return false, "session:destroy() error : " .. err
|
||||
end
|
||||
logger:log(ngx.WARN, "session check " .. key .. " failed, destroying session")
|
||||
return utils.check_session()
|
||||
return utils.check_session(ctx)
|
||||
end
|
||||
end
|
||||
else
|
||||
for i, check in ipairs(ngx.ctx.bw.sessions_checks) do
|
||||
for i, check in ipairs(ctx.bw.sessions_checks) do
|
||||
_session:set(check[1], check[2])
|
||||
end
|
||||
local ok, err = _session:save()
|
||||
|
@ -537,41 +505,41 @@ utils.check_session = function()
|
|||
return false, "session:save() error : " .. err
|
||||
end
|
||||
end
|
||||
ngx.ctx.bw.sessions_is_checked = true
|
||||
ctx.bw.sessions_is_checked = true
|
||||
_session:close()
|
||||
return true, exists
|
||||
end
|
||||
|
||||
utils.get_session = function(audience)
|
||||
utils.get_session = function(audience, ctx)
|
||||
-- Check session
|
||||
if not ngx.ctx.bw.sessions_is_checked then
|
||||
local ok, err = utils.check_session()
|
||||
if not ctx.bw.sessions_is_checked then
|
||||
local ok, err = utils.check_session(ctx)
|
||||
if not ok then
|
||||
return false, "error while checking session, " .. err
|
||||
end
|
||||
end
|
||||
-- Open session with specific audience
|
||||
local _session, err, exists = session.open({audience = audience})
|
||||
local _session, err, exists = session.open({ audience = audience })
|
||||
if err then
|
||||
logger:log(ngx.INFO, "session:open() error : " .. err)
|
||||
end
|
||||
return _session
|
||||
end
|
||||
|
||||
utils.get_session_data = function(_session, site)
|
||||
utils.get_session_data = function(_session, site, ctx)
|
||||
local site_only = site == nil or site
|
||||
local data = _session:get_data()
|
||||
if site_only then
|
||||
return data[ngx.ctx.bw.server_name] or {}
|
||||
return data[ctx.bw.server_name] or {}
|
||||
end
|
||||
return data
|
||||
end
|
||||
|
||||
utils.set_session_data = function(_session, data, site)
|
||||
utils.set_session_data = function(_session, data, site, ctx)
|
||||
local site_only = site == nil or site
|
||||
if site_only then
|
||||
local all_data = _session:get_data()
|
||||
all_data[ngx.ctx.bw.server_name] = data
|
||||
all_data[ctx.bw.server_name] = data
|
||||
_session:set_data(all_data)
|
||||
return _session:save()
|
||||
end
|
||||
|
@ -683,7 +651,7 @@ utils.new_cachestore = function()
|
|||
return require "bunkerweb.cachestore":new(use_redis, true)
|
||||
end
|
||||
|
||||
utils.regex_match = function(str, regex, options)
|
||||
utils.regex_match = function(str, regex, options)
|
||||
local all_options = "o"
|
||||
if options then
|
||||
all_options = all_options .. options
|
||||
|
@ -696,7 +664,7 @@ utils.regex_match = function(str, regex, options)
|
|||
return match
|
||||
end
|
||||
|
||||
utils.get_phases = function()
|
||||
utils.get_phases = function()
|
||||
return {
|
||||
"init",
|
||||
"init_worker",
|
||||
|
@ -710,7 +678,7 @@ utils.get_phases = function()
|
|||
}
|
||||
end
|
||||
|
||||
utils.is_cosocket_available = function()
|
||||
utils.is_cosocket_available = function()
|
||||
local phases = {
|
||||
"timer",
|
||||
"access",
|
||||
|
@ -725,7 +693,7 @@ utils.is_cosocket_available = function()
|
|||
return false
|
||||
end
|
||||
|
||||
utils.kill_all_threads = function(threads)
|
||||
utils.kill_all_threads = function(threads)
|
||||
for i, thread in ipairs(threads) do
|
||||
local ok, err = ngx.thread.kill(thread)
|
||||
if not ok then
|
||||
|
@ -734,7 +702,7 @@ utils.kill_all_threads = function(threads)
|
|||
end
|
||||
end
|
||||
|
||||
utils.get_ctx_obj = function(obj)
|
||||
utils.get_ctx_obj = function(obj)
|
||||
if ngx.ctx and ngx.ctx.bw then
|
||||
return ngx.ctx.bw[obj]
|
||||
end
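Review bot: In the new `utils.has_not_variable`, the per-server check compares against the string literal `"value"` instead of the `value` parameter (`if variables[server][var] ~= "value" then`). In multisite mode it therefore returns true on the first server unless a setting is literally the string "value", so any caller using it to decide whether a protection is active would get the wrong answer. The line should read `if variables[server][var] ~= value then`, matching the global fallback `variables["global"][var] ~= value` in the same function. Two smaller error-path issues in this file: `utils.get_multiple_variables` concatenates `var`, which is not defined there (the parameter is `vars`), and `utils.get_resolvers` now returns the string `"unknown"` on failure where the old code returned `nil, err`.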
|
||||
|
|
|
@ -41,7 +41,7 @@ local function _createIndexWrapper(aClass, f)
|
|||
return (f(self, name))
|
||||
end
|
||||
end
|
||||
else -- if type(f) == "table" then
|
||||
else -- if type(f) == "table" then
|
||||
return function(self, name)
|
||||
local value = aClass.__instanceDict[name]
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -41,7 +41,7 @@ class API:
|
|||
|
||||
resp = request(
|
||||
method,
|
||||
f"{self.__endpoint}{url}",
|
||||
f"{self.__endpoint}{url if not url.startswith('/') else url[1:]}",
|
||||
timeout=timeout,
|
||||
headers={"User-Agent": "bwapi", "Host": self.__host},
|
||||
**kwargs,
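Review bot: The new URL join strips exactly one leading slash and relies on `self.__endpoint` already ending with `/`, which is set outside this hunk. A path beginning with `//` keeps a leading slash, and an endpoint without a trailing slash would glue host and path together. Normalising both sides is simpler to reason about: `f"{self.__endpoint.rstrip('/')}/{url.lstrip('/')}"`.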
|
||||
|
|
|
@ -25,7 +25,7 @@ server {
|
|||
|
||||
-- Fill ctx
|
||||
logger:log(ngx.INFO, "filling ngx.ctx ...")
|
||||
local ok, ret, errors = helpers.fill_ctx()
|
||||
local ok, ret, errors, ctx = helpers.fill_ctx()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
|
||||
elseif errors then
|
||||
|
@ -36,30 +36,33 @@ server {
|
|||
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
|
||||
|
||||
-- Check host header
|
||||
if not ngx.ctx.bw.http_host or ngx.ctx.bw.http_host ~= "{{ API_SERVER_NAME }}" then
|
||||
logger:log(ngx.WARN, "wrong Host header from IP " .. ngx.ctx.bw.remote_addr)
|
||||
if not ctx.bw.http_host or ctx.bw.http_host ~= "{{ API_SERVER_NAME }}" then
|
||||
logger:log(ngx.WARN, "wrong Host header from IP " .. ctx.bw.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_CLOSE)
|
||||
end
|
||||
|
||||
-- Check IP
|
||||
local ok, err = api:is_allowed_ip()
|
||||
if not ok then
|
||||
logger:log(ngx.WARN, "can't validate access from IP " .. ngx.ctx.bw.remote_addr .. " : " .. err)
|
||||
logger:log(ngx.WARN, "can't validate access from IP " .. ctx.bw.remote_addr .. " : " .. err)
|
||||
return ngx.exit(ngx.HTTP_CLOSE)
|
||||
end
|
||||
logger:log(ngx.NOTICE, "validated access from IP " .. ngx.ctx.bw.remote_addr)
|
||||
logger:log(ngx.NOTICE, "validated access from IP " .. ctx.bw.remote_addr)
|
||||
|
||||
-- Do API call
|
||||
local ok, err, status, resp = api:do_api_call()
|
||||
if not ok then
|
||||
logger:log(ngx.WARN, "call from " .. ngx.ctx.bw.remote_addr .. " on " .. ngx.ctx.bw.uri .. " failed : " .. err)
|
||||
logger:log(ngx.WARN, "call from " .. ctx.bw.remote_addr .. " on " .. ctx.bw.uri .. " failed : " .. err)
|
||||
else
|
||||
logger:log(ngx.NOTICE, "successful call from " .. ngx.ctx.bw.remote_addr .. " on " .. ngx.ctx.bw.uri .. " : " .. err)
|
||||
logger:log(ngx.NOTICE, "successful call from " .. ctx.bw.remote_addr .. " on " .. ctx.bw.uri .. " : " .. err)
|
||||
end
|
||||
|
||||
-- Start API handler
|
||||
logger:log(ngx.INFO, "API handler ended")
|
||||
|
||||
-- Save ctx
|
||||
ngx.ctx = ctx
|
||||
|
||||
-- Send response
|
||||
ngx.status = status
|
||||
ngx.say(resp)
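Review bot: When `helpers.fill_ctx()` fails, the handler only logs and then falls through to the Host check, which indexes `ctx.bw`. If the new fourth return value is nil on failure, that raises a Lua error instead of taking an explicit deny path. Since this block guards the internal API, I would make the failure explicit before the Host check: `if not ctx or not ctx.bw then return ngx.exit(ngx.HTTP_CLOSE) end`. The two early `ngx.exit` returns also run before `ngx.ctx = ctx`, so changes to the local table are not saved for rejected requests; a comment should say whether that is intended. The `if not ok` branch continues outside the first hunk, so the fall-through is inferred.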
|
||||
|
|
|
@ -52,7 +52,7 @@ server {
|
|||
|
||||
-- Fill ctx
|
||||
logger:log(ngx.INFO, "filling ngx.ctx ...")
|
||||
local ok, ret, errors = helpers.fill_ctx()
|
||||
local ok, ret, errors, ctx = helpers.fill_ctx()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
|
||||
elseif errors then
|
||||
|
@ -63,12 +63,11 @@ server {
|
|||
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
|
||||
|
||||
-- Get plugins order
|
||||
local order, err = datastore:get("plugins_order")
|
||||
local order, err = datastore:get("plugins_order", true)
|
||||
if not order then
|
||||
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
|
||||
return
|
||||
end
|
||||
order = cjson.decode(order)
|
||||
|
||||
-- Call log_default() methods
|
||||
logger:log(ngx.INFO, "calling log_default() methods of plugins ...")
|
||||
|
@ -102,10 +101,13 @@ server {
|
|||
logger:log(ngx.INFO, "called log_default() methods of plugins")
|
||||
|
||||
-- Display reason at info level
|
||||
if ngx.ctx.reason then
|
||||
if ctx.reason then
|
||||
logger:log(ngx.INFO, "client was denied with reason : " .. reason)
|
||||
end
|
||||
|
||||
-- Save ctx
|
||||
ngx.ctx = ctx
|
||||
|
||||
logger:log(ngx.INFO, "log_default phase ended")
|
||||
|
||||
}
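Review bot: The deny-reason log near the end of this handler tests `ctx.reason` and then concatenates a bare `reason`, which is not defined in the visible code, so the branch would raise on a nil concatenation if it were ever taken. `utils.get_reason` in this same commit reads `ctx.bw.reason`, which suggests the field lives under `bw` and the condition here never matches, so the denial reason never reaches the log. Suggested replacement: `if ctx.bw and ctx.bw.reason then` followed by `logger:log(ngx.INFO, "client was denied with reason : " .. ctx.bw.reason)`.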
|
||||
|
|
|
@ -13,7 +13,8 @@ logger:log(ngx.NOTICE, "init phase started")
|
|||
|
||||
-- Remove previous data from the datastore
|
||||
logger:log(ngx.NOTICE, "deleting old keys from datastore ...")
|
||||
local data_keys = {"^plugin", "^variable_", "^api_", "^misc_"}
|
||||
datastore:flush_lru()
|
||||
local data_keys = {"^plugin", "^misc_"}
|
||||
for i, key in pairs(data_keys) do
|
||||
local ok, err = datastore:delete_all(key)
|
||||
if not ok then
|
||||
|
@ -24,58 +25,6 @@ for i, key in pairs(data_keys) do
|
|||
end
|
||||
logger:log(ngx.NOTICE, "deleted old keys from datastore")
|
||||
|
||||
-- Load variables into the datastore
|
||||
logger:log(ngx.NOTICE, "saving variables into datastore ...")
|
||||
local file = io.open("/etc/nginx/variables.env")
|
||||
if not file then
|
||||
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
|
||||
return false
|
||||
end
|
||||
file:close()
|
||||
for line in io.lines("/etc/nginx/variables.env") do
|
||||
local variable, value = line:match("^([^=]+)=(.*)$")
|
||||
local ok, err = datastore:set("variable_" .. variable, value)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save variable " .. variable .. " into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.INFO, "saved variable " .. variable .. "=" .. value .. " into datastore")
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved variables into datastore")
|
||||
|
||||
-- Purge cache
|
||||
local cachestore = require "bunkerweb.cachestore":new(false, true)
|
||||
local ok, err = cachestore:purge()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
|
||||
end
|
||||
|
||||
-- Set API values into the datastore
|
||||
logger:log(ngx.NOTICE, "saving API values into datastore ...")
|
||||
local value, err = datastore:get("variable_USE_API")
|
||||
if not value then
|
||||
logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
if value == "yes" then
|
||||
local value, err = datastore:get("variable_API_WHITELIST_IP")
|
||||
if not value then
|
||||
logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
local whitelists = {}
|
||||
for whitelist in value:gmatch("%S+") do
|
||||
table.insert(whitelists, whitelist)
|
||||
end
|
||||
local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved API values into datastore")
|
||||
|
||||
-- Load plugins into the datastore
|
||||
logger:log(ngx.NOTICE, "saving plugins into datastore ...")
|
||||
local plugins = {}
|
||||
|
@ -87,7 +36,7 @@ for i, plugin_path in ipairs(plugin_paths) do
|
|||
if not ok then
|
||||
logger:log(ngx.ERR, plugin)
|
||||
else
|
||||
local ok, err = datastore:set("plugin_" .. plugin.id, cjson.encode(plugin))
|
||||
local ok, err = datastore:set("plugin_" .. plugin.id, plugin, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save " .. plugin.id .. " into datastore : " .. err)
|
||||
else
|
||||
|
@ -97,12 +46,70 @@ for i, plugin_path in ipairs(plugin_paths) do
|
|||
end
|
||||
end
|
||||
end
|
||||
local ok, err = datastore:set("plugins", cjson.encode(plugins))
|
||||
local ok, err = datastore:set("plugins", plugins, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
|
||||
-- Load variables into the datastore
|
||||
logger:log(ngx.NOTICE, "saving variables into datastore ...")
|
||||
local file = io.open("/etc/nginx/variables.env")
|
||||
if not file then
|
||||
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
|
||||
return false
|
||||
end
|
||||
file:close()
|
||||
local all_variables = {}
|
||||
for line in io.lines("/etc/nginx/variables.env") do
|
||||
local variable, value = line:match("^([^=]+)=(.*)$")
|
||||
all_variables[variable] = value
|
||||
end
|
||||
local ok, variables = helpers.load_variables(all_variables, plugins)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "error while loading variables : " .. variables)
|
||||
return false
|
||||
end
|
||||
local ok, err = datastore:set("variables", variables, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved variables into datastore")
|
||||
|
||||
-- Purge cache
|
||||
local cachestore = require "bunkerweb.cachestore":new(false, true)
|
||||
local ok, err = cachestore:purge()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
|
||||
end
|
||||
|
||||
-- Set API values into the datastore
|
||||
-- logger:log(ngx.NOTICE, "saving API values into datastore ...")
|
||||
-- local value, err = datastore:get("variable_USE_API")
|
||||
-- if not value then
|
||||
-- logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
|
||||
-- return false
|
||||
-- end
|
||||
-- if value == "yes" then
|
||||
-- local value, err = datastore:get("variable_API_WHITELIST_IP")
|
||||
-- if not value then
|
||||
-- logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
|
||||
-- return false
|
||||
-- end
|
||||
-- local whitelists = {}
|
||||
-- for whitelist in value:gmatch("%S+") do
|
||||
-- table.insert(whitelists, whitelist)
|
||||
-- end
|
||||
-- local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
|
||||
-- if not ok then
|
||||
-- logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
|
||||
-- return false
|
||||
-- end
|
||||
-- logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
|
||||
-- end
|
||||
-- logger:log(ngx.NOTICE, "saved API values into datastore")
|
||||
|
||||
logger:log(ngx.NOTICE, "saving plugins order into datastore ...")
|
||||
local ok, order = helpers.order_plugins(plugins)
|
||||
if not ok then
|
||||
|
@ -112,7 +119,7 @@ end
|
|||
for phase, id_list in pairs(order) do
|
||||
logger:log(ngx.NOTICE, "plugins order for phase " .. phase .. " : " .. cjson.encode(id_list))
|
||||
end
|
||||
local ok, err = datastore:set("plugins_order", cjson.encode(order))
|
||||
local ok, err = datastore:set("plugins_order", order, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins order into datastore : " .. err)
|
||||
return false
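Review bot: The loop that fills `all_variables` assigns `all_variables[variable] = value` without checking that the line matched. A blank or malformed line in `/etc/nginx/variables.env` leaves `variable` nil and aborts the init phase with a "table index is nil" error; guard it with `if variable then all_variables[variable] = value end`. The failure branch after `datastore:set("variables", ...)` logs `can't save plugins into datastore`, which looks copied from the plugins block and should name the variables. The large commented-out API whitelist block would be better removed than kept, because it obscures where `API_WHITELIST_IP` is enforced after this change.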
|
||||
|
|
|
@ -13,7 +13,8 @@ logger:log(ngx.NOTICE, "init-stream phase started")
|
|||
|
||||
-- Remove previous data from the datastore
|
||||
logger:log(ngx.NOTICE, "deleting old keys from datastore ...")
|
||||
local data_keys = {"^plugin", "^variable_", "^api_", "^misc_"}
|
||||
datastore:flush_lru()
|
||||
local data_keys = {"^plugin", "^misc_"}
|
||||
for i, key in pairs(data_keys) do
|
||||
local ok, err = datastore:delete_all(key)
|
||||
if not ok then
|
||||
|
@ -24,58 +25,6 @@ for i, key in pairs(data_keys) do
|
|||
end
|
||||
logger:log(ngx.NOTICE, "deleted old keys from datastore")
|
||||
|
||||
-- Load variables into the datastore
|
||||
logger:log(ngx.NOTICE, "saving variables into datastore ...")
|
||||
local file = io.open("/etc/nginx/variables.env")
|
||||
if not file then
|
||||
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
|
||||
return false
|
||||
end
|
||||
file:close()
|
||||
for line in io.lines("/etc/nginx/variables.env") do
|
||||
local variable, value = line:match("^([^=]+)=(.*)$")
|
||||
local ok, err = datastore:set("variable_" .. variable, value)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save variable " .. variable .. " into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.INFO, "saved variable " .. variable .. "=" .. value .. " into datastore")
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved variables into datastore")
|
||||
|
||||
-- Purge cache
|
||||
local cachestore = require "bunkerweb.cachestore":new(false, true)
|
||||
local ok, err = cachestore:purge()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
|
||||
end
|
||||
|
||||
-- Set API values into the datastore
|
||||
logger:log(ngx.NOTICE, "saving API values into datastore ...")
|
||||
local value, err = datastore:get("variable_USE_API")
|
||||
if not value then
|
||||
logger:log(ngx.ERR, "can't get variable USE_API from the datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
if value == "yes" then
|
||||
local value, err = datastore:get("variable_API_WHITELIST_IP")
|
||||
if not value then
|
||||
logger:log(ngx.ERR, "can't get variable API_WHITELIST_IP from the datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
local whitelists = {}
|
||||
for whitelist in value:gmatch("%S+") do
|
||||
table.insert(whitelists, whitelist)
|
||||
end
|
||||
local ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save API whitelist_ip to datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.INFO, "saved API whitelist_ip into datastore")
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved API values into datastore")
|
||||
|
||||
-- Load plugins into the datastore
|
||||
logger:log(ngx.NOTICE, "saving plugins into datastore ...")
|
||||
local plugins = {}
|
||||
|
@ -87,7 +36,7 @@ for i, plugin_path in ipairs(plugin_paths) do
|
|||
if not ok then
|
||||
logger:log(ngx.ERR, plugin)
|
||||
else
|
||||
local ok, err = datastore:set("plugin_" .. plugin.id, cjson.encode(plugin))
|
||||
local ok, err = datastore:set("plugin_" .. plugin.id, plugin, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save " .. plugin.id .. " into datastore : " .. err)
|
||||
else
|
||||
|
@ -97,12 +46,44 @@ for i, plugin_path in ipairs(plugin_paths) do
|
|||
end
|
||||
end
|
||||
end
|
||||
local ok, err = datastore:set("plugins", cjson.encode(plugins))
|
||||
local ok, err = datastore:set("plugins", plugins, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
|
||||
-- Load variables into the datastore
|
||||
logger:log(ngx.NOTICE, "saving variables into datastore ...")
|
||||
local file = io.open("/etc/nginx/variables.env")
|
||||
if not file then
|
||||
logger:log(ngx.ERR, "can't open /etc/nginx/variables.env file")
|
||||
return false
|
||||
end
|
||||
file:close()
|
||||
local all_variables = {}
|
||||
for line in io.lines("/etc/nginx/variables.env") do
|
||||
local variable, value = line:match("^([^=]+)=(.*)$")
|
||||
all_variables[variable] = value
|
||||
end
|
||||
local ok, variables = helpers.load_variables(all_variables, plugins)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "error while loading variables : " .. variables)
|
||||
return false
|
||||
end
|
||||
local ok, err = datastore:set("variables", variables, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins into datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger:log(ngx.NOTICE, "saved variables into datastore")
|
||||
|
||||
-- Purge cache
|
||||
local cachestore = require "bunkerweb.cachestore":new(false, true)
|
||||
local ok, err = cachestore:purge()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't purge cachestore : " .. err)
|
||||
end
|
||||
|
||||
logger:log(ngx.NOTICE, "saving plugins order into datastore ...")
|
||||
local ok, order = helpers.order_plugins(plugins)
|
||||
if not ok then
|
||||
|
@ -112,7 +93,7 @@ end
|
|||
for phase, id_list in pairs(order) do
|
||||
logger:log(ngx.NOTICE, "plugins order for phase " .. phase .. " : " .. cjson.encode(id_list))
|
||||
end
|
||||
local ok, err = datastore:set("plugins_order", cjson.encode(order))
|
||||
local ok, err = datastore:set("plugins_order", order, nil, true)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "can't save plugins order into datastore : " .. err)
|
||||
return false
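Review bot: In the new variables-loading loop, `line:match("^([^=]+)=(.*)$")` returns nil for any line of /etc/nginx/variables.env that is not `KEY=value` (a blank line, for example), and `all_variables[variable] = value` then raises "table index is nil". If the file ever contains such a line, the init-stream phase stops before the variables, the cache purge and the plugin order are stored. Guarding the assignment avoids that: `if variable then all_variables[variable] = value end`, ideally with a warning for the skipped line that does not print the value. Separately, the failure branch after `datastore:set("variables", variables, nil, true)` logs "can't save plugins into datastore", which points an operator at the wrong step; it should read `"can't save variables into datastore : " .. err`.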
|
||||
|
|
|
@ -57,7 +57,7 @@ local ready_work = function(premature)
|
|||
logger:log(ngx.INFO, "init_worker phase started")
|
||||
|
||||
-- Get plugins order
|
||||
local order, err = datastore:get("plugins_order")
|
||||
local order, err = datastore:get("plugins_order", true)
|
||||
if not order then
|
||||
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
|
||||
local ok, err = lock:unlock()
|
||||
|
@ -66,7 +66,6 @@ local ready_work = function(premature)
|
|||
end
|
||||
return
|
||||
end
|
||||
order = cjson.decode(order)
|
||||
|
||||
-- Call init_worker() methods
|
||||
logger:log(ngx.INFO, "calling init_worker() methods of plugins ...")
|
||||
|
|
|
@ -21,7 +21,7 @@ logger:log(ngx.INFO, "access phase started")
|
|||
|
||||
-- Fill ctx
|
||||
logger:log(ngx.INFO, "filling ngx.ctx ...")
|
||||
local ok, ret, errors = helpers.fill_ctx()
|
||||
local ok, ret, errors, ctx = helpers.fill_ctx()
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
|
||||
elseif errors then
|
||||
|
@ -32,23 +32,24 @@ end
|
|||
logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
|
||||
|
||||
-- Process bans as soon as possible
|
||||
local banned, reason, ttl = utils.is_banned(ngx.ctx.bw.remote_addr)
|
||||
if banned == nil then
|
||||
logger:log(ngx.ERR, "can't check if IP " .. ngx.ctx.bw.remote_addr .. " is banned : " .. reason)
|
||||
elseif banned then
|
||||
logger:log(ngx.WARN, "IP " .. ngx.ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
|
||||
return ngx.exit(utils.get_deny_status())
|
||||
else
|
||||
logger:log(ngx.INFO, "IP " .. ngx.ctx.bw.remote_addr .. " is not banned")
|
||||
if ctx.bw.is_whitelisted ~= "yes" then
|
||||
local banned, reason, ttl = utils.is_banned(ctx.bw.remote_addr)
|
||||
if banned == nil then
|
||||
logger:log(ngx.ERR, "can't check if IP " .. ctx.bw.remote_addr .. " is banned : " .. reason)
|
||||
elseif banned then
|
||||
logger:log(ngx.WARN, "IP " .. ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
|
||||
return ngx.exit(utils.get_deny_status(ctx))
|
||||
else
|
||||
logger:log(ngx.INFO, "IP " .. ctx.bw.remote_addr .. " is not banned")
|
||||
end
|
||||
end
|
||||
|
||||
-- Get plugins order
|
||||
local order, err = datastore:get("plugins_order")
|
||||
local order, err = datastore:get("plugins_order", true)
|
||||
if not order then
|
||||
logger:log(ngx.ERR, "can't get plugins order from datastore : " .. err)
|
||||
return
|
||||
end
|
||||
order = cjson.decode(order)
|
||||
|
||||
-- Call access() methods
|
||||
logger:log(ngx.INFO, "calling access() methods of plugins ...")
|
||||
|
@ -65,7 +66,7 @@ for i, plugin_id in ipairs(order.access) do
|
|||
-- Check if plugin has access method
|
||||
if plugin_lua.access ~= nil then
|
||||
-- New call
|
||||
local ok, plugin_obj = helpers.new_plugin(plugin_lua)
|
||||
local ok, plugin_obj = helpers.new_plugin(plugin_lua, ctx)
|
||||
if not ok then
|
||||
logger:log(ngx.ERR, plugin_obj)
|
||||
else
|
||||
|
@ -78,8 +79,8 @@ for i, plugin_id in ipairs(order.access) do
|
|||
logger:log(ngx.INFO, plugin_id .. ":access() call successful : " .. ret.msg)
|
||||
end
|
||||
if ret.status then
|
||||
if ret.status == utils.get_deny_status() then
|
||||
ngx.ctx.reason = plugin_id
|
||||
if ret.status == utils.get_deny_status(ctx) then
|
||||
ctx.bw.reason = plugin_id
|
||||
logger:log(ngx.WARN, "denied access from " .. plugin_id .. " : " .. ret.msg)
|
||||
else
|
||||
logger:log(ngx.NOTICE, plugin_id .. " returned status " .. tostring(ret.status) .. " : " .. ret.msg)
|
||||
|
@ -99,13 +100,8 @@ for i, plugin_id in ipairs(order.access) do
|
|||
end
|
||||
logger:log(ngx.INFO, "called access() methods of plugins")
|
||||
|
||||
-- Save session if needed
|
||||
-- local ok, err = utils.save_session()
|
||||
-- if not ok then
|
||||
-- logger:log(ngx.ERR, "can't save session : " .. err)
|
||||
-- else
|
||||
-- logger:log(ngx.INFO, "session save return : " .. err)
|
||||
-- end
|
||||
-- Save ctx
|
||||
ngx.ctx = ctx
|
||||
|
||||
logger:log(ngx.INFO, "access phase ended")
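Review bot: The ban check is now skipped whenever `ctx.bw.is_whitelisted` equals "yes", but nothing in the hunk says where that value comes from or how fresh it is; it is set outside the visible lines, presumably by `helpers.fill_ctx()` from an earlier whitelist decision. A stale or wrongly cached "yes" would let a banned address through before any plugin's access() has run, so the condition deserves a comment such as `-- whitelisted clients bypass bans; any value other than "yes" (nil included) keeps the ban check`. The skip should also be auditable, for example an `else` branch with `logger:log(ngx.INFO, "IP " .. ctx.bw.remote_addr .. " is whitelisted, ban check skipped")`. The first hunk only logs when `fill_ctx()` fails and the lines between the two hunks are not shown, so it is worth confirming that `ctx` can never be nil when `ctx.bw` is indexed here.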
|
||||
|
||||
|
|