fix regex checks with *_CUSTOM_CONF_* setting, add doc about DENY_STATUS_CODE

bunkerity 2022-07-07 16:23:00 +02:00
parent 5586b3733b
commit afdd4de5a4
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
3 changed files with 12 additions and 3 deletions


@ -6,7 +6,7 @@
- Fix ui.env not read when using Linux integration
- Fix check if BunkerNet is activated on default server
- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value
- Add DENY_HTTP_STATUS setting to choose standard 403 error (default) or to close connection (444)
- Add DENY_HTTP_STATUS setting to choose standard 403 error (default) or to close connection (444) when access is denied
- Add documentation about Docker in rootless mode and podman
- Migrate CI/CD to another provider
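
Review bot: The setting name in the reworded changelog entry, DENY_HTTP_STATUS, does not match the name used in the commit message and in the documentation added by this same commit, which both say DENY_STATUS_CODE. Only one of the two can be the name the code actually reads, so please align the changelog entry and the docs on that name; a user who copies the wrong one will get the default 403 behaviour with no error to tell them why.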


@ -7,6 +7,15 @@ BunkerWeb offers many security features that you can configure with [settings](/
## HTTP protocol
### Deny status code
The first thing to define is the kind of action to do when a client access is denied. You can control the action with the `DENY_STATUS_CODE` setting which allows the following values :
- `403` : send a "classical" Forbidden HTTP status code (a web page or custom content will be displayed)
- `444` : close the connection (no web page or custom content will be displayed)
The default value is `403` and we suggest you to set it to `444` only if you already fixed a lot of false positive, you are familiar with BunkerWeb and want a higher level of security.
### Default server
In the HTTP protocol, the Host header is used to determine which server the client wants to send the request to. That header is facultative and may be missing from the request or can be set as an unknown value. This is a common case, a lot of bots are scanning the Internet and are trying to exploit services or simply doing some fingerprinting.
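
Review bot: The closing paragraph of the new "Deny status code" section has wording slips that blur the recommendation: "a lot of false positive" should read "a lot of false positives", and "we suggest you to set it to `444`" should read "we suggest setting it to `444`". It would also help to state the reason for the caution in that sentence: as the `444` list item says, no web page or custom content is displayed, so a legitimate client that is wrongly denied only sees a closed connection and gets nothing it can report back to the administrator.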


@ -49,9 +49,9 @@ if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF
for var_name in $(python3 -c 'import os ; [print(k) for k in os.environ]') ; do
extracted=$(echo "$var_name" | sed -r 's/^([0-9a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*)$/\1 \2 \3/g')
site=$(echo "$extracted" | cut -d ' ' -f 1)
type=$(echo "$extracted" | cut -d ' ' -f 2 | grep -E '(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)' | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
type=$(echo "$extracted" | cut -d ' ' -f 2 | grep -E '^(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)$' | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
name=$(echo "$extracted" | cut -d ' ' -f 3)
if [ "$type" = "" ] || [ "$name" = "" ] ; then
if [ "$name" = "" ] || [ "$(echo -n "$type" | grep -E '^(http|default-server-http|server-http|modsec|modsec-crs)$')" = "" ] ; then
continue
fi
target="/data/configs/${type}/"
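
Review bot: The new allow-list check on the `if` line expects `default-server-http`, but the `type=` pipeline ends in `sed 's/_/-/'` without the `g` flag, so `DEFAULT_SERVER_HTTP` becomes `default-server_http` and is now silently skipped by `continue`. With the old `[ "$type" = "" ]` test that value passed through (into a `default-server_http` directory); with the stricter check every `*_CUSTOM_CONF_DEFAULT_SERVER_HTTP_*` variable is dropped. Changing the last stage to `sed 's/_/-/g'` fixes it, and the other types are unaffected because they contain at most one underscore. Separately, when the `sed -r` expression does not match, `$extracted` has no spaces and `cut -d ' ' -f N` returns the whole line for every field, which is why an anchored check is needed at all; using `cut -s` would make non-matching variables yield empty fields and lets the `name` test reject them directly.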