add REDIRECT_TO_REQUEST_URI variable and edit environment variables docs
This commit is contained in:
parent
58f2926e95
commit
b13ff34569
|
@ -1 +1,5 @@
|
|||
{% if REDIRECT_TO_REQUEST_URI == "yes" %}
|
||||
return 301 {{ REDIRECT_TO }}$request_uri;
|
||||
{% else %}
|
||||
return 301 {{ REDIRECT_TO }};
|
||||
{% endif %}
|
||||
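Review bot: `return 301 {{ REDIRECT_TO }}$request_uri;` yields a double slash whenever `REDIRECT_TO` ends with `/` (e.g. `https://www.example.com/` followed by `/something`), and the `REDIRECT_TO` regex this commit keeps in settings.json, `^(https?://.+|.{0})$`, does not forbid a trailing slash. Either document that `REDIRECT_TO` must not end with `/` when `REDIRECT_TO_REQUEST_URI=yes`, or tighten that regex so the value cannot end with `/`. A short template comment above the branch, such as `# $request_uri keeps the original path and query string; REDIRECT_TO must not end with '/'`, would make the contract visible where the directive is emitted.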
|
|
|
@ -87,24 +87,42 @@ Default value : *8443*
|
|||
Context : *global*
|
||||
The HTTPS port number used by nginx inside the container.
|
||||
|
||||
`WORKER_CONNECTIONS`
|
||||
`WORKER_CONNECTIONS`
|
||||
Values : *\<any positive integer\>*
|
||||
Default value : 1024
|
||||
Context : *global*
|
||||
Sets the value of the [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive.
|
||||
|
||||
`WORKER_RLIMIT_NOFILE`
|
||||
`WORKER_RLIMIT_NOFILE`
|
||||
Values : *\<any positive integer\>*
|
||||
Default value : 2048
|
||||
Context : *global*
|
||||
Sets the value of the [worker_rlimit_nofile](https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) directive.
|
||||
|
||||
`WORKER_PROCESSES`
|
||||
Values : *\<any positive integer or auto\>*
|
||||
Default value : auto
|
||||
Context : *global*
|
||||
Sets the value of the [worker_processes](https://nginx.org/en/docs/ngx_core_module.html#worker_processes) directive.
|
||||
|
||||
`INJECT_BODY`
|
||||
Values : *\<any HTML code\>*
|
||||
Values : *\<any HTML code\>*
|
||||
Default value :
|
||||
Context : *global*, *multisite*
|
||||
Use this variable to inject any HTML code you want before the \</body\> tag (e.g. : `\<script src="https://..."\>`)
|
||||
|
||||
`REDIRECT_TO`
|
||||
Values : *\<any valid absolute URI\>*
|
||||
Default value :
|
||||
Context : *global*, *multisite*
|
||||
Use this variable if you want to redirect one server to another (e.g., redirect apex to www : `REDIRECT_TO=https://www.example.com`).
|
||||
|
||||
`REDIRECT_TO_REQUEST_URI`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*, *multisite*
|
||||
When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something).
|
||||
|
||||
### Information leak
|
||||
|
||||
`SERVER_TOKENS`
|
||||
|
@ -397,6 +415,12 @@ Default value : *contact@first-domain-in-server-name*
|
|||
Context : *global*, *multisite*
|
||||
Define the contact email address declare in the certificate.
|
||||
|
||||
`USE_LETS_ENCRYPT_STAGING`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*, *multisite*
|
||||
When set to yes, it tells certbot to use the [staging environment](https://letsencrypt.org/docs/staging-environment/) for Let's Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.
|
||||
|
||||
### HTTP
|
||||
|
||||
`LISTEN_HTTP`
|
||||
|
@ -527,6 +551,8 @@ Sets the value of the [SecAuditEngine directive](https://github.com/SpiderLabs/M
|
|||
|
||||
## Security headers
|
||||
|
||||
If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
|
||||
|
||||
`X_FRAME_OPTIONS`
|
||||
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
|
||||
Default value : *DENY*
|
||||
|
@ -851,6 +877,18 @@ Default value : */app*
|
|||
Context : *global*, *multisite*
|
||||
The path where the PHP files are located inside the server specified in `REMOTE_PHP`.
|
||||
|
||||
`LOCAL_PHP`
|
||||
Values : *\<any valid absolute path\>*
|
||||
Default value :
|
||||
Context : *global*, *multisite*
|
||||
Set the absolute path of the unix socket file of a local PHP-FPM instance to execute .php files.
|
||||
|
||||
`LOCAL_PHP_PATH`
|
||||
Values : *\<any valid absolute path\>*
|
||||
Default value : */app*
|
||||
Context : *global*, *multisite*
|
||||
The path where the PHP files are located inside the server specified in `LOCAL_PHP`.
|
||||
|
||||
## Bad behavior
|
||||
|
||||
`USE_BAD_BEHAVIOR`
|
||||
|
@ -915,22 +953,34 @@ Choose authentication mode : show a web page (`portal`) or a simple auth basic p
|
|||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*
|
||||
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
|
||||
Only set to *yes* when you use *bunkerized-nginx* with Docker Swarm integration.
|
||||
|
||||
`KUBERNETES_MODE`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*
|
||||
Only set to *yes* when you use bunkerized-nginx with Kubernetes integration.
|
||||
|
||||
`USE_API`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
Context : *global*
|
||||
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
|
||||
Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.
|
||||
|
||||
`API_URI`
|
||||
Values : *random* | *\<any valid URI path\>*
|
||||
Default value : *random*
|
||||
Context : *global*
|
||||
Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
|
||||
Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.
|
||||
|
||||
`API_WHITELIST_IP`
|
||||
Values : *\<list of IP/CIDR separated with space\>*
|
||||
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
|
||||
Context : *global*
|
||||
List of IP/CIDR block allowed to send API order using the `API_URI` uri.
|
||||
|
||||
`USE_REDIS`
|
||||
Undocumented. Reserved for future use.
|
||||
|
||||
`REDIS_HOST`
|
||||
Undocumented. Reserved for future use.
|
||||
|
|
|
@ -87,6 +87,8 @@ Some important HTTP headers related to client security are sent with a default v
|
|||
|
||||
You can also remove headers (e.g., too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
|
||||
|
||||
If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
|
||||
|
||||
## ModSecurity
|
||||
|
||||
ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within bunkerized-nginx. To change this behaviour you can use the `USE_MODSECURITY=no` or `USE_MODSECURITY_CRS=no` environment variables.
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
import json
|
||||
|
||||
with open("settings.json") as f :
|
||||
data = json.loads(f.read())
|
||||
|
||||
with open("docs/environment_variables.md") as f :
|
||||
docs = f.read()
|
||||
|
||||
output = ""
|
||||
for cat in data :
|
||||
for param in data[cat]["params"] :
|
||||
if param["type"] == "multiple" :
|
||||
params = param["params"]
|
||||
else :
|
||||
params = [param]
|
||||
for true_param in params :
|
||||
if not true_param["env"] in docs :
|
||||
print("Missing variable in category " + cat + " : " + true_param["env"] + "=" + true_param["default"])
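Review bot: `if not true_param["env"] in docs :` is a raw substring test, so a variable whose name is a prefix of another documented one is never reported: `REDIRECT_TO` is matched by `REDIRECT_TO_REQUEST_URI` and `LOCAL_PHP` by `LOCAL_PHP_PATH`, both present in this commit. The docs wrap each name in backticks on its own line, so checking the delimited form, `if "`" + true_param["env"] + "`" not in docs :`, closes that gap without changing the script's output format. The string concatenation in the `print` presumes `true_param["default"]` is always a string; the settings.json entries shown here use strings, but a non-string default would raise `TypeError` rather than report the variable. Minor idiom: `data = json.load(f)` replaces `json.loads(f.read())`.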
|
|
@ -66,11 +66,6 @@
|
|||
#BROTLI_MIN_LENGTH=1000
|
||||
#BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
|
||||
|
||||
# CrowdSec
|
||||
#USE_CROWDSEC=no
|
||||
#CROWDSEC_HOST=
|
||||
#CROWDSEC_KEY=
|
||||
|
||||
# DNSBL
|
||||
#USE_DNSBL=yes
|
||||
#DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
|
||||
|
@ -78,6 +73,7 @@
|
|||
# HTTPS
|
||||
#AUTO_LETS_ENCRYPT=no
|
||||
#EMAIL_LETS_ENCRYPT=
|
||||
#USE_LETS_ENCRYPT_STAGING=no
|
||||
#REDIRECT_HTTP_TO_HTTPS=no
|
||||
#HTTP2=yes
|
||||
#HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
|
||||
|
@ -123,11 +119,13 @@
|
|||
#LIMIT_REQ_CACHE=10m
|
||||
|
||||
# Misc
|
||||
#SERVER_NAME=www.bunkerity.com
|
||||
#SERVER_NAME=www.example.com
|
||||
#MAX_CLIENT_SIZE=10m
|
||||
#ALLOWED_METHODS=GET|POST|HEAD
|
||||
#SERVE_FILES=yes
|
||||
#INJECT_BODY=
|
||||
#REDIRECT_TO=
|
||||
#REDIRECT_TO_REQUEST_URI=no
|
||||
|
||||
# ModSecurity
|
||||
#USE_MODSECURITY=yes
|
||||
|
@ -137,6 +135,8 @@
|
|||
# PHP
|
||||
#REMOTE_PHP=
|
||||
#REMOTE_PHP_PATH=/app
|
||||
#LOCAL_PHP=
|
||||
#LOCAL_PHP_PATH=/app
|
||||
|
||||
# Reverse proxy
|
||||
#USE_REVERSE_PROXY=no
|
||||
|
@ -156,11 +156,14 @@
|
|||
#BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
|
||||
#BAD_BEHAVIOR_THRESHOLD=10
|
||||
|
||||
# API
|
||||
# Internal
|
||||
#USE_API=no
|
||||
#API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
|
||||
#API_URI=random
|
||||
#SWARM_MODE=no
|
||||
#KUBERNETES_MODE=no
|
||||
#USE_REDIS=no
|
||||
#REDIS_HOST=
|
||||
|
||||
# nginx
|
||||
#MULTISITE=no
|
||||
|
@ -174,12 +177,15 @@
|
|||
#HTTPS_PORT=8443
|
||||
#WORKER_RLIMIT_NOFILE=2048
|
||||
#WORKER_CONNECTIONS=1024
|
||||
#WORKER_PROCESSES=auto
|
||||
|
||||
# Whitelist
|
||||
#USE_WHITELIST_IP=yes
|
||||
#WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
|
||||
#USE_WHITELIST_REVERSE=yes
|
||||
#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
|
||||
#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
|
||||
#WHITELIST_COUNTRY=
|
||||
#WHITELIST_USER_AGENT=
|
||||
#WHITELIST_URI=
|
||||
|
||||
|
||||
|
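Review bot: In the `# Internal` hunk, `#USE_REDIS=no` and `#REDIS_HOST=` are added to the example environment file while docs/environment_variables.md in the same commit describes both as "Undocumented. Reserved for future use.", so the example advertises settings the documentation says not to use. Either leave them out of the example until they are documented, or mark them in place with a comment such as `# USE_REDIS / REDIS_HOST are reserved for future use, see docs/environment_variables.md`. The header rename from `# API` to `# Internal` also drops the only hint that `USE_API`, `API_URI` and `API_WHITELIST_IP` configure a network-reachable control endpoint; keeping `# API` in the comment, e.g. `# Internal (API, Swarm/Kubernetes, Redis)`, preserves that cue.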
|
|
@ -534,7 +534,7 @@
|
|||
"env": "EMAIL_LETS_ENCRYPT",
|
||||
"id": "email-lets-encrypt",
|
||||
"label": "Email lets encrypt",
|
||||
"regex": "^([a-z0-9\\-\\.]+@[a-z\\-0-9\\.]+|.{0})$",
|
||||
"regex": "^([a-z0-9\\-\\._]+@[a-z\\-0-9\\.]+|.{0})$",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
|
@ -939,6 +939,15 @@
|
|||
"label": "Redirect every requests to another web service",
|
||||
"regex": "^(https?://.+|.{0})$",
|
||||
"type": "text"
|
||||
},
|
||||
{
|
||||
"context": "multisite",
|
||||
"default": "no",
|
||||
"env": "REDIRECT_TO_REQUEST_URI",
|
||||
"id": "redirect-to-request-uri",
|
||||
"label": "Append the requested path when redirecting",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "checkbox"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -1375,7 +1384,7 @@
|
|||
},
|
||||
{
|
||||
"context": "multisite",
|
||||
"default": ".googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net",
|
||||
"default": ".googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net",
|
||||
"env": "WHITELIST_REVERSE_LIST",
|
||||
"id": "whitelist-reverse-list",
|
||||
"label": "Whitelist reverse list",
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
function cleanup() {
|
||||
docker kill "$1"
|
||||
docker volume rm "linux-tmp"
|
||||
}
|
||||
|
||||
image="$1"
|
||||
|
@ -11,8 +12,15 @@ if [ "$3" == "no" ] ; then
|
|||
do_cleanup="no"
|
||||
fi
|
||||
|
||||
echo "[*] Create volume"
|
||||
docker volume create linux-tmp
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker volume failed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[*] Run $image"
|
||||
id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" "$image" /sbin/init)"
|
||||
id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" -v linux-tmp:/tmp "$image" /sbin/init)"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] docker run failed"
|
||||
cleanup "$name"
|
||||
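Review bot: `docker volume create linux-tmp` followed by `if [ $? -ne 0 ]` does not detect a volume left behind by an earlier aborted run, because creating an already-existing named volume succeeds, so the new `-v linux-tmp:/tmp` mount can carry `/tmp` state from a previous test into this one. Removing any stale volume first, `docker volume rm linux-tmp >/dev/null 2>&1`, before the `docker volume create` line makes each run start clean; the fixed name also means two concurrent invocations of this script would share one volume, which a per-run name such as `linux-tmp-$name` would avoid. In `cleanup()`, `docker volume rm "linux-tmp"` runs right after `docker kill "$1"` on a container started with `--rm`; if the container has not been removed yet the volume removal may fail as in use, which appears unhandled — worth confirming. The script continues outside this hunk, so the later `cleanup` call on the volume path is not visible here.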
|
|