add REDIRECT_TO_REQUEST_URI variable and edit environment variables docs

2021-08-20 14:59:16 +02:00 · 2021-08-20 14:59:16 +02:00 · b13ff34569
parent 58f2926e95
commit b13ff34569
7 changed files with 116 additions and 17 deletions
--- a/confs/site/redirect-to.conf
+++ b/confs/site/redirect-to.conf
@ -1 +1,5 @@
+{% if REDIRECT_TO_REQUEST_URI == "yes" %}
 return 301 {{ REDIRECT_TO }}$request_uri;
+{% else %}
+return 301 {{ REDIRECT_TO }};
+{% endif %}
--- a/docs/environment_variables.md
+++ b/docs/environment_variables.md
@ -87,24 +87,42 @@ Default value : *8443*
 Context : *global*  
 The HTTPS port number used by nginx inside the container.

-`WORKER_CONNECTIONS`
+`WORKER_CONNECTIONS`  
 Values : *\<any positive integer\>*  
 Default value : 1024  
 Context : *global*  
 Sets the value of the [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive.

-`WORKER_RLIMIT_NOFILE`
+`WORKER_RLIMIT_NOFILE`  
 Values : *\<any positive integer\>*  
 Default value : 2048  
 Context : *global*  
 Sets the value of the [worker_rlimit_nofile](https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) directive.

+`WORKER_PROCESSES`  
+Values : *\<any positive integer or auto\>*  
+Default value : auto  
+Context : *global*  
+Sets the value of the [worker_processes](https://nginx.org/en/docs/ngx_core_module.html#worker_processes) directive.
+
 `INJECT_BODY`  
-Values : *\<any HTML code\>*
+Values : *\<any HTML code\>*  
 Default value :  
 Context : *global*, *multisite*  
 Use this variable to inject any HTML code you want before the \</body\> tag (e.g. : `\<script src="https://..."\>`)

+`REDIRECT_TO`  
+Values : *\<any valid absolute URI\>*  
+Default value :  
+Context : *global*, *multisite*  
+Use this variable if you want to redirect one server to another (e.g., redirect apex to www : `REDIRECT_TO=https://www.example.com`).
+
+`REDIRECT_TO_REQUEST_URI`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something).
+
 ### Information leak

 `SERVER_TOKENS`  
@ -397,6 +415,12 @@ Default value : *contact@first-domain-in-server-name*
 Context : *global*, *multisite*  
 Define the contact email address declare in the certificate.

+`USE_LETS_ENCRYPT_STAGING`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*, *multisite*  
+When set to yes, it tells certbot to use the [staging environment](https://letsencrypt.org/docs/staging-environment/) for Let's Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.
+
 ### HTTP

 `LISTEN_HTTP`  
@ -527,6 +551,8 @@ Sets the value of the [SecAuditEngine directive](https://github.com/SpiderLabs/M

 ## Security headers

+If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
+
 `X_FRAME_OPTIONS`  
 Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
 Default value : *DENY*  
@ -851,6 +877,18 @@ Default value : */app*
 Context : *global*, *multisite*  
 The path where the PHP files are located inside the server specified in `REMOTE_PHP`.

+`LOCAL_PHP`  
+Values : *\<any valid absolute path\>*  
+Default value :  
+Context : *global*, *multisite*  
+Set the absolute path of the unix socket file of a local PHP-FPM instance to execute .php files.
+
+`LOCAL_PHP_PATH`  
+Values : *\<any valid absolute path\>*  
+Default value : */app*  
+Context : *global*, *multisite*  
+The path where the PHP files are located inside the server specified in `LOCAL_PHP`.
+
 ## Bad behavior

 `USE_BAD_BEHAVIOR`  
@ -915,22 +953,34 @@ Choose authentication mode : show a web page (`portal`) or a simple auth basic p
 Values : *yes* | *no*  
 Default value : *no*  
 Context : *global*  
-Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+Only set to *yes* when you use *bunkerized-nginx* with Docker Swarm integration.
+
+`KUBERNETES_MODE`  
+Values : *yes* | *no*  
+Default value : *no*  
+Context : *global*  
+Only set to *yes* when you use bunkerized-nginx with Kubernetes integration.

 `USE_API`  
 Values : *yes* | *no*  
 Default value : *no*  
 Context : *global*  
-Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.

 `API_URI`  
 Values : *random* | *\<any valid URI path\>*  
 Default value : *random*  
 Context : *global*  
-Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode).
+Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.

 `API_WHITELIST_IP`  
 Values : *\<list of IP/CIDR separated with space\>*  
 Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*  
 Context : *global*  
 List of IP/CIDR block allowed to send API order using the `API_URI` uri.
+
+`USE_REDIS`  
+Undocumented. Reserved for future use.
+
+`REDIS_HOST`  
+Undocumented. Reserved for future use.
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@ -87,6 +87,8 @@ Some important HTTP headers related to client security are sent with a default v

 You can also remove headers (e.g., too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).

+If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
+
 ## ModSecurity

 ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within bunkerized-nginx. To change this behaviour you can use the `USE_MODSECURITY=no` or `USE_MODSECURITY_CRS=no` environment variables.
--- a/misc/set2doc.py
+++ b/misc/set2doc.py
@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+import json
+
+with open("settings.json") as f :
+	data = json.loads(f.read())
+
+with open("docs/environment_variables.md") as f :
+	docs = f.read()
+
+output = ""
+for cat in data :
+	for param in data[cat]["params"] :
+		if param["type"] == "multiple" :
+			params = param["params"]
+		else :
+			params = [param]
+		for true_param in params :
+			if not true_param["env"] in docs :
+				print("Missing variable in category " + cat + " : " + true_param["env"] + "=" + true_param["default"])
--- a/misc/variables.env
+++ b/misc/variables.env
@ -66,11 +66,6 @@
 #BROTLI_MIN_LENGTH=1000
 #BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml

-# CrowdSec
-#USE_CROWDSEC=no
-#CROWDSEC_HOST=
-#CROWDSEC_KEY=
-
 # DNSBL
 #USE_DNSBL=yes
 #DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
@ -78,6 +73,7 @@
 # HTTPS
 #AUTO_LETS_ENCRYPT=no
 #EMAIL_LETS_ENCRYPT=
+#USE_LETS_ENCRYPT_STAGING=no
 #REDIRECT_HTTP_TO_HTTPS=no
 #HTTP2=yes
 #HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
@ -123,11 +119,13 @@
 #LIMIT_REQ_CACHE=10m

 # Misc
-#SERVER_NAME=www.bunkerity.com
+#SERVER_NAME=www.example.com
 #MAX_CLIENT_SIZE=10m
 #ALLOWED_METHODS=GET|POST|HEAD
 #SERVE_FILES=yes
 #INJECT_BODY=
+#REDIRECT_TO=
+#REDIRECT_TO_REQUEST_URI=no

 # ModSecurity
 #USE_MODSECURITY=yes
@ -137,6 +135,8 @@
 # PHP
 #REMOTE_PHP=
 #REMOTE_PHP_PATH=/app
+#LOCAL_PHP=
+#LOCAL_PHP_PATH=/app

 # Reverse proxy
 #USE_REVERSE_PROXY=no
@ -156,11 +156,14 @@
 #BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
 #BAD_BEHAVIOR_THRESHOLD=10

-# API
+# Internal
 #USE_API=no
 #API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
 #API_URI=random
 #SWARM_MODE=no
+#KUBERNETES_MODE=no
+#USE_REDIS=no
+#REDIS_HOST=

 # nginx
 #MULTISITE=no
@ -174,12 +177,15 @@
 #HTTPS_PORT=8443
 #WORKER_RLIMIT_NOFILE=2048
 #WORKER_CONNECTIONS=1024
+#WORKER_PROCESSES=auto

 # Whitelist
 #USE_WHITELIST_IP=yes
 #WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
 #USE_WHITELIST_REVERSE=yes
-#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
+#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
 #WHITELIST_COUNTRY=
 #WHITELIST_USER_AGENT=
 #WHITELIST_URI=
+
+
--- a/settings.json
+++ b/settings.json
@ -534,7 +534,7 @@
                "env": "EMAIL_LETS_ENCRYPT",
                "id": "email-lets-encrypt",
                "label": "Email lets encrypt",
-                "regex": "^([a-z0-9\\-\\.]+@[a-z\\-0-9\\.]+|.{0})$",
+                "regex": "^([a-z0-9\\-\\._]+@[a-z\\-0-9\\.]+|.{0})$",
                "type": "text"
            },
            {
@ -939,6 +939,15 @@
                "label": "Redirect every requests to another web service",
                "regex": "^(https?://.+|.{0})$",
                "type": "text"
+            },
+            {
+                "context": "multisite",
+                "default": "no",
+                "env": "REDIRECT_TO_REQUEST_URI",
+                "id": "redirect-to-request-uri",
+                "label": "Append the requested path when redirecting",
+                "regex": "^(yes|no)$",
+                "type": "checkbox"
            }
        ]
    },
@ -1375,7 +1384,7 @@
            },
            {
                "context": "multisite",
-                "default": ".googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net",
+                "default": ".googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net",
                "env": "WHITELIST_REVERSE_LIST",
                "id": "whitelist-reverse-list",
                "label": "Whitelist reverse list",
--- a/tests/linux-run.sh
+++ b/tests/linux-run.sh
@ -2,6 +2,7 @@

 function cleanup() {
 	docker kill "$1"
+	docker volume rm "linux-tmp"
 }

 image="$1"
@ -11,8 +12,15 @@ if [ "$3" == "no" ] ; then
 	do_cleanup="no"
 fi

+echo "[*] Create volume"
+docker volume create linux-tmp
+if [ $? -ne 0 ] ; then
+	echo "[!] docker volume failed"
+	exit 1
+fi
+
 echo "[*] Run $image"
-id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" "$image" /sbin/init)"
+id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" -v linux-tmp:/tmp "$image" /sbin/init)"
 if [ $? -ne 0 ] ; then
 	echo "[!] docker run failed"
 	cleanup "$name"