docs - last polish

bunkerity 2023-04-28 15:06:06 +02:00
parent f5c28b27df
commit bbaaad8487
30 changed files with 255 additions and 690 deletions

@ -34,7 +34,7 @@ Here is a non-exhaustive list of what you can do :
- Follow us on [LinkedIn](https://www.linkedin.com/company/bunkerity/), [Twitter](https://twitter.com/bunkerity) and [GitHub](https://github.com/bunkerity)
- Report bugs and propose new features using [issues](https://github.com/bunkerity/bunkerweb/issues)
- Contribute to the code using [pull requests](https://github.com/bunkerity/bunkerweb/pulls)
- Write an awesome [plugin](/1.4/plugins)
- Write an awesome [plugin](/1.5.0-beta/plugins)
- Talk about BunkerWeb to your friends/colleagues, on social media, on your blog, ...
## How to report security issue ?

@ -1,441 +0,0 @@
****** INTEGRATIONS ******
=== "RHEL"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.20.2 :
```shell
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.5.0-beta :
```shell
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
rpm -Uvh epel-release*rpm && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
## Vagrant
<figure markdown>
![Overwiew](assets/img/integration-ansible.svg){ align=center }
<figcaption>Vagrant integration</figcaption>
</figure>
List of supported Linux distros :
- Ubuntu 22.04 "Jammy"
[Vagrant](https://www.vagrantup.com/docs) is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the "works on my machine" excuse a relic of the past.
A specific BunkerWeb box is available on vagrantup.
First of all download the box from vagrantup : ```shell vagrant box add bunkerity/bunkerity```
Then an list of boxes should appear, select the one whith your provider (virtualbox, vmware, libvirt).
This will download the box named bunkerity/bunkerity from [HashiCorp's Vagrant Cloud box catalog](https://vagrantcloud.com/boxes/search), where you can find and host boxes.
Now you've added a box to Vagrant either by initializing or adding it explicitly, you need to configure your project to use it as a base.
For initializing a new Vagrant project, you can use the `vagrant init bunkerity/bunkerity` command. This will create a Vagrantfile in the current directory.
Open the Vagrantfile and replace the contents with the following.
```shell
Vagrant.configure("2") do |config|
config.vm.box = "bunkerity/bunkerity"
end
```
Vagrant will automatically download the box in his latest version and add it to your Vagrant environment. If you want to use a specific version of the box, you can use the `config.vm.box_version` option.
For exemple:
```shell
Vagrant.configure("2") do |config|
config.vm.box = "bunkerity/bunkerity"
config.vm.box_version = "1.4.2"
end
```
Now you can start the box :
```shell
vagrant up
```
And then connect to it :
```shell
vagrant ssh
```
****** QUICKSTART ******
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1
```
Configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file.
Connect to your vagrant machine :
```shell
vagrant ssh
```
And then you can edit the `variables.env` file in your host machine like this :
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
REVERSE_PROXY_HOST=http://127.0.0.1:8000
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#Vagrant) stack running on your machine with some web applications running on the same machine as BunkerWeb.
Let's assume that you have some web applications running on the same machine as BunkerWeb :
=== "App #1"
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8001
```
=== "App #2"
The following command will run a basic HTTP server on the port 8002 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8002
```
=== "App #3"
The following command will run a basic HTTP server on the port 8003 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8003
```
Connect to your vagrant machine :
```shell
vagrant ssh
```
Configuration of BunkerWeb is done by editing the /etc/bunkerweb/variables.env file :
```conf
SERVER_NAME=app1.example.com app2.example.com app3.example.com
HTTP_PORT=80
HTTPS_PORT=443
MULTISITE=yes
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
app1.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8001
app2.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8002
app3.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8003
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=X-Forwarded-For
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
USE_PROXY_PROTOCOL=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=proxy_protocol
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions :
```shell
chown -R root:nginx /etc/bunkerweb/configs && \
chmod -R 770 /etc/bunkerweb/configs
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP application. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/var/www/html/
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP applications : each application will be in its own subfolder named the same as the primary server name. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=app1.example.com app2.example.com app3.example.com
MULTISITE=yes
AUTO_LETS_ENCRYPT=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
****** PLUGINS ******
=== "Vagrant"
When using the [Linux integration](/1.4/integrations/#linux), plugins must be written to the `/etc/bunkerweb/plugins` folder :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins && \
cp -rp ./bunkerweb-plugins/* /data/plugins
```
****** UI ******
=== "Vagrant"
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
The first thing to do is to edit the BunkerWeb configuration located at **/etc/bunkerweb/variables.env** to add settings related to the web UI :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
...
SERVER_NAME=bwadm.example.com
MULTISITE=yes
USE_API=yes
API_WHITELIST_IP=127.0.0.0/8
bwadm.example.com_USE_UI=yes
bwadm.example.com_USE_REVERSE_PROXY=yes
bwadm.example.com_REVERSE_PROXY_URL=/changeme/
bwadm.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
...
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace the `/changeme` URLs with a custom one of your choice
Once the configuration file is edited, you will need to restart BunkerWeb :
```shell
systemctl restart bunkerweb
```
You can edit the **/etc/bunkerweb/ui.env** file containing the settings of the web UI :
```conf
ADMIN_USERNAME=admin
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
```
Important things to note :
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in **/etc/bunkerweb/variables.env**)
* replace the username `admin` and password `changeme` with strong ones
Restart the BunkerWeb UI service and you are now ready to access it :
```shell
systemctl restart bunkerweb-ui
```
****** TROUBLE ******
=== "Vagrant"
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
```
=== "Vagrant"
You can use the `bwcli` command (as root) :
```shell
sudo bwcli unban 1.2.3.4
```
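Review bot: this deletion drops the whole file of Vagrant tabs, yet the integrations index changed later in this commit still lists `[Vagrant](/1.5.0-beta/integrations/#vagrant)` as officially supported, so please confirm each tab now exists in the published pages before the notes go. If any of this text was copied over, three inconsistencies in it should be fixed on the way: the file is called `/etc/bunkerweb/variables.env` in most places but `/etc/bunkerweb/variable.env` in the PHP tabs, the plugins tab says `/etc/bunkerweb/plugins` while its command copies to `/data/plugins`, and the UI notes mix `bwadm.example.com` with `bwadmin.example.com`.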

@ -13,7 +13,7 @@ The following integrations are officially supported :
- [Docker](/1.5.0-beta/integrations/#docker)
- [Docker autoconf](/1.5.0-beta/integrations/#docker-autoconf)
- [Swarm](/1.5.0-beta/integrations/#swarm)
- [Kubernetes](/1.4/integrations/#kubernetes)
- [Kubernetes](/1.5.0-beta/integrations/#kubernetes)
- [Linux](/1.5.0-beta/integrations/#linux)
- [Ansible](/1.5.0-beta/integrations/#ansible)
- [Vagrant](/1.5.0-beta/integrations/#vagrant)
@ -44,7 +44,7 @@ USE_BROTLI=no
!!! info "Going further"
The complete list of available settings with descriptions and possible values is available in the [settings section](/1.4/settings) of the documentation.
The complete list of available settings with descriptions and possible values is available in the [settings section](/1.5.0-beta/settings) of the documentation.
!!! info "Settings generator tool"
@ -79,7 +79,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "Going further"
You will find concrete examples of multisite mode in the [quickstart guide](/1.5.0-beta/quickstart-guide) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/master/examples) directory of the repository.
You will find concrete examples of multisite mode in the [quickstart guide](/1.5.0-beta/quickstart-guide) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/examples) directory of the repository.
## Custom configurations
@ -91,7 +91,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
!!! info "Going further"
You will find concrete examples of custom configurations in the [quickstart guide](/1.5.0-beta/quickstart-guide) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/master/examples) directory of the repository.
You will find concrete examples of custom configurations in the [quickstart guide](/1.5.0-beta/quickstart-guide) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/examples) directory of the repository.
## Database

@ -30,7 +30,7 @@ Docker integration key concepts are :
- **Networks** to expose ports for clients and connect to upstream web services
!!! info "Database backend"
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/dev/misc/integrations) folder of the repostiory for more information.
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) folder of the repostiory for more information.
### Environment variables
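Review bot: the rewritten "Database backend" line still reads "[misc/integrations folder](...) folder of the repostiory", with "folder" doubled and "repository" misspelled. Since this is the polish pass and the line is being touched anyway, fix both here and in the other "Database backend" admonitions changed further down (Docker autoconf, Swarm, Kubernetes), which carry the same wording.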
@ -52,7 +52,7 @@ services:
Please note that the `bunkerweb.INSTANCE` is mandatory to make sure the scheduler can detect BunkerWeb instance(s).
!!! info "Full list"
For the complete list of environment variables, see the [settings section](/1.4/settings) of the documentation.
For the complete list of environment variables, see the [settings section](/1.5.0-beta/settings) of the documentation.
### Scheduler
@ -224,10 +224,10 @@ The downside of using environment variables is that the container needs to be re
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
!!! info "Multisite mode"
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](/1.4/concepts/#multisite-mode) of the documentation for more information.
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](/1.5.0-beta/concepts/#multisite-mode) of the documentation for more information.
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/dev/misc/integrations) folder of the repostiory for more information.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) folder of the repostiory for more information.
Another container, named `bw-autoconf` for example, containing the autoconf service must be added to the stack. Since two services will generate the configuration for BunkerWeb, a "real" database backend (in other words, not SQLite) also needs to be added :
@ -341,7 +341,7 @@ Since we have multiple instances of BunkerWeb running, a shared data store imple
Using a shared folder or a specific driver for the database volume is left as an exercise for the reader (and depends on your own use-case).
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/dev/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
@ -510,7 +510,7 @@ The recommended setup is to define **BunkerWeb** as a **[DaemonSet](https://kube
Since we have multiple instances of BunkerWeb running, a shared data store implemented as a [Redis](https://redis.io/) service must be created : the instances will use it to cache and share data. You will find more information about the Redis settings [here](/1.5.0-beta/settings/#redis)
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/dev/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please note that both scheduler and autoconf services needs to access the Kubernetes API. The recommended way of doing it is using [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
@ -568,7 +568,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
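Review bot: `image: bunkerity/bunkerweb:1.5.0-beta` pins a tag only, and with `imagePullPolicy: Always` on the next line every pod start pulls whatever that tag points to at that moment. For a manifest readers will copy into a cluster, consider showing the digest form (`bunkerity/bunkerweb:1.5.0-beta@sha256:<digest>`, placeholder) or adding a sentence recommending it. The same applies to the `bunkerweb-autoconf` and `bunkerweb-scheduler` images changed in the next two hunks.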
@ -638,7 +638,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -665,7 +665,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -780,7 +780,7 @@ spec:
storage: 5Gi
```
Once the BunkerWeb Kubernetes stack is set up and running (see autoconf logs for more information), you will be able to deploy web applications in the cluster and declare your Ingress resource. Please note that [settings](/1.4/settings) need to be set as annotations for the Ingress resource with the special value **bunkerweb.io** for the domain part :
Once the BunkerWeb Kubernetes stack is set up and running (see autoconf logs for more information), you will be able to deploy web applications in the cluster and declare your Ingress resource. Please note that [settings](/1.5.0-beta/settings) need to be set as annotations for the Ingress resource with the special value **bunkerweb.io** for the domain part :
```yaml
apiVersion: networking.k8s.io/v1
@ -817,7 +817,6 @@ List of supported Linux distros :
- Debian 11 "Bullseye"
- Ubuntu 22.04 "Jammy"
- Fedora 37
- CentOS Stream 8
- RedHat Enterprise Linux (RHEL) 8.7
Please note that you will need to **install NGINX 1.24.0 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official prebuilt packages of BunkerWeb but you can build it from source.
@ -827,71 +826,81 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
=== "Debian"
The first step is to add NGINX official repository :
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.5.0-beta :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0-beta
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Ubuntu"
The first step is to add NGINX official repository :
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~jammy
```
And finally install BunkerWeb 1.5.0-beta :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~jammy
```
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0-beta
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Fedora"
Fedora already provides NGINX 1.24.0 that we support :
```shell
sudo dnf install -y nginx-1.24.0
```
```shell
sudo dnf install -y nginx-1.24.0
```
And finally install BunkerWeb 1.5.0-beta :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
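Review bot: in the Debian and Ubuntu tabs the key fetched from `https://nginx.org/keys/nginx_signing.key` is dearmored straight into `/usr/share/keyrings/nginx-archive-keyring.gpg` with no fingerprint check, and the `deb [signed-by=...]` line that trusts it points at `http://nginx.org/packages/...`. As these blocks are being re-indented anyway, add a step that displays the downloaded key's fingerprint so the reader can compare it with the one NGINX publishes before writing `/etc/apt/sources.list.d/nginx.list`, and use `https://` for the repository URL. Minor: the Debian tab installs `nginx=1.24.0-1~$(lsb_release -cs)` while the Ubuntu tab hard-codes `nginx=1.24.0-1~jammy`; pick one style.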
@ -900,12 +909,57 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "RedHat"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo dnf install nginx-1.24.0
```
And finally install BunkerWeb 1.5.0-beta :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0-beta
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
<!---
=== "CentOS Stream"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
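Review bot: in the new RedHat tab, `dnf install -y epel-release` is the only command of its block without `sudo`, and it assumes the `epel-release` package is available from the repositories already enabled; the RHEL notes deleted earlier in this commit installed it from the `epel-release-latest-8.noarch.rpm` URL instead. Please run the block as a non-root user on RHEL 8.7 and adjust. Both `baseurl=http://nginx.org/...` entries in the new `nginx.repo` could also use `https://`, matching the `gpgkey` line.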
@ -926,7 +980,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
And finally install BunkerWeb 1.5.0-beta :
```shell
dnf install -y epel-release && \
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0-beta
@ -938,6 +992,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf versionlock add bunkerweb
```
=== "From source"
The first step is to install NGINX 1.24.0 using the repository of your choice or by [compiling it from source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#compiling-and-installing-from-source).
@ -952,7 +1007,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
```
BunkerWeb needs some dependencies to be compiled and installed to `/usr/share/bunkerweb/deps`, the easiest way to do it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/master/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
BunkerWeb needs some dependencies to be compiled and installed to `/usr/share/bunkerweb/deps`, the easiest way to do it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/1.5.0-beta/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
```
mkdir /usr/share/bunkerweb/deps && \
/tmp/bunkerweb/src/deps/install.sh
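Review bot: the updated link targets `blob/1.5.0-beta/deps/install.sh`, but the command two lines below runs `/tmp/bunkerweb/src/deps/install.sh`, and the plugins page in this same commit moves its `clone.sh` link to `blob/1.5.0-beta/src/deps/clone.sh`. The link here most likely needs the `src/` prefix too; please check that it resolves.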
@ -999,6 +1054,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
systemctl enable bunkerweb && \
systemctl enable bunkerweb-ui
```
--->
The configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file :
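Review bot: the `<!---` opened before the "CentOS Stream" tab is only closed by this `--->` after the `systemctl enable` block, so the whole "From source" tab is commented out along with CentOS Stream. The list of supported distros only drops "CentOS Stream 8", and the paragraph under it still says "you can build it from source", so either close the comment before `=== "From source"` or remove that sentence if hiding the procedure is intended.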

@ -260,7 +260,7 @@ The first step is to install the plugin by putting the plugin files inside the c
!!! tip "Existing plugins"
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/master/core) (already included in BunkerWeb but they are plugins, technically speaking).
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
The first step is to create a folder that will contain the plugin :
@ -426,7 +426,7 @@ The declared functions are automatically called during specific contexts. Here a
#### Libraries
All directives from [NGINX LUA module](https://github.com/openresty/lua-nginx-module) and are available and [NGINX stream LUA module](https://github.com/openresty/stream-lua-nginx-module). On top of that, you can use the LUA libraries included within BunkerWeb : see [this script](https://github.com/bunkerity/bunkerweb/blob/master/deps/clone.sh) for the complete list.
All directives from [NGINX LUA module](https://github.com/openresty/lua-nginx-module) and are available and [NGINX stream LUA module](https://github.com/openresty/stream-lua-nginx-module). On top of that, you can use the LUA libraries included within BunkerWeb : see [this script](https://github.com/bunkerity/bunkerweb/blob/1.5.0-beta/src/deps/clone.sh) for the complete list.
If you need additional libraries, you can put them in the root folder of the plugin and access them by prefixing them with your plugin ID. Here is an example file named **mylibrary.lua** :
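Review bot: the rewritten Libraries sentence still reads "All directives from [NGINX LUA module] and are available and [NGINX stream LUA module]", which is garbled in both the old and the new version. Since the line is being touched anyway, reorder it to something like "All directives from the NGINX LUA module and the NGINX stream LUA module are available."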
@ -507,7 +507,7 @@ end
!!! tip "More examples"
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/master/lua) of the repository.
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/src/bw/lua/bunkerweb) of the repository.
### Jobs
@ -554,4 +554,4 @@ def myplugin() :
!!! info "Python libraries"
You can use Python libraries that are already available like :
`Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blob/master/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.
`Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blob/1.5.0-beta/src/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.

View File

@ -1,10 +1,10 @@
# Quickstart guide
!!! info "Prerequisites"
We assume that you're already familiar with the [core concepts](/1.4/concepts) and you have followed the [integrations instructions](/1.4/integrations) for your environment.
We assume that you're already familiar with the [core concepts](/1.5.0-beta/concepts) and you have followed the [integrations instructions](/1.5.0-beta/integrations) for your environment.
!!! tip "Going further"
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/master/examples) of the repository to get real-world examples.
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0-beta/examples) of the repository to get real-world examples.
## Protect HTTP applications
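Review bot: the examples link in the "Going further" tip uses the ref `tree/v1.5.0-beta/examples`, while the auth request paragraph in this same commit links to `tree/1.5.0-beta/examples` and every other GitHub link uses `1.5.0-beta` without the `v`. Only one of the two refs can be expected to exist, so pick one spelling and use it consistently.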
@ -16,7 +16,7 @@ The following settings can be used :
- `REVERSE_PROXY_URL` : the public path prefix
- `REVERSE_PROXY_HOST` : (internal) address of the proxied web application
You will find more settings about reverse proxy in the [settings section](/1.4/settings/#reverse-proxy) of the documentation.
You will find more settings about reverse proxy in the [settings section](/1.5.0-beta/settings/#reverse-proxy) of the documentation.
### Single application
@ -92,7 +92,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Docker autoconf"
We will assume that you already have the [Docker autoconf integration](/1.4/integrations/#docker-autoconf) stack running on your machine and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
We will assume that you already have the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) stack running on your machine and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
```yaml
version: '3.5'
@ -118,7 +118,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Swarm"
We will assume that you already have the [Swarm integration](/1.4/integrations/#swarm) stack running on your cluster and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
We will assume that you already have the [Swarm integration](/1.5.0-beta/integrations/#swarm) stack running on your cluster and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
```yaml
version: "3"
@ -148,7 +148,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Kubernetes"
We will assume that you already have the [Kubernetes integration](/1.4/integrations/#kubernetes) stack running on your cluster.
We will assume that you already have the [Kubernetes integration](/1.5.0-beta/integrations/#kubernetes) stack running on your cluster.
Let's assume that you have a typical Deployment with a Service to access the web application from within the cluster :
@ -213,7 +213,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Linux"
We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine.
We will assume that you already have the [Linux integration](/1.5.0-beta/integrations/#linux) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
@ -299,7 +299,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
We will assume that you already have the [Vagrant integration](/1.5.0-beta/integrations/#vagrant) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
@ -444,7 +444,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Docker autoconf"
We will assume that you already have the [Docker autoconf integration](/1.4/integrations/#docker-autoconf) stack running on your machine and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
We will assume that you already have the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) stack running on your machine and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
```yaml
version: '3.5'
@ -494,7 +494,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Swarm"
We will assume that you already have the [Swarm integration](/1.4/integrations/#swarm) stack running on your cluster and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
We will assume that you already have the [Swarm integration](/1.5.0-beta/integrations/#swarm) stack running on your cluster and connected to a network called `bw-services` so you can connect your existing application and configure BunkerWeb with labels :
```yaml
version: "3"
@ -556,7 +556,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Kubernetes"
We will assume that you already have the [Kubernetes integration](/1.4/integrations/#kubernetes) stack running on your cluster.
We will assume that you already have the [Kubernetes integration](/1.5.0-beta/integrations/#kubernetes) stack running on your cluster.
Let's assume that you have typical Deployments with a Service to access the web applications from within the cluster :
@ -642,7 +642,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Linux"
We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine.
We will assume that you already have the [Linux integration](/1.5.0-beta/integrations/#linux) stack running on your machine.
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory (repeat it and change the port if you want to test BunkerWeb) :
@ -734,7 +734,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
We will assume that you already have the [Vagrant integration](/1.5.0-beta/integrations/#vagrant) stack running on your machine.
First of all, connect to your vagrant machine :
@ -797,7 +797,7 @@ The following settings can be used :
- `REAL_IP_FROM` : list of trusted IP/network address allowed to send us the "real IP"
- `REAL_IP_HEADER` : the HTTP header containing the real IP or special value `proxy_protocol` when using PROXY protocol
You will find more settings about real IP in the [settings section](/1.4/settings/#real-ip) of the documentation.
You will find more settings about real IP in the [settings section](/1.5.0-beta/settings/#real-ip) of the documentation.
### HTTP header
@ -831,7 +831,7 @@ REAL_IP_HEADER=X-Forwarded-For
=== "Docker autoconf"
Before running the [Docker autoconf integration](/1.4/integrations/#docker-autoconf) stack, you will need to add the settings for the BunkerWeb container :
Before running the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) stack, you will need to add the settings for the BunkerWeb container :
```yaml
mybunker:
@ -846,7 +846,7 @@ REAL_IP_HEADER=X-Forwarded-For
=== "Swarm"
Before running the [Swarm integration](/1.4/integrations/#swarm) stack, you will need to add the settings for the BunkerWeb service :
Before running the [Swarm integration](/1.5.0-beta/integrations/#swarm) stack, you will need to add the settings for the BunkerWeb service :
```yaml
mybunker:
@ -982,7 +982,7 @@ REAL_IP_HEADER=proxy_protocol
=== "Docker autoconf"
Before running the [Docker autoconf integration](/1.4/integrations/#docker-autoconf) stack, you will need to add the settings for the BunkerWeb container :
Before running the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) stack, you will need to add the settings for the BunkerWeb container :
```yaml
mybunker:
@ -998,7 +998,7 @@ REAL_IP_HEADER=proxy_protocol
=== "Swarm"
Before running the [Swarm integration](/1.4/integrations/#swarm) stack, you will need to add the settings for the BunkerWeb service :
Before running the [Swarm integration](/1.5.0-beta/integrations/#swarm) stack, you will need to add the settings for the BunkerWeb service :
```yaml
mybunker:
@ -1210,7 +1210,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
=== "Docker autoconf"
Before running the [Docker autoconf integration](/1.4/integrations/#docker-autoconf) stack on your machine, you will need to edit the ports :
Before running the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) stack on your machine, you will need to edit the ports :
```yaml
version: "3.5"
@ -1269,7 +1269,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
=== "Swarm"
Before running the [Swarm integration](/1.4/integrations/#swarm) stack on your machine, you will need to edit the ports :
Before running the [Swarm integration](/1.5.0-beta/integrations/#swarm) stack on your machine, you will need to edit the ports :
```yaml
version: "3.5"
@ -1426,7 +1426,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
## Custom configurations
Because BunkerWeb is based on the NGINX web server, you can add custom NGINX configurations in different NGINX contexts. You can also apply custom configurations for the ModSecurity WAF which is a core component of BunkerWeb (more info [here](/1.4/security-tuning/#modsecurity)). Here is the list of custom configurations types :
Because BunkerWeb is based on the NGINX web server, you can add custom NGINX configurations in different NGINX contexts. You can also apply custom configurations for the ModSecurity WAF which is a core component of BunkerWeb (more info [here](/1.5.0-beta/security-tuning/#modsecurity)). Here is the list of custom configurations types :
- **http** : http level of NGINX
- **server-http** : http/server level of NGINX
@ -1444,7 +1444,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Docker"
When using the [Docker integration](/1.4/integrations/#docker), you have two choices for the addition of custom configurations :
When using the [Docker integration](/1.5.0-beta/integrations/#docker), you have two choices for the addition of custom configurations :
- Using specific settings `*_CUSTOM_CONF_*` as environment variables (recommended)
- Writing .conf files to the volume mounted on /data of the scheduler
@ -1513,7 +1513,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Docker autoconf"
When using the [Docker autoconf integration](/1.4/integrations/#docker-autoconf), you have two choices for adding custom configurations :
When using the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf), you have two choices for adding custom configurations :
- Using specific settings `*_CUSTOM_CONF_*` as labels (easiest)
- Writing .conf files to the volume mounted on /data of the scheduler
@ -1582,7 +1582,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Swarm"
When using the [Swarm integration](/1.4/integrations/#swarm), custom configurations are managed using [Docker Configs](https://docs.docker.com/engine/swarm/configs/).
When using the [Swarm integration](/1.5.0-beta/integrations/#swarm), custom configurations are managed using [Docker Configs](https://docs.docker.com/engine/swarm/configs/).
To keep it simple, you don't even need to attach the Config to a service : the autoconf service is listening for Config events and will update the custom configurations when needed.
@ -1606,7 +1606,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Kubernetes"
When using the [Kubernetes integration](/1.4/integrations/#kubernetes), custom configurations are managed using [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/).
When using the [Kubernetes integration](/1.5.0-beta/integrations/#kubernetes), custom configurations are managed using [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/).
To keep it simple, you don't even need to use the ConfigMap with a Pod (e.g. as environment variable or volume) : the autoconf Pod is listening for ConfigMap events and will update the custom configurations when needed.
@ -1636,7 +1636,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Linux"
When using the [Linux integration](/1.4/integrations/#linux), custom configurations must be written to the /etc/bunkerweb/configs folder.
When using the [Linux integration](/1.5.0-beta/integrations/#linux), custom configurations must be written to the /etc/bunkerweb/configs folder.
Here is an example for server-http/hello-world.conf :
@ -1701,7 +1701,7 @@ Some integrations offer a more convenient way of applying configurations such as
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
When using the [Vagrant integration](/1.5.0-beta/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
@ -1750,7 +1750,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
=== "Docker"
When using the [Docker integration](/1.4/integrations/#docker), to support PHP applications, you will need to :
When using the [Docker integration](/1.5.0-beta/integrations/#docker), to support PHP applications, you will need to :
- Mount your PHP files into the `/var/www/html` folder of BunkerWeb
- Set up a PHP-FPM container for your application and mount the folder containing PHP files
@ -1870,9 +1870,9 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
=== "Docker autoconf"
!!! info "Multisite mode enabled"
The [Docker autoconf integration](/1.4/integrations/#docker-autoconf) integration implies the use of multisite mode : protecting one PHP application is the same as protecting multiple ones.
The [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf) integration implies the use of multisite mode : protecting one PHP application is the same as protecting multiple ones.
When using the [Docker autoconf integration](/1.4/integrations/#docker-autoconf), to support PHP applications, you will need to :
When using the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf), to support PHP applications, you will need to :
- Mount your PHP files into the `/var/www/html` folder of BunkerWeb
- Set up a PHP-FPM containers for your applications and mount the folder containing PHP apps
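Review bot: the changed info line reads "The [Docker autoconf integration](...) integration implies the use of multisite mode", so "integration" appears twice in a row. Drop the trailing word while the link is being updated; the context item "Set up a PHP-FPM containers" also mixes singular and plural.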
@ -2022,12 +2022,12 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
=== "Swarm"
!!! info "Multisite mode enabled"
The [Swarm integration](/1.4/integrations/#docker-autoconf) integration implies the use of multisite mode : protecting one PHP application is the same as protecting multiple ones.
The [Swarm integration](/1.5.0-beta/integrations/#docker-autoconf) integration implies the use of multisite mode : protecting one PHP application is the same as protecting multiple ones.
!!! info "Shared volume"
Using PHP with the Docker Swarm integration needs a shared volume between all BunkerWeb and PHP-FPM instances which is not covered in this documentation.
When using the [Docker autoconf integration](/1.4/integrations/#docker-autoconf), to support PHP applications, you will need to :
When using the [Docker autoconf integration](/1.5.0-beta/integrations/#docker-autoconf), to support PHP applications, you will need to :
- Mount your PHP files into the `/var/www/html` folder of BunkerWeb
- Set up a PHP-FPM containers for your applications and mount the folder containing PHP apps
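Review bot: in the Swarm tab the updated link text says "Swarm integration" but its target is `/1.5.0-beta/integrations/#docker-autoconf`, and the second changed line still says "When using the [Docker autoconf integration]" under the Swarm heading. Both look like copy/paste leftovers that this commit carries forward; they should point to `/1.5.0-beta/integrations/#swarm` and name the Swarm integration, as the other Swarm hunks in this commit do. The doubled "integration] ... integration implies" wording applies here too.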
@ -2139,7 +2139,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
=== "Linux"
We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine.
We will assume that you already have the [Linux integration](/1.5.0-beta/integrations/#linux) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP applications. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
@ -2224,7 +2224,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
!!! info "Linux"
Please follow the instruction for Linux integration to create a local `www` folder (permissions are not needed, Ansible will do it for you).
We will assume that you already have the [Ansible integration](/1.4/integrations/#ansible) setup on your machine.
We will assume that you already have the [Ansible integration](/1.5.0-beta/integrations/#ansible) setup on your machine.
Content of the `my_variables.env` configuration file :
@ -2273,7 +2273,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
!!! info "Linux"
Please follow the instruction for Linux integration to create the `/var/www/html` folder.
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
We will assume that you already have the [Vagrant integration](/1.5.0-beta/integrations/#vagrant) stack running on your machine.
Once PHP files are copied into the `/var/www/html`folder, you can now edit the `/etc/bunkerweb/variable.env` file :
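Review bot: not part of the change itself, but the last context line of this hunk names the file `/etc/bunkerweb/variable.env`, whereas the Linux installation text in this commit says the configuration is done in `/etc/bunkerweb/variables.env`. One of the two spellings is wrong and worth fixing in this polish pass; the same line is also missing a space after the `/var/www/html` code span.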

View File

@ -1,9 +1,9 @@
# Security tuning
BunkerWeb offers many security features that you can configure with [settings](/1.4/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you tune them. By doing so you will be able to ensure the security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [settings](/1.5.0-beta/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you tune them. By doing so you will be able to ensure the security level of your choice but also manage false positives.
!!! tip "Other settings"
This section only focuses on security tuning, see the [settings section](/1.4/settings) of the documentation for other settings.
This section only focuses on security tuning, see the [settings section](/1.5.0-beta/settings) of the documentation for other settings.
<figure markdown>
![Overview](assets/img/core-order.svg){ align=center }
@ -98,7 +98,7 @@ Various security headers are available and most of them can be set using BunkerW
STREAM support :x:
[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](https://docs.bunkerweb.io/1.4/security-tuning/#allowed-methods)). Here is the list of settings related to CORS :
[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](https://docs.bunkerweb.io/1.5.0-beta/security-tuning/#allowed-methods)). Here is the list of settings related to CORS :
| Setting | Default | Context |Multiple| Description |
|------------------------|------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
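Review bot: the CORS paragraph links to the allowed-methods section with an absolute URL (`https://docs.bunkerweb.io/1.5.0-beta/security-tuning/#allowed-methods`), while the other internal links in the visible hunks are root-relative (`/1.5.0-beta/...`). Since the target is on the same page, use `/1.5.0-beta/security-tuning/#allowed-methods` so it behaves like the rest and does not need a separate edit at the next version bump.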
@ -183,7 +183,7 @@ ModSecurity is integrated and enabled by default alongside the OWASP Core Rule S
We strongly recommend keeping both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed with some efforts and the CRS team maintains a list of exclusions for common applications (e.g., WordPress, Nextcloud, Drupal, Cpanel, ...).
Tuning ModSecurity and the CRS can be done using [custom configurations](/1.4/quickstart-guide/#custom-configurations) :
Tuning ModSecurity and the CRS can be done using [custom configurations](/1.5.0-beta/quickstart-guide/#custom-configurations) :
- modsec-crs : before the OWASP Core Rule Set is loaded
- modsec : after the OWASP Core Rule Set is loaded (also used if CRS is not loaded)
@ -456,7 +456,7 @@ You can quickly protect sensitive resources like the admin area for example, by
### Auth request
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/master/examples).
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/examples).
**Auth request settings are related to reverse proxy rules.**

View File

@ -114,7 +114,7 @@ Here is how you can access the logs, depending on your integration :
## Permissions
Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](/1.4/quickstart-guide/#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](/1.5.0-beta/quickstart-guide/#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
## ModSecurity
@ -205,11 +205,11 @@ As we can see, there are 3 different logs :
One important thing to understand is that rule **949110** is not a "real" one : it's the one that will deny the request because the anomaly threshold is reached (which is **10** in this example). You should never remove the **949110** rule !
If it's a false-positive, you should then focus on both **930120** and **932160** rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info [here](/1.4/quickstart-guide/#custom-configurations)).
If it's a false-positive, you should then focus on both **930120** and **932160** rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info [here](/1.5.0-beta/quickstart-guide/#custom-configurations)).
## Bad Behavior
A common false-positive case is when the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info [here](/1.4/security-tuning/#bad-behavior)). You should start by reviewing the settings and then edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...
A common false-positive case is when the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info [here](/1.5.0-beta/security-tuning/#bad-behavior)). You should start by reviewing the settings and then edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...
## IP unban
@ -276,7 +276,7 @@ You can manually unban an IP which can be useful when doing some tests but it ne
## Whitelisting
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](/1.4/security-tuning/#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](/1.5.0-beta/security-tuning/#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
- Healthcheck / status bot
- Callback like IPN or webhook

View File

@ -29,11 +29,11 @@ Because the web UI is a web application, the recommended installation procedure
* Choose a strong password for the login
* Put the web UI under a "hard to guess" URI
* Do not open the web UI on the Internet without any further restrictions
* Apply settings listed in the [security tuning section](/1.4/security-tuning/) of the documentation
* Apply settings listed in the [security tuning section](/1.5.0-beta/security-tuning/) of the documentation
!!! info "Multisite mode"
The usage of the web UI implies enabling the [multisite mode](/1.4/concepts/#multisite-mode).
The usage of the web UI implies enabling the [multisite mode](/1.5.0-beta/concepts/#multisite-mode).
=== "Docker"
@ -61,7 +61,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/master/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -89,7 +89,7 @@ Because the web UI is a web application, the recommended installation procedure
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
@ -183,7 +183,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/master/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -276,7 +276,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:
@ -320,7 +320,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/master/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) of the repository.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -425,13 +425,14 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
deploy:
labels:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_UI=yes
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/changeme/
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:
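Review bot: the last added label, `"INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"`, is missing the `bunkerweb.` prefix that every other label in this block carries, so it will not be read as a setting for this service. This hunk also keeps `"bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"`, whereas the other label blocks in this commit drop that line when they add the code list. Suggest replacing both lines with the single label `"bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"`, which is what the matching stack files later in the commit use.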
@ -468,7 +469,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/master/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/misc/integrations) of the repository.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -522,7 +523,7 @@ Because the web UI is a web application, the recommended installation procedure
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
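Review bot: `image: bunkerity/bunkerweb:1.5.0-beta` combined with `imagePullPolicy: Always` means every pod restart pulls whatever the tag points to at that moment. For a boilerplate that people paste into clusters, consider adding a note that production deployments should pin the image by digest (placeholder: `bunkerity/bunkerweb@sha256:<digest>`), or at least that the three images (`bunkerweb`, `bunkerweb-autoconf`, `bunkerweb-scheduler`) must stay on the same tag. The same applies to the controller and scheduler hunks below.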
@ -592,7 +593,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -619,7 +620,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -804,7 +805,7 @@ Because the web UI is a web application, the recommended installation procedure
=== "Linux"
The installation of the web UI using the [Linux integration](/1.4/integrations/#linux) is pretty straightforward because it is installed with BunkerWeb.
The installation of the web UI using the [Linux integration](/1.5.0-beta/integrations/#linux) is pretty straightforward because it is installed with BunkerWeb.
The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
@ -836,12 +837,12 @@ Because the web UI is a web application, the recommended installation procedure
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
MULTISITE=yes
USE_UI=yes
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/changeme/
REVERSE_PROXY_HOST=http://127.0.0.1:7000
REVERSE_PROXY_HEADERS=X-Script-Name /changeme
REVERSE_PROXY_INTERCEPT_ERRORS=no
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
Don't forget to restart the `bunkerweb` service :
@ -852,7 +853,7 @@ Because the web UI is a web application, the recommended installation procedure
=== "Ansible"
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#linux) is pretty straightforward because it is installed with BunkerWeb.
The installation of the web UI using the [Vagrant integration](/1.5.0-beta/integrations/#linux) is pretty straightforward because it is installed with BunkerWeb.
Create a `my_ui.env` filed used to configure the web UI :
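Review bot: under the `=== "Ansible"` tab the link text still reads "Vagrant integration" and the target is still `/integrations/#linux`. The hunk only bumps the version segment, so the mismatch carries over into 1.5.0-beta. The link should name the Ansible integration and point at its anchor. While touching this block, "Create a `my_ui.env` filed" in the trailing context should read "file".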
@ -870,12 +871,12 @@ Because the web UI is a web application, the recommended installation procedure
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
MULTISITE=yes
USE_UI=yes
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/changeme/
REVERSE_PROXY_HOST=http://127.0.0.1:7000
REVERSE_PROXY_HEADERS=X-Script-Name /changeme
REVERSE_PROXY_INTERCEPT_ERRORS=no
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
The variable `enable_ui` can be set to `true` in order to activate the web UI service and the variable `custom_ui` can be used to specify the configuration file for the web UI :
@ -907,7 +908,7 @@ Because the web UI is a web application, the recommended installation procedure
=== "Vagrant"
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
The installation of the web UI using the [Vagrant integration](/1.5.0-beta/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
First of all, you will need to get a shell on your Vagrant box :
@ -945,12 +946,12 @@ Because the web UI is a web application, the recommended installation procedure
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
MULTISITE=yes
USE_UI=yes
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/changeme/
REVERSE_PROXY_HOST=http://127.0.0.1:7000
REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
REVERSE_PROXY_INTERCEPT_ERRORS=no
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
Don't forget to restart the `bunkerweb` service :

View File

@ -86,7 +86,7 @@ services:
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -86,7 +86,7 @@ services:
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -85,7 +85,7 @@ services:
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -76,7 +76,7 @@ services:
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -21,7 +21,7 @@ services:
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services

View File

@ -21,7 +21,7 @@ services:
- www.example.com_REVERSE_PROXY_URL=/admin/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services

View File

@ -22,7 +22,7 @@ services:
- www.example.com_REVERSE_PROXY_URL=/admin/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services

View File

@ -17,7 +17,7 @@ services:
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -313,7 +313,7 @@ metadata:
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:
- host: www.example.com

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -371,7 +371,7 @@ metadata:
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:
- host: www.example.com

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -143,7 +143,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
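Review bot: this third hunk updates a second container named `bunkerweb-controller` with the `bunkerity/bunkerweb-autoconf` image, at the position where the sibling manifests in this commit have `bunkerweb-scheduler` with the `bunkerity/bunkerweb-scheduler` image. The context lines here also lack the `serviceAccountName: sa-bunkerweb` line that precedes the container in the previous hunk. Check whether this manifest really wants two autoconf containers or whether the scheduler definition was lost in a copy/paste, since the version bump would otherwise preserve a deployment without a scheduler. The same pattern appears in one other manifest in this commit.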

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -144,7 +144,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.4.6
image: bunkerity/bunkerweb-scheduler:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -323,7 +323,7 @@ metadata:
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
spec:
rules:
- host: www.example.com

View File

@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.6
image: bunkerity/bunkerweb:1.5.0-beta
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -117,7 +117,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -143,7 +143,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.6
image: bunkerity/bunkerweb-autoconf:1.5.0-beta
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE

View File

@ -98,13 +98,13 @@ services:
- bw-docker
deploy:
labels:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_UI=yes
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/changeme/
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -98,13 +98,13 @@ services:
- bw-docker
deploy:
labels:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_UI=yes
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/changeme/
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -97,13 +97,13 @@ services:
- bw-docker
deploy:
labels:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_UI=yes
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/changeme/
- bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000
- bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:

View File

@ -107,7 +107,7 @@ api.global.POST["^/unban$"] = function(self)
end
local ok, ip = pcall(cjson.decode, data)
if not ok then
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't decode JSON : " .. env)
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't decode JSON : " .. ip)
end
self.datastore:delete("bans_ip_" .. ip["ip"])
return self:response(ngx.HTTP_OK, "success", "ip " .. ip["ip"] .. " unbanned")
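Review bot: switching the concatenated variable from `env` to `ip` fixes the error path, but the success path two lines further down still trusts the decoded body. `self.datastore:delete("bans_ip_" .. ip["ip"])` raises on the concatenation when the JSON is valid but has no `ip` field, or when the body decodes to something other than a table. Add a check such as `if type(ip) ~= "table" or type(ip["ip"]) ~= "string" then` before using it. Two smaller points on the changed line: a body that fails to decode is a client error, so `ngx.HTTP_BAD_REQUEST` fits better than `ngx.HTTP_INTERNAL_SERVER_ERROR`, and reusing `ip` for the pcall error message is easy to misread, so `local ok, decoded = pcall(...)` would be clearer.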
@ -126,7 +126,7 @@ api.global.POST["^/ban$"] = function(self)
end
local ok, ip = pcall(cjson.decode, data)
if not ok then
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't decode JSON : " .. env)
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't decode JSON : " .. ip)
end
self.datastore:set("bans_ip_" .. ip["ip"], "manual", ip["exp"])
return self:response(ngx.HTTP_OK, "success", "ip " .. ip["ip"] .. " banned")
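Review bot: same fix as in `/unban`, and the same missing validation, with one addition. In `self.datastore:set("bans_ip_" .. ip["ip"], "manual", ip["exp"])`, the expiry `ip["exp"]` is passed straight from the request body. A missing or non-numeric `exp` reaches the datastore unchecked, so what happens to the ban's lifetime is left to the datastore. Validate that `ip["ip"]` is a string and `ip["exp"]` is a non-negative number before the call, and return a 400 with a fixed message otherwise rather than echoing the decoder's error text back to the caller.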

View File

@ -1,48 +0,0 @@
lua_shared_dict ready_lock_stream 16k;
init_worker_by_lua_block {
-- Our timer function
local ready_log = function(premature)
-- Instantiate objects
local logger = require "bunkerweb.logger":new("INIT")
local datastore = require "bunkerweb.datastore":new()
-- Don't print the ready log if we are in loading state
local is_loading, err = require "bunkerweb.utils".get_variable("IS_LOADING", false)
if not is_loading then
logger:log(ngx.ERR, "utils.get_variable() failed : " .. err)
return
elseif is_loading == "yes" then
return
end
-- Instantiate lock
local lock = require "resty.lock":new("ready_lock_stream")
if not lock then
logger:log(ngx.ERR, "lock:new() failed : " .. err)
return
end
-- Acquire lock
local elapsed, err = lock:lock("ready")
if elapsed == nil then
logger:log(ngx.ERR, "lock:lock() failed : " .. err)
else
-- Display ready log
local ok, err = datastore:get("misc_ready")
if not ok and err ~= "not found" then
logger:log(ngx.ERR, "datastore:get() failed : " .. err)
elseif not ok and err == "not found" then
logger:log(ngx.NOTICE, "BunkerWeb is ready to fool hackers ! 🚀")
local ok, err = datastore:set("misc_ready", "ok")
if not ok then
logger:log(ngx.ERR, "datastore:set() failed : " .. err)
end
end
end
-- Release lock
lock:unlock()
end
-- Start timer
ngx.timer.at(5, ready_log)
}

View File

@ -37,9 +37,6 @@ lua_shared_dict cachestore_locks_stream {{ CACHESTORE_LOCKS_MEMORY_SIZE }};
# LUA init block
include /etc/nginx/init-stream-lua.conf;
# LUA init worker block
include /etc/nginx/init-worker-stream-lua.conf;
# TODO add default stream server if that makes any sense ?
# server config(s)
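Review bot: the removal of `include /etc/nginx/init-worker-stream-lua.conf;` here, together with the deletion of the 48-line template above it, is a runtime change to the stream context. The commit is titled "docs - last polish", so anyone scanning history for behaviour changes will skip it. Either move these two changes to their own commit or mention them in the message, and say where the "BunkerWeb is ready" log and the `misc_ready` datastore key are now set for stream mode. Also confirm no other template still includes the deleted file, because nginx will refuse to start on a missing include.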

View File

@ -2,7 +2,7 @@ local class = require "middleclass"
local plugin = require "bunkerweb.plugin"
local utils = require "bunkerweb.utils"
local datastore = require "bunkerweb.datastore"
local json = require "cjson"
local cjson = require "cjson"
local http = require "resty.http"
local bunkernet = class("bunkernet", plugin)
@ -40,7 +40,7 @@ function bunkernet:init()
return self:ret(false, "can't read instance id : " .. err)
end
-- Retrieve instance ID
id = f:read("*all"):gsub("[\r\n]", "")
local id = f:read("*all"):gsub("[\r\n]", "")
f:close()
-- Store ID in datastore
local ok, err = self.datastore:set("plugin_bunkernet_id", id)
@ -53,7 +53,7 @@ function bunkernet:init()
local db = {
ip = {}
}
f, err = io.open("/var/cache/bunkerweb/bunkernet/ip.list", "r")
local f, err = io.open("/var/cache/bunkerweb/bunkernet/ip.list", "r")
if not f then
ret = false
else
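Review bot: `local f, err = io.open("/var/cache/bunkerweb/bunkernet/ip.list", "r")` stops the global leak, but the failure branch right after it, `if not f then ret = false`, discards `err`. A missing or unreadable `ip.list` therefore leaves no trace in the logs, which makes it hard to tell an empty list from a broken cache. Log `err` in that branch. `ret` itself is assigned without a visible `local` in these context lines. If it is not declared earlier in `bunkernet:init()`, it has the same accidental-global problem this hunk fixes for `f` and the previous hunk fixes for `id`.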