v1.4.1 release

florian 2022-06-16 11:26:58 +02:00
parent 424214fd56
commit bcaca6f034
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
45 changed files with 214 additions and 218 deletions


@ -181,7 +181,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV


@ -70,12 +70,6 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build images
- name: Build BW for 386
@ -91,7 +85,7 @@ jobs:
context: .
file: autoconf/Dockerfile
platforms: linux/386
tags: /bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache,mode=min
- name: Build BW UI for 386
uses: docker/build-push-action@v3
@ -103,82 +97,57 @@ jobs:
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/arm
# build-bw-arm:
# runs-on: [self-hosted, ARM64]
# steps:
build-bw-arm:
runs-on: ubuntu-latest
steps:
# Prepare
# - name: Checkout source code
# uses: actions/checkout@v3
# - name: Setup Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_TOKEN }}
# - name: Login to private repository
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.PRIVATE_REGISTRY }}
# username: registry
# password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build images
# - name: Build BW for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv7-cache,mode=min
# - name: Build BW for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
# - name: Build BW autoconf for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache,mode=min
# - name: Build BW autoconf for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
# - name: Build BW UI for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache,mode=min
# - name: Build BW UI for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
- name: Build BW for ARM
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-arm-cache,mode=min
- name: Build BW autoconf for ARM
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-autoconf-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache,mode=min
- name: Build BW UI for ARM
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-ui-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Run tests
tests:
@ -203,7 +172,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV
@ -260,16 +229,19 @@ jobs:
# Push to dev registries
push-docker:
needs: [tests, build-bw-386]
needs: [tests, build-bw-386, build-bw-arm]
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
@ -282,44 +254,55 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Set variables
- name: Setup SSH for ARM node
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build and push
- name: Build and push BW
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:latest,bunkerity/bunkerweb:latest,bunkerity/bunkerweb:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-arm-cache
- name: Build and push BW autoconf
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
- name: Build and push BW UI
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-arm-cache
# Push to PackageCloud
push-linux:
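Review bot: The two new `Setup SSH for ARM node` steps (in `build-bw-arm` and again in `push-docker`) write `~/.ssh/id_rsa_arm` under the default umask and only tighten it with `chmod 600` afterwards, and nothing visible in this diff pins the ARM builder's host key. Starting each script with `umask 077` keeps the key from ever being group- or world-readable, and a pinned host key should be written to `~/.ssh/known_hosts` before `docker buildx create --append ... ssh://ubuntu@arm` runs. Whether `ARM_SSH_CONFIG` already enforces host key checking cannot be seen from here, so that should be confirmed. This matters most in `push-docker`, where the remote node builds the `linux/arm64` and `linux/arm/v7` variants of the images pushed as `bunkerity/bunkerweb:latest`, which makes that node and its SSH key part of the release trust boundary. A comment above the step such as `# ARM images are built on a remote node over SSH; its host key must be pinned` would document the dependency.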


@ -1,6 +1,6 @@
# Changelog
## v1.4.1 -
## v1.4.1 - 2022/16/06
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
- Fix certbot bug when AUTOCONF_MODE=yes
- Fix certbot bug when MULTISITE=no


@ -3,7 +3,7 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/bunkerweb-1.4.0-blue" />
<img src="https://img.shields.io/badge/bunkerweb-1.4.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28DEV%29?label=CI%2FCD%20dev" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28PROD%29?label=CI%2FCD%20prod" />


@ -1 +1 @@
1.4.0
1.4.1


@ -26,11 +26,6 @@ class DockerController(Controller) :
continue
value = env.replace(variable + "=", "", 1)
instance["env"][variable] = value
server_name = []
for controller_service in self._get_controller_services() :
if "bunkerweb.SERVER_NAME" in controller_service.labels :
server_name.append(controller_service.labels["bunkerweb.SERVER_NAME"].split(" ")[0])
instance["env"]["SERVER_NAME"] = " ".join(server_name)
return [instance]
def _get_controller_services(self) :


@ -12,7 +12,7 @@ Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and
We provide ready to use prebuilt images for x64 and x86 architectures (armv7 and armv8 are not supported at the moment) on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.4.0
docker pull bunkerity/bunkerweb:1.4.1
```
Alternatively, you can build the Docker images directly from the [source](https://github.com/bunkerity/bunkerweb) (and take a coffee ☕ because it may be long depending on your hardware) :
@ -39,7 +39,7 @@ docker run \
-e MY_SETTING=value \
-e "MY_OTHER_SETTING=value with spaces" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -48,7 +48,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
environment:
- MY_SETTING=value
```
@ -73,7 +73,7 @@ docker run \
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -82,7 +82,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- bw-data:/data
...
@ -109,7 +109,7 @@ docker run \
...
-v ./bw-data:/data \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -119,7 +119,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
```
@ -141,7 +141,7 @@ docker run \
...
--network mynetwork \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
@ -152,7 +152,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-net
...
@ -183,9 +183,6 @@ First of all, you will need to create the data volume :
docker volume create bw-data
```
- One for sharing the persistent data, mounted on **/data**
- Another one for sharing the generated Nginx configurations, mounted on **/etc/nginx**
Then, you can create two networks (replace 10.20.30.0/24 with an unused subnet of your choice) :
```shell
@ -210,7 +207,7 @@ docker run \
-e SERVER_NAME= \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-services mybunker
```
@ -224,7 +221,7 @@ docker run \
--network bw-autoconf \
-v bw-data:/data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
@ -235,12 +232,10 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
volumes:
- bw-data:/data
environment:
- AUTOCONF_MODE=yes
- MULTISITE=yes
@ -253,7 +248,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -355,7 +350,7 @@ docker service create \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
And the autoconf one :
@ -369,7 +364,7 @@ docker service \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=volume,source=bw-data,destination=/data \
-e SWARM_MODE=yes \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
@ -380,7 +375,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@ -407,7 +402,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes:
@ -697,11 +692,11 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.20.2-1~bullseye
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.0
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -727,11 +722,11 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.20.2-1~jammy
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.0
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -749,7 +744,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.0
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -776,12 +771,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.0
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :


@ -2,7 +2,7 @@
!!! warning "Read this if you were a bunkerized user"
A lot of things have changed since the last bunkerized release. If you want to an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
A lot of things have changed since the last bunkerized release. If you want to do an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
## Volumes
@ -12,11 +12,14 @@ When using container-based integrations like [Docker](/1.4/integrations/#docker)
We decided to drop the following features :
- Authelia : we will make an official [plugin](/1.4/plugins) for that
- Blocking "bad" referrers : we may add it again in the future
- ROOT_SITE_SUBFOLDER : we will need to redesign this in the future
## Replaced BLOCK_*, WHITELIST_* and BLACKLIST_* settings
## Changed Authelia support
Instead of supporting only Authelia, we decided to support generic auth request settings. See the new [authelia example](https://github.com/bunkerity/bunkerweb/tree/master/examples/authelia) and [auth request documentation](https://docs.bunkerweb.io/1.4/security-tuning/#auth-request) for more information.
## Replaced BLOCK_\*, WHITELIST_\* and BLACKLIST_\* settings
The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the [Blacklisting and whitelisting](/1.4/security-tuning/#blacklisting-and-whitelisting) section of the [security tuning](/1.4/security-tuning).


@ -43,13 +43,13 @@ The first step is to install the plugin by putting the plugin files inside the c
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...


@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e USE_REVERSE_PROXY=yes \
-e REVERSE_PROXY_URL=/ \
-e REVERSE_PROXY_HOST=http://myapp \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -64,7 +64,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -331,7 +331,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
-e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
-e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -341,7 +341,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -875,13 +875,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -900,13 +900,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -925,13 +925,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -956,7 +956,7 @@ REAL_IP_HEADER=X-Forwarded-For
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@ -1008,13 +1008,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1035,13 +1035,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1062,13 +1062,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1094,7 +1094,7 @@ REAL_IP_HEADER=proxy_protocol
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@ -1169,13 +1169,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...
@ -1212,13 +1212,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...


@ -297,6 +297,7 @@ Using both country blacklist and whitelist at the same time makes no sense. If y
## Authentication
### Auth basic
You can quickly protect sensitive resources like the admin area for example by requiring HTTP basic authentication. Here is the list of related settings :
| Setting | Default | Description |
@ -306,3 +307,14 @@ You can quickly protect sensitive resources like the admin area for example by r
| `AUTH_BASIC_USER` | `changeme` | The username required. |
| `AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
| `AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
### Auth request
You can deploy complex authentification (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/master/examples).
**Auth request settings are related to reverse proxy rules.**
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|


@ -249,26 +249,33 @@ When settings are considered as "multiple", it means that you can have multiple
### Reverse proxy
| Setting | Default | Context |Multiple| Description |
|--------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS`|`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource. |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time).|
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with ; (values for add_header directive). |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time). |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
### Self-signed certificate


@ -78,7 +78,7 @@ Because the web UI is a web application, the recommended installation procedure
-e "bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-ui mybunker
```
@ -117,7 +117,7 @@ Because the web UI is a web application, the recommended installation procedure
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
bunkerity/bunkerweb-ui:1.4.0 && \
bunkerity/bunkerweb-ui:1.4.1 && \
docker network connect bw-docker myui
```
@ -133,7 +133,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-services
- bw-ui
@ -156,7 +156,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.UI"
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- mydocker
networks:


@ -3,7 +3,7 @@ version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@ -1 +1,3 @@
We assume that you are already familiar with [Authentik]().
We assume that you are already familiar with [Authentik](https://goauthentik.io/).
This example has been tested with a Proxy in Forward auth (domain level) mode (see [here](https://goauthentik.io/docs/providers/proxy/forward_auth) for more information).


@ -3,7 +3,7 @@ version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly


@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
volumes:
- ./ghost-data:/var/lib/ghost/content
environment:
- url=http://www.example.com # replace with your domain
- url=https://www.example.com # replace with your domain
volumes:
bw_data:
bw_data:
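Review bot: Switching Ghost's `url` to `https://` in the `environment:` block makes the example depend on TLS actually being served for that hostname by the proxy in front, and nothing in this hunk shows that; Ghost redirects plain-HTTP requests to HTTPS when `url` is https and relies on the proxy's `X-Forwarded-Proto` header to tell the two apart, so a front end that does not serve TLS or does not forward the scheme ends in a redirect loop. The `mybunker` environment is outside the hunk, so whether HTTPS is enabled there cannot be confirmed from this page. I would extend the inline comment to say so, e.g. `# replace with your domain; keep https only if bunkerweb serves this host over TLS`. Separately, the two consecutive `bw_data:` lines under `volumes:` read like a duplicate key, though indentation is lost in this rendering and they may be nested differently.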

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# dropping all capabilities
cap_drop:
- ALL

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -24,7 +24,7 @@ services:
- mongo
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
logging:
driver: syslog
options:

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -11,7 +11,7 @@ services:
- SERVICE1_TOR_SERVICE_VERSION=3
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -42,7 +42,7 @@ services:
- net_svc
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- myuiproxy
volumes:

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -20,7 +20,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- ./bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -29,7 +29,6 @@ services:
volumes:
bw-data:
bw-conf:
networks:
bw-autoconf:

@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -106,7 +106,7 @@ spec:
claimName: pvc-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE

@ -3,7 +3,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@ -31,7 +31,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes: