Squashed 'src/deps/src/headers-more-nginx-module/' changes from 576cb8197..bea1be3bb
bea1be3bb doc: Fix typo. (#97)
d502e4199 bugfix: nginx crash when accessing uninitialized pointer.
91eb0db9e bugfix: update handling of multiple headers changed in nginx 1.23.0.
e536bc595 bugfix: fixed build error with nginx >= 1.23.0
00be83f1d doc: update the description of nginx compatibility. (#131)
a4a068660 travis-ci: upgrade dist of travis-ci to ubuntu bionic. (#124)
f85af9649 travis-ci: bumped the NGINX core to 1.19.9, remove clang compiler mode from travis to save credits. (#121)
d6d7ebab3 travis-ci: bumped the NGINX core to 1.19.3. (#114)
af8160e01 doc: we now work with nginx 1.17.x (up to 1.17.8 at least).
743a4bb1a travis-ci: bumped the NGINX core to 1.17.8.
552e216a0 travis-ci: switched to OpenResty's fork of LuaJIT.
7255ae95d travis-ci: bumped the NGINX core to 1.17.4.
380e994d3 doc: updated the nginx compatibility list.
ab40f3446 travis: bumped the nginx core version to 1.17.1.
d3a920ad3 travis: clone the lua-resty-core and lua-resty-lrucache repositories.
085fbbc28 travis: bumped the nginx core version to 1.15.8.
f1fadb9e2 tests: t/input-cookie.t: fixed a failing test case with our newest version of ngx_http_lua's LuaJIT alert log.
a9f7c7e86 tests: added a passing test for overriding Cache-Control header created by proxy module.
55fbdaba9 doc: bumped version to 0.33.
f389f1178 tests: added new valgrind false positives in the latest nginx core.
79ac9547b tests: valgrind.suppress: removed too aggressive suppressions in nginx mem pools and luajit lj_str_new.
a799a97ba tests: minor tweaks in valgrind.suppress.
d63cf91ed tests: removed extra file-trailing newlines.
4512b82a8 feature: add wildcard match support for more_clear_input_headers.
7b0762aba doc: adjusted the doc for the use of wildcards in header names. thanks Dejiang Zhu for the report.
809668963 doc: updated copyright notice.
732874a0f travis-ci: several improvements and tweaks.
491df7f8d doc: fixed more_clear_input_headers usage examples.
5aa76052d doc: bumped version to 0.32.
04916fbc4 tests: skipped the newly added test case that cannot run in check leak test mode.
30fb25901 bugfix: more_set_input_headers: skips setting multi-value headers for bad requests to avoid segfaults.
84241e444 doc: bumped version to 0.31.
2054d9261 doc: typo fixes.
72c81c922 skipped check leak mode for two test cases using malformed requests.
fbab58696 doc: claims that we work with 1.10.x since it is essentially the same as 1.9.x.
4fccc2a19 bugfix: fixed a typo in an error message.
0a5bad907 bugfix: when the nginx core does not properly initialize r->headers_in.headers (due to 400 bad requests and etc), more_set_input_headers might lead to crashes. thanks Marcin Teodorczyk for the report.
7fc33974d doc: fixed the release year.
4cb061b57 travis-ci: use "prove -r t" to run the test suite and test against nginx 1.10.0 instead of 1.8.1.
cf016595f various coding style fixes.
4612cb62d Merge branch 'master' of github.com:openresty/headers-more-nginx-module
63b8039d7 doc: release 0.30 and compatibility with nginx cores as far as 1.9.15.
b120f866e Merge pull request #52 from chipitsine/master
182d12a19 fixed "exit 0" on failed build
981a6914a feature: initial travis-ci support.
f5559ec57 doc: documented the dynamic module support in this module.
cabd03a86 doc: typo fix.
2f93b9a31 feature: now this module can be compiled as a dynamic module with ./configure --add-dynamic-module=PATH in NGINX 1.9.11+. thanks Sjir Bagmeijer for the original patch in #44.
cc19196c7 minor test tweaks.
e77178fd2 config: some refactoring.
443753c53 doc: ngx_openresty -> OpenResty.
f14b3667c doc: stated that we are compatible with nginx cores as far as 1.9.7.
88f797a5c bumped version to 0.29.
e8822662b bugfix: changing the built-in header X-Forwarded-For via more_set_input_headers or more_clear_input_headers might not take effect in some parts of the nginx core (like $proxy_add_x_forwarded_for).
bbaa39fd9 added a .gitattributes file to correct GitHub's language tag.
51dcf0901 doc: bumped version to 0.28.
473fc9d8e bugfix: fixed errors and warnings with C compilers without variadic macro support.
a744defdf removed the useless code snippet enabled by the unused NGX_HTTP_HEADERS macro. it also triggered a compilation error. thanks Vadim A. Misbakh-Soloviov for the report in #39.
c8b4b0a95 updated docs to reflect recent changes.
5031112c0 tests: fixed the test plan in input.t.
42d8019f0 bugfix: setting (builtin) request headers Upgrade, Accept, Accept-Language, Depth, Destination, Overwrite, and Date might not take effect in standard nginx modules like ngx_http_proxy, ngx_http_headers, and ngx_http_dav.
bc48417d8 bugfix: when the response header Content-Type contains params like "; charset=utf-8", the -t MIME-List options did not work as expected at all. thanks Joseph Bartels for the report in #38.
4648e827e doc: we no longer sync from the nginx wiki site.
d0e1a7408 util/build.sh: removed $LUAJIT_LIB and /usr/local/lib from the RPATH list.
f6a745a16 bugfix: clearing input headers If-Unmodified-Since, If-Match, and If-None-Match did not clear the builtin "shortcut" fields in ngx_http_headers_in_t which might confuse other nginx modules like ngx_http_not_modified_filter_module. The first header gets "shortcuts" fields since nginx 0.9.2 while the latter two since nginx 1.3.3.
4b20caa63 tests: disabled the test cases exercising multiple http {} blocks since this undocumented feature has been disabled since nginx 1.9.3.
ccaede889 doc: bumped version to 0.26.
fdf4eabef minor coding style fixes.
d20bf26a8 fixed compilation failures with nginx 1.7.11+ configured with --with-threads.
a7f81f20b updated doc to reflect recent changes.
02fd3778a style: fixed the coding style of labels.
b4f9e524a optimize: removed the unused C function ngx_http_headers_more_rm_header. thanks Markus Linnala for the catch in #28.
2a33f3d01 doc: made it clear that more_set_headers always override existing headers with the same name.
95d8178b0 suppressed a valgrind false positive in libdl.
0c6e05d31 updated docs to reflect recent changes.
61af6c9ee doc: documented the limitation that we cannot remove the "Connection" response header with this module. thanks Michael Orlando for bringing this up in #22.
6e9dd00bb added the missing bit in commit 40414ca1. thanks Edwin Cleton for the report.
6d4d619b3 minor coding style fix.
40414ca1f fixed a warning from the Microsoft C compiler. thanks Edwin Cleton for the report.
4b718e786 various coding style fixes.
7a6fd1136 doc: bumped version to 0.24 and claims that we work with nginx 1.4.4.
fe2a70ea5 updated valgrind.suppress for i386.
540c6770f bugfix: more_set_input_headers did not completely override the existing request header with multiple values. thanks Aviram Cohen for the report.
bb9271843 doc: minor markdown formatting tweaks.
b66e2ef1b removed the plain text README file.
ad3d8d622 bumped version to 0.23.
35f8faf54 doc: added syntax highlighting to the code samples.
9c4b6ee1d minor coding style fixes.
1caf5cc41 bugfix: removing request headers might lead to memory corruptions.
566cebf00 minor coding style fixes.
6f06b3720 doc: markdown: added a "table of contents" section and lots of "Back to TOC" links.
5f1425508 docs: eliminated links to the nginx wiki wherever possible.
211760978 bugfix: more_set_input_headers might overwrite the value of the $host variable with bad values.
5a70b6b46 bugfix: more_set_headers and more_clear_headers might now work when multiple http {} blocks were used in nginx.conf.
3bc9f941b bugfix: eliminated use of C global variables during configuration phase.
035a5f3d3 updated docs to reflect recent changes.
6d19a3980 fixed the test plan in sanity.t.
31d0e78b7 bumped version to 0.22.
3392914d2 added a (passing) test for setting response headers for HTTP 0.9 requests.
625c550aa updated .gitignore a bit.
147c2737b bugfix: segfaults would happen in more_set_input_headers and more_clear_input_headers when processing HTTP 0.9 requests. thanks Bin Wang for the report in #14.
26f96fb41 bugfix: we did not properly initialize the location response header field in commit b21333e2d. this is a further fix for issue #7.
00ee3cfcf massive coding style fixes.
b21333e2d bugfix: segfault might happen when using more_set_headers or more_clear_headers in the case that the nginx core initiated a 301 redirect. this issue was caused by an optimization in the nginx core where ngx_http_core_find_config_phase, for example, does not fully initialize the "Location" response header after creating the header. thanks Brian Akins for the original report in #7 and Vladimir Protasov for the insight in chaoslawful/lua-nginx-module#260.
ec05b8981 updated docs to reflect recent changes.
be5ea9a6d bugfix: segmentation fault might happen in nginx 1.4.x when using more_set_input_headers on the Cookie request headers because recent versions of nginx no longer always initialize r->headers_in.cookies.
0df17d017 bumped version to 0.20.
376b7bc23 massive coding style fixes in ngx_http_headers_more_headers_in.c.
e9f060d50 added test cases for the recent fixes in the Cookie request header handling.
2da1aaa9f fixed places where we should return NGX_ERROR instead of NGX_HTTP_INTERNAL_SERVER_ERROR; also fixed a clang warning.
a45243e2f bugfix: modifying the Cookie request headers via more_set_input_headers/more_clear_input_headers did not update the Nginx internal data structure, r->headers_in.cookies, at the same time, which might cause issues when reading variables $cookie_COOKIE, for example.
e9b817509 bugfix: modifying the Via request header via more_set_input_headers/more_clear_input_headers did not update the special internal field in the Nginx core, "r->headers_in.via", when the ngx_gzip_filter module is enabled.
c7feaa395 bugfix: modifying the X-Real-IP request header via more_set_input_headers/more_clear_input_headers did not update the special internal field in the Nginx core, "r->headers_in.x_real_ip", when the ngx_realip module is enabled.
27c2137c6 bugfix: modifying the Connection request header via more_set_input_headers/more_clear_input_headers did not update the special internal flags in the Nginx core, "r->headers_in.connection_type" and "r->headers_in.keep_alive_n".
95ed9ce74 bugfix: modifying the User-Agent request header via more_set_input_headers/more_clear_input_headers did not update those special internal flags in the Nginx core, like "r->headers_in.msie6" and "r->headers_in.opera".
22ed8a414 updated docs to reflect recent changes.
9ba50727f updated tests to reflect recent changes in ngx_echo regarding the $echo_client_request_headers variable (commit agentzh/echo-nginx-module@2adcf59ec5).
27bcbd290 updated docs to reflect recent changes.
5f9684bbd updated .gitignore a bit.
d658a2f90 bugfix: more_clear_input_headers would result in memory invalid reads when removing the 21st request headers. thanks Umesh Sirsiwal for reporting this issue as chaoslawful/lua-nginx-module#176.
0f6132327 removed the sendmsg/ngx_channel valgrind suppression rules.
07702cf8b updated valgrind.suppress for valgrind 3.8.0.
bdb1068b6 updated docs to fix my English name. also fixed an issue in the sample code in docs that Transfer-Encoding cannot be cleared. thanks koukou73gr.
658698495 updated docs to reflect recent changes.
3147c8b4f updated .gitignore.
278ba7d20 bugfix: fixed a set-but-not-read warning from the clang static analyzer.
05a862b33 fixed compatibility with nginx 0.7.65. thanks Banping for reporting this.
b7c8cfcd3 updated docs to reflect recent changes.
2f5f6601a updated .gitignore.
4ea0a75ad bugfix: more_clear_input_headers did not remove all the instances for the builtin headers or custom headers.
bugfix: more_clear_input_headers might accidentally remove request headers that are not specified at all and leave the specified headers with just empty header values when removing multiple built-in headers. thanks Matthieu Tourne for reporting the issues.
de80b7972 added a (passing) test for rewrite + more_set_input_headers.
81c8750f1 updated valgrind.suppress for linux i386.
cf7e2d587 updated valgrind.suppress for the "hup reload" + valgrind/memcheck testing mode.
33a82ed11 updated valgrind.suppress and .gitignore.
aa2ae0f8b updated valgrind.suppress.
4b4bfca98 updated valgrind.suppress.
34e238921 updated valgrind.suppress.
358052601 allow use of the DDEBUG macro from the outside (via the "-D DDEBUG=1" cc option).
de77fd22c updated docs to reflect recent changes.
719ffa26a reindexed the test cases.
5f082e564 Merge branch 'master' of github.com:agentzh/headers-more-nginx-module
006ecab22 bugfix: removing builtin headers in huge request headers with 20+ entries could result in data loss. thanks Chris Dumoulin for the patch in github issue #6.
4f911f68d updated valgrind.suppress for gcc 4.6.
87595f744 optimized the previous commit for padding header value strings with '\0'.
7a719b8ae bugfix: the more_set_input_headers directive might cause invalid memory reads because nginx request header values must be null terminated. thanks Maxim Dounin.
ffdda4535 bugfix: more_set_input_headers did not handle the Accept-Encoding request headers properly. thanks 天街夜色.
6cd7ae83c bugfix: Cache-Control header modification might introduce empty value headers when using with the standard ngx_headers module.
55ad2f48e fixed the download page links in docs.
be6a17e76 updated docs to state that we work with nginx 1.0.8 and 1.1.5.
f7cb29e24 fixed setting Cache-Control response headers. we should properly prepare the r->cache_control array as well.
5de933dc4 we should not set header->hash with ngx_hash_key_lc, not simply to 1.
b3c6230a3 use Test::Nginx::Socket instead of Test::Nginx::LWP.
ff219e96e fixed a bug when setting a multi-value response header to a single value: the single value will be repeated on each old value.
379085532 confirmed that we work with nginx 1.0.6.
9057b0991 fixed on-demand handler/filter registration trick for HUP.
936a555d6 fixed the "<" and ">" symbols in the markdown doc.
5d484ecc7 updated links in docs.
8b78aec44 renamed the wiki file.
264e523fa added internal cross links to README.markdown.
e6c635856 added more hyper-links to README.markdown.
61db52f55 removed unused utilities.
12ccabb15 fixed source lines exceeding 80 cols; checked README.markdown.
78286ca0d confirmed that we work with nginx 1.0.5.
137855d9d release v0.15.
5fac22379 now more_set_headers supports overriding charset in Content-Type. thanks ML.
2c629dee0 fixed an issue in more_clear_headers: we should remove all the instances of the headers specified, not only the first occurrence. thanks 李杨.
b1c4273ae back-ported a bugfix from ngx_lua: in output header set, we should always set the header->hash to 1. thanks moodydeath for reporting it.
6a12aa524 confirmed that we work with nginx 1.0.2.
ef15b439f minor updates.
b27e5d92a minor coding style fixes.
28c62d1d2 added more tests for Accept-Ranges and also fixed a bug when clearing this header. thanks Bo Blangstrup.
7bba2a12b fixed the links to the test suite.
2cbbc15d6 updated the documentation to reflect recent changes.
3641ccfd5 updated .gitignore.
fb2d8935d now we postpone the rewrite phase handler only once rather than on every main request previously. this will save some CPU cycles on every request.
d732166eb removed the bundled Test::Nginx module from our repos; also raised test/t to the toplevel directory.
19e17f08b fixed two spots where we did not check against null pointers when allocating memory.
592845e90 now we use the 2-clause bsd license.
8bd248f0d updated README from the wiki page.
df422fe8a minor tweaks of coding style and .gitignore.
c808e71eb renamed the source file names a bit.
c5b6141b4 minor coding style tweaks.
b4abf2bbf Merge branch 'master' of github.com:agentzh/headers-more-nginx-module
80bcb021b Update Test::Nginx.
442f86638 updated Test::Nginx.
8447e58c5 updated Test::Nginx.
780408eff Use build farm's default server port in tests.
27735dd30 Update Test::Nginx.
9508330b0 releng work for 0.13.
7c6b53e24 fixed a bug in rewrite phase postponing algorithm which may cause eval {...} running after "if". thanks Liseen Wan (xunxin).
7d2db6fa0 enabled the no-pool-nginx patch in our build.sh script for nginx 0.8.41.
b14033607 added a test case for adding a header with an empty variable as its value (from Piotr Sikora).
435fee6d3 updated readme to reflect recent changes.
079fa9507 fixed a vim typo...
e64e736af we should explicitly clear r->headers_out.content_type_lowcase or it will defeat the gzip filter module.
55cbcab47 added tests for issue 3 ("breaks mime types") on GitHub but cannot reproduce the issue with nginx 0.7.66 nor nginx 0.8.40.
b8c872152 updated docs for v0.11.
87e6e7318 fixed the variables-in-Range-header issue reported by Alexander Vetrin.
2afd97b48 use the name "ngx_headers_more" to help SEO.
ae532d8d9 updated docs for v0.10.
aaf5fce53 removed input headers physically from the r->headers_in.headers list because ngx_proxy does not honor h->hash.
793158dcf removed some debugging code.
c68a095c4 now we can completely erase any output headers (both custom and builtin ones).
75b1bfa5d updated README to reflect recent changes.
00c986fde minor style tweaks in the .t files.
c47b63790 fixed a memory initialization issue for more_set_input_headers -r, we should always initialize hv.replace even when replace == 0. thanks valgrind++ :D
1b93def22 implemented wildcard header clear
3a67ad830 work around the links in README.
126fce84c updated Test::Nginx.
5cd9a384f documented the -r option.
0b16d5c3f Merge branch 'dobe-r'
0febdfca7 added -r flag to more_set_input_headers
7da6665da updated .gitignore.
d0f2bb40e sync'd the test scaffold with Test::Nginx 0.08 on CPAN.
fb5ebd568 use ngx_null_string whenever possible.
348da493f sync'd Test::Nginx to 0.07.
4629b7f8e some coding style tweaks.
a127664fc added t/bug.t
db9913e9c updated docs to reflect recent changes.
fc18a5cec fixed the more_clear_headers directive for builtin headers like "Server" and "Last-Modified" by always inserting an empty header when absent. Thanks Sebastiaan Deckers for reporting it.
753e74c66 sync'd Test::Nginx 0.05.
985eeb0b7 updated the test scaffold to Test::Nginx 0.04.
dd3ec52a2 updated test scaffold.
e427600d2 git ignore reindex.
1792f2d93 releng work for v0.06.
f901cecf9 confirmed that we also work in subrequests in t/subrequest.t.
1cc21a715 now the input header handler runs at the *end* of the rewrite phase.
b154fdb6b now we free empty headers and types array structs eagerly.
1a2d9c6f9 updated the test scaffold.
05e0fd6c0 sync'd the docs with the wiki page and confirmed that it works with the new nginx 0.8.28 release.
219e6dd05 added a test for rewriting the input Content-Length header using the rewrite module's set directive.
d5af63059 sync'd with the wiki page.
628923157 added the wiki page as the main doc.
bce15002d added a (passing) test for mixed input/output setters.
8288003cc more docs.
3391d9d71 fixed variables in more_set_input_headers by registering the handler in the "access phase".
e2a7a9630 added new directives more_set_input_headers and more_clear_input_headers.
83bf8ed38 now we require at least 0.7.44 due to the use of ngx_http_complex_value_t.
ad8b0e5ea releng for v0.03.
b93bd9b1f fixed the uninitialized s/t bug in parse_statuses and parse_types. also added a (failing) test for the input header directives.
219d75425 first big refactoring in order to introduce input header support.
91cf5b797 refactored the structs into the header.
993e75b20 more README tweaks.
6023eac18 tested against the latest 0.8.27 and 0.7.64.
1da2c8721 added more docs to README.
8483f9a62 removed explicit clear header handlers.
ade7573ba now we support variables in new headers' values.
742097fdc fixed a typo in README.
c131b08ed 0.7.21 is the minimum nginx version requirement.
5e86ea379 more docs and more love.
934fe6677 updated README.
c6af9971e this module is now usable.
0593d3b42 added tests for the Charset header.
6fdb040be more tests and more fixes.
51c432883 fixed Content-Type.
ba695a3c0 fixed various bugs and all tests are passing now.
b3b524553 fixed a bug where I carelessly used r->headers_in for r->headers_out. the test is passing now.
229898621 added a simple test which is failing atm :P
5af162eb9 things are complete now but we haven't tested anything yet :P
bb0a53ca0 it finally compiles :)
af379a735 implemented parsers for the -t and -s options in the config directives.
148554637 added usage to README.
8b0498a95 added README.
8876cec82 initial checkin REVERT:576cb8197
Merge commit 'c473aa40807f32438ffe34bdfe07f8f0485a6aa4' into dev REVERT:c473aa408
Squashed 'src/deps/src/lua-resty-openssl/' changes from b23c072a4..89195843c REVERT:456e6a33d
Update lua-resty-openssl to v1.0.1 REVERT:11c4fde61
Merge commit '805e5c9cee2a72af6b6297b2993109511b42d485' into dev REVERT:805e5c9ce
Squashed 'src/deps/src/libmaxminddb/' changes from ac4d0d248..93a7e0e56 REVERT:afcf420ee
Update libmaxminddb to v1.8.0 REVERT:7aa6affe1
Merge commit 'e3f305a953ef5dbf6802090c7013f4c38d762449' into dev REVERT:e3f305a95
Squashed 'src/deps/src/ngx_devel_kit/' changes from b4642d6ca..91e30eb05 REVERT:cba20187c
Update Nginx devel kit to v0.3.3 REVERT:10a58377b
Fix multiple CVEs related to libpq * CVE-2023-5869 * CVE-2023-5868 * CVE-2023-5870 REVERT:7c564e4cb
Update pre-commit hooks to latest versions REVERT:bff775f00
Fix issues with the Linux integration and external databases REVERT:71db00281
Merge pull request #759 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.161.0 REVERT:940eecd06
deps/gha: bump ruby/setup-ruby from 1.160.0 to 1.161.0 REVERT:42f7ef486
Update user interface demo image in README.md REVERT:b2a56a82a
Update BunkerWeb UI demo to use thumbnail image REVERT:0d0bad79b
Update Python version in Dockerfiles REVERT:b539a97ad
Fix CVE CVE-2023-5678 in Dockerfiles REVERT:05da26f01
Update dependencies to latest versions REVERT:e153c33aa
Update maxminddb and other dependencies versions REVERT:8d024a099
Merge pull request #751 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.7.1 REVERT:ca6271c60
Merge pull request #750 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.160.0 REVERT:fbbec2f7f
deps/gha: bump rickstaa/action-create-tag from 1.6.6 to 1.7.1 REVERT:9c6f5289d
deps/gha: bump ruby/setup-ruby from 1.159.0 to 1.160.0 REVERT:bcded8f7c
Add refurb as a pre-commit-config hook and apply pre-commit-config REVERT:966a78da9
Update Git attributes to ignore text and end-of-line settings for vendored files REVERT:f111124b3
Update dependencies versions REVERT:d2b82b29d
Fix CVEs CVE-2023-43787, CVE-2023-43785 and CVE-2023-43786 REVERT:dc5a7b8b2
Update mmdb files REVERT:c32522ae2
Update Certbot module to version 2.7.4 + Update python deps hashes REVERT:54ead4e49
Merge pull request #744 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.6.6 REVERT:d83536969
deps/gha: bump rickstaa/action-create-tag from 1.6.4 to 1.6.6 REVERT:b79b6548b
Merge pull request #741 from bunkerity/dependabot/github_actions/dev/hashicorp/setup-terraform-3.0.0 REVERT:b05b98185
docs - update plugins to 1.2 REVERT:e8803e346
cache linux test images, fix linux example of proxy protocol and add more logs to k8s tests REVERT:7565b2df5
Merge branch 'dev' into staging REVERT:c817f45ab
add ready checks to limit and redis core tests and fix wrong http port for behind reverse proxy linux test REVERT:f9f616a66
Merge branch 'dev' into staging REVERT:4871185dc
Update python deps and pin Flask-Login version REVERT:cd773b6e8
add ready checks to reversescan and sessions tests REVERT:898ef2eff
deps/gha: bump hashicorp/setup-terraform from 2.0.3 to 3.0.0 REVERT:fa628cb7d
linux - add default API_LISTEN_IP REVERT:18d682b5a
linux - add missing API_LISTEN_IP initial setting and perform only hot reload REVERT:4fbd974d2
tests - set trace verbosity for geckodriver logs REVERT:a7c343369
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:7d69b9105
tests - fix missing geckodriver log file in ui tests REVERT:29d7d94b2
[#739] Fix potential issue when fetching docker instances in the web UI REVERT:84eb94720
tests - add geckodriver log file for ui tests REVERT:40e118a71
tests - add more logs to ui linux tests REVERT:0e3d8e59c
tests - retry UI access in case of network exception REVERT:86875f486
tests - fix misc ready check when using https and add ready checks for linux ui REVERT:d4a2ba5fc
tests - add ready checks to customcert and misc REVERT:3020c5c8e
tests - add ready check for customcert core test REVERT:c1562bc89
Merge pull request #737 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.5 REVERT:322cfd217
deps/gha: bump github/codeql-action from 2.22.4 to 2.22.5 REVERT:caf732be1
Merge pull request #736 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.159.0 REVERT:667620b52
deps/gha: bump ruby/setup-ruby from 1.158.0 to 1.159.0 REVERT:fb21786b8
linux - fixing nginx service not disabled and fix another missing error log path in UI REVERT:5887b894f
ui - fix wrong error path when starting nginx REVERT:4e820f6de
linux - remove sudo command when reloading nginx REVERT:35d16233c
ci/cd - ignore ready conf for db tests and fix linux path for ready conf REVERT:9775cd5bb
ci/cd - fix missing string in /ready endpoint and add /ready endpoint to linux tests REVERT:274a8cdfb
ci/cd - trying to fix race condition for core tests REVERT:d73a5d0f4
Merge pull request #735 from bunkerity/dev REVERT:ed0e156bc
Update Werkzeug to version 3.0.1 in web UI REVERT:8ec9a7df4
Fix compatibility issue with Docker Compose v2 2.23.0 in examples and docs REVERT:72d856abe
Update certbot to version 2.7.3 + regenerate hashes for db and scheduler REVERT:ab76c458e
Merge pull request #732 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.158.0 REVERT:6edf97a0d
deps/gha: bump ruby/setup-ruby from 1.157.0 to 1.158.0 REVERT:58d6b8142
use cap in Linux and add openssf badge REVERT:a83a74cfa
Merge pull request #729 from bunkerity/dev REVERT:0975de123
[#717] Add a pool_recycle database engine arg to avoid losing connection with database REVERT:762092e5e
Remove no longer necessary retrying module REVERT:8963cb4d1
Update python deps REVERT:c2252503d
Merge pull request #721 from bunkerity/dependabot/github_actions/dev/ossf/scorecard-action-2.3.1 REVERT:626f10b4c
Merge pull request #722 from bunkerity/dependabot/github_actions/dev/actions/setup-node-4.0.0 REVERT:f2b9fc0f8
Merge pull request #724 from bunkerity/dependabot/docker/src/autoconf/dev/python-a5d1738 REVERT:c8eae49e5
deps/autoconf: bump python from `dc2e889` to `a5d1738` in /src/autoconf REVERT:ab320794a
Merge pull request #723 from bunkerity/dependabot/docker/src/ui/dev/python-a5d1738 REVERT:572436f20
Merge pull request #720 from bunkerity/dependabot/docker/src/scheduler/dev/python-a5d1738 REVERT:6f366450b
deps/ui: bump python from `dc2e889` to `a5d1738` in /src/ui REVERT:f6d2e205c
deps/scheduler: bump python in /src/scheduler REVERT:50a60382a
Fix CVE CVE-2023-5363 REVERT:989c14ae7
Fix CVE CVE-2023-5363 REVERT:a847f7778
deps/gha: bump actions/setup-node from 3.8.1 to 4.0.0 REVERT:8708ad70c
deps/gha: bump ossf/scorecard-action from 2.3.0 to 2.3.1 REVERT:eeda7a18c
Update python deps + add retrying module to db REVERT:5193d6cd1
Update docker images REVERT:09ee05083
Merge pull request #719 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.157.0 REVERT:0afed0621
Merge pull request #718 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.4 REVERT:8919592f5
deps/gha: bump ruby/setup-ruby from 1.156.0 to 1.157.0 REVERT:d253b4438
deps/gha: bump github/codeql-action from 2.22.3 to 2.22.4 REVERT:f798a9ef9
Merge pull request #715 from bunkerity/dev REVERT:cd902eba3
prepare for 1.5.3 🚀 REVERT:029217ff4
Fix update-version.sh script REVERT:10db67b87
Merge pull request #714 from bunkerity/dev REVERT:c7543df86
Add a handler when the ui test is reaching an error page due to a connectionFailure REVERT:1f5a1beac
[#645] Fix web UI not keeping the data when changing the sub server names + Fix custom cert when the server name has multiple domains REVERT:ff1fc9280
[#712] Fix custom configuration changes not taking effect immediately REVERT:838dcb17c
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:b18dbddcd
Merge pull request #713 from bunkerity/dependabot/pip/src/scheduler/dev/certbot-2.7.2 REVERT:ca6938dfe
Update ConfigFiles to use the correct name regex in web UI REVERT:643ea7c21
deps/scheduler: bump certbot from 2.7.1 to 2.7.2 in /src/scheduler REVERT:e41ce10e3
Merge pull request #711 from bunkerity/dev REVERT:b265cbad5
ci/cd - trying to fix azure/kubectl action REVERT:7e3aad9f0
[#645] Fix impossible to edit the server_name of an already existing service if the primary one was unchanged in web UI REVERT:60d43d0ce
Handle service creation and editing more elegantly in web UI REVERT:2df85b2c9
Updated python:3.12.0-alpine image's sha256 REVERT:3a3255e7b
Merge pull request #709 from bunkerity/staging REVERT:4c273fe84
Merge pull request #708 from bunkerity/dev REVERT:9964f42e6
Fix magento k8s tests REVERT:b2cf8986f
Tweak magento tests to use latest version back REVERT:7f219bea0
Fix CHANGELOG release date for v1.5.2 REVERT:b9f05ad16
Downgrade magento versions to working ones REVERT:bd6065af8
Update python deps and pin urllib3 version to 1.26.18 + Update pre-commit-config to format requirements.in files as well + Apply pre-commit REVERT:619e5644f
Remove pip caching when setting up python in workflows to avoid errors REVERT:3c3643021
Merge pull request #707 from bunkerity/dev REVERT:7598dbc54
Update python deps REVERT:f3982367a
Update dependabot script to add reviewers and tweak the schedule REVERT:d4f65903e
Update dependabot config file to include terraform and other python deps paths REVERT:38429efac
Merge pull request #705 from bunkerity/dependabot/github_actions/dev/actions/checkout-4.1.1 REVERT:d92e9a07a
Fix k8s terraform script REVERT:6738b9552
deps/gha: bump actions/checkout from 4.1.0 to 4.1.1 REVERT:0da22f44b
Update k8s terraform file and update scaleway terraform version REVERT:d77f6a72c
Fix README.md links and versions REVERT:7bf8be324
Try to fix magento k8s tests with static versioning REVERT:b9c5d3277
Fix timeout in ui tests and access_page function REVERT:b1b1ab868
Fix wrong values in helm chart values file for elasticsearch in k8s magento example REVERT:530b8a945
Fix allow empty values when saving a config in web UI REVERT:22552c5b8
[#694] Optimize certbot renew script to renew all domains in one command REVERT:db0dd5dae
[#694] Fix rare bug where database is locked REVERT:f89456cd4
Merge pull request #699 from Crazy3lf/master REVERT:34d68e8b7
Update regex for email REVERT:476d86706
Fix magento k8s tests by removing elasticsearch REVERT:4a10ec8c3
Merge pull request #701 from bunkerity/dev REVERT:c4b873e3f
Fix /etc/bunkerweb dir missing in linux core tests REVERT:bcaa8faa7
Replace deprecated `set-output` command with the new format REVERT:08944b901
Tweak test-core-linux to fix potential bugs REVERT:13be6a43c
Add more logs when an url file is in cache and gets deleted REVERT:2737fe7ce
Update python deps REVERT:2823fa2ab
Update plugin.json REVERT:001246b38
Merge pull request #697 from bunkerity/ui REVERT:1a43380d2
Merge pull request #696 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.3 REVERT:0b319d1aa
Merge pull request #695 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.6.4 REVERT:7a15f8a65
deps/gha: bump github/codeql-action from 2.22.1 to 2.22.3 REVERT:a4a413eec
deps/gha: bump rickstaa/action-create-tag from 1.6.3 to 1.6.4 REVERT:7e3dabc5f
Update patch commands in deps.json to skip Reversed warning REVERT:8093c6161
Merge commit '29737209b138a1485d55c53acf1a6783b6e60167' into dev REVERT:29737209b
Squashed 'src/deps/src/luajit/' changes from e598aeb74..492cfdd0d REVERT:85913d6b2
Update luajit to v2.1-20231006 REVERT:15d3180b6
move disabled inp msg REVERT:522527f0a
Merge pull request #690 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.156.0 REVERT:85ef4e4de
Merge pull request #691 from bunkerity/dev REVERT:46d8acf7b
Update dummy-plugin to new standards REVERT:77bfe2697
Add StyLua and luacheck to precommit config file and apply it REVERT:da2a1eaa5
deps/gha: bump ruby/setup-ruby from 1.155.0 to 1.156.0 REVERT:cd1f87b9a
Update pre-commit config hooks version REVERT:e25fab28b
fix disabled msg behavior REVERT:c125a9bdd
Merge pull request #689 from bunkerity/dev REVERT:10fd431fb
Tweak update python deps script to make it more elegant REVERT:309689185
Update python deps REVERT:799756176
Merge pull request #684 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.1 REVERT:a12e5ca89
Merge pull request #683 from bunkerity/dependabot/github_actions/dev/stefanzweifel/git-auto-commit-action-5.0.0 REVERT:15ad3a625
Merge pull request #681 from bunkerity/dependabot/github_actions/dev/ossf/scorecard-action-2.3.0 REVERT:c57d725f4
Merge pull request #680 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.155.0 REVERT:95389260a
Merge pull request #688 from bunkerity/dev REVERT:6e5dd5557
Fix CVE CVE-2023-44487 REVERT:565f4e3f7
Merge pull request #687 from bunkerity/dev REVERT:f39adcab5
Update CHANGELOG.md REVERT:a3ec85b57
Fix often occurring error with ace script in web ui REVERT:b063ac8a3
[#652] Fix error when deleting a service that has custom configs on web UI REVERT:ff85f1c2b
Update CHANGELOG.md REVERT:4a9fdba42
[#645] Fix errors when using a server name with multiple values in web UI REVERT:47a7e1680
Fix secure_scheme_headers shenanigans with web ui REVERT:453108da9
Update mmdb files REVERT:2cbb10b3a
Revert "Test Aqua security vulnerabilities with BW" REVERT:d4d9f8745
Test Aqua security vulnerabilities with BW REVERT:899484c38
deps/gha: bump github/codeql-action from 2.21.9 to 2.22.1 REVERT:d461f3745
deps/gha: bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 REVERT:cd0ceb48b
deps/gha: bump ossf/scorecard-action from 2.2.0 to 2.3.0 REVERT:dc92ae825
deps/gha: bump ruby/setup-ruby from 1.154.0 to 1.155.0 REVERT:f5fe685d4
Fix children classes of Test REVERT:f4ce2c68f
Fix bw api not returning the reason of bans REVERT:d1a0f66c9
Merge pull request #677 from bunkerity/dev REVERT:6935d1cb8
Merge pull request #676 from bunkerity/dev REVERT:7ac66a6c6
Update python deps REVERT:2aa9f46ef
Fix default values in whitelist job REVERT:8f456722e
Augment delay in WebDriverWait in ui tests REVERT:8ae7b8f43
Fix redirect tests docker-compose file REVERT:9b4a9277d
Add libpq as a dependency for the Database to be able to connect with postgres REVERT:172874d1c
Fix redirect tests on docker REVERT:a518f47b9
Update CHANGELOG.md REVERT:0cee41867
[#656] Fix ACME renewal fails on redirection enabled Service REVERT:e956e03ba
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:c08fd07a6
Update linguist-vendored to add modsecurity files and non patch deps files REVERT:466c8e584
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:27d3ca1cd
autoconf - fix wrong types for dynamic settings REVERT:410557009
Add .gitattributes to override linguist-vendored paths REVERT:e7498279c
Revert Docker image update for tests REVERT:fe87486f9
Merge pull request #673 from bunkerity/dev REVERT:c2db157bb
Update python docker image to 3.12.0 REVERT:eb8088164
Tweak Dockerfiles to make the build nicer REVERT:202698f41
Fix python deps conflicts and update them REVERT:0eb18cb31
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:f12a01410
autoconf - update settings from db REVERT:628068e9a
Lint files with prettier REVERT:f3694f0cc
Add prettier as a precommit hook REVERT:b56cce63f
Fix codespell typos in README.md REVERT:87ca17663
Fix typos raised by codespell REVERT:eea5dd9b7
Add codespell precommit hook REVERT:8fbe69261
Fix mkdocs.yml file duplicate copyright key REVERT:cf82e73e9
Fix swarm postgres ui integration example REVERT:6b2df3585
Tweak py file to respect flake8 rules REVERT:508c728b6
Tweak pre-commit config and pyproject.toml file + Add flake8 as linter in precommit config REVERT:75e8c8339
Update CHANGELOG.md REVERT:07676a3d0
Use hashes instead of versions in github workflows REVERT:f0761eed2
Revert "Add fuzzing tests in CI/CD" REVERT:4babce974
Add fuzzing tests in CI/CD REVERT:a263f1f4f
Update cron for dev-update-mmdb REVERT:31a839968
Merge pull request #666 from bunkerity/dev REVERT:d8b256167
Merge pull request #665 from bunkerity/dev REVERT:87d2f04eb
Remove no longer necessary temp fix for Flask-login REVERT:c006e5088
Update python deps + Update Flask-Login to include the compatibility with Flask 3.0.0 REVERT:df9bf1f56
Merge pull request #664 from bunkerity/dev REVERT:6b0e623e5
Update Dockerfiles to install pip and its deps before the project ones REVERT:85068bfee
Add temp fix to support Werkzeug>=3.0.0 with Flask-login REVERT:5a7f9147f
Update python deps and update script REVERT:358905770
Fix bunkerweb-ui.sh script with variables not being exported correctly REVERT:5ed595be6
Fix shellcheck tests failing REVERT:e21e0c812
Add shellcheck and gitleaks to pre-commit-config + tweak excluded paths REVERT:1b7e1840c
Fix blacklist core tests' requirements.txt file REVERT:1f90d3668
Add a pre-commit-config file and passed all checks REVERT:f3fc69110
Fix typos in Dockerfile when installing python dependencies REVERT:073e8575e
Updated Dockerfile, python deps and npm package to use pinned dependencies REVERT:cd4d529d7
Merge pull request #660 from bunkerity/dev REVERT:b4a320afa
Made ui tests better REVERT:8ed656068
Small fixes on linux paths creating unnecessary folders REVERT:8fa7adb61
Small refactor on how the autoconf updates the config REVERT:4ec754143
Handle changes more elegantly with the scheduler REVERT:0f7df13df
Optimize save_config script REVERT:48096d711
Optimize the way the UI handles services creation and edition REVERT:c0816bb11
Fix potential cross-site scripting vulnerability in plugins.js in the UI REVERT:18e5f7bff
Merge pull request #659 from bunkerity/dev REVERT:ece5ce1cd
Add HTML sanitization when injecting code in pages in the UI REVERT:4d5002674
Extract codeQL workflow to have a separate one + Add scorecards analysis workflow file + Add UI tests for the UI branch REVERT:1c71572f4
Update tsparticles in the UI + remove unused static files REVERT:685cb9809
Update README to fix a few links and add the security scorecard badge REVERT:65d0aa3a8
Merge pull request #658 from bunkerity/dev REVERT:6e2db5991
Add a sleep before changing from cache page to log page to avoid errors in ui tests REVERT:1db769c32
Remove bugged UI tests check in linux REVERT:db99d1687
Update the condition that checks the integration in core tests REVERT:579c80357
Update UI starting script and ui tests script on linux REVERT:b901d2971
Update python deps REVERT:e23f931bd
Replace gevent with gthread in UI for security reasons REVERT:15eef6ef5
Try to fix python deps issues with linux and try to have more logs in linux ui tests REVERT:cc0167f42
Fix ui linux tests when waiting for the ui to be ready REVERT:fd4c147b8
Update how the scripts wait for the UI to get ready before starting the tests REVERT:95afba879
Change how the ui tests waits for the ui to be ready REVERT:ea5cb0db2
Try to fix ui linux test by adding more sleeps REVERT:cb3250e4e
Fix UI linux test (again) REVERT:153e9fecf
Fix bunkerweb linux scripts REVERT:81b5e80da
Try to fix deps permissions with linux ui tests (again) REVERT:6a162d725
Fix linux permissions with ui tests REVERT:be5fe2830
Try to fix ui python deps in ui linux tests REVERT:380e609ab
Change ui linux tests command into development mode REVERT:93006cf5c
Fix Firefox installation in core and ui linux tests REVERT:39f17bce6
Try to fix permission issues with Linux and ui python deps REVERT:94c7c832e
Fix permissions with python deps in ui linux tests REVERT:42be334e4
Fix permissions with ui tests on linux REVERT:cad3012e6
Try to fix python dependencies error with test ui linux REVERT:a04282d3f
Fix test core redis with linux REVERT:c757f5d49
Re generate requirements.txt file for the UI with python3.9 REVERT:052e06022
Fix core and ui workflow file for staging tests REVERT:e71b71146
Merge pull request #655 from bunkerity/dev REVERT:b90da0f90
Add better health check in linux ui tests REVERT:5c1fafe51
Updated CHANGELOG.md REVERT:c964d68f9
Add more tries when the dnsbl server isn't found REVERT:78a29e65e
Tweak reversescan core test to avoid false negative REVERT:0e9f29cc5
Revert "Fix UI shenanigans with python deps" REVERT:70ab9740d
Fix UI shenanigans with python deps REVERT:0303a8f7b
Update staging workflow file to include core and ui linux tests REVERT:16d4c1133
Optimize the way errors are being checked in linux core tests REVERT:2ddc8cec7
Update dnsbl list regex to accept an empty one REVERT:6534a429a
Fix looking for error in the wrong place in test code linux REVERT:25eb8de01
Try to fix a few shenanigans with linux core tests REVERT:2065d688f
Fix ui tests with docker checking the wrong containers if healthy REVERT:87f84d438
Add a retry on nginx error in linux core tests REVERT:99b30af8e
Fix reverse scan python script REVERT:1ff2aed68
Fix UI docker tests docker compose file REVERT:48bcb1198
Rearrange imports for blacklist init core test REVERT:ae9450d0d
Add whitelist and greylist linux core tests REVERT:9a17e92d6
Fix typos in dnsbl core test REVERT:2244f734f
Add dnsbl linux test REVERT:a29ac80e4
Add country linux tests REVERT:cff5c7767
Fix sessions core test for linux REVERT:6ae6764f2
Fix blacklist core tests docker compose REVERT:27959e1aa
Fix sessions permissions issues with python requirements REVERT:47e8f20f8
Fix CVE CVE-2023-38039 REVERT:6283ce2dd
Add linux tests for blacklist and bunkernet REVERT:f3d6f860e
Remove old cached files if urls are empty REVERT:61c8ef73b
Fix permission issues with sessions core test with linux REVERT:be25ae8e0
Fix failing linux core tests + add more logs when an error occurs in ui tests REVERT:33e200f65
Fix UI using the wrong database when generating the new config REVERT:57374ecc2
Fix tests ui with linux REVERT:601f0fde6
Fix tests ui linux not starting the ui service REVERT:fdb9a7c29
Fix errors linux tests permission issues REVERT:df1205882
Fix tests ui linux executing the wrong file REVERT:db404a62c
Fix ui tests misconfiguration REVERT:a0aced3e5
Fix tests ui linux workflow file REVERT:e378be9a9
Fix typo in tests ui linux file name + add more logs in ui docker tests REVERT:432d1587c
Add linux ui tests REVERT:2ad886178
Fix selfsigned job with cryptography not being found REVERT:da4390b48
Fix python modules version conflict with web ui REVERT:7bd48203a
Fix and update python deps REVERT:ce2fa3d36
Fix a few core tests for linux REVERT:bca36e296
Update self-signed job to regenerate the cert if the subject or the date has changed REVERT:06da40bf1
Added more linux core tests REVERT:84a27a3fc
Fix DB core test with docker REVERT:9e3425182
Fix path issues with db core test init REVERT:c90cd7399
Fix permission issues in tests core linux REVERT:91e5528a3
Fix already existing tests core linux REVERT:aeee38ad3
Fix misc problems related to linux REVERT:d97326656
Fix Database not clearing old services when not using multisite REVERT:8a6e14d8c
Added linux tests to a few core plugins REVERT:0ece8fda0
Fix permission issues when starting BunkerWeb in antibot linux tests REVERT:e93513224
ci/cd Try to fix permission problems with Firefox in test core linux REVERT:761c01af6
ci/cd Fix test core linux shenanigans with Firefox REVERT:0d9349611
ci/cd Try to fix errors with firefox in test core linux REVERT:094d5d5df
ci/cd Fix a few things with test core linux + finish antibot linux core tests REVERT:fdae4549c
ci/cd Fix permission issues (again) with test core linux REVERT:d59cf1835
ci/cd fix permissions issue in test core linux + fix shenanigans with antibot linux core tests REVERT:43b1a038f
ci/cd clear out firefox before reinstalling it in test core linux REVERT:d192fbb82
ci/cd Install Firefox manually in test core linux REVERT:0239ca64b
ci/cd test core linux remove dns resolvers override REVERT:1dd1caeea
ci/cd Fix Firefox installation for test core linux REVERT:a0516f773
ci/cd Install firefox from apt instead of snap + fix antibot core tests for linux REVERT:480c680f1
ci/cd Fix timeout in geckodriver download for test core linux REVERT:a94dab208
ci/cd fix retry job when downloading the geckodriver in test core linux REVERT:d0a1aab15
ci/cd Fix perms issues (again) and optimize some things in test core linux REVERT:dd0c4c93a
ci/cd Install requirements and deps in test core linux REVERT:294402dbf
ci/cd fix perms issues with test core linux REVERT:cd35d35c2
ci/cd Fix perms in variables.env for test core linux REVERT:4cce8385c
ci/cd fix write in /etc/hosts file in test core linux REVERT:990b6336e
ci/cd Fix test core linux with dpkg versioning REVERT:ccc5eb304
ci/cd Fix version error with ubuntu and test core linux REVERT:6a3839040
ci/cd Fix tee command not being run as sudo in tests core linux REVERT:453cfc2dc
ci/cd Fix BunkerWeb installation job with linux core tests REVERT:0b14f8a5d
ci/cd Fix install command in linux core tests REVERT:624f4b5bb
ci/cd Fix path of the .deb file REVERT:61bc8a3b1
ci/cd fix .deb fetching in Linux core tests REVERT:fa91bf6c6
ci/cd change needs and logic in test core linux REVERT:b54c7eb61
ci/cd test secret inherit for ubuntu private test image REVERT:30cba0a77
ci/cd fix dev.yml REVERT:80d56fcca
ci/cd start working on linux core tests REVERT:69307fba6
Fix issues with GitHub rejecting the requests REVERT:7c5177bf4
[#643] Fix UI clearing configs folder at startup REVERT:b5bd17d4d
Merge pull request #641 from bunkerity/dev REVERT:ad65e01a8
Update CHANGELOG.md REVERT:1259fb67d
Merge pull request #634 from bunkerity/dependabot/github_actions/dev/docker/setup-buildx-action-3 REVERT:b9e752f12
Merge pull request #636 from bunkerity/dependabot/github_actions/dev/docker/login-action-3 REVERT:278eb0c8a
Merge pull request #635 from bunkerity/dependabot/github_actions/dev/docker/build-push-action-5 REVERT:dec97c8c3
Merge pull request #637 from bunkerity/dependabot/github_actions/dev/docker/metadata-action-5 REVERT:9222420b7
[#640] Fix shenanigans when executing docker compose restart REVERT:07fb7cf16
[#638] When renaming a service in the UI, migrate the custom configurations as well REVERT:f83b2278d
Fix versions conflict between greenlet and gevent with UI REVERT:e51e17835
Update python deps REVERT:3c95971e3
Fix CVE CVE-2023-4863 REVERT:bb7ef35ae
Merge commit '35d13d7a097dd094cdbe993f18f29de0b08f1f2b' into dev REVERT:35d13d7a0
Squashed 'src/deps/src/zlib/' changes from 04f42ceca..09155eaa2 REVERT:d96253878
Merge commit '4430cf47ddc1f3647b3bc129f46fed2d7a145f8c' into dev REVERT:4430cf47d
Squashed 'src/deps/src/luasec/' changes from fddde111f..4c0628705 REVERT:37a2343e2
Merge commit 'd8ee65aa70e9737330c8a83301fd66c7dc8a8d7a' into dev REVERT:d8ee65aa7
Squashed 'src/deps/src/lua-resty-session/' changes from 8b5f8752f..5f2aed616 REVERT:6752b3647
Merge commit 'd7bde18da2a8a81f2d5f256bc975b1fb5b546107' into dev REVERT:d7bde18da
Squashed 'src/deps/src/lua-ffi-zlib/' changes from 1fb69ca50..61e95cb43 REVERT:af902fc4e
Merge commit 'e0a89a2fcd1d0dd4cc103fc054242e8e8b10b7bf' into dev REVERT:e0a89a2fc
Squashed 'src/deps/src/modsecurity/' changes from 205dac0e8..ccc2d9b53 REVERT:5ec7eb53a
Squashed 'src/deps/src/luajit/' changes from 04f33ff0..e598aeb7 REVERT:26d3d6c6c
Merge commit '5ec7eb53a1fa30beb59d3358f16716483787b02e' into dev REVERT:0aaede4d6
Update core deps REVERT:955c7e063
deps/gha: bump docker/metadata-action from 4 to 5 REVERT:8ea823e06
deps/gha: bump docker/login-action from 2 to 3 REVERT:a6efa5205
deps/gha: bump docker/build-push-action from 4 to 5 REVERT:a6b30f6a6
deps/gha: bump docker/setup-buildx-action from 2 to 3 REVERT:1144a7381
make logs optional in issues, change assignee for dependabot and edit sitemap URL of the doc REVERT:c364e4666
ci/cd - disable redirect when pushing doc REVERT:d4f38cc79
ci/cd - fix error when parsing ARM types REVERT:b6d49865b
ci/cd - get ARM type availability REVERT:d0a8cc381
ci/cd - use volume id instead of index for arm instance REVERT:30c952e9e
ci/cd - set boot volume for arm instance REVERT:2382fdd37
ci/cd - start arm server after creation REVERT:05ecf558c
ci/cd - use latest scw cli version REVERT:2b7ce389b
ci/cd - reflect changes on release tf from refactoring REVERT:d5d7364b1
Merge pull request #632 from bunkerity/dev REVERT:3adbd8757
[#628] Fix scheduler generating the wrong configuration with Linux REVERT:fd7950863
Merge pull request #631 from bunkerity/dev REVERT:3ae9636d5
Fix error with the CSP header override of the antibot REVERT:f99349900
Merge pull request #630 from bunkerity/dev REVERT:ea6ae5253
Update ANTIBOT_HCAPTCHA_SECRET setting's regex to support new format REVERT:5811dc549
Merge pull request #629 from bunkerity/dev REVERT:6404b701c
Update changelog REVERT:2b5654ba3
Update coreruleset to version 3.3.5 REVERT:c948e449a
[#622] Handle configs dir more nicely in Linux REVERT:fb5a8dc4f
[#622] Fix permissions with folders in linux integrations REVERT:5f19b3fda
Merge pull request #627 from bunkerity/dev REVERT:2fce08b72
Upgrade issue templates REVERT:2ed6584dd
Update python deps hashes REVERT:d6a14b671
Merge pull request #626 from bunkerity/dev REVERT:b3c398cb5
Remove jinja2 from requirements.txt as it creates conflicts REVERT:6334a3d63
Merge pull request #623 from bunkerity/dev REVERT:8ab4ea2e2
Update id of ui.conf rules to avoid conflicts REVERT:11664cc1d
Fix wrong variable name in limit core tests REVERT:9535c0414
Fix shenanigans with both multiple and global settings not being stored correctly in datastore REVERT:8cafded89
Fix variables that are both multiple and multisite not being stored properly in datastore REVERT:c6b2199dd
prepare for 1.5.2 🚀 REVERT:c418acdcf
Update CHANGELOG.md REVERT:9d0d72ba0
[#576] Add support for ModSecurity JSON LogFormat REVERT:cbc625938
Update mmdb files REVERT:f57fc5d3f
Fix menu.html dark_mode attribute in UI REVERT:c7e834a0d
Update python deps REVERT:673ee921f
Lint files REVERT:9fb8dfca4
Fix Scheduler running two times for no reason REVERT:4787400d7
[#615] Fix BunkerWeb not being able to start after a restart because of the /var/run/bunkerweb directory missing in Linux REVERT:f59476c26
Merge pull request #621 from bunkerity/dev REVERT:4be53d0cb
Merge pull request #620 from bunkerity/ui REVERT:55ba29cd5
Fix UI error when values are empty REVERT:947690af8
Fix UI workflow REVERT:5cdf0ecf4
Merge pull request #619 from bunkerity/ui REVERT:d1dd1fbae
Fix shenanigans with the /data volume in the doc REVERT:1b84c6202
[#613] Fix logs with web-ui and Linux REVERT:a2e0f1fe6
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:639eed8d0
Deactivate BunkerNet on first start with linux REVERT:500c3564a
ci/cd - perform staging tests again REVERT:448efc0ef
Merge branch 'staging' into dev REVERT:1b660691d
ci/cd - fix typos for docker/packages pushes REVERT:e62b7c9d1
Remove unused js files in web-ui REVERT:b87316d7c
Merge pull request #617 from bunkerity/ui REVERT:4cff39f49
Merge pull request #616 from bunkerity/dev REVERT:bceb28602
Lint files REVERT:d9d6ed9bb
Fix settings regex with web-ui REVERT:01be5baea
Merge pull request #611 from bunkerity/dev REVERT:059afec43
Update rhel docker image REVERT:e564d8407
Merge pull request #610 from bunkerity/dev REVERT:2c15b3746
Fix rhel typos "el" instead of "rhel" REVERT:6f26c42c8
Merge pull request #609 from bunkerity/dev REVERT:c5059ab22
Update doc to include TLS as well as HTTPS in some sections REVERT:a7a317b5b
Merge pull request #487 from bunkerity/dependabot/github_actions/dev/scaleway/action-scw-c718eca1fcb9fec1fb1433752d61599c6a0ad2e9 REVERT:0681cf2c9
Update actions/checkout to v4 REVERT:3a02c0ca5
Add more delays in badbehavior core test REVERT:040d44714
Change SQLite config to avoid locking REVERT:07725356b
Merge branch 'staging' into dev REVERT:6a995723c
autoconf - fix changes check bug with same variable name REVERT:47bf7299a
Lint py files REVERT:656c5008d
scheduler - ignore changes on first loop REVERT:c206daf9d
add basic config lock between autoconf and scheduler + remove reverse-proxy tests for linux REVERT:cf55ade15
ci/cd - various fixes for k8s tests REVERT:d28432e5f
Fix API_SERVER_NAME regex REVERT:b5638aae1
ci/cd - move k8s login in staging-tests job REVERT:4450762b8
ci/cd - fix image name in k8s tests REVERT:6e1660cd0
autoconf - fix wrong config update REVERT:cb4c99f45
ci/cd - fix docker tag command for linux tests REVERT:64d2ed91e
ci/cd - fix secret key REVERT:0e2420cff
ci/cd - add timeout for cleanup jobs REVERT:fa165522e
ci/cd - use same md for openssl commands REVERT:b03680388
ci/cd - remove double untar for k8s tests REVERT:bae27806b
ci/cd - fix tf state upload/download again REVERT:11794da8c
ci/cd - fix tf artefact command REVERT:c52e54b81
ci/cd - fix tf files again REVERT:e5c37a00a
ci/cd - fix k8s tf REVERT:9a3c26bf6
Merge branch 'dev' into staging REVERT:56422bca4
Update python deps regex for UI REVERT:ee47407df
Merge pull request #606 from bunkerity/dev REVERT:936b1e88f
Remove old CVE fixes for nginx image REVERT:f9f5b6570
Remove old CVE fixes for python images REVERT:8e8e042c2
Testing CVE on bw REVERT:1676ebeb7
Test CVE on autoconf REVERT:637573e59
Update docker images and python deps REVERT:c3a4847de
Update startup and temp env in bash files REVERT:3db7904d4
ci/cd - fix wrong image tag for Linux test images REVERT:037e1ba56
docs - add ghcr.io REVERT:d6aa6a9b0
ci/cd - staging improvements REVERT:9aba00673
Fix oddities with the scheduler and the Database REVERT:f7d9af9d6
Fix potential infinite loop when waiting for a configuration from the autoconf REVERT:95c796c1e
ci/cd - delete temp compose downgrade REVERT:423e3b4a3
ci/cd - log to ghcr before getting tests containers REVERT:511597b7e
ci/cd - fix tests image names REVERT:bb77dcedf
ci/cd - edit username for ghcr auth REVERT:3d0f17808
ci/cd - add dummy username for ghcr auth REVERT:5a9836fec
ci/cd - fix nested permissions REVERT:e1edfe4a7
ci/cd - fix missing permissions in wf REVERT:e81ab4ff9
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:87b405340
ci/cd - use gh cache for docker cache and pushes to ghcr.io REVERT:45a81203e
Update python deps REVERT:9feb66710
autoconf - force updating first configuration REVERT:3d13cf345
autoconf - only update data when needed and atomic changed metadata update REVERT:00cb6c1a8
tests - fix regex for geckodriver version REVERT:898ee7ec8
tests - tweak dpkg before installing BW REVERT:643b30f99
tests - ignore wrong testing version in deb packages REVERT:69e944d56
Revert "Fix LinuxTest package installation commands" REVERT:2b7f627d8
Merge pull request #602 from bunkerity/dev REVERT:82fb7b277
Fix LinuxTest package installation commands REVERT:1042e546b
Merge pull request #601 from bunkerity/dev REVERT:6d1d464e1
Remove tries limit in wget commands (defaulting to 20 tries) REVERT:b5de52ead
Add more retries when testing the newly created service in ui tests REVERT:267522749
Merge pull request #599 from bunkerity/dev REVERT:4f82856b4
Update staging-create-infra to use a static version for monolithprojects.github_actions_runner == 1.18.1 REVERT:d670b409b
Merge pull request #486 from bunkerity/dependabot/github_actions/dev/docker/build-push-action-4 REVERT:0b93916a3
Merge branch 'dev' into dependabot/github_actions/dev/docker/build-push-action-4 REVERT:76408cf04
Merge pull request #598 from bunkerity/dev REVERT:f7cd7d9da
Add dependency on tests-ui to not fail to push the testing image REVERT:8632dd324
Fix exit code for ui tests REVERT:fbf0232d5
Update python deps REVERT:5b6f00dfc
Revert "Remove unused imports in ui tests" REVERT:681def5f0
Remove unused imports in ui tests REVERT:a844b235b
Remove geckodriver.log REVERT:73e31ca62
Add wget to fix error with tests REVERT:d82136f04
Fix UI tests not exiting if container fails to start REVERT:55fd17790
Fix wget command when downloading the geckodriver sometimes fails REVERT:d8c95869e
Fix database with multisite variables REVERT:f24802b21
ci/cd - perform staging tests again REVERT:758fc13c3
ci/cd - replace version string for testing release REVERT:cd825cd34
ci/cd - fix wrong VERSION path for testing release REVERT:c03b1bb20
ci/cd - update VERSION file for testing release REVERT:a5e50d0f7
ci/cd - fix linux package name for staging REVERT:1a57e0a20
ci/cd - remove linux arm64 packages pushes REVERT:de568f335
ci/cd - temp disable staging tests REVERT:244b91247
ci/cd - fix syntax error in push-github wf REVERT:08ce31bb0
ci/cd - prepare for testing releases REVERT:7f47ac18c
Fix plugins errors when reloading with a select and upgrade check REVERT:b6b87fcb0
Update python deps REVERT:8bada2a02
Update update-version script and bw version in after-remove scripts REVERT:b8778de08
use nightly tag for docker-socket-proxy REVERT:b42b732d7
Merge branch 'staging' into dev REVERT:fc1c81ce2
linux - add python3 dev dependency when building packages REVERT:76d36f3b9
v1.5.1 release REVERT:63355bb88
tests - increase radarr delay (again) REVERT:0ecf47876
Merge pull request #592 from bunkerity/staging REVERT:59dfb728f
Fix DNS_RESOLVERS regex to be more open REVERT:47c560dd3
Merge pull request #591 from bunkerity/dev REVERT:ff1e6cc28
k8s - use same namespace as ingress for services REVERT:81c2c3187
Fix config synchronization in scheduler + Remove MULTISITE variables being fetched when MULTISITE is set to no REVERT:7f3f3ac7e
Add delay to radarr automatic tests REVERT:58d69ec20
Merge pull request #590 from bunkerity/dev REVERT:012bc3b43
Merge pull request #589 from bunkerity/staging REVERT:600ea7e16
Update python deps REVERT:18ee15971
lint python files REVERT:eee26b5d7
tests - add delay for reverse-proxy-singlesite REVERT:c00157ef3
fix wrong instances when using docker mode and add delay to docker-configs tests REVERT:6047a4335
set default value for ports in bw entrypoint, fix core db tests and fix missing PYTHONPATH for certbot job REVERT:ee2aeda13
tests - add static delay for linux tests and fix core db tests REVERT:bb6fd3073
linux - force kill nginx if graceful one doesn't work REVERT:6e6c08a71
ui - various edits REVERT:5df2a74ca
improved LE certificates checks and fix missing full SERVER_NAME when MULTISITE=no REVERT:843c02370
tests - fix wrong command in linux tests REVERT:8f7833413
linux - fix letsencrypt not working and fix permissions on /etc/bunkerweb/configs for tests REVERT:0ccd75781
linux - add missing pip to rhel REVERT:adbed77f7
linux - install pip the official way REVERT:ef7a6ac42
linux - fix fedora dockerfile REVERT:31ca183b1
Merge branch 'dev' into staging REVERT:a763879c1
doc - update settings REVERT:03ba91e96
autoconf - fix deadlock with k8s REVERT:38ab5ea21
redirect - custom status code REVERT:ee5397df5
bw - add HTTP and HTTPS port to temp config REVERT:9efd7a5a5
sessions - fix infinite loop when session checks fail REVERT:784ce643f
db - disable connection pooling for one shot tasks REVERT:f3081e3c3
scheduler - fix parent setter call REVERT:26a1ef689
Update mmdb files REVERT:e2fe947cb
ci/cd - fix tests UI not showing logs REVERT:bf9cd367d
fix missing Strict-Transport-Policy header, fix X-Forwarded-Prefix with regex URLs and print logs when UI tests failed REVERT:26f2852e5
scheduler - fix typo in fstring REVERT:e93b2f65f
cache dev container images, fix CVE-2023-35945 and force scheduler to reload when instances change REVERT:f3ba16be9
add instances changes check to scheduler and auto push dev container images REVERT:d9394567e
add missing ctx arg in core plugins, always add X-Forwarded-Prefix header and add doc about timezone in containers REVERT:d59b305f1
fix concepts image in doc, revert clientcache update and refactor headers REVERT:ad45bbb4d
Update python deps and fix error with PyYAML compilation REVERT:db03aa9c7
Merge pull request #565 from bunkerity/dev REVERT:bb14be820
Update python deps updater REVERT:bedcf0c17
Fix bug with newer version of PyYAML by downgrading REVERT:68e9b057d
Merge pull request #564 from bunkerity/dev REVERT:810340a49
[#559] Fix typos for custom-cert's settings in docs and examples REVERT:a4db7c294
Fix CVE CVE-2023-2975 REVERT:758901dfc
Fix CVE CVE-2023-2975 REVERT:9216becb5
Update python deps REVERT:db413cc03
Merge pull request #555 from bunkerity/dev REVERT:a4f4dfe4e
remove unused imports in save_config.py REVERT:0d554a5f5
Update SERVER_NAME regex to be more open REVERT:c11b44285
Merge pull request #554 from bunkerity/dev REVERT:25af02e4a
Fix prevent the `DATABASE_URI` setting from being saved inside the database REVERT:9eec9e26c
[#552] Fix scheduler not changing databases on linux REVERT:845364b2b
Update log paths for linux based integrations REVERT:3dac0aef0
tests - temp fix for compose network errors REVERT:08f9e5f20
Fix bad behavior core tests by adding a custom subnet to the bw-docker network REVERT:fccb25bee
Add automatic bw-docker network removal between each try REVERT:d6407b818
Fix db core tests by making the network bw-docker entirely external REVERT:1cf281ef8
Update core tests to be even more verbose REVERT:3a714b9a3
Update core tests to be more verbose REVERT:864619542
Fix core db tests (again) REVERT:be46f7a8d
Optimize db core tests REVERT:559039dfd
Lint .conf files that contain lua code + remove useless comments REVERT:aa0769dde
Merge pull request #549 from bunkerity/dev REVERT:ae6ccfcff
Apply patch to luajit-geoip REVERT:ed234fd63
Apply post_install script to lua-resty-openssl REVERT:09ae6da55
Apply patch to lua-resty-ipmatcher REVERT:b516ca2ea
Apply patch to lua-ffi-zlib REVERT:1e7f92af8
Apply patches to Modsecurity-nginx REVERT:008dc09a6
Stop checking return code of post_install scripts in init_deps.sh REVERT:fcd230192
Fix init_deps.sh REVERT:f3809bc69
Add -R to pull commands in init_deps.sh REVERT:96586d4a6
Apply post_install script to Modsecurity REVERT:a75b90f52
Squashed 'src/deps/src/modsecurity/' changes from bbccedbdd..205dac0e8 REVERT:948182ffd
Merge commit 'a75b90f525b90bd74c090702034e02fdd6250e0e' into dev REVERT:544b4040e
Add post_install scripts to init_deps.sh and update install.sh REVERT:6e146e2a5
Squashed 'src/deps/src/modsecurity/' changes from 205dac0e8..bbccedbdd REVERT:847ff5a3d
Merge commit '6e146e2a54cb29eb0ac1bc9d65766fe90d30fa4f' into dev REVERT:bbccedbdd
Change tags into hashes in deps.json REVERT:14d69fa59
Update mmdb files REVERT:d5e358b72
Merge pull request #548 from bunkerity/dev REVERT:e0055328a
Fix add missing deps for core db tests REVERT:c93d5a2fc
Fix CVE CVE-2023-3316 REVERT:5631e2737
Merge pull request #547 from bunkerity/subtrees REVERT:3505c0d18
Remove clone.sh file REVERT:7b566b885
Squashed 'src/deps/src/zlib/' content from commit 04f42ceca REVERT:ffd310031
Merge commit '7b566b885e99301b243c5f61360e65238035e048' as 'src/deps/src/zlib' REVERT:45dca7b44
Merge commit '2ab324a69f219b4051b2e77d211ee1a7fb1462b5' as 'src/deps/src/stream-lua-nginx-module' REVERT:2ab324a69
Squashed 'src/deps/src/stream-lua-nginx-module/' content from commit 309198abf REVERT:f85f86e46
Merge commit 'c1073460677ba8aa2e325a1c57c3db1458f9fde5' as 'src/deps/src/luasocket' REVERT:c10734606
Squashed 'src/deps/src/luasocket/' content from commit 95b7efa9d REVERT:a7d4cc5bb
Squashed 'src/deps/src/luasec/' content from commit fddde111f REVERT:bd600e0d0
Merge commit 'a7d4cc5bbaabf8683b3b5cc1f42f9bd145cf1aa8' as 'src/deps/src/luasec' REVERT:d15662693
Merge commit '2d86912af87048b94c2921a60b3a8a5a0953e132' as 'src/deps/src/lualogging' REVERT:2d86912af
Squashed 'src/deps/src/lualogging/' content from commit 465c99478 REVERT:1fb404757
Merge commit 'f3ceeb73a958e774b1e2fa55d2607cdd3eb419ca' as 'src/deps/src/luajit-geoip' REVERT:f3ceeb73a
Squashed 'src/deps/src/luajit-geoip/' content from commit fde33e045 REVERT:f81788c00
Merge commit '2678b91586e9183b47327fbb0f11ad23020f195f' as 'src/deps/src/lua-resty-upload' REVERT:2678b9158
Squashed 'src/deps/src/lua-resty-upload/' content from commit 03704aee4 REVERT:2d06f2d7a
Merge commit 'bc06cd71b8896c6e7a1aac4610c9c3f878956238' as 'src/deps/src/lua-resty-template' REVERT:bc06cd71b
Squashed 'src/deps/src/lua-resty-template/' content from commit c08c6bc9e REVERT:a6379356e
Merge commit '3038a0b027f09090e1cd8f101d2ee8c52c383070' as 'src/deps/src/lua-resty-string' REVERT:3038a0b02
Squashed 'src/deps/src/lua-resty-string/' content from commit b192878f6 REVERT:fdf0050a9
Merge commit 'ee5198ba2810e33e08ff987ede5abe10fc74f6e3' as 'src/deps/src/lua-resty-signal' REVERT:ee5198ba2
Squashed 'src/deps/src/lua-resty-signal/' content from commit d07163e8c REVERT:a3cd342f3
Squashed 'src/deps/src/lua-resty-session/' content from commit 8b5f8752f REVERT:6f8ff3f12
Merge commit 'a3cd342f3e1fffd7b16b83a24e03bb9ed501b319' as 'src/deps/src/lua-resty-session' REVERT:2f1cde097
Merge commit 'eca8662cfe981f66ab92b53bbf83af65da02b2b7' as 'src/deps/src/lua-resty-redis' REVERT:eca8662cf
Squashed 'src/deps/src/lua-resty-redis/' content from commit d7c25f1b3 REVERT:0b94df087
Merge commit 'e59161ec204c7a95e4751b1c0e9a6bead7fcab39' as 'src/deps/src/lua-resty-random' REVERT:e59161ec2
Squashed 'src/deps/src/lua-resty-random/' content from commit 17b604f7f REVERT:a28005988
Squashed 'src/deps/src/lua-resty-openssl/' content from commit b23c072a4 REVERT:38fdd39d0
Merge commit 'a2800598825bb5a03b577cca2874ff1cfae863f4' as 'src/deps/src/lua-resty-openssl' REVERT:c2fa53ca1
Merge commit '31bf774f63b8b46a3c7b53028853036fff6fa0b8' as 'src/deps/src/lua-resty-mlcache' REVERT:31bf774f6
Squashed 'src/deps/src/lua-resty-mlcache/' content from commit f140f5666 REVERT:7b2273aeb
Merge commit 'c82b0bdd27762d2d4a9901a187506d2e5abd74f5' as 'src/deps/src/lua-resty-lrucache' REVERT:c82b0bdd2
Squashed 'src/deps/src/lua-resty-lrucache/' content from commit a79615ec9 REVERT:3dc8cc87c
Merge commit '746a6e16d027ab3bddfc610c987e5d61ab9b69d0' as 'src/deps/src/lua-resty-lock' REVERT:746a6e16d
Squashed 'src/deps/src/lua-resty-lock/' content from commit 9dc550e56 REVERT:62e740a0b
Merge commit '19515d9b26f2f4886ca117b91384509087f0ff3a' as 'src/deps/src/lua-resty-ipmatcher' REVERT:19515d9b2
Squashed 'src/deps/src/lua-resty-ipmatcher/' content from commit 7fbb618f7 REVERT:e566b98af
Merge commit '7160fd94e3dc22299ee3c9f8b0e71a5e2c1bb501' as 'src/deps/src/lua-resty-http' REVERT:7160fd94e
Squashed 'src/deps/src/lua-resty-http/' content from commit 4ab4269cf REVERT:cdd42bf25
Merge commit '1a7d4e58be28238599df3f5c15c56380c3e99732' as 'src/deps/src/lua-resty-env' REVERT:1a7d4e58b
Squashed 'src/deps/src/lua-resty-env/' content from commit adb294def REVERT:49db9c24d
Merge commit '0f4a0cb0ef514bee6b810f6d6cf982c5ef0abfca' as 'src/deps/src/lua-resty-dns' REVERT:0f4a0cb0e
Squashed 'src/deps/src/lua-resty-dns/' content from commit 869d2fbb0 REVERT:fe76b6830
Merge commit 'fd02afef8ec1ceb8a816dc202d05c6ece9887d31' as 'src/deps/src/lua-resty-core' REVERT:fd02afef8
Squashed 'src/deps/src/lua-resty-core/' content from commit 31fae862a REVERT:29d135bdb
Merge commit '36023392a6e3c8fb6aebb46140db759e61da220e' as 'src/deps/src/lua-nginx-module' REVERT:36023392a
Squashed 'src/deps/src/lua-nginx-module/' content from commit c47084b5d REVERT:b01aa0b15
Merge commit '32485e2860c2ea31fcef5b575f446c7a3036a550' as 'src/deps/src/lua-gd' REVERT:32485e286
Squashed 'src/deps/src/lua-gd/' content from commit 2ce8e478a REVERT:c46cd666a
Squashed 'src/deps/src/lua-ffi-zlib/' content from commit 1fb69ca50 REVERT:909841ea6
Merge commit 'c46cd666ab76bad7bd05c6261d692cda5b380f32' as 'src/deps/src/lua-ffi-zlib' REVERT:47ee3884f
Merge commit '4f9b885a2e8b7a10653653fee3bb91cf5102b0ef' as 'src/deps/src/lua-cjson' REVERT:4f9b885a2
Squashed 'src/deps/src/lua-cjson/' content from commit 881accc8f REVERT:bb450ac96
Squashed 'src/deps/src/libmaxminddb/' content from commit ac4d0d248 REVERT:e13868c63
Merge commit 'bb450ac96595432625ac34de8f7f42b3d06a5b30' as 'src/deps/src/libmaxminddb' REVERT:772e05d37
Merge commit '4a7228d2dcb7fe62526016b90a7c497fb6531e76' as 'src/deps/src/libinjection' REVERT:4a7228d2d
Squashed 'src/deps/src/libinjection/' content from commit 49904c42a REVERT:209d4a461
Merge commit 'ae8d8b233d52cbfdee68bd3ba21713149f5659c8' as 'src/deps/src/lbase64' REVERT:ae8d8b233
Squashed 'src/deps/src/lbase64/' content from commit c261320ed REVERT:992710650
Merge commit '1d1739b4eaa274c25c52b8ceb79ebdc717633ec0' as 'src/deps/src/headers-more-nginx-module' REVERT:1d1739b4e
Squashed 'src/deps/src/headers-more-nginx-module/' content from commit bea1be3bb REVERT:e43880b08
Squashed 'src/deps/src/ngx_devel_kit/' content from commit b4642d6ca REVERT:a09d5eb2c
Merge commit 'e43880b08395df25663560da3d8154226a167a77' as 'src/deps/src/ngx_devel_kit' REVERT:8973eb029
Merge commit '26773844e7bd57df1216bd74360a62ec2dc976e3' as 'src/deps/src/nginx_cookie_flag_module' REVERT:26773844e
Squashed 'src/deps/src/nginx_cookie_flag_module/' content from commit 4e48acf13 REVERT:79d1b4459
Merge commit '22e69251d9b5cd2611abf77ef7352abfa4d409d7' as 'src/deps/src/ngx_brotli' REVERT:22e69251d
Squashed 'src/deps/src/ngx_brotli/' content from commit 6e975bcb0 REVERT:4cd57ab8f
Merge commit 'b99663928782619ef854b4bf10a2bf7450d75266' as 'src/deps/src/nginx' REVERT:b99663928
Squashed 'src/deps/src/nginx/' content from commit 84cd72177 REVERT:d7f25398a
Merge commit 'a676d333fda890838d8fc4766720cc3f1d4c5389' as 'src/deps/src/modsecurity-nginx' REVERT:a676d333f
Squashed 'src/deps/src/modsecurity-nginx/' content from commit d59e4ad12 REVERT:7e8f4adc3
Squashed 'src/deps/src/modsecurity/' content from commit 205dac0e8 REVERT:999fb6b8e
Merge commit '7e8f4adc3b2b2a655640c73198fb920a5e8441d5' as 'src/deps/src/modsecurity' REVERT:6c0468f62
Squashed 'src/deps/src/luajit/' content from commit 04f33ff0 REVERT:6d05b14eb
Merge commit '6c0468f62b1120497a6fd0d21101dc41f29e7397' as 'src/deps/src/luajit' REVERT:1141afd20
Fix install.sh for nginx dynamic modules REVERT:97406bff4
Add libinjection deps back REVERT:a58ad9b50
Remove duplicate lua-ffi-zlib in deps REVERT:831ae129c
Make init_deps.sh executable REVERT:451648fa7
Remove old deps temporarily except lua REVERT:185d75076
Update how the deps are initialized REVERT:6a048e68f
Update how the deps are managed REVERT:129e8f7e0
Merge pull request #546 from bunkerity/dev REVERT:265123835
Update python deps REVERT:b0bc9a1bf
Update the documentation REVERT:2f7ed064f
docs - Fix typo in webhook link in plugins.md REVERT:7d6116163
Merge pull request #544 from bunkerity/dev REVERT:deed39a1f
Update lua-resty-openssl to version 0.8.23 REVERT:dd295729b
Add deps project submodules REVERT:b27f38349
Update lua-resty-session to version 4.0.4 and remove lua-pack deps as it's no longer needed REVERT:aeca252d9
Bump lua-resty-core version to 0.1.27 and lua-nginx-module version to 0.10.25 REVERT:1ec21261c
Revert "Init work with submodules" REVERT:718a9305d
Revert "Fix .gitmodules file" REVERT:a253f4a59
Revert "Remove old folders that are now submodules" REVERT:2e1e9a08c
Revert "Initialize submodules" REVERT:e2f1aba3c
Revert "Add other projects to submodules" REVERT:d9a98c6fa
Revert "Update commit SHA for submodule libinjection" REVERT:5ed3ba1d5
Revert "Fix path resolution for modules and remove nginx submodule" REVERT:b529d8525
Revert "Update checkout part of workflow to include submodules" REVERT:43783edb9
Revert "Add nginx as a submodule" REVERT:8417ed132
Add nginx as a submodule REVERT:ded0ec66d
Merge pull request #542 from bunkerity/dev REVERT:6cbbd0d56
Update timeout for wordpress tests to 120 seconds REVERT:d687b228e
Fix PERMISSIONS_POLICY authorizing self and links to be aside without spaces REVERT:bcc9fdef9
[#533] Fix SERVER_NAME regex to limit domains' size individually instead of the whole setting's value REVERT:524a140d2
[#534] [#504] Update ALLOWED_METHODS regex to accept more methods REVERT:a197e20d2
[#531] Fix typo in documentation about SSL REVERT:252a5831b
Merge pull request #541 from bunkerity/dev REVERT:07ed136af
Update setup-kubernetes of wordpress example REVERT:2eb73d15a
Merge pull request #537 from bunkerity/dev REVERT:30fec8a14
Remove python submodule, will add it back in the next major REVERT:4b4e0f8b3
Update checkout part of workflow to include submodules REVERT:c2cfd4dd9
Remove checkout from dev.yml REVERT:642da402b
Fix dev workflow REVERT:4bb6d40a5
Update dev workflow to checkout the code and submodules first REVERT:3bcdd9ca2
Merge pull request #536 from bunkerity/submodules REVERT:28d59221b
Fix path resolution for modules and remove nginx submodule REVERT:c8e25bcde
Update commit SHA for submodule libinjection REVERT:e1a5782a3
Update how the dependencies are being cleaned up REVERT:68bea47ed
Add other projects to submodules REVERT:2cd5c7f45
Initialize submodules REVERT:d7d3e2429
Remove old folders that are now submodules REVERT:a74727891
Fix .gitmodules file REVERT:b5fffc1f3
Init work with submodules REVERT:8c4c99e65
Merge pull request #530 from bunkerity/dev REVERT:ddc337394
Update log location for nginx and letsencrypt REVERT:1c362d078
Remove the deletion of let's encrypt lib and log folders after the job is finished REVERT:95c9bad8e
Remove unused enums in database model REVERT:7a972274f
Add database schema to concepts.md in the docs REVERT:561499536
Revert "Update README.md links to use local branch files" REVERT:4536e328e
Update README.md links to use local branch files REVERT:89070cfb7
Merge pull request #529 from bunkerity/ui REVERT:d6942a46e
Update where the scheduler copies its config REVERT:8a98da898
Merge pull request #528 from bunkerity/ui REVERT:26f831cb4
Merge branch 'dev' into ui REVERT:81f3914fc
Merge pull request #527 from bunkerity/dev REVERT:162198bb9
Update db core tests to ignore the added value for env custom configs REVERT:7a524b43e
Revert back to 30 seconds of sleep in tests ui after creating a custom config REVERT:b007916d6
Optimize the scheduler and gen even more (we love threads) REVERT:0661916ff
Update ui tests to wait more after creating a custom config REVERT:2105dc0f3
Update core db tests to use the right hash for plugins_page files REVERT:823119821
Fix rare error when hashing dictionaries in the scheduler REVERT:1e62626ac
Fix KeyError in scheduler REVERT:57eaedd8e
Merge pull request #526 from bunkerity/dev REVERT:4d984f623
Update CHANGELOG REVERT:d0fd6884c
Fix shenanigans with the custom configs and plugins jobs REVERT:8e6de2bdf
Augment authelia timeout REVERT:3565dd7b3
Update CHANGELOG.md REVERT:145df1df4
Merge pull request #525 from bunkerity/dev REVERT:df1359e87
Add possibility to download lists and plugins from a file path + Update python deps + Plugins now support tar and tar.gz as well REVERT:b756b2d7d
Lint py files REVERT:f57b6dad1
fix cursor gap on ace editor REVERT:91c33f1d4
Merge branch 'dev' into ui REVERT:ed2a54d16
Merge pull request #524 from bunkerity/dev REVERT:3e871efed
Update python deps REVERT:d27edab35
Merge pull request #523 from bunkerity/dev REVERT:9982ec36d
Remove useless import REVERT:80033642c
Add reverse proxy headers back REVERT:0836d4ee9
Merge pull request #522 from bunkerity/dev REVERT:2a2b7b6f5
Merge pull request #521 from bunkerity/staging REVERT:78236abe8
Check Aqua Security REVERT:c5ff63a40
Fix CVE CVE-2023-3138 REVERT:78ef5c482
Fix problems when creating custom configs or plugins and removing them completely REVERT:2c190ee96
add writeable /var/run/bunkerweb directory to hardened example REVERT:94867d0d6
letsencrypt - use same job name when retrieving data from db REVERT:9e00b9dd1
letsencrypt - use same job_name for both new and renew jobs REVERT:9adb209a8
lua - fix missing multisite variables in LRU REVERT:fdd3367a6
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:dcf156135
prepare for 1.5.1 🚀 REVERT:4023e6dc6
road to v1.5.1 REVERT:af9e125c8
linux - merge change for debian packager REVERT:ab6025ec9
linux - fix missing zope modules REVERT:7e221eb89
debian working REVERT:f1435f231
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:b14dba775
bw - fix multiple variables not loaded in LUA REVERT:81bb9ede1
Removing python 3.11 from linux REVERT:7e66c577f
Removing python 3.11 in linux REVERT:236572f58
ui - remove python 3.11 import for Linux integrations REVERT:73060e42a
Fix limit core tests REVERT:df0c03cef
Fix UI wrong import REVERT:5d7ef69c9
Update limit core tests to avoid false negative REVERT:855ae8936
Update limit core tests to avoid false positive REVERT:16a1916db
Remove useless imports in lua code + lint REVERT:605e237fd
Remove 404 from Bad behavior status codes REVERT:fc8d76f33
Rollback on hcaptcha passive feature REVERT:c08e8d151
Update settings.md REVERT:44097cad0
Move the COEP, COOP and CORP headers to Cors plugin and change default values REVERT:3446e5f9b
Upgrade antibot to add a custom CSP on each pages + update plugins order REVERT:70f227feb
Fix error with multisite variables when requesting default server REVERT:f81b0bb4d
Fix multisite variables not being added in helpers REVERT:978697500
Fix has_variable method of utils REVERT:5b0b183a4
Remove no longer needed decode for plugin order from datastore REVERT:a2759e377
Add small tweaks on the datastore REVERT:b6d879257
Fix how we fetch plugins_order in the default server REVERT:94964a910
Update how we handle custom configs REVERT:6a1ff499c
Fix Let's Encrypt plugin api and internal API REVERT:179a7aa34
Fix lua sessions with antibot REVERT:a1385fe9b
fix ctx usage in reverse proxy + remove useless log in limit REVERT:23f9f14a4
Remove old CVEs fixes from Dockerfile REVERT:f77150bc2
Test Aqua Security CVEs REVERT:ec48e6601
Fix return value when no plugins have been found in api.lua REVERT:6ab48d9dd
Update python image to tag 3.11.4-alpine REVERT:ce24a0482
apply changes to current core REVERT:02d940393
perf - ctx caching and per worker LRU for readonly variables REVERT:a7069bd60
Update UI to stop using env variables but werkzeug middleware + Send X-Forwarded-Prefix headers to UI service REVERT:c39dd78ae
Update cors plugin tests REVERT:3b459b0e2
Fix shenanigans with API (again) REVERT:718310312
Fix shenanigans with the API REVERT:5deeacc3d
Fix letsencrypt jobs REVERT:c18f743d4
Fix PosixPath in jobs REVERT:85a53278e
Add a charset to cors Content-Type header REVERT:e01c14f11
Add Cross-Origin-*-Policy headers management and default values REVERT:0b3c1a8a0
Update KEEP_UPSTREAM_HEADERS setting's default value REVERT:95f673c1d
Update doc about headers REVERT:cee7672b5
Update settings.md in the doc REVERT:d5ea95da9
Increase load-balancer example test timeout REVERT:39e6821a4
Lint lua code REVERT:64aa12b70
Update python deps REVERT:c392a0b5f
Update mmdb files REVERT:f93dd34f6
Extend KEEP_UPSTREAM_HEADERS setting to clientcache and reverseproxy core plugins REVERT:a23d189d3
Merge pull request #516 from bunkerity/dev REVERT:df47ba0e9
Merge pull request #515 from bunkerity/dev REVERT:0ca7de1de
Add CVEs fixes back REVERT:84fcfb726
Test Aqua Security 2 REVERT:c20bd05d3
Test Aqua Security REVERT:c85a4183d
Fix Strict-Transport-Security not being sent REVERT:654172f43
Update headers core plugin lua code REVERT:afe6da4cf
Automatically add Content-Security-Policy header to response headers in the UI REVERT:5c7cd38b5
Edit headers core plugins to use lua Code + Add new setting KEEP_UPSTREAM_HEADERS REVERT:299a0b5c2
Remove apk update at beginning of each Dockerfile REVERT:6cc20efe7
Update bad behavior test BAD_BEHAVIOR_COUNT_TIME to 30 seconds REVERT:e2a3bfb10
Bad behavior core tests change the ban time to 60 seconds REVERT:4bbddf797
Merge pull request #509 from bunkerity/dev REVERT:1eeefead9
Core tests sleep between each request REVERT:9829ef752
Update UI to automatically set SCRIPT_NAME and ABSOLUTE_URI REVERT:b27958a19
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:410a64810
core - patch modsec to use access phase instead of preaccess REVERT:f7d986d6a
Change the way linux starts and the scheduler REVERT:95d4f0f87
Small tweaks on core jobs REVERT:4f324231d
Fix tmp variables path (again) REVERT:dc18f9884
Edit start.sh REVERT:3b36965f4
Fix tmp_variables_path in scheduler REVERT:ccc051e78
Fix /var/run/bunkerweb in fpm args REVERT:8b2517cdf
Remove ui cache download test - too unstable REVERT:d1138855e
Fix gunicorn config for Docker and Linux REVERT:0c8bc97fa
Fix UI on Linux not using the right user REVERT:a68fb0c06
Refactor to make more sense and avoid specific errors REVERT:fff21746a
Correcting: Dockerfile-ubuntu End of statement block Jinja REVERT:3ab4a59b6
Update debian Dockerfiles to avoid updating apt packages only once REVERT:760ec3b3b
Add /var/run/bunkerweb removal script when uninstalling BunkerWeb REVERT:be459d240
Update pid files paths to /var/run/bunkerweb REVERT:8b697d87d
Fix Scheduler errors with the internal apis REVERT:89a3c8b0b
Update bunkerweb-ui file according to the new gunicorn usage REVERT:5e237d0d0
Update gunicorn to use a config file as well + Fix headers error + Small fixes REVERT:a424d59b1
Add apk update at the beginning of each Dockerfile REVERT:1d14db7e1
Update custom cert job to not duplicate certs if the cert is global REVERT:7efb82a7e
Update python deps REVERT:e920cba43
Fix CVE CVE-2023-2650 REVERT:413b75b04
Fix customcert plugin to accept multisite certs as well REVERT:87a9545d9
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:c53394845
various fixes REVERT:aca0d6da4
Small refactor on the ApiCaller and the Scheduler REVERT:1bd40a877
Removing vmware support in doc REVERT:612333d2a
Merge pull request #508 from bunkerity/dev REVERT:474ecbb41
Fix typo in phases list in plugin.lua REVERT:5fa21b3c8
Fix CVE CVE-2023-29491 REVERT:16a459bf7
Lint antibot html files REVERT:fd06a1e71
Add Turnstile antibot REVERT:d5e64320c
Fix small typo in misc.lua REVERT:4d6d95037
Merge pull request #507 from bunkerity/dev REVERT:b60657e21
Merge pull request #506 from gin-gitaxias/patch-3 REVERT:1f2c973a3
Fix docker-compose file for custom cert job REVERT:b314f4349
Update integrations to add LOG_LEVEL=warning env variable to docker proxy REVERT:0edfb2db3
Update example to add a LOG_LEVEL=warning to the docker proxy REVERT:83413aef2
Remove open ports from core tests docker compose files REVERT:334be4346
Fix custom-cert core plugin REVERT:953128be6
Update scheduler changes check to reduce CPU usage REVERT:bb7dcda48
Refactor paths resolutions for core plugins REVERT:108827952
whitelist - remove unused IPs of duckduckgo crawler REVERT:665b110c6
[#504] Fix ALLOWED_METHODS regex REVERT:5a2aa20bc
Update plugins.md REVERT:168dfc439
Refactor paths resolutions for UI + optimizations on the plugin upload REVERT:6e80c7b8d
Fix variable being ignored instead of saved inside the database when the value is empty REVERT:8dad7a0b7
Starting work on paths resolution refactor REVERT:b5a78c3aa
Test Aqua Security vulns (2) REVERT:ed6bee69c
Test Aqua Security vulns REVERT:3dba058b4
Fix custom configs not being cleared out once created REVERT:d9b093dab
Fix plugin example in documentation REVERT:162f1d978
Merge pull request #502 from bunkerity/ui REVERT:1f2fa95e7
Remove useless line in the head.html file + lint HTML files REVERT:1cd356781
Add multiple plugin upload in one compressed folder support for the UI REVERT:29673f918
fix font REVERT:180493616
Fix CVE CVE-2023-1999 REVERT:7fe7a997f
Merge pull request #501 from bunkerity/ui REVERT:5b75894d4
Fix UI latest version checking & Fix conditions in quick settings for services REVERT:1f6b3d59a
Merge pull request #500 from bunkerity/dev REVERT:548630e3e
Update python deps REVERT:aa299f085
Update plugin update and add to get only the necessary keys REVERT:f0126b6d6
Fix update-check job REVERT:8585007bc
deps/gha: bump scaleway/action-scw REVERT:a7535c300
docs - fix yt preview in readme REVERT:340b4a492
change arm server flavor REVERT:e7ea3952b
ui - add missing dep for docker/x86 REVERT:a586b5b6b
deps/gha: bump docker/build-push-action from 3 to 4 REVERT:3b7d8b6c1
Merge branch 'staging' into dev REVERT:6666a25fc
edit version, update images on docs and fix bug in Linux script REVERT:f84af3402
Add error ignoring when using the rmtree function REVERT:0b082bdab
Add handling of stderr being None in the scheduler REVERT:1f2b550f6
ci/cd - fix swarm examples and init work on release workflow REVERT:d5fcc6969
Merge branch 'dev' into staging REVERT:eda275589
Merge pull request #485 from bunkerity/dev REVERT:7506768c4
Merge branch 'ui' into dev REVERT:be3d40f18
Fix CLIENT_CACHE_CONTROL setting's regex to also work with JS REVERT:41059fb28
Merge pull request #484 from Hado-K3n/patch-16 REVERT:88f85b282
Merge branch 'dev' into patch-16 REVERT:e5e031b6b
Merge pull request #483 from Hado-K3n/patch-15 REVERT:2dbadbd29
Merge pull request #482 from Hado-K3n/patch-14 REVERT:95c7b5410
Merge pull request #481 from Hado-K3n/patch-13 REVERT:00739a5ab
Merge pull request #480 from Hado-K3n/patch-12 REVERT:a9f4be475
Merge pull request #479 from Hado-K3n/patch-11 REVERT:f85f73678
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:f1efe06e9
ci/cd - fix /opt/actions-runner perms for self-hosted runners REVERT:ad71be460
login now use local font REVERT:dcb800d2b
Update k8s.postgres.ui.yml REVERT:5a7f7f3c6
Update k8s.postgres.yml REVERT:e1f60127e
Update k8s.postgres.ui.yml REVERT:7553ffb63
fix client_cache_control regex REVERT:9324648f2
Update k8s.mysql.yml REVERT:eafe006a6
Update k8s.mysql.ui.yml REVERT:62a8ec975
Update k8s.mysql.ui.yml REVERT:dfcaba9ad
Merge pull request #478 from bunkerity/dev REVERT:737b999cd
Set CLIENT_CACHE_CONTROL setting's regex REVERT:9339af44c
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:78f7570e1
core - Fix bwcli condition when checking bans REVERT:40e30ed44
use shared redis connection pool in cachestore when we can REVERT:d6ca98ed1
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:10a4cefd0
update lua-resty-openssl deps and replace nginx -s calls with signals REVERT:97723185b
core - Add bwcli tests REVERT:ab3b3ea8f
ui-tests - update waiting time after creating a custom conf REVERT:5adec84d5
fix redis not contacted in subsequent phases and reflect changes on stream configs REVERT:1624c4e76
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:eea6d32cd
share common objects during the phase and add threading to DNSBL and reverse scan REVERT:99f8f69fa
Merge pull request #477 from bunkerity/ui REVERT:9b58b397c
Fix ui tests (again) REVERT:ace88d865
Fix plugins fetching for the UI REVERT:69b35636e
Fix UI tests (once again) REVERT:5dfe35b7b
Update how the plugins are being fetched by the UI REVERT:b75690fdf
Change the way python deps are installed REVERT:b19ebbe6a
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:c0c646aae
Merge pull request #476 from bunkerity/dev REVERT:edd6e2ded
improved session management and add IP/UA checks REVERT:c7ca5a822
Fix Database overriding services_settings if a global_value is set REVERT:e1883a04b
Merge pull request #475 from bunkerity/dev REVERT:af19cc226
core - Add redis tests REVERT:0087ae583
Update python deps REVERT:8133c134e
core - Fix db tests by removing "order" key check REVERT:f725d0fe6
Update keys name in datastore REVERT:05c478e83
Edit COOKIE_FLAGS regex REVERT:b5aaf6266
add forward reverse DNS to whitelist, disable redis in cachestore when sockets are not enabled, fix typo in cachestore and improve dns/rdns caching REVERT:8a8dd6fb7
db - remove order from plugin model REVERT:93c766e56
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:179beea4d
improved core plugin execution order REVERT:1d126e1d0
core - fix cors tests with the preflight request REVERT:dbb884099
core - Update allowed_methods test method to GET REVERT:62cb85453
core - Remove cert verification when testing allowed methods in misc tests REVERT:04919e8a0
Fix multiple CVEs REVERT:b32f31891
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:4962f786b
fix wrong env parsing in init phase, bypass modsec/crs when method is not allowed, refactor ALLOWED_METHODS and improve error page management REVERT:10bdf551a
core - Add misc tests REVERT:7158e7e9a
core - Optimize cors tests REVERT:3f51f59bc
Add check when plugins are configured + Add Semaphore to accelerate jobs execution + Code optimization REVERT:4c4fa44fb
ci/cd - fix core/cors tests REVERT:84d43c84d
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:b58798746
Update mmdb download to check the checksum at start REVERT:a9be973d5
use PCRE regex instead of LUA pattern and edit cors doc REVERT:4378f18cc
fix typo in bunkernet.lua, add missing Origin header in cors tests and fix allow origin expected value REVERT:7d84e03a1
fix header plugin phase not called for internal request (fixes CORS), fix bunkernet init_worker bug where ngx.ctx.bw is not available, add CORS_DENY_REQUEST setting and edit values for core/cors tests REVERT:838662141
Lint Lua code REVERT:36fdec105
core - fix sessions tests REVERT:ab54b18e0
core - fix reverse scan cache retrieval REVERT:9c6ca6a86
cors - various improvements REVERT:991f7ff8d
Fix tests core reverse scan wasn't using the image REVERT:9c77f77fa
Fix test core DB REVERT:9ee74aef4
Add up back when retrying to up the stack + remove useless print REVERT:7bf4c11bc
When docker up fails in core tests retry one time REVERT:82aadfa38
Update core db tests to add the settings.json file and optimizations REVERT:2a78d2c05
ci/cd - perform all core tests even if one failed REVERT:e3fc55be9
deps - add missing hash for python dep async-timeout REVERT:5f668aeca
ci/cd - fix syntax error in test core wf REVERT:e5e336c4f
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:9a2e37984
ci/cd core tests and antibot refactoring REVERT:2ac77ee49
Fix deps not being synced REVERT:394f5fe4b
Move back to images in the whitelist tests REVERT:b06210bdf
Remove unused files in tests core REVERT:e6bb9fb55
Add tests for core plugins REVERT:29f020f15
Update python deps REVERT:051923b6f
fix deprecated external network in compose files, various fixes in the documentation and add ipv6 to doc REVERT:2e1296d9a
show useful info in BW logs after startup/reload and reduce container images size REVERT:a686562f1
performance - cache empty rdns results REVERT:e36c743c7
performance - cache dns responses REVERT:75f3d6490
init IPv6 support, add missing healthcheck script in UI and purge local cache on init REVERT:a258612e4
add global data on settings filter REVERT:bc3ea0ed3
change select method check REVERT:ab71c484e
add global condition for disabled state REVERT:5c415afa1
various fixes - ttl on /bans api, dnsbl undercover bug, greylist, whitelist and wrong path in realip job REVERT:5c50f57f1
Revert "regular inp and multiple global=true are enabled" REVERT:9ceaaa874
regular inp and multiple global=true are enabled REVERT:3dde3ac0a
Fix no longer save SERVER_NAME when MULTISITE is set to "no" REVERT:c01b493c9
Increase compression level of tar files being saved in the database REVERT:4f4a8b508
Fix default global values being added to database when MULTISITE is set to "no" REVERT:408806718
Add external plugins being updated at the start of the scheduler REVERT:402ff16c8
Add "global" key to settings when fetching methods as well REVERT:dcdb43cf0
Merge pull request #473 from bunkerity/dev REVERT:ca8c56aaa
Remove unused function in UI src.Config REVERT:905946463
Fix scheduler restarting for no reason when having an external database REVERT:8a308b1a8
Fix database not providing the right SERVER_NAME setting value REVERT:cf26d7aa2
Fix database saving default values to global_values when multisite was set to "no" REVERT:8bb6f63fa
Merge pull request #472 from bunkerity/dev REVERT:64789276a
Update python deps REVERT:30194f959
Fix Access-Control-Allow-Credentials not being set to the right value when deactivated REVERT:50ee37db0
cors - refactoring REVERT:b8d89fe79
Fix customcert plugin REVERT:63f4e44c6
Fix CORS when sending an OPTIONS request REVERT:ac2e4dd64
Merge branch 'staging' into dev REVERT:e14475de4
ci/cd - fix missing version in linux package name REVERT:136f68cd3
ci/cd - fix typo in beta wf REVERT:d83730cf7
ci/cd - fix linux package name in upload/download steps REVERT:ae042854f
Fix blacklist download jobs where ignore urls were not being downloaded REVERT:86053d3dc
Update RDNS regex in jobs files REVERT:b2e26fc8f
Revert "Revert "Update RDNS regex"" REVERT:48354fb26
Revert "Update RDNS regex" REVERT:a544f18e2
Update update-check job to add stars so that the end of line shows REVERT:c6f304b37
Update RDNS regex REVERT:14ca85cdb
ci/cd - fix package.sh name in linux build wf REVERT:dc1cb6a6f
ci/cd - fix scp command in linux build wf REVERT:73acbe085
ci/cd - fix typo in linux build wf REVERT:45c90527c
ci/cd - fix linux package generation when arch is ARM REVERT:f4590749d
linux - fix arch in rhel package image REVERT:141f5a1d5
ci/cd - fix typo in beta wf (again) REVERT:6e82fde8a
ci/cd - fix typo in beta wf REVERT:00ba46ebf
prepare for 1.5.0-beta update REVERT:9a1c09c56
Merge branch 'staging' into beta REVERT:df787c75d
linux - add pcre dep to fedora package REVERT:93e567bb6
linux - fix fedora deps name and add architecture to fpm config REVERT:8b6d788c2
ci/cd - fix bitnami chart values REVERT:541b64698
increase drupal delay time for tests, fix tmp dir not created for realip-download job and fix has_*_variable check when multisite is yes REVERT:59324526c
speedup build process for python deps and fix default env value for autoconf/k8s REVERT:a58e5c60c
deps - upgrade python dependencies REVERT:27b1dddb0
linux - pin pip version REVERT:fd056102d
fix centos repo command in rhel dockerfiles and fix delete infras order for staging wf REVERT:fb0373343
ci/cd - use single quote in linux build wf REVERT:43cbc79c7
ci/cd - move ARM_* to secrets in linux build wf REVERT:7592e5a84
ci/cd - fix typo in staging.yml REVERT:39ace8175
fix load-balancer example and add server_name to cache keys when required REVERT:48d7e72e5
Merge branch 'dev' into ui REVERT:66921b007
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:819ad60a4
fix hcaptcha antibot and refactor ci/cd for staging REVERT:20913808c
Add .mypy_cache to .gitignore file REVERT:a086ff690
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:a286e7bd3
fix wrong container in autoconf/k8s, init work on linux arm and ci/cd refactoring REVERT:5a233ff90
Fix Database model types REVERT:18b3d7148
Update db model to use SmallIntegers REVERT:b36cd924f
Add `bw_` prefix to database table names REVERT:63ce1afcd
Handle errors more gently when API requests fail REVERT:d4934cfee
Remove test-ui service in the main docker compose file as it's been extracted REVERT:500d58e50
Separate the compose file back REVERT:21dc67b68
Update test.sh for ui-tests and the compose file REVERT:75d2be7db
Update tests-ui to fix them REVERT:041b7f71e
Update ui-tests to make a valid password REVERT:1245b8b01
Update regex in ui + Add regex module to requirements REVERT:913e9a2c2
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:97dc6540e
ci/cd - fix typo in dev wf REVERT:b75ba601b
Merge branch 'staging' into dev REVERT:573fe8fee
Change UI admin password check to a regex REVERT:51514df57
Remove not needed file in linux scripts REVERT:9ff64426b
Fix ui tests with the external plugins REVERT:74fe9d5c1
Lint jobs py files REVERT:97b362bb1
Fix let's encrypt error when deactivated REVERT:964d31893
Fix wrong attribute value when checking for external plugins REVERT:914686e78
Fix often occurring bug when testing the web UI REVERT:58db1352f
Revert "Fix often occurring bug when testing UI" REVERT:987af951d
Fix often occurring bug when testing UI REVERT:1c74c5d8d
ci/cd - refactoring REVERT:1cc9f5773
prepare for v1.5.0-beta fixes REVERT:ac94e5072
fix double .conf suffix in custom conf, migrate /etc/letsencrypt to /var/cache/letsencrypt, fix bunkernet jobs and lua code and fix reload for jobs REVERT:773874154
move /etc/letsencrypt to /var/cache/bunkerweb/letsencrypt (wip) REVERT:75ca603b7
WIP - fix bunkernet and missing reload for scheduled jobs REVERT:027605452
Fix bunkernet initial message when checking connection + add TODO REVERT:bddfb58a0
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:c7ab00208
Merge pull request #462 from bunkerity/testmmdb REVERT:ef551846b
ci/cd Update mmdb - Let only the schedule and change branch to push on REVERT:f41c096ec
Merge branch 'testmmdb' of https://github.com/bunkerity/bunkerweb into testmmdb REVERT:a7b7c2031
ci/cd Update mmdb - Add check for curl commands REVERT:fb5529566
Monthly mmdb update REVERT:0afb250b9
ci/cd mmdb update - Changed branch to push on REVERT:019a927b0
ci/cd remove secret required for auto mmdb update REVERT:283a63f16
ci/cd try fixing workflow auto download mmdb REVERT:42707ad46
ci/cd test mmdb update REVERT:cd57eb423
ci/cd - fix automatic push of doc REVERT:01fbacf0f
ci/cd - fix pdf path for draft release + fix missing git fetch before deploying doc REVERT:d693d065f
ci/cd - allow to update release tag, add PDF to release and fix multiline CHANGELOG in release REVERT:aa2ada0a0
ci/cd - update git user/mail for push doc wf REVERT:a47d7df40
ci/cd - execute apt install as root for doc to pdf workflow REVERT:c4093a2d7
ci/cd - increase ARM node storage REVERT:01e599493
ci/cd - concurrent builds for ARM + fix version string for RPM packages REVERT:aaa070165
linux - fix VERSION path in package script REVERT:0b93c6e10
ci/cd - add more cores to ARM instance REVERT:88db3fa34
ci/cd - fix build rhel var REVERT:5c01bd3f7
ci/cd - various fixes for push workflows REVERT:604d4c1a0
Merge pull request #459 from bunkerity/dev REVERT:bed6d742f
Decrease the compression level when sending configs to BunkerWeb REVERT:57cb6e9c4
Update python deps REVERT:0d1580cff
Small code refactor of the jobs and the scheduler's function that generates configs REVERT:766ca0e9c
Merge pull request #458 from bunkerity/dev REVERT:0ab07678d
Merge pull request #457 from bunkerity/ui REVERT:5412e6d24
fix logs checkbox REVERT:ba7422218
ci/cd - fix push workflows REVERT:fda2948e0
ci/cd - fix typo in push docker wf REVERT:59e5b1d54
ci/cd - fix push workflows REVERT:7ca7d7847
Merge branch 'beta' of github.com:bunkerity/bunkerweb into beta REVERT:939545644
add missing postgresql-dev build deps for ARM images REVERT:0b5746aba
ci/cd - add missing inputs for build arm REVERT:94dc501c1
ci/cd - remove load image in buildkit for ARM archs because of docker limitation REVERT:8ffaa7cf7
ci/cd - force shutdown when deleting ARM node REVERT:6e99e7a98
cicd - fix docker buildx arm driver REVERT:2eef2b8bb
ci/cd - fix variable share for ARM (again) REVERT:406c686e4
ci/cd - fix variable share for ARM REVERT:6cecc70c3
ci/cd - fix ssh command for ARM builder REVERT:2f992baab
Lint py files with black REVERT:7befd927d
Update python deps REVERT:a4ae0d517
Update cached mmdb files REVERT:c3d0d7ca7
Add workflow that automatically updates cached mmdb files REVERT:d4ceb7c10
Remove dev comments for ui tests REVERT:b37c86e62
Fix ui tests problem with the logs page REVERT:a7b07c959
Fix wrong condition when fetching the logs on Docker REVERT:3b237ed3c
Fix UI tests REVERT:a55a0df5d
ci/cd - remove useless condition in create ARM workflow REVERT:ae33ca52e
ci/cd - fix wait-on variable REVERT:8867eb23b
ci/cd - fix wrong json keys from scw api REVERT:1b79e291e
ci/cd - various fixes for arm build REVERT:98ce5041d
ci/cd - use fixed sha1 commit for scw action in rm arm workflow REVERT:66d7216dc
ci/cd - fix typo in create arm workflow REVERT:45fa4d1c2
ci/cd - ignore /root/.cargo dir for security checks, use fixed sha1 commit for scw actions and add missing deps for ui/arm REVERT:9cd13990e
ci/cd - pass ARM ID as secret REVERT:266383abb
ci/cd - dynamic arm build node REVERT:4e0d2fce5
add missing dependencies when prebuilt crypto package is not present REVERT:823c09195
ci/cd - add missing var for ARM builds REVERT:e71dc132e
ci/cd - fix typo in container build workflow REVERT:0db5f7cf0
ci/cd - fix typo in beta workflow REVERT:4bfc5b693
ci/cd - fix wrong cache name in container build workflow REVERT:93d0a991a
ci/cd - fix typo in push doc workflow REVERT:1c178ed75
ci/cd - fix version output for beta/release workflows REVERT:ab7e1f624
ci/cd - add missing runs-on in beta/release workflows REVERT:0f499c9d3
ci/cd - fix typo in push packagecloud workflow REVERT:d0f6d59f6
road to v1.5.0-beta 🚀 REVERT:408662869
ci/cd - fix typo in doc-to-pdf REVERT:312757594
ci/cd - fix typo in beta/release (again) REVERT:11f86ea75
ci/cd - fix typo in beta/release REVERT:ad1606742
use proper links in docs, automatic doc push and add pdf to releases REVERT:08e1d157d
Fix ui-tests by removing no longer present checks REVERT:c8908695b
Remove unnecessary prints REVERT:641a27f5e
ci/cd - remove useless needs for ui branch REVERT:468407081
ci/cd - fix typo in staging workflow REVERT:6784bd691
ci/cd - fix wrong condition for container-build workflow REVERT:ef1897de8
ci/cd - add missing needs to tests-ui staging REVERT:9815f22d7
ci/cd fix typo in container-build workflow REVERT:65c6e48e9
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:14a4db8bd
use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux REVERT:f6b8d23fb
Fix ui tests by editing the attributes name to the new ones REVERT:58fd04430
ci/cd - fix typo in staging.yml REVERT:54a17c775
init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script REVERT:4f2c58bd7
temp disable authelia test for k8s and add missing folders for LE on Linux REVERT:5e4ce4579
various fixes REVERT:fa67c5d7b
ci/cd - fix missing arg for copytree REVERT:04db308c9
ci/cd - edit staging workflow REVERT:5d2045803
ci/cd - edit staging workflow REVERT:e7717ba7f
Merge branch 'ui' into dev REVERT:bbaaad848
docs - last polish REVERT:0658230e2
enhance responsive REVERT:f5c28b27d
Merge branch 'ui' into dev REVERT:575312336
harmonize all titles dark color REVERT:2f336be77
enhance file manager and jobs svg REVERT:81a37a377
enhance actions btns REVERT:c3119f04e
docs - plugins REVERT:ffa91933e
docs - add YT demo REVERT:5741dce6d
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:7695a839f
docs - web UI REVERT:5fe0e0bfd
Merge pull request #454 from Hado-K3n/patch-7 REVERT:8c71f7d27
Merge pull request #455 from Hado-K3n/patch-8 REVERT:124378d7c
Merge pull request #456 from Hado-K3n/patch-9 REVERT:c6a184d90
fix ui integrations and fix stream support in db REVERT:d8b7db167
merge from ui REVERT:ddd83a808
docs - add stream support info and plugin description to settings page REVERT:289b58567
docs - add stream support info on security tuning page REVERT:4dda54a11
enhance style REVERT:0ca473c69
fix style issue between load and page transition REVERT:1145b798f
fix filter setting from custom selectors REVERT:63e7ccf13
better centering loading logo with text REVERT:001a63efc
continue custom selectors + fix script + style REVERT:4144faa93
fix create service issue + remove stash REVERT:72bc9e4bb
start creating custom selectors REVERT:98de3fc2f
docs - quickstart REVERT:f118f992f
merge from ui REVERT:5285a2f4a
force stash REVERT:1d354c9c6
docs - quickstart (wip) REVERT:55a7c8fee
force stash REVERT:64a9fe4db
fix checkbox + style issues + script duplicate REVERT:a90d9e627
ui - fix default value for inputs REVERT:7e1efcbc6
Merge branch 'ui' into dev REVERT:b5f0fe856
docs quickstart wip REVERT:01d8c65c9
remove hidden input checkbox + fix script REVERT:b7f63450e
add special method for mode REVERT:bc47f1fa5
Merge branch 'ui' into dev REVERT:7089e8b4d
fix checked state REVERT:d4fd4c473
fix checkbox + template REVERT:db5789fcb
Merge branch 'ui' into dev REVERT:ab20f83b2
Update k8s.postgres.ui.yml REVERT:bbea8ba3f
Update k8s.mysql.ui.yml REVERT:9a2005d1a
Update k8s.mariadb.ui.yml REVERT:9512de630
docs - quickstart guide (wip) REVERT:956a7bd23
Merge pull request #453 from gin-gitaxias/patch-2 REVERT:f8c5543fd
Update plugins.md REVERT:667bb3003
docs - quickstart guide (wip) REVERT:6b76596a8
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:78c2e16ea
add missing cluster config for ui/k8s and start quickstart guide doc REVERT:1e6cfe8b0
fix filter disabled issue + reset on modal open REVERT:574ecbd6b
Lower the environment variable for the mode REVERT:aa3ce13a8
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:6f39fce6d
docs - integrations REVERT:92fc5d981
Remove ascii art showing in UI logs REVERT:ae7e3ddd9
Fix how the ApiCaller is initialized for UI instances REVERT:df94bc4af
Merge pull request #452 from bunkerity/dev REVERT:bf29fa2f9
Show how many plugins there are correctly in the home page REVERT:509bd21b0
Add log when deleting plugin REVERT:1530745a7
Merge pull request #451 from bunkerity/ui REVERT:a87abf3ce
update home dark mode + variable REVERT:8a5836dd9
add popup darkmode REVERT:3a4a6ee5f
new service doesn't force method="default" REVERT:1321a76c0
update service submit name for new or edit action REVERT:53e145b91
show method involved in disabled setting on hover REVERT:ceec21faa
update web-ui INTERCEPTED_ERROR_CODES REVERT:63ba00180
Fix logic when saving a service in the UI REVERT:479f18b17
Merge pull request #450 from bunkerity/ui REVERT:ab43bf84a
Make it so the UI and the scheduler no longer run as root in Linux REVERT:a7849a6e7
Fix mic mac with config files and UI REVERT:9009859aa
Merge pull request #449 from gin-gitaxias/patch-1 REVERT:0bf2116c4
docs - concepts REVERT:3616a9f20
Update security-tuning.md REVERT:435aae7cf
docs - index and migrating REVERT:c0e649d68
fix logs + select custom REVERT:1c3bbf1bc
stream - add example and fix ssl support REVERT:37ebde363
fix logs and plugins dropdown + margin REVERT:b64e55f75
Add bigger timeout to loading.html REVERT:da4bb8dce
Fix condition in helpers.lua REVERT:ab509c270
Fix UI with Linux REVERT:6916a81c5
bunkerweb is now W3C friendly REVERT:c7bc493e3
stream - fix various errors REVERT:bc1dbe18a
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:bd577cfb2
country fix (again) and init work on stream REVERT:a829528c3
Add bwcli to scheduler and fix it for the autoconf REVERT:9d829ebca
Finish updating bwcli REVERT:94b97a6bb
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:780c0c8c5
api - fix errors in calls and use ngx.ctx instead of ngx.var REVERT:5fb0be70a
Merge pull request #447 from Hado-K3n/patch-6 REVERT:6843902db
Merge pull request #446 from Hado-K3n/patch-5 REVERT:3419dca98
Update k8s.postgres.ui.yml REVERT:38c71cf94
Update k8s.mysql.ui.yml REVERT:b7c260561
[WIP] Update bwcli REVERT:995ff250f
Update python deps + add redis for the gen REVERT:a04490b47
Replace unnecessary import REVERT:5112ed46e
Merge pull request #445 from Hado-K3n/patch-4 REVERT:8558785b1
Update k8s.mariadb.ui.yml REVERT:95e64d6c8
bw - fix black/grey/whitelist rdns check and country check REVERT:8ea94a2e4
Merge pull request #444 from bunkerity/dev REVERT:9f1405d69
Remove unnecessary {-raw-} in index.html when loading REVERT:9a2f7e9ab
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:93b471444
Add margin to antibot files hcaptcha and recaptcha REVERT:93c0cd437
Merge pull request #443 from bunkerity/ui REVERT:e7d61a67c
update antibot and default template REVERT:5d05eaeae
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:a77d233ec
bw - add zlib dependency REVERT:9a69ca135
Merge pull request #442 from bunkerity/ui REVERT:823c12823
fix SERVER_NAME + fix delete form + enhance REVERT:52806afe7
Merge pull request #441 from bunkerity/dev REVERT:2ea726c22
Merge branch 'ui' into dev REVERT:dffc770a9
fix and enhance REVERT:12f8b8197
bw - add missing lua-ffi-zlib dependency, fix syntax error for white/black/greylist, fix error for dnsbl and fix limit request not working in local mode REVERT:4871a2104
api - add missing ctx fill REVERT:bcc5e6bb5
bw - add missing json decode in api and add missing require in country REVERT:83428d6cc
bw - fix resolvers nil error when doing dns checks REVERT:7eefcb8f8
antibot - manage direct access to challenge page REVERT:a372ffd52
fix invalid session error handling and remove debug log in whitelist REVERT:e55912b34
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:5f9f1e54f
load inline multisite values for white/black/grey list core REVERT:3b4882d82
Revert "Remove no longer present CVEs fix because these are already fixed in the images" REVERT:c2e0e5106
limit - use atomic script for redis case REVERT:4bc0771d9
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:edf7e06e0
various redis fixes and display ready log REVERT:a93d9a7d9
Remove no longer present CVEs fix because these are already fixed in the images REVERT:e4465d9a1
Fix jobs cache when a database is used REVERT:c9af9457e
Fix wrong condition when sending files REVERT:17a3d933b
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:a60b6f3ad
bad behavior - fix 500 error and do not pass objects with another lifetime to timers REVERT:c0e8e93ab
Fix documentation mistakes when soft merging 1.4 into dev REVERT:f1a868c66
Fix when the cache from jobs is saved into DB + sleep 5 seconds when waiting for the database for the UI REVERT:d32102376
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:510938fc2
antibot - fix bugs related to session REVERT:ed9605c10
Update python script that generates settings.md REVERT:3dabd42df
Update python deps REVERT:834fbaf01
remove antibot back btn + update raw REVERT:95c231515
antibot - various fixes, not fully fixed yet REVERT:56028b087
update antibot / loading / default page REVERT:502d4fcc0
Add back the fact that we don't download the mmdb country if we don't blacklist or whitelist a country REVERT:ccd56d3b6
change antibot and misc template style REVERT:c949c0232
Update the security tuning's blacklist category according to the settings REVERT:671543e6e
Add more ignored variables for missing setting name warning REVERT:dbd5739ab
Fix wrong setting names under `Custom certificate` category REVERT:5f26ebc69
Fix php-cookie-flags example REVERT:bba26b548
Reorder core plugins to stop having the warning at startup REVERT:db166c434
Add small fixes and lint to the error.html page REVERT:08f3d93ab
Update jobs will now also check and save the cache in the db REVERT:63b1fb947
Fix CVE CVE-2023-1255 REVERT:d5b11b8bb
Merge pull request #440 from Hado-K3n/patch-3 REVERT:92744c091
Merge pull request #439 from Hado-K3n/patch-2 REVERT:d46337f60
Merge pull request #438 from Hado-K3n/patch-1 REVERT:9b52a5c3c
clusterstore - various bug fixes REVERT:3f9d606e1
Update k8s.postgres.ui.yml REVERT:7e2f53c8c
Update k8s.msql.ui.yml REVERT:1f5d8bfab
Update k8s.mariadb.ui.yml REVERT:7a7d83a75
various fixes for redis/clusterstore - still WIP REVERT:a5e08e1c6
refactor of session management REVERT:0fdb108fe
core - do not execute init() if BW is in loading state REVERT:00b50c162
various fixes for core plugins REVERT:4ba5d6659
use ngx.ctx to store common values REVERT:860cc1a92
Merge branch 'dev' into ui REVERT:881d3a00d
fix git issue on windows REVERT:76a2ff656
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:28ef546a9
refactor - start to use ngx.ctx for per-request data REVERT:ed495b99f
Add CODE_OF_CONDUCT.md REVERT:0bd3e273b
Update compression_level of sent tarfiles to 5 instead of 9 REVERT:348ab7a1e
Add feature that allows the copy of code blocks in markdown + Update copyright REVERT:cf2938bf2
Update web-ui docs according to the next major version REVERT:79a46e2cf
Update the logic behind the check for linux os REVERT:9a325c7a9
Add new check for integrations in BunkerNet job REVERT:707256076
Add now the scheduler will pass its own env as well to jobs REVERT:9578ace02
Remove not used INTEGRATION file in BunkerWeb container REVERT:8c919c676
Update links in the home page of the web UI REVERT:ad64ce22e
Remove no longer needed packages that were fixing old CVEs REVERT:29cb6fe16
fix header phase and fix error template REVERT:d3d18e15a
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:a83254bf2
fix wrong log in access REVERT:859343e18
Merge pull request #437 from bunkerity/dev REVERT:50829293c
Merge branch 'ui' into dev REVERT:8e22b1f21
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:9849ce10c
fix wrong error check on phases and add missing ttl for *list cache items REVERT:3b5c083fc
Soft merge branch "1.4" into "dev" + changing versions REVERT:4d95e32f1
update error page REVERT:1da4b78f0
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:915b51c3b
fix error pages for default http server REVERT:535f1a055
Merge pull request #436 from bunkerity/staging REVERT:0afe038aa
WIP Ui REVERT:3b6c3815e
fix default-server-http.conf REVERT:b5fa473ae
Merge branch 'refactor' into staging REVERT:2fddbd862
refactor - disable asn checks for non global IPs, use resty.template with antibot and various fixes REVERT:8d63e3974
refactor - fix various errors and add missing dependencies REVERT:23725d483
Update prod shields.io link in README.md REVERT:303f380c7
Update demo.gif file REVERT:3c375039e
Optimization on the download of mmdb files REVERT:a7773dae2
Update intro-overview.svg REVERT:5eb884fe9
Fix bug when showing cache files for services in the UI REVERT:3fac889ff
Remove no longer used modsec rules for the UI REVERT:c3106e70e
Update README.md and edit the demo GIF + edit the .prettierignore file REVERT:928ed2d6c
refactoring and road to nginx 1.24.0 REVERT:34ab94640
Update python image in Dockerfiles + Add gevent to requirements for the UI REVERT:aa96c8503
update css REVERT:649d29b05
change news base url REVERT:217d1aa50
enhance style + menu script REVERT:e6ff51e20
Refactoring and Linting of py files and json REVERT:666b7a1ba
refactor - blacklist, errors, greylist, letsencrypt and redis REVERT:496edb83a
Adding thel documentation REVERT:ee83cea7f
Add ascii art showing randomly when starting REVERT:6d1914d62
Update python deps REVERT:648f15e42
Add new core plugin update-check REVERT:2075a5d4c
refactor - badbehavior, blacklist, bunkernet, cache, cors, country and dnsbl REVERT:5dd52186b
Fully adding vagrant in the doc REVERT:3a03f07f1
Changing vagrant integration REVERT:64997bae8
Adding vagrant integration REVERT:03ec271e2
refactor - improve clusterstore interface and automatically retrieve variables for plugins REVERT:29c57915c
antibot inherit from plugin REVERT:840c29568
continue work on refactoring REVERT:1ec83f256
renamed session to sessions REVERT:8c2908157
save work REVERT:afc0ac198
init work on refactoring REVERT:4cd3fc644
Merge pull request #434 from syrk4web/staging REVERT:bfc872be2
change flash logic when login REVERT:049e9c1ea
Update python deps REVERT:bf9b94ebf
Avoid Autoconf from running in root REVERT:92e698458
magento - fix docker example (again) REVERT:a771bdb18
magento - fix docker example REVERT:7c21b3da2
deps - update lua-resty-session to v4.0.3 REVERT:d4fae4b57
session - add missing settings REVERT:a85044220
init work on redis session REVERT:986f506e7
add missing API_WHITELIST_IP in mattermost and moodle examples REVERT:41e8f5c93
fix wrong init of counter in badbehavior and fix nextcloud/docker example REVERT:8e7205062
ci/cd - reduce dynamic subdomains for k8s tests because of annotation size limit of 63 chars REVERT:1bc42204d
ci/cd - use dynamic random subdomains to bypass LE rate limit REVERT:a1e44f6e4
Merge pull request #431 from gin-gitaxias/staging REVERT:7ccd3ef92
fix moodle/swarm example and disable reverse-proxy-websocket test REVERT:8b54073a7
fix missing backslashes in autoconf custom configs and add missing full reload after custom configs update REVERT:622f2eb2a
autoconf - check if service exists before adding config REVERT:5d14813be
fix typos after basic testing REVERT:9f7060564
autoconf - add missing import and fix double lock release REVERT:937cd10ee
refactoring and various improvements REVERT:6af3b985a
fix deadlock in autoconf/swarm and fix missing favicon in default and loading pages REVERT:f6ed21b3b
autoconf - fix global custom configs not supported in k8s/swarm mode REVERT:eee03c4ae
autoconf - fix variable typo in k8s watch REVERT:ecf4e77b3
autoconf - fix deadlock in watch loop REVERT:0b71819d2
watch services for autoconf/k8s and support real IP in default http server REVERT:d3d0136bf
various redis fixes and improvements REVERT:e80965ca9
lua - fix wrong variable name in access REVERT:220374db4
ci/cd - fix syntax error in jobs REVERT:9b8606d40
fix redis hostname for k8s files and only append tasks with a desired state of running for autoconf/swarm REVERT:c843be074
reverse proxy - allow all chars for URL settings REVERT:6a65104e7
fix return value of clusterstore.connect and disable auth basic for LE challenges REVERT:b429201ec
add missing LUA import for clusterstore and fix prestashop docker example REVERT:a9ce32c26
added a more precise scan response and modified .json like asked REVERT:f4442b642
ci/cd - fix syntax error in k8s test class REVERT:1c3c0d63b
ci/cd - fix missing k8s create infra job REVERT:e8c6d04aa
ci/cd - various fixes for k8s tests REVERT:1caa9a1e7
adding reverse-scan REVERT:5d41a5b98
Merge pull request #1 from gin-gitaxias/reverse-scan REVERT:77fb8c420
Add files via upload REVERT:1bb79b155
linux - add geoip deps to rhel rpm REVERT:cf8644602
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:ea1394b04
ci/cd - add linux/rhel tests, fix docker/behind-reverse-proxy, fix missing stream module for linux/fedora and remove placement constraints for swarm REVERT:87bd26da0
Add threatmap to README REVERT:b3eb64745
ci/cd - temp disable autoconf tests and add missing packages for linux/centos REVERT:202f21aab
fix syntax error in ApiCaller REVERT:55a36f719
fix docker/joomla, fix autoconf/nextcloud and fix API calls for swarm tasks REVERT:1c3f094cd
ci/cd - fix wrong yaml edit for swarm and append LE settings for k8s REVERT:f07c0e66a
ci/cd - various fixes REVERT:e8ee460ef
fix CVE-2023-0464 and CVE-2023-0465 REVERT:dd2c8cbcd
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:2d11a1c72
fix nextcloud modsec rule id, fix k8s pvc definition and remove useless logs from linux/start.sh REVERT:4f334a577
Add sleep between BunkerNet registering and ping to the API to avoid being rate limited REVERT:283828e8f
Fix Now support WebDAV methods in the ALLOWED_METHODS setting's regex REVERT:e50c92250
various fixes REVERT:b8b50b165
Remove check for messages after creating the service - tests-UI REVERT:e88406b5d
Fix ui tests with the new UI REVERT:922b32b2e
Merge pull request #429 from syrk4web/staging REVERT:671db37f7
fix autoconf/cors, fix docker/wordpress, fix wrong image name for k8s/scheduler and upgrade tests instances for swarm/k8s REVERT:be71b0781
format logs instance to avoid error REVERT:9e1876fea
logs fix + checkbox fix REVERT:4d245f9fe
change cache/download to jobs/download REVERT:6d16a766f
fix service delete + change style REVERT:5e598e90c
fix bw-data volume not reused between docker tests, fix wrong bw-data volume path for autoconf tests, add let's encrypt to autoconf tests and fix temp env not generated for linux REVERT:dc8b7dbe7
fix form input REVERT:bf22faddc
remove php-cookie-flags from tests, use HTTP(S)_PORT for temp nginx on linux and fix wrong volume path for autoconf tests REVERT:6c6845a79
enhance some responsive + change api REVERT:461789aed
ci/cd - fix BW CVEs and fix Linux restart REVERT:318228e59
change and fix service logic REVERT:fa7c7ac91
ci/cd - add www volumes for autoconf REVERT:f88eced33
Handle services settings sent to the UI better REVERT:357dc3e3a
Merge pull request #428 from syrk4web/staging REVERT:283306a07
Remove CVEs fix, it's no longer needed for now REVERT:276a96c55
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:19870f154
various fixes for linux and get ui tests exit code from container REVERT:2485a47b2
Update python deps REVERT:bd88f9743
fix id rename error REVERT:82d8180d8
Merge branch 'staging' of https://github.com/syrk4web/bunkerweb into staging REVERT:41f43c46d
fix multiple REVERT:0f632803f
Merge branch 'staging' of https://github.com/syrk4web/bunkerweb into staging REVERT:53f480a66
enhance multiple logic + fix conflict REVERT:1cf4a5665
disable healthy checks for docker-poryx and dummy app in ui tests, add --no-reload-linux flag to generator and fix missing self arg in autoconf REVERT:041142a4f
add healthchecks to ui and autoconf docker images REVERT:4f9748cc2
earlier init autoconf in DB, healthcheck for scheduler and fix syntax error in linux/start.sh REVERT:54813ecd4
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:d97b5e104
various fixes REVERT:8031c5060
Start handling disabled checkboxes + multiples REVERT:58ab870b2
increase cors/k8s/swarms timeout and fix tests/ui container names REVERT:cceda705b
update flash count on remove REVERT:e91f3dc22
Add a log when database is ready in UI + Small refactor of the Configurator REVERT:1e9a55c24
Add small tweaks to the UI and scheduler Dockerfiles REVERT:7dc26dafa
Fix disabled checkboxes no longer always have the value no with the UI REVERT:7dc25b3a5
fix redmine/docker example, remove double AUTOCONF_MODE in integrations, remove useless backslash in start.sh/linux, rename container for ui/tests REVERT:55d24a8d1
Change mmdb-country job to download the file only if needed REVERT:9e009f7be
Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging REVERT:73b640bd3
fix cors/docker example, add missing AUTOCONF_MODE=yes to integrations YMLs, proper save_config for Linux and fix image name for UI tests REVERT:87bccaad6
Add `AUTOCONF_MODE` setting to scheduler in integrations examples REVERT:d331131c0
increase timeout for php-multisite, add API_LISTEN_IP setting, edit default variables.env for Linux and add more logs for tests REVERT:578a1a8c8
Add more precise logs in the jobs plugins REVERT:cb808c0ad
Fix bunkernet-ip.list file not being created in case of an error (same as 1.4) REVERT:c8d39ba6b
Fix scheduler no longer running as root + Fix permission errors with downloaded plugins REVERT:4a67a5f56
Merge pull request #426 from syrk4web/staging REVERT:4dea680ac
enhance style + some fix REVERT:d81088272
Change the category if the user needs to log in in the UI REVERT:e003b751d
Fix when saving plugins with pages REVERT:b829e4edf
Fix false positive error with plugin page in web UI REVERT:fc3ef3346
Add UI logs into console REVERT:ce85bc6b8
Fix openssl no longer prints progression in the console REVERT:2e144bf46
Merge pull request #424 from syrk4web/staging REVERT:defb2c333
Change the way the error page is rendered REVERT:2ae37ce8d
Fix regex for ANTIBOT_HCAPTCHA_SITEKEY setting REVERT:f335364fc
Lint antibot.lua REVERT:16842fef1
Fix errors with missing % symbol + fix errors because of the symbol REVERT:5f5a5a890
Fix css in antibot html files REVERT:ccde5c74f
fix real ip jobs REVERT:d3402ff3f
change loading, error and test files REVERT:a02218bc8
end examples refactoring REVERT:5845446b9
Revert "Fix errors regex, authorize same path for multiple errors" REVERT:be0df4160
Fix errors regex, authorize same path for multiple errors REVERT:89812362a
continue examples refactoring REVERT:5d214497b
Fix don't try to add an instance when saving the configuration with the UI REVERT:808b7b220
Update jobs connect to the database only when needed REVERT:aa0eff749
Fix regex in redis plugin that was breaking the UI + fix ui.conf missing comma + remove unused variables in templates REVERT:1ac434a5b
Update python deps REVERT:9c22f1e97
Refactor the py files REVERT:cfe5c6063
examples refactoring REVERT:e37e6c346
Fix mixup of swarm and kubernetes when reading env variables + refactoring REVERT:0356250d9
Fix problem with the bunkerweb container and plugins REVERT:548d157fe
Fix check if the Database is on read-only before trying to write REVERT:7c5aa4897
Update version string size to support new format REVERT:61b9517a8
Fix error when multiple jobs are trying to write in db at the same time REVERT:8c67d08ae
Lint code REVERT:966f57cea
init work on examples refactoring REVERT:0210ddd88
Add realip settings values to the initial BunkerWeb settings REVERT:6f29756dd
ci/cd - pull only interesting images for UI tests REVERT:2b1dbb1d4
fix default cert path again and ignore pull errors for UI tests REVERT:74a11c2ed
fix wrong cert/key path for default server REVERT:b3769b6e3
fix missing then in blacklist.lua, disable site search in redis.init(), remove counter from reverse-proxy/stream config and fix ui tests compose pull REVERT:c7d8b7dc1
update resty core and http lua to support latest version of stream lua and various fixes related to ci/cd REVERT:a62ef9f54
add missing init-stream-lua.conf and various fixes for ci/cd REVERT:65611020d
fix duplicate datastore http/stream, fix missing /var/www/html for linux and various fixes in tests REVERT:b28668d68
ci/cd - revert back to old condition for pulling images REVERT:706305917
ci/cd - fix wrong autoconf local image name, add missing secrets for tests-ui, fix wrong IMAGE_TAG for tests-k8s and try to fix pcre issue on linux REVERT:2d440d26e
ci/cd - add missing runs-on for reusable tests-ui REVERT:93945f391
ci/cd - add ui tests REVERT:5e31b6c4a
fix CVE-2022-1304 for autoconf, add missing load_module for ngx_stream_lua_module.so and fix missing -lpcre in configure step REVERT:01fab4162
ci/cd - fix CVE-2022-1304 and wrong TEST_DOMAINS REVERT:aa614b75a
ci/cd - replace Test.py with latest one, fix yaml paths, print logs when k8s stack is not healthy and fix wrong linux docker image name REVERT:88a295517
ci/cd - fix log() call REVERT:b95d1bc6d
ci/cd - add missing log() and fix TYPE for linux tests REVERT:2604d9a56
ci/cd - trying a hack to support dynamic runs-on REVERT:ed4d94529
ci/cd - trying to fix runs-on problem REVERT:53410e831
ci/cd - remove steps REVERT:609210021
ci/cd - inherit secrets for tests workflow REVERT:a168f2bce
ci/cd - fix rhel build and runs-on for tests REVERT:8bf211bc5
ci/cd - fix linux package generation (again) REVERT:9250faa52
ci/cd - fix linux package generation REVERT:139eaa2dd
ci/cd - add missing scripts REVERT:7149a34cc
ci/cd - add empty .trivyignore and rename redhat to rhel REVERT:5c5dbcfc7
ci/cd - fix type in push-packagecloud workflow REVERT:e826c619f
ci/cd - fix wrong quotes in delete-infra workflow REVERT:b24cbf73d
ci/cd - fix wrong quotes in tests workflow REVERT:99e27c430
ci/cd - add missing input in tests workflow REVERT:ee0e608de
ci/cd - fix negative conditions REVERT:10f9658f5
ci/cd - fix wrong jobs name in needs REVERT:27bac0382
ci/cd - trying to fix dynamic runs-on REVERT:97627cf83
ci/cd - pass runs-on to reusable workflows REVERT:8969b1e72
ci/cd - remove version from reusable workflows REVERT:8ca292fb3
ci/cd - change reusable workflow paths REVERT:8e73eb87c
ci/cd - fix syntax errors REVERT:46e3078dd
ci/cd - crash test incoming REVERT:95c5e2e47
ci/cd - move dynamic runs-on from reusable to staging workflow REVERT:131857a9b
ci/cd - fix wrong indent in staging/delete-infra-* REVERT:fc1cab1af
ci/cd - remove subfolder and continue work on staging REVERT:25729fda7
ci/cd - init work REVERT:bb2d868fa
Refactor tests REVERT:5e3dadbfe
Refactor ui REVERT:7fe168892
Refactor scheduler REVERT:36b5c372e
Refactor Instance and remove unused method REVERT:596258559
Accept incoming changes for misc jobs REVERT:c5a10aaa3
merge default-server-cert job REVERT:06acae405
rename *CUSTOM_HTTPS* to *CUSTOM_SSL* and continue work on stream support REVERT:6bf59b59a
Refactor the plugins jobs REVERT:7a8a75901
Fix multiple CVEs (see comment) (finally) REVERT:10ec01e7b
Fix wrong env var name in realip plugin REVERT:947ecf81f
stream - add is_stream variable to check if we are in stream or http mode REVERT:4f4c8ebf0
init work on stream support REVERT:79036e975
add ngx_devel_kit and lua-resty-env deps, support set_by_lua hook for plugins and init work on whitelisting support with modsecurity REVERT:c2402b118
fix duplicate root error when bw is starting, add modsec rule to core ui and init work on k8s/swarm integration files REVERT:dbd052e9a
Remove unnecessary import and use parent list of supported custom conf instead REVERT:fb917960b
Revert changes on the custom conf regex for the autoconf REVERT:26de0a233
Lint files REVERT:0faa34ac7
Add a regex to the setting REDIS_HOST REVERT:1d9459202
misc - add missing page.conf REVERT:1b113236a
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:29b373148
misc - default pages for default server REVERT:6cb714be0
Start adding integrations examples REVERT:99b85ec8a
Fix Apicaller error with swarm REVERT:37114ee2f
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:902fe6ad0
bw - init work on redis REVERT:7bf034fc9
Fix being able to delete autoconf services from UI (shouldn't be) REVERT:916caf2d6
Merge (soft) 1.4 branch into dev branch REVERT:f8e31f287
Update mattermost to use a static image REVERT:0f35c05ee
Ignore multiple CVEs due to missing deps in python:3.11-alpine REVERT:846e26e41
Fix multiple CVEs (again) REVERT:ebc7fbbce
Fix multiple CVEs (see comment) REVERT:f4081ebd3
Handle more errors with Bunkernet job REVERT:3b01b5144
Upgrade the way the jobs run_once are executed REVERT:8fa94d6a5
Edit DockerController regex to handle more custom confs and fix modsec conf mixing REVERT:c92d4224f
Update python deps + add cryptography for autoconf and MySQL REVERT:579975899
Fix checkbox not being sent when unchecked + double settings tab in UI REVERT:935805721
Fix CVE CVE-2023-22490 and CVE-2023-23946 REVERT:c671ccf7a
Add unauthorized_handler to UI REVERT:5ac64758e
Merge pull request #417 from syrk4web/dev REVERT:fdd0da35d
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:34d12cd55
Fix file manager always use the database now + create log file for UI if not exists REVERT:47ccd9f04
Log events back in the UI REVERT:39b0f3f19
fix + show one mult group REVERT:7828c0225
add checkbox fallback + DL script REVERT:e425eef9a
Fix weird shenanigans when saving services config REVERT:b75bc0344
Adjusting upgrade on file variables.env REVERT:79dabf763
Change the way bunkernet check on which instance type it is REVERT:3f462fb3b
Optimize logger REVERT:84f3a894f
Fix cache files not showing on UI REVERT:93933bde7
Fix custom conf MODSEC CRS being interpreted as MODSEC only REVERT:c22bccc76
Correcting nginx version for debian installation REVERT:8bedc9ce6
Correcting doc REVERT:3a60b3463
Modifying doc for packagecloud problem REVERT:9efa21709
Correcting fedora packagecloud problem REVERT:e3410058f
Correcting Ubuntu/Debian REVERT:60ac00f5f
fix inp value REVERT:6b13fbb84
change svg REVERT:c89205016
Adding Rhel integration REVERT:cb77a7010
change logs datepicker REVERT:8b0d8a9d3
remove log + fix service tab REVERT:facb597ee
fix float buttons REVERT:89930f1a3
Remove encoding from Database engine args REVERT:6122d59d8
Update python deps REVERT:d3a02be59
Rhel cannot be supported yet REVERT:a51aa27e4
Add some checks and solutions to rare syntax error REVERT:ae8e65057
Fedora upgrade working Correcting backup during upgrade Database backuped TroubleShooting some errors with OS Centos working REVERT:77f41a059
Backuping old confs working REVERT:8fcba30ab
Upgrade Debian/Ubuntu working REVERT:2e9a0c79e
fix select hover style REVERT:64961e395
Remove unused imports REVERT:b662d8453
Update python deps and remove oracledb REVERT:e9d981a56
Fix checkbox being disabled every time REVERT:39418790a
fix popover content REVERT:3d96fdb34
update dashboard REVERT:580f33e56
new file el is hidden on nav REVERT:4f6244e74
Lint code REVERT:1f2076756
Update Python deps REVERT:dcf9e301e
Fix UI not exiting correctly with gunicorn REVERT:f1a28b01b
Merge pull request #408 from syrk4web/dev REVERT:5739144e3
Fix bwcli /bans command REVERT:df7bbb960
Update VERSION to 1.5.0 REVERT:dd0f56bb0
Add password type for settings REVERT:d83d3aa3d
Fedora working Modifying centos systemd Adding %postun to rpm Modifying postun deb Centos working REVERT:b85e6ee6b
Updating to Fedora 37 REVERT:ca0d88fcc
Upgrading script: Ubuntu & Debian working REVERT:835f85d5d
enhance input field style REVERT:c4b5ddb95
Add setting to intercept specific error codes REVERT:86c81a621
Merge pull request #407 from syrk4web/dev REVERT:e6cb5b0b0
Made the UI independent + update job download plugins REVERT:0ce5f216d
handle password inp REVERT:44ce5381c
Fix CVEs REVERT:12b4cfa22
Merge pull request #406 from syrk4web/dev REVERT:d7ee3ad66
fix file manager dropdown REVERT:efbcfd0e2
Beginning of automation testing for linux packages REVERT:50b83790a
Merge pull request #405 from syrk4web/dev REVERT:bf1d19f33
remove prefix multiple input REVERT:4d49f2f4b
Improving and correcting problems on packages REVERT:f5d87849a
Fix errors in the UI when a service has multiple domains REVERT:d6d1dd1ce
Merge pull request #403 from syrk4web/dev REVERT:0f5a73430
add condition for services REVERT:a5256dd80
Fix IPv4/IPv6 CIDR regex REVERT:591a20cd8
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:c56fccbf2
Adjustments to upgrade REVERT:a3a5c1c74
Add ui tests requirements to the updated python deps REVERT:b1c99e408
Add tests for the UI REVERT:65f2bf09b
Remove the idea to store logs inside the database REVERT:7beb400b4
Fix stop gathering all the logs every time with the auto update REVERT:ab163ce13
Fix services settings saves and plugins deletion REVERT:6932f3ded
Add a new script to update python deps and update python deps REVERT:d14372075
Fix tar error when sending /etc/nginx to BW REVERT:9edf789ab
Update python deps REVERT:4b3b9b326
Merge pull request #397 from syrk4web/dev REVERT:557db479c
refactorise logs script REVERT:13f1dadf5
Merge pull request #396 from syrk4web/dev REVERT:adf96cadc
remove useless files REVERT:d2a634e7f
plugins + global_config fix REVERT:1aaac2dcf
Add regex for settings.json REVERT:871807b80
Add small fixes and tweaks REVERT:4c5172eda
Correction of problems REVERT:331d58324
Fixing details REVERT:e9c1b0cf8
Adjusting some details REVERT:c220e5997
Linux UI fix REVERT:13fbbfb67
Update job database while locking the threads REVERT:ea4ceae7b
Fix isPage logic in menu (UI) REVERT:8ee0ec88f
Remove test files in UI REVERT:d81c52654
Lint ui files and change .prettierignore file REVERT:5cc80d2ba
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:a6295248c
Merge pull request #394 from syrk4web/dev REVERT:38b59954a
Lint yml files REVERT:146338de6
Refactor every .py file REVERT:fcd8d8746
open another tab for doc REVERT:051192791
change style REVERT:9c80cdb32
add plugin page logic to menu REVERT:7689dac76
Filter CVEs fixes in Dockerfiles REVERT:0c8dfaaab
Update bw and autoconf Dockerfiles for let's encrypt REVERT:c5d3e77c1
Fix letsencrypt permission error and optimize the ownership commands in scheduler REVERT:8304116fd
Send more variables to the home page front REVERT:4379e21ea
Show dirs of every services even if they don't have a custom config REVERT:148d9d2d4
Remove user override in the job scheduler when executing jobs REVERT:c6498eda7
Add new php-cookie-flags example REVERT:f97e056ff
Update jobs REVERT:13fe4b6ee
Edit core plugins regex + make COOKIE_FLAGS multiple + edit DB model accordingly REVERT:2b2eadf44
Merge pull request #392 from syrk4web/dev REVERT:342fe956f
change data creating new service REVERT:bb7ca889c
enhance darkmode + fix + factorisation REVERT:cdc3cfc81
add toggle multiples + style REVERT:191c88238
Merge pull request #388 from syrk4web/dev REVERT:dbe49bb8f
Update intro image REVERT:7bdc46057
Change how the edit works in the config (UI) REVERT:364ef13b5
Fix error by calling a method on the wrong variable REVERT:1142ace55
Fix rare error with the jobs return code REVERT:477e87a2f
news script + multiples groups REVERT:a04f983a0
Merge pull request #385 from syrk4web/dev REVERT:e5574fbdc
change flash messages style REVERT:b1ca47253
Small tweaks and handle services variables better REVERT:98bda4d1e
Remove unused line in Templator REVERT:0b1be727f
Optimized the storage in the Database REVERT:47526dc8a
Merge pull request #384 from syrk4web/dev REVERT:00d3073b0
get custom method and check disabled state REVERT:02d10f619
Fix datepicker.js not being found because of the caps REVERT:da634af4a
Accelerate send_files method REVERT:be0ee60cd
handle stop signals with the web-ui REVERT:064f9eef9
Remove lines that will never be used in save_config REVERT:ec15a4e88
Handle stop signals from Docker in the scheduler REVERT:c49f50da2
Move BunkerWeb entrypoint to the correct dir REVERT:48bbb5e39
Merge pull request #382 from syrk4web/dev REVERT:b944de9e8
change service multiple script REVERT:07ab3deb0
Remove unused lines in selfsigned job REVERT:a4e863f09
Update authentik and migrate the example to the 1.5 REVERT:eeb810546
Migrate authelia example to the 1.5 REVERT:e2b2505d8
Fix saving config for multiple settings REVERT:a0c2db7a0
Fix how the config is get from the database REVERT:4595295bd
fix tab focus style + dark mode style REVERT:0bd6d5655
add flash script to login + enhance style REVERT:6f5aab11d
fix footer padding REVERT:37380b977
fix get multiple settings only REVERT:3f6432f4b
Merge pull request #381 from TheophileDiot/dev REVERT:ff84656cd
Update examples + add static versions REVERT:0e29d9f1f
enhance and fix REVERT:c195ffc86
Fix autoconf not working properly with the shared volume REVERT:291d64e29
Update community example + linting REVERT:4346322f7
fix services settings on modal open REVERT:f2daf7368
Merge pull request #380 from TheophileDiot/dev REVERT:ba9c16a5d
Merge branch 'dev' into dev REVERT:0db1550f2
Changed the way jobs' cache files are downloaded REVERT:fa54ebd49
Made a few tweaks + change the plugins for the services modals REVERT:0290f509e
add plugin_name (change values) REVERT:77931b623
add plugin_name REVERT:6560ca086
test REVERT:0d0f1aa95
Merge pull request #378 from TheophileDiot/dev REVERT:03e98985e
Migrate more examples and lint REVERT:016a8cd6d
changes REVERT:5263be27d
Change the way jobs are downloaded + folder created in configs REVERT:7813b51db
Merge pull request #377 from TheophileDiot/dev REVERT:c4bd535ac
Add autogen back for docker and the autoconf REVERT:243c4ca78
Merge pull request #376 from TheophileDiot/dev REVERT:e9687a5b1
Remove unnecessary comments REVERT:8537eea89
Merge pull request #375 from TheophileDiot/dev REVERT:3c9574dae
Linux: Updating nginx to 1.22 REVERT:9f84e02d8
refactoring services modal logic REVERT:b105896b2
add rename form REVERT:ff83b342d
fix issues REVERT:8e31672ac
Merge pull request #374 from TheophileDiot/dev REVERT:b3d80d7a6
Generate requirements with python3.9 + use new resolver REVERT:6bbbe70ee
Merge pull request #373 from TheophileDiot/dev REVERT:e33bad4b9
Fix comments + updated passbolt to support the 1.5 REVERT:37f21c5d4
Temporarily comment the post fetching REVERT:343d9d09e
Show plugin pages even if there are none REVERT:0a4f0eb57
Fix error with jobs wrapper REVERT:1d4998356
Fix darkmode + Add new variables to pass to the front REVERT:547021e7b
Fix job fetching for never ran jobs REVERT:0954e82f4
Fixes some bugs in the UI related to the plugins REVERT:3c5f6002d
filter script + manage files + fix css + enhance REVERT:e988aacf3
Merge pull request #371 from TheophileDiot/dev REVERT:cce181a29
Update customcert job REVERT:9ba06b64d
Update README REVERT:7f2eadacc
Update python version for the scheduler and requirements REVERT:8d6c3d0b8
Fix db get_config REVERT:cc748a048
enhance responsive + add loader REVERT:3bafe137d
refactorisation REVERT:e9dfb59f3
handle settings type multiple (fetch, add, remove) on services REVERT:8e5dda520
Changed the way the config is get from db REVERT:368122181
start multiple add and delete logic REVERT:fee59a51e
separate multiple from others inputs REVERT:50ba22914
upload plugins + jobs template + global enhance REVERT:94b0e6a0d
Changes on the flashed messages REVERT:2e0a733cd
Merge pull request #370 from TheophileDiot/dev REVERT:103e4a0ae
Update modsec CRS to v3.3.4 REVERT:f0f9d7dcf
Merge pull request #369 from TheophileDiot/dev REVERT:4dabe6dae
Advancements in the examples migration to 1.5 REVERT:115bfbdc1
Merge pull request #368 from TheophileDiot/dev REVERT:81ad9e9ac
Update examples and add docker-proxy REVERT:82ab6c7c4
Revert "Remove unsafe deps in the requirements and install setuptools manually" REVERT:b578823a1
Remove unsafe deps in the requirements and install setuptools manually REVERT:7fb61b5ef
No longer dump the jobs to the front REVERT:37ece3de1
Merge pull request #367 from TheophileDiot/dev REVERT:719d779e0
Start updating the examples to the 1.5 REVERT:2889b2638
Merge pull request #366 from TheophileDiot/dev REVERT:3c3bb7f20
Fix the way we fetch the config from the database (with suffixes) REVERT:f0d0dac91
Add the variables back instead of the "_" so it doesn't create an error REVERT:62ab9944c
Fix scheduler errors with sqlite in autoconf REVERT:739190051
Make the bunkernet not run in a thread to avoid errors REVERT:840ef8cf8
Fix typo in selfsigned job REVERT:5a95e6703
Edit the way the UI updates the config REVERT:34b5aba1c
Merge pull request #364 from TheophileDiot/dev REVERT:b7f60dbdc
Update deps and requirements REVERT:a0634b573
Merge pull request #363 from TheophileDiot/dev REVERT:c0efdf9c0
Replace /usr/sbin/nginx with nginx REVERT:db35e575e
Rename variables so they make more sense REVERT:b22cc44d8
Change the way jobs are sent from the database REVERT:4e96e57e0
Make certbot compatible with 1.5 REVERT:aaeda5300
Change the jobs logic + add support for arm REVERT:657722922
enhance templates REVERT:844b06e28
Fix how the jobs are sent to the front REVERT:3a0727b5c
login template done REVERT:0f5756cfb
enhance logs + prepare jinja variables REVERT:08e7c2104
plugins done + add name to settings REVERT:6b5d6e07e
Revert changes on the check_settings function REVERT:3ccc12d78
add dropdown + responsive REVERT:3ed3fbe99
Autoconf now updates the instances too REVERT:e56f96d04
Update database model + Save instances to database + add the option to add logs into the database REVERT:c87c3637d
start plugins template REVERT:3a5d14952
Made few tweaks with the home page + remove useless functions REVERT:55e76b280
Fix path for dropzone's scripts REVERT:64d261acc
Change the way logs are parsed REVERT:f13455d11
send timestamp with ms REVERT:7aac0c352
fix ms REVERT:fb2e41c11
logs params REVERT:2967ed98c
fix fetch REVERT:4f9b2120e
test REVERT:f1e614fae
change ternary operator for fetch REVERT:fa5719db7
fetch logs + liveUpdate filter REVERT:2a2f2f1e9
Fix scheduler error REVERT:208716722
Merge pull request #361 from TheophileDiot/dev REVERT:fa98003f2
Thread the jobs run_once REVERT:89e8839bb
Optimize the regex for the core lists REVERT:51c5836ae
change logs script/template + continue jobs REVERT:f61b4428b
Merge pull request #360 from TheophileDiot/1.5 REVERT:a96771881
Change the logs date format + start editing the logs endpoint REVERT:d30adf670
Changing rhel REVERT:bf19cfe3d
Migrating Linux to 1.5. Still some details to adjust to be perfect REVERT:0cd6ed1af
When downloading new plugins, update the database properly + update job every time now REVERT:8f75af3d6
edit the .dockerignore REVERT:4f4beeef9
Create the database variable even when passing the variables, just in case REVERT:7347fe9bc
update jobs only once REVERT:b509ce16e
Copy the files after installing the requirements REVERT:64601ebf5
Remove useless warnings REVERT:c9238f993
Merge custom configs generation to avoid repetition REVERT:192c6755c
Update db for the jobs that are ran only once REVERT:c14765c6c
Change the way jobs are sent and how we update external plugins REVERT:888bedd51
Change how jobs are sent from the database REVERT:babb1c72c
Revert "indentation" REVERT:44c74f9be
Revert "indentation" REVERT:984b6c5f0
ci/cd - speedup codeql by ignoring some folders not containing python files REVERT:355c947a4
start jobs template + enhance menu REVERT:272de0b8b
ci/cd - fix codeql config path REVERT:d9fc713c4
ci/cd - move codeql config to file REVERT:c2503d63d
ci/cd - add codeql REVERT:b098478bd
enhance service + darkmode script REVERT:fa1739439
ci/cd - init work on dependabot REVERT:82df3f17f
ci/cd - init work REVERT:f02adf300
indentation REVERT:c1031cb2c
indentation REVERT:e8581ecb4
enhance news/menu/base + logs scripts REVERT:eb99d00da
Revert "enhance news, menu + end logs scripts" REVERT:a7d3d0452
enhance news, menu + end logs scripts REVERT:c7556a39a
Merge pull request #358 from TheophileDiot/1.5 REVERT:e02e9c9ec
Edit how plugins work with the UI REVERT:f1d7add73
Merge pull request #357 from TheophileDiot/1.5 REVERT:1252d1651
Add the jobs feature and add the link when using sqlite REVERT:2154c7f54
Update database default DATABASE_URI REVERT:7957f63b8
Merge pull request #356 from TheophileDiot/1.5 REVERT:73668b476
Optimize plugin gathering REVERT:b3cfc1f01
Remove unnecessary lines and add plugins_errors endpoint REVERT:b57e50db2
Send needed settings with the services in ui REVERT:a0e66ab30
Change Database default path for the sqlite file REVERT:fdd393826
add ui work in progress REVERT:6b9a6a7e3
Merge branch '1.5' of https://github.com/TheophileDiot/bunkerweb into 1.5 REVERT:277e37bce
Revert "add ui" REVERT:05d4b77bb
Merge branch '1.5' of https://github.com/TheophileDiot/bunkerweb into 1.5 REVERT:e7e43e64d
Add dark_mode to ui REVERT:d40a93cb7
Revert "add ui" REVERT:d102f027f
add ui REVERT:b70d97671
add ui REVERT:7db7aee7c
Merge pull request #355 from TheophileDiot/1.5 REVERT:70844ca60
Fix database with autoconf REVERT:1a7d8978b
Merge pull request #353 from TheophileDiot/1.5 REVERT:93c74154a
fix fedora python deps bug REVERT:f2eabc0df
fix centos python dep bug REVERT:d199f124b
remove exits in ingress controller REVERT:3ec15eb4b
Update the docs from dev REVERT:5a8f81256
Merge branch 'dev' (softly) REVERT:d214352b7
Merge pull request #352 from TheophileDiot/1.5 REVERT:891757dab
Add support for arm + change scheduler python version REVERT:8dd377562
Merge pull request #351 from TheophileDiot/1.5 REVERT:630cf8b88
Change the way services are sent to the UI REVERT:b0c09b4de
Merge pull request #350 from TheophileDiot/1.5 REVERT:fa655e6f0
Remove no longer used install.sh and uninstall.sh REVERT:c8fbcbeae
Merge pull request #349 from TheophileDiot/1.5 REVERT:32101c3dc
Move UI deps, Make the DB compatible with PostgreSQL, MySQL and Oracle REVERT:035eed8f6
ui - add custom PYTHONPATH in Dockerfile REVERT:2a3e24bd2
Merge pull request #348 from TheophileDiot/1.5 REVERT:3984c4b0d
Separate deps and change prettierignore file and pyproject REVERT:47afdc88e
Merge pull request #347 from TheophileDiot/1.5 REVERT:01bb6f5e6
Stop converting the files content to base64 when sending them to front REVERT:c35874797
Return dumps of settings instead of the dict REVERT:a8f27ccb1
Merge pull request #346 from TheophileDiot/1.5 REVERT:edce79936
Update the structure and the paths REVERT:04578aab3
Changing path Linux folder REVERT:5ae714fc7
Merge pull request #344 from TheophileDiot/1.5 REVERT:f65a4cdd6
Small tweaks on the UI + edit the ConfigFiles edits REVERT:06aa73fcf
Merge pull request #343 from TheophileDiot/1.5 REVERT:0811aad7f
Edit scheduler and change DB REVERT:858f6e00f
Change python version REVERT:b279d0240
Fix BunkerWeb gen on start REVERT:ef7fa5b4f
Merge pull request #342 from TheophileDiot/1.5 REVERT:11bcd9824
Merge branch '1.5' into 1.5 REVERT:bacef768c
Add integration manually in bunkerweb REVERT:5ec179aff
The UI get the custom configs from the database REVERT:0e6a5f3f9
Merge pull request #341 from TheophileDiot/1.5 REVERT:eec00ba2b
Update the Database and make it easier to gen REVERT:479b556fb
Merge pull request #340 from TheophileDiot/1.5 REVERT:375776e7d
Fix UI path_to_dict with the cache files REVERT:df62fd410
Merge pull request #339 from TheophileDiot/1.5 REVERT:1f58d0c51
Edit dockerfiles REVERT:6c07f9967
Merge pull request #338 from TheophileDiot/1.5 REVERT:069b45f37
Add some tweaks REVERT:850530cd0
Merge pull request #337 from TheophileDiot/1.5 REVERT:01b414552
Make the Database support every feature + updates REVERT:a12d013fc
Merge pull request #334 from TheophileDiot/1.5 REVERT:5f8353c11
Adapt everything so that the UI can work with every integration (some more tests are needed) REVERT:fe8962592
Merge pull request #333 from TheophileDiot/1.5 REVERT:66fb266f8
Centralize Database and optimize requests REVERT:7a03ed33f
Update pip in Dockerfiles every time REVERT:b09c05d3b
Update BunkerWeb deps REVERT:9c02d5f9e
Merge pull request #330 from TheophileDiot/1.5 REVERT:7d743e198
Update the database and the core plugins accordingly REVERT:ce6f01cf0
Merge pull request #329 from TheophileDiot/1.5 REVERT:9140dc324
Optimize Database connection and ApiCaller REVERT:81307c82c
Merge pull request #328 from TheophileDiot/1.5 REVERT:0edef7c52
Use Python 3.11 where we can REVERT:fe774e000
temp nginx is dead, long live to the IS_LOADING setting REVERT:0bf402fd7
Merge pull request #327 from TheophileDiot/1.5 REVERT:48242b9a3
Get all config with generator REVERT:0b73ea856
Merge pull request #326 from TheophileDiot/1.5 REVERT:09378458d
db.get_config() get entire config and doesn't filter anymore REVERT:100849023
Merge pull request #325 from TheophileDiot/1.5 REVERT:8b54762fc
Fix db init with autoconf REVERT:cfaeb1013
Merge pull request #324 from TheophileDiot/1.5 REVERT:7e53bfe55
Fix gen for Docker integration REVERT:54530d535
Merge pull request #323 from TheophileDiot/1.5 REVERT:79eea0e99
Linting + starting to migrate bunkerweb to the 1.5 REVERT:316b84ad3
Merge pull request #318 from TheophileDiot/Feature-specific-order-for-plugins REVERT:ba56c9f55
Merge pull request #317 from TheophileDiot/Fix-scheduler-error-reload-nginx-linux REVERT:a8f79e58f
Merge pull request #303 from TheophileDiot/Fix-custom-conf-disappearing REVERT:b2a7e053b
Merge pull request #314 from TheophileDiot/Feature-blacklist-ignore REVERT:96e656273
fix indent REVERT:01cecf14e
Merge pull request #313 from TheophileDiot/Feature-max-client-size-edit-modsec REVERT:873ccad9b
Add MODSECURITY_SEC_RULE_ENGINE and MODSECURITY_SEC_AUDIT_LOG_PARTS (#292) REVERT:97bf473e1
deps - add update checker for deps (#293) REVERT:5af2fb778
Complex example using autoconf (#271) REVERT:bd4c94e83
Add specific order for core plugins and check them REVERT:a96a8a8c2
Fix incorrect message while reloading nginx + more details on error REVERT:446ff93a4
Add ignore blacklist feature REVERT:5fdcc9e58
add g/G to the available file measurement units REVERT:d207aa4bf
Variable MAX_CLIENT_SIZE change the SecRequestBodyLimit value REVERT:57ad9d7ee
Fix old custom configs that were never deleted REVERT:7860aeab9
Merge pull request #312 from TheophileDiot/dev REVERT:cac220023
Fix small typo in autoconf integration REVERT:5d9dc88cc
Merge pull request #307 from TheophileDiot/Restrict-access-IP-NET REVERT:40863f28a
Merge branch 'dev' into Restrict-access-IP-NET REVERT:67d514b53
Merge branch 'master' into dev REVERT:51e96416d
Merge pull request #304 from TheophileDiot/Fix-Endless-loading-after-update-service REVERT:ace1dfca2
Merge pull request #308 from TheophileDiot/Fix-doc REVERT:b9e5badd9
Fix last typos REVERT:a9865f850
Fix typo in plugins.md REVERT:e3d0120a0
Fix minor typos in the doc REVERT:9214bb939
Merge pull request #309 from TheophileDiot/Fix-flask-dev REVERT:80c1b225b
Replace flask development server with gunicorn REVERT:de0954fac
Fix typos in the docs REVERT:27b4ff330
Add the greylisting feature REVERT:06f65ffe2
Change the exposed port to 7000 REVERT:b0a887a15
Fix errors and warnings when editing a service REVERT:803ff8cb5
Fix CUSTOM_CONF_SERVER_HTTP disappearing after 60 minutes (autoconf) REVERT:94ce249d7
[#290] Fix typos in docs REVERT:478e98018
ci/cd - temp disable k8s test REVERT:8f44e108b
ci/cd - add docker system prune REVERT:72caf907a
ci/cd - temp disable swarm tests REVERT:01acb1cf3
ci/cd - temp disable nextcloud/swarm REVERT:fc3c7892d
ci/cd - add missing prepare for prod tests REVERT:2a04a5642
ci/cd - update ruby version for CentOS builder REVERT:6afdb298f
lua - fix pcall for asn/country mmdb lookup REVERT:04019a617
tests - fix nextcloud/swarm REVERT:34649bf33
docs - add Ansible to README REVERT:469a5343e
ci/cd - remove old linux packages before building REVERT:4244399eb
road to v1.4.3 🚀 REVERT:66029a316
tests - edit prod workflow REVERT:d0c245ba8
tests - fix bug when testing if a swarm stack is healthy REVERT:5633d5ff5
tests - remove mongo-express/swarm REVERT:61d57b4eb
tests - fix mongo-express/swarm REVERT:76f035e21
fix wrong DENY_HTTP_STATUS setting in docs, fix autoconf ghost/prestashop tests and some UI warns/errors REVERT:b35dbdffc
tests - fix ghost/docker REVERT:7e226301d
tests - fix prestashop/docker REVERT:8f273a929
ci/cd - fix missing comment chars REVERT:45f4e06ac
road to v1.4.3 REVERT:7fe58ddd5
tests - disable systemd start limit REVERT:561e64a89
tests - road to debian REVERT:29933fdeb
tests - add unzip package to linux container REVERT:7915da6df
docker - fix CVE-2022-3209 REVERT:d8f6c2756
tests - fix configs perms for linux REVERT:cb56e7d04
tests - add chown for custom linux configs REVERT:e84734314
tests - fix linux/drupal (again) REVERT:4caae414d
tests - fix linux/drupal REVERT:8a23b96bf
tests - disable linux/moodle REVERT:a4fd701d5
tests - temp disable linux/proxy-protocol REVERT:39ed524f0
tests - add missing variables.env for moodle/linux REVERT:d0e3f3ae2
tests - call cleanup-linux.sh REVERT:b0fa57b05
tests - replace restart with stop+start for linux tests REVERT:ec1136085
tests - print logs when setup_test fails REVERT:3be348ebe
tests - add haproxy cleanup for linux tests REVERT:884ca0f6d
tests - add missing variables.env files for linux REVERT:e4321629f
tests - road to linux tests 🚀 REVERT:c277a33e9
tests - add missing which command for fedora REVERT:512c60c51
tests - add some debug info when linux/setup fail REVERT:e64cc29a8
tests - create /run/php folder for rpm linux distros REVERT:42d29743b
linux - fix 755 perm on /opt/bunkerweb REVERT:505d5c2ae
tests - fix behind-reverse-proxy/linux REVERT:70992a0b5
tests - fix haproxy logging again REVERT:7e5465c59
tests - fix haproxy logging again REVERT:f5606b693
tests - fix haproxy directive REVERT:265742cd9
tests - haproxy add logs REVERT:0580662cc
linux - copy current variables.env to make temp one REVERT:8e15e2a40
linux - set /opt/bunkerweb permissions to 755 REVERT:17801caeb
temp disable arm REVERT:552588adf
temp disable arm REVERT:5849c66e6
tests - fix www.conf REVERT:052dc2346
tests - increase php logs verbosity for linux tests REVERT:331c7e954
tests - add debug log file for PHP REVERT:f71ad0f65
php - fix fastcgi_params path REVERT:34c648830
trying to fix PHP bug in Linux REVERT:5c99a4b0e
refactor linux/start.sh and fix tests/cors www copy REVERT:eb6f0d673
tests - fix purging wrong folder for linux tests REVERT:6ea38b1f7
bunkernet - fix wrong import in register job REVERT:b5c07dda0
tests - add cleanup for linux tests REVERT:17b6b0fdc
tests - fix PHP www.conf for Linux REVERT:512ed7200
tests - add cors/linux REVERT:d8071e4c4
tests - install php-fpm REVERT:790fa37ae
tests - fix behind-reverse-proxy/linux REVERT:6005a8f73
tests - fix behind-reverse-proxy/linux again and again REVERT:09f56a1c6
tests - fix behind-reverse-proxy/linux again REVERT:0c4d2edf1
tests - fix behind-reverse-proxy/linux REVERT:d53c54d4b
tests - add behind-reverse-proxy/linux REVERT:093d426bc
better management of registration with BunkerNet and fix syntax error in LinuxTest REVERT:3762c3874
tests - copy variables.env for Linux tests REVERT:55525abf1
tests - fix mattermost/k8s REVERT:23f8ec957
UI - fix container CVEs REVERT:a38ca5138
docker - dont generate config if already present REVERT:e92938f00
autoconf - fix container CVEs REVERT:c2ad79a79
Docker - fix CVE-2022-37434 REVERT:8eefb4bf5
examples - fix mattermost/k8s REVERT:6d1ef606f
examples - fix nextcloud/k8s REVERT:95c4ce723
enable bad behavior on default server and various k8s fixes REVERT:e295b020e
tests - increase redmine timeout and add pvc cleanups REVERT:1e499db50
examples - fix gogs/k8s REVERT:a64276136
disable bad behavior if client is whitelisted and fix redmine/reverse-proxy-multisite examples REVERT:115d517c7
tests - add delays REVERT:7c1474cd8
examples - fix moodle/k8s port number REVERT:305870cc2
examples - edit moodle/k8s port number REVERT:3df0f8505
tests - add delay to moodle REVERT:897528b73
tests - fix magento/k8s again REVERT:4f4c446f7
examples - fix magento/k8s again REVERT:69848dccc
examples - fix magento/k8s REVERT:0516f0a83
tests - assign bunkerweb-controller to srv1 REVERT:41524a9e3
tests - force pv REVERT:0d44b098f
tests - fix prestashop URL REVERT:0e315dc5f
tests - edit prestashopHost value REVERT:5741391de
tests - change k8s service type of prestashop to clusterip REVERT:6adff9ceb
tests - increase timeout and remove pvc for prestashop/k8s REVERT:97a2caf06
tests - fix Kubernetes missing variable assign REVERT:865f4f1b5
tests - fix prestashop/kubernetes REVERT:e8305b0b6
tests - fix missing prestashop/kubernetes.yml REVERT:840b875f7
docs - edit plugins page REVERT:978bbe9ca
examples - fix missing configs subfolder in nextcloud/bw-data REVERT:502c9f2fe
examples - fix radarr/swarm REVERT:1c4f8bf55
tests - automatic volumes prune for swarm tests REVERT:b6e2ad22a
tests - fix joomla/swarm REVERT:216686fc8
tests - add delay parameter REVERT:d648b1fbe
tests - increase magento timeout REVERT:d3b725294
tests - wait until swarm services are running REVERT:a48200bc0
examples - fix reverse-proxy-singlesite/swarm REVERT:b429dd804
tests - increase timeout for swarm healthy check REVERT:0440c61d0
examples - fix gogs/swarm REVERT:ae36b9899
docs - quick edit on PHP REVERT:9a83fadd8
examples - fix gogs/setup.swarm.sh permissions REVERT:09141f204
examples - fix magento/swarm REVERT:edf5421bf
examples - fix permissions for magento/setup-swarm.sh REVERT:c67564c7c
tests - increase timeout when doing requests REVERT:b07637009
examples - fix mongo-express/swarm REVERT:ec35b0a54
examples - fix mattermost/autoconf REVERT:95e3022eb
examples - fix autoconf/reverse-proxy-singlesite REVERT:d63538fd5
examples - fix wordpress custom conf variable name for docker/autoconf REVERT:e01b24072
tests - ignore error when replacing patterns in files (binary files) REVERT:217924fe4
examples - fix reverse-proxy-singlesite regex REVERT:bb6d02e0f
examples - escape dollars in reverse-proxy-singlesite compose files REVERT:5c42fb58d
tests - fix reverse-proxy-singlesite REVERT:2f8c5a1e9
examples - fix host for reverse-proxy-multisite REVERT:af866e825
edit docs/integrations for ansible and fix examples/mongo-express compose file REVERT:e90d4cc7e
tests - fix json for reverse-proxy-multisite REVERT:70ac3c01b
tests - fix missing arg no_copy_container REVERT:07a962466
tests - inline configs for docker/autoconf REVERT:87c57c67c
tests - refactoring on the road, still needs some work REVERT:8fb03a317
tests - on the road of refactoring REVERT:dc8570ca8
tests - add status type REVERT:151378570
tests - refactor mattermost example REVERT:4e7d795ea
tests - support custom cleanup-kubernetes.sh script and refactor some k8s tests with helm charts REVERT:cc9d228ab
update compose version to 3.3 for swarm examples so config directive is supported REVERT:181957147
remove trailing space in DockerController and add missing bunkerweb prefix for autoconf-configs example REVERT:324feb593
autoconf - fix missing configs update for DockerController REVERT:22398d567
cors - fix typos in autoconf.yml REVERT:5119c8da7
gogs - missing setting for autoconf REVERT:0fca93e3e
tests - sleep 30s between autoconf tests REVERT:17e14f4d5
tests - fix wildcard with sudo REVERT:3a46d318e
tests - remove only content of subfolders REVERT:4eff0c3f9
tests - fix behind reverse proxy url REVERT:bf58a17b8
gogs - add setup-docker REVERT:08d8bc880
tests - remove whole subfolders in bw-data REVERT:b38f7c54e
tests - add kubernetes-configs and fix missing s in urls REVERT:06f7fb096
tests - fix docker-configs (again) REVERT:b7101eb47
tests - fix docker-configs REVERT:a08b51bd0
tests - fix gogs expected string REVERT:b2bcfb8c7
tests - fix hardened expected string REVERT:d3014b42f
examples - refactoring in progress REVERT:7eae49719
tests - prevent default rate limit REVERT:be21b3933
tests - fix sudo cp again REVERT:7bb881aa3
tests - fix rename REVERT:a607bd67c
tests - replace python cp with sudo cp REVERT:6d06a32cc
tests - list example_data as root REVERT:c5526ef2f
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:75b2ae868
tests - fix example_data path for docker REVERT:72965e230
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:201e2cf0f
Correction logs Linux REVERT:203397444
tests - init cors and fix example_data path for autoconf REVERT:d8c8ceab3
tests - fix LinuxTest setup and init work on integrating examples with the new test system REVERT:c02d888b3
examples - rename setup scripts for drupal REVERT:9a9f9ebf3
examples - fix linux-setup.sh for drupal REVERT:6e381ee02
tests - disable copying bw-data files for k8s and swarm tests REVERT:0ee09d47d
tests - force removing directories with AutoconfTest REVERT:da2f6cb4f
tests - force removing directories with DockerTest REVERT:d1d2e51a3
cleanup tests directory and init tests refactoring for drupal REVERT:c14b08faa
examples - edit authelia configuration.yml file for Linux integration REVERT:80fee58e4
bunkernet - add default api server in jobs REVERT:37690a7a4
configs - enable default server if TEMP_NGINX is set REVERT:b3fdd109a
linux - fix wrong variables.env path when running jobs once REVERT:193449512
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:f5ede7897
examples - fix authelia variables.env REVERT:767a7ab31
Adjustments doc Ansible/Linux REVERT:81b370366
wait until Linux test container is initialized and fix variables.env for authelia REVERT:44fbf0315
authelia - extract tarball to tmp REVERT:02db54ce0
examples - follow redirect when downloading authelia for linux REVERT:14d61854e
add sudo to linux dependencies and curl to linux test images REVERT:6f35561fa
tests - fix cp and end_fun for LinuxTest REVERT:2505bc015
tests - add linux to authelia kinds REVERT:b1df38374
tests - temp enable docker REVERT:410212b15
tests - run docker cp in a shell REVERT:f2ac7bca7
tests - fix typo in LinuxTest REVERT:a0948923e
tests - copy local files for Linux tests REVERT:458ebe07f
tests - dynamically find deb/rpm name REVERT:2205043e7
tests - fix LinuxTest.docker_exec() REVERT:d370f1b05
tests - add missing chmod import to LinuxTest REVERT:bf6dd93aa
tests - replace rmdir with rmtree for LinuxTest REVERT:773517311
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:850a8057c
ignore CVE-2022-30065 until we have a fix REVERT:e6271ccd6
Final proofreading FPM REVERT:f0ddb8328
docker - fix CVE-2022-30065 for autoconf REVERT:f260bcf23
Small adjustments REVERT:fa319ec10
tests - fix argv len check REVERT:029406453
tests - fix typo in LinuxTest REVERT:f47ab0adc
tests - integrated LinuxTest REVERT:eca010231
FPM Linux/Ansible Doc REVERT:4d61e96e4
tests - LinuxTest on the road REVERT:c9c730346
tests - fix linux.sh REVERT:58a82ddcd
tests - copy Linux packages to local directory REVERT:8062d043c
tests - fix Linux dockerfile path REVERT:0a09f8a75
fix CVE-2022-29458 REVERT:bb425bc36
tests - init work on Linux tests REVERT:aa729daeb
examples - remove double $ from kubernetes authelia REVERT:7edd55544
fix k8s example for authelia and ignore error code when doing debug_fail for k8s tests REVERT:0fd77a809
examples - fix typo in kubernetes authelia REVERT:720f36f47
tests - init kubernetes refactoring REVERT:ea98b453d
tests - use unique domains for swarm tests REVERT:4bd0129e4
tests - also edit root domain REVERT:6e47b2991
tests - add sleep in the end of SwarmTest.init() REVERT:abc500a4d
tests - fix domains for SwarmTest REVERT:378047794
examples - fix authelia swarm compose version REVERT:4a5e50005
fix typo in SwarmTest and fix authelia swarm example REVERT:3b73c50c3
tests - ignore docker stack ps return code REVERT:ba6fddb56
tests - init swarm refactoring REVERT:9ecd2bd98
examples - add missing network aliases to authelia autoconf REVERT:7bbf77b7a
fix authelia autoconf example and debug fail before cleaning tests REVERT:f02fe1ed9
tests - remove only subdirectory on new tests and add cleanup when test failed REVERT:0383cadd6
tests - fix compose filename for autoconf tests REVERT:aeba0ba72
tests - add missing AutoconfTest object REVERT:67608a463
tests - add missing decode REVERT:8b3b1291c
tests - from replace/rename functions to class method REVERT:1c5c81d2c
tests - add missing import REVERT:fa2d52d80
tests - remove useless log and return boolean from Test.end REVERT:68bf5ef85
tests - remove wrong cleanup call REVERT:424b37bec
tests - change permissions as root REVERT:2780ee190
tests - add debug_fail function REVERT:07b0bb38d
docker - fix CVE-2022-29187 for ui and autoconf REVERT:b47c2696e
docker - fix CVE-2022-29187 REVERT:fdb8ca3ca
tests - replace internal _log with logger.log REVERT:eb59a9377
tests - init refactoring for autoconf REVERT:2e0542dbb
tests - ignore case when performing test REVERT:0a996bf12
tests - replace match with search REVERT:48a6ba632
tests - fix rm command REVERT:991ddb9eb
tests - remove file as root REVERT:1e1d7d7f1
tests - replace variable typo in get request REVERT:ebc94f515
tests - add missing char when replacing Docker volumes REVERT:e4f6017d6
tests - replace example domains with test domains REVERT:dfc5f2e79
tests - export runner env REVERT:c07f85a42
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:ab57be657
tests - fix missing copytree import and self parameter REVERT:5f79aea4b
fpm single/multiple docker&autoconf REVERT:cc760a646
tests - fix datetime import again REVERT:db2c35cb3
tests - fix datetime import REVERT:28f1b4f73
tests - rename variable REVERT:e1183a0d4
fix tests.json for authelia and exit when test exception occurs REVERT:16573a397
tests - do not run as root REVERT:de8cee491
tests - add missing imports REVERT:56afbd457
tests - run as root REVERT:590ad46cd
tests - fix missing chmod import and Test.init log call REVERT:8d580bc16
tests - fix missing Test import REVERT:a91fc7307
tests - fix indent and isfile import REVERT:773a37d45
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:b64af8526
tests - DockerTest on the road REVERT:0d3e1e2a1
Update the plugins docs REVERT:85217b57c
Fix a typo in the plugin page in the docs REVERT:ba75154d0
Add url_for function to custom plugins templates REVERT:c055ec7ec
Fix duplication in plugins REVERT:2c4efe9d0
Add Plugin Pages feature REVERT:795dfc077
Add static map files REVERT:8b4b3f3b0
ansible docs REVERT:2e4758e94
tests - DockerTest improvement REVERT:c155227ec
tests - init work on refactoring REVERT:dde185141
tests - increase timeout for magento REVERT:e62523d1d
lua - use pcall with mmdb functions REVERT:658ab7504
docs - add ansible diagram REVERT:8d6397a6b
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:f5c86cc4e
examples - add cors example REVERT:8760110fb
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:cc4f0b26a
Quickstart Ansible and integration REVERT:7b769361a
cors - init work on core plugin for CORS REVERT:97e607110
linux - rename bunkerweb-ui.env to ui.env REVERT:c3ee7929b
docs - change target of the web UI demo link to blank REVERT:969a1e5d7
Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev REVERT:5bf59c85d
docs - replace web UI gif with YT video REVERT:430f665cd
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev REVERT:5be21f9bf
Adding www folder REVERT:afdd4de5a
fix regex checks with *_CUSTOM_CONF_* setting, add doc about DENY_STATUS_CODE REVERT:5586b3733
misc - add DENY_HTTP_STATUS setting (403 or 444) REVERT:90e58f261
fix ui.env path for Linux integration and add docs for autoconf with rootless docker REVERT:a00607af2
docs - add instructions for podman REVERT:e880b7d59
docs - add infos about Docker in rootless mode REVERT:fc925ccb1
edit docs typo for UI and variable typo in autoconf REVERT:571422131
ui - fix CVE-2022-2097 REVERT:287e763e0
autoconf - fix CVE-2022-2097 REVERT:89f81140a
container - fix CVE-2022-2097 (again) REVERT:a5c98f709
container - fix CVE-2022-2097 REVERT:429214727
tests - fix data folder permissions (again) REVERT:6b1c5a93e
tests - fix data folder permissions REVERT:fb85d1d2d
autoconf - fix typo in variable REVERT:fdcbc8d36
custom conf - fix wrong path with multisite configs REVERT:b2bb93bcf
examples - fix docker-configs again REVERT:2b59086f6
examples - fix docker-configs REVERT:e09d4901e
containers - fix regex for *^CUSTOM_CONF_* REVERT:3594618e4
examples - fix typo in docker-configs (again) REVERT:e44311281
examples - fix typo in docker-configs REVERT:738e3b6e1
containers - use python hack to get env var values from string REVERT:5ac80a135
containers - replace compgen command with a python hack because compgen -e does not display var with dots REVERT:8f258486e
fix multiple CVE with curl/libcurl and add autoconf/docker CUSTOM_CONF configs examples REVERT:2dc18a794
autoconf - support both configs from files and autoconf REVERT:e0a700506
autoconf - init support of custom variables using labels REVERT:385b7c413
docs - add docs for custom config using labels REVERT:e25babe3d
custom conf - docker REVERT:a5457a164
custom conf - init setting support REVERT:0a1e8be71
examples - add missing setup.sh for mattermost REVERT:70c60f2a9
tests - add mattermost and radarr REVERT:f2dfb0172
examples - edit mattermost and add radarr REVERT:1a8eef2c8
fix autoconf import for IngressController and init work on mattermost example REVERT:cb106a112
autoconf - fix indent in IngressController REVERT:492648eeb
autoconf - fix 410 exceptions (k8s) REVERT:1425ad0b4
docs - update settings list REVERT:f7290b2c7
v1.4.2 release REVERT:c0a8a356c
linux - include bwcli in /usr/local/bin REVERT:40007b086
add slack to official plugins and init work on EXTERNAL_PLUGIN_URLS setting REVERT:6478512e4
scheduler - only send /data folder if apis are present REVERT:7aa6852d3
autoconf - fix missing scheduler in autoconf mode and missing apis list REVERT:7bba81b16
autoconf - fix wrong variable name for environment REVERT:5cb61380d
autoconf - add missing call to ConfigCaller constructor REVERT:b2758cea7
autoconf - init work on _get_static_services method REVERT:a18d77aee
autoconf - init work on static server configs as env var REVERT:4a699ef6c
fix missing local Linux images import in ci/cd, and fix bug related to jobs in Linux integration REVERT:5690a58ab
fix IFS checking permissions REVERT:e55928a37
fix bwcli commands when using Linux integration REVERT:0f2388b1f
fix permissions check when file has space in the name REVERT:2b43a9cbf
Merge branch 'dev' of https://github.com/bunkerity/bunkerized-nginx into dev REVERT:5ecf39ee0
Fix web-ui example with X-Script-Name REVERT:ad091493c
examples - add various certbot-dns examples REVERT:a65606c36
examples - add certbot-dns-ovh REVERT:cd0d70b8f
cache dev Linux images in ci/cd and disable site config generation for autoconf/swarm/k8s REVERT:e21a35017
plugins - support log_default() hook, same as log() but for default server REVERT:c563731e8
autoconf - fix overwrite configs file when using Docker autoconf REVERT:3c417d2ff
linux - fix fedora NGINX version in Dockerfile, fix missing arg when building DEB/RPM and force NGINX version DEB deps REVERT:970082f92
linux - force NGINX version in RPM deps REVERT:4a2504c3b
reflect ci/cd changes to dev REVERT:fd0c7b1e5
ci/cd - add automatic build for Linux images REVERT:1e6d62ce7
fix packagecloud yank name REVERT:1a4e21481
docs - edit supported architectures for prebuilt Docker images REVERT:bcaca6f03
v1.4.1 release REVERT:424214fd5
add changelog and add missing s in authentik url REVERT:82b42d5b9
Merge pull request #259 from Brawdunoir/master REVERT:db4e2cf26
update linux docs, minor fix in ingress example and update default value for bunkernet job REVERT:0ef82619b
temp disable automatic tests for authentik and test automatic arm build on dedicated hardware REVERT:f2655e331
remove arm build again, fix proxy_*_timeout directives and add authelia example REVERT:d51ae1c1b
Remove USE_ before authbasic plugin settings REVERT:cd0438b8c
support REVERSE_PROXY_*_TIMEOUT settings, remove useless push in CI/CD and try to build arm on GH runners REVERT:f9a042526
add docs about compiling BW from source on Linux, add docs about packages pinning on Linux and fix regex for REVERSE_PROXY_AUTH_REQUEST and REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL REVERT:15ac64b05
let's encrypt - fix bug when AUTOCONF_MODE=yes REVERT:e0f8895e9
init support for auth_request and add authentik example REVERT:e85229835
don't send local IP to BunkerNet on default server, fix certbot new when MULTISITE=no and fix unknown reason in get_reason REVERT:972a284ef
docker - drop support for prebuilt arm images REVERT:5258d8e58
docs - edit linux install procedure REVERT:acb4bea97
reflect CI/CD changes for master pushes REVERT:42067e864
GHA - temp disable armv7 build until we have a fix for cryptography dependency REVERT:217bddabf
GHA - different caches for armv7 and armv8 images REVERT:c5fba1367
fix GHA typos REVERT:1b21f9eac
fix UI tag in GHA jobs REVERT:389e05094
fix links in docs and change cache location for GHA jobs REVERT:05a89c303
fix registry URL in GHA jobs REVERT:a0ed8a27e
add debug flag to GHA buildx steps REVERT:d0ac5e305
update GHA actions version REVERT:b16f8f11a
update GHA actions version REVERT:a23ed06e6
fix typo in GHA jobs REVERT:6b9be078b
refactoring of GHA jobs REVERT:8e198ed82
linux - fix documentation link in systemd unit files REVERT:c3b527afe
actions - fix RPMs path REVERT:972e5471d
actions - fix linux deb/rpm generation REVERT:b246c6d7e
fix wrong branch name in actions and image name for linux tests REVERT:b78fd5542
fix freetype CVE REVERT:945241339
actions - rename main branch to master REVERT:1af2264fa
temp stop push to private repo REVERT:6f28708c1
docs - add missing setting REVERT:a9f886804
bunkerweb 1.4.0 REVERT:3a078326c
Merge pull request #199 from Myzel394/patch-1 REVERT:d43b82b75
remote API - only do action if 403 REVERT:3850cacb9
prepare for v1.3.2 REVERT:c00c7f46a
lua - verify certs when doing HTTPS requests REVERT:163af4a49
prepare for v1.3.2 REVERT:98e85eb99
docs - update security tuning sections : distributed blacklist and request limit REVERT:2e63bb025
docs - reflect kubernetes/swarm changes into the doc REVERT:6546a0edb
disable country ban if IP is local, update default values of PERMISSIONS_POLICY and FEATURE_POLICY, upgrade archlinux packages before testing REVERT:ab0038174
ui - fix ROOT_FOLDER bug in serve-files.conf REVERT:9f7097de0
request limit - fix some LUA code REVERT:24d6337a5
limit req - multiple url support REVERT:bfb5319c1
limit req - add burst and delay parameters REVERT:4c77a1482
use annotations as env var in Ingress definition, fix cidr parsing for reserved ips, fix missing empty when job is external, fix ping check for remote api and init work hour/day support for request limit REVERT:4e45fa387
integrations - acme without shared folder when using k8s/swarm REVERT:a9a26b82d
fixed typo REVERT:00d91dcaa
jobs - move certbot hooks to python REVERT:650ad7ea4
integrations - fix missing acme folder when using Swarm or Kubernetes REVERT:7045c0c2b
jobs - fix encoding error on CentOS REVERT:f0f432487
remote API - ban IP from distributed DB REVERT:fdc02be05
remote API - basic send of bad IPs REVERT:fb799765a
jobs - fix str/bytes hell REVERT:d53f02b5b
api - client side (untested) REVERT:7b9722fac
jobs - add remote API REVERT:31ed4ff83
centos - update ca-certificates in install script REVERT:bc5f3ee88
fix CVEs and add init to Debian test image REVERT:a6b21aae8
fix typo in settings.json, bump Debian to bullseye, init support of Arch Linux REVERT:64aa9c253
init work remote API REVERT:5d94cc8f4
docs - init changes about storageless REVERT:e7ee21cbb
antibot - fix path for templates and data REVERT:a0f8cbdac
antibot - fix LUA typo in recaptcha mode REVERT:178d7a684
Merge pull request #182 from Nakinox/patch-2 REVERT:ca81535bb
swarm/k8s - less storage, more API REVERT:062fa3e78
integration - continue work on storageless config for k8s and swarm REVERT:95f2d2af9
Update docker-compose.yml REVERT:e55dff812
api - init work on storageless configuration REVERT:f0f1c79d4
v1.3.1 release REVERT:3d2f5e238
conf - add REVERSE_PROXY_KEEPALIVE REVERT:b079c99fb
Merge branch 'patch-15' of github.com:thelittlefireman/bunkerized-nginx into keepalive REVERT:2e403c6eb
config - add CUSTOM_HEADER REVERT:f75a05584
config - add REVERSE_PROXY_BUFFERING REVERT:148edf681
tests - add github token to trivy scanner REVERT:a19d8aa04
Merge pull request #180 from vepito/vepito-patch-1 REVERT:480cff86b
Merge pull request #179 from thelittlefireman/patch-16 REVERT:35df3423d
missing blank line REVERT:29f4069de
switch the use cases REVERT:72e438459
Fix typo related to non-HTTP configuration REVERT:a4a264773
jobs - fix docker reload and only do cron jobs when necessary REVERT:892e53369
Mismatch in docs with modsec folder REVERT:a05614160
deps - use ModSecurity v3.0.4 instead of v3.0.5 to avoid memory leak REVERT:0772a9ba8
docs - edit badge version REVERT:33e0ffd5b
Merge branch 'master' into dev REVERT:4cb3e089e
linux - git SHA1 commit in install.sh REVERT:8808f161c
docs - dev to master links and VERSION upgrade REVERT:1c60ec980
tests - fix volume wait with linux tests REVERT:b13ff3456
add REDIRECT_TO_REQUEST_URI variable and edit environment variables docs REVERT:58f2926e9
docs - various examples fixes REVERT:9de628f3e
Missing proxy_set_header for keep alive REVERT:6cc1abc89
Allow keep alive connection when ws is off REVERT:a824e1568
linux - rename cron REVERT:fd52bb7c8
linux - fix cron jobs REVERT:0938b20eb
UI - use sudo for Linux integration REVERT:b948e08bd
UI - use systemctl on Linux REVERT:fde14d162
linux - fix unknown scheme error and do nginx reload as root in UI REVERT:8a4eb3f2a
remove .site files (gen), uninstall remove folder at the end (linux) and run jobs when reloading local instances (UI) REVERT:2a0b84074
ui - fix bug when Docker is used but Swarm is disabled, add jobs from API /reload and fix docker-compose doc REVERT:aec22d1a8
ui - edit docs and fix CSRF REVERT:028fc61b4
docs - add dns_resolvers and permissions to Linux REVERT:a903960b4
docs - fix missing subfolder in Linux quickstart guide REVERT:a28f06f08
linux - run temp nginx to solve let's encrypt challenges REVERT:6c8bc6b34
tests - fix Linux systemd bug when writing to /tmp folder REVERT:2b3b4a5c3
linux - systemd support REVERT:57e4247ea
linux - systemd unit file REVERT:f9d4e9089
docs - edit k8s php service port and append suffix to hosts REVERT:4f024ec56
docs - add DNS_RESOLVERS for k8s integration REVERT:bc46fc3d4
append suffix to ingress hosts REVERT:0be1da18a
remove old conf before generation, dynamic DNS for PHP and reverse proxy and swarm fixes in quickstart guide REVERT:3cedc0ae1
quickstart guide fixes REVERT:f1d5c07cc
autoconf - various kubernetes fixes REVERT:c9a6b6c27
autoconf - fixed infinite lock REVERT:b199464a7
various bug fixes related to Swarm integration REVERT:4a9d64d9d
add favicon to web UI and fix some tech docs REVERT:31536a3fe
linux - reload as root REVERT:7b47c7304
examples - minor fixes in architecture images REVERT:83e7ce9cd
examples - polishing before next release REVERT:0ad5159a3
docs - add changelog for next version REVERT:6240d8e28
ui - read variables.env when Linux is used REVERT:2f80f64dd
docs - last polish REVERT:e98da9b63
docs polishing and fix install.sh gpg --verify REVERT:d9f770696
docs - web UI REVERT:75f299978
docs - special folders REVERT:ef34b2cec
docs quickstart / multisite REVERT:9b9110214
docs - quickstart guide / php REVERT:9e2a8070e
docs - quickstart guide / reverse proxy REVERT:733136ac1
docs - init quickstart REVERT:fa172ce5a
docs - linux integration REVERT:f6a9184ae
docs - k8s integration REVERT:d37dc2b62
docs - swarm integration REVERT:f7c115edf
docs - add autoconf doc to Docker section REVERT:dfbb09136
docs - init integrations/Docker REVERT:8e4a65fec
fix global.env generation and add web UI gif to README REVERT:0573ba7b5
ui - centering things without breaking sticky navbar and menu REVERT:bcd421de0
ui - various bug fixes more or less related to UI REVERT:2ec28c79c
docs - fix README toc REVERT:fec60a4b1
ui - minor styling fixes REVERT:dd7d1a2c7
ui - fix example, subpath behind reverse proxy and add socket proxy rights for swarm REVERT:0c1883472
docs - edit kubernetes overview image and add configuration section on the readme REVERT:4e6eab794
docs - fix wrong swarm image REVERT:b23135b66
docs - add docker and kubernetes images REVERT:ace9be397
docs - add autoconf and swarm images REVERT:8958e5107
docs - add overview image REVERT:b2cfc15c2
security - add security policy REVERT:94bef079a
examples - add architecture images REVERT:50266c228
examples - add the last missing README.md stubs REVERT:22e2fe869
examples improvement - added some README.md stubs REVERT:55186bbef
examples improvement - hardened, joomla, kubernetes, load-balancer and moodle REVERT:d8286ced7
examples improvement - certbot cloudflare and wildcard, clamav, crowdsec, ghost and gogs REVERT:44de2253d
examples improvement - traefik alternative, autoconf reverse proxy and basic website REVERT:6d73fbded
examples - update authelia and autoconf-php REVERT:b6809266a
autoconf - let's encrypt support for ingress controller REVERT:4e178b474
autoconf - basic ingress controller support for kubernetes REVERT:021147f9d
autoconf - fix wait and redis REVERT:5a26d06c8
autoconf - fix infinite lock and honor DOCKER_HOST env var REVERT:bc01427de
ignore CVE-2021-36159 and redirect job logs as root when using autoconf REVERT:652614f41
autoconf - use DNS for Swarm instances discovery REVERT:24d9cce82
autoconf - various bug fixes in Swarm mode REVERT:f866ef632
autoconf - minor fixes, prepare Swarm testing REVERT:1a32e7c02
autoconf - various bug fixes with DockerController REVERT:7180378d0
autoconf - init Config refactoring REVERT:6e66571fb
various cleaning REVERT:f44e41ced
jobs - lock and reload management REVERT:26db144df
autoconf refactoring and fix CVE-2021-36159 REVERT:a68ad53c3
autoconf - controller classes REVERT:01bba1d3f
autoconf - init refactoring before k8s integration REVERT:059707443
k8s - init work on parsing ingress rules, helpers to setup on k8s, basic examples REVERT:bc3c17a2f
examples - init k8s example REVERT:556836b49
autoconf - init annotations parser for k8s REVERT:22612f175
minor edit on Linux tests and init work on k8s API REVERT:50c279617
jobs - improved log and reload management REVERT:ef8969e2c
certbot - add USE_LETS_ENCRYPT_STAGING=yes/no env var for using staging or production servers of let's encrypt REVERT:0dc2a5ec2
edit visibility of Job members and integration of a generic checker for nginx REVERT:9a207dfdc
fix missing import in generator, expand networks to ips in jobs and init work on a generic checker with shared dict and redis support REVERT:a60fbbb5b
hotfix - fix CVE-2021-33560 REVERT:a1b9010d9
pull v1.2.8 fixes when applicable REVERT:3178545c2
v1.2.8 release REVERT:36b8760d4
resolve bugs on the stable version REVERT:8bb6676f5
settings - fix PHP_* again REVERT:4234f82c0
settings - edit EMAIL_LETS_ENCRYPT regex REVERT:b99fb27df
fix missing parameter when calling reload in autoconf and edit REMOTE_PHP_PATH regex REVERT:876fcd181
conf - add WORKER_PROCESSES REVERT:26dc79615
jobs - fix line edit REVERT:280d18986
jobs - avoid reload when not necessary REVERT:5f845680f
jobs - edit referrers and user-agents data and init work on autoconf integration REVERT:d12369c90
jobs - various bugs fixed and old files removed REVERT:366e39f59
jobs - SelfSignedCert, runner and reloader REVERT:71741b2d3
jobs - cache management REVERT:2fca4cd01
jobs - logging and error management REVERT:fccf14627
jobs - python stubs REVERT:b3684efaf
jobs - init work on refactoring REVERT:82548378a
crowdsec - move as external plugin REVERT:b926b0db6
examples - use example.com instead of website.com REVERT:6713f56ec
linux - fix centos install REVERT:2b923c05c
compile and install LUA 5.1.5 to /opt/bunkerized-nginx/deps and introduced REDIRECT_TO feature REVERT:71cf3cf5c
use local sources when building Docker image, add LOCAL_PHP and LOCAL_PHP_REMOTE to settings.json and fix pip bug related to removed working directory REVERT:8e3dbf1c7
fixed some fedora bugs, support LOCAL_PHP and LOCAL_PHP_PATH and sample variables.env REVERT:49ada6a8c
linux - init work on fedora support REVERT:947e86f7c
linux - uninstall script REVERT:a12561a85
remove useless nginx-keys folder and add lua_package_cpath to http conf REVERT:6b19bd026
deps - add cjson LUA files to deps folder REVERT:6738b28b9
deps - move dependencies to dedicated /opt/bunkerized-nginx/deps folder to avoid messing with the system REVERT:010c0fd6d
rename gen/requirements.py to requirements.txt, add git/bash to Docker deps and fix typos in README REVERT:ecf30a71f
deps - init work on single install script REVERT:ffc4fc950
deps - manual compile/install of libmaxmind and upgrade lua-resty-core REVERT:b9955699b
Merge pull request #152 from thelittlefireman/patch-11 REVERT:860fd1ace
Upgrade deps REVERT:eb5d13fb8
Upgrade lua-nginx module to 0.10.20 REVERT:ca41987cd
Upgrade corerules to 3.3.0 & modsecurity to 3.0.5 REVERT:3af1b397f
UI - digging bugs from services, still some work to do REVERT:72a09eac6
UI - add CSRF protection REVERT:0d3f7d392
UI - admin authentication and bootstrap update REVERT:6be082e0a
UI - init work on admin account REVERT:4947796c9
UI - fix instances bugs REVERT:ba197dfa4
UI - bind gunicorn to 127.0.0.1/0.0.0.0:5000 REVERT:4dd1ff847
UI - copy from helpers, systemd service and instances page update REVERT:f771ec43f
ui - init Instances class to support Linux and API for Docker/Swarm REVERT:e241b0c93
logs - move everything from /var/log to /var/log/nginx REVERT:d03a1a6e3
linux - add jobs.log REVERT:2c9c9fb62
linux - run master process as root REVERT:deb28c599
autoconf - fix folders REVERT:2ea7331da
jobs - disable post-jobs when SWARM_MODE=yes on SIGHUP REVERT:92ee40819
whitelist - fix /.well-known/acme-challenge whitelist for let's encrypt REVERT:2ccfb26e8
docker - fix CVE-2021-33560 REVERT:70f9f8417
templates - add missing new line when necessary REVERT:c4aef1d60
authelia - choose portal or auth basic mode REVERT:a385183d8
authelia - various fixes REVERT:cec47f3a7
body injection feature and add authelia to documentation REVERT:c894c8370
authelia - add variables to settings.json REVERT:f73b088f7
authelia - initial work REVERT:130c6752d
Merge pull request #148 from aFresquetIntech/dev REVERT:f97ea6785
Create .env REVERT:850429986
Correction REVERT:4a8da40cf
reverse-proxy-zammad REVERT:0114c7b09
examples - edit basic PHP REVERT:bebe89afb
linux - edit path for default errors, ignore comments in variables.env, install/prepare certbot REVERT:b2cceb608
linux - fix centos REVERT:37f5e4ed7
linux - fixed debian/ubuntu but still some work needed on centos REVERT:98568a57c
linux - fix /var/log and typo in daemon directive REVERT:499192287
linux - fix daemon directive and rights on /etc/nginx REVERT:bcb8acc36
linux - add RX permissions to /opt REVERT:a9279053a
linux - add executable right to gen/main.py REVERT:60057a17e
linux - fix tests docker cp and pass single -c argument to su REVERT:d0366fcc0
linux - started work on bunkerized-nginx command REVERT:b448d91ca
actions - fix centos test and docker image name when pushing REVERT:e309ce6fd
docker - fix permissions on /opt REVERT:37090dc66
actions - fix manifest error with buildx and load REVERT:6bb6facd8
add load: true when autobuilding images and move from /bin/sh to /bin/bash REVERT:a1fcbd4b8
fix actions and configure REVERT:09a2a4f9e
github actions refactoring REVERT:1e02368e8
linux/docker - common /opt/bunkerized-nginx folder REVERT:bbb5134a3
fix configure arguments and CRS include REVERT:b0f93fb84
fix Dockerfile again REVERT:c892f037d
fix Dockerfile REVERT:731c0f61d
linux - init work on installer REVERT:93543d396
Linux - use the same dependencies script for Docker REVERT:5ec9e6ab4
linux - CentOS 7 install REVERT:cc0d0af8d
linux - ubuntu installer REVERT:43d2097d1
linux - nginx install on Debian REVERT:f880e5e2a
linux - continued work on install helpers for Debian REVERT:9636013f5
linux - started work on installer REVERT:15bdb076c
hotfix - fix docs get_git_branch REVERT:d62c4f466
v1.2.7 release REVERT:ad52ef326
autoconf - prevent race condition by checking health state REVERT:3bd3b6fd7
Merge pull request #145 from thelittlefireman/patch-10 REVERT:e41acc20c
Upgrade ModSecurity-nginx to v1.0.2 REVERT:3c721dc2a
add HEALTHCHECK to Dockerfile and append 10.0.0.0/8 to DNSBL whitelist REVERT:491d879fe
jobs - cleaning the mess when using autoconf without swarm mode REVERT:52534510e
fix bug when AUTO_LETS_ENCRYPT=yes and certbot can't resolve challenges REVERT:2c7337576
jobs - fix syntax error REVERT:9e4961ccb
docs - rename sitemap to bypass rtd rewrite REVERT:01857d8ac
gen - display the reason when ignoring a variable REVERT:ab9f9e0a4
jobs - fix jobs when MULTISITE=yes REVERT:29dc64ca3
actions - add Docker cache to speedup auto build on the dev branch REVERT:b5cd4e037
docker - build and push images from GitHub actions because of future DockerHub restrictions on autobuild REVERT:16101144c
self-signed cert - fix bugs REVERT:95510e6e1
settings - add underscore to CUSTOM_HTTPS_CERT/KEY regex REVERT:dd5890e76
geoip - fix bug when using GeoIP REVERT:c3a437fa8
docs - rename the sitemap to avoid conflicts ? REVERT:518ddd323
docs - custom robots.txt REVERT:177a82ee6
docs - automated sitemap.yml REVERT:39db7b368
v1.2.6 release REVERT:9442e5914
jobs - fix jobs in Swarm mode REVERT:fcc6b3b5e
various bug fixes related to Swarm REVERT:678ad70b0
docs, various fixes and certbot-cloudflare example REVERT:e8f5db0b2
docs - add plugins system REVERT:8295f6aeb
plugins - clamav example REVERT:388fc1a0e
plugins - started basic plugin system REVERT:62217a321
add contributing guidelines and license REVERT:53e433b1a
readme - replace some badges REVERT:f640157b1
Merge pull request #138 from bunkerity/feature-request-template REVERT:d646f3e5b
Update issue templates REVERT:4b31d005e
crowdsec and generator fixes REVERT:d2135c19c
docs - road to v1.2.6 REVERT:8cda1baf7
fix web ui multiple variables and add default error pages REVERT:445032406
dnsbl - disable checks when IP is local REVERT:74fb01536
web UI - init work on using docker-socket-proxy REVERT:ee178de6a
web ui - mostly finished templating integration (needs some testing) REVERT:7323525b6
ui - show only multisite vars for settings REVERT:82e47f147
ui - Dockerfile fixes and missing get_config function REVERT:2db967ad1
templating - road to web ui REVERT:1d96620ae
templating - init integration into web ui REVERT:99c259bf1
templating - prepare integration into ui REVERT:c7b81cfc1
various bug fixes related to HTTPS REVERT:dfce0c06d
autoconf - fixing various bugs when SWARM_MODE=yes REVERT:0f8e56a66
templating - fixing bugs with autoconf REVERT:f950abdc2
templating - started integration into autoconf REVERT:4a73ae819
various bug fixes on templates and nginx update to 1.20.1 REVERT:e2f02ee91
templating - prepare integration for autoconf REVERT:a991b262e
remove ClamAV because of GPL and started work on read-only filesystem REVERT:a8bc17e83
templating - started integration into docker image REVERT:ec19f9308
templating - added missing features in site templates REVERT:23aa05300
templating - auth basic support REVERT:289ad106c
templating - multisite support REVERT:bbc5bbc9e
templating - fix some site templates REVERT:633a07686
templating - init work on site templates REVERT:996c45df4
templating - init work on global templates REVERT:801530baf
templating - road to full jinja2 templates REVERT:c65dda391
templating - init work on templating with jinja2 REVERT:ea891969c
templating - updated settings.json with global settings REVERT:698ae17c4
templating - init work on generic settings management REVERT:664563284
antibot - basic pow with javascript REVERT:16e5ede13
antibot - custom templates REVERT:8260746fe
logs/lua - add logger tool REVERT:de560490d
fix LUA array variables and add LOG_LEVEL to the troubleshooting section REVERT:96db3a450
log - add LOG_LEVEL variable REVERT:73543f4b0
hardening - add no-new-privileges REVERT:d9bb97be5
lua - move global vars from lua to site config (untested) REVERT:863283d09
started work on moving variables from .lua to nginx REVERT:600484b16
crowdsec - fix bugs and update example REVERT:7c6a13c54
examples - improve nextcloud example so it works with webdav clients REVERT:b3bb4ec40
remove unnecessary dependencies and update doc about certificate bundle REVERT:69f465720
examples - fix typo BAD_BEHAVIOR_STATUS_CODES REVERT:d02985d21
check permissions for missing volumes and add comment about permissions on examples REVERT:b0ca85ff7
v1.2.5 - performance improvement REVERT:2f115c444
Merge pull request #131 from bunkerity/issue-templates REVERT:7f15741ea
Update issue templates REVERT:288b8eb85
docs improvement + road to v1.2.5 REVERT:61c08fb97
docs - troubleshooting REVERT:01ef47a66
docs - security tuning improvement REVERT:71515a910
doc - volumes list REVERT:a33d0658c
docs - road to a beautiful documentation REVERT:0b3ff6a9f
bad behavior - move from fail2ban to pure lua REVERT:eb2d0d330
performance - rsyslog and fail2ban removing REVERT:5bcbb3863
doc - official document started REVERT:ca660b250
init work on official doc REVERT:3a34436cd
add AquaeAtrae example for ROOT_SITE_SUBFOLDER REVERT:b1d03cd11
performance - move bad user-agents and referrers checks from nginx to LUA with caching REVERT:42c3fb874
add sandbox allow-downloads to the default value of CONTENT_SECURITY_POLICY REVERT:f1c043604
add missing backslash in the quickstart guide and update autoconf examples with the depends_on directive REVERT:fd61df205
performance - move external blacklists checks from nginx to LUA REVERT:009d6fb5a
choose connection and nofile numbers, increase error_log level to get modsecurity rules, add MODSECURITY_SEC_AUDIT_ENGINE var REVERT:ba4185a42
jobs - fix automatic reload REVERT:70976d0fb
fix user-agent not blocking and add documentation on bundle when USE_CUSTOM_HTTPS=yes REVERT:062a39c63
integrate AquaeAtrae work - add ROOT_SITE_SUBFOLDER REVERT:83841b290
jobs - edit adren work on external blacklists REVERT:10dc58cb6
Merge pull request #126 from adren/patch-6 REVERT:668754686
Merge pull request #125 from adren/patch-5 REVERT:84b1933f6
Merge pull request #124 from adren/patch-4 REVERT:15f6d0a32
Merge pull request #123 from adren/patch-3 REVERT:e628361a8
Merge pull request #122 from adren/patch-1 REVERT:f8d71e067
improved way to generate user-agent file REVERT:02ae3b6bd
change IFS before subshell REVERT:2fb0e7c47
deduplicate list of user-agents REVERT:9adcc2f1a
more optimized way to generate map referrer file REVERT:7b98db4d1
improve the generation of blocking file (abusers) REVERT:ddb2b8591
improve generation of block file (Tor exit nodes) REVERT:da1a460a6
huge improvement to generate blocking file REVERT:07be62684
hotfix - fix API in autoconf swarm mode REVERT:3bb164395
hotfix - move API_WHITELIST_IP edit to lua.sh REVERT:bc2568a17
v1.2.4 - nginx 1.20.0 support REVERT:5ec74880d
update README for v1.2.4 REVERT:f84fd7c9a
fix permissions issues for autoconf and fix volume for ghost example REVERT:6521d7a27
fix client cache so it works in combination with reverse proxy and examples update REVERT:813607fbc
improve crowdsec example and disable modsec logging when not necessary REVERT:843644f80
log - replace some WARN tags from LUA logs with NOTICE to avoid confusion REVERT:19fa0eb25
log - print modsec_audit.log to make debugging easier REVERT:b4df28722
log - send logs to remote syslog server REVERT:5ce41edc0
api - whitelist IP/network for API REVERT:a3cfb50b4
example - fix certbot wildcard REVERT:25494acac
example - wildcard certificate with certbot REVERT:a98dae1fb
fix CVE-2021-20205 and examples update REVERT:1a7abab57
nginx 1.20.0 support REVERT:42b7a57f0
fix autoconf bug when removing config with multiple server name and increase default LIMIT_CONN_MAX for average website with HTTP2 REVERT:02f9fbe5f
autoconf - fix certbot bug when multiple server_name for one service REVERT:69fe06677
autoconf - fix bug when multiple server_name for one service REVERT:74417abc9
fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode REVERT:ba7524a41
fixed LUA bug REVERT:b55aafb99
finding the LUA bug REVERT:deeb7a76a
Merge pull request #117 from thelittlefireman/patch-9 REVERT:ee8aaa4e7
fix lua crash 2 REVERT:605d59a45
Fix lua mistake REVERT:b85c991b6
bug fixes - /usr/local/lib/lua rights and syntax error in site-config REVERT:0d3658adf
REVERSE_PROXY_HEADERS - use proxy_set_header instead of more_set_headers REVERT:0b22209c9
documentation - userns remap feature REVERT:e44a1f3e1
added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service REVERT:aa614f82f
print error when permissions are wrong on common volumes REVERT:c03d410b0
refactored whitelisting of user-agents REVERT:e190167bf
CIDR support with whitelist/blacklist IP REVERT:31e72dce1
fix /usr/local/lib/lua rights and multiple server_name support with autoconf REVERT:b8105fc55
feature - whitelist URI REVERT:e73c10fd8
crowdsec - fix permissions on /usr/local/lib/lua and on /var/log files REVERT:a122a259c
minor fix on AutoConf logs and auto disable etag with reverse proxy REVERT:7c4894d3b
autoconf - fix remove event, generate config from nginx vars, more logs REVERT:533c2a103
fix sed script when writing site env REVERT:5611d544d
remove reference to USE_PHP REVERT:397182f18
add link to twitter account REVERT:c5c5fb17b
v1.2.3 - swarm support REVERT:017a7780f
README update, default cron update and new parameters to ui REVERT:34d9db7a8
web ui - bug fixes REVERT:361c66ca6
fixed bugs with MULTISITE variables and swarm example REVERT:afc667885
road to v1.2.3 - fixing bugs REVERT:c40fb3317
road to swarm - automatic reload after jobs REVERT:93ad3c0b5
road to swarm - let's encrypt fix REVERT:ceed90488
road to swarm - still some mess to fix REVERT:b8027d2ba
Merge pull request #102 from thelittlefireman/proxy_custom_headers REVERT:8d03a14a6
Merge pull request #103 from thelittlefireman/fix_truncated_3 REVERT:d16f4517a
Enhancement add custom proxy headers #97 REVERT:89ca91b3f
Fix truncated variables (last commit) REVERT:6a714e2ec
road to swarm - fix race condition on initial configuration REVERT:0d3da0353
prepare /www directory, fix log socket path and whitelist acme challenges path REVERT:33163f65b
init work on disabling root processes REVERT:a2543384c
road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights REVERT:3591715f2
road to swarm - fixing things REVERT:95f7ca5b2
road to swarm support - needs a lot of testing REVERT:816fa47cb
introducing SWARM_MODE env var REVERT:7756c2df3
Merge pull request #98 from mromanelli9/fix/readme REVERT:7509ec2f2
basic API to be used in swarm mode REVERT:6e93575e1
remove ALLOWALL from X_FRAME_OPTIONS options REVERT:ba4c97755
remove old anchor REVERT:781e4c8cb
autoconf little work on swarm support REVERT:e04c783d1
autoconf - init work on swarm mode REVERT:e12b656bd
Merge branch 'patch-7' of https://github.com/thelittlefireman/bunkerized-nginx into dev REVERT:cae05447d
custom crontab values REVERT:4b58e2265
Merge branch 'patch-5' of https://github.com/thelittlefireman/bunkerized-nginx into dev REVERT:6b56e21a0
Merge branch 'whitelist_ua' of https://github.com/thelittlefireman/bunkerized-nginx into dev REVERT:544a09e8d
Update lua-cs-bouncer REVERT:8386dd4a2
custom config outside server block REVERT:f052a2516
Merge branch 'pre_server_confs' of https://github.com/thelittlefireman/bunkerized-nginx into dev REVERT:43750f553
Merge pull request #73 from thelittlefireman/patch-4 REVERT:9142afdb5
Merge pull request #72 from thelittlefireman/patch-3 REVERT:66c4fed79
Fix env variable with space are truncated 2 REVERT:f41846e9d
Fix env variable with space are truncated REVERT:92cc705b9
Reduce memory usage : set cron tasks at different hours. REVERT:47fb3a05b
Upgrade crowdsecurity/lua-cs-bouncer REVERT:5940f402c
improve default tls security REVERT:d9ca275d5
Add before `server {}` config. REVERT:8353bd9c8
Allow to add a whitelist by site on user-agent REVERT:d902e2f29
Add last missing reverse proxy header REVERT:1a8b8043c
Add LIMIT_CONN var to server.conf REVERT:65120a7e9
Add USE_CONN_LIMIT info to Readme.md REVERT:b093a4755
Add default values for LIMIT_CONN REVERT:73dbf03c9
add USE_LIMIT_CONN zone to global config REVERT:6ee746236
Add USE_LIMIT_CONN to site-config REVERT:fa935eb6e
edit nginx.conf to add limit_conn REVERT:cf231e13c
Add limit-conn.conf REVERT:d5d699252
v1.2.2 - web UI (beta) REVERT:50f95420b
README update - road to v1.2.2 REVERT:dc382c3e0
various fixes - autoconf process order, multisite config and examples REVERT:0026328f2
edit default FAIL2BAN_IGNOREIP subnets REVERT:9023ab5ae
Merge pull request #67 from thelittlefireman/patch-2 REVERT:124474ad6
Edit README.md to add FAIL2BAN_IGNOREIP REVERT:eac9c8f51
Prepare FAIL2BAN_IGNOREIP to avoid self blocking REVERT:1ee490de6
Prepare FAIL2BAN_IGNOREIP to avoid self blocking REVERT:825e6a747
crowdsec v1 integrated REVERT:09a984c86
started crowdsec v1 integration REVERT:fd7afa17b
fix missing ';' in include REVERT:b9b7fdfcc
Merge pull request #63 from thelittlefireman/patch-1 REVERT:58e1d66bc
UI - minor alert css fix REVERT:7026643f8
UI - fix missing MULTISITE env var when managing services REVERT:06f688fe9
fixed stop and reload operations REVERT:c65b78b1c
UI - instances/services backend update (needs testing) REVERT:f9b9b9546
UI - introduced multiple config parameters (like reverse proxy) in frontend REVERT:b5fe6335c
UI - instances backend started REVERT:951f3957f
UI - default service values REVERT:0f520b891
UI - services backend started REVERT:569ad75c4
UI - config.json refactoring REVERT:bd7b6af66
UI - load config template from json REVERT:459bb8ea1
UI services modals and default CSP update (fix new tab links) REVERT:208b5acb3
UI - minor services list improvement REVERT:59b2fed41
UI - basic services list REVERT:a4871a915
Add missing proxy headers REVERT:026783f01
Fix missing reverse proxy headers REVERT:811585345
Fix missing proxy headers on site-config.sh REVERT:c5f283b00
UI - minor front update REVERT:03ce7a648
fix modsec double inclusion when MULTISITE=yes REVERT:3f7e2c54b
JOBS - fixed some job script and right temp nginx reload REVERT:bb0f46d8a
JOBS - fix job_log REVERT:c5b32dfc4
fix CVE-2020-1971 again REVERT:9a4f96ad1
fix CVE-2020-1971 REVERT:f258426f5
JOBS - fallback to old conf in case reload failed REVERT:119e96361
JOBS - be more verbose about jobs failure/success REVERT:373988670
Merge pull request #54 from thelittlefireman/patch-4 REVERT:2a956f2cd
Fix #52 REVERT:15a37a868
UI - minor UI improvement REVERT:3a3d52790
UI - basic read fixes REVERT:e6b5f460c
UI - basic read from docker API REVERT:002e3ed2b
security tests for autoconf and ui REVERT:7b55acbe8
web UI example and CVE-2020-8231 fix again REVERT:559b7835d
ui - automated build REVERT:4ea01bd93
print some logs when blocking bots REVERT:a73891a3b
fix CVE-2020-8231 REVERT:26199f52c
remove additional / in modsecurity include REVERT:5c3f94a84
edit reverse proxy var name in README REVERT:043fcdc13
autoconf - automated build REVERT:b86ded3d1
autoconf - multi arch Dockerfile REVERT:92569679b
dynamic reload of nginx by sending SIGHUP REVERT:15e74e486
more work on standalone autoconf REVERT:fd0a6412d
init work on standalone autoconf REVERT:419fdfc86
fix auth basic when MULTISITE=yes REVERT:0bc1f652b
v1.2.1 - autoconf feature (beta) REVERT:6c7461e29
integrate thelittlefireman work REVERT:d01bc5e01
Merge branch 'patch-1' of https://github.com/thelittlefireman/bunkerized-nginx into dev REVERT:75c69c810
last fixes before next release ? REVERT:e26b8482a
Add missing EMAIL_LETS_ENCRYPT parameter REVERT:f618c73e6
road to v1.2.1 REVERT:78c1e5c67
examples - same domains for internal tests REVERT:481e10d3e
reverse proxy - websocket example REVERT:aae2a7198
autoconf - php example REVERT:f3bf04e39
dirty fix to disable default server when MULTISITE=yes REVERT:36cbb927c
autoconf - various fixes REVERT:95153dbc5
moved UA, referrer and country check after whitelist and blacklist check REVERT:26947179a
moved UA and referrer check to LUA REVERT:88f27bfeb
autoconf - reverse proxy example and pass default vars REVERT:3cc1615c4
fix user-agent script REVERT:8bacf722a
Merge branch 'fix/variable-naming' of https://github.com/mromanelli9/bunkerized-nginx into dev REVERT:2bfc4b41f
first work on automatic configuration REVERT:587d4a92e
incorrect variable naming REVERT:c311d0c82
add crawler-detecter bad UA REVERT:0d03f49eb
websocket support with reverse proxy REVERT:2112c306a
custom log format REVERT:8f9dcc5ab
last fix ? REVERT:2fe05d3fd
fixing scripts again and again REVERT:db04c0345
fix referrers again REVERT:ed8bd902b
fix referrers script REVERT:3a7aa5d9c
block bad referrers REVERT:9ec9de6ca
multiple lets encrypt certificates when MULTISITE=yes REVERT:791342cbe
fix LUA DNS code when answers is nil REVERT:2f23671c3
fail2ban fix when MULTISITE=yes REVERT:e350a717f
fix default DNS_RESOLVERS REVERT:e818acb0d
prestashop example REVERT:b92f74ed9
dirty fix for CVE-2020-28928 REVERT:9688e6650
check all vulnerabilities with trivy REVERT:700dfc018
v1.2.0 release REVERT:42e4298b5
readme update - v1.2.0 changes REVERT:813b42cfa
php and nextcloud examples fix REVERT:58fcf0a72
added Permissions-Policy header REVERT:587918380
custom headers to remove REVERT:203259688
automatic trivy scan REVERT:eaf817d57
php config and examples fixes REVERT:dd7768c85
whitelist/blacklist country at LUA level to avoid SEO issues REVERT:fe1d724c9
country whitelist/blacklist REVERT:0635eb368
various bug fixes REVERT:fbf81c94b
cached blacklists data REVERT:ed451877a
examples update and multiple REVERSE_PROXY_* on single site REVERT:0f18e9c55
reverse proxy support via env vars REVERT:8f7cb5318
proxy caching support REVERT:60fbbc101
move some http directives to server REVERT:0f0593456
various fixes REVERT:8cdc155ac
multisite examples and certbot renew fix REVERT:1abe1da89
brotli support REVERT:f18c054b4
gzip support REVERT:4dea1975e
client caching REVERT:c2b05c463
fix BLOCK_COUNTRY bug and add support for ModSecurity custom confs when multisite=yes REVERT:2da51d92a
multisite - bug fixes REVERT:bd7997497
autotest through github actions REVERT:e89e34a84
auto test fix REVERT:ff02878dd
auto test setup REVERT:44b016be9
road to multi server block support REVERT:36c4f3e06
v1.1.2 - CrowdSec integration and custom ports REVERT:798f6c726
examples - nextcloud fix and tomcat REVERT:761c14a0b
custom HTTP and HTTPS ports REVERT:4a07eca69
crowdsec integration REVERT:e1274a608
passbolt example REVERT:3ec81cd84
Fix broken line in README REVERT:95752ff0c
v1.1.1 - TLS 1.2 support REVERT:8623510f8
https fix REVERT:95a76b11f
peterkimzz integration and dhparam REVERT:b0e4740a7
[New Features] - Added "HTTPS_PROTOCOLS" environment value to enable to customize TLS version. default value is "TLSv1.3". (because TLSv1.2 sometimes needed) - README.md REVERT:e84360857
README update - v1.1.0 REVERT:2f6866789
logrotate copytruncate REVERT:1d63838ee
examples - fix port number REVERT:e4bdd4af5
examples - nextcloud fix and moodle REVERT:2c33463af
renamed logrotate script REVERT:9ff210bed
wordpress and nextcloud examples REVERT:0b7301886
install CRS by tag in compile.sh REVERT:e1356e3eb
logrotate.conf update and some cleanup REVERT:34a0da444
logging fix again REVERT:022a653eb
display fail2ban.log and logging bug fix REVERT:4c11a9125
automatic docker tags with VERSION REVERT:88b52478c
automatic Secure flag on cookies REVERT:ce82e22db
remove integrated PHP REVERT:397415211
antibot - check IP with sessions and recaptcha REVERT:68d798855
tor hidden service example REVERT:16eab0f63
README update REVERT:6a22f7711
load balancer example REVERT:222426854
Merge pull request #13 from FacundoAcevedo/patch-1 REVERT:d63c57985
Fix typo in the link in the TOC REVERT:e19a7c693
run master nginx process as non-root user REVERT:7a8795883
dockerfile fix - compile REVERT:01095bd72
gpg fix and secure git clone REVERT:0e6729c62
check GPG signature of nginx sources REVERT:040b6a223
Merge branch 'patch-1' of https://github.com/fabianmoronzirfas/bunkerized-nginx into dev REVERT:5f62120e4
fix(typo): add missing »find« REVERT:e8503b9cc
ARM build fix REVERT:676571e4a
use nginx:stable-alpine as base image REVERT:34254a09e
examples and DNS_RESOLVERS fix REVERT:81cff3648
readme update REVERT:e166b1fea
awesome gif resized REVERT:f08bba8cc
awesome gif REVERT:ccf439228
session secret fix REVERT:c1d44387b
basic antibot feature through recaptcha v3 REVERT:135126e3f
readme fix REVERT:ac251b0f6
Merge branch 'master' of https://github.com/ZILosoft/bunkerized-nginx into dev REVERT:ac242c977
Update README.md REVERT:2909b7989
basic antibot feature through captcha REVERT:446ee3761
basic antibot using javascript REVERT:6e1c43c4c
basic antibot feature through cookie REVERT:652d8ac97
fixed typo in manifest REVERT:de1952b5f
README - toc update and title fix REVERT:16a458db2
README improvement REVERT:f27d80e0d
various fixes and lua logging REVERT:fc3d911ff
improved blacklist/whitelist/dnsbl with lua REVERT:ef7d842ff
arm64v8 auto build and master manifest REVERT:0e5704983
manifest for automated builds REVERT:aaef37007
improved logging with rsyslog REVERT:6e3c2ddcc
integrated ajarmoszuk work REVERT:919b418d5
Added the ability to self generate SSL certificates REVERT:fb1a0182e
Added the ability to see Real IPs if Nginx is running under another proxy (such as Traefik). REVERT:2e0a8307d
i386 fix again REVERT:181003efe
i386 fix REVERT:fca7bb075
automatic builds REVERT:764038d40
README update REVERT:f4c43a214
block proxies and abusers REVERT:3a9afa47b
Merge pull request #5 from ajarmoszuk/patch-1 REVERT:2c12df3b9
update default req_limit values REVERT:2f967a9f4
Update entrypoint.sh REVERT:eba5f6280
req limit REVERT:44155b5d6
dnsbl ipairs fix REVERT:829c1c697
some fixes and README update REVERT:f3721a50d
sitewide auth basic REVERT:b56e4e765
dnsbl feature REVERT:1654e913a
lua support REVERT:3e5ca583c
remote PHP-FPM support REVERT:bcd17dbea
automatic geoip update REVERT:14ec9f3e6
logrotate and compile fixes REVERT:5b5e6e33a
awesome logo REVERT:1aa1dcf50
logrotate support REVERT:f30a06d94
syslog integration and fail2ban improvement REVERT:cd19841ec
readme - details about modsec include order REVERT:94b29a6ca
fixed some include orders REVERT:bf605ce59
custom root folder and little fixes REVERT:b14b09ad5
default CSP update REVERT:4f5e5f013
readme improve REVERT:76bd069f2
php POST max size and custom HTTPS cert REVERT:1d6ab7275
http basic auth fix REVERT:472ec31cd
readme fix REVERT:caa415e12
http basic auth REVERT:8561d47be
create a customized image REVERT:4bede275f
fix typo REVERT:efcf93710
inspectFile fix REVERT:ccaaa8b57
readme fix REVERT:b83111ad1
realip, minor fixes and README REVERT:a2be2e8ae
improved README : format, modsec, fail2ban and clamav REVERT:48a0036d2
updated readme REVERT:bf0bef289
clamav support REVERT:193070b14
fail2ban support REVERT:716e54e59
custom http/server confs and better modsec customization REVERT:43403f69e
disable default server REVERT:69ac95b29
block country and various fixes REVERT:ecf2de8b7
multiple let's encrypt domains REVERT:8427564f4
user-agents escape fix REVERT:c56bde4f0
fix certbot-renew.sh syntax REVERT:834afa132
http to https redirect REVERT:d5f8c7647
custom modules and write access REVERT:5bcdb0219
f**k markup ? REVERT:3233f3b76
fix readme REVERT:62eda8173
improved README REVERT:09e6b50e5
custom conf REVERT:5d16f6a8f
fix README REVERT:1b5f6deb2
cookie flags and maxmind update REVERT:ea1dbc617
updated readme REVERT:0b703ea55
content security policy REVERT:1e642e2f1
initial readme REVERT:e90060ce6
initial work REVERT:70f849fbb
Initial commit
git-subtree-dir: src/deps/src/headers-more-nginx-module
git-subtree-split: bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0
|
@ -1,6 +0,0 @@
|
|||
.git
|
||||
.idea/
|
||||
.vscode/
|
||||
__pycache__
|
||||
env
|
||||
node_modules
|
18
.gitattributes
vendored
|
@ -1,17 +1 @@
|
|||
* text=auto eol=lf
|
||||
|
||||
# Folders
|
||||
src/deps/src/** -text -eol linguist-vendored=true
|
||||
src/common/core/modsecurity/files/** -text -eol linguist-vendored=true
|
||||
src/ui/static/js/editor/** -text -eol linguist-vendored=true
|
||||
src/ui/static/js/utils/purify/** -text -eol linguist-vendored=true
|
||||
src/ui/static/webfonts/** -text -eol linguist-vendored=true
|
||||
|
||||
# Files
|
||||
src/deps/misc/lua-pack.Makefile -linguist-vendored=true
|
||||
src/deps/misc/ngx_http_modsecurity_access.c -linguist-vendored=true
|
||||
src/ui/static/css/datepicker-foundation.css -linguist-vendored=true
|
||||
src/ui/static/css/flatpickr.css -linguist-vendored=true
|
||||
src/ui/static/css/flatpickr.dark.css -linguist-vendored=true
|
||||
src/ui/static/js/tsparticles.bundle.min.js -linguist-vendored=true
|
||||
src/ui/static/js/utils/flatpickr.js -linguist-vendored=true
|
||||
*.t linguist-language=Text
|
||||
|
|
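Review bot: The hunk header `-1,17 +1` on the root .gitattributes leaves only `*.t linguist-language=Text`, so `* text=auto eol=lf` and every `linguist-vendored` rule for src/deps, ModSecurity files and the UI static assets are gone, even though the commit trailer scopes this squash to `git-subtree-dir: src/deps/src/headers-more-nginx-module`. If the subtree content was only meant to land under that directory, the root file should stay as it was; if the change is intended, the commit message should say why line-ending normalization is being dropped for the whole repository.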
91
.github/ISSUE_TEMPLATE/bug_report.yml
vendored
|
@ -1,91 +0,0 @@
|
|||
name: 🐛 Bug Report
|
||||
description: Create a report to help us reproduce and fix the bug
|
||||
title: "[BUG] "
|
||||
labels: ["bug"]
|
||||
body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: >
|
||||
#### Before submitting a bug, please make sure the issue hasn't been already addressed by searching through [the existing and past issues](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+).
|
||||
- type: textarea
|
||||
id: what-happened
|
||||
attributes:
|
||||
label: What happened?
|
||||
description: Concise description of what you're trying to do, the expected behavior and the current bug.
|
||||
placeholder: Describe the bug, the expected behavior and the current behavior
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: how-to-reproduce
|
||||
attributes:
|
||||
label: How to reproduce?
|
||||
description: Concise description of how to reproduce the issue.
|
||||
placeholder: Describe how to reproduce the issue
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: configuration-file
|
||||
attributes:
|
||||
label: Configuration file(s) (yaml or .env)
|
||||
description: |
|
||||
Please copy and paste your configuration file or the relevant part of it.
|
||||
⚠️ DON'T FORGET TO REMOVE PRIVATE DATA LIKE IP ADDRESSES ! ⚠️
|
||||
placeholder: Configuration file
|
||||
render: YAML
|
||||
- type: textarea
|
||||
id: logs
|
||||
attributes:
|
||||
label: Relevant log output
|
||||
description: |
|
||||
Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
|
||||
⚠️ DON'T FORGET TO REMOVE PRIVATE DATA LIKE IP ADDRESSES ! ⚠️
|
||||
placeholder: Log output
|
||||
render: shell
|
||||
- type: input
|
||||
id: version
|
||||
attributes:
|
||||
label: BunkerWeb version
|
||||
description: What version of BunkerWeb are you running?
|
||||
placeholder: Version
|
||||
value: 1.5.3
|
||||
validations:
|
||||
required: true
|
||||
- type: dropdown
|
||||
id: integration
|
||||
attributes:
|
||||
label: What integration are you using?
|
||||
options:
|
||||
- Docker
|
||||
- Autoconf
|
||||
- Swarm
|
||||
- Kubernetes
|
||||
- Linux
|
||||
- Ansible
|
||||
- Vagrant
|
||||
default: 0
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: linux-distribution
|
||||
attributes:
|
||||
label: Linux distribution (if applicable)
|
||||
description: What Linux distribution are you using? (e.g. Ubuntu Server 18.04)
|
||||
placeholder: Linux distribution
|
||||
- type: checkboxes
|
||||
id: removed-private-data
|
||||
attributes:
|
||||
label: Removed private data
|
||||
description: |
|
||||
We would like to emphasize that we are not responsible for any private data that may be inadvertently included in the logs or configuration files.
|
||||
⚠️ I have removed all private data from the configuration file and the logs ⚠️
|
||||
options:
|
||||
- label: I have removed all private data from the configuration file and the logs
|
||||
required: true
|
||||
- type: checkboxes
|
||||
id: terms
|
||||
attributes:
|
||||
label: Code of Conduct
|
||||
description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
|
||||
options:
|
||||
- label: I agree to follow this project's Code of Conduct
|
||||
required: true
|
29
.github/ISSUE_TEMPLATE/documentation.yml
vendored
|
@ -1,29 +0,0 @@
|
|||
name: 📚 Documentation enhancement
|
||||
description: Suggest an idea that will improve BunkerWeb documentation or declare a bug in the documentation
|
||||
title: "[DOC] "
|
||||
labels: ["documentation"]
|
||||
body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: >
|
||||
#### Before submitting a documentation enhancement request, please make sure the feature hasn't been already addressed by searching through [the existing and past documentation enhancement requests](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+%5BDOC%5D+in%3Atitle).
|
||||
- type: textarea
|
||||
id: description
|
||||
attributes:
|
||||
label: Description
|
||||
description: Concise description of the error or what is missing.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: proposed-solution
|
||||
attributes:
|
||||
label: Proposed solution (optional)
|
||||
description: How it should be fixed or what should be added ?
|
||||
- type: checkboxes
|
||||
id: terms
|
||||
attributes:
|
||||
label: Code of Conduct
|
||||
description: By submitting this documentation enhancement request, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
|
||||
options:
|
||||
- label: I agree to follow this project's Code of Conduct
|
||||
required: true
|
29
.github/ISSUE_TEMPLATE/feature_request.yml
vendored
|
@ -1,29 +0,0 @@
|
|||
name: 🚀 Feature Request
|
||||
description: Suggest an idea that will improve BunkerWeb
|
||||
title: "[FEATURE] "
|
||||
labels: ["enhancement"]
|
||||
body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: >
|
||||
#### Before submitting a feature request, please make sure the feature hasn't been already addressed by searching through [the existing and past feature requests](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+%5BFEATURE%5D+in%3Atitle).
|
||||
- type: textarea
|
||||
id: whats-needed-and-why
|
||||
attributes:
|
||||
label: What's needed and why?
|
||||
description: Describe the feature you would like to see in the project and why it should be implemented.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: implementations-ideas
|
||||
attributes:
|
||||
label: Implementations ideas (optional)
|
||||
description: How it should be used and integrated into the project ? List some posts, research papers or codes that we can use as implementation.
|
||||
- type: checkboxes
|
||||
id: terms
|
||||
attributes:
|
||||
label: Code of Conduct
|
||||
description: By submitting this feature request, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
|
||||
options:
|
||||
- label: I agree to follow this project's Code of Conduct
|
||||
required: true
|
13
.github/codeql.yml
vendored
|
@ -1,13 +0,0 @@
|
|||
name: "CodeQL config"
|
||||
|
||||
paths:
|
||||
- src/autoconf
|
||||
- src/scheduler
|
||||
- src/ui
|
||||
- src/common
|
||||
paths-ignore:
|
||||
- src/ui/static/js/tsparticles.bundle.min.js
|
||||
- src/ui/static/js/editor
|
||||
- src/ui/static/js/utils/flatpickr.js
|
||||
- src/ui/static/js/utils/purify
|
||||
- src/common/core/modsecurity/files
|
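Review bot: Deleting .github/codeql.yml loses the `paths` scoping (src/autoconf, src/scheduler, src/ui, src/common) and the `paths-ignore` list for vendored JavaScript and ModSecurity files, and nothing in this hunk replaces it. Please check whether any code-scanning workflow still points at this config file, and either keep the file or move the same path scoping into that workflow so the analysis does not fail or start scanning vendored code.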
172
.github/dependabot.yml
vendored
|
@ -1,172 +0,0 @@
|
|||
version: 2
|
||||
|
||||
updates:
|
||||
# GHA
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/gha"
|
||||
target-branch: "dev"
|
||||
|
||||
# BW
|
||||
- package-ecosystem: "docker"
|
||||
directory: "/src/bw"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/bw"
|
||||
target-branch: "dev"
|
||||
|
||||
# Scheduler
|
||||
- package-ecosystem: "docker"
|
||||
directory: "/src/scheduler"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/scheduler"
|
||||
target-branch: "dev"
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/scheduler"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/scheduler"
|
||||
target-branch: "dev"
|
||||
|
||||
# Autoconf
|
||||
- package-ecosystem: "docker"
|
||||
directory: "/src/autoconf"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/autoconf"
|
||||
target-branch: "dev"
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/autoconf"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/autoconf"
|
||||
target-branch: "dev"
|
||||
|
||||
# UI
|
||||
- package-ecosystem: "docker"
|
||||
directory: "/src/ui"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/ui"
|
||||
target-branch: "dev"
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/ui"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/ui"
|
||||
target-branch: "dev"
|
||||
|
||||
# Misc
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/deps"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/deps"
|
||||
target-branch: "dev"
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/common/gen"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/common/gen"
|
||||
target-branch: "dev"
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/src/common/db"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "TheophileDiot"
|
||||
reviewers:
|
||||
- "TheophileDiot"
|
||||
commit-message:
|
||||
prefix: "deps/common/db"
|
||||
target-branch: "dev"
|
||||
|
||||
# Terraform
|
||||
- package-ecosystem: "terraform"
|
||||
directory: "/tests/terraform"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "09:00"
|
||||
timezone: "Europe/Paris"
|
||||
assignees:
|
||||
- "fl0ppy-d1sk"
|
||||
reviewers:
|
||||
- "fl0ppy-d1sk"
|
||||
commit-message:
|
||||
prefix: "deps/terraform"
|
||||
target-branch: "dev"
|
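Review bot: Removing all `updates` entries in .github/dependabot.yml (github-actions, docker, pip and terraform, each with `target-branch: "dev"`) leaves the container base images, Python requirements and workflow actions without automated update PRs, which is a supply-chain regression for a change described as a subtree squash of headers-more-nginx-module. Confirm the deletion is intended; if it is a side effect of how the squash commit was created, exclude the root .github directory from this commit.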
283
.github/workflows/beta.yml
vendored
|
@ -1,283 +0,0 @@
|
|||
name: Automatic push (BETA)
|
||||
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [beta]
|
||||
|
||||
jobs:
|
||||
# Build amd64 + 386 containers images
|
||||
build-containers:
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
arch: [linux/amd64, linux/386]
|
||||
include:
|
||||
- release: beta
|
||||
cache: false
|
||||
push: false
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
- arch: linux/amd64
|
||||
cache_suffix: amd64
|
||||
- arch: linux/386
|
||||
cache_suffix: "386"
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
CACHE: ${{ matrix.cache }}
|
||||
PUSH: ${{ matrix.push }}
|
||||
CACHE_SUFFIX: ${{ matrix.cache_suffix }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Create ARM environment
|
||||
create-arm:
|
||||
uses: ./.github/workflows/create-arm.yml
|
||||
secrets:
|
||||
SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
|
||||
SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Build arm64 + arm/v7 images
|
||||
build-containers-arm:
|
||||
needs: [create-arm]
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
arch: ["linux/arm64,linux/arm/v7"]
|
||||
include:
|
||||
- release: beta
|
||||
cache: false
|
||||
push: false
|
||||
cache_suffix: arm
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
CACHE: ${{ matrix.cache }}
|
||||
PUSH: ${{ matrix.push }}
|
||||
CACHE_SUFFIX: ${{ matrix.cache_suffix }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
needs: [create-arm]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
platforms: [linux/amd64, linux/arm64]
|
||||
include:
|
||||
- release: beta
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
- linux: debian
|
||||
package: deb
|
||||
- linux: fedora
|
||||
package: rpm
|
||||
- linux: rhel
|
||||
package: rpm
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: false
|
||||
PLATFORMS: ${{ matrix.platforms }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Wait for all builds and extract VERSION
|
||||
wait-builds:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [build-containers, build-containers-arm, build-packages]
|
||||
outputs:
|
||||
version: ${{ steps.getversion.outputs.version }}
|
||||
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Get VERSION
|
||||
id: getversion
|
||||
run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"
|
||||
- name: Get VERSION (for RPM based)
|
||||
id: getversionrpm
|
||||
run: echo "versionrpm=$(cat src/VERSION | tr -d '\n' | sed 's/-/_/g')" >> "$GITHUB_OUTPUT"
|
||||
|
||||
# Push Docker images
|
||||
push-images:
|
||||
needs: [create-arm, wait-builds]
|
||||
strategy:
|
||||
matrix:
|
||||
image:
|
||||
[bunkerweb, bunkerweb-scheduler, bunkerweb-autoconf, bunkerweb-ui]
|
||||
include:
|
||||
- release: beta
|
||||
- image: bunkerweb
|
||||
cache_from: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: bunkerweb-scheduler
|
||||
cache_from: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: bunkerweb-autoconf
|
||||
cache_from: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: bunkerweb-ui
|
||||
cache_from: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/push-docker.yml
|
||||
with:
|
||||
IMAGE: bunkerity/${{ matrix.image }}:${{ matrix.release }},bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }}
|
||||
CACHE_FROM: ${{ matrix.cache_from }}-${{ matrix.release }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Push Linux packages
|
||||
push-packages:
|
||||
needs: [wait-builds]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
arch: [amd64, arm64]
|
||||
include:
|
||||
- release: beta
|
||||
repo: bunkerweb
|
||||
- linux: ubuntu
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: jammy
|
||||
package: deb
|
||||
- linux: debian
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: bullseye
|
||||
package: deb
|
||||
- linux: fedora
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 38
|
||||
package: rpm
|
||||
- linux: el
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 8
|
||||
package: rpm
|
||||
- linux: ubuntu
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: debian
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: fedora
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: el
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: ubuntu
|
||||
arch: arm64
|
||||
package_arch: arm64
|
||||
- linux: debian
|
||||
arch: arm64
|
||||
package_arch: arm64
|
||||
- linux: fedora
|
||||
arch: arm64
|
||||
package_arch: aarch64
|
||||
- linux: el
|
||||
arch: arm64
|
||||
package_arch: aarch64
|
||||
uses: ./.github/workflows/push-packagecloud.yml
|
||||
with:
|
||||
SEPARATOR: ${{ matrix.separator }}
|
||||
SUFFIX: ${{ matrix.suffix }}
|
||||
REPO: ${{ matrix.repo }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
VERSION: ${{ matrix.version }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
|
||||
PACKAGE_ARCH: ${{ matrix.package_arch }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
||||
|
||||
# Create doc PDF
|
||||
doc-pdf:
|
||||
needs: [wait-builds, push-images, push-packages]
|
||||
uses: ./.github/workflows/doc-to-pdf.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
|
||||
# Push on GH
|
||||
push-gh:
|
||||
needs: [wait-builds, doc-pdf]
|
||||
permissions:
|
||||
contents: write
|
||||
discussions: write
|
||||
uses: ./.github/workflows/push-github.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
PRERELEASE: true
|
||||
|
||||
# Push doc
|
||||
push-doc:
|
||||
needs: [wait-builds, push-gh]
|
||||
permissions:
|
||||
contents: write
|
||||
uses: ./.github/workflows/push-doc.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
ALIAS: beta
|
||||
secrets:
|
||||
BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
|
||||
|
||||
# Remove ARM VM
|
||||
rm-arm:
|
||||
if: ${{ always() }}
|
||||
needs: [create-arm, push-images, build-packages]
|
||||
uses: ./.github/workflows/rm-arm.yml
|
||||
secrets:
|
||||
ARM_ID: ${{ needs.create-arm.outputs.id }}
|
||||
SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
|
||||
SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
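Review bot: in `push-packages` the matrix lists `linux: [ubuntu, debian, fedora, rhel]`, but the `include` entries that supply `separator`, `suffix`, `version`, `package` and `package_arch` are keyed on `linux: el`, so the `rhel` combinations reach `push-packagecloud.yml` with those inputs empty. `dev.yml` puts `el` in the matrix list itself. The file is deleted here as a whole, so if the job is recreated elsewhere, change `rhel` to `el` in the list rather than copying it as is.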
31
.github/workflows/codeql.yml
vendored
|
@ -1,31 +0,0 @@
|
|||
name: CodeQL Analysis
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: "30 1 * * 6"
|
||||
workflow_call:
|
||||
|
||||
jobs:
|
||||
code-security:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ["python", "javascript"]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
config-file: ./.github/codeql.yml
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
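Review bot: deleting this file drops the weekly `cron: "30 1 * * 6"` CodeQL run and the `workflow_call` entry point that `dev.yml` uses for its `codeql` job. The commit message shown covers the headers-more-nginx-module subtree and does not mention it. If the python and javascript analysis moves elsewhere, say where in the commit message. If it does not, keep this workflow.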
134
.github/workflows/container-build.yml
vendored
|
@ -1,134 +0,0 @@
|
|||
name: Build container (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
ARCH:
|
||||
required: true
|
||||
type: string
|
||||
IMAGE:
|
||||
required: true
|
||||
type: string
|
||||
DOCKERFILE:
|
||||
required: true
|
||||
type: string
|
||||
CACHE:
|
||||
required: false
|
||||
type: boolean
|
||||
default: true
|
||||
PUSH:
|
||||
required: false
|
||||
type: boolean
|
||||
default: true
|
||||
CACHE_SUFFIX:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
secrets:
|
||||
DOCKER_USERNAME:
|
||||
required: true
|
||||
DOCKER_TOKEN:
|
||||
required: true
|
||||
ARM_SSH_KEY:
|
||||
required: false
|
||||
ARM_SSH_IP:
|
||||
required: false
|
||||
ARM_SSH_CONFIG:
|
||||
required: false
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Replace VERSION
|
||||
if: inputs.RELEASE == 'testing'
|
||||
run: ./misc/update-version.sh testing
|
||||
- name: Setup SSH for ARM node
|
||||
if: inputs.CACHE_SUFFIX == 'arm'
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
|
||||
chmod 600 ~/.ssh/id_rsa_arm
|
||||
echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
|
||||
env:
|
||||
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
SSH_IP: ${{ secrets.ARM_SSH_IP }}
|
||||
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
if: inputs.CACHE_SUFFIX != 'arm'
|
||||
- name: Setup Buildx (ARM)
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
if: inputs.CACHE_SUFFIX == 'arm'
|
||||
with:
|
||||
endpoint: ssh://root@arm
|
||||
platforms: linux/arm64,linux/arm/v7,linux/arm/v6
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to ghcr
|
||||
if: inputs.PUSH == true
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
# Compute metadata
|
||||
- name: Extract metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
|
||||
with:
|
||||
images: bunkerity/${{ inputs.IMAGE }}
|
||||
# Build cached image
|
||||
- name: Build image
|
||||
if: inputs.CACHE == true
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
file: ${{ inputs.DOCKERFILE }}
|
||||
platforms: ${{ inputs.ARCH }}
|
||||
load: true
|
||||
tags: local/${{ inputs.IMAGE }}
|
||||
cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
|
||||
cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
# Build non-cached image
|
||||
- name: Build image
|
||||
if: inputs.CACHE != true
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
file: ${{ inputs.DOCKERFILE }}
|
||||
platforms: ${{ inputs.ARCH }}
|
||||
load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
|
||||
tags: local/${{ inputs.IMAGE }}
|
||||
cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
# Check OS vulnerabilities
|
||||
- name: Check OS vulnerabilities
|
||||
if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
|
||||
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master
|
||||
with:
|
||||
vuln-type: os
|
||||
skip-dirs: /root/.cargo
|
||||
image-ref: local/${{ inputs.IMAGE }}
|
||||
format: table
|
||||
exit-code: 1
|
||||
ignore-unfixed: false
|
||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||
trivyignores: .trivyignore
|
||||
# Push image
|
||||
- name: Push image
|
||||
if: inputs.PUSH == true
|
||||
run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG
|
||||
env:
|
||||
IMAGE: "${{ inputs.IMAGE }}"
|
||||
TAG: "${{ inputs.RELEASE }}"
|
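Review bot: `Check OS vulnerabilities` is gated on `inputs.CACHE_SUFFIX != 'arm'` and the non-cached build sets `load: ${{ inputs.CACHE_SUFFIX != 'arm' }}`, so the linux/arm64 and linux/arm/v7 images built through this workflow never pass the Trivy gate that the amd64 and 386 images do. If this workflow is recreated elsewhere, scan the arm images as well, for example from a registry reference, so that `exit-code: 1` applies to every architecture. The Trivy action is also pinned to a commit annotated `# master`, where the other actions carry a release version comment. Pin it to a tagged release.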
86
.github/workflows/create-arm.yml
vendored
|
@ -1,86 +0,0 @@
|
|||
name: Create ARM node (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
outputs:
|
||||
id:
|
||||
description: "ARM ID"
|
||||
value: ${{ jobs.build.outputs.id }}
|
||||
ip:
|
||||
description: "ARM IP"
|
||||
value: ${{ jobs.build.outputs.ip }}
|
||||
|
||||
secrets:
|
||||
SCW_ACCESS_KEY:
|
||||
required: true
|
||||
SCW_SECRET_KEY:
|
||||
required: true
|
||||
SCW_DEFAULT_PROJECT_ID:
|
||||
required: true
|
||||
SCW_DEFAULT_ORGANIZATION_ID:
|
||||
required: true
|
||||
ARM_SSH_KEY:
|
||||
required: true
|
||||
ARM_SSH_CONFIG:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
id: ${{ steps.getinfo.outputs.id }}
|
||||
ip: ${{ steps.getinfo.outputs.ip }}
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Get ARM availabilities
|
||||
id: availabilities
|
||||
uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
|
||||
with:
|
||||
args: instance server-type get zone=fr-par-2
|
||||
export-config: true
|
||||
access-key: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
secret-key: ${{ secrets.SCW_SECRET_KEY }}
|
||||
default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
||||
- name: Extract ARM type
|
||||
run: |
|
||||
TYPE=$(echo "$JSON" | jq '.servers | with_entries(select(.key | contains("AMP"))) | with_entries(select(.value.availability != "shortage")) | keys[] | select(. | test("^AMP2-C[0-9]+$")) | sub("AMP2-C"; "") | tonumber' | sort -n | tail -n 1 | xargs -I {} echo "AMP2-C{}")
|
||||
echo "Type is $TYPE"
|
||||
echo "TYPE=$TYPE" >> "$GITHUB_ENV"
|
||||
env:
|
||||
JSON: ${{ steps.availabilities.outputs.json }}
|
||||
- name: Create ARM VM
|
||||
id: scw
|
||||
uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
|
||||
with:
|
||||
args: instance server create zone=fr-par-2 type=${{ env.TYPE }} root-volume=block:50GB
|
||||
- name: Get info
|
||||
id: getinfo
|
||||
run: |
|
||||
echo "id=${{ fromJson(steps.scw.outputs.json).id }}" >> "$GITHUB_OUTPUT"
|
||||
echo "ip=${{ fromJson(steps.scw.outputs.json).public_ip.address }}" >> "$GITHUB_OUTPUT"
|
||||
- name: Wait for VM
|
||||
uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
|
||||
with:
|
||||
args: instance server wait ${{ fromJson(steps.scw.outputs.json).ID }} zone=fr-par-2
|
||||
- name: Wait for SSH
|
||||
uses: iFaxity/wait-on-action@628831cec646e6dacca502f34a6c6b46e131e51d
|
||||
with:
|
||||
resource: tcp:${{ fromJson(steps.scw.outputs.json).public_ip.address }}:22
|
||||
timeout: 300000
|
||||
- name: Setup SSH for ARM node
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
|
||||
chmod 600 ~/.ssh/id_rsa_arm
|
||||
echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
|
||||
env:
|
||||
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
SSH_IP: ${{ fromJson(steps.scw.outputs.json).public_ip.address }}
|
||||
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
- name: Install Docker
|
||||
run: ssh root@$SSH_IP "curl -fsSL https://test.docker.com -o test-docker.sh ; sh test-docker.sh"
|
||||
env:
|
||||
SSH_IP: ${{ fromJson(steps.scw.outputs.json).public_ip.address }}
|
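Review bot: `Install Docker` fetches `https://test.docker.com` and runs the result with `sh` as root on the ARM node, with no pinned version or digest check and from the test channel, and every arm image and package is then built on that host. Install a pinned Docker release, or verify the script against a known digest before executing it. `Get info` also expands `${{ fromJson(steps.scw.outputs.json).id }}` directly inside the `run:` script. Pass those values through `env:` as the `Extract ARM type` step does with `JSON`. `Wait for VM` reads `.ID` where `Get info` reads `.id`, so use one casing.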
61
.github/workflows/dev-update-mmdb.yml
vendored
|
@ -1,61 +0,0 @@
|
|||
name: Update cached mmdb files
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 12 1 * *"
|
||||
|
||||
jobs:
|
||||
mmdb-update:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
fetch-depth: 0
|
||||
token: ${{ secrets.BUNKERBOT_TOKEN }}
|
||||
ref: dev
|
||||
- name: Download mmdb files
|
||||
run: |
|
||||
mkdir -p src/bw/misc/
|
||||
cd src/bw/misc/
|
||||
CURL_RETURN_CODE=0
|
||||
CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o asn.mmdb.gz https://download.db-ip.com/free/dbip-asn-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
echo "Curl connection failed when downloading asn-lite mmdb file with return code - ${CURL_RETURN_CODE}"
|
||||
exit 1
|
||||
else
|
||||
echo "Curl connection success"
|
||||
# Check http code for curl operation/response in CURL_OUTPUT
|
||||
httpCode=$(echo "${CURL_OUTPUT}" | sed -e 's/.*\httpcode=//')
|
||||
if [ ${httpCode} -ne 200 ]; then
|
||||
echo "Curl operation/command failed due to server return code - ${httpCode}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
CURL_RETURN_CODE=0
|
||||
CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o country.mmdb.gz https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
|
||||
if [ ${CURL_RETURN_CODE} -ne 0 ]; then
|
||||
echo "Curl connection failed when downloading country-lite mmdb file with return code - ${CURL_RETURN_CODE}"
|
||||
exit 1
|
||||
else
|
||||
echo "Curl connection success"
|
||||
# Check http code for curl operation/response in CURL_OUTPUT
|
||||
httpCode=$(echo "${CURL_OUTPUT}" | sed -e 's/.*\httpcode=//')
|
||||
if [ ${httpCode} -ne 200 ]; then
|
||||
echo "Curl operation/command failed due to server return code - ${httpCode}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
rm -f asn.mmdb country.mmdb
|
||||
gunzip asn.mmdb.gz country.mmdb.gz
|
||||
- name: Commit and push changes
|
||||
uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
|
||||
with:
|
||||
branch: dev
|
||||
commit_message: "Monthly mmdb update"
|
||||
commit_options: "--no-verify"
|
||||
commit_user_name: "BunkerBot"
|
||||
commit_user_email: "bunkerbot@bunkerity.com"
|
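Review bot: `Download mmdb files` checks only curl's exit status and the HTTP code before `gunzip`, and the result is committed straight to `dev` with `BUNKERBOT_TOKEN` and `commit_options: "--no-verify"`, so nothing validates the content of the downloaded databases. Add an integrity or sanity check before the commit step, for example comparing against a checksum if the provider publishes one, or at least confirming that the files open as mmdb. The sed expression `'s/.*\httpcode=//'` has a stray backslash before `h`, and `${httpCode}` and `${CURL_RETURN_CODE}` are unquoted inside the `[ ... ]` tests.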
214
.github/workflows/dev.yml
vendored
|
@ -1,214 +0,0 @@
|
|||
name: Automatic tests (DEV)
|
||||
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [dev]
|
||||
|
||||
jobs:
|
||||
# Containers
|
||||
build-containers:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
include:
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
ARCH: linux/amd64
|
||||
CACHE: true
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
include:
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
- linux: debian
|
||||
package: deb
|
||||
- linux: fedora
|
||||
package: rpm
|
||||
- linux: rhel
|
||||
package: rpm
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: true
|
||||
PLATFORMS: linux/amd64
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# UI tests
|
||||
tests-ui:
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
tests-ui-linux:
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
|
||||
# Core tests
|
||||
prepare-tests-core:
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- id: set-matrix
|
||||
run: |
|
||||
tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
|
||||
echo "tests=$tests" >> $GITHUB_OUTPUT
|
||||
outputs:
|
||||
tests: ${{ steps.set-matrix.outputs.tests }}
|
||||
tests-core:
|
||||
needs: prepare-tests-core
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
|
||||
uses: ./.github/workflows/test-core.yml
|
||||
with:
|
||||
TEST: ${{ matrix.test }}
|
||||
RELEASE: dev
|
||||
tests-core-linux:
|
||||
needs: prepare-tests-core
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
|
||||
uses: ./.github/workflows/test-core-linux.yml
|
||||
with:
|
||||
TEST: ${{ matrix.test }}
|
||||
RELEASE: dev
|
||||
secrets: inherit
|
||||
|
||||
# Push with dev tag
|
||||
push-dev:
|
||||
needs: [tests-ui, tests-core]
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Push BW image
|
||||
run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
|
||||
env:
|
||||
FROM: "bunkerweb"
|
||||
TO: "bunkerweb"
|
||||
- name: Push scheduler image
|
||||
run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
|
||||
env:
|
||||
FROM: "scheduler"
|
||||
TO: "bunkerweb-scheduler"
|
||||
- name: Push UI image
|
||||
run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
|
||||
env:
|
||||
FROM: "ui"
|
||||
TO: "bunkerweb-ui"
|
||||
- name: Push autoconf image
|
||||
run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
|
||||
env:
|
||||
FROM: "autoconf"
|
||||
TO: "bunkerweb-autoconf"
|
||||
|
||||
# Push Linux packages
|
||||
push-packages:
|
||||
needs: [tests-ui-linux, tests-core-linux]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, el]
|
||||
arch: [amd64]
|
||||
include:
|
||||
- release: dev
|
||||
repo: bunkerweb
|
||||
- linux: ubuntu
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: jammy
|
||||
package: deb
|
||||
- linux: debian
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: bullseye
|
||||
package: deb
|
||||
- linux: fedora
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 38
|
||||
package: rpm
|
||||
- linux: el
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 8
|
||||
package: rpm
|
||||
- linux: ubuntu
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: debian
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: fedora
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: el
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
uses: ./.github/workflows/push-packagecloud.yml
|
||||
with:
|
||||
SEPARATOR: ${{ matrix.separator }}
|
||||
SUFFIX: ${{ matrix.suffix }}
|
||||
REPO: ${{ matrix.repo }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
VERSION: ${{ matrix.version }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
BW_VERSION: ${{ matrix.release }}
|
||||
PACKAGE_ARCH: ${{ matrix.package_arch }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
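Review bot: `tests-core-linux` forwards `secrets: inherit` to `test-core-linux.yml`, while the other reusable calls in this file that need secrets name them (`DOCKER_USERNAME`, `DOCKER_TOKEN`, `PACKAGECLOUD_TOKEN`). With `inherit`, the called workflow receives every repository secret, including the registry and packagecloud tokens. List only the secrets the Linux core tests use. In `prepare-tests-core`, `>> $GITHUB_OUTPUT` is unquoted, where the other workflows write `>> "$GITHUB_OUTPUT"`.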
38
.github/workflows/doc-to-pdf.yml
vendored
|
@ -1,38 +0,0 @@
|
|||
name: Generate documentation PDF (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
VERSION:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
|
||||
with:
|
||||
python-version: "3.10"
|
||||
- name: Install doc requirements
|
||||
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt
|
||||
- name: Install chromium
|
||||
run: sudo apt install chromium-browser
|
||||
- name: Install node
|
||||
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
|
||||
with:
|
||||
node-version: 18
|
||||
- name: Install puppeteer
|
||||
run: cd docs && npm install
|
||||
- name: Run mkdocs serve in background
|
||||
run: mkdocs serve & sleep 10
|
||||
- name: Run pdf script
|
||||
run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
|
||||
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
|
||||
path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
|
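Review bot: `Run pdf script` expands `${{ inputs.VERSION }}` directly into the shell command line, once unquoted and once inside single quotes, so a version string containing a quote or shell metacharacter changes the command that runs. Pass it through `env:` and reference `"$VERSION"` in the script, as `container-build.yml` does for `IMAGE` and `TAG`. `mkdocs serve & sleep 10` relies on a fixed delay, so poll the port before running the script. `sudo apt install chromium-browser` has no `-y`.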
152
.github/workflows/linux-build.yml
vendored
|
@ -1,152 +0,0 @@
|
|||
name: Build Linux package (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
LINUX:
|
||||
required: true
|
||||
type: string
|
||||
PACKAGE:
|
||||
required: true
|
||||
type: string
|
||||
PLATFORMS:
|
||||
required: true
|
||||
type: string
|
||||
TEST:
|
||||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
secrets:
|
||||
DOCKER_USERNAME:
|
||||
required: true
|
||||
DOCKER_TOKEN:
|
||||
required: true
|
||||
ARM_SSH_KEY:
|
||||
required: false
|
||||
ARM_SSH_IP:
|
||||
required: false
|
||||
ARM_SSH_CONFIG:
|
||||
required: false
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Replace VERSION
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
run: ./misc/update-version.sh ${{ inputs.RELEASE }}
|
||||
- name: Extract arch
|
||||
run: |
|
||||
echo "ARCH=${{ env.PLATFORMS }}" | sed 's/linux//g' | sed 's@/@@g' >> "$GITHUB_ENV"
|
||||
env:
|
||||
PLATFORMS: ${{ inputs.PLATFORMS }}
|
||||
- name: Extract linux arch
|
||||
if: inputs.PACKAGE == 'rpm'
|
||||
run: |
|
||||
echo "LARCH=${{ env.ARCH }}" | sed 's/amd64/x86_64/g' | sed 's/arm64/aarch64/g' >> "$GITHUB_ENV"
|
||||
env:
|
||||
ARCH: ${{ env.ARCH }}
|
||||
- name: Extract linux arch
|
||||
if: inputs.PACKAGE == 'deb'
|
||||
run: |
|
||||
echo "LARCH=${{ env.ARCH }}" >> "$GITHUB_ENV"
|
||||
env:
|
||||
ARCH: ${{ env.ARCH }}
|
||||
- name: Setup SSH for ARM node
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
|
||||
chmod 600 ~/.ssh/id_rsa_arm
|
||||
echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
|
||||
env:
|
||||
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
SSH_IP: ${{ secrets.ARM_SSH_IP }}
|
||||
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
- name: Setup Buildx
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
if: startsWith(env.ARCH, 'arm') == false
|
||||
- name: Setup Buildx (ARM)
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
with:
|
||||
endpoint: ssh://root@arm
|
||||
platforms: linux/arm64,linux/arm/v7,linux/arm/v6
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
# Build testing package image
|
||||
- name: Build package image
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
load: true
|
||||
file: src/linux/Dockerfile-${{ inputs.LINUX }}
|
||||
platforms: ${{ inputs.PLATFORMS }}
|
||||
tags: local/bunkerweb-${{ inputs.LINUX }}:latest
|
||||
cache-from: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}
|
||||
cache-to: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }},mode=min
|
||||
# Build non-testing package image
|
||||
- name: Build package image
|
||||
if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev'
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
load: true
|
||||
file: src/linux/Dockerfile-${{ inputs.LINUX }}
|
||||
platforms: ${{ inputs.PLATFORMS }}
|
||||
tags: local/bunkerweb-${{ inputs.LINUX }}:latest
|
||||
# Generate package
|
||||
- name: Generate package
|
||||
if: startsWith(env.ARCH, 'arm') == false
|
||||
run: ./src/linux/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }}
|
||||
env:
|
||||
LARCH: ${{ env.LARCH }}
|
||||
- name: Generate package (ARM)
|
||||
if: startsWith(env.ARCH, 'arm') == true
|
||||
run: |
|
||||
docker save local/bunkerweb-${{ inputs.LINUX }}:latest | ssh -C root@arm docker load
|
||||
scp ./src/linux/package.sh root@arm:/opt
|
||||
ssh root@arm chmod +x /opt/package.sh
|
||||
ssh root@arm /opt/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }} "$(cat src/VERSION | tr -d '\n')"
|
||||
scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
|
||||
env:
|
||||
LARCH: ${{ env.LARCH }}
|
||||
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
with:
|
||||
name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
|
||||
path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
|
||||
# Build test image
|
||||
- name: Extract metadata
|
||||
if: inputs.TEST == true
|
||||
id: meta
|
||||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
|
||||
with:
|
||||
images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
|
||||
- name: Build test image
|
||||
if: inputs.TEST == true
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
file: tests/linux/Dockerfile-${{ inputs.LINUX }}
|
||||
platforms: ${{ inputs.PLATFORMS }}
|
||||
push: true
|
||||
tags: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}-tests
|
||||
cache-to: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}-tests,mode=min
|
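Review bot: in the "Generate package (ARM)" step, `${{ inputs.LINUX }}` and `${{ env.LARCH }}` are substituted into the `ssh root@arm /opt/package.sh ...` line before the shell parses it, so the values reach a root shell on the ARM node unquoted, whereas the SSH secrets a few steps earlier go through `env:`. If this workflow is kept anywhere, pass the inputs through `env:` and use them as quoted shell variables. The two "Build package image" steps also overlap: `inputs.RELEASE == 'ui'` satisfies both `if:` conditions, so that release builds the image twice.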
41
.github/workflows/push-doc.yml
vendored
|
@ -1,41 +0,0 @@
|
|||
name: Push documentation (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
VERSION:
|
||||
required: true
|
||||
type: string
|
||||
ALIAS:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
BUNKERBOT_TOKEN:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
fetch-depth: 0
|
||||
token: ${{ secrets.BUNKERBOT_TOKEN }}
|
||||
- name: Replace VERSION
|
||||
if: inputs.VERSION == 'testing'
|
||||
run: ./misc/update-version.sh testing
|
||||
- name: Setup git user
|
||||
run: |
|
||||
git config --global user.name "BunkerBot"
|
||||
git config --global user.email "bunkerbot@bunkerity.com"
|
||||
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
|
||||
with:
|
||||
python-version: "3.10"
|
||||
- name: Install doc requirements
|
||||
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt
|
||||
- name: Push doc
|
||||
run: mike deploy --update-aliases --push --no-redirect ${{ inputs.VERSION }} ${{ inputs.ALIAS }}
|
||||
- name: Set default doc
|
||||
if: inputs.ALIAS == 'latest'
|
||||
run: mike set-default --push latest
|
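Review bot: the "Push doc" step expands `${{ inputs.VERSION }}` and `${{ inputs.ALIAS }}` straight into the `mike deploy ... --push` command line, in a job whose checkout keeps `BUNKERBOT_TOKEN` in the git configuration for all later steps. If the file is restored elsewhere, hand both inputs to the step through `env:` and quote them. With this file and its caller in release.yml both removed, `BUNKERBOT_TOKEN` has no consumer left among the workflows shown here, so it should be dropped from the repository secrets as part of the same cleanup.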
82
.github/workflows/push-docker.yml
vendored
|
@ -1,82 +0,0 @@
|
|||
name: Push image (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
IMAGE:
|
||||
required: true
|
||||
type: string
|
||||
TAGS:
|
||||
required: true
|
||||
type: string
|
||||
CACHE_FROM:
|
||||
required: true
|
||||
type: string
|
||||
DOCKERFILE:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
DOCKER_USERNAME:
|
||||
required: true
|
||||
DOCKER_TOKEN:
|
||||
required: true
|
||||
ARM_SSH_KEY:
|
||||
required: true
|
||||
ARM_SSH_CONFIG:
|
||||
required: true
|
||||
ARM_SSH_IP:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Setup SSH for ARM node
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
|
||||
chmod 600 ~/.ssh/id_rsa_arm
|
||||
echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
|
||||
env:
|
||||
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
SSH_IP: ${{ secrets.ARM_SSH_IP }}
|
||||
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
- name: Setup Buildx (ARM)
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
with:
|
||||
endpoint: ssh://root@arm
|
||||
platforms: linux/arm64,linux/arm/v7,linux/arm/v6
|
||||
# Compute metadata
|
||||
- name: Extract metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
|
||||
with:
|
||||
images: bunkerity/${{ inputs.IMAGE }}
|
||||
# Build and push
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
file: ${{ inputs.DOCKERFILE }}
|
||||
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
|
||||
push: true
|
||||
tags: ${{ inputs.TAGS }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: |
|
||||
type=gha,scope=${{ inputs.CACHE_FROM }}-amd64
|
||||
type=gha,scope=${{ inputs.CACHE_FROM }}-386
|
||||
type=gha,scope=${{ inputs.CACHE_FROM }}-arm
|
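Review bot: "Setup Buildx (ARM)" builds on `endpoint: ssh://root@arm`, and whether the runner verifies that host's key depends entirely on the content of the `ARM_SSH_CONFIG` secret, which the patch does not show. Worth confirming before this pattern is reused that the config pins the node's host key rather than disabling the check, since the same job holds the Docker Hub and ghcr push credentials. After the deletion, `DOCKER_USERNAME`, `DOCKER_TOKEN` and the three `ARM_SSH_*` secrets should be reviewed for removal.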
97
.github/workflows/push-github.yml
vendored
|
@ -1,97 +0,0 @@
|
|||
name: Push on GitHub (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
VERSION:
|
||||
required: true
|
||||
type: string
|
||||
PRERELEASE:
|
||||
required: true
|
||||
type: boolean
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
# Get PDF doc
|
||||
- name: Get documentation
|
||||
if: inputs.VERSION != 'testing'
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
|
||||
# Create tag
|
||||
- uses: rickstaa/action-create-tag@861755f3fcbce1b21a65c17bad10e7d35c27b6d9 # v1.7.1
|
||||
name: Create tag
|
||||
if: inputs.VERSION != 'testing'
|
||||
with:
|
||||
tag: "v${{ inputs.VERSION }}"
|
||||
message: "v${{ inputs.VERSION }}"
|
||||
force_push_tag: true
|
||||
# Create tag
|
||||
- uses: rickstaa/action-create-tag@861755f3fcbce1b21a65c17bad10e7d35c27b6d9 # v1.7.1
|
||||
name: Create tag
|
||||
if: inputs.VERSION == 'testing'
|
||||
with:
|
||||
tag: "${{ inputs.VERSION }}"
|
||||
message: "${{ inputs.VERSION }}"
|
||||
force_push_tag: true
|
||||
# Extract changelog
|
||||
- name: Extract changelog
|
||||
if: inputs.VERSION != 'testing'
|
||||
id: getchangelog
|
||||
run: |
|
||||
content=$(awk -v n=2 '/##/{n--}; n > 0' CHANGELOG.md | grep -v '# Changelog' | grep -v '##' | sed '/^$/d')
|
||||
content="${content//'%'/'%25'}"
|
||||
content="${content//$'\n'/'%0A'}"
|
||||
content="${content//$'\r'/'%0D'}"
|
||||
echo "content=$content" >> $GITHUB_OUTPUT
|
||||
# Create release
|
||||
- name: Create release
|
||||
if: inputs.VERSION != 'testing'
|
||||
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
|
||||
with:
|
||||
body: |
|
||||
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
|
||||
|
||||
Docker tags :
|
||||
- BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
|
||||
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
|
||||
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
|
||||
- UI : `bunkerity/bunkerweb-ui:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ inputs.VERSION }}`
|
||||
|
||||
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
|
||||
|
||||
Changelog :
|
||||
${{ steps.getchangelog.outputs.content }}
|
||||
draft: true
|
||||
prerelease: ${{ inputs.PRERELEASE }}
|
||||
name: v${{ inputs.VERSION }}
|
||||
tag_name: v${{ inputs.VERSION }}
|
||||
discussion_category_name: Announcements
|
||||
files: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
|
||||
# Create release
|
||||
- name: Create release
|
||||
if: inputs.VERSION == 'testing'
|
||||
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
|
||||
with:
|
||||
body: |
|
||||
**The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**
|
||||
|
||||
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
|
||||
|
||||
Docker tags :
|
||||
- BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
|
||||
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
|
||||
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
|
||||
- UI : `bunkerity/bunkerweb-ui:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ inputs.VERSION }}`
|
||||
|
||||
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
|
||||
|
||||
Please note that when using Linux Debian or Ubuntu integration, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing the testing version of BunkerWeb.
|
||||
draft: false
|
||||
prerelease: ${{ inputs.PRERELEASE }}
|
||||
name: Testing
|
||||
tag_name: ${{ inputs.VERSION }}
|
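Review bot: the "Extract changelog" step applies the `%25` / `%0A` / `%0D` escaping that belonged to the old `::set-output` command but writes with `echo "content=$content" >> $GITHUB_OUTPUT`; the output file is not unescaped, so a multi-line changelog reaches the release body as one line with literal `%0A`. If this step is carried over, use the delimiter form for multi-line outputs and quote `"$GITHUB_OUTPUT"`. Separately, both "Create tag" steps set `force_push_tag: true`, which lets an already published `v<version>` tag be moved to a different commit without any failure; for release tags that should be off.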
79
.github/workflows/push-packagecloud.yml
vendored
|
@ -1,79 +0,0 @@
|
|||
name: Push packagecloud (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
SEPARATOR:
|
||||
required: true
|
||||
type: string
|
||||
SUFFIX:
|
||||
required: true
|
||||
type: string
|
||||
REPO:
|
||||
required: true
|
||||
type: string
|
||||
LINUX:
|
||||
required: true
|
||||
type: string
|
||||
VERSION:
|
||||
required: true
|
||||
type: string
|
||||
PACKAGE:
|
||||
required: true
|
||||
type: string
|
||||
BW_VERSION:
|
||||
required: true
|
||||
type: string
|
||||
ARCH:
|
||||
required: true
|
||||
type: string
|
||||
PACKAGE_ARCH:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Install ruby
|
||||
uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
|
||||
with:
|
||||
ruby-version: "3.0"
|
||||
- name: Install packagecloud
|
||||
run: gem install package_cloud
|
||||
# Download packages
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
if: inputs.LINUX != 'el'
|
||||
with:
|
||||
name: package-${{ inputs.LINUX }}-${{ inputs.PACKAGE_ARCH }}
|
||||
path: /tmp/${{ inputs.LINUX }}
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
if: inputs.LINUX == 'el'
|
||||
with:
|
||||
name: package-rhel-${{ inputs.PACKAGE_ARCH }}
|
||||
path: /tmp/${{ inputs.LINUX }}
|
||||
# Remove existing packages
|
||||
- name: Remove existing package
|
||||
run: package_cloud yank bunkerity/${{ inputs.REPO }}/${{ inputs.LINUX }}/${{ inputs.VERSION }} bunkerweb${{ inputs.SEPARATOR }}${{ inputs.BW_VERSION }}${{ inputs.SEPARATOR }}${{ inputs.SUFFIX }}${{ inputs.PACKAGE_ARCH }}.${{ inputs.PACKAGE }}
|
||||
continue-on-error: true
|
||||
env:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
||||
# Update name
|
||||
# - name: Rename package
|
||||
# if: inputs.BW_VERSION == 'testing'
|
||||
# run: sudo apt install -y rename && rename 's/[0-9]\.[0-9]\.[0-9]/testing/' /tmp/${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
|
||||
# Push package
|
||||
- name: Push package to packagecloud
|
||||
uses: danielmundi/upload-packagecloud@46cd0e61152bf952dbc0d1759e609d3d22649030 # v1
|
||||
with:
|
||||
PACKAGE-NAME: /tmp/${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
|
||||
PACKAGECLOUD-USERNAME: bunkerity
|
||||
PACKAGECLOUD-REPO: ${{ inputs.REPO }}
|
||||
PACKAGECLOUD-DISTRIB: ${{ inputs.LINUX }}/${{ inputs.VERSION }}
|
||||
PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
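Review bot: `run: gem install package_cloud` pulls an unpinned gem into the job that later exposes `PACKAGECLOUD_TOKEN`, while every `uses:` in the same file is pinned to a commit SHA. If the publish job is kept in any form, pin the gem version so the publishing credential is only handed to a known release. The `ARCH` input is declared `required: true` but never referenced in the steps; only `PACKAGE_ARCH` is used.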
295
.github/workflows/release.yml
vendored
|
@ -1,295 +0,0 @@
|
|||
name: Automatic push (RELEASE)
|
||||
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [master]
|
||||
|
||||
jobs:
|
||||
scorecards-analysis:
|
||||
uses: ./.github/workflows/scorecards-analysis.yml
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# Build amd64 + 386 containers images
|
||||
build-containers:
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
arch: [linux/amd64, linux/386]
|
||||
include:
|
||||
- release: latest
|
||||
cache: false
|
||||
push: false
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
- arch: linux/amd64
|
||||
cache_suffix: amd64
|
||||
- arch: linux/386
|
||||
cache_suffix: "386"
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
CACHE: ${{ matrix.cache }}
|
||||
PUSH: ${{ matrix.push }}
|
||||
CACHE_SUFFIX: ${{ matrix.cache_suffix }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Create ARM environment
|
||||
create-arm:
|
||||
uses: ./.github/workflows/create-arm.yml
|
||||
secrets:
|
||||
SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
|
||||
SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Build arm64 + arm/v7 images
|
||||
build-containers-arm:
|
||||
needs: [create-arm]
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
arch: ["linux/arm64,linux/arm/v7"]
|
||||
include:
|
||||
- release: latest
|
||||
cache: false
|
||||
push: false
|
||||
cache_suffix: arm
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
CACHE: ${{ matrix.cache }}
|
||||
PUSH: ${{ matrix.push }}
|
||||
CACHE_SUFFIX: ${{ matrix.cache_suffix }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
needs: [create-arm]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
platforms: [linux/amd64, linux/arm64]
|
||||
include:
|
||||
- release: latest
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
- linux: debian
|
||||
package: deb
|
||||
- linux: fedora
|
||||
package: rpm
|
||||
- linux: rhel
|
||||
package: rpm
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: ${{ matrix.release }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: false
|
||||
PLATFORMS: ${{ matrix.platforms }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Wait for all builds and extract VERSION
|
||||
wait-builds:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [codeql, build-containers, build-containers-arm, build-packages]
|
||||
outputs:
|
||||
version: ${{ steps.getversion.outputs.version }}
|
||||
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
|
||||
steps:
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Get VERSION
|
||||
id: getversion
|
||||
run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"
|
||||
- name: Get VERSION (for RPM based)
|
||||
id: getversionrpm
|
||||
run: echo "versionrpm=$(cat src/VERSION | tr -d '\n' | sed 's/-/_/g')" >> "$GITHUB_OUTPUT"
|
||||
|
||||
# Push Docker images
|
||||
push-images:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
needs: [create-arm, wait-builds]
|
||||
strategy:
|
||||
matrix:
|
||||
image:
|
||||
[bunkerweb, bunkerweb-scheduler, bunkerweb-autoconf, bunkerweb-ui]
|
||||
include:
|
||||
- release: latest
|
||||
- image: bunkerweb
|
||||
cache_from: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: bunkerweb-scheduler
|
||||
cache_from: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: bunkerweb-autoconf
|
||||
cache_from: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: bunkerweb-ui
|
||||
cache_from: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/push-docker.yml
|
||||
with:
|
||||
IMAGE: ${{ matrix.image }}
|
||||
TAGS: bunkerity/${{ matrix.image }}:${{ matrix.release }},bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }},ghcr.io/bunkerity/${{ matrix.image }}:${{ matrix.release }},ghcr.io/bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }}
|
||||
CACHE_FROM: ${{ matrix.cache_from }}-${{ matrix.release }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
|
||||
ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
|
||||
ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
|
||||
|
||||
# Push Linux packages
|
||||
push-packages:
|
||||
needs: [wait-builds]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, el]
|
||||
arch: [amd64, arm64]
|
||||
include:
|
||||
- release: latest
|
||||
repo: bunkerweb
|
||||
- linux: ubuntu
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: jammy
|
||||
package: deb
|
||||
- linux: debian
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: bullseye
|
||||
package: deb
|
||||
- linux: fedora
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 38
|
||||
package: rpm
|
||||
- linux: el
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 8
|
||||
package: rpm
|
||||
- linux: ubuntu
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: debian
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: fedora
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: el
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: ubuntu
|
||||
arch: arm64
|
||||
package_arch: arm64
|
||||
- linux: debian
|
||||
arch: arm64
|
||||
package_arch: arm64
|
||||
- linux: fedora
|
||||
arch: arm64
|
||||
package_arch: aarch64
|
||||
- linux: el
|
||||
arch: arm64
|
||||
package_arch: aarch64
|
||||
uses: ./.github/workflows/push-packagecloud.yml
|
||||
with:
|
||||
SEPARATOR: ${{ matrix.separator }}
|
||||
SUFFIX: ${{ matrix.suffix }}
|
||||
REPO: ${{ matrix.repo }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
VERSION: ${{ matrix.version }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
|
||||
PACKAGE_ARCH: ${{ matrix.package_arch }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
||||
|
||||
# Create doc PDF
|
||||
doc-pdf:
|
||||
needs: [wait-builds, push-images, push-packages]
|
||||
uses: ./.github/workflows/doc-to-pdf.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
|
||||
# Push on GH
|
||||
push-gh:
|
||||
needs: [wait-builds, doc-pdf]
|
||||
permissions:
|
||||
contents: write
|
||||
discussions: write
|
||||
uses: ./.github/workflows/push-github.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
PRERELEASE: false
|
||||
|
||||
# Push doc
|
||||
push-doc:
|
||||
needs: [wait-builds, push-gh]
|
||||
permissions:
|
||||
contents: write
|
||||
uses: ./.github/workflows/push-doc.yml
|
||||
with:
|
||||
VERSION: ${{ needs.wait-builds.outputs.version }}
|
||||
ALIAS: latest
|
||||
secrets:
|
||||
BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
|
||||
|
||||
# Remove ARM VM
|
||||
rm-arm:
|
||||
if: ${{ always() }}
|
||||
needs: [create-arm, push-images, build-packages]
|
||||
uses: ./.github/workflows/rm-arm.yml
|
||||
secrets:
|
||||
ARM_ID: ${{ needs.create-arm.outputs.id }}
|
||||
SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
|
||||
SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
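Review bot: the `codeql` and `scorecards-analysis` jobs at the top of this file are the only visible trigger for code scanning on pushes to `master`, so removing the file drops that coverage unless another workflow provides it. The jobs also reference `container-build.yml`, `create-arm.yml`, `codeql.yml` and `doc-to-pdf.yml` through `uses:`; those are not among the files shown here, so check that they are removed too rather than left as orphaned reusable workflows. The `SCW_*`, `ARM_SSH_*`, `DOCKER_*`, `PACKAGECLOUD_TOKEN` and `BUNKERBOT_TOKEN` secrets passed down from here should be cleaned up with it.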
32
.github/workflows/rm-arm.yml
vendored
|
@ -1,32 +0,0 @@
|
|||
name: Create ARM node (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
secrets:
|
||||
SCW_ACCESS_KEY:
|
||||
required: true
|
||||
SCW_SECRET_KEY:
|
||||
required: true
|
||||
SCW_DEFAULT_PROJECT_ID:
|
||||
required: true
|
||||
SCW_DEFAULT_ORGANIZATION_ID:
|
||||
required: true
|
||||
ARM_ID:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
rm:
|
||||
if: ${{ always() }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Delete ARM VM
|
||||
uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
|
||||
with:
|
||||
args: instance server delete ${{ secrets.ARM_ID }} zone=fr-par-2 with-ip=true with-volumes=all force-shutdown=true
|
||||
access-key: ${{ secrets.SCW_ACCESS_KEY }}
|
||||
secret-key: ${{ secrets.SCW_SECRET_KEY }}
|
||||
default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
|
||||
default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
|
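Review bot: the first line reads `name: Create ARM node (REUSABLE)` although the only job deletes the instance ("Delete ARM VM"), which looks like a leftover from copying create-arm.yml and makes run logs misleading. The `scaleway/action-scw` pin is also the only `uses:` in these workflows without a trailing version comment, so the SHA cannot be matched to a release at a glance.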
30
.github/workflows/scorecards-analysis.yml
vendored
|
@ -1,30 +0,0 @@
|
|||
name: Scorecard analysis workflow
|
||||
|
||||
on:
|
||||
branch_protection_rule:
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: "30 1 * * 6"
|
||||
workflow_call:
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
publish_results: true
|
||||
- name: "Upload SARIF results to code scanning"
|
||||
uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
|
||||
with:
|
||||
sarif_file: results.sarif
|
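Review bot: the workflow sets `permissions: read-all` and the `analysis` job adds nothing to it, yet the job runs with `publish_results: true` and then uploads SARIF; those steps need `id-token: write` and `security-events: write` respectively. The caller in release.yml grants `security-events: write` to the `codeql` job but gives `scorecards-analysis` no `permissions:` block, so as written the upload would be refused. If scorecard is kept in another form, add the two write scopes at job level only.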
62
.github/workflows/staging-create-infra.yml
vendored
|
@ -1,62 +0,0 @@
|
|||
name: Create staging infra (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
TYPE:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
CICD_SECRETS:
|
||||
required: true
|
||||
SECRET_KEY:
|
||||
required: true
|
||||
K8S_IP:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
create:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Generate SSH keypair
|
||||
run: ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N "" && ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub && echo -e "Host *\n StrictHostKeyChecking no" > ~/.ssh/ssh_config
|
||||
if: inputs.TYPE != 'k8s'
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Install terraform
|
||||
uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
|
||||
- name: Install kubectl
|
||||
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
|
||||
if: inputs.TYPE == 'k8s'
|
||||
with:
|
||||
version: "v1.28.2"
|
||||
- name: Set up Python 3.11
|
||||
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
|
||||
if: inputs.TYPE != 'k8s'
|
||||
with:
|
||||
python-version: "3.11"
|
||||
- name: Install ansible
|
||||
run: pip install --no-cache-dir --require-hashes -r misc/requirements-ansible.txt
|
||||
if: inputs.TYPE != 'k8s'
|
||||
- name: Install ansible libs
|
||||
run: ansible-galaxy install --timeout 120 monolithprojects.github_actions_runner,1.18.1 && ansible-galaxy collection install --timeout 120 community.general
|
||||
if: inputs.TYPE != 'k8s'
|
||||
# Create infra
|
||||
- run: ./tests/create.sh ${{ inputs.TYPE }}
|
||||
env:
|
||||
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
|
||||
K8S_IP: ${{ secrets.K8S_IP }}
|
||||
- run: |
|
||||
tar -cf terraform.tar /tmp/${{ inputs.TYPE }}
|
||||
echo "$SECRET_KEY" > /tmp/.secret_key
|
||||
openssl enc -in terraform.tar -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out terraform.tar.enc
|
||||
rm -f /tmp/.secret_key
|
||||
if: always()
|
||||
env:
|
||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||
if: always()
|
||||
with:
|
||||
name: tf-${{ inputs.TYPE }}
|
||||
path: terraform.tar.enc
|
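Review bot: "Generate SSH keypair" writes `Host *` with `StrictHostKeyChecking no`, which turns off host key verification for every host the job connects to, and it writes it to `~/.ssh/ssh_config`, which ssh does not read by default (the per-user file is `~/.ssh/config`), so the effective behaviour depends on how `tests/create.sh` invokes ssh. If this is reused, scope the setting to the staging hosts or use `accept-new` with a fresh known_hosts file. In the encryption step, `/tmp/.secret_key` is only removed when `openssl enc` succeeds, because the `run:` script stops at the first failing command.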
49
.github/workflows/staging-delete-infra.yml
vendored
|
@ -1,49 +0,0 @@
|
|||
name: Delete staging infra (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
TYPE:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
CICD_SECRETS:
|
||||
required: true
|
||||
SECRET_KEY:
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
delete:
|
||||
if: ${{ always() }}
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 15
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Install terraform
|
||||
uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: tf-${{ inputs.TYPE }}
|
||||
path: /tmp
|
||||
- run: |
|
||||
echo "$SECRET_KEY" > /tmp/.secret_key
|
||||
openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
|
||||
rm -f /tmp/.secret_key
|
||||
tar xf /tmp/terraform.tar -C / && mkdir ~/.ssh && touch ~/.ssh/id_rsa.pub
|
||||
env:
|
||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
- uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
|
||||
if: inputs.TYPE == 'k8s'
|
||||
with:
|
||||
version: "v1.28.2"
|
||||
# Remove infra
|
||||
- run: kubectl delete daemonsets,replicasets,services,deployments,pods,rc,ingress,statefulsets --all --all-namespaces --timeout=60s ; kubectl delete pvc --all --timeout=60s ; kubectl delete pv --all --timeout=60s
|
||||
if: inputs.TYPE == 'k8s'
|
||||
continue-on-error: true
|
||||
env:
|
||||
KUBECONFIG: /tmp/k8s/kubeconfig
|
||||
- run: ./tests/rm.sh ${{ inputs.TYPE }}
|
||||
env:
|
||||
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
|
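Review bot: the decrypt step runs `tar xf /tmp/terraform.tar -C /` on an artifact protected only by `openssl enc -aes-256-cbc`, which provides no integrity check, so a modified `terraform.tar.enc` would be unpacked relative to the filesystem root without detection. If the state hand-off is kept, authenticate the artifact (for example an HMAC over the ciphertext checked before decryption) and extract into a dedicated directory instead of `/`. As in the create workflow, `rm -f /tmp/.secret_key` is skipped when the `openssl` line fails.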
138
.github/workflows/staging-tests.yml
vendored
|
@ -1,138 +0,0 @@
|
|||
name: Perform staging tests (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
TYPE:
|
||||
required: true
|
||||
type: string
|
||||
RUNS_ON:
|
||||
required: true
|
||||
type: string
|
||||
# secrets:
|
||||
# PRIVATE_REGISTRY:
|
||||
# required: true
|
||||
# PRIVATE_REGISTRY_TOKEN:
|
||||
# required: true
|
||||
# TEST_DOMAINS:
|
||||
# required: true
|
||||
# ROOT_DOMAIN:
|
||||
# required: true
|
||||
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ${{ fromJSON(inputs.RUNS_ON) }}
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- run: docker pull ghcr.io/bunkerity/bunkerweb-tests:testing && docker tag ghcr.io/bunkerity/bunkerweb-tests:testing local/bunkerweb-tests:latest
|
||||
if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
|
||||
- run: docker pull ghcr.io/bunkerity/scheduler-tests:testing && docker tag ghcr.io/bunkerity/scheduler-tests:testing local/scheduler-tests:latest
|
||||
if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
|
||||
- run: docker pull ghcr.io/bunkerity/autoconf-tests:testing && docker tag ghcr.io/bunkerity/autoconf-tests:testing local/autoconf-tests:latest
|
||||
if: contains(fromJSON('["autoconf", "swarm"]'), inputs.TYPE)
|
||||
- name: Push images to local repo
|
||||
run: docker tag local/bunkerweb-tests:latest 192.168.42.100:5000/bunkerweb-tests:latest && docker push 192.168.42.100:5000/bunkerweb-tests:latest && docker tag local/scheduler-tests:latest 192.168.42.100:5000/scheduler-tests:latest && docker push 192.168.42.100:5000/scheduler-tests:latest && docker tag local/autoconf-tests:latest 192.168.42.100:5000/autoconf-tests:latest && docker push 192.168.42.100:5000/autoconf-tests:latest
|
||||
if: inputs.TYPE == 'swarm'
|
||||
- name: Install test dependencies
|
||||
run: pip3 install --no-cache-dir --require-hashes -r tests/requirements.txt
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: tf-k8s
|
||||
path: /tmp
|
||||
if: inputs.TYPE == 'k8s'
|
||||
- run: |
|
||||
echo "$SECRET_KEY" > /tmp/.secret_key
|
||||
openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
|
||||
rm -f /tmp/.secret_key
|
||||
tar xf /tmp/terraform.tar -C /
|
||||
mkdir /tmp/reg
|
||||
cp tests/terraform/k8s-reg.tf /tmp/reg
|
||||
cp tests/terraform/providers.tf /tmp/reg
|
||||
cd /tmp/reg
|
||||
export TF_VAR_k8s_reg_user=${REG_USER}
|
||||
export TF_VAR_k8s_reg_token=${REG_TOKEN}
|
||||
terraform init
|
||||
terraform apply -auto-approve
|
||||
env:
|
||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
REG_USER: ${{ github.actor }}
|
||||
REG_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
if: inputs.TYPE == 'k8s'
|
||||
- uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
|
||||
if: inputs.TYPE == 'k8s'
|
||||
with:
|
||||
version: "v1.28.2"
|
||||
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
|
||||
if: inputs.TYPE == 'k8s'
|
||||
- name: Pull BW linux ubuntu test image
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: docker pull ghcr.io/bunkerity/ubuntu-tests:testing && docker tag ghcr.io/bunkerity/ubuntu-tests:testing local/ubuntu:latest
|
||||
- name: Pull BW linux debian test image
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: docker pull ghcr.io/bunkerity/debian-tests:testing && docker tag ghcr.io/bunkerity/debian-tests:testing local/debian:latest
|
||||
- name: Pull BW linux fedora test image
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: docker pull ghcr.io/bunkerity/fedora-tests:testing && docker tag ghcr.io/bunkerity/fedora-tests:testing local/fedora:latest
|
||||
- name: Pull BW linux rhel test image
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: docker pull ghcr.io/bunkerity/rhel-tests:testing && docker tag ghcr.io/bunkerity/rhel-tests:testing local/rhel:latest
|
||||
# Do tests
|
||||
- name: Run tests
|
||||
if: inputs.TYPE == 'docker'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_DOCKER }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run tests
|
||||
if: inputs.TYPE == 'autoconf'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_AUTOCONF }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run tests
|
||||
if: inputs.TYPE == 'swarm'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_SWARM }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run tests
|
||||
if: inputs.TYPE == 'k8s'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "kubernetes"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_KUBERNETES }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
KUBECONFIG: "/tmp/k8s/kubeconfig"
|
||||
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
|
||||
IMAGE_TAG: "testing"
|
||||
- name: Run Linux ubuntu tests
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run Linux debian tests
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "debian"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run Linux fedora tests
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "fedora"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
||||
- name: Run Linux rhel tests
|
||||
if: inputs.TYPE == 'linux'
|
||||
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "rhel"
|
||||
env:
|
||||
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
|
||||
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
|
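Review bot: in the `inputs.TYPE == 'k8s'` step, `echo "$SECRET_KEY" > /tmp/.secret_key` creates the key file with the default umask, and the `rm -f /tmp/.secret_key` that follows is skipped when `openssl enc -d` exits non-zero, because GitHub Actions runs `run:` blocks with `bash -e`. Set `umask 077` before the write and remove the file from a `trap ... EXIT`, or pass the passphrase with `-pass env:SECRET_KEY` so it never reaches disk. The `Run tests` steps also paste `${{ inputs.TYPE }}` straight into the script text; handing it over through `env:`, as is already done for `TEST_DOMAINS`, keeps the value out of the shell source.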
273
.github/workflows/staging.yml
vendored
|
@ -1,273 +0,0 @@
|
|||
name: Automatic tests (STAGING)
|
||||
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [staging]
|
||||
|
||||
jobs:
|
||||
# Build Docker images
|
||||
build-containers:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, autoconf, ui]
|
||||
include:
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: autoconf
|
||||
dockerfile: src/autoconf/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
ARCH: linux/amd64
|
||||
CACHE: true
|
||||
PUSH: true
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, rhel]
|
||||
include:
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
- linux: debian
|
||||
package: deb
|
||||
- linux: fedora
|
||||
package: rpm
|
||||
- linux: rhel
|
||||
package: rpm
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: true
|
||||
PLATFORMS: linux/amd64
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# Create infrastructures and prepare tests
|
||||
create-infras:
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
uses: ./.github/workflows/staging-create-infra.yml
|
||||
with:
|
||||
TYPE: ${{ matrix.type }}
|
||||
secrets:
|
||||
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
|
||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
K8S_IP: ${{ secrets.K8S_IP }}
|
||||
prepare-tests-core:
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- id: set-matrix
|
||||
run: |
|
||||
tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
|
||||
echo "tests=$tests" >> $GITHUB_OUTPUT
|
||||
outputs:
|
||||
tests: ${{ steps.set-matrix.outputs.tests }}
|
||||
|
||||
# Perform tests
|
||||
tests-ui:
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
tests-ui-linux:
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
staging-tests:
|
||||
needs: [create-infras]
|
||||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
include:
|
||||
- type: docker
|
||||
runs_on: "['self-hosted', 'bw-docker']"
|
||||
- type: autoconf
|
||||
runs_on: "['self-hosted', 'bw-autoconf']"
|
||||
- type: swarm
|
||||
runs_on: "['self-hosted', 'bw-swarm']"
|
||||
- type: k8s
|
||||
runs_on: "['ubuntu-latest']"
|
||||
- type: linux
|
||||
runs_on: "['self-hosted', 'bw-linux']"
|
||||
uses: ./.github/workflows/staging-tests.yml
|
||||
with:
|
||||
TYPE: ${{ matrix.type }}
|
||||
RUNS_ON: ${{ matrix.runs_on }}
|
||||
secrets: inherit
|
||||
tests-core:
|
||||
needs: prepare-tests-core
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
|
||||
uses: ./.github/workflows/test-core.yml
|
||||
with:
|
||||
TEST: ${{ matrix.test }}
|
||||
RELEASE: testing
|
||||
tests-core-linux:
|
||||
needs: prepare-tests-core
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
|
||||
uses: ./.github/workflows/test-core-linux.yml
|
||||
with:
|
||||
TEST: ${{ matrix.test }}
|
||||
RELEASE: testing
|
||||
secrets: inherit
|
||||
|
||||
# Delete infrastructures
|
||||
delete-infras:
|
||||
if: ${{ always() }}
|
||||
needs: [staging-tests]
|
||||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
uses: ./.github/workflows/staging-delete-infra.yml
|
||||
with:
|
||||
TYPE: ${{ matrix.type }}
|
||||
secrets:
|
||||
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
|
||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
|
||||
# Push Docker images
|
||||
push-images:
|
||||
needs: [staging-tests, tests-ui, tests-core]
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Login to Docker Hub
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_TOKEN }}
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Push BW image
|
||||
run: docker pull ghcr.io/bunkerity/bunkerweb-tests:testing && docker tag ghcr.io/bunkerity/bunkerweb-tests:testing bunkerity/bunkerweb:testing && docker push bunkerity/bunkerweb:testing && docker tag bunkerity/bunkerweb:testing ghcr.io/bunkerity/bunkerweb:testing && docker push ghcr.io/bunkerity/bunkerweb:testing
|
||||
- name: Push scheduler image
|
||||
run: docker pull ghcr.io/bunkerity/scheduler-tests:testing && docker tag ghcr.io/bunkerity/scheduler-tests:testing bunkerity/bunkerweb-scheduler:testing && docker push bunkerity/bunkerweb-scheduler:testing && docker tag bunkerity/bunkerweb-scheduler:testing ghcr.io/bunkerity/bunkerweb-scheduler:testing && docker push ghcr.io/bunkerity/bunkerweb-scheduler:testing
|
||||
- name: Push UI image
|
||||
run: docker pull ghcr.io/bunkerity/ui-tests:testing && docker tag ghcr.io/bunkerity/ui-tests:testing bunkerity/bunkerweb-ui:testing && docker push bunkerity/bunkerweb-ui:testing && docker tag bunkerity/bunkerweb-ui:testing ghcr.io/bunkerity/bunkerweb-ui:testing && docker push ghcr.io/bunkerity/bunkerweb-ui:testing
|
||||
- name: Push autoconf image
|
||||
run: docker pull ghcr.io/bunkerity/autoconf-tests:testing && docker tag ghcr.io/bunkerity/autoconf-tests:testing bunkerity/bunkerweb-autoconf:testing && docker push bunkerity/bunkerweb-autoconf:testing && docker tag bunkerity/bunkerweb-autoconf:testing ghcr.io/bunkerity/bunkerweb-autoconf:testing && docker push ghcr.io/bunkerity/bunkerweb-autoconf:testing
|
||||
|
||||
# Push Linux packages
|
||||
push-packages:
|
||||
needs: [staging-tests, tests-ui-linux, tests-core-linux]
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu, debian, fedora, el]
|
||||
arch: [amd64]
|
||||
include:
|
||||
- release: testing
|
||||
repo: bunkerweb
|
||||
- linux: ubuntu
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: jammy
|
||||
package: deb
|
||||
- linux: debian
|
||||
separator: _
|
||||
suffix: ""
|
||||
version: bullseye
|
||||
package: deb
|
||||
- linux: fedora
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 38
|
||||
package: rpm
|
||||
- linux: el
|
||||
separator: "-"
|
||||
suffix: "1."
|
||||
version: 8
|
||||
package: rpm
|
||||
- linux: ubuntu
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: debian
|
||||
arch: amd64
|
||||
package_arch: amd64
|
||||
- linux: fedora
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
- linux: el
|
||||
arch: amd64
|
||||
package_arch: x86_64
|
||||
uses: ./.github/workflows/push-packagecloud.yml
|
||||
with:
|
||||
SEPARATOR: ${{ matrix.separator }}
|
||||
SUFFIX: ${{ matrix.suffix }}
|
||||
REPO: ${{ matrix.repo }}
|
||||
LINUX: ${{ matrix.linux }}
|
||||
VERSION: ${{ matrix.version }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
BW_VERSION: ${{ matrix.release }}
|
||||
PACKAGE_ARCH: ${{ matrix.package_arch }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
secrets:
|
||||
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
|
||||
|
||||
# Push doc
|
||||
push-doc:
|
||||
needs: [push-images, push-packages]
|
||||
permissions:
|
||||
contents: write
|
||||
uses: ./.github/workflows/push-doc.yml
|
||||
with:
|
||||
VERSION: testing
|
||||
ALIAS: unstable
|
||||
secrets:
|
||||
BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
|
||||
|
||||
# Push on GH
|
||||
push-gh:
|
||||
needs: [push-doc]
|
||||
permissions:
|
||||
contents: write
|
||||
discussions: write
|
||||
uses: ./.github/workflows/push-github.yml
|
||||
with:
|
||||
VERSION: testing
|
||||
PRERELEASE: true
|
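Review bot: `staging-tests` and `tests-core-linux` hand every repository secret to the called workflow with `secrets: inherit`, and four of the five `staging-tests` matrix entries run on `self-hosted` runners, whereas `create-infras`, `delete-infras` and `push-packages` list their secrets by name. The `@ -1,273 +0,0 @` header shows the file going away entirely; if the pipeline is re-created elsewhere, pass only the secrets the called workflow actually reads, and check that something still enforces the `needs:` chain that puts `codeql` and the test jobs in front of `push-images` and `push-packages`.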
97
.github/workflows/test-core-linux.yml
vendored
|
@ -1,97 +0,0 @@
|
|||
name: Core test Linux (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
TEST:
|
||||
required: true
|
||||
type: string
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Set up Python 3.11
|
||||
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
|
||||
with:
|
||||
python-version: "3.11"
|
||||
- name: Install Firefox manually and dependencies
|
||||
run: |
|
||||
sudo apt purge -y firefox
|
||||
sudo apt update
|
||||
sudo apt install --no-install-recommends -y openssl git nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2 libdbus-glib-1-2 libxtst6 libxt6 php-fpm unzip
|
||||
wget -O firefox-setup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64"
|
||||
sudo tar -xjf firefox-setup.tar.bz2 -C /opt/
|
||||
sudo rm -f /usr/bin/firefox
|
||||
sudo ln -s /opt/firefox/firefox /usr/bin/firefox
|
||||
sudo chmod 755 /opt/firefox /opt/firefox/firefox
|
||||
rm -f firefox-setup.tar.bz2
|
||||
- name: Download geckodriver
|
||||
uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
|
||||
with:
|
||||
max_attempts: 3
|
||||
timeout_minutes: 20
|
||||
command: |
|
||||
GECKODRIVER_VERSION=`curl -i https://github.com/mozilla/geckodriver/releases/latest | grep -Po 'v[0-9]+\.[0-9]+\.[0-9]+'` && \
|
||||
wget -O geckodriver.tar.gz -w 5 https://github.com/mozilla/geckodriver/releases/download/$GECKODRIVER_VERSION/geckodriver-$GECKODRIVER_VERSION-linux64.tar.gz
|
||||
sudo tar -xzf geckodriver.tar.gz -C /usr/local/bin
|
||||
sudo chmod +x /usr/local/bin/geckodriver
|
||||
rm -f geckodriver.tar.gz
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Pull BW linux ubuntu test image
|
||||
run: docker pull ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}
|
||||
- name: Copy deb file to host
|
||||
run: |
|
||||
container_id=$(docker create "ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}")
|
||||
docker cp "$container_id:/opt/bunkerweb_${{ inputs.RELEASE }}-1_amd64.deb" "/tmp/bunkerweb.deb"
|
||||
docker rm "$container_id"
|
||||
- name: Install BunkerWeb
|
||||
run: |
|
||||
sudo apt install -y gnupg2 ca-certificates lsb-release ubuntu-keyring
|
||||
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
|
||||
sudo apt update
|
||||
sudo apt install -y nginx=1.24.0-1~jammy
|
||||
- name: Fix version without a starting number
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
||||
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
|
||||
- name: Edit configuration files
|
||||
run: |
|
||||
# Misc
|
||||
echo "127.0.0.1 www.example.com" | sudo tee -a /etc/hosts
|
||||
echo "127.0.0.1 app1.example.com" | sudo tee -a /etc/hosts
|
||||
echo "127.0.0.1 bwadm.example.com" | sudo tee -a /etc/hosts
|
||||
sudo cp ./tests/www-deb.conf /etc/php/8.1/fpm/pool.d/www.conf
|
||||
sudo systemctl stop php8.1-fpm
|
||||
sudo systemctl start php8.1-fpm
|
||||
# BunkerWeb
|
||||
sudo mkdir -p /etc/bunkerweb
|
||||
echo "SERVER_NAME=www.example.com" | sudo tee /etc/bunkerweb/variables.env
|
||||
echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_BUNKERNET=no" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_BLACKLIST=no" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "LOG_LEVEL=info" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
sudo chown nginx:nginx /etc/bunkerweb/variables.env
|
||||
sudo chmod 777 /etc/bunkerweb/variables.env
|
||||
- name: Install BunkerWeb
|
||||
run: sudo apt install -fy /tmp/bunkerweb.deb
|
||||
- name: Run tests
|
||||
run: |
|
||||
cd ./tests/core/${{ inputs.TEST }}
|
||||
MAKEFLAGS="-j $(nproc)" find . -name "requirements.txt" -exec pip install --no-cache-dir --require-hashes -r {} \;
|
||||
sudo truncate -s 0 /var/log/bunkerweb/error.log
|
||||
./test.sh "linux"
|
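Review bot: the actions in this file are pinned to commit SHAs and `pip install` uses `--require-hashes`, but Firefox (`product=firefox-latest-ssl`) and geckodriver (version scraped from `releases/latest`) are fetched unpinned, never checksum-verified, and unpacked with `sudo tar` into `/opt/` and `/usr/local/bin`. Pin both to a fixed version and compare a recorded SHA-256 before extracting. Lower down, `sudo chmod 777 /etc/bunkerweb/variables.env` is wider than the preceding `chown nginx:nginx` calls for; a mode without world-write would fit.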
36
.github/workflows/test-core.yml
vendored
|
@ -1,36 +0,0 @@
|
|||
name: Core test (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
TEST:
|
||||
required: true
|
||||
type: string
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Pull BW image
|
||||
run: docker pull ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} bunkerweb-tests
|
||||
- name: Pull Scheduler image
|
||||
run: docker pull ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} scheduler-tests
|
||||
# Run test
|
||||
- name: Run test
|
||||
run: |
|
||||
cd ./tests/core/${{ inputs.TEST }}
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb:.*@bunkerweb-tests@" {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb-scheduler:.*@scheduler-tests@" {} \;
|
||||
./test.sh "docker"
|
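Review bot: `cd ./tests/core/${{ inputs.TEST }}` in the `Run test` step expands the expression into the script before bash parses it, and the caller in `staging.yml` builds `TEST` from directory names found under `./tests/core/`, so a directory name containing shell metacharacters would be executed rather than treated as a path. Pass the value through `env:` (for example `TEST: ${{ inputs.TEST }}`) and use `cd "./tests/core/$TEST"`; the same applies to `${{ inputs.RELEASE }}` in the two `docker pull` lines.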
118
.github/workflows/tests-ui-linux.yml
vendored
|
@ -1,118 +0,0 @@
|
|||
name: Core test Linux (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Set up Python 3.11
|
||||
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
|
||||
with:
|
||||
python-version: "3.11"
|
||||
- name: Install Firefox manually and dependencies
|
||||
run: |
|
||||
sudo apt purge -y firefox
|
||||
sudo apt update
|
||||
sudo apt install --no-install-recommends -y zip nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2 libdbus-glib-1-2 libxtst6 libxt6
|
||||
wget -O firefox-setup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64"
|
||||
sudo tar -xjf firefox-setup.tar.bz2 -C /opt/
|
||||
sudo rm -f /usr/bin/firefox
|
||||
sudo ln -s /opt/firefox/firefox /usr/bin/firefox
|
||||
sudo chmod 755 /opt/firefox /opt/firefox/firefox
|
||||
rm -f firefox-setup.tar.bz2
|
||||
- name: Download geckodriver
|
||||
uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
|
||||
with:
|
||||
max_attempts: 3
|
||||
timeout_minutes: 20
|
||||
command: |
|
||||
GECKODRIVER_VERSION=`curl -i https://github.com/mozilla/geckodriver/releases/latest | grep -Po 'v[0-9]+\.[0-9]+\.[0-9]+'` && \
|
||||
wget -O geckodriver.tar.gz -w 5 https://github.com/mozilla/geckodriver/releases/download/$GECKODRIVER_VERSION/geckodriver-$GECKODRIVER_VERSION-linux64.tar.gz
|
||||
sudo tar -xzf geckodriver.tar.gz -C /usr/local/bin
|
||||
sudo chmod +x /usr/local/bin/geckodriver
|
||||
rm -f geckodriver.tar.gz
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Pull BW linux ubuntu test image
|
||||
run: docker pull ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}
|
||||
- name: Copy deb file to host
|
||||
run: |
|
||||
container_id=$(docker create "ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}")
|
||||
docker cp "$container_id:/opt/bunkerweb_${{ inputs.RELEASE }}-1_amd64.deb" "/tmp/bunkerweb.deb"
|
||||
docker rm "$container_id"
|
||||
- name: Install BunkerWeb
|
||||
run: |
|
||||
sudo apt install -y gnupg2 ca-certificates lsb-release ubuntu-keyring
|
||||
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
|
||||
sudo apt update
|
||||
sudo apt install -y nginx=1.24.0-1~jammy
|
||||
- name: Fix version without a starting number
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
|
||||
- name: Install BunkerWeb
|
||||
run: sudo apt install -fy /tmp/bunkerweb.deb
|
||||
- name: Edit configuration files
|
||||
run: |
|
||||
# Misc
|
||||
echo "127.0.0.1 www.example.com" | sudo tee -a /etc/hosts
|
||||
echo "127.0.0.1 app1.example.com" | sudo tee -a /etc/hosts
|
||||
# BunkerWeb
|
||||
echo "SERVER_NAME=www.example.com" | sudo tee /etc/bunkerweb/variables.env
|
||||
echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "MULTISITE=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "LOG_LEVEL=info" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_BUNKERNET=no" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_BLACKLIST=no" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "DISABLE_DEFAULT_SERVER=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_CLIENT_CACHE=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "USE_GZIP=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "DATASTORE_MEMORY_SIZE=384m" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_USE_UI=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_SERVE_FILES=no" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_USE_REVERSE_PROXY=yes" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_REVERSE_PROXY_URL=/admin" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
echo "www.example.com_INTERCEPTED_ERROR_CODES=400 405 413 429 500 501 502 503 504" | sudo tee -a /etc/bunkerweb/variables.env
|
||||
|
||||
echo "ADMIN_USERNAME=admin" | sudo tee /etc/bunkerweb/ui.env
|
||||
echo "ADMIN_PASSWORD=S\$cr3tP@ssw0rd" | sudo tee -a /etc/bunkerweb/ui.env
|
||||
|
||||
sudo chown nginx:nginx /etc/bunkerweb/variables.env /etc/bunkerweb/ui.env
|
||||
sudo chmod 777 /etc/bunkerweb/variables.env /etc/bunkerweb/ui.env
|
||||
- name: Run tests
|
||||
run: |
|
||||
cd ./tests/ui
|
||||
MAKEFLAGS="-j $(nproc)" find . -name "requirements.txt" -exec pip install --no-cache-dir --require-hashes -r {} \;
|
||||
touch test.txt
|
||||
zip test.zip test.txt
|
||||
rm test.txt
|
||||
echo '{
|
||||
"id": "discord",
|
||||
"name": "Discord",
|
||||
"description": "Send alerts to a Discord channel (using webhooks).",
|
||||
"version": "0.1",
|
||||
"stream": "no",
|
||||
"settings": {}
|
||||
}' | tee plugin.json
|
||||
zip discord.zip plugin.json
|
||||
rm plugin.json
|
||||
./tests.sh "linux"
|
||||
env:
|
||||
MODE: ${{ inputs.RELEASE }}
|
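Review bot: `sudo chmod 777 /etc/bunkerweb/variables.env /etc/bunkerweb/ui.env` leaves the file that holds `ADMIN_PASSWORD` readable and writable by every user on the runner, right after `chown nginx:nginx` has already given the service account ownership; a narrower mode, owner and group only, fits better. The literal password sits in the workflow text and should be marked as a test-only fixture. Separately, `name: Core test Linux (REUSABLE)` duplicates the name used by `test-core-linux.yml`, so the two workflows are indistinguishable in the Actions UI.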
34
.github/workflows/tests-ui.yml
vendored
|
@ -1,34 +0,0 @@
|
|||
name: Perform tests for UI (REUSABLE)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
RELEASE:
|
||||
required: true
|
||||
type: string
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Prepare
|
||||
- name: Checkout source code
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Login to ghcr
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Pull BW image
|
||||
run: docker pull ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} bunkerweb-tests
|
||||
- name: Pull Scheduler image
|
||||
run: docker pull ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} scheduler-tests
|
||||
- name: Pull UI image
|
||||
run: docker pull ghcr.io/bunkerity/ui-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/ui-tests:${{ inputs.RELEASE }} ui-tests
|
||||
# Do tests
|
||||
- name: Run tests
|
||||
run: |
|
||||
cd ./tests/ui
|
||||
./tests.sh "docker"
|
||||
env:
|
||||
MODE: ${{ inputs.RELEASE }}
|
75
.github/workflows/ui.yml
vendored
|
@ -1,75 +0,0 @@
|
|||
name: Automatic tests (UI)
|
||||
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ui]
|
||||
|
||||
jobs:
|
||||
# Containers
|
||||
build-containers:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
image: [bunkerweb, scheduler, ui]
|
||||
include:
|
||||
- image: bunkerweb
|
||||
dockerfile: src/bw/Dockerfile
|
||||
- image: scheduler
|
||||
dockerfile: src/scheduler/Dockerfile
|
||||
- image: ui
|
||||
dockerfile: src/ui/Dockerfile
|
||||
uses: ./.github/workflows/container-build.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
CACHE: true
|
||||
ARCH: linux/amd64
|
||||
IMAGE: ${{ matrix.image }}
|
||||
DOCKERFILE: ${{ matrix.dockerfile }}
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu]
|
||||
include:
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: true
|
||||
PLATFORMS: linux/amd64
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# UI tests
|
||||
tests-ui:
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
tests-ui-linux:
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: ui
|
62
.gitignore
vendored
|
@ -1,8 +1,54 @@
|
|||
site/
|
||||
.idea/
|
||||
.vscode/
|
||||
__pycache__
|
||||
env
|
||||
node_modules
|
||||
/src/ui/*.txt
|
||||
.mypy_cache
|
||||
reindex
|
||||
.libs
|
||||
*.swp
|
||||
*.slo
|
||||
*.la
|
||||
*.swo
|
||||
*.lo
|
||||
*~
|
||||
*.o
|
||||
print.txt
|
||||
.rsync
|
||||
*.tar.gz
|
||||
dist
|
||||
build[78]
|
||||
build
|
||||
tags
|
||||
update-readme
|
||||
*.tmp
|
||||
test/Makefile
|
||||
test/blib
|
||||
test.sh
|
||||
t.sh
|
||||
t/t.sh
|
||||
test/t/servroot/
|
||||
releng
|
||||
reset
|
||||
*.t_
|
||||
genmobi.sh
|
||||
*.mobi
|
||||
misc/chunked
|
||||
src/headers.c
|
||||
src/headers.h
|
||||
src/module.c
|
||||
src/module.h
|
||||
src/util.c
|
||||
src/util.h
|
||||
go
|
||||
ctags
|
||||
src/in.c
|
||||
src/in.h
|
||||
src/out.c
|
||||
src/out.h
|
||||
build[89]
|
||||
build1[0-9]
|
||||
buildroot/
|
||||
work/
|
||||
all
|
||||
t/servroot
|
||||
analyze
|
||||
cov
|
||||
nginx
|
||||
*.plist
|
||||
a.patch
|
||||
Makefile
|
||||
|
|
|
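Review bot: many of the 54 entries that replace the original 8 are bare names with no leading `/` (`Makefile`, `nginx`, `build`, `dist`, `go`, `all`, `test.sh`), so they match at every depth of the tree, including the `test.sh` scripts the workflows invoke under `tests/core/<test>/`; newly added files with those names would be silently left untracked. The +/- markers did not survive rendering, but the `-1,8 +1,54` header fits `site/` through `.mypy_cache` being the removed entries, which would also mean `__pycache__`, `node_modules` and `env` stop being ignored. Anchor the new patterns with a leading `/` or keep them in a `.gitignore` inside the module's own directory, and retain the original eight.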
@ -1,2 +0,0 @@
|
|||
globals = {"ngx", "delay", "unpack"}
|
||||
ignore = {"411"}
|
|
@ -1,77 +0,0 @@
|
|||
# See https://pre-commit.com for more information
|
||||
# See https://pre-commit.com/hooks.html for more hooks
|
||||
exclude: (^LICENSE.md$|^src/VERSION$|^src/(bw/misc/root-ca.pem$|deps/src/|common/core/modsecurity/files|ui/static/js/(editor/|utils/purify/|tsparticles\.bundle\.min\.js))|\.(svg|drawio|patch\d?|ascii|tf|tftpl)$)
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0
|
||||
hooks:
|
||||
- id: requirements-txt-fixer
|
||||
name: Fix requirements.txt and requirements.in files
|
||||
description: Sorts entries in requirements.txt and requirements.in files.
|
||||
files: (requirements|constraints).*\.(txt|in)$
|
||||
- id: trailing-whitespace
|
||||
- id: end-of-file-fixer
|
||||
- id: check-yaml
|
||||
exclude: ^(mkdocs.yml|examples/bigbluebutton/docker-compose.yml)$
|
||||
args: ["--allow-multiple-documents"]
|
||||
- id: check-case-conflict
|
||||
|
||||
- repo: https://github.com/ambv/black
|
||||
rev: 2a1c67e0b2f81df602ec1f6e7aeb030b9709dc7c # frozen: 23.11.0
|
||||
hooks:
|
||||
- id: black
|
||||
name: Black Python Formatter
|
||||
language_version: python3.9
|
||||
|
||||
- repo: https://github.com/pre-commit/mirrors-prettier
|
||||
rev: ffb6a759a979008c0e6dff86e39f4745a2d9eac4 # frozen: v3.1.0
|
||||
hooks:
|
||||
- id: prettier
|
||||
name: Prettier Code Formatter
|
||||
|
||||
- repo: https://github.com/JohnnyMorganz/StyLua
|
||||
rev: f9afc7f33bc19f7708fbc1d7eea0606e0d41080a # frozen: v0.19.1
|
||||
hooks:
|
||||
- id: stylua-github
|
||||
exclude: ^src/(bw/lua/middleclass.lua|common/core/antibot/captcha.lua)$
|
||||
|
||||
- repo: https://github.com/lunarmodules/luacheck
|
||||
rev: ababb6d403d634eb74d2c541035e9ede966e710d # frozen: v1.1.1
|
||||
hooks:
|
||||
- id: luacheck
|
||||
exclude: ^src/(bw/lua/middleclass.lua|common/core/antibot/captcha.lua)$
|
||||
args: ["--std", "min", "--codes", "--ranges", "--no-cache"]
|
||||
|
||||
- repo: https://github.com/pycqa/flake8
|
||||
rev: 10f4af6dbcf93456ba7df762278ae61ba3120dc6 # frozen: 6.1.0
|
||||
hooks:
|
||||
- id: flake8
|
||||
name: Flake8 Python Linter
|
||||
args: ["--max-line-length=250", "--ignore=E266,E402,E722,W503"]
|
||||
|
||||
- repo: https://github.com/dosisod/refurb
|
||||
rev: 63209fc1735ef2497dd9c00774ba72a23bb1cdf9 # frozen: v1.23.0
|
||||
hooks:
|
||||
- id: refurb
|
||||
name: Refurb Python Refactoring Tool
|
||||
exclude: ^tests/
|
||||
|
||||
- repo: https://github.com/codespell-project/codespell
|
||||
rev: 6e41aba91fb32e9feb741a6258eefeb9c6e4a482 # frozen: v2.2.6
|
||||
hooks:
|
||||
- id: codespell
|
||||
name: Codespell Spell Checker
|
||||
exclude: (^src/(common/core/.+/files|bw/loading)/.+.html|modsecurity-rules.conf.*)$
|
||||
entry: codespell --ignore-regex="(tabEl|Widgits)" --skip src/ui/static/js/utils/flatpickr.js,CHANGELOG.md
|
||||
language: python
|
||||
types: [text]
|
||||
|
||||
- repo: https://github.com/gitleaks/gitleaks
|
||||
rev: b813e6fe08b87541cb77296359ba1b7a50a00c98 # frozen: v8.18.0
|
||||
hooks:
|
||||
- id: gitleaks
|
||||
|
||||
- repo: https://github.com/koalaman/shellcheck-precommit
|
||||
rev: 3f77b826548d8dc2d26675f077361c92773b50a7 # frozen: v0.9.0
|
||||
hooks:
|
||||
- id: shellcheck
|
|
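Review bot: the removal of the `gitleaks` and `shellcheck` hooks at the end of this hunk (along with `luacheck`, `flake8`, `codespell` and the rest of the pre-commit configuration) is not mentioned anywhere in the commit message, which lists only headers-more-nginx-module changes under `src/deps/src/`. Every hook here was pinned to a full commit hash with a `# frozen:` tag, so dropping the file also drops the pinned secret-scanning and lint gate for contributors. If the deletion is only a side effect of how the subtree squash is diffed, please say so in the description and confirm the file survives the merge. If it is intentional, split it into its own commit and state where these checks run instead.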
@ -1,20 +0,0 @@
|
|||
docs/
|
||||
env/
|
||||
*/env/
|
||||
*.min*
|
||||
src/common/core/modsecurity/
|
||||
src/deps/src/
|
||||
mkdocs.yml
|
||||
CHANGELOG.md
|
||||
CONTRIBUTING.md
|
||||
CODE_OF_CONDUCT.md
|
||||
LICENSE.md
|
||||
README.md
|
||||
SECURITY.md
|
||||
tsparticles.bundle.min.js
|
||||
flatpickr.*
|
||||
src/ui/static/js/editor/*
|
||||
src/ui/static/js/utils/purify/*
|
||||
src/ui/templates/*
|
||||
datepicker-foundation.css
|
||||
examples/*
|
324
CHANGELOG.md
|
@ -1,324 +0,0 @@
|
|||
# Changelog
|
||||
|
||||
## v1.5.3 -
|
||||
|
||||
- [BUGFIX] Fix BunkerWeb not loading his own settings after a docker restart
|
||||
- [BUGFIX] Fix Custom configs not following the service name after an update on the UI
|
||||
- [BUGFIX] Fix UI clearing configs folder at startup
|
||||
- [BUGFIX] Fix Database not clearing old services when not using multisite
|
||||
- [BUGFIX] Fix UI using the wrong database when generating the new config when using an external database
|
||||
- [BUGFIX] Small fixes on linux paths creating unnecessary folders
|
||||
- [BUGFIX] Fix ACME renewal fails on redirection enabled Service
|
||||
- [BUGFIX] Fix errors when using a server name with multiple values in web UI
|
||||
- [BUGFIX] Fix error when deleting a service that have custom configs on web UI
|
||||
- [BUGFIX] Fix rare bug where database is locked
|
||||
- [MISC] Updated core dependencies
|
||||
- [MISC] Updated self-signed job to regenerate the cert if the subject or the expiration date has changed
|
||||
- [MISC] Jobs that download files from urls will now remove old cached files if urls are empty
|
||||
- [MISC] Replaced gevent with gthread in UI for security reasons
|
||||
- [MISC] Add HTML sanitization when injecting code in pages in the UI
|
||||
- [MISC] Optimize the way the UI handles services creation and edition
|
||||
- [MISC] Optimize certbot renew script to renew all domains in one command
|
||||
- [MISC] Use capability instead of sudo in Linux
|
||||
- [SECURITY] Init work on OpenSSF best practices
|
||||
|
||||
## v1.5.2 - 2023/09/10
|
||||
|
||||
- [BUGFIX] Fix UI fetching only default values from the database (fixes no trash button too)
|
||||
- [BUGFIX] Fix infinite loop when using autoconf
|
||||
- [BUGFIX] Fix BunkerWeb fails to start after reboot on Fedora and Rhel
|
||||
- [BUGFIX] Fix logs page not working in UI on Linux integrations
|
||||
- [BUGFIX] Fix settings regex that had issues in general and with the UI
|
||||
- [BUGFIX] Fix scheduler error with external plugins when reloading
|
||||
- [BUGFIX] Fix permissions with folders in linux integrations
|
||||
- [MISC] Push Docker images to GitHub packages (ghcr.io repository)
|
||||
- [MISC] Improved CI/CD
|
||||
- [MISC] Updated python dependencies
|
||||
- [MISC] Updated Python Docker image to 3.11.5-alpine in Dockerfiles
|
||||
- [MISC] Add support for ModSecurity JSON LogFormat
|
||||
- [MISC] Updated OWASP coreruleset to 3.3.5
|
||||
|
||||
## v1.5.1 - 2023/08/08
|
||||
|
||||
- [BUGFIX] New version checker in logs displays "404 not found"
|
||||
- [BUGFIX] New version checker in UI
|
||||
- [BUGFIX] Only get the right keys from plugin.json files when importing plugins
|
||||
- [BUGFIX] Remove external resources for Google fonts in UI
|
||||
- [BUGFIX] Support multiple plugin uploads in one zip when using the UI
|
||||
- [BUGFIX] Variable being ignored instead of saved in the database when value is empty
|
||||
- [BUGFIX] ALLOWED_METHODS regex working with LOCK/UNLOCK methods
|
||||
- [BUGFIX] Custom certificate bug after the refactoring
|
||||
- [BUGFIX] Wrong variables in header phase (fix CORS feature too)
|
||||
- [BUGFIX] UI not working in Ubuntu (python zope module)
|
||||
- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
|
||||
- [BUGFIX] Custom configurations from env were not being deleted properly
|
||||
- [BUGFIX] Missing concepts image not displayed in the documentation
|
||||
- [BUGFIX] Scheduler not picking up new instances IPs in autoconf modes
|
||||
- [BUGFIX] Autoconf deadlock in k8s
|
||||
- [BUGFIX] Missing HTTP and HTTPS ports for temp nginx
|
||||
- [BUGFIX] Infinite loop when sessions is not valid
|
||||
- [BUGFIX] Missing valid LE certificates in edge cases
|
||||
- [BUGFIX] Wrong service namespace in k8s
|
||||
- [BUGFIX] DNS_RESOLVERS regex not accepting hostnames
|
||||
- [PERFORMANCE] Reduce CPU and RAM usage of scheduler
|
||||
- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
|
||||
- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
|
||||
- [FEATURE] Add Turnstile antibot mode
|
||||
- [FEATURE] Add more CORS headers
|
||||
- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
|
||||
- [FEATURE] Add the possibility to download the different lists and plugins from a local file (like the blacklist)
|
||||
- [FEATURE] External plugins can now be downloaded from a tar.gz and tar.xz file as well as zip
|
||||
- [FEATURE] Add X-Forwarded-Prefix header when using reverse proxy
|
||||
- [FEATURE] Add REDIRECT_TO_STATUS_CODE to choose status code 301 or 302 when redirecting
|
||||
- [DOCUMENTATION] Add timezone information
|
||||
- [DOCUMENTATION] Add timezone informat
|
||||
- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
|
||||
- [MISC] Temp remove VMWare provider for Vagrant integration
|
||||
- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI
|
||||
- [MISC] Move logs to /var/log/bunkerweb folder
|
||||
- [MISC] Reduce "Got an error reading communication packets" warnings in mariadb/mysql
|
||||
|
||||
## v1.5.0 - 2023/05/23
|
||||
|
||||
- Refactoring of almost all the components of the project
|
||||
- Dedicated scheduler service to manage jobs and configuration
|
||||
- Store configuration in a database backend
|
||||
- Improved web UI and make it working with all integrations
|
||||
- Improved internal LUA code
|
||||
- Improved internal cache of BW
|
||||
- Add Redis support when using clustered integrations
|
||||
- Add RHEL integration
|
||||
- Add Vagrant integration
|
||||
- Init support of generic TCP/UDP (stream)
|
||||
- Init support of IPv6
|
||||
- Improved CI/CD : UI tests, core tests and release automation
|
||||
- Reduce Docker images size
|
||||
- Fix and improved core plugins : antibot, cors, dnsbl, ...
|
||||
- Use PCRE regex instead of LUA patterns
|
||||
- Connectivity tests at startup/reload with logging
|
||||
|
||||
## v1.5.0-beta - 2023/05/02
|
||||
|
||||
- Refactoring of almost all the components of the project
|
||||
- Dedicated scheduler service to manage jobs and configuration
|
||||
- Store configuration in a database backend
|
||||
- Improved web UI and make it working with all integrations
|
||||
- Improved internal LUA code
|
||||
- Improved internal cache of BW
|
||||
- Add Redis support when using clustered integrations
|
||||
- Add RHEL integration
|
||||
- Add Vagrant integration
|
||||
- Init support of generic TCP/UDP (stream)
|
||||
- Init support of IPv6
|
||||
- Improved CI/CD : UI tests, core tests and release automation
|
||||
- Reduce Docker images size
|
||||
- Fix and improved core plugins : antibot, cors, dnsbl, ...
|
||||
- Use PCRE regex instead of LUA patterns
|
||||
- Connectivity tests at startup/reload with logging
|
||||
|
||||
## v1.4.8 - 2023/04/05
|
||||
|
||||
- Fix UI bug related to multiple settings
|
||||
- Increase check reload interval in UI to avoid rate limit
|
||||
- Fix Let's Encrypt error when using auth basic
|
||||
- Fix wrong setting name in realip job (again)
|
||||
- Fix blog posts retrieval in the UI
|
||||
- Fix missing logs for UI
|
||||
- Fix error log if BunkerNet ip list is empty
|
||||
- Updated python dependencies
|
||||
- Gunicorn will now show the logs in the console for the UI
|
||||
- BunkerNet job will now create the ip list file at the beginning of the job to avoid errors
|
||||
|
||||
## v1.4.7 - 2023/02/27
|
||||
|
||||
- Fix DISABLE_DEFAULT_SERVER=yes not working with HTTPS (again)
|
||||
- Fix wrong setting name in realip job
|
||||
- Fix whitelisting not working with modsecurity
|
||||
|
||||
## v1.4.6 - 2023/02/14
|
||||
|
||||
- Fix error in the UI when a service have multiple domains
|
||||
- Fix bwcli bans command
|
||||
- Fix documentation about Linux Fedora install
|
||||
- Fix DISABLE_DEFAULT_SERVER=yes not working with HTTPS
|
||||
- Add INTERCEPTED_ERROR_CODES setting
|
||||
|
||||
## v1.4.5 - 2022/11/26
|
||||
|
||||
- Fix bwcli syntax error
|
||||
- Fix UI not working using Linux integration
|
||||
- Fix missing openssl dep in autoconf
|
||||
- Fix typo in selfsigned job
|
||||
|
||||
## v1.4.4 - 2022/11/10
|
||||
|
||||
- Fix k8s controller not watching the events when there is an exception
|
||||
- Fix python dependencies bug in CentOS and Fedora
|
||||
- Fix incorrect log when reloading nginx using Linux integration
|
||||
- Fix UI dev mode, production mode is now the default
|
||||
- Fix wrong exposed port in the UI container
|
||||
- Fix endless loading in the UI
|
||||
- Fix \*_CUSTOM_CONF_\* dissapear when jobs are executed
|
||||
- Fix various typos in documentation
|
||||
- Fix warning about StartLimitIntervalSec directive when using Linux
|
||||
- Fix incorrect log when issuing certbot renew
|
||||
- Fix certbot renew error when using Linux or Docker integration
|
||||
- Add greylist core feature
|
||||
- Add BLACKLIST_IGNORE_\* settings
|
||||
- Add automatic change of SecRequestBodyLimit modsec directive based on MAX_CLIENT_SIZE setting
|
||||
- Add MODSECURITY_SEC_RULE_ENGINE and MODSECURITY_SEC_AUDIT_LOG_PARTS settings
|
||||
- Add manual ban and get bans to the API/CLI
|
||||
- Add Brawdunoir community example
|
||||
- Improve core plugins order and add documentation about it
|
||||
- Improve overall documentation
|
||||
- Improve CI/CD
|
||||
|
||||
## v1.4.3 - 2022/08/26
|
||||
|
||||
- Fix various documentation errors/typos and add various enhancements
|
||||
- Fix ui.env not read when using Linux integration
|
||||
- Fix wrong variables.env path when using Linux integration
|
||||
- Fix missing default server when TEMP_NGINX=yes
|
||||
- Fix check if BunkerNet is activated on default server
|
||||
- Fix request crash when mmdb lookup fails
|
||||
- Fix bad behavior trigger when request is whitelisted
|
||||
- Fix bad behavior not triggered when request is on default server
|
||||
- Fix BW overriding config when config is already present
|
||||
- Add Ansible integration in beta
|
||||
- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value
|
||||
- Add DENY_HTTP_STATUS setting to choose standard 403 error page (default) or 444 to close connection when access is denied
|
||||
- Add CORS (Cross-Origin Resource Sharing) core plugin
|
||||
- Add documentation about Docker in rootless mode and podman
|
||||
- Improve automatic tests setup
|
||||
- Migrate CI/CD infrastructure to another provider
|
||||
|
||||
## v1.4.2 - 2022/06/28
|
||||
|
||||
- Fix "too old resource version" exceptions when using k8s integration
|
||||
- Fix missing bwcli command with Linux integration
|
||||
- Fix various bugs with jobs scheduler when using autoconf/swarm/k8s
|
||||
- Fix bwcli unban command when using Linux integration
|
||||
- Fix permissions check when filename has a space
|
||||
- Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
|
||||
- Fix config files overwrite when using Docker autoconf
|
||||
- Add EXTERNAL_PLUGIN_URLS setting to automatically download and install external plugins
|
||||
- Add log_default() plugin hook
|
||||
- Add various certbot-dns examples
|
||||
- Add mattermost example
|
||||
- Add radarr example
|
||||
- Add Discord and Slack to list of official plugins
|
||||
- Force NGINX version dependencies in Linux packages DEB/RPM
|
||||
|
||||
## v1.4.1 - 2022/06/16
|
||||
|
||||
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
|
||||
- Fix certbot bug when AUTOCONF_MODE=yes
|
||||
- Fix certbot bug when MULTISITE=no
|
||||
- Add reverse proxy timeouts settings
|
||||
- Add auth_request settings
|
||||
- Add authentik and authelia examples
|
||||
- Prebuilt Docker images for arm64 and armv7
|
||||
- Improve documentation for Linux integration
|
||||
- Various fixes in the documentation
|
||||
|
||||
## v1.4.0 - 2022/06/06
|
||||
|
||||
- Project renamed to BunkerWeb
|
||||
- Internal architecture fully revised with a modular approach
|
||||
- Improved CI/CD with automatic tests for multiple integrations
|
||||
- Plugin improvement
|
||||
- Volume improvement for container-based integrations
|
||||
- Web UI improvement with various new features
|
||||
- Web tool to generate settings from a user-friendly UI
|
||||
- Linux packages
|
||||
- Various bug fixes
|
||||
|
||||
## v1.3.2 - 2021/10/24
|
||||
|
||||
- Use API instead of a shared folder for Swarm and Kubernetes integrations
|
||||
- Beta integration of distributed bad IPs database through a remote API
|
||||
- Improvement of the request limiting feature : hour/day rate and multiple URL support
|
||||
- Various bug fixes related to antibot feature
|
||||
- Init support of Arch Linux
|
||||
- Fix Moodle example
|
||||
- Fix ROOT_FOLDER bug in serve-files.conf when using the UI
|
||||
- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
|
||||
- Disable COUNTRY ban if IP is local
|
||||
|
||||
## v1.3.1 - 2021/09/02
|
||||
|
||||
- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
|
||||
- Fix ignored variables to control jobs
|
||||
- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
|
||||
- Add CUSTOM_HEADER variable
|
||||
- Add REVERSE_PROXY_BUFFERING variable
|
||||
- Add REVERSE_PROXY_KEEPALIVE variable
|
||||
- Fix documentation for modsec and modsec-crs special folders
|
||||
|
||||
## v1.3.0 - 2021/08/23
|
||||
|
||||
- Kubernetes integration in beta
|
||||
- Linux integration in beta
|
||||
- autoconf refactoring
|
||||
- jobs refactoring
|
||||
- UI refactoring
|
||||
- UI security : login/password authentication and CRSF protection
|
||||
- various dependencies updates
|
||||
- move CrowdSec as an external plugin
|
||||
- Authelia support
|
||||
- improve various regexes
|
||||
- add INJECT_BODY variable
|
||||
- add WORKER_PROCESSES variable
|
||||
- add USE_LETS_ENCRYPT_STAGING variable
|
||||
- add LOCAL_PHP and LOCAL_PHP_PATH variables
|
||||
- add REDIRECT_TO variable
|
||||
|
||||
## v1.2.8 - 2021/07/22
|
||||
|
||||
- Fix broken links in README
|
||||
- Fix regex for EMAIL_LETS_ENCRYPT
|
||||
- Fix regex for REMOTE_PHP and REMOTE_PHP_PATH
|
||||
- Fix regex for SELF_SIGNED_*
|
||||
- Fix various bugs related to web UI
|
||||
- Fix bug in autoconf (missing instances parameter to reload function)
|
||||
- Remove old .env files when generating a new configuration
|
||||
|
||||
## v1.2.7 - 2021/06/14
|
||||
|
||||
- Add custom robots.txt and sitemap to RTD
|
||||
- Fix missing GeoIP DB bug when using BLACKLIST/WHITELIST_COUNTRY
|
||||
- Add underscore "_" to allowed chars for CUSTOM_HTTPS_CERT/KEY
|
||||
- Fix bug when using automatic self-signed certificate
|
||||
- Build and push images from GitHub actions instead of Docker Hub autobuild
|
||||
- Display the reason when generator is ignoring a variable
|
||||
- Various bug fixes related to certbot and jobs
|
||||
- Split jobs into pre and post jobs
|
||||
- Add HEALTHCHECK to image
|
||||
- Fix race condition when using autoconf without Swarm by checking healthy state
|
||||
- Bump modsecurity-nginx to v1.0.2
|
||||
- Community chat with bridged platforms
|
||||
|
||||
## v1.2.6 - 2021/06/06
|
||||
|
||||
- Move from "ghetto-style" shell scripts to generic jinja2 templating
|
||||
- Init work on a basic plugins system
|
||||
- Move ClamAV to external plugin
|
||||
- Reduce image size by removing unnecessary dependencies
|
||||
- Fix CrowdSec example
|
||||
- Change some global variables to multisite
|
||||
- Add LOG_LEVEL environment variable
|
||||
- Read-only container support
|
||||
- Improved antibot javascript with a basic proof of work
|
||||
- Update nginx to 1.20.1
|
||||
- Support of docker-socket-proxy with web UI
|
||||
- Add certbot-cloudflare example
|
||||
- Disable DNSBL checks when IP is local
|
||||
|
||||
## v1.2.5 - 2021/05/14
|
||||
|
||||
- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
|
||||
- Init work on official documentation on readthedocs
|
||||
- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
|
||||
- Add ROOT_SITE_SUBFOLDER environment variable
|
||||
|
||||
## TODO - retrospective changelog
|
|
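Review bot: deleting the whole changelog in a commit titled as a squash of `src/deps/src/headers-more-nginx-module/` removes release history that operators use to judge upgrades, including security-relevant entries such as "Replaced gevent with gthread in UI for security reasons" and "Add HTML sanitization when injecting code in pages in the UI" under v1.5.3, and "Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak" under v1.3.1. The commit message does not mention this file. Please confirm whether the removal is intended. If it is, move it to a separate commit with its own rationale so the dependency update can be reviewed on its own.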
@ -1,128 +0,0 @@
|
|||
# Contributor Covenant Code of Conduct
|
||||
|
||||
## Our Pledge
|
||||
|
||||
We as members, contributors, and leaders pledge to make participation in our
|
||||
community a harassment-free experience for everyone, regardless of age, body
|
||||
size, visible or invisible disability, ethnicity, sex characteristics, gender
|
||||
identity and expression, level of experience, education, socio-economic status,
|
||||
nationality, personal appearance, race, religion, or sexual identity
|
||||
and orientation.
|
||||
|
||||
We pledge to act and interact in ways that contribute to an open, welcoming,
|
||||
diverse, inclusive, and healthy community.
|
||||
|
||||
## Our Standards
|
||||
|
||||
Examples of behavior that contributes to a positive environment for our
|
||||
community include:
|
||||
|
||||
* Demonstrating empathy and kindness toward other people
|
||||
* Being respectful of differing opinions, viewpoints, and experiences
|
||||
* Giving and gracefully accepting constructive feedback
|
||||
* Accepting responsibility and apologizing to those affected by our mistakes,
|
||||
and learning from the experience
|
||||
* Focusing on what is best not just for us as individuals, but for the
|
||||
overall community
|
||||
|
||||
Examples of unacceptable behavior include:
|
||||
|
||||
* The use of sexualized language or imagery, and sexual attention or
|
||||
advances of any kind
|
||||
* Trolling, insulting or derogatory comments, and personal or political attacks
|
||||
* Public or private harassment
|
||||
* Publishing others' private information, such as a physical or email
|
||||
address, without their explicit permission
|
||||
* Other conduct which could reasonably be considered inappropriate in a
|
||||
professional setting
|
||||
|
||||
## Enforcement Responsibilities
|
||||
|
||||
Community leaders are responsible for clarifying and enforcing our standards of
|
||||
acceptable behavior and will take appropriate and fair corrective action in
|
||||
response to any behavior that they deem inappropriate, threatening, offensive,
|
||||
or harmful.
|
||||
|
||||
Community leaders have the right and responsibility to remove, edit, or reject
|
||||
comments, commits, code, wiki edits, issues, and other contributions that are
|
||||
not aligned to this Code of Conduct, and will communicate reasons for moderation
|
||||
decisions when appropriate.
|
||||
|
||||
## Scope
|
||||
|
||||
This Code of Conduct applies within all community spaces, and also applies when
|
||||
an individual is officially representing the community in public spaces.
|
||||
Examples of representing our community include using an official e-mail address,
|
||||
posting via an official social media account, or acting as an appointed
|
||||
representative at an online or offline event.
|
||||
|
||||
## Enforcement
|
||||
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
||||
reported to the community leaders responsible for enforcement at
|
||||
contact@bunkerity.com.
|
||||
All complaints will be reviewed and investigated promptly and fairly.
|
||||
|
||||
All community leaders are obligated to respect the privacy and security of the
|
||||
reporter of any incident.
|
||||
|
||||
## Enforcement Guidelines
|
||||
|
||||
Community leaders will follow these Community Impact Guidelines in determining
|
||||
the consequences for any action they deem in violation of this Code of Conduct:
|
||||
|
||||
### 1. Correction
|
||||
|
||||
**Community Impact**: Use of inappropriate language or other behavior deemed
|
||||
unprofessional or unwelcome in the community.
|
||||
|
||||
**Consequence**: A private, written warning from community leaders, providing
|
||||
clarity around the nature of the violation and an explanation of why the
|
||||
behavior was inappropriate. A public apology may be requested.
|
||||
|
||||
### 2. Warning
|
||||
|
||||
**Community Impact**: A violation through a single incident or series
|
||||
of actions.
|
||||
|
||||
**Consequence**: A warning with consequences for continued behavior. No
|
||||
interaction with the people involved, including unsolicited interaction with
|
||||
those enforcing the Code of Conduct, for a specified period of time. This
|
||||
includes avoiding interactions in community spaces as well as external channels
|
||||
like social media. Violating these terms may lead to a temporary or
|
||||
permanent ban.
|
||||
|
||||
### 3. Temporary Ban
|
||||
|
||||
**Community Impact**: A serious violation of community standards, including
|
||||
sustained inappropriate behavior.
|
||||
|
||||
**Consequence**: A temporary ban from any sort of interaction or public
|
||||
communication with the community for a specified period of time. No public or
|
||||
private interaction with the people involved, including unsolicited interaction
|
||||
with those enforcing the Code of Conduct, is allowed during this period.
|
||||
Violating these terms may lead to a permanent ban.
|
||||
|
||||
### 4. Permanent Ban
|
||||
|
||||
**Community Impact**: Demonstrating a pattern of violation of community
|
||||
standards, including sustained inappropriate behavior, harassment of an
|
||||
individual, or aggression toward or disparagement of classes of individuals.
|
||||
|
||||
**Consequence**: A permanent ban from any sort of public interaction within
|
||||
the community.
|
||||
|
||||
## Attribution
|
||||
|
||||
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
|
||||
version 2.0, available at
|
||||
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
|
||||
|
||||
Community Impact Guidelines were inspired by [Mozilla's code of conduct
|
||||
enforcement ladder](https://github.com/mozilla/diversity).
|
||||
|
||||
[homepage]: https://www.contributor-covenant.org
|
||||
|
||||
For answers to common questions about this code of conduct, see the FAQ at
|
||||
https://www.contributor-covenant.org/faq. Translations are available at
|
||||
https://www.contributor-covenant.org/translations.
|
|
@ -1,21 +0,0 @@
|
|||
# Contributing to bunkerweb
|
||||
|
||||
First off all, thanks for being here and showing your support to the project !
|
||||
|
||||
We accept many types of contributions whether they are technical or not. Every community feedback, work or help is, and will always be, appreciated.
|
||||
|
||||
## Talk about the project
|
||||
|
||||
The first thing you can do is to talk about the project. You can share it on social media (by the way, you can can also follow us on [LinkedIn](https://www.linkedin.com/company/bunkerity/), [Twitter](https://twitter.com/bunkerity) and [GitHub](https://github.com/bunkerity)), make a blog post about it or simply tell your friends/colleagues that's an awesome project..
|
||||
|
||||
## Join the community
|
||||
|
||||
You can join the [Discord server](https://discord.com/invite/fTf46FmtyD), the [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions) and the [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit to talk about the project and help others.
|
||||
|
||||
## Reporting bugs / ask for features
|
||||
|
||||
The preferred way to report bugs and asking for features is using [issues](https://github.com/bunkerity/bunkerweb/issues). Before opening a new one, please check if a related issue is already opened using the "filters" bar. When creating a new issue please select and fill the "Bug report" or "Feature request" template.
|
||||
|
||||
## Code contribution
|
||||
|
||||
The preferred way to contribute code is using [pull requests](https://github.com/bunkerity/bunkerweb/pulls). Before creating a pull request, please check if your code is related to an opened issue. If that's not the case, you should first create an issue so we can discuss about it. This procedure is here to avoid wasting your time in case the PR will be rejected. For minor changes (e.g. : typo, quick fix, ...), opening an issue might be facultative. **Don't forget to edit the documentations when needed !**
|
660
LICENSE.md
|
@ -1,660 +0,0 @@
|
|||
### GNU AFFERO GENERAL PUBLIC LICENSE
|
||||
|
||||
Version 3, 19 November 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc.
|
||||
<https://fsf.org/>
|
||||
|
||||
Everyone is permitted to copy and distribute verbatim copies of this
|
||||
license document, but changing it is not allowed.
|
||||
|
||||
### Preamble
|
||||
|
||||
The GNU Affero General Public License is a free, copyleft license for
|
||||
software and other kinds of works, specifically designed to ensure
|
||||
cooperation with the community in the case of network server software.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
our General Public Licenses are intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains
|
||||
free software for all its users.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
Developers that use our General Public Licenses protect your rights
|
||||
with two steps: (1) assert copyright on the software, and (2) offer
|
||||
you this License which gives you legal permission to copy, distribute
|
||||
and/or modify the software.
|
||||
|
||||
A secondary benefit of defending all users' freedom is that
|
||||
improvements made in alternate versions of the program, if they
|
||||
receive widespread use, become available for other developers to
|
||||
incorporate. Many developers of free software are heartened and
|
||||
encouraged by the resulting cooperation. However, in the case of
|
||||
software used on network servers, this result may fail to come about.
|
||||
The GNU General Public License permits making a modified version and
|
||||
letting the public access it on a server without ever releasing its
|
||||
source code to the public.
|
||||
|
||||
The GNU Affero General Public License is designed specifically to
|
||||
ensure that, in such cases, the modified source code becomes available
|
||||
to the community. It requires the operator of a network server to
|
||||
provide the source code of the modified version running there to the
|
||||
users of that server. Therefore, public use of a modified version, on
|
||||
a publicly accessible server, gives the public access to the source
|
||||
code of the modified version.
|
||||
|
||||
An older license, called the Affero General Public License and
|
||||
published by Affero, was designed to accomplish similar goals. This is
|
||||
a different license, not a version of the Affero GPL, but Affero has
|
||||
released a new version of the Affero GPL which permits relicensing
|
||||
under this license.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
### TERMS AND CONDITIONS
|
||||
|
||||
#### 0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU Affero General Public
|
||||
License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds
|
||||
of works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of
|
||||
an exact copy. The resulting work is called a "modified version" of
|
||||
the earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user
|
||||
through a computer network, with no transfer of a copy, is not
|
||||
conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices" to
|
||||
the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
#### 1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work for
|
||||
making modifications to it. "Object code" means any non-source form of
|
||||
a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users can
|
||||
regenerate automatically from other parts of the Corresponding Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that same
|
||||
work.
|
||||
|
||||
#### 2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not convey,
|
||||
without conditions so long as your license otherwise remains in force.
|
||||
You may convey covered works to others for the sole purpose of having
|
||||
them make modifications exclusively for you, or provide you with
|
||||
facilities for running those works, provided that you comply with the
|
||||
terms of this License in conveying all material for which you do not
|
||||
control copyright. Those thus making or running the covered works for
|
||||
you must do so exclusively on your behalf, under your direction and
|
||||
control, on terms that prohibit them from making any copies of your
|
||||
copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under the
|
||||
conditions stated below. Sublicensing is not allowed; section 10 makes
|
||||
it unnecessary.
|
||||
|
||||
#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such
|
||||
circumvention is effected by exercising rights under this License with
|
||||
respect to the covered work, and you disclaim any intention to limit
|
||||
operation or modification of the work as a means of enforcing, against
|
||||
the work's users, your or third parties' legal rights to forbid
|
||||
circumvention of technological measures.
|
||||
|
||||
#### 4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
#### 5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these
|
||||
conditions:
|
||||
|
||||
- a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
- b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under
|
||||
section 7. This requirement modifies the requirement in section 4
|
||||
to "keep intact all notices".
|
||||
- c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
- d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
#### 6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms of
|
||||
sections 4 and 5, provided that you also convey the machine-readable
|
||||
Corresponding Source under the terms of this License, in one of these
|
||||
ways:
|
||||
|
||||
- a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
- b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the Corresponding
|
||||
Source from a network server at no charge.
|
||||
- c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
- d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
- e) Convey the object code using peer-to-peer transmission,
|
||||
provided you inform other peers where the object code and
|
||||
Corresponding Source of the work are being offered to the general
|
||||
public at no charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal,
|
||||
family, or household purposes, or (2) anything designed or sold for
|
||||
incorporation into a dwelling. In determining whether a product is a
|
||||
consumer product, doubtful cases shall be resolved in favor of
|
||||
coverage. For a particular product received by a particular user,
|
||||
"normally used" refers to a typical or common use of that class of
|
||||
product, regardless of the status of the particular user or of the way
|
||||
in which the particular user actually uses, or expects or is expected
|
||||
to use, the product. A product is a consumer product regardless of
|
||||
whether the product has substantial commercial, industrial or
|
||||
non-consumer uses, unless such uses represent the only significant
|
||||
mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to
|
||||
install and execute modified versions of a covered work in that User
|
||||
Product from a modified version of its Corresponding Source. The
|
||||
information must suffice to ensure that the continued functioning of
|
||||
the modified object code is in no case prevented or interfered with
|
||||
solely because modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or
|
||||
updates for a work that has been modified or installed by the
|
||||
recipient, or for the User Product in which it has been modified or
|
||||
installed. Access to a network may be denied when the modification
|
||||
itself materially and adversely affects the operation of the network
|
||||
or violates the rules and protocols for communication across the
|
||||
network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
#### 7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders
|
||||
of that material) supplement the terms of this License with terms:
|
||||
|
||||
- a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
- b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
- c) Prohibiting misrepresentation of the origin of that material,
|
||||
or requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
- d) Limiting the use for publicity purposes of names of licensors
|
||||
or authors of the material; or
|
||||
- e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
- f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions
|
||||
of it) with contractual assumptions of liability to the recipient,
|
||||
for any liability that these contractual assumptions directly
|
||||
impose on those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions; the
|
||||
above requirements apply either way.
|
||||
|
||||
#### 8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your license
|
||||
from a particular copyright holder is reinstated (a) provisionally,
|
||||
unless and until the copyright holder explicitly and finally
|
||||
terminates your license, and (b) permanently, if the copyright holder
|
||||
fails to notify you of the violation by some reasonable means prior to
|
||||
60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
#### 9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or run
|
||||
a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
#### 10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
#### 11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims owned
|
||||
or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within the
|
||||
scope of its coverage, prohibits the exercise of, or is conditioned on
|
||||
the non-exercise of one or more of the rights that are specifically
|
||||
granted under this License. You may not convey a covered work if you
|
||||
are a party to an arrangement with a third party that is in the
|
||||
business of distributing software, under which you make payment to the
|
||||
third party based on the extent of your activity of conveying the
|
||||
work, and under which the third party grants, to any of the parties
|
||||
who would receive the covered work from you, a discriminatory patent
|
||||
license (a) in connection with copies of the covered work conveyed by
|
||||
you (or copies made from those copies), or (b) primarily for and in
|
||||
connection with specific products or compilations that contain the
|
||||
covered work, unless you entered into that arrangement, or that patent
|
||||
license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
#### 12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under
|
||||
this License and any other pertinent obligations, then as a
|
||||
consequence you may not convey it at all. For example, if you agree to
|
||||
terms that obligate you to collect a royalty for further conveying
|
||||
from those to whom you convey the Program, the only way you could
|
||||
satisfy both those terms and this License would be to refrain entirely
|
||||
from conveying the Program.
|
||||
|
||||
#### 13. Remote Network Interaction; Use with the GNU General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, if you modify the
|
||||
Program, your modified version must prominently offer all users
|
||||
interacting with it remotely through a computer network (if your
|
||||
version supports such interaction) an opportunity to receive the
|
||||
Corresponding Source of your version by providing access to the
|
||||
Corresponding Source from a network server at no charge, through some
|
||||
standard or customary means of facilitating copying of software. This
|
||||
Corresponding Source shall include the Corresponding Source for any
|
||||
work covered by version 3 of the GNU General Public License that is
|
||||
incorporated pursuant to the following paragraph.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the work with which it is combined will remain governed by version
|
||||
3 of the GNU General Public License.
|
||||
|
||||
#### 14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions
|
||||
of the GNU Affero General Public License from time to time. Such new
|
||||
versions will be similar in spirit to the present version, but may
|
||||
differ in detail to address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies that a certain numbered version of the GNU Affero General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU Affero General Public License, you may choose any version ever
|
||||
published by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future versions
|
||||
of the GNU Affero General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
#### 15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
|
||||
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
|
||||
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
|
||||
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
|
||||
CORRECTION.
|
||||
|
||||
#### 16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
|
||||
CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
|
||||
ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
|
||||
NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
|
||||
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
|
||||
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
|
||||
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
#### 17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
### How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these
|
||||
terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest to
|
||||
attach them to the start of each source file to most effectively state
|
||||
the exclusion of warranty; and each file should have at least the
|
||||
"copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper
|
||||
mail.
|
||||
|
||||
If your software can interact with users remotely through a computer
|
||||
network, you should also make sure that it provides a way for users to
|
||||
get its source. For example, if your program is a web application, its
|
||||
interface could display a "Source" link that leads users to an archive
|
||||
of the code. There are many ways you could offer source, and different
|
||||
solutions will be better for different programs; see section 13 for
|
||||
the specific requirements.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. For more information on this, and how to apply and follow
|
||||
the GNU AGPL, see <https://www.gnu.org/licenses/>.
|
363
README.md
|
@ -1,363 +0,0 @@
|
|||
<p align="center">
|
||||
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/misc/logo.png" />
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<img src="https://img.shields.io/github/v/release/bunkerity/bunkerweb?label=stable" />
|
||||
<img src="https://img.shields.io/github/v/release/bunkerity/bunkerweb?include_prereleases&label=latest" />
|
||||
<br />
|
||||
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
|
||||
<img src="https://img.shields.io/github/issues/bunkerity/bunkerweb">
|
||||
<img src="https://img.shields.io/github/issues-pr/bunkerity/bunkerweb">
|
||||
<br />
|
||||
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/dev.yml?branch=dev&label=CI%2FCD%20dev" />
|
||||
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/staging.yml?branch=staging&label=CI%2FCD%20staging" />
|
||||
<a href="https://www.bestpractices.dev/projects/8001">
|
||||
<img src="https://www.bestpractices.dev/projects/8001/badge">
|
||||
</a>
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
📓 <a href="https://docs.bunkerweb.io">Documentation</a>
|
||||
|
|
||||
👨💻 <a href="https://demo.bunkerweb.io">Demo</a>
|
||||
|
|
||||
🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/examples">Examples</a>
|
||||
|
|
||||
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
|
||||
|
|
||||
📝 <a href="https://github.com/bunkerity/bunkerweb/discussions">Forum</a>
|
||||
|
|
||||
⚙️ <a href="https://config.bunkerweb.io">Configurator</a>
|
||||
|
|
||||
🗺️ <a href="https://threatmap.bunkerweb.io">Threatmap</a>
|
||||
</p>
|
||||
|
||||
> 🛡️ Make security by default great again !
|
||||
|
||||
# BunkerWeb
|
||||
|
||||
<p align="center">
|
||||
<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/intro-overview.svg" />
|
||||
</p>
|
||||
|
||||
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
|
||||
|
||||
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.3/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.3/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.3/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.3/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
|
||||
|
||||
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.3/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.3/plugins/)).
|
||||
|
||||
## Why BunkerWeb ?
|
||||
|
||||
- **Easy integration into existing environments** : support for Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, ...
|
||||
- **Highly customizable** : enable, disable and configure features easily to meet your use case
|
||||
- **Secure by default** : offers out-of-the-box and hassle-free minimal security for your web services
|
||||
- **Awesome web UI** : keep control of everything more efficiently without the need of the CLI
|
||||
- **Plugin system** : extend BunkerWeb to meet your own use-cases
|
||||
- **Free as in "freedom"** : licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html)
|
||||
|
||||
## Security features
|
||||
|
||||
A non-exhaustive list of security features :
|
||||
|
||||
- **HTTPS** support with transparent **Let's Encrypt** automation
|
||||
- **State-of-the-art web security** : HTTP security headers, prevent leaks, TLS hardening, ...
|
||||
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set**
|
||||
- **Automatic ban** of strange behaviors based on HTTP status code
|
||||
- Apply **connections and requests limit** for clients
|
||||
- **Block bots** by asking them to solve a **challenge** (e.g. : cookie, javascript, captcha, hCaptcha or reCAPTCHA)
|
||||
- **Block known bad IPs** with external blacklists and DNSBL
|
||||
- And much more ...
|
||||
|
||||
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.3/security-tuning/) section of the documentation.
|
||||
|
||||
## Demo
|
||||
|
||||
<p align="center">
|
||||
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://img.youtube.com/vi/ZhYV-QELzA4/0.jpg" /></a>
|
||||
</p>
|
||||
|
||||
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
|
||||
|
||||
# Concepts
|
||||
|
||||
<p align="center">
|
||||
<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/concepts.svg" />
|
||||
</p>
|
||||
|
||||
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.3/concepts).
|
||||
|
||||
## Integrations
|
||||
|
||||
The first concept is the integration of BunkerWeb into the target environment. We prefer to use the word "integration" instead of "installation" because one of the goals of BunkerWeb is to integrate seamlessly into existing environments.
|
||||
|
||||
The following integrations are officially supported :
|
||||
|
||||
- [Docker](https://docs.bunkerweb.io/1.5.3/integrations/#docker)
|
||||
- [Docker autoconf](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf)
|
||||
- [Swarm](https://docs.bunkerweb.io/1.5.3/integrations/#swarm)
|
||||
- [Kubernetes](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes)
|
||||
- [Linux](https://docs.bunkerweb.io/1.5.3/integrations/#linux)
|
||||
- [Ansible](https://docs.bunkerweb.io/1.5.3/integrations/#ansible)
|
||||
- [Vagrant](https://docs.bunkerweb.io/1.5.3/integrations/#vagrant)
|
||||
|
||||
## Settings
|
||||
|
||||
Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
|
||||
|
||||
The configuration of BunkerWeb is done by using what we call the "settings" or "variables". Each setting is identified by a name such as `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT`. You can assign values to the settings to configure BunkerWeb.
|
||||
|
||||
Here is a dummy example of a BunkerWeb configuration :
|
||||
|
||||
```conf
|
||||
SERVER_NAME=www.example.com
|
||||
AUTO_LETS_ENCRYPT=yes
|
||||
USE_ANTIBOT=captcha
|
||||
REFERRER_POLICY=no-referrer
|
||||
USE_MODSECURITY=no
|
||||
USE_GZIP=yes
|
||||
USE_BROTLI=no
|
||||
```
|
||||
|
||||
You will find an easy to use settings generator at [config.bunkerweb.io](https://config.bunkerweb.io).
|
||||
|
||||
## Multisite mode
|
||||
|
||||
The multisite mode is a crucial concept to understand when using BunkerWeb. Because the goal is to protect web applications, we intrinsically inherit the concept of "virtual host" or "vhost" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)) which makes it possible to serve multiple web applications from a single (or a cluster of) instance.
|
||||
|
||||
By default, the multisite mode of BunkerWeb is disabled which means that only one web application will be served and all the settings will be applied to it. The typical use case is when you have a single application to protect : you don't have to worry about the multisite and the default behavior should be the right one for you.
|
||||
|
||||
When multisite mode is enabled, BunkerWeb will serve and protect multiple web applications. Each web application is identified by a unique server name and have its own set of settings. The typical use case is when you have multiple applications to protect and you want to use a single (or a cluster depending of the integration) instance of BunkerWeb.
|
||||
|
||||
## Custom configurations
|
||||
|
||||
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.3/plugins)), you can use custom configurations to solve your specific challenges.
|
||||
|
||||
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
|
||||
|
||||
Another core component of BunkerWeb is the ModSecurity Web Application Firewall : you can also use custom configurations to fix some false positives or add custom rules for example.
|
||||
|
||||
## Database
|
||||
|
||||
State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
|
||||
|
||||
- Settings defined for all the services
|
||||
- Custom configurations
|
||||
- BunkerWeb instances
|
||||
- Metadata about jobs execution
|
||||
- Cached files
|
||||
|
||||
The following backend database are supported : SQLite, MariaDB, MySQL and PostgreSQL
|
||||
|
||||
## Scheduler
|
||||
|
||||
To make things automagically work together, a dedicated service called the scheduler is in charge of :
|
||||
|
||||
- Storing the settings and custom configurations inside the database
|
||||
- Executing various tasks (called jobs)
|
||||
- Generating a configuration which is understood by BunkerWeb
|
||||
- Being the intermediary for other services (like web UI or autoconf)
|
||||
|
||||
In other words, the scheduler is the brain of BunkerWeb.
|
||||
|
||||
# Setup
|
||||
|
||||
## Docker
|
||||
|
||||
<p align="center">
|
||||
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-docker.svg" />
|
||||
</p>
|
||||
|
||||
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
|
||||
|
||||
Docker integration key concepts are :
|
||||
|
||||
- **Environment variables** to configure BunkerWeb
|
||||
- **Scheduler** container to store configuration and execute jobs
|
||||
- **Networks** to expose ports for clients and connect to upstream web services
|
||||
|
||||
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.3/integrations/#docker) of the documentation.
|
||||
|
||||
## Docker autoconf
|
||||
|
||||
<p align="center">
|
||||
<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-autoconf.svg" />
|
||||
</p>
|
||||
|
||||
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
|
||||
|
||||
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
|
||||
|
||||
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf) of the documentation.
|
||||
|
||||
## Swarm
|
||||
|
||||
<p align="center">
|
||||
<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-swarm.svg" />
|
||||
</p>
|
||||
|
||||
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
|
||||
|
||||
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
|
||||
|
||||
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.3/integrations/#swarm) of the documentation.
|
||||
|
||||
## Kubernetes
|
||||
|
||||
<p align="center">
|
||||
<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-kubernetes.svg" />
|
||||
</p>
|
||||
|
||||
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
|
||||
|
||||
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes) of the documentation.
|
||||
|
||||
## Linux
|
||||
|
||||
<p align="center">
|
||||
<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-linux.svg" />
|
||||
</p>
|
||||
|
||||
List of supported Linux distros :
|
||||
|
||||
- Debian 11 "Bullseye"
|
||||
- Ubuntu 22.04 "Jammy"
|
||||
- Fedora 38
|
||||
- RHEL 8.7
|
||||
|
||||
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
|
||||
|
||||
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.3/integrations/#linux) of the documentation.
|
||||
|
||||
## Ansible
|
||||
|
||||
<p align="center">
|
||||
<img alt="Ansible banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-ansible.svg" />
|
||||
</p>
|
||||
|
||||
List of supported Linux distros :
|
||||
|
||||
- Debian 11 "Bullseye"
|
||||
- Ubuntu 22.04 "Jammy"
|
||||
- Fedora 38
|
||||
- RHEL 8.7
|
||||
|
||||
[Ansible](https://www.ansible.com/) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
|
||||
|
||||
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
|
||||
|
||||
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.3/integrations/#ansible) of the documentation.
|
||||
|
||||
## Vagrant
|
||||
|
||||
We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following providers :
|
||||
|
||||
- virtualbox
|
||||
- libvirt
|
||||
|
||||
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.3/integrations/#vagrant) of the documentation.
|
||||
|
||||
# Quickstart guide
|
||||
|
||||
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.3/quickstart-guide/) that will cover the following common use cases :
|
||||
|
||||
- Protecting a single HTTP application
|
||||
- Protecting multiple HTTP application
|
||||
- Retrieving the real IP of clients when operating behind a load balancer
|
||||
- Adding custom configurations
|
||||
- Protecting generic TCP/UDP applications
|
||||
- In combination with PHP
|
||||
|
||||
# Security tuning
|
||||
|
||||
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.3/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
|
||||
|
||||
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.3/security-tuning) of the documentation.
|
||||
|
||||
# Settings
|
||||
|
||||
To help you tuning BunkerWeb we have made an easy to use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
|
||||
|
||||
As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server you will need to add the primary (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.
|
||||
|
||||
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
|
||||
|
||||
Check the [settings section](https://docs.bunkerweb.io/1.5.3/settings) of the documentation to get the full list.
|
||||
|
||||
# Web UI
|
||||
|
||||
<p align="center">
|
||||
<a href="https://www.youtube.com/watch?v=Ao20SfvQyr4">
|
||||
<img src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/user_interface_demo.png" height="300" />
|
||||
</a>
|
||||
</p>
|
||||
|
||||
The "Web UI" is a web application that helps you manage your BunkerWeb instance using a user-friendly interface instead of the command-line one.
|
||||
|
||||
- Start, stop, restart and reload your BunkerWeb instance
|
||||
- Add, edit and delete settings for your web applications
|
||||
- Add, edit and delete custom configurations for NGINX and ModSecurity
|
||||
- Install and uninstall external plugins
|
||||
- Explore the cached files
|
||||
- Monitor jobs execution
|
||||
- View the logs and search pattern
|
||||
|
||||
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.3/web-ui) of the documentation.
|
||||
|
||||
# Plugins
|
||||
|
||||
BunkerWeb comes with a plugin system to make it possible to easily add new features. Once a plugin is installed, you can manage it using additional settings defined by the plugin.
|
||||
|
||||
Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
|
||||
|
||||
| Name | Version | Description | Link |
|
||||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 1.2 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **Coraza** | 1.2 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **CrowdSec** | 1.2 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.2 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.2 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.2 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **WebHook** | 1.2 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
|
||||
|
||||
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.3/plugins) of the documentation.
|
||||
|
||||
# Support
|
||||
|
||||
## Professional
|
||||
|
||||
We offer professional services related to BunkerWeb like :
|
||||
|
||||
* Consulting
|
||||
* Support
|
||||
* Custom development
|
||||
* Partnership
|
||||
|
||||
Please contact us at [contact@bunkerity.com](mailto:contact@bunkerity.com) if you are interested.
|
||||
|
||||
## Community
|
||||
|
||||
To get free community support you can use the following media :
|
||||
|
||||
* The #help channel of BunkerWeb in the [Discord server](https://discord.com/invite/fTf46FmtyD)
|
||||
* The help category of [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions)
|
||||
* The [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit
|
||||
* The [Server Fault](https://serverfault.com/) and [Super User](https://superuser.com/) forums
|
||||
|
||||
Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues) to ask for help, use it only for bug reports and feature requests.
|
||||
|
||||
# License
|
||||
|
||||
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/LICENSE.md).
|
||||
|
||||
# Contribute
|
||||
|
||||
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/CONTRIBUTING.md) to get started.
|
||||
|
||||
# Security policy
|
||||
|
||||
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/SECURITY.md) for more information.
|
||||
|
||||
# Stargazers over time
|
||||
|
||||
[![Stargazers over time](https://starchart.cc/bunkerity/bunkerweb.svg)](https://starchart.cc/bunkerity/bunkerweb)
|
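Review bot: the `-1,363 +0,0` header means README.md is deleted outright, which takes with it the versioned links to LICENSE.md, CONTRIBUTING.md and SECURITY.md under the License, Contribute and Security policy headings; please confirm the whole-file removal is intended for this change. If the file is kept or restored, the WebHook row of the plugins table labels its link `bunkerweb-plugins/slack` although the URL ends in `/webhook`, and the sentence introducing the plugin system ends with an unbalanced `)`.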
17
SECURITY.md
|
@ -1,17 +0,0 @@
|
|||
# Security policy
|
||||
|
||||
Even though this project is focused on security, it is still prone to possible vulnerabilities. We consider every security bug as a serious issue and will try our best to address it.
|
||||
|
||||
## Responsible disclosure
|
||||
|
||||
If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.
|
||||
|
||||
Here is a non-exhaustive list of issues we consider as high risk :
|
||||
- Vulnerability in the code
|
||||
- Bypass of a security feature
|
||||
- Vulnerability in a third-party dependency
|
||||
- Risk in the supply chain
|
||||
|
||||
## Bounty
|
||||
|
||||
To encourage responsible disclosure, we may reward you with a bounty at the sole discretion of the maintainers.
|
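Review bot: removing all 17 lines of SECURITY.md drops the disclosure address and the list of high-risk issue classes, and the about page deleted further down in the same diff is the other place that gives a security contact, so after this change none of the visible files tells a reporter where to send a finding. Keep the policy file, or state where the policy now lives. The two texts also disagree on the channel: this file asks for a ProtonMail sender, while the about page publishes a PGP key for security@bunkerity.com.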
5
TODO
|
@ -1,5 +0,0 @@
|
|||
- Ansible
|
||||
- Vagrant
|
||||
- Plugins
|
||||
- Find a way to do rdns in background
|
||||
- fix db warnings (Got an error reading communication packets)
|
|
@ -1,4 +0,0 @@
|
|||
FROM squidfunk/mkdocs-material@sha256:e5f28aa0c3ac8206f93e44a0c52ea85616b0d6c674319cd1d87a241594788355
|
||||
|
||||
COPY mkdocs.yml /docs
|
||||
COPY docs /docs/docs
|
|
@ -1,97 +0,0 @@
|
|||
# About
|
||||
|
||||
## Who maintains BunkerWeb ?
|
||||
|
||||
BunkerWeb is maintained by [Bunkerity](https://www.bunkerity.com), a French 🇫🇷 company specialized in Cybersecurity 🛡️.
|
||||
|
||||
## Do you offer professional services ?
|
||||
|
||||
Yes, we offer professional services related to BunkerWeb such as :
|
||||
|
||||
- Consulting
|
||||
- Support
|
||||
- Custom development
|
||||
- Partnership
|
||||
|
||||
Please contact us at [contact@bunkerity.com](mailto:contact@bunkerity.com) if you are interested.
|
||||
|
||||
## Where to get community support ?
|
||||
|
||||
To get free community support, you can use the following media :
|
||||
|
||||
- The #help channel of BunkerWeb in the [Discord server](https://discord.com/invite/fTf46FmtyD)
|
||||
- The help category of [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions)
|
||||
- The [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit
|
||||
- The [Server Fault](https://serverfault.com/) and [Super User](https://superuser.com/) forums
|
||||
|
||||
Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues) to ask for help, use it only for bug reports and feature requests.
|
||||
|
||||
## How can I contribute ?
|
||||
|
||||
Here is a non-exhaustive list of what you can do :
|
||||
|
||||
- Join the [Discord server](https://discord.com/invite/fTf46FmtyD), [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit and [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions) to talk about the project and help others
|
||||
- Follow us on [LinkedIn](https://www.linkedin.com/company/bunkerity/), [Twitter](https://twitter.com/bunkerity) and [GitHub](https://github.com/bunkerity)
|
||||
- Report bugs and propose new features using [issues](https://github.com/bunkerity/bunkerweb/issues)
|
||||
- Contribute to the code using [pull requests](https://github.com/bunkerity/bunkerweb/pulls)
|
||||
- Write an awesome [plugin](plugins.md)
|
||||
- Talk about BunkerWeb to your friends/colleagues, on social media, on your blog, ...
|
||||
|
||||
## How to report security issue ?
|
||||
|
||||
Please contact us at [security@bunkerity.com](mailto:security@bunkerity.com) using the following PGP key :
|
||||
|
||||
```conf
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBGCEMiMBEACtXJBDbF86qjC/Q1cfmJfYcYrbk6eE5czknG294XObC97wAgDf
|
||||
/MbX6bnti4kDRpflGDqQtwOXudcEzledTD4bdDUKvZwqPoYQGa24uCuUxSINTLXr
|
||||
RuoMaKfpvs7trsFXp5iYUqf4Org2aaJE7Tk/9sOvxgdqsT22jEgCZXTRU1qG494U
|
||||
u6XRQN8hKlw6aa6njjX9vUk6Jpl46/kwwO9mpXBZX6iFKYnBlUWs2k8d6D6cO5aZ
|
||||
KLoYyz5v3Gw2hHSqj4qbVQPTIT7qrrcfd8nblYK7Dh3IM+vQq7a7lB0AudIyBNPd
|
||||
rsypi9ZYgwI3lv/rmQnDc32Ua5cLvTvgg/XoaNK9ogc3kei1+hXODEgRA/zvSKqq
|
||||
20i/1Y0OnIGv89LOI6urWpOgDAhQUV5xvANll2lm3Bkmy29UOzNadUc/yImxrM06
|
||||
HwX82ju6PFAqOaxMW6SEE71ylGOSlikAGNcmmc5Ihd1J/VRZA4PBiQ31gQxFRpUC
|
||||
3NTw2QNAD1kjni5PuQD10Q1Ognvb6uJh/MtqsoX6r1t+Oly9MblFSuyqFkqNO3F0
|
||||
QAJqprhJlQ3YOcJdJ1EZR7qs0xJm5h+lw0Z/UINqkwiZUW3PCO8BKxfq6sfdwM8L
|
||||
5hPhyUzy2gIJ0J/4NGYEBH1ojoYODGU8OCSmyjSTY9SoVMeWDfqYP4ZTvQARAQAB
|
||||
tCVidW5rZXJpdHktcGdwIDxjb250YWN0QGJ1bmtlcml0eS5jb20+iQJUBBMBCAA+
|
||||
FiEEw78SjkcVxXCq7hStPYCAbxJgKnwFAmCEMiMCGwMFCQPCIP0FCwkIBwIGFQoJ
|
||||
CAsCBBYCAwECHgECF4AACgkQPYCAbxJgKnzvYhAAnNqGB6ce2eZzwk1EiNlNaXaA
|
||||
hFWLq/s/J1IOAP+0V5jKJxA6zTX01HyIfIIHQy6nrxxEXzYsIUHdJ+HBPCNswCqn
|
||||
2d/aDkkfoEUc1bUD0c2bXfoSCsAeIoK+eOf6iSr4IENVoIUYFQTUKFNu+Y7eDL0I
|
||||
J8Xadg53G+fkK9LE6TeYpBs3hDT4w7vlDfIwWa1NC9HoLzSmZ2fqZ7SnihLGsLmp
|
||||
98VqDrDjhRPzrz5/tVYgvPCQQU5ED/TayCCYvrGpw9gP8qmEOabIUz0ppGwEfQVs
|
||||
Wycilm1/Js/qjdbxUFMipBIzDu7bI3kMLmENhI+16Xtub9dUrvkW2SdDngYhtWj8
|
||||
IzVOe6N/XDuiRGpaYFpEuXbrnDFexe1ygZwnVHt3fukPfa7W8mhMs2kY1ishIA0O
|
||||
WElKO1Q6N0ZWEad0PwM8NCDjaDUNWQC36ZF/MS+ipHWx9joPUjImY2AXDjN+L+Si
|
||||
ABQIe4Fo6Jx6S6Bi8YvPq8idYZvaWFJjBvmaPjxdUMPbIsMRiEjvlrhvqhLuVBpE
|
||||
lGA+M4UJGw5yBl+yiiLDuws/Fppv9HwNqw6Uq1m1XaW859Om1GGBKYfphyn+fHjR
|
||||
7ftOuT7Ss4zioXT4mscOZgkfzDAqgpZiHjYhe7tLUu7iD6UEsZmey/gRV0hCxng3
|
||||
N7yaRrBu0+3sIQV4jYC5Ag0EYIQyIwEQALSurJGOx7At5mRFjvhXd4/JHuBZZOSI
|
||||
M45LSJ+mKYnAGmwsL0AneZMIf6Yc0Vcn32oqlIXN5aB8jIt91pChLre8tl/lFZZP
|
||||
xY3WIEBJhZF0FIUqSQLjg4HD0S70REii7Om1kgtZueid8V6T5F1JDcO2mDoh8oc9
|
||||
h9nRQ1Ld6dblEuwBzbFkI1K6OUk1+ec7+mQc7orHdBVgelmqwG7fGZnPiN3XfklF
|
||||
dnwSkFIX/qkAsKQmmx1VSzaGFoPLajf4wrkzZdA3iEafsHyvdEFlezZCZ7TsoHBh
|
||||
tNg1Psg6MbBVgiMfHyRHSEBJZ7r5Awj2MpFUFMOd1IPcor1I254mx0VYfCvof4Km
|
||||
Ri1F/86kHc23A77pd4HFYZWiZjaWhh12L+wz5fDL5/sSFXVGSCtSWIKx6FjysZ+v
|
||||
szk3lItHoomZhA7M+FjU/cOjq9hae9uwZeU39DQk0/npln2RcHitoqgUIzII5woO
|
||||
S3SlMSc910tHf40D2cBr1iFKC0jQICjkDexB9CtNx/N25SJmLfiimYtk6/NHlPq4
|
||||
HXdq6ZfLZ7xQmuGcyWv4f0pwA2CK3twISpsIxIKe456WYTDtQu9d1s987dvmw6F/
|
||||
qURC6m2WPGroHb8COQTKzbshjpGUmLpyR3FXki4wNXeI1KaQLL7NpZmK6yJlWviO
|
||||
1sCjh4m7VS+zABEBAAGJAjwEGAEIACYWIQTDvxKORxXFcKruFK09gIBvEmAqfAUC
|
||||
YIQyIwIbDAUJA8Ig/QAKCRA9gIBvEmAqfP2WEACqmXEhu4ARl2yT9bay0+W3F1q1
|
||||
MrLQkcVOau2ihXx3PhYsXRUoEFj72VDAar41WIlHsPJfB14WtSlYcX2XdjHLHMpC
|
||||
dL2eGhqIcHzFChR0vGjtvm2wae/rJTChWf8WXiHrRnRcfFFfhpCvkNi43fQeH4yp
|
||||
cel2a35WV+IRbnkCkaly2NG3XO0t83Siok8Ku+OJGPatUMxJmaEVQeeXVPDzVRva
|
||||
rtvyd9Sclkd9QDPBLZyWHC1vsPKGRJpi5uDZjGxhaFRkimw/SYtFHj7AUrMKAIHB
|
||||
GfEcwC3Eq4rF0FeCOPfBd2vwGGrRflx76jK9rj288ta9Oq6u6ev8PCVzt0E7jrSf
|
||||
AX88vfVRcxihNfj/9i5xmY596jpgbvNA2aJX2hAO3Q8pD6AunVXPUyc3RlFHt7jC
|
||||
tL+9Xv7Qwjz7OToWqj+9cM6T+6oZLxYNVPT72Z/KOFW+mzGb87qjcsDMb/hu2fNq
|
||||
tSWyZk2AAgHQyG1y8vCQQzsDnUDM6NIPwYG5XMP+11WAsPk5fP1ksixpUqIWgjhY
|
||||
M22YUsjLeaRtgSmhAGIkbBgecs1EHSZZ6sf2lB8gSom1wW0UCBPSifP0DwYFizS5
|
||||
SOk62kZ0lqEctwgKDe3MNQnPxt9+tU9L1pIkyXgXihcOLiCMl434K0djJXxIbiX0
|
||||
JvbFAfI3qteepvnjBQ==
|
||||
=g1tf
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
```
|
|
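Review bot: in the "How to report security issue ?" section at the end of this hunk, the armored key is published with no fingerprint beside it, and the user ID packet in the block (the line starting `tCVidW5r`) decodes to `bunkerity-pgp <contact@bunkerity.com>` while the sentence above it tells reporters to write to security@bunkerity.com. Since the hunk deletes the page, make sure the key is republished elsewhere with its fingerprint and an address that matches the user ID; the `conf` fence tag could also become a plain fence, because the block is not configuration.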
@ -1,19 +0,0 @@
|
|||
:root {
|
||||
--md-primary-fg-color: #125678;
|
||||
--md-text-font: "Roboto";
|
||||
}
|
||||
|
||||
.md-footer {
|
||||
background-color: #125678;
|
||||
}
|
||||
|
||||
/*
|
||||
@font-face {
|
||||
font-family: Consolas, monaco, monospace;
|
||||
}
|
||||
|
||||
@font-face {
|
||||
font-family: "TitleFont";
|
||||
src: "assets/font-title.woff";
|
||||
}
|
||||
*/
|
146
docs/concepts.md
|
@ -1,146 +0,0 @@
|
|||
# Concepts
|
||||
|
||||
<figure markdown>
|
||||
![Overview](assets/img/concepts.svg){ align=center, width="600" }
|
||||
</figure>
|
||||
|
||||
## Integrations
|
||||
|
||||
The first concept is the integration of BunkerWeb into the target environment. We prefer to use the word "integration" instead of "installation" because one of the goals of BunkerWeb is to integrate seamlessly into existing environments.
|
||||
|
||||
The following integrations are officially supported :
|
||||
|
||||
- [Docker](integrations.md#docker)
|
||||
- [Docker autoconf](integrations.md#docker-autoconf)
|
||||
- [Swarm](integrations.md#swarm)
|
||||
- [Kubernetes](integrations.md#kubernetes)
|
||||
- [Linux](integrations.md#linux)
|
||||
- [Ansible](integrations.md#ansible)
|
||||
- [Vagrant](integrations.md#vagrant)
|
||||
|
||||
If you think that a new integration should be supported, do not hesitate to open a [new issue](https://github.com/bunkerity/bunkerweb/issues) on the GitHub repository.
|
||||
|
||||
!!! info "Going further"
|
||||
|
||||
The technical details of all BunkerWeb integrations are available in the [integrations section](integrations.md) of the documentation.
|
||||
|
||||
## Settings
|
||||
|
||||
Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
|
||||
|
||||
The configuration of BunkerWeb is done by using what we call the "settings" or "variables". Each setting is identified by a name such as `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT`. You can assign values to the settings to configure BunkerWeb.
|
||||
|
||||
Here is a dummy example of a BunkerWeb configuration :
|
||||
|
||||
```conf
|
||||
SERVER_NAME=www.example.com
|
||||
AUTO_LETS_ENCRYPT=yes
|
||||
USE_ANTIBOT=captcha
|
||||
REFERRER_POLICY=no-referrer
|
||||
USE_MODSECURITY=no
|
||||
USE_GZIP=yes
|
||||
USE_BROTLI=no
|
||||
```
|
||||
|
||||
!!! info "Going further"
|
||||
|
||||
The complete list of available settings with descriptions and possible values is available in the [settings section](settings.md) of the documentation.
|
||||
|
||||
!!! info "Settings generator tool"
|
||||
|
||||
To help you tune BunkerWeb, we offer an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
|
||||
|
||||
## Multisite mode
|
||||
|
||||
Understanding the multisite mode is essential when utilizing BunkerWeb. As our primary focus is safeguarding web applications, our solution is intricately linked to the concept of "virtual hosts" or "vhosts" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)). These virtual hosts enable the serving of multiple web applications from a single instance or cluster.
|
||||
|
||||
By default, BunkerWeb has the multisite mode disabled. This means that only one web application will be served, and all settings will be applied to it. This setup is ideal when you have a single application to protect, as you don't need to concern yourself with multisite configurations.
|
||||
|
||||
However, when the multisite mode is enabled, BunkerWeb becomes capable of serving and protecting multiple web applications. Each web application is identified by a unique server name and has its own set of settings. This mode proves beneficial when you have multiple applications to secure, and you prefer to utilize a single instance (or a cluster) of BunkerWeb.
|
||||
|
||||
The activation of the multisite mode is controlled by the `MULTISITE` setting, which can be set to `yes` to enable it or `no` to keep it disabled (which is the default value).
|
||||
|
||||
Each setting within BunkerWeb has a specific context that determines where it can be applied. If the context is set to "global," the setting can't be applied per server or site but is instead applied to the entire configuration as a whole. On the other hand, if the context is "multisite," the setting can be applied globally and per server. To define a multisite setting for a specific server, simply add the server name as a prefix to the setting name. For example, `app1.example.com_AUTO_LETS_ENCRYPT` or `app2.example.com_USE_ANTIBOT` are examples of setting names with server name prefixes. When a multisite setting is defined globally without a server prefix, all servers inherit that setting. However, individual servers can still override the setting if the same setting is defined with a server name prefix.
|
||||
|
||||
Understanding the intricacies of multisite mode and its associated settings allows you to tailor BunkerWeb's behavior to suit your specific requirements, ensuring optimal protection for your web applications.
|
||||
|
||||
Here's a dummy example of a multisite BunkerWeb configuration :
|
||||
|
||||
```conf
|
||||
MULTISITE=yes
|
||||
SERVER_NAME=app1.example.com app2.example.com app3.example.com
|
||||
AUTO_LETS_ENCRYPT=yes
|
||||
USE_GZIP=yes
|
||||
USE_BROTLI=yes
|
||||
app1.example.com_USE_ANTIBOT=javascript
|
||||
app1.example.com_USE_MODSECURITY=no
|
||||
app2.example.com_USE_ANTIBOT=cookie
|
||||
app2.example.com_WHITELIST_COUNTRY=FR
|
||||
app3.example.com_USE_BAD_BEHAVIOR=no
|
||||
```
|
||||
|
||||
!!! info "Going further"
|
||||
|
||||
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples) directory of the repository.
|
||||
|
||||
## Custom configurations
|
||||
|
||||
To address unique challenges and cater to specific use cases, BunkerWeb offers the flexibility of custom configurations. While the provided settings and [external plugins](plugins.md) cover a wide range of scenarios, there may be situations that require additional customization.
|
||||
|
||||
BunkerWeb is built on the renowned NGINX web server, which provides a powerful configuration system. This means you can leverage NGINX's configuration capabilities to meet your specific needs. Custom NGINX configurations can be included in various [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) such as HTTP or server, allowing you to fine-tune the behavior of BunkerWeb according to your requirements. Whether you need to customize global settings or apply configurations to specific server blocks, BunkerWeb empowers you to optimize its behavior to align perfectly with your use case.
|
||||
|
||||
Another integral component of BunkerWeb is the ModSecurity Web Application Firewall. With custom configurations, you have the flexibility to address false positives or add custom rules to further enhance the protection provided by ModSecurity. These custom configurations allow you to fine-tune the behavior of the firewall and ensure that it aligns with the specific requirements of your web applications.
|
||||
|
||||
By leveraging custom configurations, you unlock a world of possibilities to tailor BunkerWeb's behavior and security measures precisely to your needs. Whether it's adjusting NGINX configurations or fine-tuning ModSecurity, BunkerWeb provides the flexibility to meet your unique challenges effectively.
|
||||
|
||||
!!! info "Going further"
|
||||
|
||||
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples) directory of the repository.
|
||||
|
||||
## Database
|
||||
|
||||
BunkerWeb securely stores its current configuration in a backend database, which contains essential data for smooth operation. The following information is stored in the database:
|
||||
|
||||
- **Settings for all services**: The database holds the defined settings for all the services provided by BunkerWeb. This ensures that your configurations and preferences are preserved and readily accessible.
|
||||
|
||||
- **Custom configurations**: Any custom configurations you create are also stored in the backend database. This includes personalized settings and modifications tailored to your specific requirements.
|
||||
|
||||
- **BunkerWeb instances**: Information about BunkerWeb instances, including their setup and relevant details, is stored in the database. This allows for easy management and monitoring of multiple instances if applicable.
|
||||
|
||||
- **Metadata about job execution**: The database stores metadata related to the execution of various jobs within BunkerWeb. This includes information about scheduled tasks, maintenance processes, and other automated activities.
|
||||
|
||||
- **Cached files**: BunkerWeb utilizes caching mechanisms for improved performance. The database holds cached files, ensuring efficient retrieval and delivery of frequently accessed resources.
|
||||
|
||||
Under the hood, whenever you edit a setting or add a new configuration, BunkerWeb automatically stores the changes in the database, ensuring data persistence and consistency. BunkerWeb supports multiple backend database options, including SQLite, MariaDB, MySQL, and PostgreSQL.
|
||||
|
||||
Configuring the database is straightforward using the `DATABASE_URI` setting, which follows the specified formats for each supported database:
|
||||
|
||||
- **SQLite**: `sqlite:///var/lib/bunkerweb/db.sqlite3`
|
||||
- **MariaDB**: `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
|
||||
- **MySQL**: `mysql+pymysql://bunkerweb:changeme@bw-db:3306/db`
|
||||
- **PostgreSQL**: `postgresql://bunkerweb:changeme@bw-db:5432/db`
|
||||
|
||||
By specifying the appropriate database URI in the configuration, you can seamlessly integrate BunkerWeb with your preferred database backend, ensuring efficient and reliable storage of your configuration data.
|
||||
|
||||
<figure markdown>
|
||||
![Overview](assets/img/bunkerweb_db.svg){ align=center, width="800" }
|
||||
<figcaption>Database Schema</figcaption>
|
||||
</figure>
|
||||
|
||||
## Scheduler
|
||||
|
||||
For seamless coordination and automation, BunkerWeb employs a specialized service known as the scheduler. The scheduler plays a vital role in ensuring smooth operation by performing the following tasks:
|
||||
|
||||
- **Storing settings and custom configurations**: The scheduler is responsible for storing all the settings and custom configurations within the backend database. This centralizes the configuration data, making it easily accessible and manageable.
|
||||
|
||||
- **Executing various tasks (jobs)**: The scheduler handles the execution of various tasks, referred to as jobs. These jobs encompass a range of activities, such as periodic maintenance, scheduled updates, or any other automated tasks required by BunkerWeb.
|
||||
|
||||
- **Generating BunkerWeb configuration**: The scheduler generates a configuration that is readily understood by BunkerWeb. This configuration is derived from the stored settings and custom configurations, ensuring that the entire system operates cohesively.
|
||||
|
||||
- **Acting as an intermediary for other services**: The scheduler acts as an intermediary, facilitating communication and coordination between different components of BunkerWeb. It interfaces with services such as the web UI or autoconf, ensuring a seamless flow of information and data exchange.
|
||||
|
||||
In essence, the scheduler serves as the brain of BunkerWeb, orchestrating various operations and ensuring the smooth functioning of the system.
|
||||
|
||||
Depending on the integration approach, the execution environment of the scheduler may differ. In container-based integrations, the scheduler is executed within its dedicated container, providing isolation and flexibility. On the other hand, for Linux-based integrations, the scheduler is self-contained within the bunkerweb service, simplifying the deployment and management process.
|
||||
|
||||
By employing the scheduler, BunkerWeb streamlines the automation and coordination of essential tasks, enabling efficient and reliable operation of the entire system.
|
|
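Review bot: the `-1,146 +0,0` header means docs/concepts.md is removed in full, which the commit subject (a squash of headers-more-nginx-module changes) does not account for. If the deletion is intended, it belongs in its own commit with a message saying where the material went. This file is the one that explains that a multisite setting is overridden per server by prefixing the server name (`app1.example.com_USE_ANTIBOT`) and that lists the `DATABASE_URI` formats, and other pages in this diff point at it through `concepts.md#scheduler` and `concepts.md#database`.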
@ -1 +0,0 @@
|
|||
|
|
@ -1 +0,0 @@
|
|||
|
|
@ -1,67 +0,0 @@
|
|||
# Introduction
|
||||
|
||||
## Overview
|
||||
|
||||
<figure markdown>
|
||||
![Overview](assets/img/intro-overview.svg){ align=center, width="800" }
|
||||
<figcaption>Make your web services secure by default !</figcaption>
|
||||
</figure>
|
||||
|
||||
Introducing BunkerWeb, the **cutting-edge** and **open-source Web Application Firewall** (WAF) that will revolutionize your web security experience.
|
||||
|
||||
With BunkerWeb, your web services are safeguarded by default, providing you with peace of mind and enhanced protection. Powered by [NGINX](https://nginx.org/), this comprehensive web server combines advanced features seamlessly, ensuring your online assets remain secure.
|
||||
|
||||
BunkerWeb effortlessly integrates into your existing environments, whether it's [Linux](integrations.md#linux), [Docker](integrations.md#docker), [Swarm](integrations.md#swarm), [Kubernetes](integrations.md#kubernetes), or more. Its versatility allows for easy configuration to suit your specific requirements. Don't worry if you prefer a user-friendly interface—BunkerWeb offers an exceptional [web UI](web-ui.md) alongside the command-line interface (CLI), ensuring accessibility for all users.
|
||||
|
||||
Experience the transformation in cybersecurity, where complexities and obstacles are a thing of the past. With BunkerWeb, fortifying your digital assets has never been more delightful and hassle-free.
|
||||
|
||||
Furthermore, BunkerWeb boasts a comprehensive set of primary [security features](security-tuning.md) at its core. However, what sets it apart is its remarkable flexibility through an intuitive [plugin system](plugins.md). This ingenious design empowers you to effortlessly enhance BunkerWeb with additional security measures, ensuring a tailored and robust defense for your web applications.
|
||||
|
||||
By seamlessly integrating new plugins into BunkerWeb, you can customize and expand its capabilities to address specific security requirements unique to your environment. Whether you need to strengthen authentication protocols, bolster threat detection, or implement specialized security measures, BunkerWeb's [plugin system](plugins.md) grants you the freedom to fortify your web infrastructure with ease.
|
||||
|
||||
With BunkerWeb's dynamic [plugin system](plugins.md), security becomes an enjoyable journey of exploration and empowerment. Discover the endless possibilities and create a fortified web environment that perfectly aligns with your needs.
|
||||
|
||||
|
||||
## Why BunkerWeb ?
|
||||
|
||||
- **Easy integration into existing environments** : Seamlessly integrate BunkerWeb into various environments such as Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, and more. Enjoy a smooth transition and hassle-free implementation.
|
||||
|
||||
- **Highly customizable** : Tailor BunkerWeb to your specific requirements with ease. Enable, disable, and configure features effortlessly, allowing you to customize the security settings according to your unique use case.
|
||||
|
||||
- **Secure by default** : BunkerWeb provides out-of-the-box, hassle-free minimal security for your web services. Experience peace of mind and enhanced protection right from the start.
|
||||
|
||||
- **Awesome web UI** : Take control of BunkerWeb more efficiently with the exceptional web user interface (UI). Navigate settings and configurations effortlessly through a user-friendly graphical interface, eliminating the need for the command-line interface (CLI).
|
||||
|
||||
- **Plugin system** : Extend the capabilities of BunkerWeb to meet your own use cases. Seamlessly integrate additional security measures and customize the functionality of BunkerWeb according to your specific requirements.
|
||||
|
||||
- **Free as in "freedom"** : BunkerWeb is licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html), embracing the principles of freedom and openness. Enjoy the freedom to use, modify, and distribute the software, backed by a supportive community.
|
||||
|
||||
## Security features
|
||||
|
||||
Explore the impressive array of security features offered by BunkerWeb. While not exhaustive, here are some notable highlights:
|
||||
|
||||
- **HTTPS** support with transparent **Let's Encrypt** automation : Easily secure your web services with automated Let's Encrypt integration, ensuring encrypted communication between clients and your server.
|
||||
|
||||
- **State-of-the-art web security** : Benefit from cutting-edge web security measures, including comprehensive HTTP security headers, prevention of data leaks, and TLS hardening techniques.
|
||||
|
||||
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set** : Enjoy enhanced protection against web application attacks with the integration of ModSecurity, fortified by the renowned OWASP Core Rule Set.
|
||||
|
||||
- **Automatic ban** of strange behaviors based on HTTP status code : BunkerWeb intelligently identifies and blocks suspicious activities by automatically banning behaviors that trigger abnormal HTTP status codes.
|
||||
|
||||
- Apply **connections and requests limit** for clients : Set limits on the number of connections and requests from clients, preventing resource exhaustion and ensuring fair usage of server resources.
|
||||
|
||||
- **Block bots** with **challenge-based verification** : Keep malicious bots at bay by challenging them to solve puzzles such as cookies, JavaScript tests, captcha, hCaptcha, reCAPTCHA or Turnstile, effectively blocking unauthorized access.
|
||||
|
||||
- **Block known bad IPs** with external blacklists and DNSBL : Utilize external blacklists and DNS-based blackhole lists (DNSBL) to proactively block known malicious IP addresses, bolstering your defense against potential threats.
|
||||
|
||||
- **And much more...** : BunkerWeb is packed with a plethora of additional security features that go beyond this list, providing you with comprehensive protection and peace of mind.
|
||||
|
||||
To delve deeper into the core security features, we invite you to explore the [security tuning](security-tuning.md) section of the documentation. Discover how BunkerWeb empowers you to fine-tune and optimize security measures according to your specific needs.
|
||||
|
||||
## Demo
|
||||
|
||||
<p align="center">
|
||||
<iframe style="display: block;" width="560" height="315" src="https://www.youtube-nocookie.com/embed/ZhYV-QELzA4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
|
||||
</p>
|
||||
|
||||
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
|
1256
docs/integrations.md
|
@ -1,89 +0,0 @@
|
|||
#!/usr/bin/python3
|
||||
|
||||
from io import StringIO
|
||||
from json import loads
|
||||
from glob import glob
|
||||
from pathlib import Path
|
||||
from pytablewriter import MarkdownTableWriter
|
||||
|
||||
|
||||
def print_md_table(settings) -> MarkdownTableWriter:
|
||||
writer = MarkdownTableWriter(
|
||||
headers=["Setting", "Default", "Context", "Multiple", "Description"],
|
||||
value_matrix=[
|
||||
[
|
||||
f"`{setting}`",
|
||||
"" if data["default"] == "" else f"`{data['default']}`",
|
||||
data["context"],
|
||||
"no" if "multiple" not in data else "yes",
|
||||
data["help"],
|
||||
]
|
||||
for setting, data in settings.items()
|
||||
],
|
||||
)
|
||||
return writer
|
||||
|
||||
|
||||
def stream_support(support) -> str:
|
||||
md = "STREAM support "
|
||||
if support == "no":
|
||||
md += ":x:"
|
||||
elif support == "yes":
|
||||
md += ":white_check_mark:"
|
||||
else:
|
||||
md += ":warning:"
|
||||
return md
|
||||
|
||||
|
||||
doc = StringIO()
|
||||
|
||||
print("# Settings\n", file=doc)
|
||||
print(
|
||||
'!!! info "Settings generator tool"\n\n To help you tune BunkerWeb, we have made an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).\n',
|
||||
file=doc,
|
||||
)
|
||||
print(
|
||||
"This section contains the full list of settings supported by BunkerWeb."
|
||||
+ " If you are not yet familiar with BunkerWeb, you should first read the [concepts](concepts.md) section of the documentation."
|
||||
+ " Please follow the instructions for your own [integration](integrations.md) on how to apply the settings.\n",
|
||||
file=doc,
|
||||
)
|
||||
print(
|
||||
"As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server, you will need to add the primary"
|
||||
+ " (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.\n",
|
||||
file=doc,
|
||||
)
|
||||
print(
|
||||
'When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`,'
|
||||
+ " `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.\n",
|
||||
file=doc,
|
||||
)
|
||||
|
||||
# Print global settings
|
||||
print("## Global settings\n", file=doc)
|
||||
print(f"\n{stream_support('partial')}\n", file=doc)
|
||||
with open("src/common/settings.json", "r") as f:
|
||||
print(print_md_table(loads(f.read())), file=doc)
|
||||
print(file=doc)
|
||||
|
||||
# Print core settings
|
||||
print("## Core settings\n", file=doc)
|
||||
core_settings = {}
|
||||
for core in glob("src/common/core/*/plugin.json"):
|
||||
with open(core, "r") as f:
|
||||
core_plugin = loads(f.read())
|
||||
if len(core_plugin["settings"]) > 0:
|
||||
core_settings[core_plugin["name"]] = core_plugin
|
||||
|
||||
for name, data in dict(sorted(core_settings.items())).items():
|
||||
print(f"### {data['name']}\n", file=doc)
|
||||
print(f"{stream_support(data['stream'])}\n", file=doc)
|
||||
print(f"{data['description']}\n", file=doc)
|
||||
print(print_md_table(data["settings"]), file=doc)
|
||||
|
||||
doc.seek(0)
|
||||
content = doc.read()
|
||||
doc = StringIO(content.replace("\\|", "|"))
|
||||
doc.seek(0)
|
||||
|
||||
Path("docs", "settings.md").write_text(doc.read(), encoding="utf-8")
|
|
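Review bot: deleting this generator leaves docs/settings.md without a producer, since the final `Path("docs", "settings.md").write_text(...)` is what builds it from `src/common/settings.json` and each `src/common/core/*/plugin.json`. Check that no build or CI step still calls the script, and say in the commit message how the settings reference is produced from now on. If the script is kept somewhere else, note that both `open(..., "r")` calls read without an explicit encoding while the output is written as `utf-8`, and that `print_md_table` returns the writer rather than printing anything.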
@ -1,41 +0,0 @@
|
|||
# Migrating from 1.4.X
|
||||
|
||||
!!! warning "Read this if you were a 1.4.X user"
|
||||
|
||||
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) folder of the repository.
|
||||
|
||||
## Scheduler
|
||||
|
||||
Back to the 1.4.X releases, jobs (like Let's Encrypt certificate generation/renewal or blacklists download) **were executed in the same container as BunkerWeb**. For the purpose of [separation of concerns](https://en.wikipedia.org/wiki/Separation_of_concerns), we decided to create a **separate service** which is now responsible for managing jobs.
|
||||
|
||||
Called **Scheduler**, this service also generates the final configuration used by BunkerWeb and acts as an intermediary between autoconf and BunkerWeb. In other words, the scheduler is the **brain of the BunkerWeb 1.5.X stack**.
|
||||
|
||||
You will find more information about the scheduler [here](concepts.md#scheduler).
|
||||
|
||||
## Database
|
||||
|
||||
BunkerWeb configuration is **no more stored in a plain file** (located at `/etc/nginx/variables.env` if you didn't know it). That's it, we now support a **fully-featured database as a backend** to store settings, cache, custom configs, ... 🥳
|
||||
|
||||
Using a real database offers many advantages :
|
||||
|
||||
- Backup of the current configuration
|
||||
- Usage with multiple services (scheduler, web UI, ...)
|
||||
- Upgrade to a new BunkerWeb version
|
||||
|
||||
Please note that we actually support, **SQLite**, **MySQL**, **MariaDB** and **PostgreSQL** as backends.
|
||||
|
||||
You will find more information about the database [here](concepts.md#database).
|
||||
|
||||
## Redis
|
||||
|
||||
When BunkerWeb 1.4.X was used in cluster mode (Swarm or Kubernetes integrations), **data were not shared among the nodes**. For example, if an attacker was banned via the "bad behavior" feature on a specific node, **he could still connect to the other nodes**.
|
||||
|
||||
Security is not the only reason to have a shared data store for clustered integrations, **caching** is also another one. We can now **store results** of time-consuming operations like (reverse) dns lookups so they are **available for other nodes**.
|
||||
|
||||
We actually support **Redis** as a backend for the shared data store.
|
||||
|
||||
See the list of [redis settings](settings.md#redis) and the corresponding documentation of your integration for more information.
|
||||
|
||||
## Default values and new settings
|
||||
|
||||
The default value of some settings have changed and we have added many other settings, we recommend you read the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.
|
|
@ -1,49 +0,0 @@
|
|||
const puppeteer = require('puppeteer');
|
||||
var args = process.argv.slice(2);
|
||||
var url = args[0];
|
||||
var pdfPath = args[1];
|
||||
var title = args[2];
|
||||
|
||||
console.log('Saving', url, 'to', pdfPath);
|
||||
|
||||
// date – formatted print date
|
||||
// title – document title
|
||||
// url – document location
|
||||
// pageNumber – current page number
|
||||
// totalPages – total pages in the document
|
||||
headerHtml = `
|
||||
<div style="font-size: 10px; text-align: center; width: 100%;">
|
||||
<span>${title}</span>
|
||||
</div>`;
|
||||
|
||||
footerHtml = `<div style="font-size: 10px; text-align: center; width: 100%;"><span class="pageNumber"></span> / <span class="totalPages"></span></div>`;
|
||||
|
||||
|
||||
(async() => {
|
||||
const browser = await puppeteer.launch({
|
||||
headless: true,
|
||||
executablePath: process.env.CHROME_BIN || null,
|
||||
args: ['--no-sandbox', '--headless', '--disable-gpu', '--disable-dev-shm-usage']
|
||||
});
|
||||
|
||||
const page = await browser.newPage();
|
||||
await page.goto(url, { waitUntil: 'networkidle2' });
|
||||
await page.pdf({
|
||||
path: pdfPath, // path to save pdf file
|
||||
format: 'A4', // page format
|
||||
displayHeaderFooter: true, // display header and footer (in this example, required!)
|
||||
printBackground: true, // print background
|
||||
landscape: false, // use horizontal page layout
|
||||
headerTemplate: headerHtml, // indicate html template for header
|
||||
footerTemplate: footerHtml,
|
||||
scale: 1, //Scale amount must be between 0.1 and 2
|
||||
margin: { // increase margins (in this example, required!)
|
||||
top: 80,
|
||||
bottom: 80,
|
||||
left: 30,
|
||||
right: 30
|
||||
}
|
||||
});
|
||||
|
||||
await browser.close();
|
||||
})();
|
|
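Review bot: if this PDF step is being moved rather than dropped, do not carry over `args: ['--no-sandbox', ...]` in `puppeteer.launch`, because the script then loads whatever `url` arrives in `process.argv` with Chromium's sandbox turned off. Two smaller points in the same script: `title` is interpolated unescaped into `headerHtml`, and `headerHtml` and `footerHtml` are assigned without `const` or `let`, which makes them implicit globals.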
@ -1,22 +0,0 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block outdated %}
|
||||
You're not viewing the documentation of the latest version.
|
||||
<a href="{{ '../' ~ base_url }}">
|
||||
<strong>Click here to view latest.</strong>
|
||||
</a>
|
||||
{% endblock %}
|
||||
|
||||
{% block announce %}
|
||||
📢 Looking for tailored support, consulting or development for BunkerWeb ?
|
||||
Contact us at <a href="mailto:contact@bunkerity.com" style="color: #3f6ec6; text-decoration: underline">contact@bunkerity.com</a> for enterprise offers !
|
||||
{% endblock %}
|
||||
|
||||
{% block libs %}
|
||||
<script
|
||||
async
|
||||
defer
|
||||
data-domain="docs.bunkerweb.io"
|
||||
src="https://data.bunkerity.com/js/script.js"
|
||||
></script>
|
||||
{% endblock %}
|
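Review bot: the `<script>` in `{% block libs %}` loads `https://data.bunkerity.com/js/script.js` with no `integrity` attribute, so whatever that host serves runs on every documentation page. The hunk removes the override in full (`-1,22 +0,0`); if the tag is carried into a replacement template, pin it with `integrity` and `crossorigin` there, and drop `defer`, which modern browsers ignore when `async` is present.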
1115
docs/package-lock.json
generated
|
@ -1,5 +0,0 @@
|
|||
{
|
||||
"dependencies": {
|
||||
"puppeteer": "^21.3.6"
|
||||
}
|
||||
}
|
557
docs/plugins.md
|
@ -1,557 +0,0 @@
|
|||
# Plugins
|
||||
|
||||
BunkerWeb comes with a plugin system making it possible to easily add new features. Once a plugin is installed, you can manage it using additional settings defined by the plugin.
|
||||
|
||||
## Official plugins
|
||||
|
||||
Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
|
||||
|
||||
| Name | Version | Description | Link |
|
||||
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
|
||||
| **ClamAV** | 1.2 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
|
||||
| **Coraza** | 1.2 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
|
||||
| **CrowdSec** | 1.2 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
|
||||
| **Discord** | 1.2 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
|
||||
| **Slack** | 1.2 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
|
||||
| **VirusTotal** | 1.2 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
|
||||
| **WebHook** | 1.2 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
|
||||
|
||||
## How to use a plugin
|
||||
|
||||
### Automatic
|
||||
|
||||
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
|
||||
|
||||
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.2.zip`
|
||||
|
||||
### Manual
|
||||
|
||||
The first step is to install the plugin by putting the plugin files inside the corresponding `plugins` data folder, the procedure depends on your integration :
|
||||
|
||||
=== "Docker"
|
||||
|
||||
When using the [Docker integration](integrations.md#docker), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
|
||||
|
||||
The first thing to do is to create the plugins folder :
|
||||
|
||||
```shell
|
||||
mkdir -p ./bw-data/plugins
|
||||
```
|
||||
|
||||
Then, you can drop the plugins of your choice into that folder :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins && \
|
||||
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
|
||||
```
|
||||
|
||||
Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
|
||||
|
||||
```shell
|
||||
chown -R 101:101 ./bw-data
|
||||
```
|
||||
|
||||
Then you can mount the volume when starting your Docker stack :
|
||||
|
||||
```yaml
|
||||
version: '3.5'
|
||||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
```
|
||||
|
||||
=== "Docker autoconf"
|
||||
|
||||
When using the [Docker autoconf integration](integrations.md#docker-autoconf), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
|
||||
|
||||
|
||||
The first thing to do is to create the plugins folder :
|
||||
|
||||
```shell
|
||||
mkdir -p ./bw-data/plugins
|
||||
```
|
||||
|
||||
Then, you can drop the plugins of your choice into that folder :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins && \
|
||||
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
|
||||
```
|
||||
|
||||
Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
|
||||
|
||||
```shell
|
||||
chown -R 101:101 ./bw-data
|
||||
```
|
||||
|
||||
Then you can mount the volume when starting your Docker stack :
|
||||
|
||||
```yaml
|
||||
version: '3.5'
|
||||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
```
|
||||
|
||||
=== "Swarm"
|
||||
|
||||
When using the [Swarm integration](integrations.md#swarm), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
|
||||
|
||||
!!! info "Swarm volume"
|
||||
Configuring a Swarm volume that will persist when the scheduler service is running on different nodes is not covered is in this documentation. We will assume that you have a shared folder mounted on `/shared` across all nodes.
|
||||
|
||||
The first thing to do is to create the plugins folder :
|
||||
|
||||
```shell
|
||||
mkdir -p /shared/bw-plugins
|
||||
```
|
||||
|
||||
Then, you can drop the plugins of your choice into that folder :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins && \
|
||||
cp -rp ./bunkerweb-plugins/* /shared/bw-plugins
|
||||
```
|
||||
|
||||
Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
|
||||
|
||||
```shell
|
||||
chown -R 101:101 /shared/bw-plugins
|
||||
```
|
||||
|
||||
Then you can mount the volume when starting your Swarm stack :
|
||||
|
||||
```yaml
|
||||
version: '3.5'
|
||||
services:
|
||||
...
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
volumes:
|
||||
- /shared/bw-plugins:/data/plugins
|
||||
...
|
||||
```
|
||||
|
||||
=== "Kubernetes"
|
||||
|
||||
When using the [Kubernetes integration](integrations.md#kubernetes), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
|
||||
|
||||
The fist thing to do is to declare a [PersistentVolumeClaim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that will contain our plugins data :
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: pvc-bunkerweb-plugins
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
```
|
||||
|
||||
You can now add the volume mount and an init containers to automatically provision the volume :
|
||||
|
||||
```yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-scheduler
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-scheduler
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-scheduler
|
||||
spec:
|
||||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
value: "yes"
|
||||
- name: "DATABASE_URI"
|
||||
value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
|
||||
volumeMounts:
|
||||
- mountPath: "/data/plugins"
|
||||
name: vol-plugins
|
||||
initContainers:
|
||||
- name: bunkerweb-scheduler-init
|
||||
image: alpine/git
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ["git clone https://github.com/bunkerity/bunkerweb-plugins /data/plugins && chown -R 101:101 /data/plugins"]
|
||||
volumeMounts:
|
||||
- mountPath: "/data/plugins"
|
||||
name: vol-plugins
|
||||
volumes:
|
||||
- name: vol-plugins
|
||||
persistentVolumeClaim:
|
||||
claimName: pvc-bunkerweb-plugins
|
||||
```
|
||||
|
||||
=== "Linux"
|
||||
|
||||
When using the [Linux integration](integrations.md#linux), plugins must be written to the `/etc/bunkerweb/plugins` folder :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins && \
|
||||
cp -rp ./bunkerweb-plugins/* /etc/bunkerweb/plugins && \
|
||||
chown -R nginx:nginx /etc/bunkerweb/plugins
|
||||
```
|
||||
|
||||
=== "Ansible"
|
||||
|
||||
When using the [Ansible integration](integrations.md#ansible), you can use the `plugins` variable to set a local folder containing your plugins that will be copied to your BunkerWeb instances.
|
||||
|
||||
Let's assume that you have plugins inside the `bunkerweb-plugins` folder :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins
|
||||
```
|
||||
|
||||
In your Ansible inventory, you can use the `plugins` variable to set the path of plugins folder :
|
||||
|
||||
```ini
|
||||
[mybunkers]
|
||||
192.168.0.42 ... custom_plugins="{{ playbook_dir }}/bunkerweb-plugins"
|
||||
```
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
- hosts: all
|
||||
become: true
|
||||
vars:
|
||||
- custom_plugins: "{{ playbook_dir }}/bunkerweb-plugins"
|
||||
roles:
|
||||
- bunkerity.bunkerweb
|
||||
```
|
||||
|
||||
Run the playbook :
|
||||
|
||||
```shell
|
||||
ansible-playbook -i inventory.yml playbook.yml
|
||||
```
|
||||
|
||||
=== "Vagrant"
|
||||
|
||||
When using the [Vagrant integration](integrations.md#vagrant), plugins must be written to the `/etc/bunkerweb/plugins` folder (you will need to do a `vagrant ssh` first) :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb-plugins && \
|
||||
cp -rp ./bunkerweb-plugins/* /etc/bunkerweb/plugins
|
||||
```
|
||||
|
||||
## Writing a plugin
|
||||
|
||||
!!! tip "Existing plugins"
|
||||
|
||||
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
|
||||
|
||||
The first step is to create a folder that will contain the plugin :
|
||||
|
||||
```shell
|
||||
mkdir myplugin && \
|
||||
cd myplugin
|
||||
```
|
||||
|
||||
### Metadata
|
||||
|
||||
A file named **plugin.json** and written at the root of the plugin folder must contain metadata about the plugin. Here is an example :
|
||||
|
||||
```json
|
||||
{
|
||||
"id": "myplugin",
|
||||
"name": "My Plugin",
|
||||
"description": "Just an example plugin.",
|
||||
"version": "1.0",
|
||||
"stream": "partial",
|
||||
"settings": {
|
||||
"DUMMY_SETTING": {
|
||||
"context": "multisite",
|
||||
"default": "1234",
|
||||
"help": "Here is the help of the setting.",
|
||||
"id": "dummy-id",
|
||||
"label": "Dummy setting",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"jobs": [
|
||||
{
|
||||
"name": "my-job",
|
||||
"file": "my-job.py",
|
||||
"every": "hour"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
Here are the details of the fields :
|
||||
|
||||
| Field | Mandatory | Type | Description |
|
||||
| :-----------: | :-------: | :----: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `id` | yes | string | Internal ID for the plugin : must be unique among other plugins (including "core" ones) and contain only lowercase chars. |
|
||||
| `name` | yes | string | Name of your plugin. |
|
||||
| `description` | yes | string | Description of your plugin. |
|
||||
| `version` | yes | string | Version of your plugin. |
|
||||
| `stream` | yes | string | Information about stream support : `no`, `yes` or `partial`.
|
||||
| `settings` | yes | dict | List of the settings of your plugin. |
|
||||
| `jobs` | no | list | List of the jobs of your plugin. |
|
||||
|
||||
Each setting has the following fields (the key is the ID of the settings used in a configuration) :
|
||||
|
||||
| Field | Mandatory | Type | Description |
|
||||
| :--------: | :-------: | :----: | :----------------------------------------------------------- |
|
||||
| `context` | yes | string | Context of the setting : `multisite` or `global`. |
|
||||
| `default` | yes | string | The default value of the setting. |
|
||||
| `help` | yes | string | Help text about the plugin (shown in web UI). |
|
||||
| `id` | yes | string | Internal ID used by the web UI for HTML elements. |
|
||||
| `label` | yes | string | Label shown by the web UI. |
|
||||
| `regex` | yes | string | The regex used to validate the value provided by the user. |
|
||||
| `type` | yes | string | The type of the field : `text`, `check`, `select` or `password`. |
|
||||
| `multiple` | no | string | Unique ID to group multiple settings with numbers as suffix. |
|
||||
| `select` | no | list | List of possible string values when `type` is `select`. |
|
||||
|
||||
Each job has the following fields :
|
||||
|
||||
| Field | Mandatory | Type | Description |
|
||||
| :-----: | :-------: | :----: | :-------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `name` | yes | string | Name of the job. |
|
||||
| `file` | yes | string | Name of the file inside the jobs folder. |
|
||||
| `every` | yes | string | Job scheduling frequency : `minute`, `hour`, `day`, `week` or `once` (no frequency, only once before (re)generating the configuration). |
|
||||
|
||||
### Configurations
|
||||
|
||||
You can add custom NGINX configurations by adding a folder named **confs** with content similar to the [custom configurations](quickstart-guide.md#custom-configurations). Each subfolder inside the **confs** will contain [jinja2](https://jinja.palletsprojects.com) templates that will be generated and loaded at the corresponding context (`http`, `server-http`, `default-server-http`, `stream` and `server-stream`).
|
||||
|
||||
Here is an example for a configuration template file inside the **confs/server-http** folder named **example.conf** :
|
||||
|
||||
```conf
|
||||
location /setting {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
ngx.say('{{ DUMMY_SETTING }}')
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
`{{ DUMMY_SETTING }}` will be replaced by the value of the `DUMMY_SETTING` chosen by the user of the plugin.
|
||||
|
||||
### LUA
|
||||
|
||||
#### Main script
|
||||
|
||||
Under the hood, BunkerWeb is using the [NGINX LUA module](https://github.com/openresty/lua-nginx-module) to execute code within NGINX. Plugins that need to execute code must provide a lua file at the root directory of the plugin folder using the `id` value of **plugin.json** as its name. Here is an example named **myplugin.lua** :
|
||||
|
||||
```lua
|
||||
local class = require "middleclass"
|
||||
local plugin = require "bunkerweb.plugin"
|
||||
local utils = require "bunkerweb.utils"
|
||||
|
||||
|
||||
local myplugin = class("myplugin", plugin)
|
||||
|
||||
|
||||
function myplugin:initialize()
|
||||
plugin.initialize(self, "myplugin")
|
||||
self.dummy = "dummy"
|
||||
end
|
||||
|
||||
function myplugin:init()
|
||||
self.logger:log(ngx.NOTICE, "init called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:set()
|
||||
self.logger:log(ngx.NOTICE, "set called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:access()
|
||||
self.logger:log(ngx.NOTICE, "access called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:log()
|
||||
self.logger:log(ngx.NOTICE, "log called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:log_default()
|
||||
self.logger:log(ngx.NOTICE, "log_default called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:preread()
|
||||
self.logger:log(ngx.NOTICE, "preread called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
function myplugin:log_stream()
|
||||
self.logger:log(ngx.NOTICE, "log_stream called")
|
||||
return self:ret(true, "success")
|
||||
end
|
||||
|
||||
return myplugin
|
||||
```
|
||||
|
||||
The declared functions are automatically called during specific contexts. Here are the details of each function :
|
||||
|
||||
| Function | Context | Description | Return value |
|
||||
| :------: | :--------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `init` | [init_by_lua](https://github.com/openresty/lua-nginx-module#init_by_lua) | Called when NGINX just started or received a reload order. the typical use case is to prepare any data that will be used by your plugin. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>|
|
||||
| `set` | [set_by_lua](https://github.com/openresty/lua-nginx-module#set_by_lua) | Called before each request received by the server.The typical use case is for computing before access phase. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>|
|
||||
| `access` | [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) | Called on each request received by the server. The typical use case is to do the security checks here and deny the request if needed. | `ret`, `msg`,`status`,`redirect`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li><li>`status` (number) : interrupt current process and return [HTTP status](https://github.com/openresty/lua-nginx-module#http-status-constants)</li><li>`redirect` (URL) : if set will redirect to given URL</li></ul> |
|
||||
| `log` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Called when a request has finished (and before it gets logged to the access logs). The typical use case is to make stats or compute counters for example. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul> |
|
||||
| `log_default` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Same as `log` but only called on the default server. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul> |
|
||||
| `preread` | [preread_by_lua](https://github.com/openresty/stream-lua-nginx-module#preread_by_lua_block) | Similar to the `access` function but for stream mode. | `ret`, `msg`,`status`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li><li>`status` (number) : interrupt current process and return [status](https://github.com/openresty/lua-nginx-module#http-status-constants)</li></ul> |
|
||||
| `log_stream` | [log_by_lua](https://github.com/openresty/stream-lua-nginx-module#log_by_lua_block) | Similar to the `log` function but for stream mode. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul> |
|
||||
|
||||
#### Libraries
|
||||
|
||||
All directives from [NGINX LUA module](https://github.com/openresty/lua-nginx-module) and are available and [NGINX stream LUA module](https://github.com/openresty/stream-lua-nginx-module). On top of that, you can use the LUA libraries included within BunkerWeb : see [this script](https://github.com/bunkerity/bunkerweb/blobsrc/deps/clone.sh) for the complete list.
|
||||
|
||||
If you need additional libraries, you can put them in the root folder of the plugin and access them by prefixing them with your plugin ID. Here is an example file named **mylibrary.lua** :
|
||||
|
||||
```lua
|
||||
local _M = {}
|
||||
|
||||
_M.dummy = function ()
|
||||
return "dummy"
|
||||
end
|
||||
|
||||
return _M
|
||||
```
|
||||
|
||||
And here is how you can use it from the **myplugin.lua** file :
|
||||
|
||||
```lua
|
||||
local mylibrary = require "myplugin.mylibrary"
|
||||
|
||||
...
|
||||
|
||||
mylibrary.dummy()
|
||||
|
||||
...
|
||||
```
|
||||
|
||||
#### Helpers
|
||||
|
||||
Some helpers modules provide common helpful helpers :
|
||||
|
||||
- `self.variables` : allows to access and store plugins' attributes
|
||||
- `self.logger` : print logs
|
||||
- `bunkerweb.utils` : various useful functions
|
||||
- `bunkerweb.datastore` : access the global shared data on one instance (key/value store)
|
||||
- `bunkerweb.clusterstore` : access a Redis data store shared between BunkerWeb instances (key/value store)
|
||||
|
||||
To access the functions, you first need to **require** the modules :
|
||||
|
||||
```lua
|
||||
local utils = require "bunkerweb.utils"
|
||||
local datastore = require "bunkerweb.datastore"
|
||||
local clustestore = require "bunkerweb.clustertore"
|
||||
```
|
||||
|
||||
Retrieve a setting value :
|
||||
|
||||
```lua
|
||||
local myvar = self.variables["DUMMY_SETTING"]
|
||||
if not myvar then
|
||||
self.logger:log(ngx.ERR, "can't retrieve setting DUMMY_SETTING")
|
||||
else
|
||||
self.logger:log(ngx.NOTICE, "DUMMY_SETTING = " .. value)
|
||||
end
|
||||
```
|
||||
|
||||
Store something in the local cache :
|
||||
|
||||
```lua
|
||||
local ok, err = self.datastore:set("plugin_myplugin_something", "somevalue")
|
||||
if not ok then
|
||||
self.logger:log(ngx.ERR, "can't save plugin_myplugin_something into datastore : " .. err)
|
||||
else
|
||||
self.logger:log(ngx.NOTICE, "successfully saved plugin_myplugin_something into datastore")
|
||||
end
|
||||
```
|
||||
|
||||
Check if an IP address is global :
|
||||
|
||||
```lua
|
||||
local ret, err = utils.ip_is_global(ngx.ctx.bw.remote_addr)
|
||||
if ret == nil then
|
||||
self.logger:log(ngx.ERR, "error while checking if IP " .. ngx.ctx.bw.remote_addr .. " is global or not : " .. err)
|
||||
elseif not ret then
|
||||
self.logger:log(ngx.NOTICE, "IP " .. ngx.ctx.bw.remote_addr .. " is not global")
|
||||
else
|
||||
self.logger:log(ngx.NOTICE, "IP " .. ngx.ctx.bw.remote_addr .. " is global")
|
||||
end
|
||||
```
|
||||
|
||||
!!! tip "More examples"
|
||||
|
||||
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/src/bw/lua/bunkerweb) of the repository.
|
||||
|
||||
### Jobs
|
||||
|
||||
BunkerWeb uses an internal job scheduler for periodic tasks like renewing certificates with certbot, downloading blacklists, downloading MMDB files, ... You can add tasks of your choice by putting them inside a subfolder named **jobs** and listing them in the **plugin.json** metadata file. Don't forget to add the execution permissions for everyone to avoid any problems when a user is cloning and installing your plugin.
|
||||
|
||||
### Plugin page
|
||||
|
||||
Plugin pages are used to display information about your plugin and interact with the user inside the plugins section of the [web UI](web-ui.md).
|
||||
|
||||
Everything related to the web UI is located inside a subfolder named **ui** at the root directory of your plugin. A template file named **template.html** and located inside the **ui** subfolder contains the client code and logic to display your page. Another file named **actions.py** and also located inside the **ui** subfolder contains code that will be executed when the user is interacting with your page (filling a form for example).
|
||||
|
||||
!!! info "Jinja 2 template"
|
||||
The **template.html** file is a Jinja2 template, please refer to the [Jinja2 documentation](https://jinja.palletsprojects.com) if needed.
|
||||
|
||||
A plugin page can have a form that is used to submit data to the plugin. To get the values of the form, you need to put a **actions.py** file in the **ui** folder. Inside the file, **you must define a function that has the same name as the plugin**. This function will be called when the form is submitted. You can then use the **request** object (from the [Flask library](https://flask.palletsprojects.com)) to get the values of the form. The form's action must finish with **/plugins/<*plugin_id*>**. The helper function `url_for` will generate for you the prefix of the URL : `{{ url_for('plugins') }}/plugin_id`.
|
||||
|
||||
If you want to display variables generated from your **actions.py** in your template file, you can return a dictionary with variables name as keys and variables value as values. Here is dummy example where we return a single variable :
|
||||
|
||||
```python
|
||||
def myplugin() :
|
||||
return {"foo": "bar"}
|
||||
```
|
||||
|
||||
And we display it in the **template.html** file :
|
||||
```html
|
||||
{% if foo %}
|
||||
Content of foo is : {{ foo }}.
|
||||
{% endif %}
|
||||
```
|
||||
|
||||
Please note that every form submission is protected via a CSRF token, you will need to include the following snippet into your forms :
|
||||
```html
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
|
||||
```
|
||||
|
||||
Retrieving user submitted data is pretty simple, thanks to the request module provided by Flask :
|
||||
|
||||
```python
|
||||
from flask import request
|
||||
|
||||
def myplugin() :
|
||||
my_form_value = request.form["my_form_input"]
|
||||
```
|
||||
|
||||
!!! info "Python libraries"
|
||||
You can use Python libraries that are already available like :
|
||||
`Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blobsrc/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.
|
|
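Review bot: two of the Lua helper snippets in this file are wrong as written and should be corrected wherever the text ends up, since the hunk deletes the page in full (`-1,557 +0,0`). In the "require the modules" block, `local clustestore = require "bunkerweb.clustertore"` misspells the module that the helper list calls `bunkerweb.clusterstore`, and in "Retrieve a setting value" the success branch logs `value`, which is never defined, where `myvar` was read. On the install side, the manual steps clone `https://github.com/bunkerity/bunkerweb-plugins` from its default branch (the Kubernetes init container does so with an untagged `alpine/git` image), while the `EXTERNAL_PLUGIN_URLS` example pins `v1.2`; because plugin Lua runs inside NGINX, the clone should be pinned to a tag as well. The same Deployment embeds `changeme` in `DATABASE_URI`, which is better taken from a Secret, and both `https://github.com/bunkerity/bunkerweb/blobsrc/...` links are missing the path segment between `blob` and `src`.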
@ -1,5 +0,0 @@
|
|||
mike==2.0.0
|
||||
mkdocs==1.5.3
|
||||
mkdocs-material==9.4.8
|
||||
mkdocs-print-site-plugin==2.3.6
|
||||
pytablewriter==1.2.0
|
|
@ -1,527 +0,0 @@
|
|||
#
|
||||
# This file is autogenerated by pip-compile with Python 3.9
|
||||
# by the following command:
|
||||
#
|
||||
# pip-compile --allow-unsafe --generate-hashes --strip-extras requirements.in
|
||||
#
|
||||
babel==2.13.1 \
|
||||
--hash=sha256:33e0952d7dd6374af8dbf6768cc4ddf3ccfefc244f9986d4074704f2fbd18900 \
|
||||
--hash=sha256:7077a4984b02b6727ac10f1f7294484f737443d7e2e66c5e4380e41a3ae0b4ed
|
||||
# via mkdocs-material
|
||||
certifi==2023.7.22 \
|
||||
--hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \
|
||||
--hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9
|
||||
# via requests
|
||||
chardet==5.2.0 \
|
||||
--hash=sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7 \
|
||||
--hash=sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970
|
||||
# via mbstrdecoder
|
||||
charset-normalizer==3.3.2 \
|
||||
--hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \
|
||||
--hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \
|
||||
--hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \
|
||||
--hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \
|
||||
--hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \
|
||||
--hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \
|
||||
--hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \
|
||||
--hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \
|
||||
--hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \
|
||||
--hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \
|
||||
--hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \
|
||||
--hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \
|
||||
--hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \
|
||||
--hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \
|
||||
--hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \
|
||||
--hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \
|
||||
--hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \
|
||||
--hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \
|
||||
--hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \
|
||||
--hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \
|
||||
--hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \
|
||||
--hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \
|
||||
--hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \
|
||||
--hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \
|
||||
--hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \
|
||||
--hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \
|
||||
--hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \
|
||||
--hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \
|
||||
--hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \
|
||||
--hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \
|
||||
--hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \
|
||||
--hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \
|
||||
--hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \
|
||||
--hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \
|
||||
--hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \
|
||||
--hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \
|
||||
--hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \
|
||||
--hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \
|
||||
--hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \
|
||||
--hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \
|
||||
--hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \
|
||||
--hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \
|
||||
--hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \
|
||||
--hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \
|
||||
--hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \
|
||||
--hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \
|
||||
--hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \
|
||||
--hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \
|
||||
--hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \
|
||||
--hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \
|
||||
--hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \
|
||||
--hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \
|
||||
--hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \
|
||||
--hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \
|
||||
--hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \
|
||||
--hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \
|
||||
--hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \
|
||||
--hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \
|
||||
--hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \
|
||||
--hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \
|
||||
--hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \
|
||||
--hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \
|
||||
--hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \
|
||||
--hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \
|
||||
--hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \
|
||||
--hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \
|
||||
--hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \
|
||||
--hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \
|
||||
--hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \
|
||||
--hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \
|
||||
--hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \
|
||||
--hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \
|
||||
--hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \
|
||||
--hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \
|
||||
--hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \
|
||||
--hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \
|
||||
--hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \
|
||||
--hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \
|
||||
--hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \
|
||||
--hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \
|
||||
--hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \
|
||||
--hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \
|
||||
--hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \
|
||||
--hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \
|
||||
--hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \
|
||||
--hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \
|
||||
--hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \
|
||||
--hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \
|
||||
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
|
||||
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
|
||||
# via requests
|
||||
click==8.1.7 \
|
||||
--hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
|
||||
--hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
|
||||
# via mkdocs
|
||||
colorama==0.4.6 \
|
||||
--hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
|
||||
--hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
|
||||
# via mkdocs-material
|
||||
dataproperty==1.0.1 \
|
||||
--hash=sha256:0b8b07d4fb6453fcf975b53d35dea41f3cfd69c9d79b5010c3cf224ff0407a7a \
|
||||
--hash=sha256:723e5729fa6e885e127a771a983ee1e0e34bb141aca4ffe1f0bfa7cde34650a4
|
||||
# via
|
||||
# pytablewriter
|
||||
# tabledata
|
||||
ghp-import==2.1.0 \
|
||||
--hash=sha256:8337dd7b50877f163d4c0289bc1f1c7f127550241988d568c1db512c4324a619 \
|
||||
--hash=sha256:9c535c4c61193c2df8871222567d7fd7e5014d835f97dc7b7439069e2413d343
|
||||
# via mkdocs
|
||||
idna==3.4 \
|
||||
--hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \
|
||||
--hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2
|
||||
# via requests
|
||||
importlib-metadata==6.8.0 \
|
||||
--hash=sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb \
|
||||
--hash=sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743
|
||||
# via
|
||||
# markdown
|
||||
# mike
|
||||
# mkdocs
|
||||
importlib-resources==6.1.1 \
|
||||
--hash=sha256:3893a00122eafde6894c59914446a512f728a0c1a45f9bb9b63721b6bacf0b4a \
|
||||
--hash=sha256:e8bf90d8213b486f428c9c39714b920041cb02c184686a3dee24905aaa8105d6
|
||||
# via mike
|
||||
jinja2==3.1.2 \
|
||||
--hash=sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852 \
|
||||
--hash=sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61
|
||||
# via
|
||||
# mike
|
||||
# mkdocs
|
||||
# mkdocs-material
|
||||
markdown==3.5.1 \
|
||||
--hash=sha256:5874b47d4ee3f0b14d764324d2c94c03ea66bee56f2d929da9f2508d65e722dc \
|
||||
--hash=sha256:b65d7beb248dc22f2e8a31fb706d93798093c308dc1aba295aedeb9d41a813bd
|
||||
# via
|
||||
# mkdocs
|
||||
# mkdocs-material
|
||||
# pymdown-extensions
|
||||
markupsafe==2.1.3 \
|
||||
--hash=sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e \
|
||||
--hash=sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e \
|
||||
--hash=sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431 \
|
||||
--hash=sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686 \
|
||||
--hash=sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c \
|
||||
--hash=sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559 \
|
||||
--hash=sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc \
|
||||
--hash=sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb \
|
||||
--hash=sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939 \
|
||||
--hash=sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c \
|
||||
--hash=sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0 \
|
||||
--hash=sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4 \
|
||||
--hash=sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9 \
|
||||
--hash=sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575 \
|
||||
--hash=sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba \
|
||||
--hash=sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d \
|
||||
--hash=sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd \
|
||||
--hash=sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3 \
|
||||
--hash=sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00 \
|
||||
--hash=sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155 \
|
||||
--hash=sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac \
|
||||
--hash=sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52 \
|
||||
--hash=sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f \
|
||||
--hash=sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8 \
|
||||
--hash=sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b \
|
||||
--hash=sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007 \
|
||||
--hash=sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24 \
|
||||
--hash=sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea \
|
||||
--hash=sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198 \
|
||||
--hash=sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0 \
|
||||
--hash=sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee \
|
||||
--hash=sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be \
|
||||
--hash=sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2 \
|
||||
--hash=sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1 \
|
||||
--hash=sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707 \
|
||||
--hash=sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6 \
|
||||
--hash=sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c \
|
||||
--hash=sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58 \
|
||||
--hash=sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823 \
|
||||
--hash=sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779 \
|
||||
--hash=sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636 \
|
||||
--hash=sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c \
|
||||
--hash=sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad \
|
||||
--hash=sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee \
|
||||
--hash=sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc \
|
||||
--hash=sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2 \
|
||||
--hash=sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48 \
|
||||
--hash=sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7 \
|
||||
--hash=sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e \
|
||||
--hash=sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b \
|
||||
--hash=sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa \
|
||||
--hash=sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5 \
|
||||
--hash=sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e \
|
||||
--hash=sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb \
|
||||
--hash=sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9 \
|
||||
--hash=sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57 \
|
||||
--hash=sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc \
|
||||
--hash=sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc \
|
||||
--hash=sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2 \
|
||||
--hash=sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11
|
||||
# via
|
||||
# jinja2
|
||||
# mkdocs
|
||||
mbstrdecoder==1.1.3 \
|
||||
--hash=sha256:d66c1ed3f2dc4e7c5d87cd44a75be10bc5af4250f95b38bbaedd7851308ce938 \
|
||||
--hash=sha256:dcfd2c759322eb44fe193a9e0b1b86c5b87f3ec5ea8e1bb43b3e9ae423f1e8fe
|
||||
# via
|
||||
# dataproperty
|
||||
# pytablewriter
|
||||
# typepy
|
||||
mergedeep==1.3.4 \
|
||||
--hash=sha256:0096d52e9dad9939c3d975a774666af186eda617e6ca84df4c94dec30004f2a8 \
|
||||
--hash=sha256:70775750742b25c0d8f36c55aed03d24c3384d17c951b3175d898bd778ef0307
|
||||
# via mkdocs
|
||||
mike==2.0.0 \
|
||||
--hash=sha256:566f1cab1a58cc50b106fb79ea2f1f56e7bfc8b25a051e95e6eaee9fba0922de \
|
||||
--hash=sha256:87f496a65900f93ba92d72940242b65c86f3f2f82871bc60ebdcffc91fad1d9e
|
||||
# via -r requirements.in
|
||||
mkdocs==1.5.3 \
|
||||
--hash=sha256:3b3a78e736b31158d64dbb2f8ba29bd46a379d0c6e324c2246c3bc3d2189cfc1 \
|
||||
--hash=sha256:eb7c99214dcb945313ba30426c2451b735992c73c2e10838f76d09e39ff4d0e2
|
||||
# via
|
||||
# -r requirements.in
|
||||
# mike
|
||||
# mkdocs-material
|
||||
mkdocs-material==9.4.8 \
|
||||
--hash=sha256:8b20f6851bddeef37dced903893cd176cf13a21a482e97705a103c45f06ce9b9 \
|
||||
--hash=sha256:f0c101453e8bc12b040e8b64ca39a405d950d8402609b1378cc2b98976e74b5f
|
||||
# via
|
||||
# -r requirements.in
|
||||
# mkdocs-print-site-plugin
|
||||
mkdocs-material-extensions==1.3 \
|
||||
--hash=sha256:0297cc48ba68a9fdd1ef3780a3b41b534b0d0df1d1181a44676fda5f464eeadc \
|
||||
--hash=sha256:f0446091503acb110a7cab9349cbc90eeac51b58d1caa92a704a81ca1e24ddbd
|
||||
# via mkdocs-material
|
||||
mkdocs-print-site-plugin==2.3.6 \
|
||||
--hash=sha256:01ccb1ceccc87f29e1612bebb77c3bf9980809fbce750fc2113f9d6acea589d4 \
|
||||
--hash=sha256:82e5cabcfb7fe3074daecea018f28ccb4bff086f965e3103fe91019a76752f22
|
||||
# via -r requirements.in
|
||||
packaging==23.2 \
|
||||
--hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
|
||||
--hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
|
||||
# via
|
||||
# mkdocs
|
||||
# typepy
|
||||
paginate==0.5.6 \
|
||||
--hash=sha256:5e6007b6a9398177a7e1648d04fdd9f8c9766a1a945bceac82f1929e8c78af2d
|
||||
# via mkdocs-material
|
||||
pathspec==0.11.2 \
|
||||
--hash=sha256:1d6ed233af05e679efb96b1851550ea95bbb64b7c490b0f5aa52996c11e92a20 \
|
||||
--hash=sha256:e0d8d0ac2f12da61956eb2306b69f9469b42f4deb0f3cb6ed47b9cce9996ced3
|
||||
# via mkdocs
|
||||
pathvalidate==3.2.0 \
|
||||
--hash=sha256:5e8378cf6712bff67fbe7a8307d99fa8c1a0cb28aa477056f8fc374f0dff24ad \
|
||||
--hash=sha256:cc593caa6299b22b37f228148257997e2fa850eea2daf7e4cc9205cef6908dee
|
||||
# via pytablewriter
|
||||
platformdirs==4.0.0 \
|
||||
--hash=sha256:118c954d7e949b35437270383a3f2531e99dd93cf7ce4dc8340d3356d30f173b \
|
||||
--hash=sha256:cb633b2bcf10c51af60beb0ab06d2f1d69064b43abf4c185ca6b28865f3f9731
|
||||
# via mkdocs
|
||||
pygments==2.16.1 \
|
||||
--hash=sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692 \
|
||||
--hash=sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29
|
||||
# via mkdocs-material
|
||||
pymdown-extensions==10.4 \
|
||||
--hash=sha256:bc46f11749ecd4d6b71cf62396104b4a200bad3498cb0f5dad1b8502fe461a35 \
|
||||
--hash=sha256:cfc28d6a09d19448bcbf8eee3ce098c7d17ff99f7bd3069db4819af181212037
|
||||
# via mkdocs-material
|
||||
pyparsing==3.1.1 \
|
||||
--hash=sha256:32c7c0b711493c72ff18a981d24f28aaf9c1fb7ed5e9667c9e84e3db623bdbfb \
|
||||
--hash=sha256:ede28a1a32462f5a9705e07aea48001a08f7cf81a021585011deba701581a0db
|
||||
# via mike
|
||||
pytablewriter==1.2.0 \
|
||||
--hash=sha256:0204a4bb684a22140d640f2599f09e137bcdc18b3dd49426f4a555016e246b46 \
|
||||
--hash=sha256:4a30e2bb4bf5bc1069b1d2b2bc41947577c4517ab0875b23a5b194d296f543d8
|
||||
# via -r requirements.in
|
||||
python-dateutil==2.8.2 \
|
||||
--hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \
|
||||
--hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
|
||||
# via
|
||||
# ghp-import
|
||||
# typepy
|
||||
pytz==2023.3.post1 \
|
||||
--hash=sha256:7b4fddbeb94a1eba4b557da24f19fdf9db575192544270a9101d8509f9f43d7b \
|
||||
--hash=sha256:ce42d816b81b68506614c11e8937d3aa9e41007ceb50bfdcb0749b921bf646c7
|
||||
# via typepy
|
||||
pyyaml==6.0.1 \
|
||||
--hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \
|
||||
--hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \
|
||||
--hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \
|
||||
--hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \
|
||||
--hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \
|
||||
--hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \
|
||||
--hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \
|
||||
--hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \
|
||||
--hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \
|
||||
--hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \
|
||||
--hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \
|
||||
--hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \
|
||||
--hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \
|
||||
--hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \
|
||||
--hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \
|
||||
--hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \
|
||||
--hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \
|
||||
--hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \
|
||||
--hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \
|
||||
--hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \
|
||||
--hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \
|
||||
--hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \
|
||||
--hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \
|
||||
--hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \
|
||||
--hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \
|
||||
--hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \
|
||||
--hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \
|
||||
--hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \
|
||||
--hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \
|
||||
--hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \
|
||||
--hash=sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd \
|
||||
--hash=sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3 \
|
||||
--hash=sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0 \
|
||||
--hash=sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515 \
|
||||
--hash=sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c \
|
||||
--hash=sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c \
|
||||
--hash=sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924 \
|
||||
--hash=sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34 \
|
||||
--hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \
|
||||
--hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \
|
||||
--hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \
|
||||
--hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \
|
||||
--hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \
|
||||
--hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \
|
||||
--hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \
|
||||
--hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \
|
||||
--hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \
|
||||
--hash=sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585 \
|
||||
--hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
|
||||
--hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
|
||||
# via
|
||||
# mike
|
||||
# mkdocs
|
||||
# pymdown-extensions
|
||||
# pyyaml-env-tag
|
||||
pyyaml-env-tag==0.1 \
|
||||
--hash=sha256:70092675bda14fdec33b31ba77e7543de9ddc88f2e5b99160396572d11525bdb \
|
||||
--hash=sha256:af31106dec8a4d68c60207c1886031cbf839b68aa7abccdb19868200532c2069
|
||||
# via mkdocs
|
||||
regex==2023.10.3 \
|
||||
--hash=sha256:00ba3c9818e33f1fa974693fb55d24cdc8ebafcb2e4207680669d8f8d7cca79a \
|
||||
--hash=sha256:00e871d83a45eee2f8688d7e6849609c2ca2a04a6d48fba3dff4deef35d14f07 \
|
||||
--hash=sha256:06e9abc0e4c9ab4779c74ad99c3fc10d3967d03114449acc2c2762ad4472b8ca \
|
||||
--hash=sha256:0b9ac09853b2a3e0d0082104036579809679e7715671cfbf89d83c1cb2a30f58 \
|
||||
--hash=sha256:0d47840dc05e0ba04fe2e26f15126de7c755496d5a8aae4a08bda4dd8d646c54 \
|
||||
--hash=sha256:0f649fa32fe734c4abdfd4edbb8381c74abf5f34bc0b3271ce687b23729299ed \
|
||||
--hash=sha256:107ac60d1bfdc3edb53be75e2a52aff7481b92817cfdddd9b4519ccf0e54a6ff \
|
||||
--hash=sha256:11175910f62b2b8c055f2b089e0fedd694fe2be3941b3e2633653bc51064c528 \
|
||||
--hash=sha256:12bd4bc2c632742c7ce20db48e0d99afdc05e03f0b4c1af90542e05b809a03d9 \
|
||||
--hash=sha256:16f8740eb6dbacc7113e3097b0a36065a02e37b47c936b551805d40340fb9971 \
|
||||
--hash=sha256:1c0e8fae5b27caa34177bdfa5a960c46ff2f78ee2d45c6db15ae3f64ecadde14 \
|
||||
--hash=sha256:2c54e23836650bdf2c18222c87f6f840d4943944146ca479858404fedeb9f9af \
|
||||
--hash=sha256:3367007ad1951fde612bf65b0dffc8fd681a4ab98ac86957d16491400d661302 \
|
||||
--hash=sha256:36362386b813fa6c9146da6149a001b7bd063dabc4d49522a1f7aa65b725c7ec \
|
||||
--hash=sha256:39807cbcbe406efca2a233884e169d056c35aa7e9f343d4e78665246a332f597 \
|
||||
--hash=sha256:39cdf8d141d6d44e8d5a12a8569d5a227f645c87df4f92179bd06e2e2705e76b \
|
||||
--hash=sha256:3b2c3502603fab52d7619b882c25a6850b766ebd1b18de3df23b2f939360e1bd \
|
||||
--hash=sha256:3ccf2716add72f80714b9a63899b67fa711b654be3fcdd34fa391d2d274ce767 \
|
||||
--hash=sha256:3fef4f844d2290ee0ba57addcec17eec9e3df73f10a2748485dfd6a3a188cc0f \
|
||||
--hash=sha256:4023e2efc35a30e66e938de5aef42b520c20e7eda7bb5fb12c35e5d09a4c43f6 \
|
||||
--hash=sha256:4a3ee019a9befe84fa3e917a2dd378807e423d013377a884c1970a3c2792d293 \
|
||||
--hash=sha256:4a8bf76e3182797c6b1afa5b822d1d5802ff30284abe4599e1247be4fd6b03be \
|
||||
--hash=sha256:4a992f702c9be9c72fa46f01ca6e18d131906a7180950958f766c2aa294d4b41 \
|
||||
--hash=sha256:4c34d4f73ea738223a094d8e0ffd6d2c1a1b4c175da34d6b0de3d8d69bee6bcc \
|
||||
--hash=sha256:4cd1bccf99d3ef1ab6ba835308ad85be040e6a11b0977ef7ea8c8005f01a3c29 \
|
||||
--hash=sha256:4ef80829117a8061f974b2fda8ec799717242353bff55f8a29411794d635d964 \
|
||||
--hash=sha256:58837f9d221744d4c92d2cf7201c6acd19623b50c643b56992cbd2b745485d3d \
|
||||
--hash=sha256:5a8f91c64f390ecee09ff793319f30a0f32492e99f5dc1c72bc361f23ccd0a9a \
|
||||
--hash=sha256:5addc9d0209a9afca5fc070f93b726bf7003bd63a427f65ef797a931782e7edc \
|
||||
--hash=sha256:6239d4e2e0b52c8bd38c51b760cd870069f0bdf99700a62cd509d7a031749a55 \
|
||||
--hash=sha256:66e2fe786ef28da2b28e222c89502b2af984858091675044d93cb50e6f46d7af \
|
||||
--hash=sha256:69c0771ca5653c7d4b65203cbfc5e66db9375f1078689459fe196fe08b7b4930 \
|
||||
--hash=sha256:6ac965a998e1388e6ff2e9781f499ad1eaa41e962a40d11c7823c9952c77123e \
|
||||
--hash=sha256:6c56c3d47da04f921b73ff9415fbaa939f684d47293f071aa9cbb13c94afc17d \
|
||||
--hash=sha256:6f85739e80d13644b981a88f529d79c5bdf646b460ba190bffcaf6d57b2a9863 \
|
||||
--hash=sha256:706e7b739fdd17cb89e1fbf712d9dc21311fc2333f6d435eac2d4ee81985098c \
|
||||
--hash=sha256:741ba2f511cc9626b7561a440f87d658aabb3d6b744a86a3c025f866b4d19e7f \
|
||||
--hash=sha256:7434a61b158be563c1362d9071358f8ab91b8d928728cd2882af060481244c9e \
|
||||
--hash=sha256:76066d7ff61ba6bf3cb5efe2428fc82aac91802844c022d849a1f0f53820502d \
|
||||
--hash=sha256:7979b834ec7a33aafae34a90aad9f914c41fd6eaa8474e66953f3f6f7cbd4368 \
|
||||
--hash=sha256:7eece6fbd3eae4a92d7c748ae825cbc1ee41a89bb1c3db05b5578ed3cfcfd7cb \
|
||||
--hash=sha256:7ef1e014eed78ab650bef9a6a9cbe50b052c0aebe553fb2881e0453717573f52 \
|
||||
--hash=sha256:81dce2ddc9f6e8f543d94b05d56e70d03a0774d32f6cca53e978dc01e4fc75b8 \
|
||||
--hash=sha256:82fcc1f1cc3ff1ab8a57ba619b149b907072e750815c5ba63e7aa2e1163384a4 \
|
||||
--hash=sha256:8d1f21af4c1539051049796a0f50aa342f9a27cde57318f2fc41ed50b0dbc4ac \
|
||||
--hash=sha256:90a79bce019c442604662d17bf69df99090e24cdc6ad95b18b6725c2988a490e \
|
||||
--hash=sha256:9145f092b5d1977ec8c0ab46e7b3381b2fd069957b9862a43bd383e5c01d18c2 \
|
||||
--hash=sha256:91dc1d531f80c862441d7b66c4505cd6ea9d312f01fb2f4654f40c6fdf5cc37a \
|
||||
--hash=sha256:979c24cbefaf2420c4e377ecd1f165ea08cc3d1fbb44bdc51bccbbf7c66a2cb4 \
|
||||
--hash=sha256:994645a46c6a740ee8ce8df7911d4aee458d9b1bc5639bc968226763d07f00fa \
|
||||
--hash=sha256:9b98b7681a9437262947f41c7fac567c7e1f6eddd94b0483596d320092004533 \
|
||||
--hash=sha256:9c6b4d23c04831e3ab61717a707a5d763b300213db49ca680edf8bf13ab5d91b \
|
||||
--hash=sha256:9c6d0ced3c06d0f183b73d3c5920727268d2201aa0fe6d55c60d68c792ff3588 \
|
||||
--hash=sha256:9fd88f373cb71e6b59b7fa597e47e518282455c2734fd4306a05ca219a1991b0 \
|
||||
--hash=sha256:a8f4e49fc3ce020f65411432183e6775f24e02dff617281094ba6ab079ef0915 \
|
||||
--hash=sha256:a9e908ef5889cda4de038892b9accc36d33d72fb3e12c747e2799a0e806ec841 \
|
||||
--hash=sha256:ad08a69728ff3c79866d729b095872afe1e0557251da4abb2c5faff15a91d19a \
|
||||
--hash=sha256:adbccd17dcaff65704c856bd29951c58a1bd4b2b0f8ad6b826dbd543fe740988 \
|
||||
--hash=sha256:b0c7d2f698e83f15228ba41c135501cfe7d5740181d5903e250e47f617eb4292 \
|
||||
--hash=sha256:b3ab05a182c7937fb374f7e946f04fb23a0c0699c0450e9fb02ef567412d2fa3 \
|
||||
--hash=sha256:b6104f9a46bd8743e4f738afef69b153c4b8b592d35ae46db07fc28ae3d5fb7c \
|
||||
--hash=sha256:ba7cd6dc4d585ea544c1412019921570ebd8a597fabf475acc4528210d7c4a6f \
|
||||
--hash=sha256:bc72c231f5449d86d6c7d9cc7cd819b6eb30134bb770b8cfdc0765e48ef9c420 \
|
||||
--hash=sha256:bce8814b076f0ce5766dc87d5a056b0e9437b8e0cd351b9a6c4e1134a7dfbda9 \
|
||||
--hash=sha256:be5e22bbb67924dea15039c3282fa4cc6cdfbe0cbbd1c0515f9223186fc2ec5f \
|
||||
--hash=sha256:be6b7b8d42d3090b6c80793524fa66c57ad7ee3fe9722b258aec6d0672543fd0 \
|
||||
--hash=sha256:bfe50b61bab1b1ec260fa7cd91106fa9fece57e6beba05630afe27c71259c59b \
|
||||
--hash=sha256:bff507ae210371d4b1fe316d03433ac099f184d570a1a611e541923f78f05037 \
|
||||
--hash=sha256:c148bec483cc4b421562b4bcedb8e28a3b84fcc8f0aa4418e10898f3c2c0eb9b \
|
||||
--hash=sha256:c15ad0aee158a15e17e0495e1e18741573d04eb6da06d8b84af726cfc1ed02ee \
|
||||
--hash=sha256:c2169b2dcabf4e608416f7f9468737583ce5f0a6e8677c4efbf795ce81109d7c \
|
||||
--hash=sha256:c55853684fe08d4897c37dfc5faeff70607a5f1806c8be148f1695be4a63414b \
|
||||
--hash=sha256:c65a3b5330b54103e7d21cac3f6bf3900d46f6d50138d73343d9e5b2900b2353 \
|
||||
--hash=sha256:c7964c2183c3e6cce3f497e3a9f49d182e969f2dc3aeeadfa18945ff7bdd7051 \
|
||||
--hash=sha256:cc3f1c053b73f20c7ad88b0d1d23be7e7b3901229ce89f5000a8399746a6e039 \
|
||||
--hash=sha256:ce615c92d90df8373d9e13acddd154152645c0dc060871abf6bd43809673d20a \
|
||||
--hash=sha256:d29338556a59423d9ff7b6eb0cb89ead2b0875e08fe522f3e068b955c3e7b59b \
|
||||
--hash=sha256:d8a993c0a0ffd5f2d3bda23d0cd75e7086736f8f8268de8a82fbc4bd0ac6791e \
|
||||
--hash=sha256:d9c727bbcf0065cbb20f39d2b4f932f8fa1631c3e01fcedc979bd4f51fe051c5 \
|
||||
--hash=sha256:dac37cf08fcf2094159922edc7a2784cfcc5c70f8354469f79ed085f0328ebdf \
|
||||
--hash=sha256:dd829712de97753367153ed84f2de752b86cd1f7a88b55a3a775eb52eafe8a94 \
|
||||
--hash=sha256:e54ddd0bb8fb626aa1f9ba7b36629564544954fff9669b15da3610c22b9a0991 \
|
||||
--hash=sha256:e77c90ab5997e85901da85131fd36acd0ed2221368199b65f0d11bca44549711 \
|
||||
--hash=sha256:ebedc192abbc7fd13c5ee800e83a6df252bec691eb2c4bedc9f8b2e2903f5e2a \
|
||||
--hash=sha256:ef71561f82a89af6cfcbee47f0fabfdb6e63788a9258e913955d89fdd96902ab \
|
||||
--hash=sha256:f0a47efb1dbef13af9c9a54a94a0b814902e547b7f21acb29434504d18f36e3a \
|
||||
--hash=sha256:f4f2ca6df64cbdd27f27b34f35adb640b5d2d77264228554e68deda54456eb11 \
|
||||
--hash=sha256:fb02e4257376ae25c6dd95a5aec377f9b18c09be6ebdefa7ad209b9137b73d48
|
||||
# via mkdocs-material
|
||||
requests==2.31.0 \
|
||||
--hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
|
||||
--hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
|
||||
# via
|
||||
# importlib-metadata
|
||||
# importlib-resources
|
||||
|
||||
# The following packages are considered to be unsafe in a requirements file:
|
||||
setuptools==68.2.2 \
|
||||
--hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \
|
||||
--hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
|
||||
# via mkdocs-material
|
||||
six==1.16.0 \
|
||||
--hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
|
||||
--hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
|
||||
# via python-dateutil
|
||||
tabledata==1.3.3 \
|
||||
--hash=sha256:4abad1c996d8607e23b045b44dc0c5f061668f3c37585302c5f6c84c93a89962 \
|
||||
--hash=sha256:c90daaba9a408e4397934b3ff2f6c06797d5289676420bf520c741ad43e6ff91
|
||||
# via pytablewriter
|
||||
tcolorpy==0.1.4 \
|
||||
--hash=sha256:d0926480aa5012f34877d69fc3b670f207dc165674e68ad07458fa6ee5b12724 \
|
||||
--hash=sha256:f0dceb1cb95e554cee63024b3cd2fd8d4628c568773de2d1e6b4f0478461901c
|
||||
# via pytablewriter
|
||||
typepy==1.3.2 \
|
||||
--hash=sha256:b69fd48b9f50cdb3809906eef36b855b3134ff66c8893a4f8580abddb0b39517 \
|
||||
--hash=sha256:d5d1022a424132622993800f1d2cd16cfdb691ac4e3b9c325f0fcb37799db1ae
|
||||
# via
|
||||
# dataproperty
|
||||
# pytablewriter
|
||||
# tabledata
|
||||
# typepy
|
||||
urllib3==2.0.7 \
|
||||
--hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \
|
||||
--hash=sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e
|
||||
# via requests
|
||||
verspec==0.1.0 \
|
||||
--hash=sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31 \
|
||||
--hash=sha256:c4504ca697b2056cdb4bfa7121461f5a0e81809255b41c03dda4ba823637c01e
|
||||
# via mike
|
||||
watchdog==3.0.0 \
|
||||
--hash=sha256:0e06ab8858a76e1219e68c7573dfeba9dd1c0219476c5a44d5333b01d7e1743a \
|
||||
--hash=sha256:13bbbb462ee42ec3c5723e1205be8ced776f05b100e4737518c67c8325cf6100 \
|
||||
--hash=sha256:233b5817932685d39a7896b1090353fc8efc1ef99c9c054e46c8002561252fb8 \
|
||||
--hash=sha256:25f70b4aa53bd743729c7475d7ec41093a580528b100e9a8c5b5efe8899592fc \
|
||||
--hash=sha256:2b57a1e730af3156d13b7fdddfc23dea6487fceca29fc75c5a868beed29177ae \
|
||||
--hash=sha256:336adfc6f5cc4e037d52db31194f7581ff744b67382eb6021c868322e32eef41 \
|
||||
--hash=sha256:3aa7f6a12e831ddfe78cdd4f8996af9cf334fd6346531b16cec61c3b3c0d8da0 \
|
||||
--hash=sha256:3ed7c71a9dccfe838c2f0b6314ed0d9b22e77d268c67e015450a29036a81f60f \
|
||||
--hash=sha256:4c9956d27be0bb08fc5f30d9d0179a855436e655f046d288e2bcc11adfae893c \
|
||||
--hash=sha256:4d98a320595da7a7c5a18fc48cb633c2e73cda78f93cac2ef42d42bf609a33f9 \
|
||||
--hash=sha256:4f94069eb16657d2c6faada4624c39464f65c05606af50bb7902e036e3219be3 \
|
||||
--hash=sha256:5113334cf8cf0ac8cd45e1f8309a603291b614191c9add34d33075727a967709 \
|
||||
--hash=sha256:51f90f73b4697bac9c9a78394c3acbbd331ccd3655c11be1a15ae6fe289a8c83 \
|
||||
--hash=sha256:5d9f3a10e02d7371cd929b5d8f11e87d4bad890212ed3901f9b4d68767bee759 \
|
||||
--hash=sha256:7ade88d0d778b1b222adebcc0927428f883db07017618a5e684fd03b83342bd9 \
|
||||
--hash=sha256:7c5f84b5194c24dd573fa6472685b2a27cc5a17fe5f7b6fd40345378ca6812e3 \
|
||||
--hash=sha256:7e447d172af52ad204d19982739aa2346245cc5ba6f579d16dac4bfec226d2e7 \
|
||||
--hash=sha256:8ae9cda41fa114e28faf86cb137d751a17ffd0316d1c34ccf2235e8a84365c7f \
|
||||
--hash=sha256:8f3ceecd20d71067c7fd4c9e832d4e22584318983cabc013dbf3f70ea95de346 \
|
||||
--hash=sha256:9fac43a7466eb73e64a9940ac9ed6369baa39b3bf221ae23493a9ec4d0022674 \
|
||||
--hash=sha256:a70a8dcde91be523c35b2bf96196edc5730edb347e374c7de7cd20c43ed95397 \
|
||||
--hash=sha256:adfdeab2da79ea2f76f87eb42a3ab1966a5313e5a69a0213a3cc06ef692b0e96 \
|
||||
--hash=sha256:ba07e92756c97e3aca0912b5cbc4e5ad802f4557212788e72a72a47ff376950d \
|
||||
--hash=sha256:c07253088265c363d1ddf4b3cdb808d59a0468ecd017770ed716991620b8f77a \
|
||||
--hash=sha256:c9d8c8ec7efb887333cf71e328e39cffbf771d8f8f95d308ea4125bf5f90ba64 \
|
||||
--hash=sha256:d00e6be486affb5781468457b21a6cbe848c33ef43f9ea4a73b4882e5f188a44 \
|
||||
--hash=sha256:d429c2430c93b7903914e4db9a966c7f2b068dd2ebdd2fa9b9ce094c7d459f33
|
||||
# via mkdocs
|
||||
zipp==3.17.0 \
|
||||
--hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \
|
||||
--hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0
|
||||
# via pytablewriter
|
|
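Review bot: the entries ending here (`urllib3==2.0.7`, `watchdog==3.0.0`, `zipp==3.17.0`) each carry `--hash=sha256:` pins and `# via mkdocs` / `# via mike` provenance comments, so this file is a hash-locked docs toolchain. If this hunk removes it, as the two `+0,0` hunks that follow do for their files, the commit should state what now pins these packages. Any remaining docs build that installs mkdocs or mike without this file loses the integrity check the hashes provided.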
@ -1,4 +0,0 @@
|
|||
User-agent: *
|
||||
Allow: /latest/
|
||||
|
||||
Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml
|
|
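Review bot: `-1,4 +0,0` deletes the whole robots file, including the `Allow: /latest/` rule and the `Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml` line, and nothing in the hunk says where they go. If the docs site is still published from another location, note in the commit message where the robots rules and sitemap reference now live. If it is not, confirm that the sitemap URL is retired rather than left to return errors to crawlers.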
@ -1,495 +0,0 @@
|
|||
# Security tuning
|
||||
|
||||
BunkerWeb offers many security features that you can configure with [settings](settings.md). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you tune them. By doing so you will be able to ensure the security level of your choice but also manage false positives.
|
||||
|
||||
!!! tip "Other settings"
|
||||
This section only focuses on security tuning, see the [settings section](settings.md) of the documentation for other settings.
|
||||
|
||||
<figure markdown>
|
||||
![Overview](assets/img/core-order.svg){ align=center }
|
||||
<figcaption>Overview and order of the core security plugins</figcaption>
|
||||
</figure>
|
||||
|
||||
## HTTP protocol
|
||||
|
||||
### Deny status code
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
The first thing to define is the kind of action to do when a client access is denied. You can control the action with the `DENY_HTTP_STATUS` setting which allows the following values :
|
||||
|
||||
- `403` : send a "classical" Forbidden HTTP status code (a web page or custom content will be displayed)
|
||||
- `444` : close the connection (no web page or custom content will be displayed)
|
||||
|
||||
The default value is `403` and we suggest you set it to `444` only if you already fixed a lot of false positive, you are familiar with BunkerWeb and want a higher level of security.
|
||||
|
||||
When using stream mode, value is ignored and always set to `444` with effect of closing the connection.
|
||||
|
||||
### Default server
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
In the HTTP protocol, the Host header is used to determine which server the client wants to send the request to. That header is facultative and may be missing from the request or can be set as an unknown value. This is a common case, a lot of bots are scanning the Internet and are trying to exploit services or simply doing some fingerprinting.
|
||||
|
||||
You can disable any request containing undefined or unknown Host value by setting `DISABLE_DEFAULT_SERVER` to `yes` (default : `no`). Please note that clients won't even receive a response, the TCP connection will be closed (using the special 444 status code of NGINX).
|
||||
|
||||
### Allowed methods
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can control the allowed HTTP methods by listing them (separated with "|") in the `ALLOWED_METHODS` setting (default : `GET|POST|HEAD`). Clients sending a method which is not listed will get a "405 - Method Not Allowed".
|
||||
|
||||
### Max sizes
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can control the maximum body size with the `MAX_CLIENT_SIZE` setting (default : `10m`). See [here](https://nginx.org/en/docs/syntax.html) for accepted values. You can use the special value `0` to allow a body of infinite size (not recommended).
|
||||
|
||||
### Serve files
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
To disable serving files from the www folder, you can set `SERVE_FILES` to `no` (default : `yes`). The value `no` is recommended if you use BunkerWeb as a reverse proxy.
|
||||
|
||||
### Headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Headers are very important when it comes to HTTP security. While some of them might be too verbose, others' verbosity will need to be increased, especially on the client-side.
|
||||
|
||||
#### Remove headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can automatically remove verbose headers in the HTTP responses by using the `REMOVE_HEADERS` setting (default : `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
|
||||
|
||||
#### Keep upstream headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can automatically keep headers from upstream servers and prevent BunkerWeb from overriding them in the HTTP responses by using the `KEEP_UPSTREAM_HEADERS` setting (default : `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`). A special value `*` is available to keep all headers. List of headers to keep must be separated with a space. Note that if the header is not present in the upstream response, it will be added by BunkerWeb.
|
||||
|
||||
#### Cookies
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
When it comes to cookies security, we can use the following flags :
|
||||
|
||||
- HttpOnly : disable any access to the cookie from Javascript using document.cookie
|
||||
- SameSite : policy when requests come from third-party websites
|
||||
- Secure : only send cookies on HTTPS request
|
||||
|
||||
Cookie flags can be overridden with values of your choice by using the `COOKIE_FLAGS` setting (default : `* HttpOnly SameSite=Lax`). See [here](https://github.com/AirisX/nginx_cookie_flag_module) for accepted values.
|
||||
|
||||
The Secure flag can be automatically added if HTTPS is used by using the `COOKIE_AUTO_SECURE_FLAG` setting (default : `yes`). The value `no` is not recommended unless you know what you're doing.
|
||||
|
||||
#### Security headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Various security headers are available and most of them can be set using BunkerWeb settings. Here is the list of headers, the corresponding setting and default value :
|
||||
|
||||
| Header | Setting | Default |
|
||||
| :-------------------------: | :-------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
|
||||
| `Content-Security-Policy` | `CONTENT_SECURITY_POLICY` | `object-src 'none'; frame-src 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self';` |
|
||||
| `Strict-Transport-Security` | `STRICT_TRANSPORT_SECURITY` | `max-age=31536000` |
|
||||
| `Referrer-Policy` | `REFERRER_POLICY` | `strict-origin-when-cross-origin` |
|
||||
| `Permissions-Policy` | `PERMISSIONS_POLICY` | `accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |
|
||||
| `Feature-Policy` | `FEATURE_POLICY` | `accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';` |
|
||||
| `X-Frame-Options` | `X_FRAME_OPTIONS` | `SAMEORIGIN` |
|
||||
| `X-Content-Type-Options` | `X_CONTENT_TYPE_OPTIONS` | `nosniff` |
|
||||
| `X-XSS-Protection` | `X_XSS_PROTECTION` | `1; mode=block` |
|
||||
|
||||
#### CORS
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](#allowed-methods)). Here is the list of settings related to CORS :
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
|
||||
|
||||
Here is some examples of possible values for `CORS_ALLOW_ORIGIN` setting :
|
||||
|
||||
- `*` will allow all origin
|
||||
- `^https://www\.example\.com$` will allow `https://www.example.com`
|
||||
- `^https://.+\.example.com$` will allow any origins when domain ends with `.example.com`
|
||||
- `^https://(www\.example1\.com|www\.example2\.com)$` will allow both `https://www.example1.com` and `https://www.example2.com`
|
||||
- `^https?://www\.example\.com$` will allow both `https://www.example.com` and `http://www.example.com`
|
||||
|
||||
## HTTPS / SSL/TLS
|
||||
|
||||
Besides the HTTPS / SSL/TLS configuration, the following settings related to HTTPS / SSL/TLS can be set :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :---------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------- |
|
||||
| `REDIRECT_HTTP_TO_HTTPS` | `no` | When set to `yes`, will redirect every HTTP request to HTTPS even if BunkerWeb is not configured with HTTPS. |
|
||||
| `AUTO_REDIRECT_HTTP_TO_HTTPS` | `yes` | When set to `yes`, will redirect every HTTP request to HTTPS only if BunkerWeb is configured with HTTPS. |
|
||||
| `SSL_PROTOCOLS` | `TLSv1.2 TLSv1.3` | List of supported SSL/TLS protocols when SSL is enabled. |
|
||||
| `HTTP2` | `yes` | When set to `yes`, will enable HTTP2 protocol support when using HTTPS. |
|
||||
| `LISTEN_HTTP` | `yes` | When set to `no`, BunkerWeb will not listen for HTTP requests. Useful if you want HTTPS only for example. |
|
||||
|
||||
### Let's Encrypt
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
BunkerWeb comes with automatic Let's Encrypt certificate generation and renewal. This is the easiest way of getting HTTPS / SSL/TLS working out of the box for public-facing web applications. Please note that you will need to set up proper DNS A record(s) for each of your domains pointing to your public IP(s) where BunkerWeb is accessible.
|
||||
|
||||
Here is the list of related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :------------------------: | :----------------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `AUTO_LETS_ENCRYPT` | `no` | When set to `yes`, HTTPS / SSL/TLS will be enabled with automatic certificate generation and renewal from Let's Encrypt. |
|
||||
| `EMAIL_LETS_ENCRYPT` | `contact@{FIRST_SERVER}` | Email to use when generating certificates. Let's Encrypt will send notifications to that email like certificate expiration. |
|
||||
| `USE_LETS_ENCRYPT_STAGING` | `no` | When set to `yes`, the staging server of Let's Encrypt will be used instead of the production one. Useful when doing tests to avoid being "blocked" due to limits. |
|
||||
|
||||
Full Let's Encrypt automation is fully working with stream mode as long as you open the `80/tcp` port from the outside. Please note that you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
|
||||
|
||||
### Custom certificate
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
If you want to use your own certificates, here is the list of related settings :
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
|
||||
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS / SSL/TLS certificate. |
|
||||
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file (must be readable by the scheduler).|
|
||||
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file (must be readable by the scheduler). |
|
||||
|
||||
|
||||
When `USE_CUSTOM_SSL` is set to `yes`, BunkerWeb will check every day if the custom certificate specified in `CUSTOM_SSL_CERT` is modified and will reload NGINX if that's the case.
|
||||
|
||||
When using stream mode, you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
|
||||
|
||||
### Self-signed
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
If you want to quickly test HTTPS / SSL/TLS for staging/dev environment you can configure BunkerWeb to generate self-signed certificates, here is the list of related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :------------------------: | :--------------------: | :------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `GENERATE_SELF_SIGNED_SSL` | `no` | When set to `yes`, HTTPS / SSL/TLS will be enabled with automatic self-signed certificate generation and renewal from Let's Encrypt. |
|
||||
| `SELF_SIGNED_SSL_EXPIRY` | `365` | Number of days for the certificate expiration (**-days** value used with **openssl**). |
|
||||
| `SELF_SIGNED_SSL_SUBJ` | `/CN=www.example.com/` | Certificate subject to use (**-subj** value used with **openssl**). |
|
||||
|
||||
When using stream mode, you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
|
||||
|
||||
## ModSecurity
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within BunkerWeb. Here is the list of related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :-------------------: | :-----: | :---------------------------------------------------------------------------------------------------- |
|
||||
| `USE_MODSECURITY` | `yes` | When set to `yes`, ModSecurity will be enabled. |
|
||||
| `USE_MODSECURITY_CRS` | `yes` | When set to `yes` and `USE_MODSECURITY` is also set to `yes`, the OWASP Core Rule Set will be loaded. |
|
||||
|
||||
We strongly recommend keeping both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed with some efforts and the CRS team maintains a list of exclusions for common applications (e.g., WordPress, Nextcloud, Drupal, Cpanel, ...).
|
||||
|
||||
Tuning ModSecurity and the CRS can be done using [custom configurations](quickstart-guide.md#custom-configurations) :
|
||||
|
||||
- modsec-crs : before the OWASP Core Rule Set is loaded
|
||||
- modsec : after the OWASP Core Rule Set is loaded (also used if CRS is not loaded)
|
||||
|
||||
For example, you can add a custom configuration with type `modsec-crs` to add CRS exclusions :
|
||||
|
||||
```conf
|
||||
SecAction \
|
||||
"id:900130,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_wordpress=1"
|
||||
```
|
||||
|
||||
You can also add a custom configuration with type `modsec` to update loaded CRS rules :
|
||||
|
||||
```conf
|
||||
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
|
||||
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
|
||||
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
|
||||
```
|
||||
|
||||
## Bad behavior
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
When attackers search for and/or exploit vulnerabilities they might generate some "suspicious" HTTP status codes that a "regular" user won’t generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come up with a new one.
|
||||
|
||||
That kind of security measure is implemented and enabled by default in BunkerWeb and is called "Bad behavior". Here is the list of the related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :-------------------------: | :---------------------------: | :--------------------------------------------------------------------------- |
|
||||
| `USE_BAD_BEHAVIOR` | `yes` | When set to `yes`, the Bad behavior feature will be enabled. |
|
||||
| `BAD_BEHAVIOR_STATUS_CODES` | `400 401 403 404 405 429 444` | List of HTTP status codes considered as "suspicious". |
|
||||
| `BAD_BEHAVIOR_BAN_TIME` | `86400` | The duration time (in seconds) of a ban when a client reached the threshold. |
|
||||
| `BAD_BEHAVIOR_THRESHOLD` | `10` | Maximum number of "suspicious" HTTP status codes within the time period. |
|
||||
| `BAD_BEHAVIOR_COUNT_TIME` | `60` | Period of time during which we count "suspicious" HTTP status codes. |
|
||||
|
||||
In other words, with the default values, if a client generates more than `10` status codes from the list `400 401 403 404 405 429 444` within `60` seconds their IP address will be banned for `86400` seconds.
|
||||
|
||||
When using stream mode, only the `444` status code will count as "bad".
|
||||
|
||||
## Antibot
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Attackers will certainly use automated tools to exploit/find some vulnerabilities in your web applications. One countermeasure is to challenge the users to detect if they look like a bot. If the challenge is solved, we consider the client as "legitimate" and they can access the web application.
|
||||
|
||||
That kind of security is implemented but not enabled by default in BunkerWeb and is called "Antibot". Here is the list of supported challenges :
|
||||
|
||||
- **Cookie** : send a cookie to the client, we expect to get the cookie back on other requests
|
||||
- **Javascript** : force a client to solve a computation challenge using Javascript
|
||||
- **Captcha** : force the client to solve a classical captcha (no external dependencies)
|
||||
- **hCaptcha** : force the client to solve a captcha from hCaptcha
|
||||
- **reCAPTCHA** : force the client to get a minimum score with Google reCAPTCHA
|
||||
- **Turnstile** : enforce rate limiting and access control for APIs and web applications using various mechanisms with Coudflare Turnstile
|
||||
|
||||
Here is the list of related settings :
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
|
||||
|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
|
||||
|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|
||||
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|
||||
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
|
||||
|
||||
Please note that antibot feature is using a cookie to maintain a session with clients. If you are using BunkerWeb in a clustered environment, you will need to set the `SESSIONS_SECRET` and `SESSIONS_NAME` settings to another value than the default one (which is `random`). You will find more info about sessions [here](settings.md#sessions).
|
||||
|
||||
## Blacklisting, whitelisting and greylisting
|
||||
|
||||
The blacklisting security feature is very easy to understand : if a specific criteria is met, the client will be banned. As for the whitelisting, it's the exact opposite : if a specific criteria is met, the client will be allowed and no additional security check will be done. Whereas for the greylisting : if a specific criteria is met, the client will be allowed but additional security checks will be done.
|
||||
|
||||
You can configure blacklisting, whitelisting and greylisting at the same time. If that's the case, note that whitelisting is executed before blacklisting and greylisting : even if a criteria is true for all of them, the client will be whitelisted.
|
||||
|
||||
### Blacklisting
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
You can use the following settings to set up blacklisting :
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
|
||||
|`USE_BLACKLIST` |`yes` |multisite|no |Activate blacklist feature. |
|
||||
|`BLACKLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to block. |
|
||||
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|
||||
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|
||||
|`BLACKLIST_RDNS` |`.shodan.io .censys.io` |multisite|no |List of reverse DNS suffixes, separated with spaces, to block. |
|
||||
|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
|
||||
|`BLACKLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to block. |
|
||||
|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
|
||||
|`BLACKLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to block. |
|
||||
|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
|
||||
|`BLACKLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to block. |
|
||||
|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
|
||||
|`BLACKLIST_IGNORE_IP` | |multisite|no |List of IP/network, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
|
||||
|`BLACKLIST_IGNORE_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_URI_URLS` | |global |no |List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
|
||||
|
||||
When using stream mode, only IP, RDNS and ASN checks will be done.
|
||||
|
||||
### Greylisting
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
You can use the following settings to set up greylisting :
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
|
||||
|`USE_GREYLIST` |`no` |multisite|no |Activate greylist feature. |
|
||||
|`GREYLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|
||||
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|
||||
|`GREYLIST_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
|
||||
|`GREYLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. |
|
||||
|`GREYLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to put into the greylist. |
|
||||
|`GREYLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to put into the greylist. |
|
||||
|
||||
When using stream mode, only IP, RDNS and ASN checks will be done.
|
||||
|
||||
### Whitelisting
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
You can use the following settings to set up whitelisting :
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|
||||
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|
||||
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|
||||
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|
||||
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|
||||
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` |multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|
||||
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|
||||
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|
||||
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
|
||||
|
||||
When using stream mode, only IP, RDNS and ASN checks will be done.
|
||||
|
||||
## Reverse scan
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Reverse scan is a feature designed to detect open ports by establishing TCP connections with clients' IP addresses.
|
||||
Consider adding this feature if you want to detect possible open proxies or connections from servers.
|
||||
|
||||
We provide a list of suspicious ports by default but it can be modified to fit your needs. Be mindful, adding too many ports to the list can significantly slow down clients' connections due to the network checks. If a listed port is open, the client's access will be denied.
|
||||
|
||||
Please be aware, this feature is new and further improvements will be added soon.
|
||||
|
||||
Here is the list of settings related to reverse scan :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :----------: | :--------------------------------------------------------------------------: | :--------------------------------------------- |
|
||||
| `USE_REVERSE_SCAN` | `no` | When set to `yes`, will enable ReverseScan. |
|
||||
| `REVERSE_SCAN_PORTS` | `22 80 443 3128 8000 8080` | List of suspicious ports to scan. |
|
||||
| `REVERSE_SCAN_TIMEOUT` | `500` | Specify the maximum timeout (in ms) when scanning a port. |
|
||||
|
||||
## BunkerNet
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
BunkerNet is a crowdsourced database of malicious requests shared between all BunkerWeb instances over the world.
|
||||
|
||||
If you enable BunkerNet, malicious requests will be sent to a remote server and will be analyzed by our systems. By doing so, we can extract malicious data from everyone's reports and give back the results to each BunkerWeb instances participating into BunkerNet.
|
||||
|
||||
At the moment, that feature should be considered in "beta". We only extract malicious IP and we are very strict about how we do it to avoid any "poisoning". We strongly recommend activating it (which is the default) because the more instances participate, the more data we have to improve the algorithm.
|
||||
|
||||
The setting used to enable or disable BunkerNet is `USE_BUNKERNET` (default : `yes`).
|
||||
|
||||
## DNSBL
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
DNSBL or "DNS BlackList" is an external list of malicious IPs that you query using the DNS protocol. Automatic querying of that kind of blacklist is supported by BunkerWeb. If a remote DNSBL server of your choice says that the IP address of the client is in the blacklist, it will be banned.
|
||||
|
||||
Here is the list of settings related to DNSBL :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :----------: | :--------------------------------------------------------------------------: | :--------------------------------------------- |
|
||||
| `USE_DNSBL` | `yes` | When set to `yes`, will enable DNSBL checking. |
|
||||
| `DNSBL_LIST` | `bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org` | List of DNSBL servers to ask. |
|
||||
|
||||
## Limiting
|
||||
|
||||
BunkerWeb supports applying a limit policy to :
|
||||
|
||||
- Number of connections per IP
|
||||
- Number of requests per IP and URL within a time period
|
||||
|
||||
Please note that it should not be considered as an effective solution against DoS or DDoS but rather as an anti-bruteforce measure or rate limit policy for API.
|
||||
|
||||
In both cases (connections or requests) if the limit is reached, the client will receive the HTTP status "429 - Too Many Requests".
|
||||
|
||||
### Connections
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
The following settings are related to the Limiting connections feature :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :--------------------: | :-----: | :----------------------------------------------------------------------------------------- |
|
||||
| `USE_LIMIT_CONN` | `yes` | When set to `yes`, will limit the maximum number of concurrent connections for a given IP. |
|
||||
| `LIMIT_CONN_MAX_HTTP1` | `10` | Maximum number of concurrent connections when using HTTP1 protocol. |
|
||||
| `LIMIT_CONN_MAX_HTTP2` | `100` | Maximum number of concurrent streams when using HTTP2 protocol. |
|
||||
| `LIMIT_CONN_MAX_STREAM`| `10` | Maximum number of connections per IP when using stream. |
|
||||
|
||||
### Requests
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
The following settings are related to the Limiting requests feature :
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-----------------------|-------|---------|--------|---------------------------------------------------------------------------------------------|
|
||||
|`USE_LIMIT_REQ` |`yes` |multisite|no |Activate limit requests feature. |
|
||||
|`LIMIT_REQ_URL` |`/` |multisite|yes |URL (PCRE regex) where the limit request will be applied or special value / for all requests.|
|
||||
|`LIMIT_REQ_RATE` |`2r/s` |multisite|yes |Rate to apply to the URL (s for second, m for minute, h for hour and d for day). |
|
||||
|`USE_LIMIT_CONN` |`yes` |multisite|no |Activate limit connections feature. |
|
||||
|`LIMIT_CONN_MAX_HTTP1` |`10` |multisite|no |Maximum number of connections per IP when using HTTP/1.X protocol. |
|
||||
|`LIMIT_CONN_MAX_HTTP2` |`100` |multisite|no |Maximum number of streams per IP when using HTTP/2 protocol. |
|
||||
|`LIMIT_CONN_MAX_STREAM`|`10` |multisite|no |Maximum number of connections per IP when using stream. |
|
||||
|
||||
Please note that you can add different rates for different URLs by adding a number as a suffix to the settings for example : `LIMIT_REQ_URL_1=^/url1$`, `LIMIT_REQ_RATE_1=5r/d`, `LIMIT_REQ_URL_2=^/url2/subdir/.*$`, `LIMIT_REQ_RATE_2=1r/m`, ...
|
||||
|
||||
Another important thing to note is that `LIMIT_REQ_URL` values are PCRE regex.
|
||||
|
||||
## Country
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
The country security feature allows you to apply policy based on the country of the IP address of clients :
|
||||
|
||||
- Deny any access if the country is in a blacklist
|
||||
- Only allow access if the country is in a whitelist (other security checks will still be executed)
|
||||
|
||||
Here is the list of related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :-----------------: | :-----: | :------------------------------------------- |
|
||||
| `BLACKLIST_COUNTRY` | | List of 2 letters country code to blacklist. |
|
||||
| `WHITELIST_COUNTRY` | | List of 2 letters country code to whitelist. |
|
||||
|
||||
Using both country blacklist and whitelist at the same time makes no sense. If you do, please note that only the whitelist will be executed.
|
||||
|
||||
## Authentication
|
||||
|
||||
### Auth basic
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
You can quickly protect sensitive resources like the admin area for example, by requiring HTTP basic authentication. Here is the list of related settings :
|
||||
|
||||
| Setting | Default | Description |
|
||||
| :-----------------------: | :---------------: | :------------------------------------------------------------------------------------------- |
|
||||
| `USE_AUTH_BASIC` | `no` | When set to `yes` HTTP auth basic will be enabled. |
|
||||
| `AUTH_BASIC_LOCATION` | `sitewide` | Location (URL) of the sensitive resource. Use special value `sitewide` to enable everywhere. |
|
||||
| `AUTH_BASIC_USER` | `changeme` | The username required. |
|
||||
| `AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
|
||||
| `AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
|
||||
|
||||
### Auth request
|
||||
|
||||
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples).
|
||||
|
||||
**Auth request settings are related to reverse proxy rules.**
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|
||||
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|
||||
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|
||||
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|
|
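Review bot: in the Auth basic table, `AUTH_BASIC_USER` and `AUTH_BASIC_PASSWORD` are both documented with the default `changeme`, and nothing in that section says they must be overridden before `USE_AUTH_BASIC` is set to `yes`. The section should state this explicitly, since `AUTH_BASIC_LOCATION` defaults to `sitewide`. Two smaller documentation points in the same hunk: the table under "### Requests" repeats the `USE_LIMIT_CONN` and `LIMIT_CONN_MAX_*` rows that are already listed under "### Connections", and the `WHITELIST_URI_URLS` description reads "containing bad URI to whitelist", where "bad" does not fit a whitelist entry.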
541
docs/settings.md
|
@ -1,541 +0,0 @@
|
|||
# Settings
|
||||
|
||||
!!! info "Settings generator tool"
|
||||
|
||||
To help you tune BunkerWeb, we have made an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
|
||||
|
||||
This section contains the full list of settings supported by BunkerWeb. If you are not yet familiar with BunkerWeb, you should first read the [concepts](concepts.md) section of the documentation. Please follow the instructions for your own [integration](integrations.md) on how to apply the settings.
|
||||
|
||||
As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server, you will need to add the primary (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.
|
||||
|
||||
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
|
||||
|
||||
## Global settings
|
||||
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------------|------------------------------------------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
|
||||
|`IS_LOADING` |`no` |global |no |Internal use : set to yes when BW is loading. |
|
||||
|`NGINX_PREFIX` |`/etc/nginx/` |global |no |Where nginx will search for configurations. |
|
||||
|`HTTP_PORT` |`8080` |global |no |HTTP port number which bunkerweb binds to. |
|
||||
|`HTTPS_PORT` |`8443` |global |no |HTTPS port number which bunkerweb binds to. |
|
||||
|`MULTISITE` |`no` |global |no |Multi site activation. |
|
||||
|`SERVER_NAME` |`www.example.com` |multisite|no |List of the virtual hosts served by bunkerweb. |
|
||||
|`WORKER_PROCESSES` |`auto` |global |no |Number of worker processes. |
|
||||
|`WORKER_RLIMIT_NOFILE` |`2048` |global |no |Maximum number of open files for worker processes.|
|
||||
|`WORKER_CONNECTIONS` |`1024` |global |no |Maximum number of connections per worker. |
|
||||
|`LOG_FORMAT` |`$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"`|global |no |The format to use for access logs. |
|
||||
|`LOG_LEVEL` |`notice` |global |no |The level to use for error logs. |
|
||||
|`DNS_RESOLVERS` |`127.0.0.11` |global |no |DNS addresses of resolvers to use. |
|
||||
|`DATASTORE_MEMORY_SIZE` |`64m` |global |no |Size of the internal datastore. |
|
||||
|`CACHESTORE_MEMORY_SIZE` |`64m` |global |no |Size of the internal cachestore. |
|
||||
|`CACHESTORE_IPC_MEMORY_SIZE` |`16m` |global |no |Size of the internal cachestore (ipc). |
|
||||
|`CACHESTORE_MISS_MEMORY_SIZE` |`16m` |global |no |Size of the internal cachestore (miss). |
|
||||
|`CACHESTORE_LOCKS_MEMORY_SIZE`|`16m` |global |no |Size of the internal cachestore (locks). |
|
||||
|`USE_API` |`yes` |global |no |Activate the API to control BunkerWeb. |
|
||||
|`API_HTTP_PORT` |`5000` |global |no |Listen port number for the API. |
|
||||
|`API_LISTEN_IP` |`0.0.0.0` |global |no |Listen IP address for the API. |
|
||||
|`API_SERVER_NAME` |`bwapi` |global |no |Server name (virtual host) for the API. |
|
||||
|`API_WHITELIST_IP` |`127.0.0.0/8` |global |no |List of IP/network allowed to contact the API. |
|
||||
|`AUTOCONF_MODE` |`no` |global |no |Enable Autoconf Docker integration. |
|
||||
|`SWARM_MODE` |`no` |global |no |Enable Docker Swarm integration. |
|
||||
|`KUBERNETES_MODE` |`no` |global |no |Enable Kubernetes integration. |
|
||||
|`SERVER_TYPE` |`http` |multisite|no |Server type : http or stream. |
|
||||
|`LISTEN_STREAM` |`yes` |multisite|no |Enable listening for non-ssl (passthrough). |
|
||||
|`LISTEN_STREAM_PORT` |`1337` |multisite|no |Listening port for non-ssl (passthrough). |
|
||||
|`LISTEN_STREAM_PORT_SSL` |`4242` |multisite|no |Listening port for ssl (passthrough). |
|
||||
|`USE_UDP` |`no` |multisite|no |UDP listen instead of TCP (stream). |
|
||||
|`USE_IPV6` |`no` |global |no |Enable IPv6 connectivity. |
|
||||
|
||||
|
||||
## Core settings
|
||||
|
||||
### Antibot
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Bot detection by using a challenge.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
|
||||
|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
|
||||
|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|
||||
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|
||||
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|
||||
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|
||||
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
|
||||
|
||||
### Auth basic
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Enforce login before accessing a resource or the whole site using HTTP basic auth method.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------|-----------------|---------|--------|------------------------------------------------|
|
||||
|`USE_AUTH_BASIC` |`no` |multisite|no |Use HTTP basic auth |
|
||||
|`AUTH_BASIC_LOCATION`|`sitewide` |multisite|no |URL of the protected resource or sitewide value.|
|
||||
|`AUTH_BASIC_USER` |`changeme` |multisite|no |Username |
|
||||
|`AUTH_BASIC_PASSWORD`|`changeme` |multisite|no |Password |
|
||||
|`AUTH_BASIC_TEXT` |`Restricted area`|multisite|no |Text to display |
|
||||
|
||||
### Bad behavior
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Ban IP generating too much 'bad' HTTP status code in a period of time.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|-----------------------------|---------|--------|--------------------------------------------------------------------------------------------|
|
||||
|`USE_BAD_BEHAVIOR` |`yes` |multisite|no |Activate Bad behavior feature. |
|
||||
|`BAD_BEHAVIOR_STATUS_CODES`|`400 401 403 404 405 429 444`|multisite|no |List of HTTP status codes considered as 'bad'. |
|
||||
|`BAD_BEHAVIOR_BAN_TIME` |`86400` |multisite|no |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
|
||||
|`BAD_BEHAVIOR_THRESHOLD` |`10` |multisite|no |Maximum number of 'bad' HTTP status codes within the period of time before IP is banned. |
|
||||
|`BAD_BEHAVIOR_COUNT_TIME` |`60` |multisite|no |Period of time (in seconds) during which we count 'bad' HTTP status codes. |
|
||||
|
||||
### Blacklist
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Deny access based on internal and external IP/network/rDNS/ASN blacklists.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
|
||||
|`USE_BLACKLIST` |`yes` |multisite|no |Activate blacklist feature. |
|
||||
|`BLACKLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to block. |
|
||||
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|
||||
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|
||||
|`BLACKLIST_RDNS` |`.shodan.io .censys.io` |multisite|no |List of reverse DNS suffixes, separated with spaces, to block. |
|
||||
|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
|
||||
|`BLACKLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to block. |
|
||||
|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
|
||||
|`BLACKLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to block. |
|
||||
|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
|
||||
|`BLACKLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to block. |
|
||||
|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
|
||||
|`BLACKLIST_IGNORE_IP` | |multisite|no |List of IP/network, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
|
||||
|`BLACKLIST_IGNORE_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
|
||||
|`BLACKLIST_IGNORE_URI_URLS` | |global |no |List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
|
||||
|
||||
### Brotli
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Compress HTTP requests with the brotli algorithm.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------|
|
||||
|`USE_BROTLI` |`no` |multisite|no |Use brotli |
|
||||
|`BROTLI_TYPES` |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no |List of MIME types that will be compressed with brotli.|
|
||||
|`BROTLI_MIN_LENGTH`|`1000` |multisite|no |Minimum length for brotli compression. |
|
||||
|`BROTLI_COMP_LEVEL`|`6` |multisite|no |The compression level of the brotli algorithm. |
|
||||
|
||||
### BunkerNet
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Share threat data with other BunkerWeb instances via BunkerNet.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------|--------------------------|---------|--------|-----------------------------|
|
||||
|`USE_BUNKERNET` |`yes` |multisite|no |Activate BunkerNet feature. |
|
||||
|`BUNKERNET_SERVER`|`https://api.bunkerweb.io`|global |no |Address of the BunkerNet API.|
|
||||
|
||||
### CORS
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Cross-Origin Resource Sharing.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|
||||
|`USE_CORS` |`no` |multisite|no |Use CORS |
|
||||
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|
||||
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|
||||
|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
|
||||
|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
|
||||
|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
|
||||
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|
||||
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|
||||
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|
||||
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|
||||
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
|
||||
|
||||
### Client cache
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Manage caching for clients.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-------------------------|------------------------------------------------------------|---------|--------|--------------------------------------------------------------------|
|
||||
|`USE_CLIENT_CACHE` |`no` |multisite|no |Tell client to store locally static files. |
|
||||
|`CLIENT_CACHE_EXTENSIONS`|`jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2`|global |no |List of file extensions, separated with pipes that should be cached.|
|
||||
|`CLIENT_CACHE_ETAG` |`yes` |multisite|no |Send the HTTP ETag header for static resources. |
|
||||
|`CLIENT_CACHE_CONTROL` |`public, max-age=15552000` |multisite|no |Value of the Cache-Control HTTP header. |
|
||||
|
||||
### Country
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Deny access based on the country of the client IP.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-------------------|-------|---------|--------|-----------------------------------------------------------------------------|
|
||||
|`BLACKLIST_COUNTRY`| |multisite|no |Deny access if the country of the client is in the list (2 letters code). |
|
||||
|`WHITELIST_COUNTRY`| |multisite|no |Deny access if the country of the client is not in the list (2 letters code).|
|
||||
|
||||
### Custom HTTPS certificate
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Choose custom certificate for HTTPS.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
|
||||
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
|
||||
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file (must be readable by the scheduler).|
|
||||
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file (must be readable by the scheduler). |
|
||||
|
||||
### DB
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Integrate easily the Database.
|
||||
|
||||
| Setting | Default |Context|Multiple| Description |
|
||||
|--------------|-----------------------------------------|-------|--------|--------------------------------------------------|
|
||||
|`DATABASE_URI`|`sqlite:////var/lib/bunkerweb/db.sqlite3`|global |no |The database URI, following the sqlalchemy format.|
|
||||
|
||||
### DNSBL
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Deny access based on external DNSBL servers.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|------------|----------------------------------------------------------------------------|---------|--------|-----------------------|
|
||||
|`USE_DNSBL` |`yes` |multisite|no |Activate DNSBL feature.|
|
||||
|`DNSBL_LIST`|`bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org`|global |no |List of DNSBL servers. |
|
||||
|
||||
### Errors
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Manage default error pages
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-------------------------|-------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------------------------------|
|
||||
|`ERRORS` | |multisite|no |List of HTTP error code and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...).|
|
||||
|`INTERCEPTED_ERROR_CODES`|`400 401 403 404 405 413 429 500 501 502 503 504`|multisite|no |List of HTTP error code intercepted by Bunkerweb |
|
||||
|
||||
### Greylist
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Allow access while keeping security features based on internal and external IP/network/rDNS/ASN greylists.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
|
||||
|`USE_GREYLIST` |`no` |multisite|no |Activate greylist feature. |
|
||||
|`GREYLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|
||||
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|
||||
|`GREYLIST_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
|
||||
|`GREYLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. |
|
||||
|`GREYLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to put into the greylist. |
|
||||
|`GREYLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to put into the greylist. |
|
||||
|`GREYLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to put into the greylist. |
|
||||
|
||||
### Gzip
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Compress HTTP requests with the gzip algorithm.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-----------------------------------------------------|
|
||||
|`USE_GZIP` |`no` |multisite|no |Use gzip |
|
||||
|`GZIP_TYPES` |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no |List of MIME types that will be compressed with gzip.|
|
||||
|`GZIP_MIN_LENGTH`|`1000` |multisite|no |Minimum length for gzip compression. |
|
||||
|`GZIP_COMP_LEVEL`|`5` |multisite|no |The compression level of the gzip algorithm. |
|
||||
|
||||
### HTML injection
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Inject custom HTML code before the </body> tag.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-------------|-------|---------|--------|------------------------|
|
||||
|`INJECT_BODY`| |multisite|no |The HTML code to inject.|
|
||||
|
||||
### Headers
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Manage HTTP headers sent to clients.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|
||||
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|
||||
|`REMOVE_HEADERS` |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|
||||
|`KEEP_UPSTREAM_HEADERS` |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` |multisite|no |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). |
|
||||
|`STRICT_TRANSPORT_SECURITY` |`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|
||||
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|
||||
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|
||||
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|
||||
|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no` |multisite|no |Send reports for violations of the Content-Security-Policy header instead of blocking them. |
|
||||
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|
||||
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|
||||
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|
||||
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|
||||
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|
||||
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
|
||||
|
||||
### Let's Encrypt
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Automatic creation, renewal and configuration of Let's Encrypt certificates.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|--------------------------|-------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
|`AUTO_LETS_ENCRYPT` |`no` |multisite|no |Activate automatic Let's Encrypt mode. |
|
||||
|`EMAIL_LETS_ENCRYPT` | |multisite|no |Email used for Let's Encrypt notification and in certificate. |
|
||||
|`USE_LETS_ENCRYPT_STAGING`|`no` |multisite|no |Use the staging environment for Let’s Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.|
|
||||
|
||||
### Limit
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Limit maximum number of requests and connections.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-----------------------|-------|---------|--------|---------------------------------------------------------------------------------------------|
|
||||
|`USE_LIMIT_REQ` |`yes` |multisite|no |Activate limit requests feature. |
|
||||
|`LIMIT_REQ_URL` |`/` |multisite|yes |URL (PCRE regex) where the limit request will be applied or special value / for all requests.|
|
||||
|`LIMIT_REQ_RATE` |`2r/s` |multisite|yes |Rate to apply to the URL (s for second, m for minute, h for hour and d for day). |
|
||||
|`USE_LIMIT_CONN` |`yes` |multisite|no |Activate limit connections feature. |
|
||||
|`LIMIT_CONN_MAX_HTTP1` |`10` |multisite|no |Maximum number of connections per IP when using HTTP/1.X protocol. |
|
||||
|`LIMIT_CONN_MAX_HTTP2` |`100` |multisite|no |Maximum number of streams per IP when using HTTP/2 protocol. |
|
||||
|`LIMIT_CONN_MAX_STREAM`|`10` |multisite|no |Maximum number of connections per IP when using stream. |
|
||||
|
||||
### Miscellaneous
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Miscellaneous settings.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|-----------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|
||||
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|
||||
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|
||||
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|
||||
|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|
||||
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|
||||
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|
||||
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|
||||
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|
||||
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|
||||
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|
||||
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|
||||
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|
||||
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|
||||
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|
||||
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|
||||
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).|
|
||||
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. |
|
||||
|
||||
### ModSecurity
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Management of the ModSecurity WAF.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------------|--------------|---------|--------|------------------------------------------|
|
||||
|`USE_MODSECURITY` |`yes` |multisite|no |Enable ModSecurity WAF. |
|
||||
|`USE_MODSECURITY_CRS` |`yes` |multisite|no |Enable OWASP Core Rule Set. |
|
||||
|`MODSECURITY_SEC_AUDIT_ENGINE` |`RelevantOnly`|multisite|no |SecAuditEngine directive of ModSecurity. |
|
||||
|`MODSECURITY_SEC_RULE_ENGINE` |`On` |multisite|no |SecRuleEngine directive of ModSecurity. |
|
||||
|`MODSECURITY_SEC_AUDIT_LOG_PARTS`|`ABCFHZ` |multisite|no |SecAuditLogParts directive of ModSecurity.|
|
||||
|
||||
### PHP
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Manage local or remote PHP-FPM.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-----------------|-------|---------|--------|------------------------------------------------------------|
|
||||
|`REMOTE_PHP` | |multisite|no |Hostname of the remote PHP-FPM instance. |
|
||||
|`REMOTE_PHP_PATH`| |multisite|no |Root folder containing files in the remote PHP-FPM instance.|
|
||||
|`LOCAL_PHP` | |multisite|no |Path to the PHP-FPM socket file. |
|
||||
|`LOCAL_PHP_PATH` | |multisite|no |Root folder containing files in the local PHP-FPM instance. |
|
||||
|
||||
### Real IP
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Get real IP of clients when BunkerWeb is behind a reverse proxy / load balancer.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|--------------------|-----------------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------|
|
||||
|`USE_REAL_IP` |`no` |multisite|no |Retrieve the real IP of client. |
|
||||
|`USE_PROXY_PROTOCOL`|`no` |multisite|no |Enable PROXY protocol communication. |
|
||||
|`REAL_IP_FROM` |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no |List of trusted IPs / networks, separated with spaces, where proxied requests come from. |
|
||||
|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.|
|
||||
|`REAL_IP_HEADER` |`X-Forwarded-For` |multisite|no |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol. |
|
||||
|`REAL_IP_RECURSIVE` |`yes` |multisite|no |Perform a recursive search in the header container IP address. |
|
||||
|
||||
### Redirect
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Manage HTTP redirects.
|
||||
|
||||
| Setting |Default| Context |Multiple| Description |
|
||||
|-------------------------|-------|---------|--------|-------------------------------------------------|
|
||||
|`REDIRECT_TO` | |multisite|no |Redirect a whole site to another one. |
|
||||
|`REDIRECT_TO_REQUEST_URI`|`no` |multisite|no |Append the requested URI to the redirect address.|
|
||||
|`REDIRECT_TO_STATUS_CODE`|`301` |multisite|no |Status code to send to client when redirecting. |
|
||||
|
||||
### Redis
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Redis server configuration when using BunkerWeb in cluster mode.
|
||||
|
||||
| Setting |Default|Context|Multiple| Description |
|
||||
|----------------------|-------|-------|--------|------------------------------------------------------------------|
|
||||
|`USE_REDIS` |`no` |global |no |Activate Redis. |
|
||||
|`REDIS_HOST` | |global |no |Redis server IP or hostname. |
|
||||
|`REDIS_PORT` |`6379` |global |no |Redis server port. |
|
||||
|`REDIS_DATABASE` |`0` |global |no |Redis database number. |
|
||||
|`REDIS_SSL` |`no` |global |no |Use SSL/TLS connection with Redis server. |
|
||||
|`REDIS_TIMEOUT` |`1000` |global |no |Redis server timeout (in ms) for connect, read and write. |
|
||||
|`REDIS_KEEPALIVE_IDLE`|`30000`|global |no |Max idle time (in ms) before closing redis connection in the pool.|
|
||||
|`REDIS_KEEPALIVE_POOL`|`10` |global |no |Max number of redis connection(s) kept in the pool. |
|
||||
|
||||
### Reverse proxy
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Manage reverse proxy configurations.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|
||||
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|
||||
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|
||||
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|
||||
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|
||||
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|
||||
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive). |
|
||||
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with semicolons (values for add_header directive). |
|
||||
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|
||||
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|
||||
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|
||||
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|
||||
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives).|
|
||||
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|
||||
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|
||||
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|
||||
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|
||||
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|
||||
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimum number of requests before a response is cached. |
|
||||
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|
||||
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time depending on the HTTP status code (list of status=time), separated with spaces. |
|
||||
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|
||||
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|
||||
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|
||||
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|
||||
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
|
||||
|
||||
### Reverse scan
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Scan clients ports to detect proxies or servers.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|----------------------|--------------------------|---------|--------|------------------------------------------------------------------|
|
||||
|`USE_REVERSE_SCAN` |`no` |multisite|no |Enable scanning of clients ports and deny access if one is opened.|
|
||||
|`REVERSE_SCAN_PORTS` |`22 80 443 3128 8000 8080`|multisite|no |List of port to scan when using reverse scan feature. |
|
||||
|`REVERSE_SCAN_TIMEOUT`|`500` |multisite|no |Specify the maximum timeout (in ms) when scanning a port. |
|
||||
|
||||
### Self-signed certificate
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Generate self-signed certificate.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|--------------------------|----------------------|---------|--------|-----------------------------------------|
|
||||
|`GENERATE_SELF_SIGNED_SSL`|`no` |multisite|no |Generate and use self-signed certificate.|
|
||||
|`SELF_SIGNED_SSL_EXPIRY` |`365` |multisite|no |Self-signed certificate expiry in days. |
|
||||
|`SELF_SIGNED_SSL_SUBJ` |`/CN=www.example.com/`|multisite|no |Self-signed certificate subject. |
|
||||
|
||||
### Sessions
|
||||
|
||||
STREAM support :white_check_mark:
|
||||
|
||||
Management of session used by other plugins.
|
||||
|
||||
| Setting |Default |Context|Multiple| Description |
|
||||
|---------------------------|--------|-------|--------|---------------------------------------------------------------------------------|
|
||||
|`SESSIONS_SECRET` |`random`|global |no |Secret used to encrypt sessions variables for storing data related to challenges.|
|
||||
|`SESSIONS_NAME` |`random`|global |no |Name of the cookie given to clients. |
|
||||
|`SESSIONS_IDLING_TIMEOUT` |`1800` |global |no |Maximum time (in seconds) of inactivity before the session is invalidated. |
|
||||
|`SESSIONS_ROLLING_TIMEOUT` |`3600` |global |no |Maximum time (in seconds) before a session must be renewed. |
|
||||
|`SESSIONS_ABSOLUTE_TIMEOUT`|`86400` |global |no |Maximum time (in seconds) before a session is destroyed. |
|
||||
|`SESSIONS_CHECK_IP` |`yes` |global |no |Destroy session if IP address is different than original one. |
|
||||
|`SESSIONS_CHECK_USER_AGENT`|`yes` |global |no |Destroy session if User-Agent is different than original one. |
|
||||
|
||||
### UI
|
||||
|
||||
STREAM support :x:
|
||||
|
||||
Integrate easily the BunkerWeb UI.
|
||||
|
||||
|Setting |Default| Context |Multiple|Description|
|
||||
|--------|-------|---------|--------|-----------|
|
||||
|`USE_UI`|`no` |multisite|no |Use UI |
|
||||
|
||||
### Whitelist
|
||||
|
||||
STREAM support :warning:
|
||||
|
||||
Allow access based on internal and external IP/network/rDNS/ASN whitelists.
|
||||
|
||||
| Setting | Default | Context |Multiple| Description |
|
||||
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|
||||
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|
||||
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|
||||
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|
||||
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|
||||
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|
||||
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|
||||
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|
||||
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|
||||
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|
||||
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
|
|
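Review bot: in the Whitelist table, the `WHITELIST_URI_URLS` description reads "containing bad URI to whitelist", which contradicts the sibling rows ("good IP/network", "good User-Agent") and looks copied from a blacklist table; it should say "good URI". The `WHITELIST_IP` default is also a hard-coded list of twelve public addresses with no stated owner, so a short note on what they belong to would let operators audit what bypasses the checks by default. Minor: the `REAL_IP_RECURSIVE` description says "header container IP address", presumably meant as "header containing IP address".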
@ -1,287 +0,0 @@
|
|||
# Troubleshooting
|
||||
|
||||
## Logs
|
||||
|
||||
When troubleshooting, logs are your best friends. We try our best to provide user-friendly logs to help you understand what's happening.
|
||||
|
||||
Please note that you can set `LOG_LEVEL` setting to `info` (default : `notice`) to increase the verbosity of BunkerWeb.
|
||||
|
||||
Here is how you can access the logs, depending on your integration :
|
||||
|
||||
=== "Docker"
|
||||
|
||||
!!! tip "List containers"
|
||||
To list the running containers, you can use the following command :
|
||||
```shell
|
||||
docker ps
|
||||
```
|
||||
|
||||
You can use the `docker logs` command (replace `mybunker` with the name of your container) :
|
||||
```shell
|
||||
docker logs mybunker
|
||||
```
|
||||
|
||||
Here is the docker-compose equivalent (replace `mybunker` with the name of the services declared in the docker-compose.yml file) :
|
||||
```shell
|
||||
docker-compose logs mybunker
|
||||
```
|
||||
|
||||
=== "Docker autoconf"
|
||||
|
||||
!!! tip "List containers"
|
||||
To list the running containers, you can use the following command :
|
||||
```shell
|
||||
docker ps
|
||||
```
|
||||
|
||||
You can use the `docker logs` command (replace `mybunker` and `myautoconf` with the name of your containers) :
|
||||
```shell
|
||||
docker logs mybunker
|
||||
docker logs myautoconf
|
||||
```
|
||||
|
||||
Here is the docker-compose equivalent (replace `mybunker` and `myautoconf` with the name of the services declared in the docker-compose.yml file) :
|
||||
```shell
|
||||
docker-compose logs mybunker
|
||||
docker-compose logs myautoconf
|
||||
```
|
||||
|
||||
=== "Swarm"
|
||||
|
||||
!!! tip "List services"
|
||||
To list the services, you can use the following command :
|
||||
```shell
|
||||
docker service ls
|
||||
```
|
||||
|
||||
You can use the `docker service logs` command (replace `mybunker` and `myautoconf` with the name of your services) :
|
||||
```shell
|
||||
docker service logs mybunker
|
||||
docker service logs myautoconf
|
||||
```
|
||||
|
||||
=== "Kubernetes"
|
||||
|
||||
!!! tip "List pods"
|
||||
To list the pods, you can use the following command :
|
||||
```shell
|
||||
kubectl get pods
|
||||
```
|
||||
You can use the `kubectl logs` command (replace `mybunker` and `myautoconf` with the name of your pods) :
|
||||
```shell
|
||||
kubectl logs mybunker
|
||||
kubectl logs myautoconf
|
||||
```
|
||||
|
||||
=== "Linux"
|
||||
|
||||
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
|
||||
```shell
|
||||
journalctl -u bunkerweb --no-pager
|
||||
```
|
||||
|
||||
Common logs are located inside the `/var/log/bunkerweb` directory :
|
||||
```shell
|
||||
cat /var/log/bunkerweb/error.log
|
||||
cat /var/log/bunkerweb/access.log
|
||||
```
|
||||
|
||||
=== "Ansible"
|
||||
|
||||
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
|
||||
```shell
|
||||
ansible -i inventory.yml all -a "journalctl -u bunkerweb --no-pager" --become
|
||||
```
|
||||
|
||||
Common logs are located inside the `/var/log/bunkerweb` directory :
|
||||
```shell
|
||||
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/error.log" --become
|
||||
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/access.log" --become
|
||||
```
|
||||
|
||||
=== "Vagrant"
|
||||
|
||||
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
|
||||
```shell
|
||||
journalctl -u bunkerweb --no-pager
|
||||
```
|
||||
|
||||
Common logs are located inside the `/var/log/bunkerweb` directory :
|
||||
```shell
|
||||
cat /var/log/bunkerweb/error.log
|
||||
cat /var/log/bunkerweb/access.log
|
||||
```
|
||||
|
||||
## Permissions
|
||||
|
||||
Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](quickstart-guide.md#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
|
||||
|
||||
## ModSecurity
|
||||
|
||||
The default BunkerWeb configuration of ModSecurity is to load the Core Rule Set in anomaly scoring mode with a paranoia level (PL) of 1 :
|
||||
|
||||
- Each matched rule will increase an anomaly score (so many rules can match a single request)
|
||||
- PL1 includes rules with fewer chances of false positives (but less security than PL4)
|
||||
- the default threshold for anomaly score is 5 for requests and 4 for responses
|
||||
|
||||
Let's take the following logs as an example of ModSecurity detection using default configuration (formatted for better readability) :
|
||||
|
||||
```log
|
||||
2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:id' (Value: `/etc/passwd' )
|
||||
[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
|
||||
[line "78"]
|
||||
[id "930120"]
|
||||
[rev ""]
|
||||
[msg "OS File Access Attempt"]
|
||||
[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
|
||||
[severity "2"]
|
||||
[ver "OWASP_CRS/3.3.2"]
|
||||
[maturity "0"]
|
||||
[accuracy "0"]
|
||||
[tag "application-multi"]
|
||||
[tag "language-multi"]
|
||||
[tag "platform-multi"]
|
||||
[tag "attack-lfi"]
|
||||
[tag "paranoia-level/1"]
|
||||
[tag "OWASP_CRS"]
|
||||
[tag "capec/1000/255/153/126"]
|
||||
[tag "PCI/6.5.4"]
|
||||
[hostname "172.17.0.2"]
|
||||
[uri "/"]
|
||||
[unique_id "165097447014.179282"]
|
||||
[ref "o1,10v9,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
|
||||
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
|
||||
2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:id' (Value: `/etc/passwd' )
|
||||
[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]
|
||||
[line "480"]
|
||||
[id "932160"]
|
||||
[rev ""]
|
||||
[msg "Remote Command Execution: Unix Shell Code Found"]
|
||||
[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
|
||||
[severity "2"]
|
||||
[ver "OWASP_CRS/3.3.2"]
|
||||
[maturity "0"]
|
||||
[accuracy "0"]
|
||||
[tag "application-multi"]
|
||||
[tag "language-shell"]
|
||||
[tag "platform-unix"]
|
||||
[tag "attack-rce"]
|
||||
[tag "paranoia-level/1"]
|
||||
[tag "OWASP_CRS"]
|
||||
[tag "capec/1000/152/248/88"]
|
||||
[tag "PCI/6.5.2"]
|
||||
[hostname "172.17.0.2"]
|
||||
[uri "/"]
|
||||
[unique_id "165097447014.179282"]
|
||||
[ref "o1,10v9,11t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"],
|
||||
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
|
||||
2022/04/26 12:01:10 [error] 85#85: *11 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' )
|
||||
[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
|
||||
[line "80"]
|
||||
[id "949110"]
|
||||
[rev ""]
|
||||
[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]
|
||||
[data ""]
|
||||
[severity "2"]
|
||||
[ver "OWASP_CRS/3.3.2"]
|
||||
[maturity "0"]
|
||||
[accuracy "0"]
|
||||
[tag "application-multi"]
|
||||
[tag "language-multi"]
|
||||
[tag "platform-multi"]
|
||||
[tag "attack-generic"]
|
||||
[hostname "172.17.0.2"]
|
||||
[uri "/"]
|
||||
[unique_id "165097447014.179282"]
|
||||
[ref ""],
|
||||
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
|
||||
```
|
||||
|
||||
As we can see, there are 3 different logs :
|
||||
|
||||
1. Rule **930120** matched
|
||||
2. Rule **932160** matched
|
||||
3. Access denied (rule **949110**)
|
||||
|
||||
One important thing to understand is that rule **949110** is not a "real" one : it's the one that will deny the request because the anomaly threshold is reached (which is **10** in this example). You should never remove the **949110** rule !
|
||||
|
||||
If it's a false-positive, you should then focus on both **930120** and **932160** rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info [here](quickstart-guide.md#custom-configurations)).
|
||||
|
||||
## Bad Behavior
|
||||
|
||||
A common false-positive case is when the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info [here](security-tuning.md#bad-behavior)). You should start by reviewing the settings and then edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...
|
||||
|
||||
## IP unban
|
||||
|
||||
You can manually unban an IP which can be useful when doing some tests but it needs the setting `USE_API` set to `yes` (which is not the default) so you can contact the internal API of BunkerWeb (replace `1.2.3.4` with the IP address to unban) :
|
||||
|
||||
=== "Docker"
|
||||
|
||||
You can use the `docker exec` command (replace `mybunker` with the name of your container) :
|
||||
```shell
|
||||
docker exec mybunker bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
Here is the docker-compose equivalent (replace `mybunker` with the name of the services declared in the docker-compose.yml file) :
|
||||
```shell
|
||||
docker-compose exec mybunker bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
=== "Docker autoconf"
|
||||
|
||||
You can use the `docker exec` command (replace `myautoconf` with the name of your container) :
|
||||
```shell
|
||||
docker exec myautoconf bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
Here is the docker-compose equivalent (replace `myautoconf` with the name of the services declared in the docker-compose.yml file) :
|
||||
```shell
|
||||
docker-compose exec myautoconf bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
=== "Swarm"
|
||||
|
||||
You can use the `docker exec` command (replace `myautoconf` with the name of your service) :
|
||||
```shell
|
||||
docker exec $(docker ps -q -f name=myautoconf) bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
=== "Kubernetes"
|
||||
|
||||
You can use the `kubectl exec` command (replace `myautoconf` with the name of your pod) :
|
||||
```shell
|
||||
kubectl exec myautoconf bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
=== "Linux"
|
||||
|
||||
You can use the `bwcli` command (as root) :
|
||||
```shell
|
||||
sudo bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
=== "Ansible"
|
||||
|
||||
You can use the `bwcli` command :
|
||||
```shell
|
||||
ansible -i inventory.yml all -a "bwcli unban 1.2.3.4" --become
|
||||
```
|
||||
|
||||
=== "Vagrant"
|
||||
|
||||
You can use the `bwcli` command (as root) :
|
||||
```shell
|
||||
sudo bwcli unban 1.2.3.4
|
||||
```
|
||||
|
||||
## Whitelisting
|
||||
|
||||
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
|
||||
|
||||
- Healthcheck / status bot
|
||||
- Callback like IPN or webhook
|
||||
- Social media crawler
|
||||
|
||||
## Timezone
|
||||
|
||||
When using container-based integrations, the timezone of the container may not match the one of the host machine. To resolve that, you can set the `TZ` environment variable to the timezone of your choice on your containers (e.g. `TZ=Europe/Paris`). You will find the list of timezone identifiers [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).
|
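Review bot: the header `@ -1,287 +0,0 @@` leaves nothing in place of the Troubleshooting page, so the guidance it carries goes with it, including "You should never remove the **949110** rule" and the advice against `WHITELIST_URI*` / `WHITELIST_USER_AGENT*` unless the values are secret and unpredictable; confirm this content lives somewhere else before the removal lands. If the page is kept or moved, the ModSecurity paragraph should also be reworded: it calls 10 the anomaly threshold, but the 949110 log line shows `Ge` with parameter `5` against `TX:ANOMALY_SCORE` with value `10`, so 5 is the threshold and 10 is the score.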
950
docs/web-ui.md
|
@ -1,950 +0,0 @@
|
|||
# Web UI
|
||||
|
||||
## Overview
|
||||
|
||||
<p align="center">
|
||||
<iframe style="display: block;" width="560" height="315" src="https://www.youtube-nocookie.com/embed/Ao20SfvQyr4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
|
||||
</p>
|
||||
|
||||
The "Web UI" is a web application that helps you manage your BunkerWeb instance using a user-friendly interface instead of the command-line one.
|
||||
|
||||
## Features
|
||||
|
||||
- Start, stop, restart and reload your BunkerWeb instance
|
||||
- Add, edit and delete settings for your web applications
|
||||
- Add, edit and delete custom configurations for NGINX and ModSecurity
|
||||
- Install and uninstall external plugins
|
||||
- Explore the cached files
|
||||
- Monitor jobs execution
|
||||
- View the logs and search pattern
|
||||
|
||||
## Installation
|
||||
|
||||
Because the web UI is a web application, the recommended installation procedure is to use BunkerWeb in front of it as a reverse proxy.
|
||||
|
||||
!!! warning "Security considerations"
|
||||
|
||||
The security of the web UI is really important. If someone manages to gain access to the application, not only he will be able to edit your configurations but he could execute some code in the context of BunkerWeb (with a custom configuration containing LUA code for example). We highly recommend you to follow minimal security best practices like :
|
||||
|
||||
* Choose a strong password for the login (**at least 8 chars with 1 lower case letter, 1 upper case letter, 1 digit and 1 special char is required**)
|
||||
* Put the web UI under a "hard to guess" URI
|
||||
* Do not open the web UI on the Internet without any further restrictions
|
||||
* Apply settings listed in the [security tuning section](security-tuning.md) of the documentation
|
||||
|
||||
!!! info "Multisite mode"
|
||||
|
||||
The usage of the web UI implies enabling the [multisite mode](concepts.md#multisite-mode).
|
||||
|
||||
=== "Docker"
|
||||
|
||||
The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
|
||||
|
||||
```shell
|
||||
docker pull bunkerity/bunkerweb-ui
|
||||
```
|
||||
|
||||
Alternatively, you can also build it yourself :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb.git && \
|
||||
cd bunkerweb && \
|
||||
docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
|
||||
```
|
||||
|
||||
The following environment variables are used to configure the web UI container :
|
||||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
|
||||
|
||||
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
```yaml
|
||||
version: "3.5"
|
||||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.3
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE=yes"
|
||||
environment:
|
||||
- SERVER_NAME=www.example.com
|
||||
- MULTISITE=yes
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- www.example.com_USE_UI=yes
|
||||
- www.example.com_USE_REVERSE_PROXY=yes
|
||||
- www.example.com_REVERSE_PROXY_URL=/changeme
|
||||
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
|
||||
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-docker:
|
||||
image: tecnativa/docker-socket-proxy:nightly
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.3
|
||||
depends_on:
|
||||
- bw-docker
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-db:
|
||||
image: mariadb:10.10
|
||||
environment:
|
||||
- MYSQL_RANDOM_ROOT_PASSWORD=yes
|
||||
- MYSQL_DATABASE=db
|
||||
- MYSQL_USER=bunkerweb
|
||||
- MYSQL_PASSWORD=changeme # Remember to set a stronger password for the database
|
||||
volumes:
|
||||
- bw-data:/var/lib/mysql
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
||||
networks:
|
||||
bw-universe:
|
||||
name: bw-universe
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
name: bw-services
|
||||
bw-docker:
|
||||
name: bw-docker
|
||||
```
|
||||
|
||||
=== "Docker autoconf"
|
||||
|
||||
The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
|
||||
|
||||
```shell
|
||||
docker pull bunkerity/bunkerweb-ui
|
||||
```
|
||||
|
||||
Alternatively, you can also build it yourself :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb.git && \
|
||||
cd bunkerweb && \
|
||||
docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
|
||||
```
|
||||
|
||||
The following environment variables are used to configure the web UI container :
|
||||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
|
||||
|
||||
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
```yaml
|
||||
version: "3.5"
|
||||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.3
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE=yes"
|
||||
environment:
|
||||
- SERVER_NAME=
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- AUTOCONF_MODE=yes
|
||||
- MULTISITE=yes
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.3
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- AUTOCONF_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
depends_on:
|
||||
- bunkerweb
|
||||
- bw-docker
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- AUTOCONF_MODE=yes
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-docker:
|
||||
image: tecnativa/docker-socket-proxy:nightly
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-db:
|
||||
image: mariadb:10.10
|
||||
environment:
|
||||
- MYSQL_RANDOM_ROOT_PASSWORD=yes
|
||||
- MYSQL_DATABASE=db
|
||||
- MYSQL_USER=bunkerweb
|
||||
- MYSQL_PASSWORD=changeme
|
||||
volumes:
|
||||
- bw-data:/var/lib/mysql
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.3
|
||||
networks:
|
||||
bw-docker:
|
||||
bw-universe:
|
||||
aliases:
|
||||
- bw-ui
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- AUTOCONF_MODE=yes
|
||||
- ADMIN_USERNAME=admin
|
||||
- ADMIN_PASSWORD=changeme
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
||||
networks:
|
||||
bw-universe:
|
||||
name: bw-universe
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
name: bw-services
|
||||
bw-docker:
|
||||
name: bw-docker
|
||||
```
|
||||
|
||||
=== "Swarm"
|
||||
|
||||
The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
|
||||
|
||||
```shell
|
||||
docker pull bunkerity/bunkerweb-ui
|
||||
```
|
||||
|
||||
Alternatively, you can also build it yourself :
|
||||
|
||||
```shell
|
||||
git clone https://github.com/bunkerity/bunkerweb.git && \
|
||||
cd bunkerweb && \
|
||||
docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
|
||||
```
|
||||
|
||||
The following environment variables are used to configure the web UI container :
|
||||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
|
||||
|
||||
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
```yaml
|
||||
version: "3.5"
|
||||
|
||||
services:
|
||||
bunkerweb:
|
||||
image: bunkerity/bunkerweb:1.5.3
|
||||
ports:
|
||||
- published: 80
|
||||
target: 8080
|
||||
mode: host
|
||||
protocol: tcp
|
||||
- published: 443
|
||||
target: 8443
|
||||
mode: host
|
||||
protocol: tcp
|
||||
environment:
|
||||
- SERVER_NAME=
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
- SWARM_MODE=yes
|
||||
- MULTISITE=yes
|
||||
- USE_REDIS=yes
|
||||
- REDIS_HOST=bw-redis
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
deploy:
|
||||
mode: global
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role == worker"
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE=yes"
|
||||
|
||||
bw-autoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.3
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-docker:
|
||||
image: tecnativa/docker-socket-proxy:nightly
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONFIGS=1
|
||||
- CONTAINERS=1
|
||||
- SERVICES=1
|
||||
- SWARM=1
|
||||
- TASKS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role == manager"
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
environment:
|
||||
- SWARM_MODE=yes
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
|
||||
bw-db:
|
||||
image: mariadb:10.10
|
||||
environment:
|
||||
- MYSQL_RANDOM_ROOT_PASSWORD=yes
|
||||
- MYSQL_DATABASE=db
|
||||
- MYSQL_USER=bunkerweb
|
||||
- MYSQL_PASSWORD=changeme
|
||||
volumes:
|
||||
- bw-data:/var/lib/mysql
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
bw-redis:
|
||||
image: redis:7-alpine
|
||||
networks:
|
||||
- bw-universe
|
||||
|
||||
bw-ui:
|
||||
image: bunkerity/bunkerweb-ui:1.5.3
|
||||
environment:
|
||||
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
|
||||
- DOCKER_HOST=tcp://bw-docker:2375
|
||||
- ADMIN_USERNAME=changeme
|
||||
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
deploy:
|
||||
labels:
|
||||
- "bunkerweb.SERVER_NAME=www.example.com"
|
||||
- "bunkerweb.USE_UI=yes"
|
||||
- "bunkerweb.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
|
||||
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
|
||||
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
|
||||
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
||||
networks:
|
||||
bw-universe:
|
||||
name: bw-universe
|
||||
driver: overlay
|
||||
attachable: true
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
name: bw-services
|
||||
driver: overlay
|
||||
attachable: true
|
||||
bw-docker:
|
||||
name: bw-docker
|
||||
driver: overlay
|
||||
attachable: true
|
||||
```
|
||||
|
||||
=== "Kubernetes"
|
||||
|
||||
The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) as a standard [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/).
|
||||
|
||||
The following environment variables are used to configure the web UI container :
|
||||
|
||||
- `ADMIN_USERNAME` : username to access the web UI
|
||||
- `ADMIN_PASSWORD` : password to access the web UI
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
|
||||
|
||||
!!! info "Database backend"
|
||||
|
||||
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
|
||||
|
||||
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
|
||||
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: sa-bunkerweb
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: crb-bunkerweb
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: sa-bunkerweb
|
||||
namespace: default
|
||||
apiGroup: ""
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cr-bunkerweb
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: bunkerweb
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb
|
||||
# mandatory annotation
|
||||
annotations:
|
||||
bunkerweb.io/INSTANCE: "yes"
|
||||
spec:
|
||||
containers:
|
||||
# using bunkerweb as name is mandatory
|
||||
- name: bunkerweb
|
||||
image: bunkerity/bunkerweb:1.5.3
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
runAsGroup: 101
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
hostPort: 80
|
||||
- containerPort: 8443
|
||||
hostPort: 443
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
value: "yes"
|
||||
# replace with your DNS resolvers
|
||||
# e.g. : kube-dns.kube-system.svc.cluster.local
|
||||
- name: DNS_RESOLVERS
|
||||
value: "coredns.kube-system.svc.cluster.local"
|
||||
- name: USE_API
|
||||
value: "yes"
|
||||
# 10.0.0.0/8 is the cluster internal subnet
|
||||
- name: API_WHITELIST_IP
|
||||
value: "127.0.0.0/8 10.0.0.0/8"
|
||||
- name: SERVER_NAME
|
||||
value: ""
|
||||
- name: MULTISITE
|
||||
value: "yes"
|
||||
- name: USE_REDIS
|
||||
value: "yes"
|
||||
- name: REDIS_HOST
|
||||
value: "svc-bunkerweb-redis.default.svc.cluster.local"
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/share/bunkerweb/helpers/healthcheck.sh
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 1
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/share/bunkerweb/helpers/healthcheck.sh
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 1
|
||||
timeoutSeconds: 1
|
||||
failureThreshold: 3
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-controller
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-controller
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-controller
|
||||
spec:
|
||||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-controller
|
||||
image: bunkerity/bunkerweb-autoconf:1.5.3
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
value: "yes"
|
||||
- name: "DATABASE_URI"
|
||||
value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-scheduler
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-scheduler
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-scheduler
|
||||
spec:
|
||||
serviceAccountName: sa-bunkerweb
|
||||
containers:
|
||||
- name: bunkerweb-scheduler
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: KUBERNETES_MODE
|
||||
value: "yes"
|
||||
- name: "DATABASE_URI"
|
||||
value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-redis
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-redis
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-redis
|
||||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-redis
|
||||
image: redis:7-alpine
|
||||
imagePullPolicy: Always
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-db
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-db
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-db
|
||||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-db
|
||||
image: mariadb:10.10
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: MYSQL_RANDOM_ROOT_PASSWORD
|
||||
value: "yes"
|
||||
- name: "MYSQL_DATABASE"
|
||||
value: "db"
|
||||
- name: "MYSQL_USER"
|
||||
value: "bunkerweb"
|
||||
- name: "MYSQL_PASSWORD"
|
||||
value: "changeme"
|
||||
volumeMounts:
|
||||
- mountPath: "/var/lib/mysql"
|
||||
name: vol-db
|
||||
volumes:
|
||||
- name: vol-db
|
||||
persistentVolumeClaim:
|
||||
claimName: pvc-bunkerweb
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bunkerweb-ui
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bunkerweb-ui
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bunkerweb-ui
|
||||
spec:
|
||||
containers:
|
||||
- name: bunkerweb-ui
|
||||
image: bunkerity/bunkerweb-ui:1.5.3
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: ADMIN_USERNAME
|
||||
value: "changeme"
|
||||
- name: "ADMIN_PASSWORD"
|
||||
value: "changeme"
|
||||
- name: KUBERNETES_MODE
|
||||
value: "YES"
|
||||
- name: "DATABASE_URI"
|
||||
value: "mariadb+pymysql://bunkerweb:testor@svc-bunkerweb-db:3306/db"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-bunkerweb
|
||||
spec:
|
||||
clusterIP: None
|
||||
selector:
|
||||
app: bunkerweb
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-bunkerweb-db
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: bunkerweb-db
|
||||
ports:
|
||||
- name: sql
|
||||
protocol: TCP
|
||||
port: 3306
|
||||
targetPort: 3306
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-bunkerweb-redis
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: bunkerweb-redis
|
||||
ports:
|
||||
- name: redis
|
||||
protocol: TCP
|
||||
port: 6379
|
||||
targetPort: 6379
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-bunkerweb-ui
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: bunkerweb-ui
|
||||
ports:
|
||||
- name: http
|
||||
protocol: TCP
|
||||
port: 7000
|
||||
targetPort: 7000
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: pvc-bunkerweb
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
volumeName: pv-bunkerweb
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/www.example.com_USE_UI: "yes"
|
||||
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
|
||||
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
|
||||
spec:
|
||||
rules:
|
||||
- host: www.example.com
|
||||
http:
|
||||
paths:
|
||||
- path: /changeme
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: svc-bunkerweb-ui
|
||||
port:
|
||||
number: 7000
|
||||
```
|
||||
|
||||
=== "Linux"
|
||||
|
||||
The installation of the web UI using the [Linux integration](integrations.md#linux) is pretty straightforward because it is installed with BunkerWeb.
|
||||
|
||||
The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
|
||||
|
||||
```shell
|
||||
systemctl enable bunkerweb
|
||||
```
|
||||
|
||||
A dedicated environment file located at `/etc/bunkerweb/ui.env` is used to configure the web UI :
|
||||
|
||||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
```
|
||||
|
||||
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
|
||||
|
||||
```shell
|
||||
systemctl restart bunkerweb-ui
|
||||
```
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Please note that the web UI is listening on the `7000` port and only on the loopback interface.
|
||||
|
||||
Here is the `/etc/bunkerweb/variables.env` boilerplate you can use :
|
||||
|
||||
```conf
|
||||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
||||
DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
||||
API_LISTEN_IP=127.0.0.1
|
||||
SERVER_NAME=www.example.com
|
||||
MULTISITE=yes
|
||||
www.example.com_USE_UI=yes
|
||||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
Don't forget to restart the `bunkerweb` service :
|
||||
|
||||
```shell
|
||||
systemctl restart bunkerweb
|
||||
```
|
||||
|
||||
=== "Ansible"
|
||||
|
||||
The installation of the web UI using the [Vagrant integration](integrations.md#linux) is pretty straightforward because it is installed with BunkerWeb.
|
||||
|
||||
Create a `my_ui.env` filed used to configure the web UI :
|
||||
|
||||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
```
|
||||
|
||||
Here is the `my_variables.env` boilerplate you can use :
|
||||
|
||||
```conf
|
||||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
||||
DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
||||
API_LISTEN_IP=127.0.0.1
|
||||
SERVER_NAME=www.example.com
|
||||
MULTISITE=yes
|
||||
www.example.com_USE_UI=yes
|
||||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
The variable `enable_ui` can be set to `true` in order to activate the web UI service and the variable `custom_ui` can be used to specify the configuration file for the web UI :
|
||||
|
||||
```ini
|
||||
[mybunkers]
|
||||
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env" enable_ui=true custom_ui="{{ playbook_dir }}/my_ui.env"
|
||||
```
|
||||
|
||||
Or alternatively, in your playbook file :
|
||||
|
||||
```yaml
|
||||
- hosts: all
|
||||
become: true
|
||||
vars:
|
||||
- variables_env: "{{ playbook_dir }}/my_variables.env"
|
||||
- enable_ui: true
|
||||
- custom_ui: "{{ playbook_dir }}/my_ui.env"
|
||||
roles:
|
||||
- bunkerity.bunkerweb
|
||||
```
|
||||
|
||||
|
||||
You can now run the playbook and be able to access the web UI :
|
||||
|
||||
```shell
|
||||
ansible-playbook -i inventory.yml playbook.yml
|
||||
```
|
||||
|
||||
=== "Vagrant"
|
||||
|
||||
The installation of the web UI using the [Vagrant integration](integrations.md#vagrant) is pretty straightforward because it is installed with BunkerWeb.
|
||||
|
||||
First of all, you will need to get a shell on your Vagrant box :
|
||||
|
||||
```shell
|
||||
vagrant ssh
|
||||
```
|
||||
|
||||
The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
|
||||
|
||||
```shell
|
||||
systemctl enable bunkerweb
|
||||
```
|
||||
|
||||
A dedicated environment file located at `/etc/bunkerweb/ui.env` is used to configure the web UI :
|
||||
|
||||
```conf
|
||||
ADMIN_USERNAME=changeme
|
||||
ADMIN_PASSWORD=changeme
|
||||
```
|
||||
|
||||
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
|
||||
|
||||
```shell
|
||||
systemctl restart bunkerweb-ui
|
||||
```
|
||||
|
||||
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Please note that the web UI is listening on the `7000` port and only on the loopback interface.
|
||||
|
||||
Here is the `/etc/bunkerweb/variables.env` boilerplate you can use :
|
||||
|
||||
```conf
|
||||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
||||
DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
||||
API_LISTEN_IP=127.0.0.1
|
||||
SERVER_NAME=www.example.com
|
||||
MULTISITE=yes
|
||||
www.example.com_USE_UI=yes
|
||||
www.example.com_USE_REVERSE_PROXY=yes
|
||||
www.example.com_REVERSE_PROXY_URL=/changeme
|
||||
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
|
||||
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
|
||||
```
|
||||
|
||||
Don't forget to restart the `bunkerweb` service :
|
||||
|
||||
```shell
|
||||
systemctl restart bunkerweb
|
||||
```
|
|
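Review bot: the commit message lists only headers-more-nginx-module changes, so the full removal of docs/web-ui.md (`-1,950 +0,0`) needs a stated reason or a pointer to where the page now lives. The "Security considerations" warning at the top of the Installation section is the part readers should not lose. If the content is being moved rather than dropped, three defects in the removed text should be fixed on the way. The Linux and Vagrant tabs name the service `bunkerweb-ui` but the command shown is `systemctl enable bunkerweb`. The Ansible tab says "Vagrant integration" and links to `integrations.md#linux`. In the Kubernetes manifest the `bunkerweb-ui` Deployment uses `bunkerweb:testor@svc-bunkerweb-db` in `DATABASE_URI`, while `MYSQL_PASSWORD` and every other `DATABASE_URI` use `changeme`.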
@ -1,78 +0,0 @@
|
|||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: a_very_important_secret
|
||||
default_redirection_url: https://auth.example.com
|
||||
|
||||
ntp:
|
||||
disable_failure: true
|
||||
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: 9091
|
||||
|
||||
log:
|
||||
level: debug
|
||||
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
|
||||
# duo_api:
|
||||
# hostname: api-123456789.example.com
|
||||
# integration_key: ABCDEF
|
||||
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||
# secret_key: 1234567890abcdefghifjkl
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: auth.example.com
|
||||
policy: bypass
|
||||
- domain: app1.example.com
|
||||
policy: one_factor
|
||||
- domain: app2.example.com
|
||||
policy: two_factor
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
domain: example.com # Should match whatever your root protected domain is
|
||||
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
||||
# password: authelia
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
|
||||
storage:
|
||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
#notifier:
|
||||
# smtp:
|
||||
# username: test
|
||||
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||
# password: password
|
||||
# host: mail.example.com
|
||||
# port: 25
|
||||
# sender: admin@example.com
|
|
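Review bot: the commit message does not account for deleting this 78-line Authelia configuration example, so please say whether it is dropped or relocated. If it is relocated, the comment "This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE" sits under `log:` instead of beside `jwt_secret`, and the sample ships `level: debug` together with literal placeholder secrets (`jwt_secret: a_very_important_secret`, `secret: unsecure_session_secret`). Move the comment next to the key it describes and mark the placeholder values as must-change wherever the example ends up.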
@ -1,17 +0,0 @@
|
|||
---
|
||||
###############################################################
|
||||
# Users Database #
|
||||
###############################################################
|
||||
|
||||
# This file can be used if you do not have an LDAP set up.
|
||||
|
||||
# List of users
|
||||
users:
|
||||
authelia:
|
||||
displayname: "Authelia User"
|
||||
# Password is authelia
|
||||
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
|
||||
email: authelia@authelia.com
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
|
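Review bot: the `password:` line in this removed users file is a SHA-512 crypt hash whose plaintext is given in the comment directly above it (`# Password is authelia`), for an account placed in the `admins` group. Deleting the file does not retire that credential for deployments that were started from the example, so the change description should tell users to replace the account, and any successor example should ship without a usable default login.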
@ -1,81 +0,0 @@
|
|||
version: "3"
|
||||
|
||||
services:
|
||||
# APPLICATIONS
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- app1
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=app1.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://app1
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
- bunkerweb.REVERSE_PROXY_URL_999=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- app2
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=app2.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://app2
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
- bunkerweb.REVERSE_PROXY_URL_999=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
|
||||
|
||||
# AUTHELIA
|
||||
authelia:
|
||||
image: authelia/authelia:4
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- authelia
|
||||
volumes:
|
||||
- ./authelia:/config
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
disable: true
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=auth.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
|
||||
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
|
||||
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
networks:
|
||||
bw-services:
|
||||
aliases:
|
||||
- redis
|
||||
volumes:
|
||||
- ./redis:/data
|
||||
expose:
|
||||
- 6379
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
external: true
|
||||
name: bw-services
|
|
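Review bot: in the `app1` and `app2` labels the URL handed to Authelia is built from `$$http_host` (`REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri`) while the sign-in redirect is built from `$$host` (`...?rd=$$scheme%3A%2F%2F$$host$$request_uri`). The access-control decision and the post-login redirect are therefore derived from two different renderings of the host, one of which is the raw client header. Any example that replaces this file should use a single variable for both and say which one the `domain:` rules are matched against.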
@ -1,116 +0,0 @@
|
|||
version: "3.4"
|
||||
|
||||
services:
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.5.3
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
labels:
|
||||
- "bunkerweb.INSTANCE=yes"
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-services
|
||||
environment:
|
||||
- MULTISITE=yes
|
||||
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
|
||||
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
# Proxy to auth_request URI
|
||||
- REVERSE_PROXY_URL_999=/authelia
|
||||
- REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
|
||||
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
|
||||
# Authelia
|
||||
- auth.example.com_REVERSE_PROXY_URL=/
|
||||
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
|
||||
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
|
||||
# Applications
|
||||
- app1.example.com_REVERSE_PROXY_URL=/
|
||||
- app1.example.com_REVERSE_PROXY_HOST=http://app1
|
||||
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
- app2.example.com_REVERSE_PROXY_URL=/
|
||||
- app2.example.com_REVERSE_PROXY_HOST=http://app2
|
||||
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
|
||||
bw-scheduler:
|
||||
image: bunkerity/bunkerweb-scheduler:1.5.3
|
||||
depends_on:
|
||||
- mybunker
|
||||
environment:
|
||||
- DOCKER_HOST=tcp://bw-docker-proxy:2375
|
||||
networks:
|
||||
- bw-universe
|
||||
- bw-docker
|
||||
volumes:
|
||||
- bw-data:/data
|
||||
|
||||
bw-docker-proxy:
|
||||
image: tecnativa/docker-socket-proxy:nightly
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- CONTAINERS=1
|
||||
- LOG_LEVEL=warning
|
||||
networks:
|
||||
- bw-docker
|
||||
|
||||
# APPLICATIONS
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- bw-services
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- bw-services
|
||||
|
||||
# AUTHELIA
|
||||
authelia:
|
||||
image: authelia/authelia:4
|
||||
container_name: authelia
|
||||
networks:
|
||||
- bw-services
|
||||
volumes:
|
||||
- ./authelia:/config
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
disable: true
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
container_name: redis
|
||||
networks:
|
||||
- bw-services
|
||||
volumes:
|
||||
- ./redis:/data
|
||||
expose:
|
||||
- 6379
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
|
||||
volumes:
|
||||
bw-data:
|
||||
|
||||
networks:
|
||||
bw-universe:
|
||||
name: bw-universe
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 10.20.30.0/24
|
||||
bw-services:
|
||||
bw-docker:
|
|
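Review bot: `bw-docker-proxy` runs `tecnativa/docker-socket-proxy:nightly` with `/var/run/docker.sock` mounted, so the one container that fronts the Docker API tracks a floating tag while the BunkerWeb images next to it are pinned to `1.5.3`. If this compose file is moved rather than removed, pin the proxy to a fixed release (or a digest), and do the same for `tutum/hello-world`, which carries no tag at all.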
@ -1,303 +0,0 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ingress
|
||||
annotations:
|
||||
bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_URL_999: "/authelia"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
|
||||
bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_URL_999: "/authelia"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
|
||||
bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
|
||||
bunkerweb.io/auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
|
||||
spec:
|
||||
rules:
|
||||
- host: app1.example.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: svc-app1
|
||||
port:
|
||||
number: 80
|
||||
- host: app2.example.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: svc-app2
|
||||
port:
|
||||
number: 80
|
||||
- host: auth.example.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: svc-authelia
|
||||
port:
|
||||
number: 9091
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: app1
|
||||
labels:
|
||||
app: app1
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app1
|
||||
spec:
|
||||
containers:
|
||||
- name: app1
|
||||
image: tutum/hello-world
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-app1
|
||||
spec:
|
||||
selector:
|
||||
app: app1
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
targetPort: 80
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: app2
|
||||
labels:
|
||||
app: app2
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app2
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app2
|
||||
spec:
|
||||
containers:
|
||||
- name: app2
|
||||
image: tutum/hello-world
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-app2
|
||||
spec:
|
||||
selector:
|
||||
app: app2
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
targetPort: 80
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: cfg-authelia
|
||||
data:
|
||||
configuration.yml: |
|
||||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: a_very_important_secret
|
||||
default_redirection_url: https://auth.example.com
|
||||
|
||||
ntp:
|
||||
disable_failure: true
|
||||
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: 9091
|
||||
|
||||
log:
|
||||
level: debug
|
||||
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
|
||||
# duo_api:
|
||||
# hostname: api-123456789.example.com
|
||||
# integration_key: ABCDEF
|
||||
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||
# secret_key: 1234567890abcdefghifjkl
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: auth.example.com
|
||||
policy: bypass
|
||||
- domain: app1.example.com
|
||||
policy: one_factor
|
||||
- domain: app2.example.com
|
||||
policy: two_factor
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
domain: example.com # Should match whatever your root protected domain is
|
||||
|
||||
redis:
|
||||
host: svc-redis
|
||||
port: 6379
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
||||
# password: authelia
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
|
||||
storage:
|
||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
#notifier:
|
||||
# smtp:
|
||||
# username: test
|
||||
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||
# password: password
|
||||
# host: mail.example.com
|
||||
# port: 25
|
||||
# sender: admin@example.com
|
||||
...
|
||||
users_database.yml: |
|
||||
---
|
||||
###############################################################
|
||||
# Users Database #
|
||||
###############################################################
|
||||
|
||||
# This file can be used if you do not have an LDAP set up.
|
||||
|
||||
# List of users
|
||||
users:
|
||||
authelia:
|
||||
displayname: "Authelia User"
|
||||
# Password is authelia
|
||||
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
|
||||
email: authelia@authelia.com
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
...
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: authelia
|
||||
labels:
|
||||
app: authelia
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authelia
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authelia
|
||||
spec:
|
||||
containers:
|
||||
- name: authelia
|
||||
image: authelia/authelia
|
||||
env:
|
||||
- name: TZ
|
||||
value: "Europe/Paris"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config/configuration.yml
|
||||
subPath: configuration.yml
|
||||
- name: config
|
||||
mountPath: /config/users_database.yml
|
||||
subPath: users_database.yml
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: cfg-authelia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-authelia
|
||||
spec:
|
||||
selector:
|
||||
app: authelia
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9091
|
||||
targetPort: 9091
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: redis
|
||||
labels:
|
||||
app: redis
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: redis
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: redis
|
||||
spec:
|
||||
containers:
|
||||
- name: redis
|
||||
image: redis:alpine
|
||||
env:
|
||||
- name: TZ
|
||||
value: "Europe/Paris"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc-redis
|
||||
spec:
|
||||
selector:
|
||||
app: redis
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 6379
|
||||
targetPort: 6379
|
|
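Review bot: the `cfg-authelia` ConfigMap carries `jwt_secret: a_very_important_secret`, the session `secret`, the storage `encryption_key` and the whole `users_database.yml` including its password hash, all as plain ConfigMap data mounted through `subPath`. These belong in a `Secret` (or the `_FILE` variables the comments already mention), since ConfigMaps are readable by anything allowed to get ConfigMaps in the namespace. The manifest also uses `image: authelia/authelia` and `image: redis:alpine` without version tags, and leaves `log: level: debug` on; a replacement should pin both images and lower the log level.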
@ -1,19 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$(id -u)" -ne 0 ] ; then
|
||||
echo "❌ Run me as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
curl https://github.com/authelia/authelia/releases/download/v4.36.2/authelia-v4.36.2-linux-amd64.tar.gz -Lo /tmp/authelia.tar.gz
|
||||
tar -xzf /tmp/authelia.tar.gz -C /tmp
|
||||
mv /tmp/authelia-linux-amd64 /usr/bin/authelia
|
||||
mv /tmp/authelia.service /etc/systemd/system
|
||||
mkdir /etc/authelia
|
||||
cp ./authelia/* /etc/authelia
|
||||
sed -i "s@/config/@/etc/authelia/@g" /etc/authelia/configuration.yml
|
||||
sed -i "s@redis:@@g" /etc/authelia/configuration.yml
|
||||
sed -i "s@host: redis@@g" /etc/authelia/configuration.yml
|
||||
sed -i "s@port: 6379@@g" /etc/authelia/configuration.yml
|
||||
systemctl daemon-reload
|
||||
systemctl start authelia
|
|
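Review bot: the script requires root, then fetches the release with `curl ... -Lo /tmp/authelia.tar.gz` and moves the extracted binary to `/usr/bin/authelia` and the unit file to `/etc/systemd/system` without checking a checksum or signature. It also works through fixed names in the shared `/tmp` directory and has no `set -e`, so a failed download or a pre-existing `/etc/authelia` does not stop the later `mv`, `sed` and `systemctl start` steps. If a Linux setup path is kept anywhere, verify the archive against a pinned digest for v4.36.2 before `tar`, extract into a `mktemp -d` directory, and abort on the first error.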
@ -1,103 +0,0 @@
|
|||
version: "3"
|
||||
|
||||
services:
|
||||
# APPLICATIONS
|
||||
app1:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- bw-services
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=app1.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://app1
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
- bunkerweb.REVERSE_PROXY_URL_999=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
|
||||
|
||||
app2:
|
||||
image: tutum/hello-world
|
||||
networks:
|
||||
- bw-services
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=app2.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://app2
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
|
||||
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
|
||||
- bunkerweb.REVERSE_PROXY_URL_999=/authelia
|
||||
- bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
|
||||
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
|
||||
|
||||
# AUTHELIA
|
||||
authelia:
|
||||
image: authelia/authelia:4
|
||||
networks:
|
||||
- bw-services
|
||||
configs:
|
||||
- source: config_authelia_configuration
|
||||
target: /config/configuration.yml
|
||||
uid: "0"
|
||||
gid: "0"
|
||||
mode: 0444
|
||||
- source: config_authelia_users_database
|
||||
target: /config/users_database.yml
|
||||
uid: "0"
|
||||
gid: "0"
|
||||
mode: 0444
|
||||
healthcheck:
|
||||
disable: true
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
labels:
|
||||
- bunkerweb.SERVER_NAME=auth.example.com
|
||||
- bunkerweb.USE_REVERSE_PROXY=yes
|
||||
- bunkerweb.REVERSE_PROXY_URL=/
|
||||
- bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
|
||||
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
|
||||
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
networks:
|
||||
- bw-services
|
||||
volumes:
|
||||
- redis:/data
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
deploy:
|
||||
placement:
|
||||
constraints:
|
||||
- "node.role==worker"
|
||||
|
||||
networks:
|
||||
bw-services:
|
||||
external: true
|
||||
name: bw-services
|
||||
|
||||
volumes:
|
||||
redis:
|
||||
|
||||
configs:
|
||||
config_authelia_configuration:
|
||||
file: ./authelia/configuration.yml
|
||||
config_authelia_users_database:
|
||||
file: ./authelia/users_database.yml
|
|
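Review bot: the `authelia` service receives `configuration.yml` and `users_database.yml` as Swarm `configs` with `mode: 0444`, which makes both files world-readable inside the container, and the users database shown elsewhere in this change holds a password hash. Swarm `secrets` with a restrictive mode are the better fit for both. The service also has no volume on `/config`, so the SQLite database and notification file that the configuration places under `/config/` would not survive a task restart; a successor stack file should address both points.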
@ -1,18 +0,0 @@
|
|||
{
|
||||
"name": "authelia",
|
||||
"kinds": ["docker", "autoconf", "swarm", "linux"],
|
||||
"timeout": 120,
|
||||
"delay": 60,
|
||||
"tests": [
|
||||
{
|
||||
"type": "string",
|
||||
"url": "https://app1.example.com",
|
||||
"string": "authelia"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"url": "https://app2.example.com",
|
||||
"string": "authelia"
|
||||
}
|
||||
]
|
||||
}
|
|
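Review bot: both entries in `tests` only assert that the string `authelia` appears at `https://app1.example.com` and `https://app2.example.com`, which passes as soon as the sign-in portal is served and does not distinguish the `one_factor` rule from the `two_factor` rule or cover an authenticated request reaching the application. With this file removed, the `REVERSE_PROXY_AUTH_REQUEST` path loses even that check, so the change description should say what covers it now. Note also that `kinds` lists `docker`, `autoconf`, `swarm` and `linux` but not Kubernetes, although a Kubernetes manifest for the same setup is removed in this change.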
@ -1,34 +0,0 @@
|
|||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
||||
DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
||||
API_LISTEN_IP=127.0.0.1
|
||||
MULTISITE=yes
|
||||
# Replace with your domains
|
||||
SERVER_NAME=auth.example.com app1.example.com app2.example.com
|
||||
SERVE_FILES=no
|
||||
DISABLE_DEFAULT_SERVER=yes
|
||||
AUTO_LETS_ENCRYPT=yes
|
||||
USE_CLIENT_CACHE=yes
|
||||
USE_GZIP=yes
|
||||
USE_REVERSE_PROXY=yes
|
||||
# Proxy to auth_request URI
|
||||
REVERSE_PROXY_URL_999=/authelia
|
||||
REVERSE_PROXY_HOST_999=http://127.0.0.1:9091/api/verify
|
||||
REVERSE_PROXY_HEADERS_999=X-Original-URL $scheme://$http_host$request_uri;Content-Length ""
|
||||
# Authelia
|
||||
auth.example.com_REVERSE_PROXY_URL=/
|
||||
auth.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:9091
|
||||
auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
|
||||
# Applications
|
||||
app1.example.com_REVERSE_PROXY_URL=/
|
||||
app1.example.com_REVERSE_PROXY_HOST=http://app1.example.com
|
||||
app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri
|
||||
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email
|
||||
app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email
|
||||
app2.example.com_REVERSE_PROXY_URL=/
|
||||
app2.example.com_REVERSE_PROXY_HOST=http://app2.example.com
|
||||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
|
||||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri
|
||||
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email
|
||||
app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email
|
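Review bot: `app1.example.com_REVERSE_PROXY_HOST=http://app1.example.com` and the matching `app2` line point each upstream at the same name as the public `SERVER_NAME`, over plain HTTP, with `DNS_RESOLVERS=8.8.8.8 8.8.4.4` doing the lookup. Depending on what that name resolves to, the request either comes back to the proxy itself or leaves the host unencrypted with the `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` headers attached. A Linux example should use an internal upstream address, as the Authelia entries already do with `http://127.0.0.1:9091`.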