librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

examples refactoring

This commit is contained in:
florian 2023-03-13 09:42:22 +01:00
parent e37e6c3460
commit cfe5c6063a
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
24 changed files with 392 additions and 352 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
examples/load-balancer/bw-data/configs/http/upstream.conf
View File

@ -1,5 +0,0 @@
upstream app {
server app1:80;
server app2:80;
server app3:80;
}

18
examples/load-balancer/docker-compose.yml
View File

@ -6,14 +6,6 @@ services:
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data # contains upstreams definition at http context
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -43,21 +35,21 @@ services:
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://docker-proxy:2375
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
app1:
image: tutum/hello-world
@ -84,4 +76,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

23
examples/magento/autoconf.yml
View File

@ -8,7 +8,7 @@ services:
aliases:
- mymagento
volumes:
- ./magento-data:/bitnami/magento
- magento-data:/bitnami/magento
environment:
- MAGENTO_USERNAME=admin # replace with admin username
- MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@ -41,9 +41,26 @@ services:
# ⚠️ you need to create the directory and fix permissions ⚠️
# see setup-autoconf.sh
volumes:
- ./elasticsearch-data:/bitnami/elasticsearch/data
- elasticsearch-data:/bitnami/elasticsearch/data
# For the database, you can refer to the autoconf integration example including a database
mydb:
image: mariadb:10.2
networks:
bw-services:
aliases:
- mydb
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
volumes:
magento-data:
elasticsearch-data:
db-data:
networks:
bw-services:

72
examples/magento/docker-compose.yml
View File

@ -1,35 +1,27 @@
version: "3"
x-bunkerweb-env: &bunkerweb-env
DATABASE_URI: "mariadb+pymysql://${MAGENTO_USER:-user}:${MAGENTO_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
<<: *bunkerweb-env
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mymagento:8080"
CUSTOM_CONF_SERVER_HTTP_magento: "proxy_busy_buffers_size 512k;proxy_buffers 4 512k;proxy_buffer_size 256k;"
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mymagento:8080
- |
CUSTOM_CONF_SERVER_HTTP_magento=
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
labels:
- "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
networks:
@ -41,27 +33,26 @@ services:
depends_on:
- mybunker
environment:
<<: *bunkerweb-env
DOCKER_HOST: "tcp://docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375"
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
mymagento:
image: bitnami/magento:2
volumes:
- ./magento-data:/bitnami/magento
- magento-data:/bitnami/magento
environment:
- MAGENTO_USERNAME=admin # replace with admin username
- MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@ -70,9 +61,9 @@ services:
- MAGENTO_ENABLE_HTTPS=yes
- MAGENTO_ENABLE_ADMIN_HTTPS=yes
- MAGENTO_DATABASE_HOST=mydb
- MAGENTO_DATABASE_NAME=${MAGENTO_DATABASE:-magentodb}
- MAGENTO_DATABASE_USER=${MAGENTO_USER:-user}
- MAGENTO_DATABASE_PASSWORD=${MAGENTO_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- MAGENTO_DATABASE_NAME=mangentodb
- MAGENTO_DATABASE_USER=user
- MAGENTO_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- ELASTICSEARCH_HOST=myelasticsearch
networks:
- bw-services
@ -82,24 +73,27 @@ services:
# ⚠️ you need to create the directory and fix permissions ⚠️
# see setup-docker.sh
volumes:
- ./elasticsearch-data:/bitnami/elasticsearch/data
- elasticsearch-data:/bitnami/elasticsearch/data
networks:
- bw-services
mydb:
image: mariadb:10.10
image: mariadb:10.2
volumes:
- db-data:/var/lib/mysql
environment:
MARIADB_RANDOM_ROOT_PASSWORD: "yes"
entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MAGENTO_USER:-user}\"; CREATE USER \"${MAGENTO_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MAGENTO_DATABASE:-magentodb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MAGENTO_DATABASE:-magentodb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
networks:
- bw-universe
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
network:
- bw-services
volumes:
bw-data:
db-data:
magento-data:
elasticsearch-data:
networks:
bw-universe:
@ -108,4 +102,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

10
examples/magento/setup-autoconf.sh
View File

@ -1,10 +0,0 @@
#!/bin/bash
if [ $(id -u) -ne 0 ] ; then
echo "❌ Run me as root"
exit 1
fi
mkdir elasticsearch-data
chown 1001:1001 elasticsearch-data
chmod 770 elasticsearch-data

10
examples/magento/setup-docker.sh
View File

@ -1,10 +0,0 @@
#!/bin/bash
if [ $(id -u) -ne 0 ] ; then
echo "❌ Run me as root"
exit 1
fi
mkdir elasticsearch-data
chown 1001:1001 elasticsearch-data
chmod 770 elasticsearch-data

26
examples/magento/swarm.yml
View File

@ -6,7 +6,7 @@ services:
networks:
- bw-services
volumes:
- magento_data:/bitnami/magento
- magento-data:/bitnami/magento
environment:
- MAGENTO_USERNAME=admin # replace with admin username
- MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@ -34,13 +34,27 @@ services:
networks:
- bw-services
volumes:
- elasticsearch_data:/bitnami/elasticsearch/data
- elasticsearch-data:/bitnami/elasticsearch/data
deploy:
placement:
constraints:
- "node.role==worker"
# For the database, you can refer to the swarm integration example including a database
mydb:
image: mariadb:10.2
networks:
- bw-services
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
@ -48,6 +62,6 @@ networks:
name: bw-services
volumes:
db_data:
elasticsearch_data:
magento_data:
db-data:
elasticsearch-data:
magento-data:

24
examples/mattermost/autoconf.yml
View File

@ -63,7 +63,29 @@ services:
- bunkerweb.LIMIT_REQ_URL_3=^/static/
- bunkerweb.LIMIT_REQ_RATE_3=10r/s
# For the postgres database, you can refer to the autoconf integration example including a postgres database
postgres:
image: postgres:${POSTGRES_IMAGE_TAG}
networks:
bw-services:
aliases:
- postgres
restart: ${RESTART_POLICY}
security_opt:
- no-new-privileges:true
pids_limit: 100
read_only: true
tmpfs:
- /tmp
- /var/run/postgresql
volumes:
- ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
environment:
# timezone inside container
- TZ
# necessary Postgres options/variables
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_DB
networks:
bw-services:

70
examples/mattermost/docker-compose.yml
View File

@ -1,54 +1,41 @@
version: "3"
x-bunkerweb-env: &bunkerweb-env
DATABASE_URI: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${BUNKERWEB_DATABASE:-bunkerweb}"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
<<: *bunkerweb-env
SERVER_NAME: "${DOMAIN}" # set your domain name in the .env file, for additional domains, just add them separated by a space
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
SERVE_FILES: "no"
MAX_CLIENT_SIZE: "50m"
USE_GZIP: "yes"
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- MAX_CLIENT_SIZE=50m
- USE_GZIP=yes
# Methods used to query the api
# more info at https://api.mattermost.com/
ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT"
- ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT
# Reverse proxy to Mattermost
# second endpoint needs websocket enabled
# more info at https://docs.mattermost.com/install/config-proxy-nginx.html
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_INTERCEPT_ERRORS: "no"
REVERSE_PROXY_URL_1: "/"
REVERSE_PROXY_HOST_1: "http://mattermost:8065"
REVERSE_PROXY_URL_2: "~ /api/v[0-9]+/(users/)?websocket$$"
REVERSE_PROXY_HOST_2: "http://mattermost:8065"
REVERSE_PROXY_WS_2: "yes"
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_INTERCEPT_ERRORS=no
- REVERSE_PROXY_URL_1=/
- REVERSE_PROXY_HOST_1=http://mattermost:8065
- REVERSE_PROXY_URL_2=~ /api/v[0-9]+/(users/)?websocket$$
- REVERSE_PROXY_HOST_2=http://mattermost:8065
- REVERSE_PROXY_WS_2=yes
# Default limit rate for URLs
LIMIT_REQ_URL_1: "/"
LIMIT_REQ_RATE_1: "3r/s"
- LIMIT_REQ_URL_1=/
- LIMIT_REQ_RATE_1=3r/s
# Limit rate for api endpoints
LIMIT_REQ_URL_2: "^/api/"
LIMIT_REQ_RATE_2: "10r/s"
- LIMIT_REQ_URL_2=^/api/
- LIMIT_REQ_RATE_2=10r/s
# Limit rate for static resources
LIMIT_REQ_URL_3: "^/static/"
LIMIT_REQ_RATE_3: "10r/s"
- LIMIT_REQ_URL_3=^/static/
- LIMIT_REQ_RATE_3=10r/s
labels:
- "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
networks:
@ -60,22 +47,21 @@ services:
depends_on:
- mybunker
environment:
<<: *bunkerweb-env
DOCKER_HOST: "tcp://docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
mattermost:
depends_on:
@ -124,16 +110,14 @@ services:
- /var/run/postgresql
volumes:
- ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
- ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
environment:
# timezone inside container
- TZ
# necessary Postgres options/variables
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_MULTIPLE_DATABASES=${POSTGRES_DB},${BUNKERWEB_DATABASE:-bunkerweb}
- POSTGRES_DB
networks:
- bw-universe
- bw-services
volumes:
@ -146,4 +130,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

22
examples/mattermost/init-db.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash
set -e
set -u
function create_user_and_database() {
local database=$1
echo " Creating user and database '$database'"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER $database;
CREATE DATABASE $database;
GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
EOSQL
}
if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
create_user_and_database $db
done
echo "Multiple databases created"
fi

5
examples/mongo-express/autoconf.yml
View File

@ -8,7 +8,7 @@ services:
aliases:
- mongo
volumes:
- ./db:/data/db
- db-data:/data/db
environment:
- MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
- MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@ -38,6 +38,9 @@ services:
bunkerweb.CUSTOM_CONF_MODSEC_mongo-express=
SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
volumes:
db-data:
networks:
bw-services:
external:

21
examples/mongo-express/docker-compose.yml
View File

@ -6,14 +6,6 @@ services:
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -39,26 +31,26 @@ services:
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://docker-proxy:2375
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
mongo:
image: mongo:5.0.14
volumes:
- ./db:/data/db
- db-data:/data/db
environment:
- MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
- MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@ -82,6 +74,7 @@ services:
volumes:
bw-data:
db-data:
networks:
bw-universe:
@ -90,4 +83,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

4
examples/mongo-express/swarm.yml
View File

@ -6,7 +6,7 @@ services:
networks:
- bw-services
volumes:
- db:/data/db
- db-data:/data/db
environment:
- MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
- MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@ -48,4 +48,4 @@ networks:
name: bw-services
volumes:
db:
db-data:

43
examples/moodle/autoconf.yml
View File

@ -10,27 +10,38 @@ services:
depends_on:
- mydb
volumes:
- moodle_files:/bitnami/moodle
- moodle_data:/bitnami/moodledata
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb}
- MOODLE_DATABASE_USER=${MOODLE_USER:-user}
- MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # replace with a stronger password (must match MYSQL_PASSWORD)
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
- MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
labels:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
# For the database, you can refer to the autoconf integration example including a database
# In this example, you will need to add the following lines to the mydb service:
# - MARIADB_CHARACTER_SET=utf8mb4
# - MARIADB_COLLATE=utf8mb4_unicode_ci
mydb:
image: mariadb:10.5
volumes:
- db-data:/var/lib/mysql
networks:
bw-services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
networks:
bw-services:
@ -38,6 +49,6 @@ networks:
name: bw-services
volumes:
db_data:
moodle_files:
moodle_data:
db-data:
moodle-files:
moodle-data:

75
examples/moodle/docker-compose.yml
View File

@ -1,35 +1,22 @@
version: "3"
x-bunkerweb-env: &bunkerweb-env
DATABASE_URI: "mariadb+pymysql://${MOODLE_USER:-user}:${MOODLE_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
<<: *bunkerweb-env
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
MAX_CLIENT_SIZE: "50m"
SERVE_FILES: "no"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "https://mymoodle:8443"
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- SERVE_FILES=no
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mymoodle:8443
labels:
- "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
networks:
@ -41,56 +28,60 @@ services:
depends_on:
- mybunker
environment:
<<: *bunkerweb-env
DOCKER_HOST: "tcp://docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
mymoodle:
image: bitnami/moodle:4.1.0
depends_on:
- mydb
volumes:
- ./moodle-files:/bitnami/moodle
- ./moodle-data:/bitnami/moodledata
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb}
- MOODLE_DATABASE_USER=${MOODLE_USER:-user}
- MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
- MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- bw-services
mydb:
image: mariadb:10.10
image: mariadb:10.5
volumes:
- db-data:/var/lib/mysql
environment:
MARIADB_RANDOM_ROOT_PASSWORD: "yes"
entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MOODLE_USER:-user}\"; CREATE USER \"${MOODLE_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MOODLE_DATABASE:-moodledb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MOODLE_DATABASE:-moodledb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
networks:
- bw-universe
- bw-services
volumes:
bw-data:
db-data:
moodle-files:
moodle-data:
networks:
bw-universe:
@ -99,4 +90,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

31
examples/moodle/swarm.yml
View File

@ -8,8 +8,8 @@ services:
depends_on:
- mydb
volumes:
- moodle_files:/bitnami/moodle
- moodle_data:/bitnami/moodledata
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
@ -29,10 +29,23 @@ services:
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
# For the database, you can refer to the swarm integration example including a database
# In this example, you will need to add the following lines to the mydb service:
# - MARIADB_CHARACTER_SET=utf8mb4
# - MARIADB_COLLATE=utf8mb4_unicode_ci
mydb:
image: mariadb:10.5
volumes:
- db_data:/var/lib/mysql
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
@ -40,6 +53,6 @@ networks:
name: bw-services
volumes:
db_data:
moodle_files:
moodle_data:
db-data:
moodle-files:
moodle-data:

22
examples/nextcloud/autoconf.yml
View File

@ -4,7 +4,7 @@ services:
mync:
image: nextcloud:stable-apache
volumes:
- ./nc-files:/var/www/html
- nc-files:/var/www/html
networks:
bw-services:
aliases:
@ -56,7 +56,25 @@ services:
bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
# For the database, you can refer to the autoconf integration example including a database
mydb:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql
networks:
bw-services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
volumes:
nc-files:
db-data:
networks:
bw-services:

101
examples/nextcloud/docker-compose.yml
View File

@ -1,49 +1,51 @@
version: "3"
x-bunkerweb-env: &bunkerweb-env
DATABASE_URI: "mariadb+pymysql://${NEXTCLOUD_USER:-user}:${NEXTCLOUD_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
<<: *bunkerweb-env
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
MAX_CLIENT_SIZE: "10G"
USE_CLIENT_CACHE: "yes"
SERVE_FILES: "no"
ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS"
X_FRAME_OPTIONS: "SAMEORIGIN"
USE_GZIP: "yes"
BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mync"
LIMIT_REQ_URL_1: "/apps"
LIMIT_REQ_RATE_1: "5r/s"
LIMIT_REQ_URL_2: "/apps/text/session/sync"
LIMIT_REQ_RATE_2: "8r/s"
LIMIT_REQ_URL_3: "/core/preview"
LIMIT_REQ_RATE_3: "5r/s"
CUSTOM_CONF_MODSEC_CRS_nextcloud:
'SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"
# WebDAV SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:''tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS''"'
CUSTOM_CONF_MODSEC_nextcloud: 'SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"'
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=10G
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mync
- LIMIT_REQ_URL_1=/apps
- LIMIT_REQ_RATE_1=5r/s
- LIMIT_REQ_URL_2=/apps/text/session/sync
- LIMIT_REQ_RATE_2=8r/s
- LIMIT_REQ_URL_3=/core/preview
- LIMIT_REQ_RATE_3=5r/s
- |
CUSTOM_CONF_MODSEC_CRS_nextcloud=
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_nextcloud=1"
# WebDAV
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
- |
CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
labels:
- "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
networks:
@ -55,27 +57,26 @@ services:
depends_on:
- mybunker
environment:
<<: *bunkerweb-env
DOCKER_HOST: "tcp://docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
mync:
image: nextcloud:24-apache
volumes:
- ./nc-files:/var/www/html
- nc-files:/var/www/html
environment:
- NEXTCLOUD_ADMIN_USER=admin # replace with the admin username
- NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password
@ -90,12 +91,15 @@ services:
- bw-services
mydb:
image: mariadb:10.10
image: mariadb:10.9
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql
- ./db-data:/var/lib/mysql
environment:
MARIADB_RANDOM_ROOT_PASSWORD: "yes"
entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${NEXTCLOUD_USER:-user}\"; CREATE USER \"${NEXTCLOUD_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${NEXTCLOUD_DATABASE:-nextclouddb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${NEXTCLOUD_DATABASE:-nextclouddb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- bw-universe
- bw-services
@ -103,6 +107,7 @@ services:
volumes:
bw-data:
db-data:
nc-files:
networks:
bw-universe:
@ -111,4 +116,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

22
examples/nextcloud/swarm.yml
View File

@ -4,7 +4,7 @@ services:
mync:
image: nextcloud:24-apache
volumes:
- nc_files:/var/www/html
- nc-files:/var/www/html
networks:
- bw-services
environment:
@ -37,7 +37,22 @@ services:
- bunkerweb.LIMIT_REQ_URL_3=/core/preview
- bunkerweb.LIMIT_REQ_RATE_3=5r/s
# For the database, you can refer to the swarm integration example including a database
mydb:
image: mariadb:10.9
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
@ -45,4 +60,5 @@ networks:
name: bw-services
volumes:
nc_files:
nc-files:
db-data:

30
examples/passbolt/autoconf.yml
View File

@ -12,14 +12,13 @@ services:
- mypassbolt
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- PASSBOLT_SSL_FORCE=false
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
- DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
- DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
@ -37,11 +36,24 @@ services:
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
# For the database, you can refer to the autoconf integration example including a database
mydb:
image: mariadb
volumes:
- db-data:/var/lib/mysql
networks:
bw-services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
volumes:
gpg_volume:
jwt_volume:
gpg-data:
jwt-data:
db-data:
networks:
bw-services:

69
examples/passbolt/docker-compose.yml
View File

@ -1,36 +1,24 @@
version: "3"
x-bunkerweb-env: &bunkerweb-env
DATABASE_URI: "mariadb+pymysql://${PASSBOLT_USER:-user}:${PASSBOLT_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw-data:/data
environment:
<<: *bunkerweb-env
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
COOKIE_FLAGS: "* SameSite=Lax"
DISABLE_DEFAULT_SERVER: "yes"
ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE"
SERVE_FILES: "no"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "https://mypassbolt"
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- COOKIE_FLAGS=* SameSite=Lax
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
- SERVE_FILES=no
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mypassbolt
labels:
- "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
networks:
@ -42,22 +30,21 @@ services:
depends_on:
- mybunker
environment:
<<: *bunkerweb-env
DOCKER_HOST: "tcp://docker-proxy:2375"
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- net-docker
- bw-docker
docker-proxy:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
networks:
- net-docker
- bw-docker
# you will need to add a user by hand
# example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
@ -70,14 +57,13 @@ services:
- mydb
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- PASSBOLT_SSL_FORCE=false
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
- DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
- DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
@ -95,15 +81,16 @@ services:
volumes:
- db-data:/var/lib/mysql
environment:
MARIADB_RANDOM_ROOT_PASSWORD: "yes"
entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${PASSBOLT_USER:-user}\"; CREATE USER \"${PASSBOLT_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${PASSBOLT_DATABASE:-passboltdb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${PASSBOLT_DATABASE:-passboltdb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
networks:
- bw-universe
- bw-services
volumes:
gpg_volume:
jwt_volume:
gpg-data:
jwt-data:
db-data:
bw-data:
@ -114,4 +101,4 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
net-docker:
bw-docker:

31
examples/passbolt/swarm.yml
View File

@ -10,14 +10,13 @@ services:
- bw-services
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- PASSBOLT_SSL_FORCE=false
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
- DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
- DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
@ -39,7 +38,21 @@ services:
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
# For the database, you can refer to the swarm integration example including a database
mydb:
image: mariadb
volumes:
- db-data:/var/lib/mysql
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
@ -47,4 +60,6 @@ networks:
name: bw-services
volumes:
db_data:
db-data:
gpg-data:
jwt-data:

2
src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec
View File

@ -123,4 +123,4 @@ include /etc/nginx/{{ SERVER_NAME.split(" ")[0] }}/modsec/*.conf
{% if USE_MODSECURITY_CRS == "yes" %}
SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
{% endif %}
{% endif %}

8
src/common/core/ui/confs/modsec/ui.conf
View File

@ -1,5 +1,5 @@
{% if USE_UI == "yes" +%}
SecRule REQUEST_FILENAME "@rx /services$" "id:1,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
SecRule REQUEST_FILENAME "@rx /global_config$" "id:2,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
SecRule REQUEST_FILENAME "@rx /configs$" "id:3,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
{% endif +%}
SecRule REQUEST_FILENAME "@rx /services$" "id:1001,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
SecRule REQUEST_FILENAME "@rx /global_config$" "id:1002,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
SecRule REQUEST_FILENAME "@rx /configs$" "id:1003,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
{% endif +%}