librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

road to v1.5.0-beta 🚀

This commit is contained in:
florian 2023-04-29 21:43:26 +02:00
parent 4086628697
commit d0f6d59f6f
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
6 changed files with 278 additions and 241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/beta.yml vendored
View File

@ -397,7 +397,7 @@ jobs:
# Push doc
push-doc:
needs: [publish-gh]
needs: [push-gh]
permissions:
contents: write
uses: ./.github/workflows/push-doc.yml

2
.github/workflows/push-github.yml vendored
View File

@ -49,7 +49,7 @@ jobs:
Changelog :
${{steps.getchangelog.outputs.content}}
draft: false
draft: true
prerelease: ${{ inputs.PRERELEASE }}
name: v${{ inputs.VERSION }}
tag_name: v${{ inputs.VERSION }}

2
.github/workflows/release.yml vendored
View File

@ -373,7 +373,7 @@ jobs:
# Push doc
push-doc:
needs: [publish-gh]
needs: [push-gh]
permissions:
contents: write
uses: ./.github/workflows/push-doc.yml

360
.github/workflows/staging.yml vendored
View File

@ -32,18 +32,18 @@ jobs:
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-autoconf:
# uses: ./.github/workflows/container-build.yml
# with:
# RELEASE: staging
# ARCH: linux/amd64
# IMAGE: autoconf
# DOCKERFILE: src/autoconf/Dockerfile
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-autoconf:
uses: ./.github/workflows/container-build.yml
with:
RELEASE: staging
ARCH: linux/amd64
IMAGE: autoconf
DOCKERFILE: src/autoconf/Dockerfile
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-ui:
uses: ./.github/workflows/container-build.yml
with:
@ -58,28 +58,28 @@ jobs:
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Linux
# build-ubuntu:
# uses: ./.github/workflows/linux-build.yml
# with:
# RELEASE: staging
# LINUX: ubuntu
# PACKAGE: deb
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-debian:
# uses: ./.github/workflows/linux-build.yml
# with:
# RELEASE: staging
# LINUX: debian
# PACKAGE: deb
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-ubuntu:
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: staging
LINUX: ubuntu
PACKAGE: deb
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-debian:
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: staging
LINUX: debian
PACKAGE: deb
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-centos:
# uses: ./.github/workflows/linux-build.yml
# with:
@ -91,28 +91,28 @@ jobs:
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-fedora:
# uses: ./.github/workflows/linux-build.yml
# with:
# RELEASE: staging
# LINUX: fedora
# PACKAGE: rpm
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# build-rhel:
# uses: ./.github/workflows/linux-build.yml
# with:
# RELEASE: staging
# LINUX: rhel
# PACKAGE: rpm
# secrets:
# DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
# DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-fedora:
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: staging
LINUX: fedora
PACKAGE: rpm
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
build-rhel:
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: staging
LINUX: rhel
PACKAGE: rpm
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Code security
code-security:
@ -139,132 +139,132 @@ jobs:
category: "/language:${{matrix.language}}"
# Create infrastructures
# create-infra-docker:
# needs: [code-security, build-bw, build-scheduler]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: docker
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-autoconf:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: autoconf
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-swarm:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: swarm
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-k8s:
# needs: [code-security, build-bw, build-scheduler, build-autoconf]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: k8s
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# create-infra-linux:
# needs:
# [
# code-security,
# build-ubuntu,
# build-debian,
# build-fedora,
# build-rhel,
# ]
# uses: ./.github/workflows/staging-create-infra.yml
# with:
# TYPE: linux
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-docker:
needs: [code-security, build-bw, build-scheduler]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: docker
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-autoconf:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: autoconf
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-swarm:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: swarm
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-k8s:
needs: [code-security, build-bw, build-scheduler, build-autoconf]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: k8s
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
create-infra-linux:
needs:
[
code-security,
build-ubuntu,
build-debian,
build-fedora,
build-rhel,
]
uses: ./.github/workflows/staging-create-infra.yml
with:
TYPE: linux
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# Perform tests
# tests-docker:
# needs: [create-infra-docker]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: docker
# RUNS_ON: "['self-hosted', 'bw-docker']"
# secrets: inherit
# tests-autoconf:
# needs: [create-infra-autoconf]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: autoconf
# RUNS_ON: "['self-hosted', 'bw-autoconf']"
# secrets: inherit
# tests-swarm:
# needs: [create-infra-swarm]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: swarm
# RUNS_ON: "['self-hosted', 'bw-swarm']"
# secrets: inherit
# tests-k8s:
# needs: [create-infra-k8s]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: k8s
# RUNS_ON: "['ubuntu-latest']"
# secrets: inherit
# tests-linux:
# needs: [create-infra-linux]
# uses: ./.github/workflows/staging-tests.yml
# with:
# TYPE: linux
# RUNS_ON: "['self-hosted', 'bw-linux']"
# secrets: inherit
tests-ui:
needs: [code-security, build-bw, build-scheduler, build-ui]
uses: ./.github/workflows/tests-ui.yml
tests-docker:
needs: [create-infra-docker]
uses: ./.github/workflows/staging-tests.yml
with:
RELEASE: staging
secrets:
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
TYPE: docker
RUNS_ON: "['self-hosted', 'bw-docker']"
secrets: inherit
tests-autoconf:
needs: [create-infra-autoconf]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: autoconf
RUNS_ON: "['self-hosted', 'bw-autoconf']"
secrets: inherit
tests-swarm:
needs: [create-infra-swarm]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: swarm
RUNS_ON: "['self-hosted', 'bw-swarm']"
secrets: inherit
tests-k8s:
needs: [create-infra-k8s]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: k8s
RUNS_ON: "['ubuntu-latest']"
secrets: inherit
tests-linux:
needs: [create-infra-linux]
uses: ./.github/workflows/staging-tests.yml
with:
TYPE: linux
RUNS_ON: "['self-hosted', 'bw-linux']"
secrets: inherit
# tests-ui:
# needs: [code-security, build-bw, build-scheduler, build-ui]
# uses: ./.github/workflows/tests-ui.yml
# with:
# RELEASE: staging
# secrets:
# PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
# PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Delete infrastructures
# delete-infra-docker:
# if: ${{ always() }}
# needs: [tests-docker]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: docker
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-autoconf:
# if: ${{ always() }}
# needs: [tests-autoconf]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: autoconf
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-swarm:
# if: ${{ always() }}
# needs: [tests-swarm]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: swarm
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-k8s:
# if: ${{ always() }}
# needs: [tests-k8s]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: k8s
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# delete-infra-linux:
# if: ${{ always() }}
# needs: [tests-linux]
# uses: ./.github/workflows/staging-delete-infra.yml
# with:
# TYPE: linux
# secrets:
# CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-docker:
if: ${{ always() }}
needs: [tests-docker]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: docker
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-autoconf:
if: ${{ always() }}
needs: [tests-autoconf]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: autoconf
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-swarm:
if: ${{ always() }}
needs: [tests-swarm]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: swarm
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-k8s:
if: ${{ always() }}
needs: [tests-k8s]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: k8s
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
delete-infra-linux:
if: ${{ always() }}
needs: [tests-linux]
uses: ./.github/workflows/staging-delete-infra.yml
with:
TYPE: linux
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}

151
README.md
View File

@ -1,5 +1,5 @@
<p align="center">
<img alt="BunkerWeb logo" src="misc/logo.png" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/misc/logo.png" />
</p>
<p align="center">
@ -17,7 +17,7 @@
&#124;
👨‍💻 <a href="https://demo.bunkerweb.io">Demo</a>
&#124;
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/master/examples">Examples</a>
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.0-beta/examples">Examples</a>
&#124;
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
&#124;
@ -33,29 +33,29 @@
# BunkerWeb
<p align="center">
<img alt="overview" src="docs/assets/img/intro-overview.svg" />
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is an incredible web server that is built upon the reliable [NGINX](https://nginx.org/) and designed with a primary focus on security.
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
This web server can effortlessly be integrated into your current environment, whether you're using [Linux](#linux), [Docker](#docker), [Swarm](#swarm), [Kubernetes](#Kubernetes), and more. To ensure that your web services are "secure by default" without any added stress or effort.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.0-beta/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.0-beta/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.0-beta/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.0-beta/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
With BunkerWeb, you can be assured that all security best practices are applied automatically, and you have total control over each setting to meet your unique needs. The web server comes with a table of primary [security features](#security-tuning) as part of the core, but you can easily expand it with extra features using the [plugin system](#plugins).
Overall, BunkerWeb is a great choice for anyone looking for a secure and user-friendly web server that guarantees optimum performance and uncompromised security for their web services.
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.0-beta/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.0-beta/plugins/)).
## Why BunkerWeb ?
- **Easy integration into existing environments** : support for Linux, Docker, Swarm and Kubernetes
- **Easy integration into existing environments** : support for Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, ...
- **Highly customizable** : enable, disable and configure features easily to meet your use case
- **Secure by default** : offers out-of-the-box and hassle-free minimal security for your web services
- **Awesome web UI** : keep control of everything more efficiently without the need of the CLI
- **Plugin system** : extend BunkerWeb to meet your own use-cases
- **Free as in "freedom"** : licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html)
## Security features
A non-exhaustive list of security features :
- **HTTPS** support with transparent **Let's Encrypt** automation.
- **HTTPS** support with transparent **Let's Encrypt** automation
- **State-of-the-art web security** : HTTP security headers, prevent leaks, TLS hardening, ...
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set**
- **Automatic ban** of strange behaviors based on HTTP status code
@ -64,12 +64,12 @@ A non-exhaustive list of security features :
- **Block known bad IPs** with external blacklists and DNSBL
- And much more ...
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/latest/security-tuning) section of the documentation.
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.0-beta/security-tuning/) section of the documentation.
## Demo
<p align="center">
<img alt="Demo GIF" src="docs/assets/img/demo.gif" />
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://yt-embed.herokuapp.com/embed?v=ZhYV-QELzA4" /></a>
</p>
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
@ -77,10 +77,10 @@ A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](http
# Concepts
<p align="center">
<img alt="BunkerWeb logo" src="docs/assets/img/concepts.svg" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/latest/concepts).
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.0-beta/concepts).
## Integrations
@ -88,18 +88,19 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
- [Docker](https://docs.bunkerweb.io/latest/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/latest/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/latest/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/latest/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/latest/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/latest/integrations/#ansible)
- [Docker](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.0-beta/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.0-beta/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.0-beta/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.0-beta/integrations/#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.0-beta/integrations/#vagrant)
## Settings
Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
Configuration of BunkerWeb is done using what we called the "settings" or "variables". Each setting is identified by a name like `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT` for example. You can assign values to the settings to configure BunkerWeb.
The configuration of BunkerWeb is done by using what we call the "settings" or "variables". Each setting is identified by a name such as `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT`. You can assign values to the settings to configure BunkerWeb.
Here is a dummy example of a BunkerWeb configuration :
@ -125,115 +126,149 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/latest/plugins)), you can use custom configurations to solve your specific challenges.
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.0-beta/plugins)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
Another core component of BunkerWeb is the ModSecurity Web Application Firewall : you can also use custom configurations to fix some false positives or add custom rules for example.
## Database
State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
- Settings defined for all the services
- Custom configurations
- BunkerWeb instances
- Metadata about jobs execution
- Cached files
The following backend database are supported : SQLite, MariaDB, MySQL and PostgreSQL
## Scheduler
To make things automagically work together, a dedicated service called the scheduler is in charge of :
- Storing the settings and custom configurations inside the database
- Executing various tasks (called jobs)
- Generating a configuration which is understood by BunkerWeb
- Being the intermediary for other services (like web UI or autoconf)
In other words, the scheduler is the brain of BunkerWeb.
# Setup
## Docker
<p align="center">
<img alt="Docker" src="docs/assets/img/integration-docker.svg" />
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-docker.svg" />
</p>
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) using the `bunkerity/bunkerweb` tag.
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
Usage and configuration of the BunkerWeb container are based on :
Docker integration key concepts are :
- **Environment variables** to configure BunkerWeb and meet your use cases
- **Volume** to cache important data and mount custom configuration files
- **Environment variables** to configure BunkerWeb
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/latest/integrations/#docker) of the documentation.
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker) of the documentation.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf" src="docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/latest/integrations/#docker-autoconf) of the documentation.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker-autoconf) of the documentation.
## Swarm
<p align="center">
<img alt="Swarm" src="docs/assets/img/integration-swarm.svg" />
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf**, will be scheduled on a manager node. That service will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
Like the [Docker autoconf integration](#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.0-beta/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
The recommended setup is to schedule the **BunkerWeb service** as a **global service** on all worker nodes and the **autoconf service** as a **single replicated service** on a manager node.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/latest/integrations/#swarm) of the documentation.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#swarm) of the documentation.
## Kubernetes
<p align="center">
<img alt="Kubernetes" src="docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/latest/integrations/#kubernetes) of the documentation.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#kubernetes) of the documentation.
## Linux
<p align="center">
<img alt="Linux" src="docs/assets/img/integration-linux.svg" />
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros :
- Debian 11 "Bullseye"
- Ubuntu 22.04 "Jammy"
- Fedora 36
- CentOS Stream 8
- Fedora 37
- RHEL 8.7
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
You will find more information in the [Linux section](https://docs.bunkerweb.io/latest/integrations/#linux) of the documentation.
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#linux) of the documentation.
## Ansible
<p align="center">
<img alt="Ansible" src="docs/assets/img/integration-ansible.svg" />
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0-beta/docs/assets/img/integration-ansible.svg" />
</p>
List of supported Linux distros :
- Debian 11 "Bullseye"
- Ubuntu 22.04 "Jammy"
- Fedora 36
- CentOS Stream 8
- Fedora 37
- RHEL 8.7
[Ansible](https://docs.ansible.com/ansible/latest/index.html) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
[Ansible](https://www.ansible.com/) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
You will find more information in the [Ansible section](https://docs.bunkerweb.io/latest/integrations/#ansible) of the documentation.
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#ansible) of the documentation.
## Vagrant
We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following providers :
- vmware_desktop
- virtualbox
- libvirt
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.0-beta/integrations/#vagrant) of the documentation.
# Quickstart guide
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/latest/quickstart-guide/) that will cover the following common use cases :
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.0-beta/quickstart-guide/) that will cover the following common use cases :
- Protecting a single HTTP application
- Protecting multiple HTTP application
- Retrieving the real IP of clients when operating behind a load balancer
- Adding custom configurations
- Protecting generic TCP/UDP applications
- In combination with PHP
# Security tuning
BunkerWeb offers many security features that you can configure with [settings](/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.0-beta/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/latest/security-tuning) of the documentation.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.0-beta/security-tuning) of the documentation.
# Settings
@ -243,12 +278,12 @@ As a general rule when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
Check the [settings section](https://docs.bunkerweb.io/latest/settings) of the documentation to get the full list.
Check the [settings section](https://docs.bunkerweb.io/1.5.0-beta/settings) of the documentation to get the full list.
# Web UI
<p align="center">
<a href="https://www.youtube.com/watch?v=2n4EarhW7-Y" target="_blank"><img alt="BunkerWeb UI demo" src="https://yt-embed.herokuapp.com/embed?v=2n4EarhW7-Y" /></a>
<a href="https://www.youtube.com/watch?v=Ao20SfvQyr4" target="_blank"><img alt="BunkerWeb UI demo" src="https://yt-embed.herokuapp.com/embed?v=Ao20SfvQyr4" /></a>
</p>
The "Web UI" is a web application that helps you manage your BunkerWeb instance using a user-friendly interface instead of the command-line one.
@ -257,9 +292,11 @@ The "Web UI" is a web application that helps you manage your BunkerWeb instance
- Add, edit and delete settings for your web applications
- Add, edit and delete custom configurations for NGINX and ModSecurity
- Install and uninstall external plugins
- Explore the cached files
- Monitor jobs execution
- View the logs and search pattern
You will find more information in the [Web UI section](https://docs.bunkerweb.io/latest/web-ui) of the documentation.
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.0-beta/web-ui) of the documentation.
# Plugins
@ -275,7 +312,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| **Slack** | 0.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/latest/plugins) of the documentation.
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.0-beta/plugins) of the documentation.
# Support
@ -303,12 +340,12 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/master/LICENSE.md).
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/LICENSE.md).
# Contribute
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/CONTRIBUTING.md) to get started.
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/CONTRIBUTING.md) to get started.
# Security policy
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/master/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0-beta/SECURITY.md) for more information.

2
docs/integrations.md
View File

@ -1088,7 +1088,7 @@ List of supported Linux distros :
[Ansible](https://docs.ansible.com/ansible/latest/index.html) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb).
First of all, download the role from ansible-galaxy :
```shell