custom conf - docker
parent
a5457a164c
commit
e25babe3d2
|
@ -93,7 +93,11 @@ volumes:
|
|||
!!! warning
|
||||
BunkerWeb runs as an **unprivileged user with UID 101 and GID 101** inside the container. The reason behind this is the security : in case a vulnerability is exploited, the attacker won't have full root (UID/GID 0) privileges.
|
||||
But there is a downside : if you use a **local folder for the persistent data**, you will need to **set the correct permissions** so the unprivileged user can write data to it. Something like that should do the trick :
|
||||
`shell mkdir bw-data && \ chown root:101 bw-data && \ chmod 770 bw-data `
|
||||
```shell
|
||||
mkdir bw-data && \
|
||||
chown root:101 bw-data && \
|
||||
chmod 770 bw-data
|
||||
```
|
||||
|
||||
Alternatively, if the folder already exists :
|
||||
|
||||
|
|
|
@ -1140,7 +1140,35 @@ Some integrations offer a more convenient way of applying configurations for exa
|
|||
|
||||
=== "Docker"
|
||||
|
||||
When using the [Docker integration](/1.4/integrations/#docker), custom configurations must be written to the volume mounted on /data.
|
||||
When using the [Docker integration](/1.4/integrations/#docker), you have two choices for adding custom configurations :
|
||||
|
||||
- Using specific settings `*_CUSTOM_CONF_*` as environment variable (easiest)
|
||||
- Writing .conf files to the volume mounted on /data
|
||||
|
||||
**Using settings**
|
||||
|
||||
The custom setting to use must follow the pattern `<SITE>_CUSTOM_CONF_<TYPE>_<NAME>` :
|
||||
|
||||
- `<SITE>` : optional primary server name if multisite mode is enabled and the config must be applied to a specific service
|
||||
- `<TYPE>` : the type of config, accepted values are `HTTP`, `DEFAULT_SERVER_HTTP`, `SERVER_HTTP`, `MODSEC` and `MODSEC_CRS`
|
||||
- `<NAME>` : the name of your config without the .conf suffix
|
||||
|
||||
Here is a dummy example using a docker-compose file :
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.2
|
||||
environment:
|
||||
- |
|
||||
CUSTOM_CONF_SERVER_HTTP_test=
|
||||
location /hello {
|
||||
default_type 'text/plain';
|
||||
content_by_lua_block {
|
||||
ngx.say('world')
|
||||
}
|
||||
...
|
||||
```
|
||||
|
||||
**Using files**
|
||||
|
||||
The first thing to do is to create the folders :
|
||||
```shell
|
||||
|
@ -1200,25 +1228,19 @@ Some integrations offer a more convenient way of applying configurations for exa
|
|||
}" > ./bw-data/configs/server-http/hello-world.conf
|
||||
```
|
||||
|
||||
Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
|
||||
```shell
|
||||
chown -R root:101 bw-data && \
|
||||
chmod -R 770 bw-data
|
||||
```
|
||||
|
||||
When starting the BunkerWeb container, you will need to mount the folder on /data :
|
||||
When starting the BunkerWeb autoconf container, you will need to mount the folder on /data :
|
||||
```shell
|
||||
docker run \
|
||||
...
|
||||
-v "${PWD}/bw-data:/data" \
|
||||
...
|
||||
bunkerity/bunkerweb:1.4.2
|
||||
bunkerity/bunkerweb-autoconf:1.4.2
|
||||
```
|
||||
|
||||
Here is the docker-compose equivalent :
|
||||
```yaml
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.2
|
||||
myautoconf:
|
||||
image: bunkerity/bunkerweb-autoconf:1.4.2
|
||||
volumes:
|
||||
- ./bw-data:/data
|
||||
...
|
||||
|
|
|
@ -46,24 +46,28 @@ fi
|
|||
|
||||
if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF_MODE" != "yes" ] ; then
|
||||
# extract and drop configs
|
||||
for var_name in $(compgen -v) ; do
|
||||
extracted=$(echo "$var_name" | | sed -r 's/^([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*)$/\1 \2 \3/g')
|
||||
for var_name in $(compgen -e) ; do
|
||||
extracted=$(echo "$var_name" | sed -r 's/^([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*)$/\1 \2 \3/g')
|
||||
site=$(echo "$extracted" | cut -d ' ' -f 1)
|
||||
type=$(echo "$extracted" | cut -d ' ' -f 2 | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
|
||||
type=$(echo "$extracted" | cut -d ' ' -f 2 | grep -E '(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)' | tr '[:upper:]' '[:lower:]' | sed 's/_/-/')
|
||||
name=$(echo "$extracted" | cut -d ' ' -f 3)
|
||||
if [ "$type" = "" ] ; then
|
||||
if [ "$type" = "" ] || [ "$name" = "" ] ; then
|
||||
continue
|
||||
fi
|
||||
target="/data/configs/${type}/"
|
||||
if [ "$site" != "" ] && [ ! -d "/data/configs/${type}/${site}" ] ; then
|
||||
mkdir "/data/configs/${type}/${site}"
|
||||
target="${target}/${site}/"
|
||||
mkdir "$target"
|
||||
fi
|
||||
echo "${!var_name}" > "/data/configs/${type}/${site}/${name}.conf"
|
||||
target="${target}${name}.conf"
|
||||
log "ENTRYPOINT" "ℹ️" "Saving custom config to $target ..."
|
||||
echo "${!var_name}" > "$target"
|
||||
done
|
||||
|
||||
# execute temp nginx with no server
|
||||
export TEMP_NGINX="yes"
|
||||
log "ENTRYPOINT" "ℹ️" "Generating configuration for temp nginx ..."
|
||||
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
|
||||
get_env > "/tmp/variables.env"
|
||||
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
log "ENTRYPOINT" "❌" "Generator failed"
|
||||
|
@ -95,7 +99,7 @@ log "ENTRYPOINT" "ℹ️" "Generating configuration ..."
|
|||
if [ "$SWARM_MODE" = "yes" ] || [ "$KUBERNETES_MODE" = "yes" ] || [ "$AUTOCONF_MODE" = "yes" ] ; then
|
||||
export SERVER_NAME=
|
||||
fi
|
||||
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
|
||||
get_env > "/tmp/variables.env"
|
||||
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
|
||||
if [ "$?" -ne 0 ] ; then
|
||||
log "ENTRYPOINT" "❌" "Generator failed"
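Review bot: In the custom-config loop of the first hunk, `target` only gains the site component when `/data/configs/${type}/${site}` does not exist yet, so on a restart with a persistent /data volume, or for a second config of the same site, a site-scoped config is written to the global `/data/configs/${type}/` directory and would presumably apply to every service. Decouple the path from the directory check: `if [ "$site" != "" ] ; then`, `target="${target}${site}/"`, `mkdir -p "$target"`. Separately, the added `grep -E` is unanchored and `cut` without `-s` echoes the whole line when the sed pattern did not match, so a variable whose name merely contains `HTTP` or `MODSEC` passes the emptiness check; skipping when `[ "$extracted" = "$var_name" ]` would make the filter exact. `sed 's/_/-/'` also replaces only the first underscore, so `DEFAULT_SERVER_HTTP` maps to `default-server_http`. The enclosing `if` block continues past the end of the hunk.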
|
||||
|
|
|
@ -51,3 +51,12 @@ function log() {
|
|||
echo "$when $category - $severity - $message"
|
||||
}
|
||||
|
||||
# get only interesting env (var=value)
|
||||
function get_env() {
|
||||
for var_name in $(compgen -e) ; do
|
||||
filter=$(echo -n "$var_name" | sed -r 's/^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME|([a-z\.\-]*)_?CUSTOM_CONF_(HTTP|DEFAULT_SERVER_HTTP|SERVER_HTTP|MODSEC|MODSEC_CRS)_(.*))$//g')
|
||||
if [ "$filter" != "" ] ; then
|
||||
echo "${var_name}=${!var_name}"
|
||||
fi
|
||||
done
|
||||
}
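Review bot: get_env prints `${var_name}=${!var_name}` verbatim, so a value containing a newline spans several lines of /tmp/variables.env, and a continuation line shaped like `KEY=value` could be read as a separate setting if the generator parses the file line by line (main.py is not visible here, so this is inferred). The CUSTOM_CONF exclusion only matches names whose site prefix fits `[a-z\.\-]*`, so a prefix with digits or uppercase letters is not filtered and its multi-line config body lands in the file. Skipping such values with `case "${!var_name}" in *$'\n'*) continue ;; esac` before the `echo` would keep the file one setting per line. Declaring `local var_name filter` at the top of the function would also stop the loop from overwriting the caller's globals of the same name.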
|