temp nginx is dead, long live to the IS_LOADING setting

bunkerity 2022-10-20 17:11:12 +02:00
parent 0bf402fd7a
commit fe774e0009
61 changed files with 22 additions and 1802 deletions


@ -33,7 +33,11 @@ COPY bw/cli /opt/bunkerweb/cli
COPY bw/helpers /opt/bunkerweb/helpers
COPY bw/lua /opt/bunkerweb/lua
COPY bw/misc /opt/bunkerweb/misc
COPY bw/temp_nginx /etc/nginx
COPY bw/gen /opt/bunkerweb/gen
COPY bw/settings.json /opt/bunkerweb/settings.json
COPY db /opt/bunkerweb/db
COPY bw/confs /opt/bunkerweb/confs
COPY bw/loading /opt/bunkerweb/loading
COPY utils /opt/bunkerweb/utils
COPY VERSION /opt/bunkerweb/VERSION


@ -10,6 +10,12 @@ server {
listen 0.0.0.0:{{ HTTP_PORT }} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
{% endif %}
{% if IS_LOADING == "yes" +%}
root /opt/bunkerweb/loading;
index index.html;
{% endif %}
# include core and plugins default-server configurations
include /etc/nginx/default-server-http/*.conf;


@ -56,7 +56,7 @@ include /etc/nginx/init-lua.conf;
include /etc/nginx/healthcheck.conf;
# default server
{% if MULTISITE == "yes" or DISABLE_DEFAULT_SERVER == "yes" or TEMP_NGINX == "yes" +%}
{% if MULTISITE == "yes" or DISABLE_DEFAULT_SERVER == "yes" or IS_LOADING == "yes" +%}
include /etc/nginx/default-server-http.conf;
{% endif +%}
@ -64,7 +64,6 @@ include /etc/nginx/default-server-http.conf;
server_tokens off;
# server config(s)
{% if TEMP_NGINX != "yes" +%}
{% if MULTISITE == "yes" and SERVER_NAME != "" %}
{% set map_servers = {} %}
{% for server_name in SERVER_NAME.split(" ") %}
@ -91,4 +90,3 @@ include /etc/nginx/{{ first_server }}/server.conf;
{% elif MULTISITE == "no" and SERVER_NAME != "" +%}
include /etc/nginx/server.conf;
{% endif %}
{% endif %}
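Review bot: With the `{% if TEMP_NGINX != "yes" +%}` guard in the second hunk and its matching `{% endif %}` in the third hunk removed, the `# server config(s)` block is now rendered unconditionally, so loading mode appears to skip the site servers only because the entrypoint writes an empty SERVER_NAME into the loading variables file, and nothing in this template records that dependency. A comment on the new `IS_LOADING == "yes"` condition in the first hunk would keep the two files in sync, e.g. `# IS_LOADING: the loading page is served by the default server; site servers are skipped because SERVER_NAME is empty in loading mode`. The enclosing `http` block and the branches of the server-config conditional start outside these hunks.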


@ -12,11 +12,7 @@ load_module /opt/bunkerweb/modules/ngx_http_brotli_static_module.so;
#load_module /opt/bunkerweb/modules/ngx_stream_lua_module.so;
# PID file
{% if TEMP_NGINX != "yes" +%}
pid /opt/bunkerweb/tmp/nginx.pid;
{% else +%}
pid /opt/bunkerweb/tmp/nginx-temp.pid;
{% endif %}
# worker number (default = auto)
worker_processes {{ WORKER_PROCESSES }};


@ -32,6 +32,10 @@ function trap_reload() {
}
trap "trap_reload" HUP
# generate "temp" config
echo -e "IS_LOADING=yes\nSERVER_NAME=\nAPI_HTTP_PORT=${API_HTTP_PORT:-5000}\nAPI_SERVER_NAME=${API_SERVER_NAME:-bwapi}\nAPI_WHITELIST_IP=${API_WHITELIST_IP:-127.0.0.0/8}" > /tmp/variables.env
python3 /opt/bunkerweb/gen/main.py --variables /tmp/variables.env
# start nginx
log "ENTRYPOINT" "" "Starting nginx ..."
nginx -g "daemon off;" &
@ -44,4 +48,4 @@ while [ -f "/opt/bunkerweb/tmp/nginx.pid" ] ; do
done
log "ENTRYPOINT" "" "BunkerWeb stopped"
exit 0
exit 0
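Review bot: The generator call `python3 /opt/bunkerweb/gen/main.py --variables /tmp/variables.env` in the first hunk is not checked for success before nginx is started two lines later, so a failed generation (rejected or missing variables, write error) still launches nginx on whatever configuration currently sits under /etc/nginx. Guard it with the script's own logger: `python3 /opt/bunkerweb/gen/main.py --variables /tmp/variables.env || { log "ENTRYPOINT" "" "Config generation failed, exiting"; exit 1; }`. The preceding `echo -e` line also interpolates API_HTTP_PORT, API_SERVER_NAME and API_WHITELIST_IP straight from the environment into a KEY=value file, so a value containing a newline or a backslash escape would add or alter lines of that file; unless the generator validates those settings against their declared regex, rejecting such values before writing would be safer. trap_reload's body and the pid wait loop start outside these hunks.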


@ -1,11 +1,12 @@
{
"TEMP_NGINX": {
"IS_LOADING": {
"context": "global",
"default": "no",
"help": "internal-use",
"help": "Internal use : set to yes when BW is loading.",
"id": "internal-use",
"regex": ".*",
"type": "text"
"label": "internal use",
"regex": "^(yes|no)$",
"type": "check"
},
"NGINX_PREFIX": {
"context": "global",


@ -1,64 +0,0 @@
access_by_lua_block {
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
local utils = require "utils"
-- Don't process internal requests
if ngx.req.is_internal() then
logger.log(ngx.INFO, "ACCESS", "Skipped access phase because request is internal")
return
end
logger.log(ngx.INFO, "ACCESS", "Access phase started")
-- Process bans as soon as possible
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
if banned then
logger.log(ngx.WARN, "ACCESS", "IP " .. ngx.var.remote_addr .. " is banned with reason : " .. banned)
ngx.exit(utils.get_deny_status())
end
-- List all plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "ACCESS", "Can't list loaded plugins : " .. err)
list = {}
end
-- Call access method of plugins
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.access ~= nil then
logger.log(ngx.INFO, "ACCESS", "Executing access() of " .. plugin.id)
local ok, err, ret, value = plugin_obj:access()
if not ok then
logger.log(ngx.ERR, "ACCESS", "Error while calling access() on plugin " .. plugin.id .. " : " .. err)
else
logger.log(ngx.INFO, "ACCESS", "Return value from " .. plugin.id .. ".access() is : " .. err)
end
if ret then
if type(value) == "number" then
if value == utils.get_deny_status() then
logger.log(ngx.WARN, "ACCESS", "Denied access from " .. plugin.id .. " : " .. err)
ngx.var.reason = plugin.id
else
logger.log(ngx.NOTICE, "ACCESS", plugin.id .. " returned status " .. tostring(value) .. " : " .. err)
end
return ngx.exit(value)
else
return value
end
end
else
logger.log(ngx.INFO, "ACCESS", "access() method not found in " .. plugin.id .. ", skipped execution")
end
end
end
logger.log(ngx.INFO, "ACCESS", "Access phase ended")
}


@ -1,38 +0,0 @@
server {
server_name bwapi;
# HTTP listen
listen 0.0.0.0:5000;
listen 127.0.0.1:5000;
# maximum body size for API
client_max_body_size 1G;
# default mime type is JSON
default_type 'application/json';
# check IP and do the API call
access_by_lua_block {
local api = require "api"
local logger = require "logger"
if not ngx.var.http_host or ngx.var.http_host ~= "bwapi" then
logger.log(ngx.WARN, "API", "Wrong Host header from IP " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_CLOSE)
end
local ok, err = api:is_allowed_ip()
if not ok then
logger.log(ngx.WARN, "API", "Can't validate access from IP " .. ngx.var.remote_addr .. " : " .. err)
return ngx.exit(ngx.HTTP_CLOSE)
end
logger.log(ngx.NOTICE, "API", "Validated access from IP " .. ngx.var.remote_addr)
local ok, err, status, resp = api:do_api_call()
if not ok then
logger.log(ngx.WARN, "API", "Call from " .. ngx.var.remote_addr .. " on " .. ngx.var.uri .. " failed : " .. err)
else
logger.log(ngx.NOTICE, "API", "Successful call from " .. ngx.var.remote_addr .. " on " .. ngx.var.uri .. " : " .. err)
end
ngx.status = status
ngx.say(resp)
return ngx.exit(status)
}
}


@ -1,63 +0,0 @@
server {
# reason variable
set $reason '';
server_name _;
# HTTP listen
listen 0.0.0.0:8080 default_server ;
# include core and plugins default-server configurations
include /etc/nginx/default-server-http/*.conf;
# include custom default-server configurations
include /opt/bunkerweb/configs/default-server-http/*.conf;
log_by_lua_block {
local utils = require "utils"
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
logger.log(ngx.INFO, "LOG", "Log phase started")
-- List all plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
list = {}
end
-- Call log_default method of plugins
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.log_default ~= nil then
logger.log(ngx.INFO, "LOG", "Executing log_default() of " .. plugin.id)
local ok, err = plugin_obj:log_default()
if not ok then
logger.log(ngx.ERR, "LOG", "Error while calling log_default() on plugin " .. plugin.id .. " : " .. err)
else
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log_default() is : " .. err)
end
else
logger.log(ngx.INFO, "LOG", "log_default() method not found in " .. plugin.id .. ", skipped execution")
end
end
end
-- Display reason at info level
local reason = utils.get_reason()
if reason then
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
end
logger.log(ngx.INFO, "LOG", "Log phase ended")
}
}


@ -1,4 +0,0 @@
# set location for challenges
location ~ ^/.well-known/acme-challenge/ {
root /opt/bunkerweb/tmp/lets-encrypt;
}


@ -1 +0,0 @@
set $is_whitelisted '';


@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----


@ -1,25 +0,0 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -1,25 +0,0 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -1,25 +0,0 @@
server {
# healthcheck service for docker, swarm and k8s
server_name healthcheck.bunkerweb.io;
# only listen on localhost
listen 127.0.0.1:6000;
# healthcheck endpoint
location ~ ^/healthz$ {
keepalive_timeout 0;
default_type "text/plain";
content_by_lua_block {
ngx.say("ok")
}
}
# disable logging
access_log off;
# don't respond to other requests
location / {
return 444;
}
}


@ -1,67 +0,0 @@
# /etc/nginx/base_http.conf
# zero copy within the kernel
sendfile on;
# send packets only if filled
tcp_nopush on;
# remove 200ms delay
tcp_nodelay on;
# load mime types and set default one
include /etc/nginx/mime.types;
default_type application/octet-stream;
# access log format
log_format logf '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log logf;
# temp paths
proxy_temp_path /opt/bunkerweb/tmp/proxy_temp;
client_body_temp_path /opt/bunkerweb/tmp/client_temp;
fastcgi_temp_path /opt/bunkerweb/tmp/fastcgi_temp;
uwsgi_temp_path /opt/bunkerweb/tmp/uwsgi_temp;
scgi_temp_path /opt/bunkerweb/tmp/scgi_temp;
# close connections in FIN_WAIT1 state
reset_timedout_connection on;
# timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 15;
send_timeout 10;
# resolvers to use
resolver 127.0.0.11 ipv6=off;
# remove ports when sending redirects
port_in_redirect off;
# lua path and dicts
lua_package_path "/opt/bunkerweb/lua/?.lua;/opt/bunkerweb/core/?.lua;/opt/bunkerweb/plugins/?.lua;/opt/bunkerweb/deps/lib/lua/?.lua;;";
lua_package_cpath "/opt/bunkerweb/deps/lib/?.so;/opt/bunkerweb/deps/lib/lua/?.so;;";
lua_ssl_trusted_certificate "/opt/bunkerweb/misc/root-ca.pem";
lua_ssl_verify_depth 2;
lua_shared_dict datastore 256m;
# LUA init block
include /etc/nginx/init-lua.conf;
# API server
include /etc/nginx/api.conf;
# healthcheck server
include /etc/nginx/healthcheck.conf;
# default server
# disable sending nginx version globally
server_tokens off;
# server config(s)
include /etc/nginx/server.conf;


@ -1,9 +0,0 @@
map "random" $session_secret {
default "random";
"random" "C5rVWIkDAQrYckTEHCMfcdFaEN9kz7oG";
}
map "random" $session_name {
default "random";
"random" "045T9173ACZquAQh";
}


@ -1,4 +0,0 @@
map $uri $cache_control {
default "";
"~\.(jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2)$" "public, max-age=15552000";
}


@ -1,4 +0,0 @@
map $scheme $header_cookie_secure {
default "";
"https" "secure";
}


@ -1,19 +0,0 @@
map $http2 $v1ip {
default "";
"" $binary_remote_addr;
}
map $http2 $v2ip {
default $binary_remote_addr;
"" "";
}
limit_conn_zone $v1ip zone=v1ips:10m;
limit_conn_zone $v2ip zone=v2ips:10m;
limit_conn_log_level warn;
limit_conn_status 429;


@ -1,5 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}


@ -1,118 +0,0 @@
init_by_lua_block {
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
local utils = require "utils"
local cjson = require "cjson"
logger.log(ngx.NOTICE, "INIT", "Init phase started")
-- Remove previous data from the datastore
local data_keys = {"^plugin_", "^variable_", "^plugins$", "^api_", "^misc_"}
for i, key in pairs(data_keys) do
local ok, err = datastore:delete_all(key)
if not ok then
logger.log(ngx.ERR, "INIT", "Can't delete " .. key .. " from datastore : " .. err)
return false
end
logger.log(ngx.INFO, "INIT", "Deleted " .. key .. " from datastore")
end
-- Load variables into the datastore
local file = io.open("/etc/nginx/variables.env")
if not file then
logger.log(ngx.ERR, "INIT", "Can't open /etc/nginx/variables.env file")
return false
end
file:close()
for line in io.lines("/etc/nginx/variables.env") do
local variable, value = line:match("(.+)=(.*)")
ok, err = datastore:set("variable_" .. variable, value)
if not ok then
logger.log(ngx.ERR, "INIT", "Can't save variable " .. variable .. " into datastore")
return false
end
end
-- Set default values into the datastore
ok, err = datastore:set("plugins", cjson.encode({}))
if not ok then
logger.log(ngx.ERR, "INIT", "Can't set default value for plugins into the datastore : " .. err)
return false
end
ok, err = utils.set_values()
if not ok then
logger.log(ngx.ERR, "INIT", "Error while setting default values : " .. err)
return false
end
-- API setup
local value, err = datastore:get("variable_USE_API")
if not value then
logger.log(ngx.ERR, "INIT", "Can't get variable USE_API from the datastore")
return false
end
if value == "yes" then
value, err = datastore:get("variable_API_WHITELIST_IP")
if not value then
logger.log(ngx.ERR, "INIT", "Can't get variable API_WHITELIST_IP from the datastore")
return false
end
local whitelists = { data = {}}
for whitelist in value:gmatch("%S+") do
table.insert(whitelists.data, whitelist)
end
ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
if not ok then
logger.log(ngx.ERR, "INIT", "Can't save api_whitelist_ip to datastore : " .. err)
return false
end
end
-- Load plugins into the datastore
local plugin_paths = {"/opt/bunkerweb/core", "/opt/bunkerweb/plugins"}
for i, plugin_path in ipairs(plugin_paths) do
local paths = io.popen("find -L " .. plugin_path .. " -maxdepth 1 -type d ! -path " .. plugin_path)
for path in paths:lines() do
plugin, err = plugins:load(path)
if not plugin then
logger.log(ngx.ERR, "INIT", "Error while loading plugin from " .. path .. " : " .. err)
return false
end
logger.log(ngx.NOTICE, "INIT", "Loaded plugin " .. plugin.id .. " v" .. plugin.version)
end
end
-- Call init method of plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "INIT", "Can't list loaded plugins : " .. err)
list = {}
end
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.init ~= nil then
ok, err = plugin_obj:init()
if not ok then
logger.log(ngx.ERR, "INIT", "Plugin " .. plugin.id .. " failed on init() : " .. err)
else
logger.log(ngx.INFO, "INIT", "Successfull init() call for plugin " .. plugin.id .. " : " .. err)
end
else
logger.log(ngx.INFO, "INIT", "init() method not found in " .. plugin.id .. ", skipped execution")
end
else
if plugin_lua:match("not found") then
logger.log(ngx.INFO, "INIT", "can't require " .. plugin.id .. " : not found")
else
logger.log(ngx.ERR, "INIT", "can't require " .. plugin.id .. " : " .. plugin_lua)
end
end
end
logger.log(ngx.NOTICE, "INIT", "Init phase ended")
}


@ -1,44 +0,0 @@
log_by_lua_block {
local utils = require "utils"
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
logger.log(ngx.INFO, "LOG", "Log phase started")
-- List all plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
list = {}
end
-- Call log method of plugins
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.log ~= nil then
logger.log(ngx.INFO, "LOG", "Executing log() of " .. plugin.id)
local ok, err = plugin_obj:log()
if not ok then
logger.log(ngx.ERR, "LOG", "Error while calling log() on plugin " .. plugin.id .. " : " .. err)
else
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log() is : " .. err)
end
else
logger.log(ngx.INFO, "LOG", "log() method not found in " .. plugin.id .. ", skipped execution")
end
end
end
-- Display reason at info level
local reason = utils.get_reason()
if reason then
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
end
logger.log(ngx.INFO, "LOG", "Log phase ended")
}


@ -1,99 +0,0 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}


@ -1,61 +0,0 @@
# /etc/nginx/nginx.conf
# load dynamic modules
load_module /opt/bunkerweb/modules/ngx_http_cookie_flag_filter_module.so;
#load_module /opt/bunkerweb/modules/ngx_http_geoip2_module.so;
load_module /opt/bunkerweb/modules/ngx_http_headers_more_filter_module.so;
load_module /opt/bunkerweb/modules/ngx_http_lua_module.so;
load_module /opt/bunkerweb/modules/ngx_http_modsecurity_module.so;
load_module /opt/bunkerweb/modules/ngx_http_brotli_filter_module.so;
load_module /opt/bunkerweb/modules/ngx_http_brotli_static_module.so;
#load_module /opt/bunkerweb/modules/ngx_stream_geoip2_module.so;
#load_module /opt/bunkerweb/modules/ngx_stream_lua_module.so;
# PID file
pid /opt/bunkerweb/tmp/nginx.pid;
# worker number (default = auto)
worker_processes auto;
# faster regexp
pcre_jit on;
# max open files for each worker
worker_rlimit_nofile 2048;
# error log level
error_log /var/log/nginx/error.log notice;
# reason env var
env REASON;
events {
# max connections per worker
worker_connections 1024;
# epoll seems to be the best on Linux
use epoll;
}
http {
# include base http configuration
include /etc/nginx/http.conf;
# include core and plugins http configurations
include /etc/nginx/http/*.conf;
# include custom http configurations
include /opt/bunkerweb/configs/http/*.conf;
}
#stream {
# include base stream configuration
# include /etc/nginx/stream.conf;
# include core and plugins stream configurations
# include /etc/nginx/stream/*.conf;
# include custom stream configurations
# include /opt/bunkerweb/configs/stream/*.conf;
#}


@ -1,17 +0,0 @@
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;


@ -1,4 +0,0 @@
if ($request_method !~ ^(GET|POST|HEAD)$) {
return 405;
}


@ -1,317 +0,0 @@


@ -1,314 +0,0 @@
error_page 400 @400;
location @400 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 400 : " .. err)
else
ngx.say(html)
end
}
}
error_page 401 @401;
location @401 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 401 : " .. err)
else
ngx.say(html)
end
}
}
error_page 403 @403;
location @403 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 403 : " .. err)
else
ngx.say(html)
end
}
}
error_page 404 @404;
location @404 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 404 : " .. err)
else
ngx.say(html)
end
}
}
error_page 405 =200 @405;
location @405 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 405 : " .. err)
else
ngx.say(html)
end
}
}
error_page 413 @413;
location @413 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 413 : " .. err)
else
ngx.say(html)
end
}
}
error_page 429 @429;
location @429 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 429 : " .. err)
else
ngx.say(html)
end
}
}
error_page 500 @500;
location @500 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 500 : " .. err)
else
ngx.say(html)
end
}
}
error_page 501 @501;
location @501 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 501 : " .. err)
else
ngx.say(html)
end
}
}
error_page 502 @502;
location @502 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 502 : " .. err)
else
ngx.say(html)
end
}
}
error_page 503 @503;
location @503 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 503 : " .. err)
else
ngx.say(html)
end
}
}
error_page 504 @504;
location @504 {
auth_basic off;
internal;
modsecurity off;
default_type 'text/html';
content_by_lua_block {
local logger = require "logger"
local errors = require "errors.errors"
local html, err
if ngx.status == 200 then
html, err = errors.error_html(tostring(405))
else
html, err = errors.error_html(tostring(ngx.status))
end
if not html then
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 504 : " .. err)
else
ngx.say(html)
end
}
}


@ -1,27 +0,0 @@
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -1,5 +0,0 @@
# set location for challenges
location ~ ^/.well-known/acme-challenge/ {
root /opt/bunkerweb/tmp/lets-encrypt;
}


@ -1,5 +0,0 @@
limit_conn v1ips 10;
limit_conn v2ips 100;


@ -1 +0,0 @@
client_max_body_size 10m;


@ -1,84 +0,0 @@
# process rules with disruptive actions
SecRuleEngine On
# allow body checks
SecRequestBodyAccess On
# enable XML parsing
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# enable JSON parsing
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# maximum data size
SecRequestBodyLimit 10485760
SecRequestBodyNoFilesLimit 131072
# reject requests if bigger than max data size
SecRequestBodyLimitAction Reject
# reject if we can't process the body
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# be strict with multipart/form-data body
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# enable response body checks
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# log usefull stuff
SecAuditEngine RelevantOnly
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
# include OWASP CRS configurations
include /opt/bunkerweb/core/modsecurity/files/crs-setup.conf
# custom CRS configurations before loading rules (e.g. exclusions)
# unset REASON env var
SecAction "nolog,phase:1,setenv:REASON=none"
# Auto update allowed methods
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD'"
# include OWASP CRS rules
include /opt/bunkerweb/core/modsecurity/files/coreruleset/rules/*.conf
# custom rules after loading the CRS
include /etc/nginx/modsec/*.conf
# set REASON env var
SecRuleUpdateActionById 949110 "t:none,deny,status:403,setenv:REASON=modsecurity"
SecRuleUpdateActionById 959100 "t:none,deny,status:403,setenv:REASON=modsecurity"


@ -1,3 +0,0 @@
modsecurity on;
modsecurity_rules_file /etc/nginx/server-http/modsecurity-rules.conf.modsec;


@ -1,4 +0,0 @@
open_file_cache max=1000 inactive=20s;
open_file_cache_errors on ;
open_file_cache_min_uses 2;
open_file_cache_valid 30s;


@ -1,8 +0,0 @@
more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';
more_clear_headers 'X-AspNet-Version';
more_clear_headers 'X-AspNetMvc-Version';


@ -1,34 +0,0 @@
set_cookie_flag * HttpOnly SameSite=Lax;
more_set_headers "Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'self';";
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
more_set_headers "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()";
more_set_headers "Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';";
more_set_headers "X-Frame-Options: SAMEORIGIN";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-XSS-Protection: 1; mode=block";


@ -1,3 +0,0 @@
root /opt/bunkerweb/www/;
try_files $uri $uri/ =404;


@ -1 +0,0 @@
set $is_whitelisted '';


@ -1,28 +0,0 @@
server {
# server name (vhost)
server_name www.example.com;
# HTTP listen
listen 0.0.0.0:8080 default_server;
index index.php index.html index.htm;
# custom config
include /opt/bunkerweb/configs/server-http/*.conf;
# reason variable
set $reason '';
# include LUA files
include /etc/nginx/access-lua.conf;
include /etc/nginx/log-lua.conf;
# include config files
include /etc/nginx/server-http/*.conf;
location / {
root /etc/nginx/www/;
try_files $uri /index.html;
}
}


@ -1,47 +0,0 @@
# /etc/nginx/stream.conf
# size of the preread buffer
preread_buffer_size 16k;
# timeout of the preread phase
preread_timeout 30s;
# proxy protocol timeout
proxy_protocol_timeout 30s;
# resolvers to use
resolver 127.0.0.11 ipv6=off;
# resolver timeout
resolver_timeout 30s;
# remove 200ms delay
tcp_nodelay on;
# bucket hash size
variables_hash_bucket_size 64;
variables_hash_max_size 1024;
# log format and level
log_format proxy '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/access.log proxy;
# lua path and dicts
lua_package_path "/opt/bunkerweb/lua/?.lua;/opt/bunkerweb/core/?.lua;/opt/bunkerweb/plugins/?.lua;/opt/bunkerweb/deps/lib/lua/?.lua;;";
lua_package_cpath "/opt/bunkerweb/deps/lib/?.so;/opt/bunkerweb/deps/lib/lua/?.so;;";
lua_ssl_trusted_certificate "/opt/bunkerweb/misc/root-ca.pem";
lua_ssl_verify_depth 2;
lua_shared_dict datastore 256m;
# LUA init block
include /etc/nginx/init-lua.conf;
# default server when MULTISITE=yes
# server config(s)
include /etc/nginx/server.conf;


@ -1,17 +0,0 @@
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;


@ -1,184 +0,0 @@
TEMP_NGINX=yes
NGINX_PREFIX=/etc/nginx/
HTTP_PORT=8080
HTTPS_PORT=8443
MULTISITE=no
SERVER_NAME=www.example.com
WORKER_PROCESSES=auto
WORKER_RLIMIT_NOFILE=2048
WORKER_CONNECTIONS=1024
LOG_FORMAT=$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_LEVEL=notice
DNS_RESOLVERS=127.0.0.11
DATASTORE_MEMORY_SIZE=256m
USE_API=yes
API_HTTP_PORT=5000
API_SERVER_NAME=bwapi
API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
AUTOCONF_MODE=no
SWARM_MODE=no
KUBERNETES_MODE=no
USE_BROTLI=no
BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
BROTLI_MIN_LENGTH=1000
BROTLI_COMP_LEVEL=6
USE_CUSTOM_HTTPS=no
CUSTOM_HTTPS_CERT=
CUSTOM_HTTPS_KEY=
USE_AUTH_BASIC=no
AUTH_BASIC_LOCATION=sitewide
AUTH_BASIC_USER=changeme
AUTH_BASIC_PASSWORD=changeme
AUTH_BASIC_TEXT=Restricted area
DATABASE_URI=sqlite:////data/db.sqlite3
ERRORS=
REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version
STRICT_TRANSPORT_SECURITY=max-age=31536000
COOKIE_FLAGS=* HttpOnly SameSite=Lax
COOKIE_AUTO_SECURE_FLAG=yes
CONTENT_SECURITY_POLICY=object-src 'none'; form-action 'self'; frame-ancestors 'self';
REFERRER_POLICY=strict-origin-when-cross-origin
PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()
FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';
X_FRAME_OPTIONS=SAMEORIGIN
X_CONTENT_TYPE_OPTIONS=nosniff
X_XSS_PROTECTION=1; mode=block
USE_MODSECURITY=yes
USE_MODSECURITY_CRS=yes
MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly
MODSECURITY_SEC_RULE_ENGINE=On
MODSECURITY_SEC_AUDIT_LOG_PARTS=ABCFHZ
USE_REVERSE_PROXY=no
REVERSE_PROXY_INTERCEPT_ERRORS=yes
USE_PROXY_CACHE=no
PROXY_CACHE_PATH_LEVELS=1:2
PROXY_CACHE_PATH_ZONE_SIZE=10m
PROXY_CACHE_PATH_PARAMS=max_size=100m
PROXY_CACHE_METHODS=GET HEAD
PROXY_CACHE_MIN_USES=2
PROXY_CACHE_KEY=$scheme$host$request_uri
PROXY_CACHE_VALID=200=24h 301=1h 302=24h
PROXY_NO_CACHE=$http_pragma $http_authorization
PROXY_CACHE_BYPASS=0
DISABLE_DEFAULT_SERVER=no
REDIRECT_HTTP_TO_HTTPS=no
AUTO_REDIRECT_HTTP_TO_HTTPS=yes
ALLOWED_METHODS=GET|POST|HEAD
MAX_CLIENT_SIZE=10m
SERVE_FILES=yes
ROOT_FOLDER=
HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
HTTP2=yes
LISTEN_HTTP=yes
USE_OPEN_FILE_CACHE=no
OPEN_FILE_CACHE=max=1000 inactive=20s
OPEN_FILE_CACHE_ERRORS=yes
OPEN_FILE_CACHE_MIN_USES=2
OPEN_FILE_CACHE_VALID=30s
EXTERNAL_PLUGIN_URLS=
DENY_HTTP_STATUS=403
USE_BAD_BEHAVIOR=yes
BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
BAD_BEHAVIOR_BAN_TIME=86400
BAD_BEHAVIOR_THRESHOLD=10
BAD_BEHAVIOR_COUNT_TIME=60
AUTO_LETS_ENCRYPT=no
EMAIL_LETS_ENCRYPT=
USE_LETS_ENCRYPT_STAGING=no
GENERATE_SELF_SIGNED_SSL=no
SELF_SIGNED_SSL_EXPIRY=365
SELF_SIGNED_SSL_SUBJ=/CN=www.example.com/
REMOTE_PHP=
REMOTE_PHP_PATH=
LOCAL_PHP=
LOCAL_PHP_PATH=
REDIRECT_TO=
REDIRECT_TO_REQUEST_URI=no
USE_CLIENT_CACHE=no
CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
CLIENT_CACHE_ETAG=yes
CLIENT_CACHE_CONTROL=public, max-age=15552000
USE_REAL_IP=no
USE_PROXY_PROTOCOL=no
REAL_IP_FROM=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
REAL_IP_FROM_URLS=
REAL_IP_HEADER=X-Forwarded-For
REAL_IP_RECURSIVE=yes
USE_GZIP=no
GZIP_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
GZIP_MIN_LENGTH=1000
GZIP_COMP_LEVEL=5
INJECT_BODY=
USE_CORS=no
CORS_ALLOW_ORIGIN=*
CORS_EXPOSE_HEADERS=Content-Length,Content-Range
CORS_MAX_AGE=86400
CORS_ALLOW_CREDENTIALS=no
CORS_ALLOW_METHODS=GET, POST, OPTIONS
CORS_ALLOW_HEADERS=DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
USE_UI=no
USE_DNSBL=yes
DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
USE_ANTIBOT=no
ANTIBOT_URI=/challenge
ANTIBOT_SESSION_SECRET=random
ANTIBOT_SESSION_NAME=random
ANTIBOT_RECAPTCHA_SCORE=0.7
ANTIBOT_RECAPTCHA_SITEKEY=
ANTIBOT_RECAPTCHA_SECRET=
ANTIBOT_HCAPTCHA_SITEKEY=
ANTIBOT_HCAPTCHA_SECRET=
USE_WHITELIST=yes
WHITELIST_IP_URLS=
WHITELIST_IP=20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8
WHITELIST_RDNS=.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com
WHITELIST_RDNS_URLS=
WHITELIST_RDNS_GLOBAL=yes
WHITELIST_ASN=32934
WHITELIST_ASN_URLS=
WHITELIST_USER_AGENT=
WHITELIST_USER_AGENT_URLS=
WHITELIST_URI=
WHITELIST_URI_URLS=
USE_BLACKLIST=yes
BLACKLIST_IP_URLS=https://www.dan.me.uk/torlist/?exit
BLACKLIST_IP=
BLACKLIST_RDNS=.shodan.io .censys.io
BLACKLIST_RDNS_URLS=
BLACKLIST_RDNS_GLOBAL=yes
BLACKLIST_ASN=
BLACKLIST_ASN_URLS=
BLACKLIST_USER_AGENT=
BLACKLIST_USER_AGENT_URLS=https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list
BLACKLIST_URI=
BLACKLIST_URI_URLS=
BLACKLIST_IGNORE_IP_URLS=
BLACKLIST_IGNORE_IP=
BLACKLIST_IGNORE_RDNS=
BLACKLIST_IGNORE_RDNS_URLS=
BLACKLIST_IGNORE_ASN=
BLACKLIST_IGNORE_ASN_URLS=
BLACKLIST_IGNORE_USER_AGENT=
BLACKLIST_IGNORE_USER_AGENT_URLS=
BLACKLIST_IGNORE_URI=
BLACKLIST_IGNORE_URI_URLS=
USE_GREYLIST=no
GREYLIST_IP_URLS=
GREYLIST_IP=
GREYLIST_RDNS=
GREYLIST_RDNS_URLS=
GREYLIST_RDNS_GLOBAL=yes
GREYLIST_ASN=
GREYLIST_ASN_URLS=
GREYLIST_USER_AGENT=
GREYLIST_USER_AGENT_URLS=
GREYLIST_URI=
GREYLIST_URI_URLS=
USE_LIMIT_REQ=yes
USE_LIMIT_CONN=yes
LIMIT_CONN_MAX_HTTP1=10
LIMIT_CONN_MAX_HTTP2=100
BLACKLIST_COUNTRY=
WHITELIST_COUNTRY=
USE_BUNKERNET=yes
BUNKERNET_SERVER=https://api.bunkerweb.io