temp nginx is dead, long live to the IS_LOADING setting
parent
0bf402fd7a
commit
fe774e0009
|
@ -33,7 +33,11 @@ COPY bw/cli /opt/bunkerweb/cli
|
|||
COPY bw/helpers /opt/bunkerweb/helpers
|
||||
COPY bw/lua /opt/bunkerweb/lua
|
||||
COPY bw/misc /opt/bunkerweb/misc
|
||||
COPY bw/temp_nginx /etc/nginx
|
||||
COPY bw/gen /opt/bunkerweb/gen
|
||||
COPY bw/settings.json /opt/bunkerweb/settings.json
|
||||
COPY db /opt/bunkerweb/db
|
||||
COPY bw/confs /opt/bunkerweb/confs
|
||||
COPY bw/loading /opt/bunkerweb/loading
|
||||
COPY utils /opt/bunkerweb/utils
|
||||
COPY VERSION /opt/bunkerweb/VERSION
|
||||
|
||||
|
|
|
@ -10,6 +10,12 @@ server {
|
|||
listen 0.0.0.0:{{ HTTP_PORT }} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if IS_LOADING == "yes" +%}
|
||||
root /opt/bunkerweb/loading;
|
||||
index index.html;
|
||||
{% endif %}
|
||||
|
||||
# include core and plugins default-server configurations
|
||||
include /etc/nginx/default-server-http/*.conf;
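Review bot: The new `IS_LOADING` block sets `root /opt/bunkerweb/loading;` and `index index.html;` at server level with no comment and no `location` limiting what is served, so every file under that directory is reachable on the default server while the flag is set. A one-line comment above the block, for example `# static loading page served while the real configuration is being generated`, would document the intent. The Dockerfile change copies `bw/loading` wholesale, so that directory should hold only assets meant to be public. The server block starts and ends outside this hunk, so whether an included `default-server-http/*.conf` overrides this root cannot be seen here.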
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@ include /etc/nginx/init-lua.conf;
|
|||
include /etc/nginx/healthcheck.conf;
|
||||
|
||||
# default server
|
||||
{% if MULTISITE == "yes" or DISABLE_DEFAULT_SERVER == "yes" or TEMP_NGINX == "yes" +%}
|
||||
{% if MULTISITE == "yes" or DISABLE_DEFAULT_SERVER == "yes" or IS_LOADING == "yes" +%}
|
||||
include /etc/nginx/default-server-http.conf;
|
||||
{% endif +%}
|
||||
|
||||
|
@ -64,7 +64,6 @@ include /etc/nginx/default-server-http.conf;
|
|||
server_tokens off;
|
||||
|
||||
# server config(s)
|
||||
{% if TEMP_NGINX != "yes" +%}
|
||||
{% if MULTISITE == "yes" and SERVER_NAME != "" %}
|
||||
{% set map_servers = {} %}
|
||||
{% for server_name in SERVER_NAME.split(" ") %}
|
||||
|
@ -91,4 +90,3 @@ include /etc/nginx/{{ first_server }}/server.conf;
|
|||
{% elif MULTISITE == "no" and SERVER_NAME != "" +%}
|
||||
include /etc/nginx/server.conf;
|
||||
{% endif %}
|
||||
{% endif %}
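Review bot: With the `{% if TEMP_NGINX != "yes" +%}` wrapper removed from the server config(s) section, nothing in this template ties that section to the loading state any more; it is skipped only because the entrypoint writes an empty `SERVER_NAME` next to `IS_LOADING=yes`. If `IS_LOADING` were ever set together with a non-empty `SERVER_NAME`, the loading default server and the real `server.conf` includes would both be rendered. A comment above `# server config(s)` such as `# loading mode relies on SERVER_NAME being empty` would record that dependency, or the two branches could state it explicitly by adding `and IS_LOADING != "yes"` to their conditions.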
|
|
@ -12,11 +12,7 @@ load_module /opt/bunkerweb/modules/ngx_http_brotli_static_module.so;
|
|||
#load_module /opt/bunkerweb/modules/ngx_stream_lua_module.so;
|
||||
|
||||
# PID file
|
||||
{% if TEMP_NGINX != "yes" +%}
|
||||
pid /opt/bunkerweb/tmp/nginx.pid;
|
||||
{% else +%}
|
||||
pid /opt/bunkerweb/tmp/nginx-temp.pid;
|
||||
{% endif %}
|
||||
|
||||
# worker number (default = auto)
|
||||
worker_processes {{ WORKER_PROCESSES }};
|
||||
|
|
|
@ -32,6 +32,10 @@ function trap_reload() {
|
|||
}
|
||||
trap "trap_reload" HUP
|
||||
|
||||
# generate "temp" config
|
||||
echo -e "IS_LOADING=yes\nSERVER_NAME=\nAPI_HTTP_PORT=${API_HTTP_PORT:-5000}\nAPI_SERVER_NAME=${API_SERVER_NAME:-bwapi}\nAPI_WHITELIST_IP=${API_WHITELIST_IP:-127.0.0.0/8}" > /tmp/variables.env
|
||||
python3 /opt/bunkerweb/gen/main.py --variables /tmp/variables.env
|
||||
|
||||
# start nginx
|
||||
log "ENTRYPOINT" "ℹ️" "Starting nginx ..."
|
||||
nginx -g "daemon off;" &
|
||||
|
@ -44,4 +48,4 @@ while [ -f "/opt/bunkerweb/tmp/nginx.pid" ] ; do
|
|||
done
|
||||
|
||||
log "ENTRYPOINT" "ℹ️" "BunkerWeb stopped"
|
||||
exit 0
|
||||
exit 0
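Review bot: The added `echo -e "IS_LOADING=yes\n...${API_WHITELIST_IP:-127.0.0.0/8}" > /tmp/variables.env` line expands backslash escapes inside the interpolated `API_HTTP_PORT`, `API_SERVER_NAME` and `API_WHITELIST_IP` values too, so a value containing `\n` would add extra setting lines to the file the generator reads. Writing it as `printf 'IS_LOADING=yes\nSERVER_NAME=\nAPI_HTTP_PORT=%s\nAPI_SERVER_NAME=%s\nAPI_WHITELIST_IP=%s\n' "${API_HTTP_PORT:-5000}" "${API_SERVER_NAME:-bwapi}" "${API_WHITELIST_IP:-127.0.0.0/8}" > /tmp/variables.env` keeps the values literal. The exit status of `python3 /opt/bunkerweb/gen/main.py --variables /tmp/variables.env` is also not checked before `nginx -g "daemon off;" &`; unless the script enables `set -e` outside this hunk, a failed generation would still start nginx, so appending `|| exit 1` to that line is worth considering. The top of the script is outside the hunk.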
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
{
|
||||
"TEMP_NGINX": {
|
||||
"IS_LOADING": {
|
||||
"context": "global",
|
||||
"default": "no",
|
||||
"help": "internal-use",
|
||||
"help": "Internal use : set to yes when BW is loading.",
|
||||
"id": "internal-use",
|
||||
"regex": ".*",
|
||||
"type": "text"
|
||||
"label": "internal use",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "check"
|
||||
},
|
||||
"NGINX_PREFIX": {
|
||||
"context": "global",
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
access_by_lua_block {
|
||||
|
||||
local logger = require "logger"
|
||||
local datastore = require "datastore"
|
||||
local plugins = require "plugins"
|
||||
local utils = require "utils"
|
||||
|
||||
-- Don't process internal requests
|
||||
if ngx.req.is_internal() then
|
||||
logger.log(ngx.INFO, "ACCESS", "Skipped access phase because request is internal")
|
||||
return
|
||||
end
|
||||
|
||||
logger.log(ngx.INFO, "ACCESS", "Access phase started")
|
||||
|
||||
-- Process bans as soon as possible
|
||||
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
|
||||
if banned then
|
||||
logger.log(ngx.WARN, "ACCESS", "IP " .. ngx.var.remote_addr .. " is banned with reason : " .. banned)
|
||||
ngx.exit(utils.get_deny_status())
|
||||
end
|
||||
|
||||
-- List all plugins
|
||||
local list, err = plugins:list()
|
||||
if not list then
|
||||
logger.log(ngx.ERR, "ACCESS", "Can't list loaded plugins : " .. err)
|
||||
list = {}
|
||||
end
|
||||
|
||||
-- Call access method of plugins
|
||||
for i, plugin in ipairs(list) do
|
||||
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
|
||||
if ret then
|
||||
local plugin_obj = plugin_lua.new()
|
||||
if plugin_obj.access ~= nil then
|
||||
logger.log(ngx.INFO, "ACCESS", "Executing access() of " .. plugin.id)
|
||||
local ok, err, ret, value = plugin_obj:access()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "ACCESS", "Error while calling access() on plugin " .. plugin.id .. " : " .. err)
|
||||
else
|
||||
logger.log(ngx.INFO, "ACCESS", "Return value from " .. plugin.id .. ".access() is : " .. err)
|
||||
end
|
||||
if ret then
|
||||
if type(value) == "number" then
|
||||
if value == utils.get_deny_status() then
|
||||
logger.log(ngx.WARN, "ACCESS", "Denied access from " .. plugin.id .. " : " .. err)
|
||||
ngx.var.reason = plugin.id
|
||||
else
|
||||
logger.log(ngx.NOTICE, "ACCESS", plugin.id .. " returned status " .. tostring(value) .. " : " .. err)
|
||||
end
|
||||
return ngx.exit(value)
|
||||
else
|
||||
return value
|
||||
end
|
||||
end
|
||||
else
|
||||
logger.log(ngx.INFO, "ACCESS", "access() method not found in " .. plugin.id .. ", skipped execution")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
logger.log(ngx.INFO, "ACCESS", "Access phase ended")
|
||||
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
server {
|
||||
server_name bwapi;
|
||||
|
||||
# HTTP listen
|
||||
listen 0.0.0.0:5000;
|
||||
listen 127.0.0.1:5000;
|
||||
|
||||
# maximum body size for API
|
||||
client_max_body_size 1G;
|
||||
|
||||
# default mime type is JSON
|
||||
default_type 'application/json';
|
||||
|
||||
# check IP and do the API call
|
||||
access_by_lua_block {
|
||||
local api = require "api"
|
||||
local logger = require "logger"
|
||||
if not ngx.var.http_host or ngx.var.http_host ~= "bwapi" then
|
||||
logger.log(ngx.WARN, "API", "Wrong Host header from IP " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_CLOSE)
|
||||
end
|
||||
local ok, err = api:is_allowed_ip()
|
||||
if not ok then
|
||||
logger.log(ngx.WARN, "API", "Can't validate access from IP " .. ngx.var.remote_addr .. " : " .. err)
|
||||
return ngx.exit(ngx.HTTP_CLOSE)
|
||||
end
|
||||
logger.log(ngx.NOTICE, "API", "Validated access from IP " .. ngx.var.remote_addr)
|
||||
local ok, err, status, resp = api:do_api_call()
|
||||
if not ok then
|
||||
logger.log(ngx.WARN, "API", "Call from " .. ngx.var.remote_addr .. " on " .. ngx.var.uri .. " failed : " .. err)
|
||||
else
|
||||
logger.log(ngx.NOTICE, "API", "Successful call from " .. ngx.var.remote_addr .. " on " .. ngx.var.uri .. " : " .. err)
|
||||
end
|
||||
ngx.status = status
|
||||
ngx.say(resp)
|
||||
return ngx.exit(status)
|
||||
}
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
server {
|
||||
|
||||
# reason variable
|
||||
set $reason '';
|
||||
|
||||
server_name _;
|
||||
|
||||
# HTTP listen
|
||||
|
||||
listen 0.0.0.0:8080 default_server ;
|
||||
|
||||
# include core and plugins default-server configurations
|
||||
include /etc/nginx/default-server-http/*.conf;
|
||||
|
||||
# include custom default-server configurations
|
||||
include /opt/bunkerweb/configs/default-server-http/*.conf;
|
||||
|
||||
log_by_lua_block {
|
||||
|
||||
local utils = require "utils"
|
||||
local logger = require "logger"
|
||||
local datastore = require "datastore"
|
||||
local plugins = require "plugins"
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase started")
|
||||
|
||||
-- List all plugins
|
||||
local list, err = plugins:list()
|
||||
if not list then
|
||||
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
|
||||
list = {}
|
||||
end
|
||||
|
||||
-- Call log_default method of plugins
|
||||
for i, plugin in ipairs(list) do
|
||||
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
|
||||
if ret then
|
||||
local plugin_obj = plugin_lua.new()
|
||||
if plugin_obj.log_default ~= nil then
|
||||
logger.log(ngx.INFO, "LOG", "Executing log_default() of " .. plugin.id)
|
||||
local ok, err = plugin_obj:log_default()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "LOG", "Error while calling log_default() on plugin " .. plugin.id .. " : " .. err)
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log_default() is : " .. err)
|
||||
end
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "log_default() method not found in " .. plugin.id .. ", skipped execution")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Display reason at info level
|
||||
local reason = utils.get_reason()
|
||||
if reason then
|
||||
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
|
||||
end
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase ended")
|
||||
|
||||
}
|
||||
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
# set location for challenges
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /opt/bunkerweb/tmp/lets-encrypt;
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
set $is_whitelisted '';
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,25 +0,0 @@
|
|||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -1,25 +0,0 @@
|
|||
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -1,25 +0,0 @@
|
|||
server {
|
||||
|
||||
# healthcheck service for docker, swarm and k8s
|
||||
server_name healthcheck.bunkerweb.io;
|
||||
|
||||
# only listen on localhost
|
||||
listen 127.0.0.1:6000;
|
||||
|
||||
# healthcheck endpoint
|
||||
location ~ ^/healthz$ {
|
||||
keepalive_timeout 0;
|
||||
default_type "text/plain";
|
||||
content_by_lua_block {
|
||||
ngx.say("ok")
|
||||
}
|
||||
}
|
||||
|
||||
# disable logging
|
||||
access_log off;
|
||||
|
||||
# don't respond to other requests
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
}
|
|
@ -1,67 +0,0 @@
|
|||
# /etc/nginx/base_http.conf
|
||||
|
||||
# zero copy within the kernel
|
||||
sendfile on;
|
||||
|
||||
# send packets only if filled
|
||||
tcp_nopush on;
|
||||
|
||||
# remove 200ms delay
|
||||
tcp_nodelay on;
|
||||
|
||||
# load mime types and set default one
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# access log format
|
||||
log_format logf '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
|
||||
access_log /var/log/nginx/access.log logf;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /opt/bunkerweb/tmp/proxy_temp;
|
||||
client_body_temp_path /opt/bunkerweb/tmp/client_temp;
|
||||
fastcgi_temp_path /opt/bunkerweb/tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /opt/bunkerweb/tmp/uwsgi_temp;
|
||||
scgi_temp_path /opt/bunkerweb/tmp/scgi_temp;
|
||||
|
||||
# close connections in FIN_WAIT1 state
|
||||
reset_timedout_connection on;
|
||||
|
||||
# timeouts
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
# resolvers to use
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
# remove ports when sending redirects
|
||||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/opt/bunkerweb/lua/?.lua;/opt/bunkerweb/core/?.lua;/opt/bunkerweb/plugins/?.lua;/opt/bunkerweb/deps/lib/lua/?.lua;;";
|
||||
lua_package_cpath "/opt/bunkerweb/deps/lib/?.so;/opt/bunkerweb/deps/lib/lua/?.so;;";
|
||||
lua_ssl_trusted_certificate "/opt/bunkerweb/misc/root-ca.pem";
|
||||
lua_ssl_verify_depth 2;
|
||||
lua_shared_dict datastore 256m;
|
||||
|
||||
# LUA init block
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# API server
|
||||
include /etc/nginx/api.conf;
|
||||
|
||||
# healthcheck server
|
||||
include /etc/nginx/healthcheck.conf;
|
||||
|
||||
# default server
|
||||
|
||||
|
||||
# disable sending nginx version globally
|
||||
server_tokens off;
|
||||
|
||||
# server config(s)
|
||||
|
||||
|
||||
include /etc/nginx/server.conf;
|
|
@ -1,9 +0,0 @@
|
|||
map "random" $session_secret {
|
||||
default "random";
|
||||
"random" "C5rVWIkDAQrYckTEHCMfcdFaEN9kz7oG";
|
||||
}
|
||||
|
||||
map "random" $session_name {
|
||||
default "random";
|
||||
"random" "045T9173ACZquAQh";
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
map $uri $cache_control {
|
||||
default "";
|
||||
"~\.(jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2)$" "public, max-age=15552000";
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
map $scheme $header_cookie_secure {
|
||||
default "";
|
||||
"https" "secure";
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
|
||||
|
||||
map $http2 $v1ip {
|
||||
default "";
|
||||
"" $binary_remote_addr;
|
||||
}
|
||||
|
||||
map $http2 $v2ip {
|
||||
default $binary_remote_addr;
|
||||
"" "";
|
||||
}
|
||||
|
||||
limit_conn_zone $v1ip zone=v1ips:10m;
|
||||
limit_conn_zone $v2ip zone=v2ips:10m;
|
||||
|
||||
limit_conn_log_level warn;
|
||||
|
||||
limit_conn_status 429;
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
|
@ -1,118 +0,0 @@
|
|||
init_by_lua_block {
|
||||
|
||||
local logger = require "logger"
|
||||
local datastore = require "datastore"
|
||||
local plugins = require "plugins"
|
||||
local utils = require "utils"
|
||||
local cjson = require "cjson"
|
||||
|
||||
logger.log(ngx.NOTICE, "INIT", "Init phase started")
|
||||
|
||||
-- Remove previous data from the datastore
|
||||
local data_keys = {"^plugin_", "^variable_", "^plugins$", "^api_", "^misc_"}
|
||||
for i, key in pairs(data_keys) do
|
||||
local ok, err = datastore:delete_all(key)
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Can't delete " .. key .. " from datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
logger.log(ngx.INFO, "INIT", "Deleted " .. key .. " from datastore")
|
||||
end
|
||||
|
||||
-- Load variables into the datastore
|
||||
local file = io.open("/etc/nginx/variables.env")
|
||||
if not file then
|
||||
logger.log(ngx.ERR, "INIT", "Can't open /etc/nginx/variables.env file")
|
||||
return false
|
||||
end
|
||||
file:close()
|
||||
for line in io.lines("/etc/nginx/variables.env") do
|
||||
local variable, value = line:match("(.+)=(.*)")
|
||||
ok, err = datastore:set("variable_" .. variable, value)
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Can't save variable " .. variable .. " into datastore")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
-- Set default values into the datastore
|
||||
ok, err = datastore:set("plugins", cjson.encode({}))
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Can't set default value for plugins into the datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
ok, err = utils.set_values()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Error while setting default values : " .. err)
|
||||
return false
|
||||
end
|
||||
|
||||
-- API setup
|
||||
local value, err = datastore:get("variable_USE_API")
|
||||
if not value then
|
||||
logger.log(ngx.ERR, "INIT", "Can't get variable USE_API from the datastore")
|
||||
return false
|
||||
end
|
||||
if value == "yes" then
|
||||
value, err = datastore:get("variable_API_WHITELIST_IP")
|
||||
if not value then
|
||||
logger.log(ngx.ERR, "INIT", "Can't get variable API_WHITELIST_IP from the datastore")
|
||||
return false
|
||||
end
|
||||
local whitelists = { data = {}}
|
||||
for whitelist in value:gmatch("%S+") do
|
||||
table.insert(whitelists.data, whitelist)
|
||||
end
|
||||
ok, err = datastore:set("api_whitelist_ip", cjson.encode(whitelists))
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Can't save api_whitelist_ip to datastore : " .. err)
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
-- Load plugins into the datastore
|
||||
local plugin_paths = {"/opt/bunkerweb/core", "/opt/bunkerweb/plugins"}
|
||||
for i, plugin_path in ipairs(plugin_paths) do
|
||||
local paths = io.popen("find -L " .. plugin_path .. " -maxdepth 1 -type d ! -path " .. plugin_path)
|
||||
for path in paths:lines() do
|
||||
plugin, err = plugins:load(path)
|
||||
if not plugin then
|
||||
logger.log(ngx.ERR, "INIT", "Error while loading plugin from " .. path .. " : " .. err)
|
||||
return false
|
||||
end
|
||||
logger.log(ngx.NOTICE, "INIT", "Loaded plugin " .. plugin.id .. " v" .. plugin.version)
|
||||
end
|
||||
end
|
||||
|
||||
-- Call init method of plugins
|
||||
local list, err = plugins:list()
|
||||
if not list then
|
||||
logger.log(ngx.ERR, "INIT", "Can't list loaded plugins : " .. err)
|
||||
list = {}
|
||||
end
|
||||
for i, plugin in ipairs(list) do
|
||||
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
|
||||
if ret then
|
||||
local plugin_obj = plugin_lua.new()
|
||||
if plugin_obj.init ~= nil then
|
||||
ok, err = plugin_obj:init()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "INIT", "Plugin " .. plugin.id .. " failed on init() : " .. err)
|
||||
else
|
||||
logger.log(ngx.INFO, "INIT", "Successfull init() call for plugin " .. plugin.id .. " : " .. err)
|
||||
end
|
||||
else
|
||||
logger.log(ngx.INFO, "INIT", "init() method not found in " .. plugin.id .. ", skipped execution")
|
||||
end
|
||||
else
|
||||
if plugin_lua:match("not found") then
|
||||
logger.log(ngx.INFO, "INIT", "can't require " .. plugin.id .. " : not found")
|
||||
else
|
||||
logger.log(ngx.ERR, "INIT", "can't require " .. plugin.id .. " : " .. plugin_lua)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
logger.log(ngx.NOTICE, "INIT", "Init phase ended")
|
||||
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
log_by_lua_block {
|
||||
|
||||
local utils = require "utils"
|
||||
local logger = require "logger"
|
||||
local datastore = require "datastore"
|
||||
local plugins = require "plugins"
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase started")
|
||||
|
||||
-- List all plugins
|
||||
local list, err = plugins:list()
|
||||
if not list then
|
||||
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
|
||||
list = {}
|
||||
end
|
||||
|
||||
-- Call log method of plugins
|
||||
for i, plugin in ipairs(list) do
|
||||
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
|
||||
if ret then
|
||||
local plugin_obj = plugin_lua.new()
|
||||
if plugin_obj.log ~= nil then
|
||||
logger.log(ngx.INFO, "LOG", "Executing log() of " .. plugin.id)
|
||||
local ok, err = plugin_obj:log()
|
||||
if not ok then
|
||||
logger.log(ngx.ERR, "LOG", "Error while calling log() on plugin " .. plugin.id .. " : " .. err)
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log() is : " .. err)
|
||||
end
|
||||
else
|
||||
logger.log(ngx.INFO, "LOG", "log() method not found in " .. plugin.id .. ", skipped execution")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Display reason at info level
|
||||
local reason = utils.get_reason()
|
||||
if reason then
|
||||
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
|
||||
end
|
||||
|
||||
logger.log(ngx.INFO, "LOG", "Log phase ended")
|
||||
|
||||
}
|
|
@ -1,99 +0,0 @@
|
|||
|
||||
types {
|
||||
text/html html htm shtml;
|
||||
text/css css;
|
||||
text/xml xml;
|
||||
image/gif gif;
|
||||
image/jpeg jpeg jpg;
|
||||
application/javascript js;
|
||||
application/atom+xml atom;
|
||||
application/rss+xml rss;
|
||||
|
||||
text/mathml mml;
|
||||
text/plain txt;
|
||||
text/vnd.sun.j2me.app-descriptor jad;
|
||||
text/vnd.wap.wml wml;
|
||||
text/x-component htc;
|
||||
|
||||
image/avif avif;
|
||||
image/png png;
|
||||
image/svg+xml svg svgz;
|
||||
image/tiff tif tiff;
|
||||
image/vnd.wap.wbmp wbmp;
|
||||
image/webp webp;
|
||||
image/x-icon ico;
|
||||
image/x-jng jng;
|
||||
image/x-ms-bmp bmp;
|
||||
|
||||
font/woff woff;
|
||||
font/woff2 woff2;
|
||||
|
||||
application/java-archive jar war ear;
|
||||
application/json json;
|
||||
application/mac-binhex40 hqx;
|
||||
application/msword doc;
|
||||
application/pdf pdf;
|
||||
application/postscript ps eps ai;
|
||||
application/rtf rtf;
|
||||
application/vnd.apple.mpegurl m3u8;
|
||||
application/vnd.google-earth.kml+xml kml;
|
||||
application/vnd.google-earth.kmz kmz;
|
||||
application/vnd.ms-excel xls;
|
||||
application/vnd.ms-fontobject eot;
|
||||
application/vnd.ms-powerpoint ppt;
|
||||
application/vnd.oasis.opendocument.graphics odg;
|
||||
application/vnd.oasis.opendocument.presentation odp;
|
||||
application/vnd.oasis.opendocument.spreadsheet ods;
|
||||
application/vnd.oasis.opendocument.text odt;
|
||||
application/vnd.openxmlformats-officedocument.presentationml.presentation
|
||||
pptx;
|
||||
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
|
||||
xlsx;
|
||||
application/vnd.openxmlformats-officedocument.wordprocessingml.document
|
||||
docx;
|
||||
application/vnd.wap.wmlc wmlc;
|
||||
application/wasm wasm;
|
||||
application/x-7z-compressed 7z;
|
||||
application/x-cocoa cco;
|
||||
application/x-java-archive-diff jardiff;
|
||||
application/x-java-jnlp-file jnlp;
|
||||
application/x-makeself run;
|
||||
application/x-perl pl pm;
|
||||
application/x-pilot prc pdb;
|
||||
application/x-rar-compressed rar;
|
||||
application/x-redhat-package-manager rpm;
|
||||
application/x-sea sea;
|
||||
application/x-shockwave-flash swf;
|
||||
application/x-stuffit sit;
|
||||
application/x-tcl tcl tk;
|
||||
application/x-x509-ca-cert der pem crt;
|
||||
application/x-xpinstall xpi;
|
||||
application/xhtml+xml xhtml;
|
||||
application/xspf+xml xspf;
|
||||
application/zip zip;
|
||||
|
||||
application/octet-stream bin exe dll;
|
||||
application/octet-stream deb;
|
||||
application/octet-stream dmg;
|
||||
application/octet-stream iso img;
|
||||
application/octet-stream msi msp msm;
|
||||
|
||||
audio/midi mid midi kar;
|
||||
audio/mpeg mp3;
|
||||
audio/ogg ogg;
|
||||
audio/x-m4a m4a;
|
||||
audio/x-realaudio ra;
|
||||
|
||||
video/3gpp 3gpp 3gp;
|
||||
video/mp2t ts;
|
||||
video/mp4 mp4;
|
||||
video/mpeg mpeg mpg;
|
||||
video/quicktime mov;
|
||||
video/webm webm;
|
||||
video/x-flv flv;
|
||||
video/x-m4v m4v;
|
||||
video/x-mng mng;
|
||||
video/x-ms-asf asx asf;
|
||||
video/x-ms-wmv wmv;
|
||||
video/x-msvideo avi;
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
# /etc/nginx/nginx.conf
|
||||
|
||||
# load dynamic modules
|
||||
load_module /opt/bunkerweb/modules/ngx_http_cookie_flag_filter_module.so;
|
||||
#load_module /opt/bunkerweb/modules/ngx_http_geoip2_module.so;
|
||||
load_module /opt/bunkerweb/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /opt/bunkerweb/modules/ngx_http_lua_module.so;
|
||||
load_module /opt/bunkerweb/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /opt/bunkerweb/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /opt/bunkerweb/modules/ngx_http_brotli_static_module.so;
|
||||
#load_module /opt/bunkerweb/modules/ngx_stream_geoip2_module.so;
|
||||
#load_module /opt/bunkerweb/modules/ngx_stream_lua_module.so;
|
||||
|
||||
# PID file
|
||||
|
||||
pid /opt/bunkerweb/tmp/nginx.pid;
|
||||
|
||||
# worker number (default = auto)
|
||||
worker_processes auto;
|
||||
|
||||
# faster regexp
|
||||
pcre_jit on;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile 2048;
|
||||
|
||||
# error log level
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
|
||||
# reason env var
|
||||
env REASON;
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections 1024;
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
# include base http configuration
|
||||
include /etc/nginx/http.conf;
|
||||
|
||||
# include core and plugins http configurations
|
||||
include /etc/nginx/http/*.conf;
|
||||
|
||||
# include custom http configurations
|
||||
include /opt/bunkerweb/configs/http/*.conf;
|
||||
}
|
||||
|
||||
#stream {
|
||||
# include base stream configuration
|
||||
# include /etc/nginx/stream.conf;
|
||||
|
||||
# include core and plugins stream configurations
|
||||
# include /etc/nginx/stream/*.conf;
|
||||
|
||||
# include custom stream configurations
|
||||
# include /opt/bunkerweb/configs/stream/*.conf;
|
||||
#}
|
|
@ -1,17 +0,0 @@
|
|||
|
||||
scgi_param REQUEST_METHOD $request_method;
|
||||
scgi_param REQUEST_URI $request_uri;
|
||||
scgi_param QUERY_STRING $query_string;
|
||||
scgi_param CONTENT_TYPE $content_type;
|
||||
|
||||
scgi_param DOCUMENT_URI $document_uri;
|
||||
scgi_param DOCUMENT_ROOT $document_root;
|
||||
scgi_param SCGI 1;
|
||||
scgi_param SERVER_PROTOCOL $server_protocol;
|
||||
scgi_param REQUEST_SCHEME $scheme;
|
||||
scgi_param HTTPS $https if_not_empty;
|
||||
|
||||
scgi_param REMOTE_ADDR $remote_addr;
|
||||
scgi_param REMOTE_PORT $remote_port;
|
||||
scgi_param SERVER_PORT $server_port;
|
||||
scgi_param SERVER_NAME $server_name;
|
|
@ -1,4 +0,0 @@
|
|||
|
||||
if ($request_method !~ ^(GET|POST|HEAD)$) {
|
||||
return 405;
|
||||
}
|
|
@ -1,317 +0,0 @@
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,314 +0,0 @@
|
|||
|
||||
|
||||
|
||||
|
||||
error_page 400 @400;
|
||||
|
||||
location @400 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 400 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 401 @401;
|
||||
|
||||
location @401 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 401 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 403 @403;
|
||||
|
||||
location @403 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 403 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 404 @404;
|
||||
|
||||
location @404 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 404 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 405 =200 @405;
|
||||
|
||||
location @405 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 405 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 413 @413;
|
||||
|
||||
location @413 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 413 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 429 @429;
|
||||
|
||||
location @429 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 429 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 500 @500;
|
||||
|
||||
location @500 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 500 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 501 @501;
|
||||
|
||||
location @501 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 501 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 502 @502;
|
||||
|
||||
location @502 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 502 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 503 @503;
|
||||
|
||||
location @503 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 503 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
error_page 504 @504;
|
||||
|
||||
location @504 {
|
||||
auth_basic off;
|
||||
internal;
|
||||
modsecurity off;
|
||||
default_type 'text/html';
|
||||
content_by_lua_block {
|
||||
local logger = require "logger"
|
||||
local errors = require "errors.errors"
|
||||
local html, err
|
||||
if ngx.status == 200 then
|
||||
html, err = errors.error_html(tostring(405))
|
||||
else
|
||||
html, err = errors.error_html(tostring(ngx.status))
|
||||
end
|
||||
if not html then
|
||||
logger.log(ngx.ERR, "ERRORS", "Error while computing HTML error template for 504 : " .. err)
|
||||
else
|
||||
ngx.say(html)
|
||||
end
|
||||
}
|
||||
}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
|
||||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -1,5 +0,0 @@
|
|||
# set location for challenges
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /opt/bunkerweb/tmp/lets-encrypt;
|
||||
}
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
|
||||
|
||||
limit_conn v1ips 10;
|
||||
limit_conn v2ips 100;
|
||||
|
|
@ -1 +0,0 @@
|
|||
client_max_body_size 10m;
|
|
@ -1,84 +0,0 @@
|
|||
# process rules with disruptive actions
|
||||
SecRuleEngine On
|
||||
|
||||
# allow body checks
|
||||
SecRequestBodyAccess On
|
||||
|
||||
# enable XML parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
|
||||
# enable JSON parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
||||
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||||
|
||||
# maximum data size
|
||||
SecRequestBodyLimit 10485760
|
||||
SecRequestBodyNoFilesLimit 131072
|
||||
|
||||
# reject requests if bigger than max data size
|
||||
SecRequestBodyLimitAction Reject
|
||||
|
||||
# reject if we can't process the body
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
|
||||
# be strict with multipart/form-data body
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
||||
msg:'Multipart request body failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
|
||||
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# enable response body checks
|
||||
SecResponseBodyAccess On
|
||||
SecResponseBodyMimeType text/plain text/html text/xml application/json
|
||||
SecResponseBodyLimit 524288
|
||||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogParts ABCFHZ
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# include OWASP CRS configurations
|
||||
include /opt/bunkerweb/core/modsecurity/files/crs-setup.conf
|
||||
|
||||
# custom CRS configurations before loading rules (e.g. exclusions)
|
||||
|
||||
# unset REASON env var
|
||||
SecAction "nolog,phase:1,setenv:REASON=none"
|
||||
|
||||
# Auto update allowed methods
|
||||
|
||||
SecAction \
|
||||
"id:900200,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET POST HEAD'"
|
||||
|
||||
|
||||
# include OWASP CRS rules
|
||||
include /opt/bunkerweb/core/modsecurity/files/coreruleset/rules/*.conf
|
||||
|
||||
# custom rules after loading the CRS
|
||||
include /etc/nginx/modsec/*.conf
|
||||
|
||||
# set REASON env var
|
||||
SecRuleUpdateActionById 949110 "t:none,deny,status:403,setenv:REASON=modsecurity"
|
||||
SecRuleUpdateActionById 959100 "t:none,deny,status:403,setenv:REASON=modsecurity"
|
|
@ -1,3 +0,0 @@
|
|||
|
||||
modsecurity on;
|
||||
modsecurity_rules_file /etc/nginx/server-http/modsecurity-rules.conf.modsec;
|
|
@ -1,4 +0,0 @@
|
|||
open_file_cache max=1000 inactive=20s;
|
||||
open_file_cache_errors on ;
|
||||
open_file_cache_min_uses 2;
|
||||
open_file_cache_valid 30s;
|
|
@ -1,3 +0,0 @@
|
|||
|
||||
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
|
||||
more_clear_headers 'Server';
|
||||
|
||||
more_clear_headers 'X-Powered-By';
|
||||
|
||||
more_clear_headers 'X-AspNet-Version';
|
||||
|
||||
more_clear_headers 'X-AspNetMvc-Version';
|
|
@ -1,34 +0,0 @@
|
|||
|
||||
|
||||
|
||||
|
||||
set_cookie_flag * HttpOnly SameSite=Lax;
|
||||
|
||||
|
||||
|
||||
|
||||
more_set_headers "Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'self';";
|
||||
|
||||
|
||||
|
||||
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
|
||||
|
||||
|
||||
|
||||
more_set_headers "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()";
|
||||
|
||||
|
||||
|
||||
more_set_headers "Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';";
|
||||
|
||||
|
||||
|
||||
more_set_headers "X-Frame-Options: SAMEORIGIN";
|
||||
|
||||
|
||||
|
||||
more_set_headers "X-Content-Type-Options: nosniff";
|
||||
|
||||
|
||||
|
||||
more_set_headers "X-XSS-Protection: 1; mode=block";
|
|
@ -1,3 +0,0 @@
|
|||
|
||||
root /opt/bunkerweb/www/;
|
||||
try_files $uri $uri/ =404;
|
|
@ -1 +0,0 @@
|
|||
set $is_whitelisted '';
|
|
@ -1,28 +0,0 @@
|
|||
server {
|
||||
# server name (vhost)
|
||||
server_name www.example.com;
|
||||
|
||||
# HTTP listen
|
||||
|
||||
listen 0.0.0.0:8080 default_server;
|
||||
|
||||
index index.php index.html index.htm;
|
||||
|
||||
# custom config
|
||||
include /opt/bunkerweb/configs/server-http/*.conf;
|
||||
|
||||
# reason variable
|
||||
set $reason '';
|
||||
|
||||
# include LUA files
|
||||
include /etc/nginx/access-lua.conf;
|
||||
include /etc/nginx/log-lua.conf;
|
||||
|
||||
# include config files
|
||||
include /etc/nginx/server-http/*.conf;
|
||||
|
||||
location / {
|
||||
root /etc/nginx/www/;
|
||||
try_files $uri /index.html;
|
||||
}
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
# /etc/nginx/stream.conf
|
||||
|
||||
# size of the preread buffer
|
||||
preread_buffer_size 16k;
|
||||
|
||||
# timeout of the preread phase
|
||||
preread_timeout 30s;
|
||||
|
||||
# proxy protocol timeout
|
||||
proxy_protocol_timeout 30s;
|
||||
|
||||
# resolvers to use
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
# resolver timeout
|
||||
resolver_timeout 30s;
|
||||
|
||||
# remove 200ms delay
|
||||
tcp_nodelay on;
|
||||
|
||||
# bucket hash size
|
||||
variables_hash_bucket_size 64;
|
||||
variables_hash_max_size 1024;
|
||||
|
||||
# log format and level
|
||||
log_format proxy '$remote_addr [$time_local] '
|
||||
'$protocol $status $bytes_sent $bytes_received '
|
||||
'$session_time "$upstream_addr" '
|
||||
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
|
||||
access_log /var/log/nginx/access.log proxy;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/opt/bunkerweb/lua/?.lua;/opt/bunkerweb/core/?.lua;/opt/bunkerweb/plugins/?.lua;/opt/bunkerweb/deps/lib/lua/?.lua;;";
|
||||
lua_package_cpath "/opt/bunkerweb/deps/lib/?.so;/opt/bunkerweb/deps/lib/lua/?.so;;";
|
||||
lua_ssl_trusted_certificate "/opt/bunkerweb/misc/root-ca.pem";
|
||||
lua_ssl_verify_depth 2;
|
||||
lua_shared_dict datastore 256m;
|
||||
|
||||
# LUA init block
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
|
||||
|
||||
# server config(s)
|
||||
|
||||
include /etc/nginx/server.conf;
|
|
@ -1,17 +0,0 @@
|
|||
|
||||
uwsgi_param QUERY_STRING $query_string;
|
||||
uwsgi_param REQUEST_METHOD $request_method;
|
||||
uwsgi_param CONTENT_TYPE $content_type;
|
||||
uwsgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
uwsgi_param REQUEST_URI $request_uri;
|
||||
uwsgi_param PATH_INFO $document_uri;
|
||||
uwsgi_param DOCUMENT_ROOT $document_root;
|
||||
uwsgi_param SERVER_PROTOCOL $server_protocol;
|
||||
uwsgi_param REQUEST_SCHEME $scheme;
|
||||
uwsgi_param HTTPS $https if_not_empty;
|
||||
|
||||
uwsgi_param REMOTE_ADDR $remote_addr;
|
||||
uwsgi_param REMOTE_PORT $remote_port;
|
||||
uwsgi_param SERVER_PORT $server_port;
|
||||
uwsgi_param SERVER_NAME $server_name;
|
|
@ -1,184 +0,0 @@
|
|||
TEMP_NGINX=yes
|
||||
NGINX_PREFIX=/etc/nginx/
|
||||
HTTP_PORT=8080
|
||||
HTTPS_PORT=8443
|
||||
MULTISITE=no
|
||||
SERVER_NAME=www.example.com
|
||||
WORKER_PROCESSES=auto
|
||||
WORKER_RLIMIT_NOFILE=2048
|
||||
WORKER_CONNECTIONS=1024
|
||||
LOG_FORMAT=$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
|
||||
LOG_LEVEL=notice
|
||||
DNS_RESOLVERS=127.0.0.11
|
||||
DATASTORE_MEMORY_SIZE=256m
|
||||
USE_API=yes
|
||||
API_HTTP_PORT=5000
|
||||
API_SERVER_NAME=bwapi
|
||||
API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
|
||||
AUTOCONF_MODE=no
|
||||
SWARM_MODE=no
|
||||
KUBERNETES_MODE=no
|
||||
USE_BROTLI=no
|
||||
BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
|
||||
BROTLI_MIN_LENGTH=1000
|
||||
BROTLI_COMP_LEVEL=6
|
||||
USE_CUSTOM_HTTPS=no
|
||||
CUSTOM_HTTPS_CERT=
|
||||
CUSTOM_HTTPS_KEY=
|
||||
USE_AUTH_BASIC=no
|
||||
AUTH_BASIC_LOCATION=sitewide
|
||||
AUTH_BASIC_USER=changeme
|
||||
AUTH_BASIC_PASSWORD=changeme
|
||||
AUTH_BASIC_TEXT=Restricted area
|
||||
DATABASE_URI=sqlite:////data/db.sqlite3
|
||||
ERRORS=
|
||||
REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version
|
||||
STRICT_TRANSPORT_SECURITY=max-age=31536000
|
||||
COOKIE_FLAGS=* HttpOnly SameSite=Lax
|
||||
COOKIE_AUTO_SECURE_FLAG=yes
|
||||
CONTENT_SECURITY_POLICY=object-src 'none'; form-action 'self'; frame-ancestors 'self';
|
||||
REFERRER_POLICY=strict-origin-when-cross-origin
|
||||
PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()
|
||||
FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';
|
||||
X_FRAME_OPTIONS=SAMEORIGIN
|
||||
X_CONTENT_TYPE_OPTIONS=nosniff
|
||||
X_XSS_PROTECTION=1; mode=block
|
||||
USE_MODSECURITY=yes
|
||||
USE_MODSECURITY_CRS=yes
|
||||
MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly
|
||||
MODSECURITY_SEC_RULE_ENGINE=On
|
||||
MODSECURITY_SEC_AUDIT_LOG_PARTS=ABCFHZ
|
||||
USE_REVERSE_PROXY=no
|
||||
REVERSE_PROXY_INTERCEPT_ERRORS=yes
|
||||
USE_PROXY_CACHE=no
|
||||
PROXY_CACHE_PATH_LEVELS=1:2
|
||||
PROXY_CACHE_PATH_ZONE_SIZE=10m
|
||||
PROXY_CACHE_PATH_PARAMS=max_size=100m
|
||||
PROXY_CACHE_METHODS=GET HEAD
|
||||
PROXY_CACHE_MIN_USES=2
|
||||
PROXY_CACHE_KEY=$scheme$host$request_uri
|
||||
PROXY_CACHE_VALID=200=24h 301=1h 302=24h
|
||||
PROXY_NO_CACHE=$http_pragma $http_authorization
|
||||
PROXY_CACHE_BYPASS=0
|
||||
DISABLE_DEFAULT_SERVER=no
|
||||
REDIRECT_HTTP_TO_HTTPS=no
|
||||
AUTO_REDIRECT_HTTP_TO_HTTPS=yes
|
||||
ALLOWED_METHODS=GET|POST|HEAD
|
||||
MAX_CLIENT_SIZE=10m
|
||||
SERVE_FILES=yes
|
||||
ROOT_FOLDER=
|
||||
HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
|
||||
HTTP2=yes
|
||||
LISTEN_HTTP=yes
|
||||
USE_OPEN_FILE_CACHE=no
|
||||
OPEN_FILE_CACHE=max=1000 inactive=20s
|
||||
OPEN_FILE_CACHE_ERRORS=yes
|
||||
OPEN_FILE_CACHE_MIN_USES=2
|
||||
OPEN_FILE_CACHE_VALID=30s
|
||||
EXTERNAL_PLUGIN_URLS=
|
||||
DENY_HTTP_STATUS=403
|
||||
USE_BAD_BEHAVIOR=yes
|
||||
BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
|
||||
BAD_BEHAVIOR_BAN_TIME=86400
|
||||
BAD_BEHAVIOR_THRESHOLD=10
|
||||
BAD_BEHAVIOR_COUNT_TIME=60
|
||||
AUTO_LETS_ENCRYPT=no
|
||||
EMAIL_LETS_ENCRYPT=
|
||||
USE_LETS_ENCRYPT_STAGING=no
|
||||
GENERATE_SELF_SIGNED_SSL=no
|
||||
SELF_SIGNED_SSL_EXPIRY=365
|
||||
SELF_SIGNED_SSL_SUBJ=/CN=www.example.com/
|
||||
REMOTE_PHP=
|
||||
REMOTE_PHP_PATH=
|
||||
LOCAL_PHP=
|
||||
LOCAL_PHP_PATH=
|
||||
REDIRECT_TO=
|
||||
REDIRECT_TO_REQUEST_URI=no
|
||||
USE_CLIENT_CACHE=no
|
||||
CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
|
||||
CLIENT_CACHE_ETAG=yes
|
||||
CLIENT_CACHE_CONTROL=public, max-age=15552000
|
||||
USE_REAL_IP=no
|
||||
USE_PROXY_PROTOCOL=no
|
||||
REAL_IP_FROM=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
|
||||
REAL_IP_FROM_URLS=
|
||||
REAL_IP_HEADER=X-Forwarded-For
|
||||
REAL_IP_RECURSIVE=yes
|
||||
USE_GZIP=no
|
||||
GZIP_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
|
||||
GZIP_MIN_LENGTH=1000
|
||||
GZIP_COMP_LEVEL=5
|
||||
INJECT_BODY=
|
||||
USE_CORS=no
|
||||
CORS_ALLOW_ORIGIN=*
|
||||
CORS_EXPOSE_HEADERS=Content-Length,Content-Range
|
||||
CORS_MAX_AGE=86400
|
||||
CORS_ALLOW_CREDENTIALS=no
|
||||
CORS_ALLOW_METHODS=GET, POST, OPTIONS
|
||||
CORS_ALLOW_HEADERS=DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
|
||||
USE_UI=no
|
||||
USE_DNSBL=yes
|
||||
DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
|
||||
USE_ANTIBOT=no
|
||||
ANTIBOT_URI=/challenge
|
||||
ANTIBOT_SESSION_SECRET=random
|
||||
ANTIBOT_SESSION_NAME=random
|
||||
ANTIBOT_RECAPTCHA_SCORE=0.7
|
||||
ANTIBOT_RECAPTCHA_SITEKEY=
|
||||
ANTIBOT_RECAPTCHA_SECRET=
|
||||
ANTIBOT_HCAPTCHA_SITEKEY=
|
||||
ANTIBOT_HCAPTCHA_SECRET=
|
||||
USE_WHITELIST=yes
|
||||
WHITELIST_IP_URLS=
|
||||
WHITELIST_IP=20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8
|
||||
WHITELIST_RDNS=.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com
|
||||
WHITELIST_RDNS_URLS=
|
||||
WHITELIST_RDNS_GLOBAL=yes
|
||||
WHITELIST_ASN=32934
|
||||
WHITELIST_ASN_URLS=
|
||||
WHITELIST_USER_AGENT=
|
||||
WHITELIST_USER_AGENT_URLS=
|
||||
WHITELIST_URI=
|
||||
WHITELIST_URI_URLS=
|
||||
USE_BLACKLIST=yes
|
||||
BLACKLIST_IP_URLS=https://www.dan.me.uk/torlist/?exit
|
||||
BLACKLIST_IP=
|
||||
BLACKLIST_RDNS=.shodan.io .censys.io
|
||||
BLACKLIST_RDNS_URLS=
|
||||
BLACKLIST_RDNS_GLOBAL=yes
|
||||
BLACKLIST_ASN=
|
||||
BLACKLIST_ASN_URLS=
|
||||
BLACKLIST_USER_AGENT=
|
||||
BLACKLIST_USER_AGENT_URLS=https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list
|
||||
BLACKLIST_URI=
|
||||
BLACKLIST_URI_URLS=
|
||||
BLACKLIST_IGNORE_IP_URLS=
|
||||
BLACKLIST_IGNORE_IP=
|
||||
BLACKLIST_IGNORE_RDNS=
|
||||
BLACKLIST_IGNORE_RDNS_URLS=
|
||||
BLACKLIST_IGNORE_ASN=
|
||||
BLACKLIST_IGNORE_ASN_URLS=
|
||||
BLACKLIST_IGNORE_USER_AGENT=
|
||||
BLACKLIST_IGNORE_USER_AGENT_URLS=
|
||||
BLACKLIST_IGNORE_URI=
|
||||
BLACKLIST_IGNORE_URI_URLS=
|
||||
USE_GREYLIST=no
|
||||
GREYLIST_IP_URLS=
|
||||
GREYLIST_IP=
|
||||
GREYLIST_RDNS=
|
||||
GREYLIST_RDNS_URLS=
|
||||
GREYLIST_RDNS_GLOBAL=yes
|
||||
GREYLIST_ASN=
|
||||
GREYLIST_ASN_URLS=
|
||||
GREYLIST_USER_AGENT=
|
||||
GREYLIST_USER_AGENT_URLS=
|
||||
GREYLIST_URI=
|
||||
GREYLIST_URI_URLS=
|
||||
USE_LIMIT_REQ=yes
|
||||
USE_LIMIT_CONN=yes
|
||||
LIMIT_CONN_MAX_HTTP1=10
|
||||
LIMIT_CONN_MAX_HTTP2=100
|
||||
BLACKLIST_COUNTRY=
|
||||
WHITELIST_COUNTRY=
|
||||
USE_BUNKERNET=yes
|
||||
BUNKERNET_SERVER=https://api.bunkerweb.io
|