From 163af4a49d2917af9fd7702fd3bc5c0224b8f8f0 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 22 Oct 2021 21:16:36 +0200
Subject: [PATCH] prepare for v1.3.2
---
 README.md | 6 ++---
 confs/site/log-lua.conf | 12 ++++++++--
 docs/environment_variables.md | 45 ++++++++++++++++++++++++++++-------
 docs/security_tuning.md | 2 +-
 entrypoint/jobs.sh | 4 ++--
 5 files changed, 53 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index c2a2ee8..6d44ca3 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@

- +
@@ -38,8 +38,8 @@ Non-exhaustive list of features :
 - Automatic ban of strange behaviors
 - Antibot challenge through cookie, javascript, captcha or recaptcha v3
 - Block TOR, proxies, bad user-agents, countries, ...
-- Block known bad IP with DNSBL
-- Prevent bruteforce attacks with rate limiting
+- Block known bad IP with DNSBL and distributed blacklist
+- Prevent bruteforce attacks and protect API resources with rate limiting
 - Plugins system for external security checks (ClamAV, CrowdSec, ...)
 - Easy to configure with environment variables or web UI
 - Seamless integration into existing environments : Linux, Docker, Swarm, Kubernetes, ...
diff --git a/confs/site/log-lua.conf b/confs/site/log-lua.conf
index d8758e9..a587b32 100644
--- a/confs/site/log-lua.conf
+++ b/confs/site/log-lua.conf
@@ -23,8 +23,16 @@ local use_remote_api = {% if USE_REMOTE_API == "yes" %}true{% else %}
 local remoteapi = require "remoteapi"
 local iputils = require "resty.iputils"
-if use_remote_api and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) and ngx.shared.remote_api:get("id") ~= "empty" and ngx.shared.remote_api:get("ping") ~= "ko" then
- if ngx.status == ngx.HTTP_FORBIDDEN then
+if use_remote_api and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) and ngx.shared.remote_api:get("id") ~= "empty" then
+ if ngx.shared.remote_api:get("ping") == "ko" then
+ if remoteapi.ping2() then
+ ngx.shared.remote_api:set("ping", "ok", 0)
+ logger.log(ngx.NOTICE, "REMOTE API", "Successfully requested the remote API again")
+ else
+ logger.log(ngx.ERR, "REMOTE API", "Can't contact the remote API, feature will be disabled")
+ end
+ end
+ if ngx.shared.remote_api:get("ping") ~= "ko" and ngx.status == ngx.HTTP_FORBIDDEN then
 local reason = "other"
 if use_bad_behavior and new_bad_behavior_ban then
 reason = "behavior"
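Review bot: The new "ping" recovery block in log-lua.conf retries without any backoff: while the shared-dict value is "ko", `remoteapi.ping2()` is called on every request that reaches this block, and the `else` branch logs "feature will be disabled" but writes nothing to the dict, so the very next request probes the remote API again. With the remote API down, that turns every request into an extra outbound round-trip (or timeout) and fills the error log. Gate the probe with a short-lived marker so at most one attempt per interval runs per instance, e.g. `if ngx.shared.remote_api:get("ping") == "ko" and ngx.shared.remote_api:add("ping_retry", true, RETRY_INTERVAL_SECONDS) then` (key name and interval are placeholders to choose). If `ping2()` is implemented with cosockets, note that the cosocket API is not available in the log phase, so the probe would usually live in an `ngx.timer.at` callback instead. The outer `if use_remote_api ...` block continues past the end of this hunk.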
diff --git a/docs/environment_variables.md b/docs/environment_variables.md
index 9e30828..f914cda 100644
--- a/docs/environment_variables.md
+++ b/docs/environment_variables.md
@@ -603,14 +603,14 @@ More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Refer
 `FEATURE_POLICY`
 Values : *<directive> <allow list>*
-Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'*
+Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none"*
 Context : *global*, *multisite*
 Tells the browser which features can be used on the website.
 More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
 `PERMISSIONS_POLICY`
 Values : *feature=(allow list)*
-Default value : accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()
+Default value : *accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()*
 Context : *global*, *multisite*
 Tells the browser which features can be used on the website.
 More info [here](https://www.w3.org/TR/permissions-policy-1/).
@@ -686,6 +686,20 @@ Default value :
 Context : *global*, *multisite*
 The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
+### Distributed blacklist
+
+`USE_REMOTE_API`
+Values : *yes* | *no*
+Default value : *yes*
+Context : *global*, *multisite*
+If set to yes, the instance will participate into the distributed blacklist shared among all other instances. The blacklist will be automaticaly downloaded on a periodic basis.
+
+`REMOTE_API_SERVER`
+Values : *\*
+Default value :
+Context : *global*
+Full URL of the remote API used for the distributed blacklist.
+
 ### External blacklists
 `BLOCK_USER_AGENT`
@@ -828,19 +842,34 @@ Values : *yes* | *no*
 Default value : *yes*
 Context : *global*, *multisite*
 If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time.
-More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri).
+
+`LIMIT_REQ_URL`
+Values : *\*
+Default value :
+Context : *global*, *multisite*
+The URL where you want to apply the request limiting. Use special value of `/` to apply it globally for all URL.
+You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_URL_1`, `LIMIT_REQ_URL_2`, `LIMIT_REQ_URL_3`, ...
 `LIMIT_REQ_RATE`
-Values : *Xr/s* | *Xr/m*
+Values : *Xr/s* | *Xr/m* | *Xr/h* | *Xr/d*
 Default value : *1r/s*
 Context : *global*, *multisite*
-The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second.
+The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second. Possible value are : `s` (second), `m` (minute), `h` (hour) and `d` (day)).
+You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_RATE_1`, `LIMIT_REQ_RATE_2`, `LIMIT_REQ_RATE_3`, ...
 `LIMIT_REQ_BURST`
-Values : **
-Default value : *2*
+Values : *\*
+Default value : *5*
 Context : *global*, *multisite*
-The number of requests to put in queue before rejecting requests.
+The number of requests to put in queue before rejecting requests.
+You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_BURST_1`, `LIMIT_REQ_BURST_2`, `LIMIT_REQ_BURST_3`, ...
+
+`LIMIT_REQ_DELAY`
+Values : *\*
+Default value : *1*
+Context : *global*, *multisite*
+The number of seconds to wait before requests in queue are processed. Values like `0.1`, `0.01` or `0.001` are also accepted.
+You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_DELAY_1`, `LIMIT_REQ_DELAY_2`, `LIMIT_REQ_DELAY_3`, ...
 `LIMIT_REQ_CACHE`
 Values : *Xm* | *Xk*
diff --git a/docs/security_tuning.md b/docs/security_tuning.md
index 915ba19..495bd1a 100644
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@@ -194,7 +194,7 @@ Here is the list of related environment variables and their default value :
 - `LIMIT_REQ_BURST=5 : the number of request tu put in a queue before effectively rejecting requests
 - `LIMIT_REQ_DELAY=1` : the number of seconds to wait before we proceed requests in queue
-Please note that you can apply different rate to different URL by appending number as a suffix (more info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#requests-limiting)).
+Please note that you can apply different rate to different URL by appending a number as suffix (more info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#requests-limiting)).
 ### Connections
diff --git a/entrypoint/jobs.sh b/entrypoint/jobs.sh
index c2a48a4..7daf951 100644
--- a/entrypoint/jobs.sh
+++ b/entrypoint/jobs.sh
@@ -90,8 +90,8 @@ fi
 # remote API
 if [ "$(has_value USE_REMOTE_API yes)" != "" ] ; then
- /opt/bunkerized-nginx/jobs/main.py --name remote-api-register --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)"
+ /opt/bunkerized-nginx/jobs/main.py --name remote-api-register --cache --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)"
 if [ $? -eq 0 ] ; then
- /opt/bunkerized-nginx/jobs/main.py --name remote-api-database --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)"
+ /opt/bunkerized-nginx/jobs/main.py --name remote-api-database --cache --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)"
 fi
 fi
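Review bot: Both rewritten `main.py` invocations extract the server with `cut -d '=' -f 2`, which keeps only the text between the first and second `=`; a `REMOTE_API_SERVER` value containing a second `=` (a query string, for instance) is silently truncated before it reaches `--server`. Use `cut -d '=' -f 2-` to keep the remainder of the line. Since the same pipeline is now repeated on two lines, compute it once above the first call, `remote_api_server="$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2-)"`, and pass `--server "$remote_api_server"` in both places. What `--cache` changes is not visible here, so the `--id "$(cat .../machine.id)"` dependency on the register step having written that file is assumed unchanged.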