Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

prepare for v1.3.2

Browse Source
This commit is contained in:
bunkerity 2021-10-22 21:16:36 +02:00
parent 98e85eb99f
commit 163af4a49d
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
5 changed files with 53 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -3,7 +3,7 @@
</p> </p>
<p align="center"> <p align="center">
<img src="https://img.shields.io/badge/bunkerized--nginx-1.3.1-blue" /> <img src="https://img.shields.io/badge/bunkerized--nginx-1.3.2-blue" />
<img src="https://img.shields.io/badge/nginx-1.20.1-blue" /> <img src="https://img.shields.io/badge/nginx-1.20.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" /> <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" /> <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />
@ -38,8 +38,8 @@ Non-exhaustive list of features :
- Automatic ban of strange behaviors - Automatic ban of strange behaviors
- Antibot challenge through cookie, javascript, captcha or recaptcha v3 - Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ... - Block TOR, proxies, bad user-agents, countries, ...
- Block known bad IP with DNSBL - Block known bad IP with DNSBL and distributed blacklist
- Prevent bruteforce attacks with rate limiting - Prevent bruteforce attacks and protect API resources with rate limiting
- Plugins system for external security checks (ClamAV, CrowdSec, ...) - Plugins system for external security checks (ClamAV, CrowdSec, ...)
- Easy to configure with environment variables or web UI - Easy to configure with environment variables or web UI
- Seamless integration into existing environments : Linux, Docker, Swarm, Kubernetes, ... - Seamless integration into existing environments : Linux, Docker, Swarm, Kubernetes, ...

12
confs/site/log-lua.conf
View File

@ -23,8 +23,16 @@ local use_remote_api = {% if USE_REMOTE_API == "yes" %}true{% else %}
local remoteapi = require "remoteapi" local remoteapi = require "remoteapi"
local iputils = require "resty.iputils" local iputils = require "resty.iputils"
if use_remote_api and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) and ngx.shared.remote_api:get("id") ~= "empty" and ngx.shared.remote_api:get("ping") ~= "ko" then if use_remote_api and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) and ngx.shared.remote_api:get("id") ~= "empty" then
if ngx.status == ngx.HTTP_FORBIDDEN then if ngx.shared.remote_api:get("ping") == "ko" then
if remoteapi.ping2() then
ngx.shared.remote_api:set("ping", "ok", 0)
logger.log(ngx.NOTICE, "REMOTE API", "Successfully requested the remote API again")
else
logger.log(ngx.ERR, "REMOTE API", "Can't contact the remote API, feature will be disabled")
end
end
if ngx.shared.remote_api:get("ping") ~= "ko" and ngx.status == ngx.HTTP_FORBIDDEN then
local reason = "other" local reason = "other"
if use_bad_behavior and new_bad_behavior_ban then if use_bad_behavior and new_bad_behavior_ban then
reason = "behavior" reason = "behavior"

43
docs/environment_variables.md
View File

@ -603,14 +603,14 @@ More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Refer
`FEATURE_POLICY` `FEATURE_POLICY`
Values : *&lt;directive&gt; &lt;allow list&gt;* Values : *&lt;directive&gt; &lt;allow list&gt;*
Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'* Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none"*
Context : *global*, *multisite* Context : *global*, *multisite*
Tells the browser which features can be used on the website. Tells the browser which features can be used on the website.
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy). More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
`PERMISSIONS_POLICY` `PERMISSIONS_POLICY`
Values : *feature=(allow list)* Values : *feature=(allow list)*
Default value : accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=() Default value : *accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()*
Context : *global*, *multisite* Context : *global*, *multisite*
Tells the browser which features can be used on the website. Tells the browser which features can be used on the website.
More info [here](https://www.w3.org/TR/permissions-policy-1/). More info [here](https://www.w3.org/TR/permissions-policy-1/).
@ -686,6 +686,20 @@ Default value :
Context : *global*, *multisite* Context : *global*, *multisite*
The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*. The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
### Distributed blacklist
`USE_REMOTE_API`
Values : *yes* | *no*
Default value : *yes*
Context : *global*, *multisite*
If set to yes, the instance will participate into the distributed blacklist shared among all other instances. The blacklist will be automaticaly downloaded on a periodic basis.
`REMOTE_API_SERVER`
Values : *\<any valid full URL\>*
Default value :
Context : *global*
Full URL of the remote API used for the distributed blacklist.
### External blacklists ### External blacklists
`BLOCK_USER_AGENT` `BLOCK_USER_AGENT`
@ -828,19 +842,34 @@ Values : *yes* | *no*
Default value : *yes* Default value : *yes*
Context : *global*, *multisite* Context : *global*, *multisite*
If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time. If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time.
More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri).
`LIMIT_REQ_URL`
Values : *\<any valid url\>*
Default value :
Context : *global*, *multisite*
The URL where you want to apply the request limiting. Use special value of `/` to apply it globally for all URL.
You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_URL_1`, `LIMIT_REQ_URL_2`, `LIMIT_REQ_URL_3`, ...
`LIMIT_REQ_RATE` `LIMIT_REQ_RATE`
Values : *Xr/s* | *Xr/m* Values : *Xr/s* | *Xr/m* | *Xr/h* | *Xr/d*
Default value : *1r/s* Default value : *1r/s*
Context : *global*, *multisite* Context : *global*, *multisite*
The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second. The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 1 request to the same URI and from the same IP per second. Possible value are : `s` (second), `m` (minute), `h` (hour) and `d` (day)).
You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_RATE_1`, `LIMIT_REQ_RATE_2`, `LIMIT_REQ_RATE_3`, ...
`LIMIT_REQ_BURST` `LIMIT_REQ_BURST`
Values : *<any valid integer\>* Values : *\<any valid integer\>*
Default value : *2* Default value : *5*
Context : *global*, *multisite* Context : *global*, *multisite*
The number of requests to put in queue before rejecting requests. The number of requests to put in queue before rejecting requests.
You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_BURST_1`, `LIMIT_REQ_BURST_2`, `LIMIT_REQ_BURST_3`, ...
`LIMIT_REQ_DELAY`
Values : *\<any valid float\>*
Default value : *1*
Context : *global*, *multisite*
The number of seconds to wait before requests in queue are processed. Values like `0.1`, `0.01` or `0.001` are also accepted.
You can set multiple rules by adding a suffix number to the variable name like this : `LIMIT_REQ_DELAY_1`, `LIMIT_REQ_DELAY_2`, `LIMIT_REQ_DELAY_3`, ...
`LIMIT_REQ_CACHE` `LIMIT_REQ_CACHE`
Values : *Xm* | *Xk* Values : *Xm* | *Xk*

2
docs/security_tuning.md
View File

@ -194,7 +194,7 @@ Here is the list of related environment variables and their default value :
- `LIMIT_REQ_BURST=5 : the number of request tu put in a queue before effectively rejecting requests - `LIMIT_REQ_BURST=5 : the number of request tu put in a queue before effectively rejecting requests
- `LIMIT_REQ_DELAY=1` : the number of seconds to wait before we proceed requests in queue - `LIMIT_REQ_DELAY=1` : the number of seconds to wait before we proceed requests in queue
Please note that you can apply different rate to different URL by appending number as a suffix (more info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#requests-limiting)). Please note that you can apply different rate to different URL by appending a number as suffix (more info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#requests-limiting)).
### Connections ### Connections

4
entrypoint/jobs.sh
View File

@ -90,8 +90,8 @@ fi
# remote API # remote API
if [ "$(has_value USE_REMOTE_API yes)" != "" ] ; then if [ "$(has_value USE_REMOTE_API yes)" != "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name remote-api-register --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" /opt/bunkerized-nginx/jobs/main.py --name remote-api-register --cache --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)"
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
/opt/bunkerized-nginx/jobs/main.py --name remote-api-database --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)" /opt/bunkerized-nginx/jobs/main.py --name remote-api-database --cache --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)"
fi fi
fi fi