diff --git a/README.md b/README.md index 86060ec..8f3c35a 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ Fooling automated tools/scanners : + [HTTP](#http) + [Custom certificate](#custom-certificate) + [Self-signed certificate](#self-signed-certificate) - + [Misc](#misc-1) + + [Misc](#misc) * [ModSecurity](#modsecurity) * [Security headers](#security-headers) * [Blocking](#blocking) @@ -59,13 +59,12 @@ Fooling automated tools/scanners : + [Custom blacklisting](#custom-blacklisting) + [Requests limiting](#requests-limiting) + [Countries](#countries) - + [Misc](#misc-2) * [PHP](#php) + [Remote PHP](#remote-php) + [Local PHP (will be removed)](#local-php--will-be-removed-) * [Fail2ban](#fail2ban) * [ClamAV](#clamav) - * [Misc](#misc-3) + * [Misc](#misc-2) - [Create your own image](#create-your-own-image) - [Include custom configurations](#include-custom-configurations) @@ -184,6 +183,11 @@ Default value : *yes* If set to yes, nginx will serve files from /www directory within the container. A use case to not serving files is when you setup bunkerized-nginx as a reverse proxy via a custom configuration. +`DNS_RESOLVERS` +Values : *\* +Default value : *127.0.0.11 8.8.8.8* +The IP addresses of the DNS resolvers to use when performing DNS lookups. + `WRITE_ACCESS` Values : *yes* | *no* Default value : *no* @@ -574,13 +578,6 @@ Values : *\ \ ...* Default value : Block some countries from accessing your website. Use 2 letters country code separated with space. -### Misc - -`DNS_RESOLVERS` -Values : *\* -Default value : *8.8.8.8 8.8.4.4* -The IP addresses of the DNS resolvers to use when performing reverse DNS lookups. - ## PHP ### Remote PHP diff --git a/entrypoint.sh b/entrypoint.sh index 5047f63..e6119c2 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -126,7 +126,7 @@ USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
 LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
-DNS_RESOLVERS="${DNS_RESOLVERS-8.8.8.8 8.8.4.4}"
+DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11 8.8.8.8}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
 USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
diff --git a/examples/basic-website-with-php/docker-compose.yml b/examples/basic-website-with-php/docker-compose.yml
index be39b8e..9356673 100644
--- a/examples/basic-website-with-php/docker-compose.yml
+++ b/examples/basic-website-with-php/docker-compose.yml
@@ -12,7 +12,7 @@ services:
 - ./web-files:/www
 - ./letsencrypt:/etc/letsencrypt
 environment:
- - SERVER_NAME=www.website.com # replace with your domain
+ - SERVER_NAME=www.website.com # replace with your domain
 - AUTO_LETS_ENCRYPT=yes
 - REDIRECT_HTTP_TO_HTTPS=yes
 - DISABLE_DEFAULT_SERVER=yes
diff --git a/examples/behind-traefik/docker-compose.yml b/examples/behind-traefik/docker-compose.yml
index bdb147b..ed7804e 100644
--- a/examples/behind-traefik/docker-compose.yml
+++ b/examples/behind-traefik/docker-compose.yml
@@ -3,14 +3,15 @@ version: '3'
 services:
 mytraefik:
- image: traefik
+ image: traefik:v1.7.26
 restart: always
 ports:
 - 80:80
 - 443:443
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- - ./traefik:/etc/traefik
+ - ./traefik/traefik.toml:/traefik.toml
+ - ./traefik/acme.json:/acme.json
 mywww1:
 image: bunkerity/bunkerized-nginx
@@ -24,7 +25,7 @@ services:
 labels:
 - 'traefik.enable=true'
 - 'traefik.port=80'
- - 'traefik.frontend.rule=Host:web1.domain.com # replace with your domain
+ - 'traefik.frontend.rule=Host:app1.website.com' # replace with your domain
 mywww2:
 image: bunkerity/bunkerized-nginx
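Review bot: The new default `127.0.0.11 8.8.8.8` only resolves names when the container sits on a user-defined Docker network, because 127.0.0.11 is Docker's embedded DNS and is absent on the default bridge and with host networking; nginx queries a list of resolvers round-robin, so on those setups part of the lookups will presumably fail or time out rather than fall back to 8.8.8.8. The reverse is also true: only the embedded DNS can resolve compose service names such as the `app1`/`app2` upstreams in the reverse-proxy example, so which of the two answers a given query matters. A comment on the default would spare the next reader that archaeology, e.g. `# 127.0.0.11 is Docker's embedded DNS (user-defined networks only); set DNS_RESOLVERS explicitly on the default bridge or host network`. How the value is fed into nginx is outside this hunk.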
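Review bot: `./traefik/acme.json` is committed as an empty file with mode 100644 and bind-mounted into Traefik, which will write the ACME account key and the issued certificates' private keys into it; Traefik 1.7 presumably rejects an ACME storage file whose permissions are wider than 600, so the example as committed is expected to log an error until the user runs `chmod 600 traefik/acme.json`. That step, and the fact that the populated file is key material that should not be committed back, belongs next to the mount, e.g. `- ./traefik/acme.json:/acme.json # chmod 600 first; will hold private keys, keep out of git`. Pinning `traefik:v1.7.26` is the right move; the same commit leaves `image: node` unpinned in examples/reverse-proxy/docker-compose.yml.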
@@ -38,7 +39,7 @@ services:
 labels:
 - 'traefik.enable=true'
 - 'traefik.port=80'
- - 'traefik.frontend.rule=Host:web2.domain.com # replace with your domain
+ - 'traefik.frontend.rule=Host:app2.website.com' # replace with your domain
 myphp1:
 image: php:fpm
diff --git a/examples/behind-traefik/traefik/acme.json b/examples/behind-traefik/traefik/acme.json
new file mode 100644
index 0000000..e69de29
diff --git a/examples/behind-traefik/traefik/traefik.tml b/examples/behind-traefik/traefik/traefik.tml
deleted file mode 100644
index 258cd57..0000000
--- a/examples/behind-traefik/traefik/traefik.tml
+++ /dev/null
@@ -1 +0,0 @@
-todo
diff --git a/examples/behind-traefik/traefik/traefik.toml b/examples/behind-traefik/traefik/traefik.toml
new file mode 100644
index 0000000..4453d7b
--- /dev/null
+++ b/examples/behind-traefik/traefik/traefik.toml
@@ -0,0 +1,29 @@
+debug = false
+
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+
+[retry]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "website.com"
+watch = true
+exposedByDefault = false
+
+[acme]
+email = "contact@website.com"
+storage = "acme.json"
+entryPoint = "https"
+onHostRule = true
+[acme.httpChallenge]
+entryPoint = "http"
diff --git a/examples/reverse-proxy/docker-compose.yml b/examples/reverse-proxy/docker-compose.yml
index 53b0b4a..3d87e25 100644
--- a/examples/reverse-proxy/docker-compose.yml
+++ b/examples/reverse-proxy/docker-compose.yml
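Review bot: `[entryPoints.https.tls]` turns on TLS without a `minVersion`, so the entrypoint accepts whatever Traefik 1.7 inherits from Go's TLS defaults, which presumably still includes TLS 1.0 and 1.1; for an example whose whole point is putting a hardened nginx behind the proxy, add `minVersion = "VersionTLS12"` under that table. `domain = "website.com"` and `email = "contact@website.com"` are placeholders that ACME validation cannot succeed for, and unlike the compose files they carry no `# replace with your domain` comment; adding the same marker here keeps the example consistent. `exposedByDefault = false` combined with the explicit `traefik.enable=true` labels is the right default.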
@@ -9,12 +9,28 @@ services:
 - 80:80
 - 443:443
 volumes:
- - ./http-confs:/www
+ - ./letsencrypt:/etc/letsencrypt
+ - ./server-confs:/server-confs
 environment:
- - SERVER_NAME=pma.domain.com app.domain.com # replace with your domains
+ - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
 - SERVE_FILES=no
 - DISABLE_DEFAULT_SERVER=yes
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
-# TODO : pma + nodeJS ?
+ app1:
+ image: node
+ restart: always
+ working_dir: /home/node/app
+ volumes:
+ - ./js-app:/home/node/app
+ environment:
+ - NODE_ENV=production
+ command: bash -c "npm install express && node index.js"
+
+ app2:
+ image: phpmyadmin:apache
+ restart: always
+ environment:
+ - PMA_ARBITRARY=1
+ - PMA_ABSOLUTE_URI=https://app2.website.com
diff --git a/examples/reverse-proxy/js-app/index.js b/examples/reverse-proxy/js-app/index.js
new file mode 100644
index 0000000..35fb70b
--- /dev/null
+++ b/examples/reverse-proxy/js-app/index.js
@@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+ res.send('Hello World!')
+})
+
+app.listen(port, () => {
+ console.log(`Example app listening at http://localhost:${port}`)
+})
+
diff --git a/examples/reverse-proxy/js-app/package.json b/examples/reverse-proxy/js-app/package.json
new file mode 100644
index 0000000..8f2840d
--- /dev/null
+++ b/examples/reverse-proxy/js-app/package.json
@@ -0,0 +1,14 @@
+{
+ "name": "js-app",
+ "version": "1.0.0",
+ "description": "demo",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "author": "",
+ "license": "ISC",
+ "dependencies": {
+ "express": "^4.17.1"
+ }
+}
diff --git a/examples/reverse-proxy/server-confs/reverse-proxy.conf b/examples/reverse-proxy/server-confs/reverse-proxy.conf
new file mode 100644
index 0000000..d89ca56
--- /dev/null
+++ b/examples/reverse-proxy/server-confs/reverse-proxy.conf
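Review bot: `app1` pulls the unpinned `node` image and runs `npm install express` on every container start, so each restart fetches whatever Express version the registry serves at that moment, with no lockfile or integrity check, and bypasses the `^4.17.1` range declared in the js-app/package.json that this same commit adds; the sibling example pins `traefik:v1.7.26`, and the same discipline fits here. At minimum pin the tag (`image: node:<pinned tag>`, placeholder) and install from the manifest with `command: bash -c "npm install && node index.js"`; building an image with the dependencies baked in would be better still. `PMA_ARBITRARY=1` on `app2` lets any visitor of the login page choose which MySQL host the phpMyAdmin container connects to, which is fine for a demo but deserves a `# demo only` comment, or `PMA_HOST` pointing at a fixed server instead.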
@@ -0,0 +1,12 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+ if ($host = app1.website.com) {
+ proxy_pass http://app1:3000$request_uri;
+ }
+
+ if ($host = app2.website.com) {
+ proxy_pass http://app2$request_uri;
+ }
+}
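Review bot: The two `if ($host = …)` blocks are the only path to an upstream, so a request whose Host matches neither leaves `location /` with no `proxy_pass` and is handled by nginx itself; with `DISABLE_DEFAULT_SERVER=yes` and both names in `SERVER_NAME` that should not occur, but `if` inside `location` is the construct nginx's own documentation cautions about, and a comment stating why the fall-through is acceptable here would help the next reader. Only `Host` and `X-Forwarded-For` are forwarded, so an app behind `REDIRECT_HTTP_TO_HTTPS=yes` cannot tell it was reached over TLS (phpMyAdmin is told via `PMA_ABSOLUTE_URI`, the node app is not); add `proxy_set_header X-Forwarded-Proto $scheme;` alongside the existing two headers. Because `proxy_pass` contains a variable (`$request_uri`), nginx resolves `app1` and `app2` at request time through its `resolver`, which is presumably why this commit moves the `DNS_RESOLVERS` default to Docker's `127.0.0.11`; that dependency is worth a one-line comment above `location /`.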