Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Deployed 972a284 to 1.4 with MkDocs 1.2.3 and mike 1.1.2

Browse Source
This commit is contained in:
florian 2022-06-06 23:10:16 +01:00
parent 4ca05eb80e
commit 563f4761e6
15 changed files with 1767 additions and 1769 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
1.4/about/index.html
View File

@ -654,14 +654,14 @@ documentation for the current version.
<li>Follow us on <a href="https://www.linkedin.com/company/bunkerity/">LinkedIn</a>, <a href="https://twitter.com/bunkerity">Twitter</a> and <a href="https://github.com/bunkerity">GitHub</a></li>
<li>Report bugs and propose new features using <a href="https://github.com/bunkerity/bunkerweb/issues">issues</a></li>
<li>Contribute to the code using <a href="https://github.com/bunkerity/bunkerweb/pulls">pull requests</a></li>
<li>Write an awesome <a href="/plugins">plugin</a></li>
<li>Write an awesome <a href="/1.4/plugins">plugin</a></li>
<li>Talk about BunkerWeb to your friends/colleagues, on social media, on your blog, ...</li>
</ul>
<h2 id="how-to-report-security-issue">How to report security issue ?</h2>
<p>Please contact us at <a href="mailto:security@bunkerity.com">security@bunkerity.com</a> using the following PGP key :</p>
<div class="highlight"><pre><span></span><code>-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGCEMiMBEACtXJBDbF86qjC/Q1cfmJfYcYrbk6eE5czknG294XObC97wAgDf
<p>```conf
-----BEGIN PGP PUBLIC KEY BLOCK-----</p>
<p>mQINBGCEMiMBEACtXJBDbF86qjC/Q1cfmJfYcYrbk6eE5czknG294XObC97wAgDf
/MbX6bnti4kDRpflGDqQtwOXudcEzledTD4bdDUKvZwqPoYQGa24uCuUxSINTLXr
RuoMaKfpvs7trsFXp5iYUqf4Org2aaJE7Tk/9sOvxgdqsT22jEgCZXTRU1qG494U
u6XRQN8hKlw6aa6njjX9vUk6Jpl46/kwwO9mpXBZX6iFKYnBlUWs2k8d6D6cO5aZ
@ -711,7 +711,7 @@ SOk62kZ0lqEctwgKDe3MNQnPxt9+tU9L1pIkyXgXihcOLiCMl434K0djJXxIbiX0
JvbFAfI3qteepvnjBQ==
=g1tf
-----END PGP PUBLIC KEY BLOCK-----
</code></pre></div>
```</p>
</article>

32
1.4/concepts/index.html
View File

@ -627,32 +627,32 @@ documentation for the current version.
<p>The first concept is the integration of BunkerWeb into the target environment. We prefer to use the word "integration" instead of "installation" because one of the goals of BunkerWeb is to integrate seamlessly into existing environments.</p>
<p>The following integrations are officially supported :</p>
<ul>
<li><a href="/integrations/#docker">Docker</a></li>
<li><a href="/integrations/#docker-autoconf">Docker autoconf</a></li>
<li><a href="/integrations/#swarm">Swarm</a></li>
<li><a href="/integrations/#kubernetes">Kubernetes</a></li>
<li><a href="/integrations/#linux">Linux</a></li>
<li><a href="/1.4/integrations/#docker">Docker</a></li>
<li><a href="/1.4/integrations/#docker-autoconf">Docker autoconf</a></li>
<li><a href="/1.4/integrations/#swarm">Swarm</a></li>
<li><a href="/1.4/integrations/#kubernetes">Kubernetes</a></li>
<li><a href="/1.4/integrations/#linux">Linux</a></li>
</ul>
<p>If you think that a new integration should be supported, do not hesitate to open a <a href="https://github.com/bunkerity/bunkerweb/issues">new issue</a> on the GitHub repository.</p>
<div class="admonition info">
<p class="admonition-title">Going further</p>
<p>The technical details of all BunkerWeb integrations are available in the <a href="/integrations">integrations section</a> of the documentation.</p>
<p>The technical details of all BunkerWeb integrations are available in the <a href="/1.4/integrations">integrations section</a> of the documentation.</p>
</div>
<h2 id="settings">Settings</h2>
<p>Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.</p>
<p>Configuration of BunkerWeb is done using what we called the "settings" or "variables". Each setting is identified by a name like <code>AUTO_LETS_ENCRYPT</code> or <code>USE_ANTIBOT</code> for example. You can assign values to the settings to configure BunkerWeb.</p>
<p>Here is a dummy example of a BunkerWeb configuration :</p>
<div class="highlight"><pre><span></span><code>SERVER_NAME=www.example.com
<p><code>conf
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
USE_ANTIBOT=captcha
REFERRER_POLICY=no-referrer
USE_MODSECURITY=no
USE_GZIP=yes
USE_BROTLI=no
</code></pre></div>
USE_BROTLI=no</code></p>
<div class="admonition info">
<p class="admonition-title">Going further</p>
<p>The complete list of available settings with descriptions and possible values is available in the <a href="/settings">settings section</a> of the documentation.</p>
<p>The complete list of available settings with descriptions and possible values is available in the <a href="/1.4/settings">settings section</a> of the documentation.</p>
</div>
<div class="admonition info">
<p class="admonition-title">Settings generator tool</p>
@ -665,7 +665,8 @@ USE_BROTLI=no
<p>The multisite mode is controlled by the <code>MULTISITE</code> setting which can be set to <code>yes</code> (enabled) or <code>no</code> (disabled, which is the default).</p>
<p>Each setting has a context which defines "where" it can be applied. If the context is global then the setting can't be set per server (or "per site", "per app") but only to the whole configuration. Otherwise, if the context is multisite, the setting can be set globally and per server. Defining a multisite setting to a specific server is done by adding the server name as a prefix of the setting name like <code>app1.example.com_AUTO_LETS_ENCRYPT</code> or <code>app2.example.com_USE_ANTIBOT</code> for example. When a multisite setting is defined globally (without any server prefix), all the servers will inherit that setting (but can still be overriden if we set the same setting with the server name prefix).</p>
<p>Here is a dummy example of a multisite BunkerWeb configuration :</p>
<div class="highlight"><pre><span></span><code>MULTISITE=yes
<p><code>conf
MULTISITE=yes
SERVER_NAME=app1.example.com app2.example.com app3.example.com
AUTO_LETS_ENCRYPT=yes
USE_GZIP=yes
@ -674,19 +675,18 @@ app1.example.com_USE_ANTIBOT=javascript
app1.example.com_USE_MODSECURITY=no
app2.example.com_USE_ANTIBOT=cookie
app2.example.com_WHITELIST_COUNTRY=FR
app3.example.com_USE_BAD_BEHAVIOR=no
</code></pre></div>
app3.example.com_USE_BAD_BEHAVIOR=no</code></p>
<div class="admonition info">
<p class="admonition-title">Going further</p>
<p>You will find concrete examples of multisite mode in the <a href="/quickstart-guide">quickstart guide</a> of the documentation and the <a href="https://github.com/bunkerity/bunkerweb/tree/master/examples">examples</a> directory of the repository.</p>
<p>You will find concrete examples of multisite mode in the <a href="/1.4/quickstart-guide">quickstart guide</a> of the documentation and the <a href="https://github.com/bunkerity/bunkerweb/tree/master/examples">examples</a> directory of the repository.</p>
</div>
<h2 id="custom-configurations">Custom configurations</h2>
<p>Because meeting all the use cases only using the settings is not an option (even with <a href="/plugins">external plugins</a>), you can use custom configurations to solve your specific challenges.</p>
<p>Because meeting all the use cases only using the settings is not an option (even with <a href="/1.4/plugins">external plugins</a>), you can use custom configurations to solve your specific challenges.</p>
<p>Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different <a href="https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts">contexts</a> like HTTP or server (all servers and/or specific server block).</p>
<p>Another core component of BunkerWeb is the ModSecurity Web Application Firewall : you can also use custom configurations to fix some false positives or add custom rules for example.</p>
<div class="admonition info">
<p class="admonition-title">Going further</p>
<p>You will find concrete examples of custom configurations in the <a href="/quickstart-guide">quickstart guide</a> of the documentation and the <a href="https://github.com/bunkerity/bunkerweb/tree/master/examples">examples</a> directory of the repository.</p>
<p>You will find concrete examples of custom configurations in the <a href="/1.4/quickstart-guide">quickstart guide</a> of the documentation and the <a href="https://github.com/bunkerity/bunkerweb/tree/master/examples">examples</a> directory of the repository.</p>
</div>

4
1.4/index.html
View File

@ -627,8 +627,8 @@ documentation for the current version.
<figcaption>Make your web services secure by default !</figcaption>
</figure>
<p>BunkerWeb is a web server based on the notorious <a href="https://nginx.org/">NGINX</a> and focused on security.</p>
<p>It integrates into existing environments (<a href="/integrations/#linux">Linux</a>, <a href="/integrations/#docker">Docker</a>, <a href="/integrations/#swarm">Swarm</a>, <a href="/integrations/#Kubernetes">Kubernetes</a>, …) to make your web services "secure by default" without any hassle. The security best practices are automatically applied for you while keeping control of every setting to meet your use case.</p>
<p>BunkerWeb contains primary <a href="/security-tuning">security features</a> as part of the core but can be easily extended with additional ones thanks to a <a href="/plugins">plugin system</a>.</p>
<p>It integrates into existing environments (<a href="/1.4/integrations/#linux">Linux</a>, <a href="/1.4/integrations/#docker">Docker</a>, <a href="/1.4/integrations/#swarm">Swarm</a>, <a href="/1.4/integrations/#Kubernetes">Kubernetes</a>, …) to make your web services "secure by default" without any hassle. The security best practices are automatically applied for you while keeping control of every setting to meet your use case.</p>
<p>BunkerWeb contains primary <a href="/1.4/security-tuning">security features</a> as part of the core but can be easily extended with additional ones thanks to a <a href="/1.4/plugins">plugin system</a>.</p>
<h2 id="why-bunkerweb">Why BunkerWeb ?</h2>
<ul>
<li><strong>Easy integration into existing environments</strong> : support for Linux, Docker, Swarm and Kubernetes</li>

963
1.4/integrations/index.html
View File

File diff suppressed because it is too large Load Diff

3
1.4/json2md.py
View File

@ -22,7 +22,8 @@ def print_md_table(settings) :
print("")
print("# Settings\n")
print("This section contains the full list of settings supported by BunkerWeb. If you are not familiar with BunkerWeb, you should first read the [concepts](/concepts) section of the documentation. Please follow the instructions for your own [integration](/integrations) on how to apply the settings.\n")
print("!!! info \"Settings generator tool\"\n\n To help you tuning BunkerWeb we have made an easy to use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).\n")
print("This section contains the full list of settings supported by BunkerWeb. If you are not familiar with BunkerWeb, you should first read the [concepts](/1.4/concepts) section of the documentation. Please follow the instructions for your own [integration](/1.4/integrations) on how to apply the settings.\n")
print("As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server you will need to add the primary (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.\n")
print("When settings are considered as \"multiple\", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.\n")

10
1.4/migrating/index.html
View File

@ -639,22 +639,22 @@ documentation for the current version.
<p>A lot of things have changed since the last bunkerized release. If you want to an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.</p>
</div>
<h2 id="volumes">Volumes</h2>
<p>When using container-based integrations like <a href="/integrations/#docker">Docker</a>, <a href="/integrations/#docker-autoconf">Docker autoconf</a>, <a href="/integrations/#swarm">Swarm</a> or <a href="/integrations/#kubernetes">Kubernetes</a>, volumes for storing data like certificates, cache or custom configurations has changed. We now have a single "bw-data" volume which contains everything and should be easier to manage than bunkerized.</p>
<p>When using container-based integrations like <a href="/1.4/integrations/#docker">Docker</a>, <a href="/1.4/integrations/#docker-autoconf">Docker autoconf</a>, <a href="/1.4/integrations/#swarm">Swarm</a> or <a href="/1.4/integrations/#kubernetes">Kubernetes</a>, volumes for storing data like certificates, cache or custom configurations has changed. We now have a single "bw-data" volume which contains everything and should be easier to manage than bunkerized.</p>
<h2 id="removed-features">Removed features</h2>
<p>We decided to drop the following features :</p>
<ul>
<li>Authelia : we will make an official <a href="/plugins">plugin</a> for that</li>
<li>Authelia : we will make an official <a href="/1.4/plugins">plugin</a> for that</li>
<li>Blocking "bad" referrers : we may add it again in the future</li>
<li>ROOT_SITE_SUBFOLDER : we will need to redesign this in the future</li>
</ul>
<h2 id="replaced-block_-whitelist_-and-blacklist_-settings">Replaced BLOCK_<em>, WHITELIST_</em> and BLACKLIST_* settings</h2>
<p>The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the <a href="/security-tuning/#blacklisting-and-whitelisting">Blacklisting and whitelisting</a> section of the <a href="/security-tuning">security tuning</a>.</p>
<p>The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the <a href="/1.4/security-tuning/#blacklisting-and-whitelisting">Blacklisting and whitelisting</a> section of the <a href="/1.4/security-tuning">security tuning</a>.</p>
<h2 id="changed-whitelist_user_agent-setting-behavior">Changed WHITELIST_USER_AGENT setting behavior</h2>
<p>The new behavior of the WHITELIST_USER_AGENT setting is to <strong>disable completely security checks</strong> if the User-Agent value of a client match any of the patterns. In bunkerized it was used to ignore specific User-Agent values when <code>BLOCK_USER_AGENT</code> was set to <code>yes</code> to avoid false positives. You can choose the blacklist of your choice to avoid FP (see previous section).</p>
<h2 id="changed-proxy_real_ip_-settings">Changed PROXY_REAL_IP_* settings</h2>
<p>To avoid any confusion between reverse proxy and real IP, we decided to renamed the <code>PROXY_REAL_IP_*</code> settings, you will find more information on the subject <a href="/quickstart-guide/#behind-load-balancer-or-reverse-proxy">here</a>.</p>
<p>To avoid any confusion between reverse proxy and real IP, we decided to renamed the <code>PROXY_REAL_IP_*</code> settings, you will find more information on the subject <a href="/1.4/quickstart-guide/#behind-load-balancer-or-reverse-proxy">here</a>.</p>
<h2 id="default-values-and-new-settings">Default values and new settings</h2>
<p>The default value of settings may have changed and we have added many other settings, we recommend you to read the <a href="/security-tuning">security tuning</a> and <a href="/settings">settings</a> sections of the documentation.</p>
<p>The default value of settings may have changed and we have added many other settings, we recommend you to read the <a href="/1.4/security-tuning">security tuning</a> and <a href="/1.4/settings">settings</a> sections of the documentation.</p>
</article>

299
1.4/plugins/index.html
View File

@ -712,69 +712,69 @@ documentation for the current version.
<div class="tabbed-set tabbed-alternate" data-tabs="1:5"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><input id="__tabbed_1_3" name="__tabbed_1" type="radio" /><input id="__tabbed_1_4" name="__tabbed_1" type="radio" /><input id="__tabbed_1_5" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">Docker</label><label for="__tabbed_1_2">Docker autoconf</label><label for="__tabbed_1_3">Swarm</label><label for="__tabbed_1_4">Kubernetes</label><label for="__tabbed_1_5">Linux</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>When using the <a href="/integrations/#docker">Docker integration</a>, plugins must be written to the volume mounted on <code>/data</code>.</p>
<p>When using the <a href="/1.4/integrations/#docker">Docker integration</a>, plugins must be written to the volume mounted on <code>/data</code>.</p>
<p>The first thing to do is to create the plugins folder :
<div class="highlight"><pre><span></span><code>mkdir -p ./bw-data/plugins
</code></pre></div></p>
<code>shell
mkdir -p ./bw-data/plugins</code></p>
<p>Then you can drop the plugins of your choice into that folder :
<div class="highlight"><pre><span></span><code>git clone https://github.com/bunkerity/bunkerweb-plugins <span class="o">&amp;&amp;</span> <span class="se">\</span>
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
</code></pre></div></p>
<code>shell
git clone https://github.com/bunkerity/bunkerweb-plugins &amp;&amp; \
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins</code></p>
<p>Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
<div class="highlight"><pre><span></span><code>chown -R root:101 bw-data <span class="o">&amp;&amp;</span> <span class="se">\</span>
chmod -R <span class="m">770</span> bw-data
</code></pre></div></p>
<code>shell
chown -R root:101 bw-data &amp;&amp; \
chmod -R 770 bw-data</code></p>
<p>When starting the BunkerWeb container, you will need to mount the folder on <code>/data</code> :
<div class="highlight"><pre><span></span><code>docker run <span class="se">\</span>
<code>shell
docker run \
...
-v <span class="s2">&quot;</span><span class="si">${</span><span class="nv">PWD</span><span class="si">}</span><span class="s2">/bw-data:/data&quot;</span> <span class="se">\</span>
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
</code></pre></div></p>
bunkerity/bunkerweb:1.4.0</code></p>
<p>Here is the docker-compose equivalent :
<div class="highlight"><pre><span></span><code><span class="nt">mybunker</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bunkerity/bunkerweb:1.4.0</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./bw-data:/data</span><span class="w"></span>
<span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span><span class="w"></span>
</code></pre></div></p>
<code>yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
volumes:
- ./bw-data:/data
...</code></p>
</div>
<div class="tabbed-block">
<p>When using the <a href="/integrations/#docker-autoconf">Docker autoconf integration</a>, plugins must be written to the volume mounted on <code>/data</code>.</p>
<p>When using the <a href="/1.4/integrations/#docker-autoconf">Docker autoconf integration</a>, plugins must be written to the volume mounted on <code>/data</code>.</p>
<p>The easiest way to do it is by starting the Docker autoconf stack with a folder mounted on <code>/data</code> (instead of a named volume). Once the stack is started, you can copy the plugins of your choice to the <code>plugins</code> folder from your host :
<div class="highlight"><pre><span></span><code>git clone https://github.com/bunkerity/bunkerweb-plugins <span class="o">&amp;&amp;</span> <span class="se">\</span>
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
</code></pre></div></p>
<code>shell
git clone https://github.com/bunkerity/bunkerweb-plugins &amp;&amp; \
cp -rp ./bunkerweb-plugins/* ./bw-data/plugins</code></p>
<p>Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
<div class="highlight"><pre><span></span><code>chown -R root:101 bw-data <span class="o">&amp;&amp;</span> <span class="se">\</span>
chmod -R <span class="m">770</span> bw-data
</code></pre></div></p>
<code>shell
chown -R root:101 bw-data &amp;&amp; \
chmod -R 770 bw-data</code></p>
</div>
<div class="tabbed-block">
<p>When using the <a href="/integrations/#swarm">Swarm integration</a>, the easiest way of installing plugins is by using <code>docker exec</code> and downloading the plugins from the container.</p>
<p>When using the <a href="/1.4/integrations/#swarm">Swarm integration</a>, the easiest way of installing plugins is by using <code>docker exec</code> and downloading the plugins from the container.</p>
<p>Execute a shell inside the autoconf container (use <code>docker ps</code> to get the name) :
<div class="highlight"><pre><span></span><code>docker <span class="nb">exec</span> -it myautoconf /bin/bash
</code></pre></div></p>
<code>shell
docker exec -it myautoconf /bin/bash</code></p>
<p>Once you have a shell inside the container, you can drop the plugins of your choice inside the <code>/data/plugins</code> folder :
<div class="highlight"><pre><span></span><code>git clone https://github.com/bunkerity/bunkerweb-plugins <span class="o">&amp;&amp;</span> <span class="se">\</span>
cp -rp ./bunkerweb-plugins/* /data/plugins
</code></pre></div></p>
<code>shell
git clone https://github.com/bunkerity/bunkerweb-plugins &amp;&amp; \
cp -rp ./bunkerweb-plugins/* /data/plugins</code></p>
</div>
<div class="tabbed-block">
<p>When using the <a href="/integrations/#kubernetes">Kubernetes integration</a>, the easiest way of installing plugins is by using <code>kubectl exec</code> and downloading the plugins from the container.</p>
<p>When using the <a href="/1.4/integrations/#kubernetes">Kubernetes integration</a>, the easiest way of installing plugins is by using <code>kubectl exec</code> and downloading the plugins from the container.</p>
<p>Execute a shell inside the autoconf container (use <code>kubectl get pods</code> to get the name) :
<div class="highlight"><pre><span></span><code>kubectl <span class="nb">exec</span> -it myautoconf -- /bin/bash
</code></pre></div></p>
<code>shell
kubectl exec -it myautoconf -- /bin/bash</code></p>
<p>Once you have a shell inside the container, you can drop the plugins of your choice inside the <code>/data/plugins</code> folder :
<div class="highlight"><pre><span></span><code>git clone https://github.com/bunkerity/bunkerweb-plugins <span class="o">&amp;&amp;</span> <span class="se">\</span>
cp -rp ./bunkerweb-plugins/* /data/plugins
</code></pre></div></p>
<code>shell
git clone https://github.com/bunkerity/bunkerweb-plugins &amp;&amp; \
cp -rp ./bunkerweb-plugins/* /data/plugins</code></p>
</div>
<div class="tabbed-block">
<p>When using the <a href="/integrations/#linux">Linux integration</a>, plugins must be written to the <code>/opt/bunkerweb/plugins</code> folder :
<div class="highlight"><pre><span></span><code>git clone https://github.com/bunkerity/bunkerweb-plugins <span class="o">&amp;&amp;</span> <span class="se">\</span>
cp -rp ./bunkerweb-plugins/* /data/plugins
</code></pre></div></p>
<p>When using the <a href="/1.4/integrations/#linux">Linux integration</a>, plugins must be written to the <code>/opt/bunkerweb/plugins</code> folder :
<code>shell
git clone https://github.com/bunkerity/bunkerweb-plugins &amp;&amp; \
cp -rp ./bunkerweb-plugins/* /data/plugins</code></p>
</div>
</div>
</div>
@ -785,37 +785,37 @@ cp -rp ./bunkerweb-plugins/* /data/plugins
<p>If the documentation is not enough you can have a look at the existing source code of <a href="https://github.com/bunkerity/bunkerweb-plugins">official plugins</a> and the <a href="https://github.com/bunkerity/bunkerweb/tree/master/core">core plugins</a> (already included in BunkerWeb but they are plugins technically speaking).</p>
</div>
<p>The first step is to create a folder that will contain the plugin :</p>
<div class="highlight"><pre><span></span><code>mkdir myplugin <span class="o">&amp;&amp;</span> <span class="se">\</span>
<span class="nb">cd</span> myplugin
</code></pre></div>
<p><code>shell
mkdir myplugin &amp;&amp; \
cd myplugin</code></p>
<h3 id="metadata">Metadata</h3>
<p>A file named <strong>plugin.json</strong> and written at the root of the plugin folder must contain metadata about the plugin. Here is an example :</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;myplugin&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;order&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;My Plugin&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;description&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Just an example plugin.&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;1.0&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;settings&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;DUMMY_SETTING&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;context&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;multisite&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;default&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;1234&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;help&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Here is the help of the setting.&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;dummy-id&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;label&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Dummy setting&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;regex&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^.*$&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;text&quot;</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;jobs&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"></span>
<span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;my-job&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;file&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;my-job.py&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;every&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;hour&quot;</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">]</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p><code>json
{
"id": "myplugin",
"order": 42,
"name": "My Plugin",
"description": "Just an example plugin.",
"version": "1.0",
"settings": {
"DUMMY_SETTING": {
"context": "multisite",
"default": "1234",
"help": "Here is the help of the setting.",
"id": "dummy-id",
"label": "Dummy setting",
"regex": "^.*$",
"type": "text"
}
}
"jobs": [
{
"name": "my-job",
"file": "my-job.py",
"every": "hour"
}
]
}</code></p>
<p>Here are the details of the fields :</p>
<table>
<thead>
@ -970,49 +970,44 @@ cp -rp ./bunkerweb-plugins/* /data/plugins
</tbody>
</table>
<h3 id="configurations">Configurations</h3>
<p>You can add custom NGINX configurations by adding a folder named <strong>confs</strong> with content similar to the <a href="/quickstart-guide/#custom-configurations">custom configurations</a>. Each subfolder inside the <strong>confs</strong> will contain <a href="https://jinja.palletsprojects.com">jinja2</a> templates that will be generated and loaded at the corresponding context (<code>http</code>, <code>server-http</code> and <code>default-server-http</code>).</p>
<p>You can add custom NGINX configurations by adding a folder named <strong>confs</strong> with content similar to the <a href="/1.4/quickstart-guide/#custom-configurations">custom configurations</a>. Each subfolder inside the <strong>confs</strong> will contain <a href="https://jinja.palletsprojects.com">jinja2</a> templates that will be generated and loaded at the corresponding context (<code>http</code>, <code>server-http</code> and <code>default-server-http</code>).</p>
<p>Here is an example for a configuration template file inside the <strong>confs/server-http</strong> folder named <strong>example.conf</strong> :</p>
<div class="highlight"><pre><span></span><code>location /setting {
default_type &#39;text/plain&#39;;
<p><code>conf
location /setting {
default_type 'text/plain';
content_by_lua_block {
ngx.say(&#39;{{ DUMMY_SETTING }}&#39;)
ngx.say('{{ DUMMY_SETTING }}')
}
}
</code></pre></div>
}</code></p>
<p><code>{{ DUMMY_SETTING }}</code> will be replaced by the value of the <code>DUMMY_SETTING</code> chosen by the user of the plugin.</p>
<h3 id="lua">LUA</h3>
<h4 id="main-script">Main script</h4>
<p>Under the hood, BunkerWeb is using the <a href="https://github.com/openresty/lua-nginx-module">NGINX LUA module</a> to execute code within NGINX. Plugins that need to execute code must provide a lua file at the root directory of the plugin folder using the <code>id</code> value of <strong>plugin.json</strong> as its name. Here is an example named <strong>myplugin.lua</strong> :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">_M</span> <span class="o">=</span> <span class="p">{}</span>
<span class="n">_M</span><span class="p">.</span><span class="n">__index</span> <span class="o">=</span> <span class="n">_M</span>
<span class="kd">local</span> <span class="n">utils</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;utils&quot;</span>
<span class="kd">local</span> <span class="n">datastore</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;datastore&quot;</span>
<span class="kd">local</span> <span class="n">logger</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;logger&quot;</span>
<span class="kr">function</span> <span class="nc">_M</span><span class="p">.</span><span class="nf">new</span><span class="p">()</span>
<span class="kd">local</span> <span class="n">self</span> <span class="o">=</span> <span class="nb">setmetatable</span><span class="p">({},</span> <span class="n">_M</span><span class="p">)</span>
<span class="n">self</span><span class="p">.</span><span class="n">dummy</span> <span class="o">=</span> <span class="s2">&quot;dummy&quot;</span>
<span class="kr">return</span> <span class="n">self</span><span class="p">,</span> <span class="kc">nil</span>
<span class="kr">end</span>
<span class="kr">function</span> <span class="nc">_M</span><span class="p">:</span><span class="nf">init</span><span class="p">()</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;init called&quot;</span><span class="p">)</span>
<span class="kr">return</span> <span class="kc">true</span><span class="p">,</span> <span class="s2">&quot;success&quot;</span>
<span class="kr">end</span>
<span class="kr">function</span> <span class="nc">_M</span><span class="p">:</span><span class="nf">access</span><span class="p">()</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;access called&quot;</span><span class="p">)</span>
<span class="kr">return</span> <span class="kc">true</span><span class="p">,</span> <span class="s2">&quot;success&quot;</span><span class="p">,</span> <span class="kc">nil</span><span class="p">,</span> <span class="kc">nil</span>
<span class="kr">end</span>
<span class="kr">function</span> <span class="nc">_M</span><span class="p">:</span><span class="nf">log</span><span class="p">()</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;log called&quot;</span><span class="p">)</span>
<span class="kr">return</span> <span class="kc">true</span><span class="p">,</span> <span class="s2">&quot;success&quot;</span>
<span class="kr">end</span>
<span class="kr">return</span> <span class="n">_M</span>
</code></pre></div>
<p>```lua
local _M = {}
_M.__index = _M</p>
<p>local utils = require "utils"
local datastore = require "datastore"
local logger = require "logger"</p>
<p>function _M.new()
local self = setmetatable({}, _M)
self.dummy = "dummy"
return self, nil
end</p>
<p>function _M:init()
logger.log(ngx.NOTICE, "MYPLUGIN", "init called")
return true, "success"
end</p>
<p>function _M:access()
logger.log(ngx.NOTICE, "MYPLUGIN", "access called")
return true, "success", nil, nil
end</p>
<p>function _M:log()
logger.log(ngx.NOTICE, "MYPLUGIN", "log called")
return true, "success"
end</p>
<p>return _M
```</p>
<p>The 3 functions <code>init</code>, <code>access</code>, and <code>log</code> are automatically called during specific contexts. Here are the details of each function :</p>
<table>
<thead>
@ -1047,23 +1042,20 @@ cp -rp ./bunkerweb-plugins/* /data/plugins
<h4 id="libraries">Libraries</h4>
<p>All directives from <a href="https://github.com/openresty/lua-nginx-module">NGINX LUA module</a> are available. On top of that, you can use the LUA libraries included within BunkerWeb : see <a href="https://github.com/bunkerity/bunkerweb/blob/master/deps/clone.sh">this script</a> for the complete list.</p>
<p>If you need additional libraries, you can put them in the root folder of the plugin and access them by prefixing them with your plugin ID. Here is an example file named <strong>mylibrary.lua</strong> :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">_M</span> <span class="o">=</span> <span class="p">{}</span>
<span class="n">_M</span><span class="p">.</span><span class="n">dummy</span> <span class="o">=</span> <span class="kr">function</span> <span class="p">()</span>
<span class="kr">return</span> <span class="s2">&quot;dummy&quot;</span>
<span class="kr">end</span>
<span class="kr">return</span> <span class="n">_M</span>
</code></pre></div>
<p>```lua
local _M = {}</p>
<p>_M.dummy = function ()
return "dummy"
end</p>
<p>return _M
```</p>
<p>And here is how you can use it from the <strong>myplugin.lua</strong> file :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">mylibrary</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;myplugin.mylibrary&quot;</span>
<span class="p">...</span>
<span class="n">mylibrary</span><span class="p">.</span><span class="n">dummy</span><span class="p">()</span>
<span class="p">...</span>
</code></pre></div>
<p>```lua
local mylibrary = require "myplugin.mylibrary"</p>
<p>...</p>
<p>mylibrary.dummy()</p>
<p>...
```</p>
<h4 id="helpers">Helpers</h4>
<p>Some helpers modules provide common helpful functions :</p>
<ul>
@ -1072,40 +1064,39 @@ cp -rp ./bunkerweb-plugins/* /data/plugins
<li><strong>utils</strong> : various useful functions</li>
</ul>
<p>To access the functions, you first need to <strong>require</strong> the module :</p>
<div class="highlight"><pre><span></span><code><span class="p">...</span>
<span class="kd">local</span> <span class="n">utils</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;utils&quot;</span>
<span class="kd">local</span> <span class="n">datastore</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;datastore&quot;</span>
<span class="kd">local</span> <span class="n">logger</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">&quot;logger&quot;</span>
<span class="p">...</span>
</code></pre></div>
<p>```lua
...</p>
<p>local utils = require "utils"
local datastore = require "datastore"
local logger = require "logger"</p>
<p>...
```</p>
<p>Retrieve a setting value :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">value</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">utils</span><span class="p">:</span><span class="n">get_variable</span><span class="p">(</span><span class="s2">&quot;DUMMY_SETTING&quot;</span><span class="p">)</span>
<span class="kr">if</span> <span class="ow">not</span> <span class="n">value</span> <span class="kr">then</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;can&#39;t retrieve setting DUMMY_SETTING : &quot;</span> <span class="o">..</span> <span class="n">err</span><span class="p">)</span>
<span class="kr">else</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;DUMMY_SETTING = &quot;</span> <span class="o">..</span> <span class="n">value</span><span class="p">)</span>
<span class="kr">end</span>
</code></pre></div>
<p><code>lua
local value, err = utils:get_variable("DUMMY_SETTING")
if not value then
logger.log(ngx.ERR, "MYPLUGIN", "can't retrieve setting DUMMY_SETTING : " .. err)
else
logger.log(ngx.NOTICE, "MYPLUGIN", "DUMMY_SETTING = " .. value)
end</code></p>
<p>Store something in the cache :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">ok</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">datastore</span><span class="p">:</span><span class="n">set</span><span class="p">(</span><span class="s2">&quot;plugin_myplugin_something&quot;</span><span class="p">,</span> <span class="s2">&quot;somevalue&quot;</span><span class="p">)</span>
<span class="kr">if</span> <span class="ow">not</span> <span class="n">value</span> <span class="kr">then</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;can&#39;t save plugin_myplugin_something into datastore : &quot;</span> <span class="o">..</span> <span class="n">err</span><span class="p">)</span>
<span class="kr">else</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;successfully saved plugin_myplugin_something into datastore into datastore&quot;</span><span class="p">)</span>
<span class="kr">end</span>
</code></pre></div>
<p><code>lua
local ok, err = datastore:set("plugin_myplugin_something", "somevalue")
if not value then
logger.log(ngx.ERR, "MYPLUGIN", "can't save plugin_myplugin_something into datastore : " .. err)
else
logger.log(ngx.NOTICE, "MYPLUGIN", "successfully saved plugin_myplugin_something into datastore into datastore")
end</code></p>
<p>Check if an IP address is global :</p>
<div class="highlight"><pre><span></span><code><span class="kd">local</span> <span class="n">ret</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">utils</span><span class="p">.</span><span class="n">ip_is_global</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">remote_addr</span><span class="p">)</span>
<span class="kr">if</span> <span class="n">ret</span> <span class="o">==</span> <span class="kc">nil</span> <span class="kr">then</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">ERR</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;error while checking if IP &quot;</span> <span class="o">..</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">remote_addr</span> <span class="o">..</span> <span class="s2">&quot; is global or not : &quot;</span> <span class="o">..</span> <span class="n">err</span><span class="p">)</span>
<span class="kr">elseif</span> <span class="ow">not</span> <span class="n">ret</span> <span class="kr">then</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;IP &quot;</span> <span class="o">..</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">remote_addr</span> <span class="o">..</span> <span class="s2">&quot; is not global&quot;</span><span class="p">)</span>
<span class="kr">else</span>
<span class="n">logger</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="n">ngx</span><span class="p">.</span><span class="n">NOTICE</span><span class="p">,</span> <span class="s2">&quot;MYPLUGIN&quot;</span><span class="p">,</span> <span class="s2">&quot;IP &quot;</span> <span class="o">..</span> <span class="n">ngx</span><span class="p">.</span><span class="n">var</span><span class="p">.</span><span class="n">remote_addr</span> <span class="o">..</span> <span class="s2">&quot; is global&quot;</span><span class="p">)</span>
<span class="kr">end</span>
</code></pre></div>
<p><code>lua
local ret, err = utils.ip_is_global(ngx.var.remote_addr)
if ret == nil then
logger.log(ngx.ERR, "MYPLUGIN", "error while checking if IP " .. ngx.var.remote_addr .. " is global or not : " .. err)
elseif not ret then
logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is not global")
else
logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is global")
end</code></p>
<div class="admonition tip">
<p class="admonition-title">More examples</p>
<p>If you want to see the full list of available functions, you can have a look at the files present in the <a href="https://github.com/bunkerity/bunkerweb/tree/master/lua">lua directory</a> of the repository.</p>

1698
1.4/quickstart-guide/index.html
View File

File diff suppressed because it is too large Load Diff

2
1.4/search/search_index.json
View File

File diff suppressed because one or more lines are too long

22
1.4/security-tuning/index.html
View File

@ -804,10 +804,10 @@ documentation for the current version.
<h1 id="security-tuning">Security tuning</h1>
<p>BunkerWeb offers many security features that you can configure with <a href="/settings">settings</a>. Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.</p>
<p>BunkerWeb offers many security features that you can configure with <a href="/1.4/settings">settings</a>. Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.</p>
<div class="admonition tip">
<p class="admonition-title">Other settings</p>
<p>This section only focuses on security tuning, see the <a href="/settings">settings section</a> of the documentation for other settings.</p>
<p>This section only focuses on security tuning, see the <a href="/1.4/settings">settings section</a> of the documentation for other settings.</p>
</div>
<h2 id="http-protocol">HTTP protocol</h2>
<h3 id="default-server">Default server</h3>
@ -1033,25 +1033,25 @@ documentation for the current version.
</tbody>
</table>
<p>We strongly recommend keeping both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed with some efforts and the CRS team maintains a list of exclusions for common applications (e.g., WordPress, Nextcloud, Drupal, Cpanel, ...).</p>
<p>Tuning ModSecurity and the CRS can be done using <a href="/quickstart-guide/#custom-configurations">custom configurations</a> :</p>
<p>Tuning ModSecurity and the CRS can be done using <a href="/1.4/quickstart-guide/#custom-configurations">custom configurations</a> :</p>
<ul>
<li>modsec-crs : before the OWASP Core Rule Set is loaded</li>
<li>modsec : after the OWASP Core Rule Set is loaded (also used if CRS is not loaded)</li>
</ul>
<p>For example, you can add a custom configuration with type <code>modsec-crs</code> to add CRS exclusions :</p>
<div class="highlight"><pre><span></span><code>SecAction \
&quot;id:900130,\
<p><code>conf
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1&quot;
</code></pre></div>
setvar:tx.crs_exclusions_wordpress=1"</code></p>
<p>You can also add a custom configuration with type <code>modsec</code> to update loaded CRS rules :</p>
<div class="highlight"><pre><span></span><code>SecRule REQUEST_FILENAME &quot;/wp-admin/admin-ajax.php&quot; &quot;id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce&quot;
SecRule REQUEST_FILENAME &quot;/wp-admin/options.php&quot; &quot;id:2,ctl:ruleRemoveByTag=attack-xss&quot;
SecRule REQUEST_FILENAME &quot;^/wp-json/yoast&quot; &quot;id:3,ctl:ruleRemoveById=930120&quot;
</code></pre></div>
<p><code>conf
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"</code></p>
<h2 id="bad-behavior">Bad behavior</h2>
<p>When attackers search for and/or exploit vulnerabilities they might generate some "suspicious" HTTP status codes that a "regular" user wont generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come up with a new one.</p>
<p>That kind of security measure is implemented and enabled by default in BunkerWeb and is called "Bad behavior". Here is the list of the related settings :</p>

2
1.4/settings/index.html
View File

@ -791,7 +791,7 @@ documentation for the current version.
<p class="admonition-title">Settings generator tool</p>
<p>To help you tuning BunkerWeb we have made an easy to use settings generator tool available at <a href="https://config.bunkerweb.io">config.bunkerweb.io</a>.</p>
</div>
<p>This section contains the full list of settings supported by BunkerWeb. If you are not familiar with BunkerWeb, you should first read the <a href="/concepts">concepts</a> section of the documentation. Please follow the instructions for your own <a href="/integrations">integration</a> on how to apply the settings.</p>
<p>This section contains the full list of settings supported by BunkerWeb. If you are not familiar with BunkerWeb, you should first read the <a href="/1.4/concepts">concepts</a> section of the documentation. Please follow the instructions for your own <a href="/1.4/integrations">integration</a> on how to apply the settings.</p>
<p>As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server you will need to add the primary (first) server name as a prefix like <code>www.example.com_USE_ANTIBOT=captcha</code> or <code>myapp.example.com_USE_GZIP=yes</code> for example.</p>
<p>When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like <code>REVERSE_PROXY_URL_1=/subdir</code>, <code>REVERSE_PROXY_HOST_1=http://myhost1</code>, <code>REVERSE_PROXY_URL_2=/anotherdir</code>, <code>REVERSE_PROXY_HOST_2=http://myhost2</code>, ... for example.</p>
<h2 id="global-settings">Global settings</h2>

22
1.4/sitemap.xml
View File

@ -2,57 +2,57 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://docs.bunkerweb.io/1.4/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/about/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/concepts/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/integrations/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/migrating/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/plugins/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/quickstart-guide/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/security-tuning/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/settings/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/troubleshooting/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docs.bunkerweb.io/1.4/web-ui/</loc>
<lastmod>2022-06-03</lastmod>
<lastmod>2022-06-06</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>

BIN
1.4/sitemap.xml.gz
View File

Binary file not shown.

228
1.4/troubleshooting/index.html
View File

@ -644,66 +644,66 @@ documentation for the current version.
<div class="admonition tip">
<p class="admonition-title">List containers</p>
<p>To list the running containers you can use the following command :
<div class="highlight"><pre><span></span><code>docker ps
</code></pre></div></p>
<code>shell
docker ps</code></p>
</div>
<p>You can use the <code>docker logs</code> command (replace <code>mybunker</code> with the name of your container) :
<div class="highlight"><pre><span></span><code>docker logs mybunker
</code></pre></div></p>
<code>shell
docker logs mybunker</code></p>
<p>Here is the docker-compose equivalent (replace <code>mybunker</code> with the name of the services declared in the docker-compose.yml file) :
<div class="highlight"><pre><span></span><code>docker-compose logs mybunker
</code></pre></div></p>
<code>shell
docker-compose logs mybunker</code></p>
</div>
<div class="tabbed-block">
<div class="admonition tip">
<p class="admonition-title">List containers</p>
<p>To list the running containers you can use the following command :
<div class="highlight"><pre><span></span><code>docker ps
</code></pre></div></p>
<code>shell
docker ps</code></p>
</div>
<p>You can use the <code>docker logs</code> command (replace <code>mybunker</code> and <code>myautoconf</code> with the name of your containers) :
<div class="highlight"><pre><span></span><code>docker logs mybunker
docker logs myautoconf
</code></pre></div></p>
<code>shell
docker logs mybunker
docker logs myautoconf</code></p>
<p>Here is the docker-compose equivalent (replace <code>mybunker</code> and <code>myautoconf</code> with the name of the services declared in the docker-compose.yml file) :
<div class="highlight"><pre><span></span><code>docker-compose logs mybunker
docker-compose logs myautoconf
</code></pre></div></p>
<code>shell
docker-compose logs mybunker
docker-compose logs myautoconf</code></p>
</div>
<div class="tabbed-block">
<div class="admonition tip">
<p class="admonition-title">List services</p>
<p>To list the services you can use the following command :
<div class="highlight"><pre><span></span><code>docker service ls
</code></pre></div></p>
<code>shell
docker service ls</code></p>
</div>
<p>You can use the <code>docker service logs</code> command (replace <code>mybunker</code> and <code>myautoconf</code> my with the name of your services) :
<div class="highlight"><pre><span></span><code>docker service logs mybunker
docker service logs myautoconf
</code></pre></div></p>
<code>shell
docker service logs mybunker
docker service logs myautoconf</code></p>
</div>
<div class="tabbed-block">
<div class="admonition tip">
<p class="admonition-title">List pods</p>
<p>To list the pods you can use the following command :
<div class="highlight"><pre><span></span><code>kubectl get pods
</code></pre></div></p>
<code>shell
kubectl get pods</code></p>
</div>
<p>You can use the <code>kubectl logs</code> command (replace <code>mybunker</code> and <code>myautoconf</code> my with the name of your pods) :
<div class="highlight"><pre><span></span><code>kubectl logs mybunker
kubectl logs myautoconf
</code></pre></div></p>
<code>shell
kubectl logs mybunker
kubectl logs myautoconf</code></p>
</div>
<div class="tabbed-block">
<p>The logs are located inside the <code>/var/log/nginx</code> directory. There is two files :
<div class="highlight"><pre><span></span><code>cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
</code></pre></div></p>
<code>shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log</code></p>
</div>
</div>
</div>
<h2 id="permissions">Permissions</h2>
<p>Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb especially if you use custom configurations (more info <a href="/quickstart-guide/#custom-configurations">here</a>). You will need to set at least <strong>RW</strong> rights on files and <strong><em>RWX</em></strong> on folders.</p>
<p>Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb especially if you use custom configurations (more info <a href="/1.4/quickstart-guide/#custom-configurations">here</a>). You will need to set at least <strong>RW</strong> rights on files and <strong><em>RWX</em></strong> on folders.</p>
<h2 id="modsecurity">ModSecurity</h2>
<p>The default BunkerWeb configuration of ModSecurity is to load the Core Rule Set in anomaly scoring mode with a paranoia level (PL) of 1 :</p>
<ul>
@ -712,75 +712,75 @@ cat /var/log/nginx/access.log
<li>the default threshold for anomaly score is 5 for requests and 4 for responses</li>
</ul>
<p>Let's take the following logs as an example of ModSecurity detection using default configuration (formatted for better readability) :</p>
<div class="highlight"><pre><span></span><code>2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched &quot;Operator `PmFromFile&#39; with parameter `lfi-os-files.data&#39; against variable `ARGS:id&#39; (Value: `/etc/passwd&#39; )
[file &quot;/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf&quot;]
[line &quot;78&quot;]
[id &quot;930120&quot;]
[rev &quot;&quot;]
[msg &quot;OS File Access Attempt&quot;]
[data &quot;Matched Data: etc/passwd found within ARGS:id: /etc/passwd&quot;]
[severity &quot;2&quot;]
[ver &quot;OWASP_CRS/3.3.2&quot;]
[maturity &quot;0&quot;]
[accuracy &quot;0&quot;]
[tag &quot;application-multi&quot;]
[tag &quot;language-multi&quot;]
[tag &quot;platform-multi&quot;]
[tag &quot;attack-lfi&quot;]
[tag &quot;paranoia-level/1&quot;]
[tag &quot;OWASP_CRS&quot;]
[tag &quot;capec/1000/255/153/126&quot;]
[tag &quot;PCI/6.5.4&quot;]
[hostname &quot;172.17.0.2&quot;]
[uri &quot;/&quot;]
[unique_id &quot;165097447014.179282&quot;]
[ref &quot;o1,10v9,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase&quot;],
client: 172.17.0.1, server: localhost, request: &quot;GET /?id=/etc/passwd HTTP/1.1&quot;, host: &quot;localhost&quot;
2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched &quot;Operator `PmFromFile&#39; with parameter `unix-shell.data&#39; against variable `ARGS:id&#39; (Value: `/etc/passwd&#39; )
[file &quot;/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf&quot;]
[line &quot;480&quot;]
[id &quot;932160&quot;]
[rev &quot;&quot;]
[msg &quot;Remote Command Execution: Unix Shell Code Found&quot;]
[data &quot;Matched Data: etc/passwd found within ARGS:id: /etc/passwd&quot;]
[severity &quot;2&quot;]
[ver &quot;OWASP_CRS/3.3.2&quot;]
[maturity &quot;0&quot;]
[accuracy &quot;0&quot;]
[tag &quot;application-multi&quot;]
[tag &quot;language-shell&quot;]
[tag &quot;platform-unix&quot;]
[tag &quot;attack-rce&quot;]
[tag &quot;paranoia-level/1&quot;]
[tag &quot;OWASP_CRS&quot;]
[tag &quot;capec/1000/152/248/88&quot;]
[tag &quot;PCI/6.5.2&quot;]
[hostname &quot;172.17.0.2&quot;]
[uri &quot;/&quot;]
[unique_id &quot;165097447014.179282&quot;]
[ref &quot;o1,10v9,11t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase&quot;],
client: 172.17.0.1, server: localhost, request: &quot;GET /?id=/etc/passwd HTTP/1.1&quot;, host: &quot;localhost&quot;
2022/04/26 12:01:10 [error] 85#85: *11 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched &quot;Operator `Ge&#39; with parameter `5&#39; against variable `TX:ANOMALY_SCORE&#39; (Value: `10&#39; )
[file &quot;/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf&quot;]
[line &quot;80&quot;]
[id &quot;949110&quot;]
[rev &quot;&quot;]
[msg &quot;Inbound Anomaly Score Exceeded (Total Score: 10)&quot;]
[data &quot;&quot;]
[severity &quot;2&quot;]
[ver &quot;OWASP_CRS/3.3.2&quot;]
[maturity &quot;0&quot;]
[accuracy &quot;0&quot;]
[tag &quot;application-multi&quot;]
[tag &quot;language-multi&quot;]
[tag &quot;platform-multi&quot;]
[tag &quot;attack-generic&quot;]
[hostname &quot;172.17.0.2&quot;]
[uri &quot;/&quot;]
[unique_id &quot;165097447014.179282&quot;]
[ref &quot;&quot;],
client: 172.17.0.1, server: localhost, request: &quot;GET /?id=/etc/passwd HTTP/1.1&quot;, host: &quot;localhost&quot;
</code></pre></div>
<p><code>log
2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:id' (Value: `/etc/passwd' )
[file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
[line "78"]
[id "930120"]
[rev ""]
[msg "OS File Access Attempt"]
[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
[severity "2"]
[ver "OWASP_CRS/3.3.2"]
[maturity "0"]
[accuracy "0"]
[tag "application-multi"]
[tag "language-multi"]
[tag "platform-multi"]
[tag "attack-lfi"]
[tag "paranoia-level/1"]
[tag "OWASP_CRS"]
[tag "capec/1000/255/153/126"]
[tag "PCI/6.5.4"]
[hostname "172.17.0.2"]
[uri "/"]
[unique_id "165097447014.179282"]
[ref "o1,10v9,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:id' (Value: `/etc/passwd' )
[file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]
[line "480"]
[id "932160"]
[rev ""]
[msg "Remote Command Execution: Unix Shell Code Found"]
[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
[severity "2"]
[ver "OWASP_CRS/3.3.2"]
[maturity "0"]
[accuracy "0"]
[tag "application-multi"]
[tag "language-shell"]
[tag "platform-unix"]
[tag "attack-rce"]
[tag "paranoia-level/1"]
[tag "OWASP_CRS"]
[tag "capec/1000/152/248/88"]
[tag "PCI/6.5.2"]
[hostname "172.17.0.2"]
[uri "/"]
[unique_id "165097447014.179282"]
[ref "o1,10v9,11t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"],
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2022/04/26 12:01:10 [error] 85#85: *11 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' )
[file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
[line "80"]
[id "949110"]
[rev ""]
[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]
[data ""]
[severity "2"]
[ver "OWASP_CRS/3.3.2"]
[maturity "0"]
[accuracy "0"]
[tag "application-multi"]
[tag "language-multi"]
[tag "platform-multi"]
[tag "attack-generic"]
[hostname "172.17.0.2"]
[uri "/"]
[unique_id "165097447014.179282"]
[ref ""],
client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"</code></p>
<p>As we can see there are 3 different logs :</p>
<ol>
<li>Rule <strong>930120</strong> matched</li>
@ -788,48 +788,48 @@ cat /var/log/nginx/access.log
<li>Access denied (rule <strong>949110</strong>)</li>
</ol>
<p>One important thing to understand is that rule <strong>949110</strong> is not a "real" one : it's the one that will deny the request because the anomaly threshold is reached (which is <strong>10</strong> in this example). You should never remove the <strong>949110</strong> rule !</p>
<p>If it's a false-positive you should then focus on both <strong>930120</strong> and <strong>932160</strong> rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info <a href="/quickstart-guide/#custom-configurations">here</a>).</p>
<p>If it's a false-positive you should then focus on both <strong>930120</strong> and <strong>932160</strong> rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info <a href="/1.4/quickstart-guide/#custom-configurations">here</a>).</p>
<h2 id="bad-behavior">Bad Behavior</h2>
<p>A common false-positive case is that the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info <a href="/security-tuning/#bad-behavior">here</a>). You should start by reviewing the settings and edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...</p>
<p>A common false-positive case is that the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info <a href="/1.4/security-tuning/#bad-behavior">here</a>). You should start by reviewing the settings and edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...</p>
<h2 id="ip-unban">IP unban</h2>
<p>You can manually unban an IP which can be useful when doing some tests but it needs the setting <code>USE_API</code> set to <code>yes</code> (which is not the default) so you can contact the internal API of BunkerWeb (replace <code>1.2.3.4</code> with the IP address to unban) :</p>
<div class="tabbed-set tabbed-alternate" data-tabs="2:5"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><input id="__tabbed_2_3" name="__tabbed_2" type="radio" /><input id="__tabbed_2_4" name="__tabbed_2" type="radio" /><input id="__tabbed_2_5" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">Docker</label><label for="__tabbed_2_2">Docker autoconf</label><label for="__tabbed_2_3">Swarm</label><label for="__tabbed_2_4">Kubernetes</label><label for="__tabbed_2_5">Linux</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>You can use the <code>docker exec</code> command (replace <code>mybunker</code> with the name of your container) :
<div class="highlight"><pre><span></span><code>docker <span class="nb">exec</span> mybunker bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
docker exec mybunker bwcli unban 1.2.3.4</code></p>
<p>Here is the docker-compose equivalent (replace <code>mybunker</code> with the name of the services declared in the docker-compose.yml file) :
<div class="highlight"><pre><span></span><code>docker-compose <span class="nb">exec</span> mybunker bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
docker-compose exec mybunker bwcli unban 1.2.3.4</code></p>
</div>
<div class="tabbed-block">
<p>You can use the <code>docker exec</code> command (replace <code>mya</code> with the name of your container) :
<div class="highlight"><pre><span></span><code>docker <span class="nb">exec</span> mybunker bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
docker exec mybunker bwcli unban 1.2.3.4</code></p>
<p>Here is the docker-compose equivalent (replace <code>mybunker</code> with the name of the services declared in the docker-compose.yml file) :
<div class="highlight"><pre><span></span><code>docker-compose <span class="nb">exec</span> mybunker bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
docker-compose exec mybunker bwcli unban 1.2.3.4</code></p>
</div>
<div class="tabbed-block">
<p>You can use the <code>docker exec</code> command (replace <code>myautoconf</code> with the name of your service) :
<div class="highlight"><pre><span></span><code>docker <span class="nb">exec</span> <span class="k">$(</span>docker ps -q -f <span class="nv">name</span><span class="o">=</span>myautoconf<span class="k">)</span> bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
docker exec $(docker ps -q -f name=myautoconf) bwcli unban 1.2.3.4</code></p>
</div>
<div class="tabbed-block">
<p>You can use the <code>kubectl exec</code> command (replace <code>myautoconf</code> with the name of your pod) :
<div class="highlight"><pre><span></span><code>kubectl <span class="nb">exec</span> myautoconf bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
kubectl exec myautoconf bwcli unban 1.2.3.4</code></p>
</div>
<div class="tabbed-block">
<p>You can use the <code>bwcli</code> command :
<div class="highlight"><pre><span></span><code>bwcli unban <span class="m">1</span>.2.3.4
</code></pre></div></p>
<code>shell
bwcli unban 1.2.3.4</code></p>
</div>
</div>
</div>
<h2 id="whitelisting">Whitelisting</h2>
<p>If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist it using the <a href="/security-tuning/#blacklisting-and-whitelisting">whitelisting feature</a>. We don't recommend using the <code>WHITELIST_URI*</code> or <code>WHITELIST_USER_AGENT*</code> settings unless they are set to secret and unpredictable values. Common use cases are :</p>
<p>If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist it using the <a href="/1.4/security-tuning/#blacklisting-and-whitelisting">whitelisting feature</a>. We don't recommend using the <code>WHITELIST_URI*</code> or <code>WHITELIST_USER_AGENT*</code> settings unless they are set to secret and unpredictable values. Common use cases are :</p>
<ul>
<li>Healthcheck / status bot</li>
<li>Callback like IPN or webhook</li>

241
1.4/web-ui/index.html
View File

@ -641,12 +641,12 @@ documentation for the current version.
<li>Choose a strong password for the login</li>
<li>Put the web UI under a "hard to guess" URI</li>
<li>Do not open the web UI on the Internet without any further restrictions</li>
<li>Apply settings listed in the <a href="/security-tuning/">security tuning section</a> of the documentation</li>
<li>Apply settings listed in the <a href="/1.4/security-tuning/">security tuning section</a> of the documentation</li>
</ul>
</div>
<div class="admonition info">
<p class="admonition-title">Multisite mode</p>
<p>The installation of the web UI implies enabling the <a href="/concepts/#multisite-mode">multisite mode</a>.</p>
<p>The installation of the web UI implies enabling the <a href="/1.4/concepts/#multisite-mode">multisite mode</a>.</p>
</div>
<div class="admonition info">
<p class="admonition-title">UI specific env variables</p>
@ -658,36 +658,36 @@ documentation for the current version.
<div class="tabbed-set tabbed-alternate" data-tabs="1:2"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">Docker</label><label for="__tabbed_1_2">Linux</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>When using the <a href="/integrations/#docker">Docker integration</a>, we recommend you to connect the BunkerWeb and web UI using a dedicated network and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the <a href="https://hub.docker.com/r/bunkerity/bunkerweb-ui">bunkerweb-ui image</a>.</p>
<p>When using the <a href="/1.4/integrations/#docker">Docker integration</a>, we recommend you to connect the BunkerWeb and web UI using a dedicated network and use another dedicated network for the communications between BunkerWeb and your web applications. The web UI can be deployed using a dedicated container based on the <a href="https://hub.docker.com/r/bunkerity/bunkerweb-ui">bunkerweb-ui image</a>.</p>
<p>Let's start by creating the networks (replace 10.20.30.0/24 with an unused network of your choice) :
<div class="highlight"><pre><span></span><code>docker network create --subnet <span class="m">10</span>.20.30.0/24 bw-ui <span class="o">&amp;&amp;</span> <span class="se">\</span>
docker network create bw-services
</code></pre></div></p>
<code>shell
docker network create --subnet 10.20.30.0/24 bw-ui &amp;&amp; \
docker network create bw-services</code></p>
<p>You will also need two volumes, one for the BunkerWeb data and another one to share the configuration files between the web UI and BunkerWeb :
<div class="highlight"><pre><span></span><code>docker volume create bw-data <span class="o">&amp;&amp;</span> <span class="se">\</span>
docker volume create bw-confs
</code></pre></div></p>
<code>shell
docker volume create bw-data &amp;&amp; \
docker volume create bw-confs</code></p>
<p>You can now create the BunkerWeb container with specific settings and volumes related to the web UI, please note the special <code>bunkerweb.UI</code> label which is mandatory :
<div class="highlight"><pre><span></span><code>docker run -d <span class="se">\</span>
<code>shell
docker run -d \
--name mybunker
--network bw-services <span class="se">\</span>
-p <span class="m">80</span>:8080 <span class="se">\</span>
-p <span class="m">443</span>:8443 <span class="se">\</span>
-v bw-data:/data <span class="se">\</span>
-v bw-confs:/etc/nginx <span class="se">\</span>
-e <span class="nv">SERVER_NAME</span><span class="o">=</span>bwadm.example.com <span class="se">\</span>
-e <span class="nv">MULTISITE</span><span class="o">=</span>yes <span class="se">\</span>
-e <span class="s2">&quot;API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24&quot;</span> <span class="se">\</span>
-e bwadm.example.com_USE_UI<span class="o">=</span>yes <span class="se">\</span>
-e bwadm.example.com_USE_REVERSE_PROXY<span class="o">=</span>yes <span class="se">\</span>
-e bwadm.example.com_REVERSE_PROXY_URL<span class="o">=</span>/changeme <span class="se">\</span>
-e bwadm.example.com_REVERSE_PROXY_HOST<span class="o">=</span>http://myui:7000 <span class="se">\</span>
-e <span class="s2">&quot;bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme&quot;</span> <span class="se">\</span>
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS<span class="o">=</span>no <span class="se">\</span>
-l bunkerweb.UI <span class="se">\</span>
bunkerity/bunkerweb:1.4.0 <span class="o">&amp;&amp;</span> <span class="se">\</span>
docker network connect bw-ui mybunker
</code></pre></div></p>
--network bw-services \
-p 80:8080 \
-p 443:8443 \
-v bw-data:/data \
-v bw-confs:/etc/nginx \
-e SERVER_NAME=bwadm.example.com \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-e bwadm.example.com_USE_UI=yes \
-e bwadm.example.com_USE_REVERSE_PROXY=yes \
-e bwadm.example.com_REVERSE_PROXY_URL=/changeme \
-e bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000 \
-e "bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.0 &amp;&amp; \
docker network connect bw-ui mybunker</code></p>
<p>Important things to note :</p>
<ul>
<li><code>bwadm.example.com</code> is the dedicated (sub)domain for accessing the web UI</li>
@ -697,103 +697,99 @@ docker network connect bw-ui mybunker
</ul>
<p>The web UI will need to access the Docker API in order to get metadata about the running containers. It can be done easily by mounting the <strong>docker.sock</strong> file into the container. But there is a security risk : if the web UI is exploited, all your container(s) and the host will be impacted because, at the moment, Docker doesn't provide any restriction feature. We highly recommend using something like a <a href="https://github.com/Tecnativa/docker-socket-proxy">docker socket proxy</a> to mitigate that risk (only a subset of read-only API endpoints will be available to the web UI container).</p>
<p>To connect the docker socket proxy and the web UI, you will need another network :
<div class="highlight"><pre><span></span><code>docker network create bw-docker
</code></pre></div></p>
<code>shell
docker network create bw-docker</code></p>
<p>Once the network is created, you can now create the docker socket proxy container :
<div class="highlight"><pre><span></span><code>docker run -d <span class="se">\</span>
--name mydocker <span class="se">\</span>
--network bw-docker <span class="se">\</span>
--privileged <span class="se">\</span>
-v /var/run/docker.sock:/var/run/docker.sock:ro <span class="se">\</span>
tecnativa/docker-socket-proxy
</code></pre></div></p>
<code>shell
docker run -d \
--name mydocker \
--network bw-docker \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
tecnativa/docker-socket-proxy</code></p>
<p>We can finally create the web UI container :
<div class="highlight"><pre><span></span><code>docker run -d <span class="se">\</span>
--name myui <span class="se">\</span>
--network bw-ui <span class="se">\</span>
-v bw-data:/data <span class="se">\</span>
-v bw-confs:/etc/nginx <span class="se">\</span>
-e <span class="nv">DOCKER_HOST</span><span class="o">=</span>tcp://mydocker:2375 <span class="se">\</span>
-e <span class="nv">ADMIN_USERNAME</span><span class="o">=</span>admin <span class="se">\</span>
-e <span class="nv">ADMIN_PASSWORD</span><span class="o">=</span>changeme <span class="se">\</span>
-e <span class="nv">ABSOLUTE_URI</span><span class="o">=</span>http<span class="o">(</span>s<span class="o">)</span>://bwadm.example.com/changeme/
bunkerity/bunkerweb-ui:1.4.0 <span class="o">&amp;&amp;</span> <span class="se">\</span>
docker network connect bw-docker myui
</code></pre></div></p>
<code>shell
docker run -d \
--name myui \
--network bw-ui \
-v bw-data:/data \
-v bw-confs:/etc/nginx \
-e DOCKER_HOST=tcp://mydocker:2375 \
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
bunkerity/bunkerweb-ui:1.4.0 &amp;&amp; \
docker network connect bw-docker myui</code></p>
<p>Important things to note :</p>
<ul>
<li><code>http(s)://bwadmin.example.com/changeme/</code> is the full base URL of the web UI (must match the sub(domain) and /changeme URL used when creating the BunkerWeb container)</li>
<li>Replace the username <code>admin</code> and password <code>changeme</code> with strong ones</li>
</ul>
<p>Here is the docker-compose equivalent :
<div class="highlight"><pre><span></span><code><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;3&#39;</span><span class="w"></span>
<span class="nt">services</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">mybunker</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bunkerity/bunkerweb:1.4.0</span><span class="w"></span>
<span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-services</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-ui</span><span class="w"></span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80:8080</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-data:/data</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-confs:/etc/nginx</span><span class="w"></span>
<span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SERVER_NAME=bwadm.example.com</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MULTISITE=yes</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_USE_UI=yes</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_USE_REVERSE_PROXY=yes</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_REVERSE_PROXY_URL=/changeme/</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no</span><span class="w"></span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;bunkerweb.UI&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">myui</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bunkerity/bunkerweb-ui:1.4.0</span><span class="w"></span>
<span class="w"> </span><span class="nt">depends_on</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mydocker</span><span class="w"></span>
<span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-ui</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-docker</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-data:/data</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-confs:/etc/nginx</span><span class="w"></span>
<span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DOCKER_HOST=tcp://mydocker:2375</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ADMIN_USERNAME=admin</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ADMIN_PASSWORD=changeme</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/</span><span class="w"></span>
<span class="w"> </span><span class="nt">mydocker</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tecnativa/docker-socket-proxy</span><span class="w"></span>
<span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bw-docker</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/run/docker.sock:/var/run/docker.sock:ro</span><span class="w"></span>
<span class="nt">networks</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">bw-services</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">bw-ui</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">ipam</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"></span>
<span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">subnet</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10.20.30.0/24</span><span class="w"></span>
<span class="w"> </span><span class="nt">bw-docker</span><span class="p">:</span><span class="w"></span>
<span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">bw-data</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">bw-confs</span><span class="p">:</span><span class="w"></span>
</code></pre></div></p>
```yaml
version: '3'</p>
<p>services:</p>
<p>mybunker:
image: bunkerity/bunkerweb:1.4.0
networks:
- bw-services
- bw-ui
ports:
- 80:8080
volumes:
- bw-data:/data
- bw-confs:/etc/nginx
environment:
- SERVER_NAME=bwadm.example.com
- MULTISITE=yes
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- bwadm.example.com_USE_UI=yes
- bwadm.example.com_USE_REVERSE_PROXY=yes
- bwadm.example.com_REVERSE_PROXY_URL=/changeme/
- bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000
- bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
labels:
- "bunkerweb.UI"</p>
<p>myui:
image: bunkerity/bunkerweb-ui:1.4.0
depends_on:
- mydocker
networks:
- bw-ui
- bw-docker
volumes:
- bw-data:/data
- bw-confs:/etc/nginx
environment:
- DOCKER_HOST=tcp://mydocker:2375
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/</p>
<p>mydocker:
image: tecnativa/docker-socket-proxy
networks:
- bw-docker
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro</p>
<p>networks:
bw-services:
bw-ui:
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:</p>
<p>volumes:
bw-data:
bw-confs:
```</p>
</div>
<div class="tabbed-block">
<p>The installation of the web UI using the <a href="/integrations/#linux">Linux integration</a> is pretty straightforward because it is installed with BunkerWeb.</p>
<p>The installation of the web UI using the <a href="/1.4/integrations/#linux">Linux integration</a> is pretty straightforward because it is installed with BunkerWeb.</p>
<p>The first thing to do is to edit the BunkerWeb configuration located at <strong>/opt/bunkerweb/variables.env</strong> to add settings related to the web UI :
<div class="highlight"><pre><span></span><code>HTTP_PORT=80
<code>conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
...
@ -807,29 +803,28 @@ bwadm.example.com_REVERSE_PROXY_URL=/changeme
bwadm.example.com_REVERSE_PROXY_HOST=http://myui:7000
bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme
bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
...
</code></pre></div></p>
...</code></p>
<p>Important things to note :</p>
<ul>
<li><code>bwadm.example.com</code> is the dedicated (sub)domain for accessing the web UI</li>
<li>replace the <code>/changeme</code> URL with a custom one of your choice</li>
</ul>
<p>Once the configuration file is edited, you will need to reload BunkerWeb :
<div class="highlight"><pre><span></span><code>systemctl reload bunkerweb
</code></pre></div></p>
<code>shell
systemctl reload bunkerweb</code></p>
<p>You can edit the <strong>/opt/bunkerweb/ui.env</strong> file containing the settings of the web UI :
<div class="highlight"><pre><span></span><code>ADMIN_USERNAME=admin
<code>conf
ADMIN_USERNAME=admin
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
</code></pre></div></p>
ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/</code></p>
<p>Important things to note :</p>
<ul>
<li><code>http(s)://bwadmin.example.com/changeme/</code> is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in <strong>/opt/bunkerweb/variables.env</strong>)</li>
<li>replace the username <code>admin</code> and password <code>changeme</code> with strong ones</li>
</ul>
<p>Restart the BunkerWeb UI service and you are now ready to access it :
<div class="highlight"><pre><span></span><code>systemctl restart bunkerweb-ui
</code></pre></div></p>
<code>shell
systemctl restart bunkerweb-ui</code></p>
</div>
</div>
</div>