diff --git a/README.md b/README.md index 41281cc..af7423d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@
-
+
@@ -29,7 +29,7 @@
bunkerized-nginx is a web server based on the notorious nginx and focused on security. It integrates into existing environments (Linux, Docker, Swarm, Kubernetes, ...) to make your web services "secure by default" without any hassle. The security best practices are automatically applied for you while keeping control of every settings to meet your own use case.
-
+
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
@@ -46,7 +46,7 @@ Non-exhaustive list of features :
Fooling automated tools/scanners :
-
+
You can find a live demo at [https://demo-nginx.bunkerity.com](https://demo-nginx.bunkerity.com), feel free to do some security tests.
@@ -91,7 +91,7 @@ $ docker build -t bunkerized-nginx .
To use bunkerized-nginx as a Docker container you have to pass specific environment variables, mount volumes and redirect ports to make it accessible from the outside.
-
+
You will find more information about Docker integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker).
@@ -99,7 +99,7 @@ You will find more information about Docker integration in the [documentation](h
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called bunkerized-nginx-autoconf which will listen for Docker events and automatically configure bunkerized-nginx instance in real time without recreating the container. Instead of defining environment variables for the bunkerized-nginx container, you simply add labels to your web services and bunkerized-nginx-autoconf will "automagically" take care of the rest.
-
+
You will find more information about Docker autoconf feature in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-autoconf).
@@ -107,7 +107,7 @@ You will find more information about Docker autoconf feature in the [documentati
Using bunkerized-nginx in a Docker Swarm cluster requires a shared folder accessible from both managers and workers (anything like NFS, GlusterFS, CephFS or even SSHFS will work). The deployment and configuration is very similar to the "Docker autoconf" one but with services instead of containers. A service based on the bunkerized-nginx-autoconf image needs to be scheduled on a manager node (don't worry it doesn't expose any network port for obvious security reasons). This service will listen for Docker Swarm events like service creation or deletion and generate the configuration according to the labels of each service. Once configuration generation is done, the bunkerized-nginx-autoconf service will send a reload order to all the bunkerized-nginx tasks so they can load the new configuration.
-
+
You will find more information about Docker Swarm integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-swarm).
@@ -117,7 +117,7 @@ You will find more information about Docker Swarm integration in the [documentat
Using bunkerized-nginx in a Kubernetes cluster requires a shared folder accessible from the nodes (anything like NFS, GlusterFS, CephFS or even SSHFS will work). The bunkerized-nginx-autoconf acts as an Ingress Controller and connects to the k8s API to get cluster events and generate a new configuration when it's needed. Once the configuration is generated, the Ingress Controller sends a reload order to the bunkerized-nginx instances running in the cluster.
-
+
You will find more information about Kubernetes integration in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#kubernetes).
@@ -195,7 +195,7 @@ You will find more information about the special folders in the [documentation](
# Web UI
-
+
You will find more information about the web UI in the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/web_ui.html).
diff --git a/VERSION b/VERSION
index c04c650..f0bb29e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.2.7
+1.3.0
diff --git a/docs/conf.py b/docs/conf.py
index 8644d9e..2cf9480 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -50,7 +50,7 @@ copyright = '2021, bunkerity'
author = 'bunkerity'
# The full version, including alpha/beta/rc tags
-release = 'v1.2.7'
+release = 'v1.3.0'
# -- General configuration ---------------------------------------------------
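Review bot: `release = 'v1.3.0'` in docs/conf.py repeats the value held in VERSION (`1.3.0`) in a different format (leading `v`), so the two files have to be bumped by hand in the same commit. Consider having conf.py read VERSION and prepend the `v`, so the docs cannot be published with a stale release string.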
diff --git a/docs/integrations.md b/docs/integrations.md
index 439220d..21d2ae9 100644
--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -16,7 +16,7 @@ $ docker build -t bunkerized-nginx .
To use bunkerized-nginx as a Docker container you have to pass specific environment variables, mount volumes and redirect ports to make it accessible from the outside.
-
+
To demonstrate the use of the Docker image, we will create a simple "Hello World" static file that will be served by bunkerized-nginx.
@@ -106,7 +106,7 @@ services:
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called bunkerized-nginx-autoconf which will listen for Docker events and automatically configure bunkerized-nginx instance in real time without recreating the container. Instead of defining environment variables for the bunkerized-nginx container, you simply add labels to your web services and bunkerized-nginx-autoconf will "automagically" take care of the rest.
-
+
First of all, you will need a network to allow communication between bunkerized-nginx and your web services :
```shell
@@ -243,7 +243,7 @@ When your container is not needed anymore, you can delete it as usual. The autoc
Using bunkerized-nginx in a Docker Swarm cluster requires a shared folder accessible from both managers and workers (anything like NFS, GlusterFS, CephFS or even SSHFS will work). The deployment and configuration is very similar to the "Docker autoconf" one but with services instead of containers. A service based on the bunkerized-nginx-autoconf image needs to be scheduled on a manager node (don't worry it doesn't expose any network port for obvious security reasons). This service will listen for Docker Swarm events like service creation or deletion and generate the configuration according to the labels of each service. Once configuration generation is done, the bunkerized-nginx-autoconf service will send a reload order to all the bunkerized-nginx tasks so they can load the new configuration.
-
+
**We will assume that a shared directory is mounted at the /shared location on both your managers and workers. Keep in mind that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolders in /shared accordingly.**
@@ -429,7 +429,7 @@ When your service is not needed anymore, you can delete it as usual. The autocon
Using bunkerized-nginx in a Kubernetes cluster requires a shared folder accessible from the nodes (anything like NFS, GlusterFS, CephFS or even SSHFS will work). The bunkerized-nginx-autoconf acts as an Ingress Controller and connects to the k8s API to get cluster events and generate a new configuration when it's needed. Once the configuration is generated, the Ingress Controller sends a reload order to the bunkerized-nginx instances running in the cluster.
-
+
**We will assume that a shared directory is mounted at the /shared location on your nodes. Keep in mind that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolders in /shared accordingly.**
@@ -726,12 +726,12 @@ Unlike containers, Linux integration can be tedious because bunkerized-nginx has
First of all you will need to install bunkerized-nginx. The recommended way is to use the official installer script :
```shell
-$ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.sh
+$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh -o /tmp/bunkerized-nginx.sh
```
Before executing it, you should also check the signature :
```shell
-$ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.sh.asc
+$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh.asc -o /tmp/bunkerized-nginx.sh.asc
$ gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com
$ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh
```
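Review bot: The signature check gives the reader no fingerprint to compare against. `gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com` fetches the key by e-mail address only, and the `.asc` is served from the same release as the script, so the check is only as strong as the key lookup. Suggest publishing the full signing-key fingerprint next to these commands and telling the reader to compare it with the fingerprint printed by `gpg --verify` before executing `/tmp/bunkerized-nginx.sh`. Separately, both new URLs hard-code `v1.3.0`, so this block needs an edit at every release; add it to the release checklist or template it from VERSION.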
diff --git a/docs/introduction.md b/docs/introduction.md
index daa0280..c6de173 100644
--- a/docs/introduction.md
+++ b/docs/introduction.md
@@ -1,14 +1,14 @@
# Introduction
-
+
+
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
@@ -25,6 +25,6 @@ Non-exhaustive list of features :
Fooling automated tools/scanners :
-
+
You can find a live demo at [https://demo-nginx.bunkerity.com](https://demo-nginx.bunkerity.com), feel free to do some security tests.
diff --git a/docs/security_tuning.md b/docs/security_tuning.md
index 01d7f04..ccb0690 100644
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@@ -95,7 +95,7 @@ ModSecurity is integrated and enabled by default alongside the OWASP Core Rule S
We strongly recommend to keep both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed easily and the CRS team maintains a list of exclusions for common application (e.g., wordpress, nextcloud, drupal, cpanel, ...).
-Tuning the CRS with bunkerized-nginx is pretty simple : you can add configuration before and after the rules are loaded. You just need to mount your .conf files into the `/modsec-crs-confs` (before CRS is loaded) and `/modsec-confs` (after CRS is loaded) volumes. If you are using Linux integration the [special folders](https://bunkerized-nginx.readthedocs.io/en/dev/special_folders.html) are `/opt/bunkerized-nginx/modsec-confs` and `/opt/bunkerized-nginx/modsec-crs-confs`.
+Tuning the CRS with bunkerized-nginx is pretty simple : you can add configuration before and after the rules are loaded. You just need to mount your .conf files into the `/modsec-crs-confs` (before CRS is loaded) and `/modsec-confs` (after CRS is loaded) volumes. If you are using Linux integration the [special folders](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html) are `/opt/bunkerized-nginx/modsec-confs` and `/opt/bunkerized-nginx/modsec-crs-confs`.
Here is a Docker example to illustrate it :
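Review bot: On the changed line the Linux special folders are listed in the opposite order to the Docker volumes and without the before/after labels. The Docker volumes read `/modsec-crs-confs` (before CRS is loaded) then `/modsec-confs` (after CRS is loaded), while the Linux paths read `/opt/bunkerized-nginx/modsec-confs` then `/opt/bunkerized-nginx/modsec-crs-confs`. A reader mapping one list onto the other can put exclusions in the wrong folder. Suggest listing `/opt/bunkerized-nginx/modsec-crs-confs` first and repeating the "before CRS is loaded" and "after CRS is loaded" labels for the Linux paths.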
diff --git a/docs/web_ui.md b/docs/web_ui.md
index c72cc40..fdb446f 100644
--- a/docs/web_ui.md
+++ b/docs/web_ui.md
@@ -2,7 +2,7 @@
## Overview
-
+
## Usage
diff --git a/examples/authelia/README.md b/examples/authelia/README.md
index 4f69af3..2c46e23 100644
--- a/examples/authelia/README.md
+++ b/examples/authelia/README.md
@@ -8,7 +8,7 @@ We will assume that you already have some basic knownledges about Authelia. If t
## Architecture
-
+
## Configuration
diff --git a/examples/autoconf-php/README.md b/examples/autoconf-php/README.md
index bb82afd..ebd1ef7 100644
--- a/examples/autoconf-php/README.md
+++ b/examples/autoconf-php/README.md
@@ -4,7 +4,7 @@ Quickly deploy PHP app on Docker containers without restarting bunkerized-nginx.
## Architecture
-
+
## Autoconf
diff --git a/examples/autoconf-reverse-proxy/README.md b/examples/autoconf-reverse-proxy/README.md
index 7feb8f2..910d2ce 100644
--- a/examples/autoconf-reverse-proxy/README.md
+++ b/examples/autoconf-reverse-proxy/README.md
@@ -4,7 +4,7 @@ Quickly deploy web app on Docker containers without restarting bunkerized-nginx.
## Architecture
-
+
## Autoconf
diff --git a/examples/basic-website-with-php/README.md b/examples/basic-website-with-php/README.md
index 20c433a..035c280 100644
--- a/examples/basic-website-with-php/README.md
+++ b/examples/basic-website-with-php/README.md
@@ -4,7 +4,7 @@ This is a basic example for a typical PHP website/app.
## Architecture
-
+
## Docker
diff --git a/examples/certbot-cloudflare/README.md b/examples/certbot-cloudflare/README.md
index 3ab3ea3..d2cf3ff 100644
--- a/examples/certbot-cloudflare/README.md
+++ b/examples/certbot-cloudflare/README.md
@@ -8,7 +8,7 @@ We will assume that you already have some basic knowledges about Cloudflare. If
## Architecture
-
+
## Configuration
diff --git a/examples/certbot-wildcard/README.md b/examples/certbot-wildcard/README.md
index c1cc1aa..cc4fd60 100644
--- a/examples/certbot-wildcard/README.md
+++ b/examples/certbot-wildcard/README.md
@@ -8,7 +8,7 @@ We will assume that you already have some basic knowledges about Let's Encrypt D
## Architecture
-
+
## Configuration
diff --git a/examples/clamav/README.md b/examples/clamav/README.md
index 638b99c..1a56557 100644
--- a/examples/clamav/README.md
+++ b/examples/clamav/README.md
@@ -8,7 +8,7 @@ This example uses a bunkerized-nginx plugin, you can have a look at the [documen
## Architecture
-
+
## Configuration
diff --git a/examples/crowdsec/README.md b/examples/crowdsec/README.md
index 8afd603..d40e2b9 100644
--- a/examples/crowdsec/README.md
+++ b/examples/crowdsec/README.md
@@ -8,7 +8,7 @@ This example uses a bunkerized-nginx plugin, you can have a look at the [documen
## Architecture
-
+
## Configuration
diff --git a/examples/ghost/README.md b/examples/ghost/README.md
index 4a42b35..668fa4f 100644
--- a/examples/ghost/README.md
+++ b/examples/ghost/README.md
@@ -4,7 +4,7 @@ Ghost is a free and open source blogging platform written in JavaScript and dist
## Architecture
-
+
## Docker
diff --git a/examples/gogs/README.md b/examples/gogs/README.md
index 1021743..87b950d 100644
--- a/examples/gogs/README.md
+++ b/examples/gogs/README.md
@@ -4,7 +4,7 @@ Gogs is an easy to install, cross-platform and lightweight self-hosted Git servi
## Architecture
-
+
## Configuration
diff --git a/examples/hardened/README.md b/examples/hardened/README.md
index 65f5880..647c4ad 100644
--- a/examples/hardened/README.md
+++ b/examples/hardened/README.md
@@ -4,7 +4,7 @@ Example on how you can harden the container executing bunkerized-nginx. See the
## Architecture
-
+
## Docker
diff --git a/examples/joomla/README.md b/examples/joomla/README.md
index e12ca64..519f73b 100644
--- a/examples/joomla/README.md
+++ b/examples/joomla/README.md
@@ -4,7 +4,7 @@ Joomla is a free and open-source content management system (CMS) for publishing
## Architecture
-
+
## Docker
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index 0db9ede..dc795e5 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -4,7 +4,7 @@ Basic examples on how to use bunkerized-nginx within a Kubernetes cluster. See t
## Architecture
-
+
## Kubernetes
diff --git a/examples/load-balancer/README.md b/examples/load-balancer/README.md
index 53fdb13..5ec1107 100644
--- a/examples/load-balancer/README.md
+++ b/examples/load-balancer/README.md
@@ -4,7 +4,7 @@ Simple example on how to load balance requests to multiple backends.
## Architecture
-
+
## Configuration
diff --git a/examples/moodle/README.md b/examples/moodle/README.md
index afe70a3..4d44907 100644
--- a/examples/moodle/README.md
+++ b/examples/moodle/README.md
@@ -4,7 +4,7 @@ Moodle is a free and open-source learning management system (LMS) written in PHP
## Architecture
-
+
## Docker
diff --git a/examples/multisite-basic/README.md b/examples/multisite-basic/README.md
index e9a7b4c..865eb32 100644
--- a/examples/multisite-basic/README.md
+++ b/examples/multisite-basic/README.md
@@ -4,7 +4,7 @@ This is a basic example for hosting multiple web services.
## Architecture
-
+
## Docker
diff --git a/examples/multisite-custom-confs/README.md b/examples/multisite-custom-confs/README.md
index 7b05e17..ca9d345 100644
--- a/examples/multisite-custom-confs/README.md
+++ b/examples/multisite-custom-confs/README.md
@@ -4,7 +4,7 @@ This is a basic example for hosting multiple web services with custom configurat
## Architecture
-
+
## Docker
diff --git a/examples/multisite-custom-subfolders/README.md b/examples/multisite-custom-subfolders/README.md
index 6f4216b..8ced7af 100644
--- a/examples/multisite-custom-subfolders/README.md
+++ b/examples/multisite-custom-subfolders/README.md
@@ -4,7 +4,7 @@ This is a basic example for hosting multiple web services with custom subfolders
## Architecture
-
+
## Docker
diff --git a/examples/nextcloud/README.md b/examples/nextcloud/README.md
index e3bf12e..0c817f5 100644
--- a/examples/nextcloud/README.md
+++ b/examples/nextcloud/README.md
@@ -4,7 +4,7 @@ Nextcloud is a suite of client-server software for creating and using file hosti
## Architecture
-
+
## Docker
diff --git a/examples/passbolt/README.md b/examples/passbolt/README.md
index 88e630f..4e6394d 100644
--- a/examples/passbolt/README.md
+++ b/examples/passbolt/README.md
@@ -4,7 +4,7 @@ Passbolt is a free open source password manager for teams. See the official [web
## Architecture
-
+
## Docker
diff --git a/examples/prestashop/README.md b/examples/prestashop/README.md
index da82623..aef395f 100644
--- a/examples/prestashop/README.md
+++ b/examples/prestashop/README.md
@@ -4,7 +4,7 @@ PrestaShop is a freemium, open source e-commerce platform. See the official [web
## Architecture
-
+
## Docker
diff --git a/examples/redmine/README.md b/examples/redmine/README.md
index 39563a1..00640f2 100644
--- a/examples/redmine/README.md
+++ b/examples/redmine/README.md
@@ -4,7 +4,7 @@ Redmine is a free and open source, web-based project management and issue tracki
## Architecture
-
+
## Docker
diff --git a/examples/reverse-proxy-multisite/README.md b/examples/reverse-proxy-multisite/README.md
index db2f60b..6f242e8 100644
--- a/examples/reverse-proxy-multisite/README.md
+++ b/examples/reverse-proxy-multisite/README.md
@@ -4,7 +4,7 @@ Simple example to show how to setup bunkerized-nginx in front of some existing H
## Architecture
-
+
## Docker
diff --git a/examples/reverse-proxy-singlesite/README.md b/examples/reverse-proxy-singlesite/README.md
index 07b5f60..09ed23a 100644
--- a/examples/reverse-proxy-singlesite/README.md
+++ b/examples/reverse-proxy-singlesite/README.md
@@ -4,7 +4,7 @@ Simple example to show how to setup bunkerized-nginx in front of some existing H
## Architecture
-
+
## Docker
diff --git a/examples/reverse-proxy-websocket/README.md b/examples/reverse-proxy-websocket/README.md
index 23e2c4a..cf26912 100644
--- a/examples/reverse-proxy-websocket/README.md
+++ b/examples/reverse-proxy-websocket/README.md
@@ -4,7 +4,7 @@ Simple example to show how to setup bunkerized-nginx in front of some existing W
## Architecture
-
+
## Docker
diff --git a/examples/swarm-redis/README.md b/examples/swarm-redis/README.md
index 57bbfbf..19d122c 100644
--- a/examples/swarm-redis/README.md
+++ b/examples/swarm-redis/README.md
@@ -4,7 +4,7 @@ Basic examples on how to deploy and use bunkerized-nginx within a Docker Swarm c
## Architecture
-
+
## Swarm
diff --git a/examples/swarm/README.md b/examples/swarm/README.md
index 133ea75..82f4a9a 100644
--- a/examples/swarm/README.md
+++ b/examples/swarm/README.md
@@ -4,7 +4,7 @@ Basic examples on how to deploy and use bunkerized-nginx within a Docker Swarm c
## Architecture
-
+
## Swarm
diff --git a/examples/syslog/README.md b/examples/syslog/README.md
index 6cdaaa6..ba98b9d 100644
--- a/examples/syslog/README.md
+++ b/examples/syslog/README.md
@@ -4,7 +4,7 @@ Send bunkerized-nginx logs to a remote syslog server.
## Architecture
-
+
## Docker
diff --git a/examples/tomcat/README.md b/examples/tomcat/README.md
index ee1a2fe..af8667c 100644
--- a/examples/tomcat/README.md
+++ b/examples/tomcat/README.md
@@ -4,7 +4,7 @@ Deploy bunkerized-nginx in front of Jakarta EE apps.
## Architecture
-
+
## Docker
diff --git a/examples/tor-hidden-service/README.md b/examples/tor-hidden-service/README.md
index 715d66c..c730b85 100644
--- a/examples/tor-hidden-service/README.md
+++ b/examples/tor-hidden-service/README.md
@@ -4,7 +4,7 @@ Secure your TOR hidden services ".onion" with bunkerized-nginx.
## Architecture
-
+
## Docker
diff --git a/examples/traefik-alternative/README.md b/examples/traefik-alternative/README.md
index cf21c60..21cb123 100644
--- a/examples/traefik-alternative/README.md
+++ b/examples/traefik-alternative/README.md
@@ -6,7 +6,7 @@ You can easily switch from Traefik to bunkerized-nginx if you are more concerned
## Architecture
-
+
## Autoconf
diff --git a/examples/web-ui/README.md b/examples/web-ui/README.md
index 3924f8c..327abd1 100644
--- a/examples/web-ui/README.md
+++ b/examples/web-ui/README.md
@@ -4,7 +4,7 @@ Use the web UI panel to configure your bunkerized-nginx instances.
## Architecture
-
+
## Docker
diff --git a/examples/wordpress/README.md b/examples/wordpress/README.md
index baa5505..411aa91 100644
--- a/examples/wordpress/README.md
+++ b/examples/wordpress/README.md
@@ -4,7 +4,7 @@ WordPress is a free and open-source content management system (CMS) written in P
## Architecture
-
+
## Docker
diff --git a/examples/zammad/README.md b/examples/zammad/README.md
index 83e54fd..7d3476c 100644
--- a/examples/zammad/README.md
+++ b/examples/zammad/README.md
@@ -4,7 +4,7 @@ Zammad is a web-based, open source user support/ticketing solution. See the offi
## Architecture
-
+
## Docker