diff --git a/Dockerfile b/Dockerfile index 9542d6c..75f3637 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,9 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh +# fix CVE-2021-20205 +RUN apk add "libjpeg-turbo>=2.1.0-r0" + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index e3a616f..cdecc70 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -16,6 +16,9 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh +# fix CVE-2021-20205 +RUN apk add "libjpeg-turbo>=2.1.0-r0" + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index fe1209f..4956e58 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -23,6 +23,9 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh +# fix CVE-2021-20205 +RUN apk add "libjpeg-turbo>=2.1.0-r0" + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index b46c2f0..2dd06dd 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 @@ -23,6 +23,9 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh +# fix CVE-2021-20205 +RUN apk add "libjpeg-turbo>=2.1.0-r0" + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/Dockerfile-i386 b/Dockerfile-i386 index f099c09..9ef9e48 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 
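Review bot: The added `RUN apk add "libjpeg-turbo>=2.1.0-r0"` patches one package by name, so every other package in the base image keeps whatever version the base tag happened to carry, and whether libjpeg-turbo is already installed by prepare.sh or is being pulled in fresh is not visible in the hunk. If the goal is to pick up Alpine security fixes, `RUN apk upgrade --no-cache` applies them to all installed packages and `--no-cache` keeps the downloaded index out of the layer; if only this package is wanted, `RUN apk add --no-cache "libjpeg-turbo>=2.1.0-r0"` still avoids leaving the cached index behind. The same three lines are repeated verbatim in Dockerfile-amd64, Dockerfile-arm32v7 and Dockerfile-arm64v8 on this line and in Dockerfile-i386 on the next, so any follow-up should be applied to all five.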
@@ -16,6 +16,9 @@ COPY lua/ /opt/lua COPY prepare.sh /tmp/prepare.sh RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh +# fix CVE-2021-20205 +RUN apk add "libjpeg-turbo>=2.1.0-r0" + VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge EXPOSE 8080/tcp 8443/tcp diff --git a/examples/autoconf-reverse-proxy/docker-compose.yml b/examples/autoconf-reverse-proxy/docker-compose.yml index 27da89e..2c7a3c7 100644 --- a/examples/autoconf-reverse-proxy/docker-compose.yml +++ b/examples/autoconf-reverse-proxy/docker-compose.yml @@ -18,6 +18,7 @@ services: - REDIRECT_HTTP_TO_HTTPS=yes - DISABLE_DEFAULT_SERVER=yes - USE_CLIENT_CACHE=yes + - USE_PROXY_CACHE=yes - USE_GZIP=yes - USE_BROTLI=yes - USE_REVERSE_PROXY=yes diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml index a550e0e..29a2be9 100644 --- a/examples/crowdsec/docker-compose.yml +++ b/examples/crowdsec/docker-compose.yml @@ -34,7 +34,7 @@ services: - net2 mycrowdsec: - image: crowdsecurity/crowdsec:v1.0.2 + image: crowdsecurity/crowdsec:v1.0.13 restart: always volumes: - ./acquis.yaml:/etc/crowdsec/acquis.yaml diff --git a/examples/drupal/docker-compose.yml b/examples/drupal/docker-compose.yml new file mode 100644 index 0000000..68678d7 --- /dev/null +++ b/examples/drupal/docker-compose.yml 
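Review bot: `- USE_PROXY_CACHE=yes` enables response caching in front of a proxied application, and nothing in the hunk shows how cacheable responses are told apart from per-user ones; unless the backend sets `Cache-Control: private` or `no-store` on authenticated pages, a response cached for one user can be served to another. A comment on the line stating that expectation would keep the example safe to copy, e.g. `- USE_PROXY_CACHE=yes # backend must mark per-user responses non-cacheable (Cache-Control: private/no-store)`. The same toggle is switched on in the new ghost, gogs and redmine examples and on the swarm `app2` label later in this diff.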
@@ -0,0 +1,43 @@
+version: '3'
+
+services:
+
+ mywww:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./drupal-files:/www:ro
+ - ./letsencrypt:/etc/letsencrypt
+ #- ./server-confs:/server-confs:ro # custom confs at server context for permalinks
+ - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Drupal exclusions
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - MAX_CLIENT_SIZE=50m
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - REMOTE_PHP=mydrupal
+ - REMOTE_PHP_PATH=/var/www/html
+
+ mydrupal:
+ image: drupal:fpm-alpine
+ restart: always
+ volumes:
+ - ./drupal-files:/var/www/html
+
+ mydb:
+ image: mariadb
+ restart: always
+ volumes:
+ - ./db-data:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+ - MYSQL_DATABASE=drupaldb
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
diff --git a/examples/drupal/modsec-crs-confs/drupal.conf b/examples/drupal/modsec-crs-confs/drupal.conf
new file mode 100644
index 0000000..da9441e
--- /dev/null
+++ b/examples/drupal/modsec-crs-confs/drupal.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900130,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.crs_exclusions_drupal=1"
diff --git a/examples/ghost/docker-compose.yml b/examples/ghost/docker-compose.yml
new file mode 100644
index 0000000..72cf0de
--- /dev/null
+++ b/examples/ghost/docker-compose.yml
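Review bot: The commented-out `#- ./server-confs:/server-confs:ro # custom confs at server context for permalinks` in the new Drupal compose file is copied from the WordPress example: "permalinks" is WordPress terminology and no server-confs directory ships with this example, so the line reads as a leftover. Either remove it or reword it to what a Drupal deployment would actually put there, e.g. `#- ./server-confs:/server-confs:ro # optional custom server-context confs (e.g. for clean URLs)`. Unlike the joomla and redmine examples, no database settings are passed to `mydrupal`, presumably because they are entered through the installer; a one-line comment on the `mydb` service saying so would save the reader the guess.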
@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+
+ myreverse:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ #- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - AUTO_LETS_ENCRYPT=yes
+ - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - USE_REVERSE_PROXY=yes
+ - REVERSE_PROXY_URL=/
+ - REVERSE_PROXY_HOST=http://myghost:2368/
+
+ myghost:
+ image: ghost:alpine
+ volumes:
+ - ./data-ghost:/
+ environment:
+ - url=https://www.website.com # replace with your domain
diff --git a/examples/ghost/modsec-crs-confs/gogs.conf b/examples/ghost/modsec-crs-confs/gogs.conf
new file mode 100644
index 0000000..f6f11c0
--- /dev/null
+++ b/examples/ghost/modsec-crs-confs/gogs.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900220,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
diff --git a/examples/gogs/docker-compose.yml b/examples/gogs/docker-compose.yml
new file mode 100644
index 0000000..369a5ca
--- /dev/null
+++ b/examples/gogs/docker-compose.yml
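Review bot: `- ./data-ghost:/` in the new `myghost` service binds the host directory over the container's root, which Docker rejects as a mount destination and which would not be the Ghost content directory in any case; it should point at the image's content path, e.g. `- ./data-ghost:/var/lib/ghost/content`. `myghost` also lacks the `restart: always` that the sibling services set. The accompanying `examples/ghost/modsec-crs-confs/gogs.conf` is a copy of the Gogs file: its name, and the `application/x-git-upload-pack-request`/`application/x-git-receive-pack-request` entries in its allowed content types, belong to Gogs, while the compose file leaves the `modsec-crs-confs` mount commented out, so either trim the list to what Ghost needs and mount it, or delete the file rather than ship an unused allowlist widening.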
@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+
+ myreverse:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ - ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - AUTO_LETS_ENCRYPT=yes
+ - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - USE_REVERSE_PROXY=yes
+ - REVERSE_PROXY_URL=/
+ - REVERSE_PROXY_HOST=http://mygogs:3000/
+
+ mygogs:
+ image: gogs/gogs
+ volumes:
+ - ./data-gogs:/data
diff --git a/examples/gogs/modsec-crs-confs/gogs.conf b/examples/gogs/modsec-crs-confs/gogs.conf
new file mode 100644
index 0000000..f6f11c0
--- /dev/null
+++ b/examples/gogs/modsec-crs-confs/gogs.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900220,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
diff --git a/examples/joomla/docker-compose.yml b/examples/joomla/docker-compose.yml
new file mode 100644
index 0000000..37b755c
--- /dev/null
+++ b/examples/joomla/docker-compose.yml
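Review bot: `mygogs` is the only application service in these new examples without `restart: always`, so a crash or host reboot leaves `myreverse` pointing at a dead upstream; add `restart: always` under `mygogs:` for consistency with the proxy service. The `# fix FP with CRS` comment on the `modsec-crs-confs` mount does not say which false positive is meant; since the conf appears to extend the content-type allowlist with the two git smart-HTTP types, `# allow git smart-HTTP content types that CRS blocks by default` would tell the reader what the file changes and why it is needed here and not in the other examples.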
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+
+ mywww:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./joomla-files:/www:ro
+ - ./letsencrypt:/etc/letsencrypt
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - MAX_CLIENT_SIZE=50m
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - REMOTE_PHP=myjoomla
+ - REMOTE_PHP_PATH=/var/www/html
+
+ myjoomla:
+ image: joomla:fpm-alpine
+ restart: always
+ volumes:
+ - ./joomla-files:/var/www/html
+ environment:
+ - JOOMLA_DB_HOST=mydb
+ - JOOMLA_DB_NAME=joomladb
+ - JOOMLA_DB_USER=user
+ - JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+
+ mydb:
+ image: mariadb
+ restart: always
+ volumes:
+ - ./db-data:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+ - MYSQL_DATABASE=joomladb
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml
index 4b2dca9..46a8f73 100644
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml
index 3249a69..040a077 100644
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - MAX_CLIENT_SIZE=50m
 - SERVE_FILES=no
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
diff --git a/examples/multisite-basic/docker-compose.yml b/examples/multisite-basic/docker-compose.yml
index dae433a..1b7dc36 100644
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@@ -25,7 +25,6 @@ services:
 - app2.website.com_REMOTE_PHP=myapp2
 - app2.website.com_REMOTE_PHP_PATH=/app
 - app3.website.com_SERVE_FILES=no
- - app3.website.com_USE_CLIENT_CACHE=no
 - app3.website.com_USE_PROXY_CACHE=yes
 - app3.website.com_USE_REVERSE_PROXY=yes
 - app3.website.com_REVERSE_PROXY_URL=/
diff --git a/examples/multisite-custom-server-confs/docker-compose.yml b/examples/multisite-custom-server-confs/docker-compose.yml
index 5501880..5f809c0 100644
--- a/examples/multisite-custom-server-confs/docker-compose.yml
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@@ -27,9 +27,9 @@ services:
 - wp.website.com_REMOTE_PHP_PATH=/var/www/html
 - nc.website.com_REMOTE_PHP=mync
 - nc.website.com_REMOTE_PHP_PATH=/var/www/html
- - nc.website.com_LIMIT_REQ_RATE=40r/s
- - nc.website.com_LIMIT_REQ_BURST=60
- - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+ - nc.website.com_LIMIT_REQ_RATE=5r/s
+ - nc.website.com_LIMIT_REQ_BURST=10
+ - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
 - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
 - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
 networks:
diff --git a/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf b/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
index 88a7b2c..87d3748 100644
--- a/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
@@ -1 +1,2 @@
 SecRuleRemoveById 921110
+SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
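Review bot: The new `nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS` drops `REPORT`, which the old value allowed; CalDAV/CardDAV clients use REPORT for calendar and contact sync, so if that is in scope for the Nextcloud example the method should stay, `...|UNLOCK|OPTIONS|REPORT`. The rate limit also falls from `40r/s`/burst `60` to `5r/s`/burst `10` with no reasoning in the hunk, and Nextcloud sync clients issue many small requests in quick succession, so a comment on the `LIMIT_REQ_RATE` line explaining the choice would help whoever hits 429s later. The same three changes appear in examples/nextcloud/docker-compose.yml and in the `tx.allowed_methods` line of both modsec-crs-confs/nextcloud.conf files further down; those lists must stay in sync with these values.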
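Review bot: `SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"` switches off every CRS rule for any request whose path merely contains that substring, and the rule has no `phase`, `pass` or `nolog`, so it runs in the `SecDefaultAction` phase and logs on every match. Anchoring the match and giving it an explicit early phase limits the exclusion to the WebDAV endpoint and keeps it quiet: `SecRule REQUEST_FILENAME "@beginsWith /remote.php/webdav" "id:1,phase:1,pass,nolog,ctl:ruleRemoveByTag=OWASP_CRS"`. Removing the whole `OWASP_CRS` tag is also much broader than the usual exclusion; if only a few rules fire on WebDAV bodies, listing them with `ctl:ruleRemoveById` keeps the rest of the rule set active on that path. The identical line is added in examples/nextcloud/modsec-confs/nextcloud.conf later in this diff.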
diff --git a/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
index 654b883..7b7b167 100644
--- a/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf
@@ -1 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
 SecRuleRemoveById 953120
diff --git a/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf b/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
index d34684d..117b4a8 100644
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
@@ -12,4 +12,4 @@ SecAction \
 nolog,\
 pass,\
 t:none,\
- setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+ setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml
index b9b5b2b..233fac6 100644
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
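Review bot: The three new `SecRule REQUEST_FILENAME` lines use the default `@rx` operator with unanchored patterns (`"/wp-admin/admin-ajax.php"`, `"/wp-admin/options.php"`), so they match that text anywhere in the path with `.` matching any character, and like the Nextcloud rule they carry no `phase`, `pass` or `nolog`. The broad part is `ctl:ruleRemoveByTag=attack-rce` on admin-ajax.php: that endpoint also serves unauthenticated requests, so RCE detection is off for everyone who can reach it, whereas the usual CRS approach is to exclude only the arguments that produce the false positives, e.g. `SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:1,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=attack-xss;ARGS:<param>,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:<param>"` with `<param>` replaced by the parameter names that actually trigger. The same four lines are added as examples/wordpress/modsec-confs/wordpress.conf at the end of this diff.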
@@ -23,16 +23,16 @@ services: - USE_CLIENT_CACHE=yes - REMOTE_PHP=mync - REMOTE_PHP_PATH=/var/www/html - - LIMIT_REQ_RATE=40r/s - - LIMIT_REQ_BURST=60 - - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT + - LIMIT_REQ_RATE=5r/s + - LIMIT_REQ_BURST=10 + - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS - X_FRAME_OPTIONS=SAMEORIGIN - USE_GZIP=yes - USE_BROTLI=yes - FAIL2BAN_STATUS_CODE=400|401|403|405|444 mync: - image: nextcloud:20-fpm + image: nextcloud:21-fpm restart: always volumes: - ./nc-files:/var/www/html diff --git a/examples/nextcloud/modsec-confs/nextcloud.conf b/examples/nextcloud/modsec-confs/nextcloud.conf index 88a7b2c..87d3748 100644 --- a/examples/nextcloud/modsec-confs/nextcloud.conf +++ b/examples/nextcloud/modsec-confs/nextcloud.conf @@ -1 +1,2 @@ SecRuleRemoveById 921110 +SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS" diff --git a/examples/nextcloud/modsec-crs-confs/nextcloud.conf b/examples/nextcloud/modsec-crs-confs/nextcloud.conf index d34684d..117b4a8 100644 --- a/examples/nextcloud/modsec-crs-confs/nextcloud.conf +++ b/examples/nextcloud/modsec-crs-confs/nextcloud.conf @@ -12,4 +12,4 @@ SecAction \ nolog,\ pass,\ t:none,\ - setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'" + setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'" diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml index 0e3281a..de8ad92 100644 --- a/examples/passbolt/docker-compose.yml +++ b/examples/passbolt/docker-compose.yml @@ -20,6 +20,7 @@ services: - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE - SERVE_FILES=no - USE_PROXY_CACHE=yes + - USE_CLIENT_CACHE=yes - USE_GZIP=yes - USE_BROTLI=yes - USE_REVERSE_PROXY=yes 
diff --git a/examples/redmine/docker-compose.yml b/examples/redmine/docker-compose.yml
new file mode 100644
index 0000000..0a9cec0
--- /dev/null
+++ b/examples/redmine/docker-compose.yml
@@ -0,0 +1,47 @@
+version: '3'
+
+services:
+
+ myreverse:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - AUTO_LETS_ENCRYPT=yes
+ - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_BROTLI=yes
+ - USE_REVERSE_PROXY=yes
+ - REVERSE_PROXY_URL=/
+ - REVERSE_PROXY_HOST=http://myredmine:3000/
+
+ redmine:
+ image: redmine
+ restart: always
+ volumes:
+ - ./redmine-data:/usr/src/redmine/files
+ environment:
+ - REDMINE_DB_MYSQL=mydb
+ - REDMINE_DB_DATABASE=redminedb
+ - REDMINE_DB_USERNAME=user
+ - REDMINE_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+
+ mydb:
+ image: mariadb
+ restart: always
+ volumes:
+ - ./db-data:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+ - MYSQL_DATABASE=redminedb
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
diff --git a/examples/reverse-proxy-multisite/docker-compose.yml b/examples/reverse-proxy-multisite/docker-compose.yml
index 6973f9b..e5dcd47 100644
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
diff --git a/examples/reverse-proxy-singlesite/docker-compose.yml b/examples/reverse-proxy-singlesite/docker-compose.yml
index 27b5926..f496ee8 100644
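Review bot: `- REVERSE_PROXY_HOST=http://myredmine:3000/` points at a service that does not exist in the new Redmine compose file: the application service is declared as `redmine:`, so the proxy will fail to resolve its upstream. Rename the service to `myredmine:` to match the `my*` naming of the other examples (or change the URL to `http://redmine:3000/`). `image: redmine` is also untagged, so unlike `nextcloud:21-fpm` in this same diff the example will pull whatever major version is current at deploy time; pinning at least the major tag would keep the example reproducible.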
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
diff --git a/examples/reverse-proxy-websocket/docker-compose.yml b/examples/reverse-proxy-websocket/docker-compose.yml
index cd4fc10..80c6b68 100644
--- a/examples/reverse-proxy-websocket/docker-compose.yml
+++ b/examples/reverse-proxy-websocket/docker-compose.yml
@@ -17,6 +17,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
diff --git a/examples/swarm/stack.yml b/examples/swarm/stack.yml
index 8167891..6199dc8 100644
--- a/examples/swarm/stack.yml
+++ b/examples/swarm/stack.yml
@@ -32,7 +32,7 @@ services:
 mode: host
 protocol: tcp
 volumes:
- - /shared/confs:/etc/nginx:ro
+ - /shared/confs:/etc/nginx
 - /shared/letsencrypt:/etc/letsencrypt:ro
 - /shared/acme-challenge:/acme-challenge:ro
 - /shared/www:/www:ro
@@ -45,6 +45,7 @@ services:
 - AUTO_LETS_ENCRYPT=yes
 - REDIRECT_HTTP_TO_HTTPS=yes
 - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
 networks:
 - net_config
 - net_services
@@ -86,6 +87,7 @@ services:
 - "node.role==worker"
 labels:
 - "bunkerized-nginx.SERVER_NAME=app2.website.com"
+ - "bunkerized-nginx.USE_PROXY_CACHE=yes"
 - "bunkerized-nginx.USE_REVERSE_PROXY=yes"
 - "bunkerized-nginx.REVERSE_PROXY_URL=/"
 - "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
diff --git a/examples/tomcat/docker-compose.yml b/examples/tomcat/docker-compose.yml
index e6d8274..c60afdc 100644
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@@ -17,6 +17,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - AUTO_LETS_ENCRYPT=yes
 - USE_PROXY_CACHE=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - USE_REVERSE_PROXY=yes
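Review bot: Changing `- /shared/confs:/etc/nginx:ro` to `- /shared/confs:/etc/nginx` in the swarm stack makes the nginx configuration directory writable from inside the serving container, so a compromised worker process could modify configuration that every replica reads from the shared volume; nothing in the hunk says which process now needs write access. If a writer is required, keep `:ro` on the serving service and give the component that generates the configuration its own read-write mount; if that is not possible, a comment on the line stating why it must be writable (e.g. `# nginx needs rw here because <reason>`) would stop the next reviewer from restoring `:ro`. The `letsencrypt`, `acme-challenge` and `www` mounts just below keep `:ro`, which suggests read-only was the intended default for this service.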
diff --git a/examples/web-ui/docker-compose.yml b/examples/web-ui/docker-compose.yml
index 1949e4f..11ca4be 100644
--- a/examples/web-ui/docker-compose.yml
+++ b/examples/web-ui/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - AUTO_LETS_ENCRYPT=yes
 - REDIRECT_HTTP_TO_HTTPS=yes
 - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
 - USE_BROTLI=yes
 - admin.website.com_SERVE_FILES=no
diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml
index 1f230d9..18a1124 100644
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -13,6 +13,7 @@ services:
 - ./letsencrypt:/etc/letsencrypt
 - ./server-confs:/server-confs:ro # custom confs at server context for permalinks
 - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
+ - ./modsec-confs:/modsec-confs:ro # avoid some FP with CRS
 environment:
 - SERVER_NAME=www.website.com # replace with your domain
 - AUTO_LETS_ENCRYPT=yes
diff --git a/examples/wordpress/modsec-confs/wordpress.conf b/examples/wordpress/modsec-confs/wordpress.conf
new file mode 100644
index 0000000..7b7b167
--- /dev/null
+++ b/examples/wordpress/modsec-confs/wordpress.conf
@@ -0,0 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
+SecRuleRemoveById 953120