bunkerweb 1.4.0

core/realip/confs/server-http/real-ip.conf

@@ -0,0 +1,16 @@
+{% if USE_REAL_IP == "yes" +%}
+	{% for element in read_lines("/opt/bunkerweb/cache/realip/combined.list") +%}
+set_real_ip_from {{ element }};
+	{% endfor +%}
+	{% if REAL_IP_FROM != "" %}
+		{% for element in REAL_IP_FROM.split(" ") +%}
+set_real_ip_from {{ element }};
+		{% endfor %}
+	{% endif %}
+real_ip_header {{ REAL_IP_HEADER }};
+	{% if REAL_IP_RECURSIVE == "yes" +%}
+real_ip_recursive on;
+	{% else +%}
+real_ip_recursive off;
+	{% endif +%}
+{% endif %}

core/realip/jobs/realip-download.py

@@ -0,0 +1,103 @@
+#!/usr/bin/python3
+
+import sys, os, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+
+import logger, jobs, requests, ipaddress
+
+def check_line(line) :
+    if "/" in line :
+        try :
+            ipaddress.ip_network(line)
+            return True, line
+        except :
+            pass
+    else :
+        try :
+            ipaddress.ip_address(line)
+            return True, line
+        except :
+            pass
+    return False, ""
+
+status = 0
+
+try :
+
+    # Check if at least a server has Blacklist activated
+    blacklist_activated = False
+    # Multisite case
+    if os.getenv("MULTISITE") == "yes" :
+        for first_server in os.getenv("SERVER_NAME").split(" ") :
+            if os.getenv(first_server + "_USE_REALIP", os.getenv("USE_REALIP")) == "yes" :
+                blacklist_activated = True
+                break
+    # Singlesite case
+    elif os.getenv("USE_REALIP") == "yes" :
+        blacklist_activated = True
+    if not blacklist_activated :
+        logger.log("REALIP", "ℹ️", "RealIP is not activated, skipping download...")
+        os._exit(0)
+
+    # Create directory if it doesn't exist
+    os.makedirs("/opt/bunkerweb/cache/realip", exist_ok=True)
+
+    # Don't go further if the cache is fresh
+    if jobs.is_cached_file("/opt/bunkerweb/cache/realip/combined.list", "hour") :
+        logger.log("REALIP", "ℹ️", "RealIP list is already in cache, skipping download...")
+        os._exit(0)
+
+    # Get URLs
+    urls = []
+    for url in os.getenv("REALIP_FROM_URLS", "").split(" ") :
+        if url != "" and url not in urls :
+            urls.append(url)
+
+    # Download and write data to temp file
+    i = 0
+    f = open("/opt/bunkerweb/tmp/realip-combined.list", "w")
+    for url in urls :
+        try :
+            logger.log("REALIP", "ℹ️", "Downloading RealIP list from " + url + " ...")
+            resp = requests.get(url, stream=True)
+            if resp.status_code != 200 :
+                continue
+            for line in resp.iter_lines(decode_unicode=True) :
+                line = line.strip().split(" ")[0]
+                if line == "" or line.startswith("#") or line.startswith(";") :
+                    continue
+                ok, data = check_line(line)
+                if ok :
+                    f.write(data + "\n")
+                    i += 1
+        except :
+            status = 2
+            logger.log("REALIP", "❌", "Exception while getting RealIP list from " + url + " :")
+            print(traceback.format_exc())
+    f.close()
+
+    # Check if file has changed
+    file_hash = jobs.file_hash("/opt/bunkerweb/tmp/realip-combined.list")
+    cache_hash = jobs.cache_hash("/opt/bunkerweb/cache/realip/combined.list")
+    if file_hash == cache_hash :
+        logger.log("REALIP", "ℹ️", "New file is identical to cache file, reload is not needed")
+        os._exit(0)
+
+    # Put file in cache
+    cached, err = jobs.cache_file("/opt/bunkerweb/tmp/realip-combined.list", "/opt/bunkerweb/cache/realip/combined.list", file_hash)
+    if not cached :
+        logger.log("REALIP", "❌", "Error while caching list : " + err)
+        os._exit(2)
+
+    logger.log("REALIP", "ℹ️", "Downloaded " + str(i) + " trusted IP/net")
+
+    status = 1
+
+except :
+    status = 2
+    logger.log("REALIP", "❌", "Exception while running realip-download.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)

core/realip/plugin.json

@@ -0,0 +1,71 @@
+{
+	"id": "realip",
+	"order": 999,
+	"name": "Real IP",
+	"description": "Get real IP of clients when BunkerWeb is behind a reverse proxy / load balancer.",
+	"version": "0.1",
+	"settings": {
+		"USE_REAL_IP": {
+			"context": "multisite",
+			"default": "no",
+			"help": "Retrieve the real IP of client.",
+			"id": "use-real-ip",
+			"label": "Use real ip",
+			"regex": "^(yes|no)$",
+			"type": "check"
+		},
+		"USE_PROXY_PROTOCOL": {
+			"context": "multisite",
+			"default": "no",
+			"help": "Enable PROXY protocol communication.",
+			"id": "use-proxy-protocol",
+			"label": "Use PROXY protocol",
+			"regex": "^(yes|no)$",
+			"type": "check"
+		},
+		"REAL_IP_FROM": {
+			"context": "multisite",
+			"default": "192.168.0.0/16 172.16.0.0/12 10.0.0.0/8",
+			"help": "List of trusted IPs / networks where proxied requests come from.",
+			"id": "real-ip-from",
+			"label": "Real IP from",
+			"regex": "^.*$",
+			"type": "text"
+		},
+		"REAL_IP_FROM_URLS": {
+			"context": "global",
+			"default": "",
+			"help": "List of URLs containing trusted IPs / networks where proxied requests come from.",
+			"id": "real-ip-from-urls",
+			"label": "Real IP from URLs",
+			"regex": "^.*$",
+			"type": "text"
+		},
+		"REAL_IP_HEADER": {
+			"context": "multisite",
+			"default": "X-Forwarded-For",
+			"help": "HTTP header containing the real IP or special value proxy_protocol for PROXY protocol.",
+			"id": "real-ip-header",
+			"label": "Real IP header",
+			"regex": "^.*$",
+			"type": "text"
+		},
+		"REAL_IP_RECURSIVE": {
+			"context": "multisite",
+			"default": "yes",
+			"help": "Perform a recursive search in the header container IP address.",
+			"id": "real-ip-header",
+			"label": "Real IP recursive",
+			"regex": "^(yes|no)$",
+			"type": "check"
+		}
+	},
+	"jobs": [
+		{
+			"name": "realip-download",
+			"file": "realip-download.py",
+			"every": "hour",
+			"reload": true
+		}
+	]
+}