bunkerweb 1.4.0

This commit is contained in:
bunkerity
2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions


@@ -1,27 +0,0 @@
# Authelia
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. See [website](https://www.authelia.com/) and [GitHub repo](https://github.com/authelia/authelia) for more information.
## Preamble
We will assume that you already have some basic knownledges about Authelia. If that's not the case, you should read their [documentation](https://www.authelia.com/) first.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/authelia/architecture.png?raw=true" />
## Configuration
First of all, you will need to edit the configuration files inside the authelia folder (e.g. : domains, DB backend, email notifier, ...).
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/authelia/docker-compose.yml).
## Docker autoconf
See [docker-compose.autoconf.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/authelia/docker-compose.autoconf.yml).
## Docker Swarm
See [docker-compose.swarm.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/authelia/docker-compose.swarm.yml).



@@ -1,72 +0,0 @@
###############################################################
# Authelia configuration #
###############################################################
host: 0.0.0.0
port: 9091
# log:
# level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_very_important_secret
default_redirection_url: https://auth.example.com
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: auth.example.com
policy: bypass
- domain: app1.example.com
policy: one_factor
- domain: app2.example.com
policy: two_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.com # Should match whatever your root protected domain is
redis:
host: redis
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
filesystem:
filename: /config/notification.txt
#notifier:
# smtp:
# username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# password: password
# host: mail.example.com
# port: 25
# sender: admin@example.com


@@ -1,16 +0,0 @@
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
displayname: "Authelia User"
# Password is Authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev


@@ -1,70 +0,0 @@
version: '3.3'
services:
authelia:
image: authelia/authelia
networks:
services-net:
aliases:
- authelia
volumes:
- ./authelia:/config
healthcheck:
disable: true
environment:
- TZ=France/Paris
labels:
- "bunkerized-nginx.SERVER_NAME=auth.example.com"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://authelia:9091"
redis:
image: redis:alpine
networks:
services-net:
aliases:
- redis
volumes:
- ./redis:/data
environment:
- TZ=France/Paris
myapp1:
image: php:fpm
networks:
services-net:
aliases:
- myapp1
volumes:
- ./web-files/app1.example.com:/app
labels:
- "bunkerized-nginx.SERVER_NAME=app1.example.com"
- "bunkerized-nginx.USE_AUTHELIA=yes"
- "bunkerized-nginx.AUTHELIA_BACKEND=https://auth.example.com"
- "bunkerized-nginx.AUTHELIA_UPSTREAM=http://authelia:9091"
- "bunkerized-nginx.REMOTE_PHP=myapp1"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
myapp2:
image: php:apache
networks:
services-net:
aliases:
- myapp2
volumes:
- ./web-files/app2.example.com:/var/www/html
labels:
- "bunkerized-nginx.SERVER_NAME=app2.example.com"
- "bunkerized-nginx.USE_AUTHELIA=yes"
- "bunkerized-nginx.AUTHELIA_BACKEND=https://auth.example.com"
- "bunkerized-nginx.AUTHELIA_UPSTREAM=http://authelia:9091"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp2"
networks:
services-net:
external:
name: services-net


@@ -1,82 +0,0 @@
version: '3.3'
services:
authelia:
image: authelia/authelia
networks:
services-net:
aliases:
- authelia
volumes:
- /shared/authelia:/config
healthcheck:
disable: true
environment:
- TZ=France/Paris
deploy:
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=auth.example.com"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://authelia:9091"
redis:
image: redis:alpine
networks:
services-net:
aliases:
- redis
volumes:
- /shared/redis:/data
environment:
- TZ=France/Paris
myapp1:
image: php:fpm
networks:
services-net:
aliases:
- myapp1
volumes:
- /shared/www/app1.example.com:/app
deploy:
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app1.example.com"
- "bunkerized-nginx.USE_AUTHELIA=yes"
- "bunkerized-nginx.AUTHELIA_BACKEND=https://auth.example.com"
- "bunkerized-nginx.AUTHELIA_UPSTREAM=http://authelia:9091"
- "bunkerized-nginx.REMOTE_PHP=myapp1"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
myapp2:
image: php:apache
networks:
services-net:
aliases:
- myapp2
volumes:
- /shared/www/app2.example.com:/var/www/html
deploy:
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerized-nginx.SERVER_NAME=app2.example.com"
- "bunkerized-nginx.USE_AUTHELIA=yes"
- "bunkerized-nginx.AUTHELIA_BACKEND=https://auth.example.com"
- "bunkerized-nginx.AUTHELIA_UPSTREAM=http://authelia:9091"
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp2"
networks:
services-net:
external:
name: services-net


@@ -1,71 +0,0 @@
---
version: '3.3'
services:
authelia:
image: authelia/authelia
volumes:
- ./authelia:/config
restart: unless-stopped
healthcheck:
disable: true
environment:
- TZ=France/Paris
redis:
image: redis:alpine
volumes:
- ./redis:/data
restart: unless-stopped
environment:
- TZ=France/Paris
bunkerized-nginx:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- authelia
- myapp1
- myapp2
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_AUTHELIA=yes
- AUTHELIA_BACKEND=https://auth.example.com
- AUTHELIA_UPSTREAM=http://authelia:9091
- auth.example.com_USE_AUTHELIA=no
- auth.example.com_USE_REVERSE_PROXY=yes
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
- app1.example.com_REMOTE_PHP=myapp1
- app1.example.com_REMOTE_PHP_PATH=/app
- app2.example.com_SERVE_FILES=no
- app2.example.com_USE_REVERSE_PROXY=yes
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://myapp2
myapp1:
image: php:fpm
restart: always
volumes:
- ./web-files/app1.example.com:/app
myapp2:
image: php:apache
restart: always
volumes:
- ./web-files/app2.example.com:/var/www/html


@@ -1,10 +0,0 @@
<?php
echo "Welcome to app1 !<br><br>";
echo "REMOTE_USER = " . $_SERVER['REMOTE_USER'] . "<br>";
echo "REMOTE_GROUPS = " . $_SERVER['REMOTE_GROUPS'] . "<br>";
echo "REMOTE_NAME = " . $_SERVER['REMOTE_NAME'] . "<br>";
echo "REMOTE_EMAIL = " . $_SERVER['REMOTE_EMAIL'] . "<br>";
?>


@@ -1,10 +0,0 @@
<?php
echo "Welcome to app2 !<br><br>";
echo "REMOTE_USER = " . $_SERVER['HTTP_REMOTE_USER'] . "<br>";
echo "REMOTE_GROUPS = " . $_SERVER['HTTP_REMOTE_GROUPS'] . "<br>";
echo "REMOTE_NAME = " . $_SERVER['HTTP_REMOTE_NAME'] . "<br>";
echo "REMOTE_EMAIL = " . $_SERVER['HTTP_REMOTE_EMAIL'] . "<br>";
?>


@@ -1,13 +0,0 @@
# Autoconf PHP
Quickly deploy PHP app on Docker containers without restarting bunkerized-nginx.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/autoconf-php/architecture.png?raw=true" />
## Autoconf
First of all, you need to setup the [Docker autoconf integration](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-autoconf).
Then, you can add and remove PHP apps with special `bunkerized-nginx.*` labels so the configurations are automatically generated : see [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/autoconf-php/docker-compose.yml).



@@ -0,0 +1,7 @@
<?php
echo "Hello from app1 !";
?>
<script src="/js/script.js"></script>


@@ -0,0 +1 @@
alert('JavaScript is working!');


@@ -0,0 +1,7 @@
<?php
echo "Hello from app2 !";
?>
<script src="/js/script.js"></script>


@@ -0,0 +1 @@
alert('JavaScript is working!');


@@ -0,0 +1,7 @@
<?php
echo "Hello from app3 !";
?>
<script src="/js/script.js"></script>


@@ -0,0 +1 @@
alert('JavaScript is working!');


@@ -5,43 +5,55 @@ services:
myapp1:
image: php:fpm
networks:
services-net:
bw-services:
aliases:
- myapp1
# ⚠️ UID and GID of mywww (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
# example : chown -R 33:101 ./bw-data/www && find ./bw-data/www -type f -exec chmod 0640 {} \; && find ./bw-data/www -type d -exec chmod 0750 {} \;
volumes:
- ./web-files/app1.example.com:/app
- ./bw-data/www/app1.example.com:/app # folder containing PHP app1 (don't forget to rename it)
labels:
- "bunkerized-nginx.SERVER_NAME=app1.example.com" # replace with your domain
- "bunkerized-nginx.REMOTE_PHP=myapp1"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
- "bunkerweb.SERVER_NAME=app1.example.com" # replace with your domain
- "bunkerweb.REMOTE_PHP=myapp1"
- "bunkerweb.REMOTE_PHP_PATH=/app"
myapp2:
image: php:fpm
networks:
services-net:
bw-services:
aliases:
- myapp2
# ⚠️ UID and GID of mywww (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
# example : chown -R 33:101 ./bw-data/www && find ./bw-data/www -type f -exec chmod 0640 {} \; && find ./bw-data/www -type d -exec chmod 0750 {} \;
volumes:
- ./web-files/app2.example.com:/app
- ./bw-data/www/app2.example.com:/app # folder containing PHP app2 (don't forget to rename it)
labels:
- "bunkerized-nginx.SERVER_NAME=app2.example.com" # replace with your domain
- "bunkerized-nginx.REMOTE_PHP=myapp2"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
- "bunkerweb.SERVER_NAME=app2.example.com" # replace with your domain
- "bunkerweb.REMOTE_PHP=myapp2"
- "bunkerweb.REMOTE_PHP_PATH=/app"
myapp3:
image: php:fpm
networks:
services-net:
bw-services:
aliases:
- myapp3
# ⚠️ UID and GID of mywww (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
# example : chown -R 33:101 ./bw-data/www && find ./bw-data/www -type f -exec chmod 0640 {} \; && find ./bw-data/www -type d -exec chmod 0750 {} \;
volumes:
- ./web-files/app3.example.com:/app
- ./bw-data/www/app3.example.com:/app # folder containing PHP app3 (don't forget to rename it)
labels:
- "bunkerized-nginx.SERVER_NAME=app3.example.com" # replace with your domain
- "bunkerized-nginx.REMOTE_PHP=myapp3"
- "bunkerized-nginx.REMOTE_PHP_PATH=/app"
- "bunkerweb.SERVER_NAME=app3.example.com" # replace with your domain
- "bunkerweb.REMOTE_PHP=myapp3"
- "bunkerweb.REMOTE_PHP_PATH=/app"
networks:
services-net:
bw-services:
external:
name: services-net
name: bw-services
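Review bot: The permission example repeated in the comment above each service's `volumes:` (`chown -R 33:101 ./bw-data/www`, files 0640, directories 0750) contradicts the setup.sh added in the same commit, which runs `chown -R 101:33 ./bw-data/www` with 0664/0775 — owner and group are swapped, and the script leaves the web root group-writable by the php:fpm user (33) where the comment makes it read-only. Pick one model and state it once; the comment's read-only layout is the tighter default for content PHP only needs to read, so either align the script with it or document why write access is required. The same four-line comment is pasted verbatim under myapp1, myapp2 and myapp3; hoisting it into one comment above the first service keeps the three copies from drifting. `mywww (101:101)` in that comment presumably refers to the former bunkerized-nginx container name, which no longer appears in this file. The hunk starts at line 5, so the `version:`/`services:` header is outside it.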

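--- /dev/null
+++ b/examples/autoconf-php/setup.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+if [ $(id -u) -ne 0 ] ; then
+echo "❌ Run me as root"
+exit 1
+fi
+chown -R 101:101 bw-data
+find ./bw-data/ -type f -exec chmod 0644 {} \;
+find ./bw-data/ -type d -exec chmod 0755 {} \;
+chown -R 101:33 ./bw-data/www
+find ./bw-data/www -type f -exec chmod 0664 {} \;
+find ./bw-data/www -type d -exec chmod 0775 {} \;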
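Review bot: The script never stops on failure, so if `chown -R 101:101 bw-data` fails (directory missing, script not run from the example folder) the following find/chmod calls still execute against whatever `./bw-data` resolves to in the current directory; add `set -eu` after the shebang and `cd "$(dirname "$0")"` so the relative paths are anchored to the example directory. `chown -R 101:101 bw-data` also lacks the `./` prefix every other path uses. The 0644/0755 modes applied to the rest of bw-data make it readable by every local user; if that tree also holds certificates or cache data (not visible here), 0640/0750 keep it to the owner and group 101.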


@@ -1,5 +0,0 @@
<?php
echo "Hello from app1 !";
?>


@@ -1,5 +0,0 @@
<?php
echo "Hello from app2 !";
?>


@@ -1,5 +0,0 @@
<?php
echo "Hello from app3 !";
?>


@@ -1,13 +0,0 @@
# Autoconf reverse proxy
Quickly deploy web app on Docker containers without restarting bunkerized-nginx.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/autoconf-reverse-proxy/architecture.png?raw=true" />
## Autoconf
First of all, you need to setup the [Docker autoconf integration](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#docker-autoconf).
Then, you can add and remove web apps with special `bunkerized-nginx.*` labels so the configurations are automatically generated : see [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/autoconf-reverse-proxy/docker-compose.yml).



@@ -3,48 +3,42 @@ version: '3'
services:
myapp1:
build: js-app
image: tutum/hello-world
networks:
services-net:
bw-services:
aliases:
- myapp1
environment:
- NODE_ENV=production
labels:
- "bunkerized-nginx.SERVER_NAME=app1.example.com" # replace with your domain
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp1:3000"
- "bunkerweb.SERVER_NAME=app1.example.com" # replace with your domain
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/"
- "bunkerweb.REVERSE_PROXY_HOST=http://myapp1"
myapp2:
build: js-app
image: tutum/hello-world
networks:
services-net:
bw-services:
aliases:
- myapp2
environment:
- NODE_ENV=production
labels:
- "bunkerized-nginx.SERVER_NAME=app2.example.com" # replace with your domain
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp2:3000"
- "bunkerweb.SERVER_NAME=app2.example.com" # replace with your domain
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/"
- "bunkerweb.REVERSE_PROXY_HOST=http://myapp2"
myapp3:
build: js-app
image: tutum/hello-world
networks:
services-net:
bw-services:
aliases:
- myapp3
environment:
- NODE_ENV=production
labels:
- "bunkerized-nginx.SERVER_NAME=app3.example.com" # replace with your domain
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://myapp3:3000"
- "bunkerweb.SERVER_NAME=app3.example.com" # replace with your domain
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/"
- "bunkerweb.REVERSE_PROXY_HOST=http://myapp3"
networks:
services-net:
bw-services:
external:
name: services-net
name: bw-services
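Review bot: `image: tutum/hello-world` on each of the three services carries no tag or digest, so every pull silently tracks whatever the untagged reference points to; the bunkerweb image elsewhere in this commit is pinned (`bunkerity/bunkerweb:1.4.0`), and the demo backend should be pinned the same way, e.g. `image: tutum/hello-world@sha256:<DIGEST-PLACEHOLDER>` or a fixed tag. The `environment:` / `- NODE_ENV=production` lines are kept as context even though the js-app build they belonged to is removed, so they are probably dead for the new image and could go. The file's `version:` line is outside the hunk.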


@@ -1,11 +0,0 @@
FROM node
COPY app/ /home/node/app
RUN cd /home/node/app && npm install && chown -R root:node /home/node/app && chmod -R 770 /home/node/app
WORKDIR /home/node/app
USER node
CMD ["node", "index.js"]


@@ -1,13 +0,0 @@
const express = require('express')
const app = express()
const port = 3000
var os = require("os");
app.get('/', (req, res) => {
res.send('Container id = ' + os.hostname())
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})


@@ -1,14 +0,0 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}


@@ -1,17 +0,0 @@
# Basic website with PHP
This is a basic example for a typical PHP website/app.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/basic-website-with-php/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/basic-website-with-php/docker-compose.yml).
## Linux
Please note that you need to install and configure a php-fpm instance on your server.
See [variables.env](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/basic-website-with-php/variables.env).



@@ -1,31 +0,0 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
depends_on:
- myphp
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app
myphp:
image: php:fpm
restart: always
volumes:
- ./web-files:/app


@@ -1,10 +0,0 @@
HTTP_PORT=80
HTTPS_PORT=443
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
REDIRECT_HTTP_TO_HTTPS=yes
DISABLE_DEFAULT_SERVER=yes
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php/php7.3-fpm.sock
LOCAL_PHP_PATH=/opt/bunkerize-nginx/www


@@ -1,5 +0,0 @@
<?php
echo "Hello World!";
?>


@@ -0,0 +1,54 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp
# real IP settings
- USE_REAL_IP=yes
- REAL_IP_FROM=10.10.10.0/24
networks:
- net_proxy
- net_apps
myproxy:
image: haproxy
ports:
- 80:8080
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
networks:
- net_proxy
myapp:
image: tutum/hello-world
networks:
- net_apps
volumes:
bw_data:
networks:
net_proxy:
ipam:
driver: default
config:
- subnet: 10.10.10.0/24
net_apps:
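Review bot: `REAL_IP_FROM=10.10.10.0/24` trusts the entire net_proxy subnet, so any container later attached to that network could present a forged client address through X-Forwarded-For; that is acceptable here only because myproxy is the sole other member of net_proxy, and the `# real IP settings` comment should say so. The trusted range can be narrowed by giving myproxy a fixed `ipv4_address` on net_proxy and listing that single address in `REAL_IP_FROM` instead of the whole /24. Note also that mybunker publishes no ports itself and is reachable only through myproxy, which is the intended shape and worth a comment on the `networks:` list.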


@@ -0,0 +1,14 @@
defaults
timeout connect 5s
timeout client 5s
timeout server 5s
frontend http_front
mode http
bind *:8080
default_backend http_back
backend http_back
mode http
option forwardfor
server server01 mybunker:8080
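Review bot: `option forwardfor` appends the address HAProxy saw to any X-Forwarded-For header the client already sent rather than replacing it, so the `REAL_IP_FROM` trust in the companion compose file is only sound if the consumer takes the last entry (nginx's realip module does by default, unless configured to walk the list). Either state that assumption in a comment next to `option forwardfor`, or use `http-request set-header X-Forwarded-For %[src]` so only the proxy-observed address reaches mybunker. The `server server01 mybunker:8080` line has no `check`, so a stopped mybunker is not detected by HAProxy.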


@@ -0,0 +1,60 @@
version: '3.6'
# clone the repository https://github.com/bigbluebutton/docker into the root directory and run the following command: ./scripts/setup
# when executing the file ./scripts/setup do this:
# Should greenlight be included? (y/n): y
# Should an automatic HTTPS Proxy be included? (y/n): n
# ...
# Please enter the domain name: www.example.com (your domain name)
# after generating your bigbluebutton docker-compose.yml file, you can modify the following to add bunkerweb to it
services:
...
nginx:
...
# comment this line
# network_mode: host
# then add the following lines
networks:
bbb-net:
ipv4_address: 10.7.7.253
...
...
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- SERVER_NAME=${DOMAIN}
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_WS=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://10.7.7.253:48087
# You have to put this IP address in your docker-compose.yml file
networks:
bbb-net:
ipv4_address: 10.7.7.254
...
volumes:
...
bw_data:
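Review bot: The `...` lines under `services:`, `nginx:` and `volumes:` make this file unparseable as a compose file, yet nothing in the header says it is a fragment; add `# NOTE: this is a fragment, not a runnable compose file - merge the mybunker service and bw_data volume into the generated docker-compose.yml` at the top. `SERVER_NAME=${DOMAIN}` expands to an empty string when DOMAIN is not set in the environment or .env; `${DOMAIN:?DOMAIN must be set}` turns that into a hard error at startup. The fixed addresses 10.7.7.253 and 10.7.7.254 presumably match the bbb-net subnet defined by the upstream repository, which should be stated beside `ipv4_address` since a different subnet silently breaks `REVERSE_PROXY_HOST`.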


@@ -1,21 +0,0 @@
# Certbot with Cloudflare
Cloudflare supports HTTPS traffic between their servers and the origin one. This examples shows how to automatically valid HTTPS certificates signed by Let's Encrypt using the Cloudflare API.
## Preamble
We will assume that you already have some basic knowledges about Cloudflare. If that's not the case, we have made a dedicated blog post [here](https://www.bunkerity.com/web-security-at-almost-no-cost-cloudflare-free-plan-with-bunkerized-nginx/).
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/certbot-cloudflare/architecture.png?raw=true" />
## Configuration
First of all you will need to edit the **certbot-new.sh** and **cloudflare.ini** files (e.g : domains, CF token, ...).
Then run the **certbot-new.sh** script to get the certificates and add cron job for **certbot-renew.sh** to setup automatic renewal.
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/certbot-cloudflare/docker-compose.yml).



@@ -1,33 +0,0 @@
#!/bin/sh
# you need to run it before starting bunkerized-nginx to get the first certificate
# edit according to your values
DOMAINS="example.com,*.example.com"
EMAIL="contact@example.com"
SERVICE="mywww"
# ask for the certificate
# don't forget to first edit the cloudflare.ini file
docker run --rm \
-v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
certbot/dns-cloudflare \
certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /tmp/cloudflare.ini \
--dns-cloudflare-propagation-seconds 60 \
-d "$DOMAINS" \
--email "$EMAIL" \
--agree-tos \
--no-eff-email
if [ $? -ne 0 ] ; then
echo "error while getting certificate for $DOMAINS"
exit 1
fi
# fix permissions
chgrp -R 101 "${PWD}/letsencrypt"
chmod -R 750 "${PWD}/letsencrypt"
echo "Certificate for $DOMAINS created !"


@@ -1,28 +0,0 @@
#!/bin/sh
# you should add it to your crontab like :
# 0 0 * * * cd /your/folder && ./certbot-renew.sh
# edit with your service name
SERVICE="mywww"
# ask for the renew
# don't forget to first edit the cloudflare.ini file
docker run --rm \
-v "${PWD}/cloudflare.ini:/tmp/cloudflare.ini" \
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
certbot/dns-cloudflare \
renew
if [ $? -ne 0 ] ; then
echo "error while renewing certificate for $DOMAINS"
exit 1
fi
# fix permissions
chgrp -R 101 "${PWD}/letsencrypt"
chmod -R 750 "${PWD}/letsencrypt"
# reload bunkerized-nginx
docker-compose kill -s SIGHUP mywww
echo "Certificate(s) renewed (if needed) !"


@@ -1,5 +0,0 @@
# Cloudflare API token used by Certbot
# More info :
# https://certbot-dns-cloudflare.readthedocs.io/en/stable/index.html#credentials
# https://developers.cloudflare.com/api/tokens/create
dns_cloudflare_api_token = YOUR-API-TOKEN-HERE


@@ -1,38 +0,0 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- myphp
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/letsencrypt:ro
environment:
- SERVER_NAME=www.example.com # replace with your domain(s)
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/letsencrypt/live/example.com/fullchain.pem # replace with your path
- CUSTOM_HTTPS_KEY=/letsencrypt/live/example.com/privkey.pem # replace with your path
- REDIRECT_HTTP_TO_HTTPS=yes
- PROXY_REAL_IP=yes
# networks from https://www.cloudflare.com/ips-v4/
# you should check if the networks listed are up to date
- PROXY_REAL_IP_FROM=173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 172.64.0.0/13 131.0.72.0/22 104.16.0.0/13 104.24.0.0/14
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app
myphp:
image: php:fpm
restart: always
volumes:
- ./web-files:/app


@@ -1,5 +0,0 @@
<?php
echo "Hello World behind Cloudflare !";
?>


@@ -1,21 +0,0 @@
# Certbot wildcard
Simple example on how to get wildcard Let's Encrypt certificates through DNS challenge and use them with bunkerized-nginx.
## Preamble
We will assume that you already have some basic knowledges about Let's Encrypt DNS challenge. If that's not the case, you should read the [documentation](https://certbot.eff.org/docs/using.html#manual).
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/certbot-wildcard/architecture.png?raw=true" />
## Configuration
First of all you will need to edit the **certbot-wildcard.sh** file with your domain(s).
Then you can run the script to get the certificates. Don't forget that you will need to edit your DNS zone to prove that you own the domain(s).
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/certbot-wildcard/docker-compose.yml).



@@ -1,35 +0,0 @@
#!/bin/sh
# you need to run it before starting bunkerized-nginx
# since it's manual there is no auto renew, you need to run it again before it expires
# replace with your values
DOMAINS="example.com,*.example.com"
SERVICE="mywww"
# ask for wildcard certificate
# it's interactive and you will need to add a DNS entry
docker run --rm \
-it \
-v "${PWD}/letsencrypt:/etc/letsencrypt" \
certbot/certbot \
certonly \
--manual \
-d "$DOMAINS" \
--agree-tos
if [ $? -ne 0 ] ; then
echo "error while getting certificate for $DOMAINS"
exit 1
fi
# fix permissions
chgrp -R 101 "${PWD}/letsencrypt"
chmod -R 750 "${PWD}/letsencrypt"
# reload nginx if it's already running (in case of a "renew")
if [ -z `docker-compose ps -q $SERVICE` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q $SERVICE)` ]; then
echo "bunkerized-nginx is not running, skipping nginx reload"
else
echo "bunkerized-nginx is running, sending reload order"
docker-compose exec $SERVICE nginx -s reload
fi


@@ -1,44 +0,0 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- myapp1
- myapp2
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/letsencrypt:ro
environment:
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- MULTISITE=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/letsencrypt/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/letsencrypt/live/example.com/privkey.pem
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- app1.example.com_REMOTE_PHP=myapp1
- app1.example.com_REMOTE_PHP_PATH=/app
- app2.example.com_REMOTE_PHP=myapp2
- app2.example.com_REMOTE_PHP_PATH=/app
myapp1:
image: php:fpm
restart: always
volumes:
- ./web-files/app1.example.com:/app
myapp2:
image: php:fpm
restart: always
volumes:
- ./web-files/app2.example.com:/app


@@ -1,5 +0,0 @@
<?php
echo "hello from app1 !";
?>


@@ -1,5 +0,0 @@
<?php
echo "hello from app2 !";
?>


@@ -1,19 +0,0 @@
# ClamAV plugin
Automatically scan files with ClamAV when they are uploaded and deny the upload if the file is detected. See the [bunkerized-nginx-clamav](https://github.com/bunkerity/bunkerized-nginx-clamav) repository for more information.
## Preamble
This example uses a bunkerized-nginx plugin, you can have a look at the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html) to get more information about plugins.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/clamav/architecture.png?raw=true" />
## Configuration
You will need to clone the bunkerized-nginx-clamav plugin and edit the **plugin.json** file.
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/clamav/docker-compose.yml).



@@ -1,46 +0,0 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- myphp
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- ./bunkerized-nginx-clamav:/plugins/clamav # you will need to download the plugin see download-plugin.sh
environment:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app
clamav-server:
image: mkodockx/docker-clamav:alpine-idb-amd64
clamav-rest-api:
image: benzino77/clamav-rest-api
depends_on:
- clamav-server
environment:
- NODE_ENV=production
- CLAMD_IP=clamav-server
- APP_PORT=8080
- APP_FORM_KEY=FILES
myphp:
image: php:fpm
restart: always
volumes:
- ./web-files:/app


@@ -1,3 +0,0 @@
#!/bin/sh
git clone https://github.com/bunkerity/bunkerized-nginx-clamav.git


@@ -1,19 +0,0 @@
<!DOCTYPE html>
<html>
<body>
<?php
if (file_exists($_FILES['myfile']['tmp_name']) && is_uploaded_file($_FILES['myfile']['tmp_name'])) {
echo 'File is clean !';
}
?>
<form action="index.php" method="post" enctype="multipart/form-data">
Select file to scan :
<input type="file" name="myfile">
<input type="submit" value="Scan file" name="submit">
</form>
</body>
</html>


@@ -1,21 +0,0 @@
# Crowdsec plugin
Crowdsec integration example with bunkerized-nginx. See the [bunkerized-nginx-crowdsec](https://github.com/bunkerity/bunkerized-nginx-crowdsec) repository for more information.
## Preamble
This example uses a bunkerized-nginx plugin, you can have a look at the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html) to get more information about plugins.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/crowdsec/architecture.png?raw=true" />
## Configuration
First of all you will need to get a bouncer key, you can use the **bouncer_key.sh** to generate one.
Then you can clone the bunkerized-nginx-crowdsec plugin and edit the **plugin.json** file.
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/crowdsec/docker-compose.yml).


@@ -1,5 +0,0 @@
filenames:
- /var/log/nginx.log
labels:
type: nginx
---

Binary file not shown.



@@ -1,23 +0,0 @@
#!/bin/sh
# first, you need to run the crowdsec service
echo "running crowdsec service ..."
docker-compose up -d mycrowdsec
# wait a little until it's up
sleep 10
# get the bouncer key
docker-compose exec mycrowdsec cscli bouncers add MyBouncer
# enter the key into the CROWDSEC_KEY setting
read -p "edit CROWDSEC_KEY env var in plugin.json file and press enter" edited
# start all services
docker-compose up -d
# wait a little until it's up
sleep 10
# restart crowdsec so it reads the log files
docker-compose restart mycrowdsec


@@ -1,92 +0,0 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
# mandatory for crowdsec :
# you need to redirect Docker logs to the syslog server
logging:
driver: syslog
options:
syslog-address: "udp://10.10.10.254:514"
depends_on:
- mysyslog
- myapp1
- myapp2
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- ./bunkerized-nginx-crowdsec:/plugins/crowdsec # edit plugin.json
environment:
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- app1.example.com_REMOTE_PHP=myapp1
- app1.example.com_REMOTE_PHP_PATH=/app
- app2.example.com_REMOTE_PHP=myapp2
- app2.example.com_REMOTE_PHP_PATH=/app
networks:
net0:
net1:
net2:
mycrowdsec:
image: crowdsecurity/crowdsec:v1.0.13
restart: always
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
- nginx_logs:/var/log:ro
environment:
- COLLECTIONS=crowdsecurity/nginx
- REGISTER_TO_ONLINE_API=true
networks:
- net0
mysyslog:
image: balabit/syslog-ng
restart: always
volumes:
- ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
- nginx_logs:/var/log
networks:
net0:
ipv4_address: 10.10.10.254
myapp1:
image: php:fpm
restart: always
volumes:
- ./web-files/app1.example.com:/app
networks:
- net1
myapp2:
image: php:fpm
restart: always
volumes:
- ./web-files/app2.example.com:/app
networks:
- net2
networks:
net0:
ipam:
driver: default
config:
- subnet: 10.10.10.0/24
net1:
net2:
volumes:
nginx_logs:


@@ -1,18 +0,0 @@
@version: 3.31
source s_net {
udp(
ip("0.0.0.0")
);
};
template t_imp {
template("$MSG\n");
template_escape(no);
};
destination d_file {
file("/var/log/nginx.log" template(t_imp));
};
log { source(s_net); destination(d_file); };


@@ -1,5 +0,0 @@
<?php
echo "hello from app1 !";
?>


@@ -1,5 +0,0 @@
<?php
echo "hello from app2 !";
?>


@@ -4,4 +4,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
setvar:tx.crs_exclusions_drupal=1"


@@ -0,0 +1,48 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./bw-data:/data # contains custom Core Rule Set confs to add Drupal exclusions
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mydrupal
# Remove the following lines after finishing the installation of PrestaShop
- LIMIT_REQ_URL_1=/core/install.php
- LIMIT_REQ_RATE_1=5r/s
mydrupal:
image: drupal:9-apache
volumes:
- ./drupal-modules:/var/www/html/modules
- ./drupal-profiles:/var/www/html/profiles
- ./drupal-themes:/var/www/html/themes
- ./drupal-sites:/var/www/html/sites
mydb:
image: mariadb
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
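Review bot: The comment `# Remove the following lines after finishing the installation of PrestaShop` names the wrong application — this is the Drupal example, and the same copy-pasted comment sits above the `/installation/index.php` rate limit in the Joomla compose file further down; each should name its own application, e.g. `# Remove the following lines after finishing the installation of Drupal`. The `mariadb` image is unpinned while the proxy is pinned to `bunkerity/bunkerweb:1.4.0`, so a later `docker-compose pull` can silently move the database to a new major release; pinning it to a tag the way the bunkerweb image is pinned keeps the example reproducible (the Joomla `mydb` service has the same issue). Neither `mybunker` nor `mydrupal` declares `depends_on`, which looks deliberate compared with the older examples but is worth a one-line comment so readers do not add it back inconsistently.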

9
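--- /dev/null
+++ b/examples/drupal/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+if [ $(id -u) -ne 0 ] ; then
+echo "❌ Run me as root"
+exit 1
+fi
+chown -R root:101 bw-data
+chmod -R 770 bw-data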
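Review bot: `chown -R root:101 bw-data` and `chmod -R 770 bw-data` assume the `bw-data` directory already exists in the working directory; on a fresh checkout both commands fail, the script still exits 0, and the bind mount is then created by Docker as a root-owned directory that bunkerweb (UID 101) cannot write to. Adding `set -e` after the shebang and `mkdir -p bw-data` before the `chown` makes the script deliver what the compose comment promises. The test `[ $(id -u) -ne 0 ]` should quote the substitution, `[ "$(id -u)" -ne 0 ]`, so an empty result does not turn into a syntax error. The Gogs `setup.sh` further down (the section ending at the second `chmod -R 770 bw-data`) has the same three issues.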


@@ -1,11 +0,0 @@
# Ghost
Ghost is a free and open source blogging platform written in JavaScript and distributed under the MIT License, designed to simplify the process of online publishing for individual bloggers as well as online publications. More info at official [website](https://ghost.org) and [repository](https://github.com/TryGhost/Ghost).
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/ghost/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/ghost/docker-compose.yml).

Binary file not shown.



@@ -2,33 +2,36 @@ version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- myghost
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./letsencrypt:/etc/letsencrypt
- bw_data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myghost:2368/
- REVERSE_PROXY_HOST=http://myghost:2368
myghost:
image: ghost:alpine
volumes:
- ./data-ghost:/var/lib/ghost/content
- ./ghost-data:/var/lib/ghost/content
environment:
- url=https://www.example.com # replace with your domain
- url=http://www.example.com # replace with your domain
volumes:
bw_data:
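Review bot: Ghost's `url` environment variable ends up as `http://www.example.com` while the proxy in front of it runs with `AUTO_LETS_ENCRYPT=yes` and `REDIRECT_HTTP_TO_HTTPS=yes`; if the `http://` line is the new side (the rendering loses the +/- markers), Ghost will generate absolute links and redirects to an http origin that bunkerweb immediately redirects back to https, and its cookies will likely not carry the Secure flag. Ghost documents `url` as the public scheme and host the site is reached at, so `- url=https://www.example.com # replace with your domain` is the value that matches this deployment. If the downgrade was deliberate, a comment on that line saying why would save the next reader the redirect-loop debugging.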


@@ -1,15 +0,0 @@
# Gogs
Gogs is an easy to install, cross-platform and lightweight self-hosted Git service. More info on the [website](https://gogs.io/).
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/gogs/architecture.png?raw=true" />
## Configuration
You will need to edit the `data-gogs/gogs/conf/app.ini` with your own settings.
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/gogs/docker-compose.yml).

Binary file not shown.



@@ -4,4 +4,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"


@@ -2,29 +2,34 @@ version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
- ./bw-data:/data # contains some Core Rule Set configuration to fix FP
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mygogs:3000
- WHITELIST_USER_AGENT=^git
- REVERSE_PROXY_HEADERS_1=Authorization $http_authorization
- MAX_CLIENT_SIZE=1G
mygogs:
image: gogs/gogs
volumes:
- ./data-gogs:/data
- ./gogs-data:/data
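Review bot: `- REVERSE_PROXY_HEADERS_1=Authorization $http_authorization` is subject to Compose variable interpolation, so unless it is escaped `$http_authorization` is replaced by the (normally empty) shell variable before bunkerweb ever sees it and the Basic-auth header of git clients is silently dropped; the literal nginx variable has to be written `- REVERSE_PROXY_HEADERS_1=Authorization $$http_authorization`. `WHITELIST_USER_AGENT=^git` exempts every request whose User-Agent starts with `git` from bunkerweb's checks, and that header is chosen by the client, so a comment such as `# trade-off: the UA is client-controlled, so whitelisted requests get no bot/WAF checks` would make the exposure explicit to whoever copies the example. `MAX_CLIENT_SIZE=1G` likewise deserves a note that it applies to every request, not only to git pushes.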

9
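--- /dev/null
+++ b/examples/gogs/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+if [ $(id -u) -ne 0 ] ; then
+echo "❌ Run me as root"
+exit 1
+fi
+chown -R root:101 bw-data
+chmod -R 770 bw-data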


@@ -1,11 +0,0 @@
# Hardened
Example on how you can harden the container executing bunkerized-nginx. See the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/security_tuning.html#container-hardening) for details.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/hardened/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/hardened/docker-compose.yml).

Binary file not shown.



@@ -2,8 +2,8 @@ version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
mybunker:
image: bunkerity/bunkerweb:1.4.0
# dropping all capabilities
cap_drop:
- ALL
@@ -12,37 +12,35 @@ services:
- no-new-privileges
# read-only file system
read_only: true
# folders that need write access
tmpfs:
- /tmp
restart: always
depends_on:
- myphp
- /tmp:mode=0770,uid=0,gid=101
- /opt/bunkerweb/tmp:mode=0770,uid=0,gid=101
- /etc/nginx:mode=0770,uid=0,gid=101
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- cache:/cache
- nginx_conf:/etc/nginx
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- bw_data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myphp
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp
- REMOTE_PHP_PATH=/app
myphp:
image: php:fpm
restart: always
volumes:
- ./web-files:/app
myapp:
image: tutum/hello-world
volumes:
nginx_conf:
cache:
bw_data:
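Review bot: The three `tmpfs` mounts in the second hunk (`/tmp`, `/opt/bunkerweb/tmp`, `/etc/nginx`) set ownership and mode but no `size=`, so with `read_only: true` they are the only writable paths in the container and each can grow until host memory is exhausted; a cap such as `- /tmp:mode=0770,uid=0,gid=101,size=64m` (the option is passed through to the tmpfs mount as with `docker run --tmpfs`) keeps the hardened example genuinely bounded. The `/etc/nginx` tmpfs also means the generated nginx configuration is rebuilt from scratch on every restart, which is presumably intended but worth a comment next to the mount. The `services:` block these hunks belong to starts before the first hunk.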


@@ -1,5 +0,0 @@
<?php
echo "Hello World!";
?>


@@ -1,11 +0,0 @@
# Joomla
Joomla is a free and open-source content management system (CMS) for publishing web content on websites. Web content applications include discussion forums, photo galleries, e-Commerce and user communities and numerous other web-based applications. More info on the official [website](https://www.joomla.org/) and [repository](https://github.com/joomla/joomla-cms).
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/joomla/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/joomla/docker-compose.yml).

Binary file not shown.



@@ -2,48 +2,54 @@ version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- myjoomla
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./joomla-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- bw_data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myjoomla
- REMOTE_PHP_PATH=/var/www/html
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myjoomla
- LIMIT_REQ_URL_1=/administrator/
- LIMIT_REQ_RATE_1=8r/s
# Remove the following lines after finishing the installation of PrestaShop
- LIMIT_REQ_URL_2=/installation/index.php
- LIMIT_REQ_RATE_2=8r/s
myjoomla:
image: joomla:fpm-alpine
restart: always
image: joomla:4-apache
volumes:
- ./joomla-files:/var/www/html
environment:
- JOOMLA_DB_HOST=mydb
- JOOMLA_DB_NAME=joomladb
- JOOMLA_DB_NAME=joomla_db
- JOOMLA_DB_USER=user
- JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomladb
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
volumes:
bw_data:


@@ -0,0 +1,101 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app1
labels:
app: app1
spec:
replicas: 1
selector:
matchLabels:
app: app1
template:
metadata:
labels:
app: app1
spec:
containers:
- name: app1
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app2
labels:
app: app2
spec:
replicas: 1
selector:
matchLabels:
app: app2
template:
metadata:
labels:
app: app2
spec:
containers:
- name: app2
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app3
labels:
app: app3
spec:
replicas: 1
selector:
matchLabels:
app: app3
template:
metadata:
labels:
app: app3
spec:
containers:
- name: app3
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app1
spec:
selector:
app: app1
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app2
spec:
selector:
app: app2
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app3
spec:
selector:
app: app3
ports:
- protocol: TCP
port: 80
targetPort: 80
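Review bot: None of the three `Deployment` objects sets `resources` or a `securityContext`, and `tutum/hello-world` is an unpinned tag, so the example workloads run as whatever user the image defaults to with no CPU or memory bound; even for a demo, `resources.limits` and a minimal container `securityContext` (`allowPrivilegeEscalation: false`, and `runAsNonRoot: true` where the image allows it) would be worth showing, or a comment stating that they are intentionally omitted. The same 101-line manifest appears again unchanged further down (the second `@@ -0,0 +1,101 @@` section), so a single copy in a shared directory would keep the two from drifting apart.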


@@ -0,0 +1,66 @@
# you don't even need to mount the config as volumes : a declaration is enough, the controller will take care of the rest
# bunkerweb.io/CONFIG_TYPE accepted values are http, stream, server-http, server-stream, default-server-http, modsec and modsec-crs
# bunkerweb.io/CONFIG_SITE lets you choose on which web service the config should be applied (MULTISITE mode) and if it's not set, the config will be applied for all services
# more info at https://docs.bunkerweb.io
apiVersion: v1
kind: ConfigMap
metadata:
name: cfg-bunkerweb-all-server-http
annotations:
bunkerweb.io/CONFIG_TYPE: "server-http"
data:
myconf: |
location /hello {
default_type "text/plain";
content_by_lua_block {
ngx.say("hello")
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cfg-bunkerweb-app1-server-http
annotations:
bunkerweb.io/CONFIG_TYPE: "server-http"
bunkerweb.io/CONFIG_SITE: "app1.example.com"
data:
myconf: |
location /app1 {
default_type "text/plain";
content_by_lua_block {
ngx.say("app1")
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cfg-bunkerweb-app2-server-http
annotations:
bunkerweb.io/CONFIG_TYPE: "server-http"
bunkerweb.io/SERVER_NAME: "app2.example.com"
data:
myconf: |
location /app2 {
default_type "text/plain";
content_by_lua_block {
ngx.say("app2")
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cfg-bunkerweb-app3-server-http
annotations:
bunkerweb.io/CONFIG_TYPE: "server-http"
bunkerweb.io/SERVER_NAME: "app3.example.com"
data:
myconf: |
location /app3 {
default_type "text/plain";
content_by_lua_block {
ngx.say("app3")
}
}
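Review bot: The `app2` and `app3` ConfigMaps use the annotation `bunkerweb.io/SERVER_NAME` while `app1` uses `bunkerweb.io/CONFIG_SITE`; the header comment states that `CONFIG_SITE` is what scopes a config to one service and that an unset value applies the config to all services, so as written the `/app2` and `/app3` locations would presumably be added to every site. Both should read `bunkerweb.io/CONFIG_SITE: "app2.example.com"` and `bunkerweb.io/CONFIG_SITE: "app3.example.com"` respectively. Since a `server-http` config with `content_by_lua_block` is arbitrary code executed inside the proxy, the header comment could also state that the right to create ConfigMaps carrying `bunkerweb.io/CONFIG_TYPE` should be limited with RBAC to the people who administer bunkerweb.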


@@ -0,0 +1,40 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
bunkerweb.io/USE_LETS_ENCRYPT_STAGING: "yes"
spec:
rules:
- host: app1.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app1
port:
number: 80
- host: app2.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app2
port:
number: 80
- host: app3.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app3
port:
number: 80
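Review bot: `bunkerweb.io/USE_LETS_ENCRYPT_STAGING: "yes"` requests certificates from the Let's Encrypt staging CA, which browsers do not trust, and nothing tells the reader that the manifest will serve an untrusted certificate until the line is removed; a comment such as `# staging CA: certificates are not browser-trusted, remove for production` on that line would prevent the copy-paste. The identical Ingress appears again further down (the second `@@ -0,0 +1,40 @@` section) and needs the same comment. No `ingressClassName` is set, so on a cluster with several ingress controllers this object may be picked up by another one as well — presumably fine for the example, but worth a comment.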


@@ -0,0 +1,101 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app1
labels:
app: app1
spec:
replicas: 1
selector:
matchLabels:
app: app1
template:
metadata:
labels:
app: app1
spec:
containers:
- name: app1
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app2
labels:
app: app2
spec:
replicas: 1
selector:
matchLabels:
app: app2
template:
metadata:
labels:
app: app2
spec:
containers:
- name: app2
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app3
labels:
app: app3
spec:
replicas: 1
selector:
matchLabels:
app: app3
template:
metadata:
labels:
app: app3
spec:
containers:
- name: app3
image: tutum/hello-world
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app1
spec:
selector:
app: app1
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app2
spec:
selector:
app: app2
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-app3
spec:
selector:
app: app3
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -0,0 +1,40 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
bunkerweb.io/USE_LETS_ENCRYPT_STAGING: "yes"
spec:
rules:
- host: app1.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app1
port:
number: 80
- host: app2.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app2
port:
number: 80
- host: app3.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app3
port:
number: 80


@@ -1,12 +0,0 @@
# Kubernetes
Basic examples on how to use bunkerized-nginx within a Kubernetes cluster. See the [Kubernetes integration section of the documentation](https://bunkerized-nginx.readthedocs.io/en/latest/integrations.html#kubernetes) for more information.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/architecture.png?raw=true" />
## Kubernetes
See [ingress.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/ingress.yml), [php.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/php.yml) and [reverse-proxy.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/reverse-proxy.yml).

Binary file not shown.



@@ -1,66 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bunkerized-nginx-ingress
# this label is mandatory
labels:
bunkerized-nginx: "yes"
annotations:
# add any global and default environment variables here as annotations with the "bunkerized-nginx." prefix
# examples :
#bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
#bunkerized-nginx.USE_ANTIBOT: "javascript"
#bunkerized-nginx.REDIRECT_HTTP_TO_HTTPS: "yes"
#bunkerized-nginx.app.example.com_REVERSE_PROXY_WS: "yes"
#bunkerized-nginx.app.example.com_USE_MODSECURITY: "no"
# add "static" routes here (see https://kubernetes.io/docs/concepts/services-networking/ingress/)
# and/or add annotations to your services (see https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/kubernetes)
spec:
tls:
- hosts:
- app1.example.com
rules:
- host: "app1.example.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: app1
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app1
labels:
app: app1
spec:
replicas: 1
selector:
matchLabels:
app: app1
template:
metadata:
labels:
app: app1
spec:
containers:
- name: app1
image: containous/whoami
---
apiVersion: v1
kind: Service
metadata:
name: app1
spec:
type: ClusterIP
selector:
app: app1
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -1,48 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app2
labels:
app: app2
spec:
replicas: 1
selector:
matchLabels:
app: app2
template:
metadata:
labels:
app: app2
spec:
containers:
- name: app2
image: php:fpm
volumeMounts:
- name: www
mountPath: /var/www/html
volumes:
- name: www
hostPath:
path: /shared/www/app2.example.com
type: Directory
---
apiVersion: v1
kind: Service
metadata:
name: app2
# this label is mandatory
labels:
bunkerized-nginx: "yes"
annotations:
bunkerized-nginx.SERVER_NAME: "app2.example.com"
bunkerized-nginx.REMOTE_PHP: "app2.default.svc.cluster.local"
bunkerized-nginx.REMOTE_PHP_PATH: "/var/www/html"
bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
spec:
type: ClusterIP
selector:
app: app2
ports:
- protocol: TCP
port: 9000
targetPort: 9000


@@ -1,41 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app3
labels:
app: app3
spec:
replicas: 1
selector:
matchLabels:
app: app3
template:
metadata:
labels:
app: app3
spec:
containers:
- name: app3
image: containous/whoami
---
apiVersion: v1
kind: Service
metadata:
name: app3
# this label is mandatory
labels:
bunkerized-nginx: "yes"
annotations:
bunkerized-nginx.SERVER_NAME: "app3.example.com"
bunkerized-nginx.USE_REVERSE_PROXY: "yes"
bunkerized-nginx.REVERSE_PROXY_URL: "/"
bunkerized-nginx.REVERSE_PROXY_HOST: "http://app3.default.svc.cluster.local"
bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
spec:
type: ClusterIP
selector:
app: app3
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -1,15 +0,0 @@
# Load balancer
Simple example on how to load balance requests to multiple backends.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/load-balancer/architecture.png?raw=true" />
## Configuration
Edit the custom `upstream` directive in the **http-confs/upstream.conf** file according to your use case.
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/load-balancer/docker-compose.yml).

Binary file not shown.



@@ -0,0 +1,5 @@
upstream app {
server app1:80;
server app2:80;
server app3:80;
}


@@ -2,28 +2,24 @@ version: '3'
services:
myreverse:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- app1
- app2
- app3
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./http-confs:/http-confs:ro
- ./bw-data:/data # contains upstreams definition at http context
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
@@ -31,20 +27,10 @@ services:
- REVERSE_PROXY_HOST=http://app
app1:
build: js-app
restart: always
environment:
- NODE_ENV=production
image: tutum/hello-world
app2:
build: js-app
restart: always
environment:
- NODE_ENV=production
image: tutum/hello-world
app3:
build: js-app
restart: always
environment:
- NODE_ENV=production
image: tutum/hello-world
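Review bot: The `depends_on` list for the proxy was dropped in the first hunk while the backends are now reached through the static `upstream app { server app1:80; ... }` block mounted from `bw-data`; nginx resolves the names in an `upstream` block when the configuration is loaded, so if bunkerweb starts before `app1`-`app3` are on the network it will presumably fail on an unresolvable host rather than retry. Keeping a `depends_on:` list naming `app1`, `app2` and `app3` on `mybunker` preserves the previous start order at no cost. `restart: always` was also removed from all four services in this section, which is worth a comment if intentional, since the older examples relied on it.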


@@ -1,5 +0,0 @@
upstream app {
server app1:3000;
server app2:3000;
server app3:3000;
}


@@ -1,11 +0,0 @@
FROM node
COPY app/ /home/node/app
RUN cd /home/node/app && npm install && chown -R root:node /home/node/app && chmod -R 770 /home/node/app
WORKDIR /home/node/app
USER node
CMD ["node", "index.js"]


@@ -1,13 +0,0 @@
const express = require('express')
const app = express()
const port = 3000
var os = require("os");
app.get('/', (req, res) => {
res.send('Container id = ' + os.hostname())
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})
