Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bunkerweb 1.4.0

Browse Source
This commit is contained in:
bunkerity
2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
examples/nextcloud/README.md
View File

@@ -1,11 +0,0 @@
# Nextcloud
Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. See the official [website](https://nextcloud.com/) and [repository](https://github.com/nextcloud/server) for more information.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/nextcloud/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/nextcloud/docker-compose.yml).

BIN
examples/nextcloud/architecture.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 19 KiB

1
examples/nextcloud/modsec-crs-confs/nextcloud.conf → examples/nextcloud/bw-data/modsec-crs/nextcloud.conf
View File

@@ -6,6 +6,7 @@ SecAction \
t:none,\
setvar:tx.crs_exclusions_nextcloud=1"
# WebDAV
SecAction \
"id:900200,\
phase:1,\

1
examples/nextcloud/bw-data/modsec/nextcloud.conf Normal file
View File

@@ -0,0 +1 @@
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"

51
examples/nextcloud/docker-compose.yml
View File

@@ -2,58 +2,63 @@ version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- mync
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- ./nc-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- ./server-confs:/server-confs:ro # custom nginx confs at server context to make Nextcloud working
- ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
- ./modsec-confs:/modsec-confs:ro # disable some false positive
- ./bw-data:/data # contains custom Core Rule Set confs to add Nextcloud exclusions
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=10G
- USE_CLIENT_CACHE=yes
- REMOTE_PHP=mync
- REMOTE_PHP_PATH=/var/www/html
- LIMIT_REQ_RATE=5r/s
- LIMIT_REQ_BURST=10
- SERVE_FILES=no
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
- WHITELIST_USER_AGENT=WebDAV
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mync
- LIMIT_REQ_URL_1=/apps
- LIMIT_REQ_RATE_1=5r/s
- LIMIT_REQ_URL_2=/apps/text/session/sync
- LIMIT_REQ_RATE_2=8r/s
- LIMIT_REQ_URL_3=/core/preview
- LIMIT_REQ_RATE_3=5r/s
mync:
image: nextcloud:21-fpm
restart: always
image: nextcloud:stable-apache
volumes:
- ./nc-files:/var/www/html
environment:
- MYSQL_HOST=mydb
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- NEXTCLOUD_ADMIN_USER=admin # replace with the admin username
- NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password
- NEXTCLOUD_TRUSTED_DOMAINS=www.example.com # replace with your domain(s)
- TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
- APACHE_DISABLE_REWRITE_IP=1
mydb:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)

2
examples/nextcloud/modsec-confs/nextcloud.conf
View File

@@ -1,2 +0,0 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,nolog,pass,ctl:ruleRemoveByTag=OWASP_CRS"

32
examples/nextcloud/server-confs/nextcloud.conf
View File

@@ -1,32 +0,0 @@
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass mync:9000;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
}
location / {
try_files $uri /index.php$request_uri;
}

9
examples/nextcloud/setup.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
if [ $(id -u) -ne 0 ] ; then
echo "❌ Run me as root"
exit 1
fi
chown -R root:101 bw-data
chmod -R 770 bw-data