bunkerweb 1.4.0

2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions
--- a/misc/asn.mmdb
+++ b/misc/asn.mmdb
--- a/misc/country.mmdb
+++ b/misc/country.mmdb
--- a/misc/cron
+++ b/misc/cron
@@ -1,8 +0,0 @@
-15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
-30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name remote-api-database --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)" >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1
--- a/misc/cron-autoconf
+++ b/misc/cron-autoconf
@@ -1,8 +0,0 @@
-15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
-30 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name remote-api-database --server $(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2) --version $(cat /opt/bunkerized-nginx/VERSION) --id $(cat /opt/bunkerized-nginx/cache/machine.id)" nginx >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1
--- a/misc/cron-linux
+++ b/misc/cron-linux
@@ -1,8 +0,0 @@
-15 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
-30 */1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value USE_REMOTE_API yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name remote-api-database --server "$(grep '^REMOTE_API_SERVER=' /etc/nginx/global.env | cut -d '=' -f 2)" --version "$(cat /opt/bunkerized-nginx/VERSION)" --id "$(cat /opt/bunkerized-nginx/cache/machine.id)" >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1
--- a/misc/nginx.service
+++ b/misc/nginx.service
@@ -1,15 +0,0 @@
-[Unit]
-Description=bunkerized-nginx - web services security
-Documentation=https://bunkerized-nginx.readthedocs.io
-After=network-online.target remote-fs.target nss-lookup.target
-Wants=network-online.target
-
-[Service]
-Type=forking
-PIDFile=/tmp/nginx.pid
-ExecStart=/usr/sbin/nginx -g 'daemon on; user nginx;'
-ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /tmp/nginx.pid)"
-ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /tmp/nginx.pid)"
-
-[Install]
-WantedBy=multi-user.target
--- a/misc/root-ca.pem
+++ b/misc/root-ca.pem
--- a/misc/set2conf.py
+++ b/misc/set2conf.py
@@ -1,19 +0,0 @@
-#!/usr/bin/python3
-
-import json
-
-with open("settings.json") as f :
-	data = json.loads(f.read())
-
-output = ""
-for cat in data :
-	output += "# " + cat + "\n"
-	for param in data[cat]["params"] :
-		if param["type"] == "multiple" :
-			params = param["params"]
-		else :
-			params = [param]
-		for true_param in params :
-			output += "#" + true_param["env"] + "=" + true_param["default"] + "\n"
-	output += "\n"
-print(output)
--- a/misc/set2doc.py
+++ b/misc/set2doc.py
@@ -1,20 +0,0 @@
-#!/usr/bin/python3
-
-import json
-
-with open("settings.json") as f :
-	data = json.loads(f.read())
-
-with open("docs/environment_variables.md") as f :
-	docs = f.read()
-
-output = ""
-for cat in data :
-	for param in data[cat]["params"] :
-		if param["type"] == "multiple" :
-			params = param["params"]
-		else :
-			params = [param]
-		for true_param in params :
-			if not true_param["env"] in docs :
-				print("Missing variable in category " + cat + " : " + true_param["env"] + "=" + true_param["default"])
--- a/misc/variables.env
+++ b/misc/variables.env
@@ -1,191 +0,0 @@
-# List of environment variables for bunkerized-nginx.
-# Manual : https://bunkerized-nginx.readthedocs.io/en/latest/
-
-# Antibot
-#USE_ANTIBOT=no
-#ANTIBOT_URI=/challenge
-#ANTIBOT_SESSION_SECRET=random
-#ANTIBOT_RECAPTCHA_SITEKEY=
-#ANTIBOT_RECAPTCHA_SECRET=
-#ANTIBOT_RECAPTCHA_SCORE=0.7
-
-# Authelia
-#USE_AUTHELIA=no
-#AUTHELIA_BACKEND=
-#AUTHELIA_UPSTREAM=
-#AUTHELIA_MODE=portal
-
-# Basic auth
-#USE_AUTH_BASIC=no
-#AUTH_BASIC_LOCATION=sitewide
-#AUTH_BASIC_USER=changeme
-#AUTH_BASIC_PASSWORD=changeme
-#AUTH_BASIC_TEXT=Restricted area
-
-# Blacklist
-#USE_BLACKLIST_IP=yes
-#BLACKLIST_IP_LIST=
-#USE_BLACKLIST_REVERSE=yes
-#BLACKLIST_REVERSE_LIST=.shodan.io
-#BLACKLIST_COUNTRY=
-
-# Block
-#BLOCK_USER_AGENT=yes
-#BLOCK_TOR_EXIT_NODE=yes
-#BLOCK_PROXIES=yes
-#BLOCK_ABUSERS=yes
-#BLOCK_REFERRER=yes
-
-# Cache
-#USE_CLIENT_CACHE=no
-#CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
-#CLIENT_CACHE_CONTROL=public, max-age=15552000
-#CLIENT_CACHE_ETAG=on
-#USE_OPEN_FILE_CACHE=no
-#OPEN_FILE_CACHE=max=1000 inactive=20s
-#OPEN_FILE_CACHE_ERRORS=on
-#OPEN_FILE_CACHE_MIN_USES=2
-#OPEN_FILE_CACHE_VALID=30s
-#USE_PROXY_CACHE=no
-#PROXY_CACHE_PATH_ZONE_SIZE=10m
-#PROXY_CACHE_PATH_PARAMS=max_size=100m
-#PROXY_CACHE_METHODS=GET HEAD
-#PROXY_CACHE_MIN_USES=2
-#PROXY_CACHE_KEY=\$scheme\$host\$request_uri
-#PROXY_CACHE_VALID=200=10m 301=10m 302=1h
-#PROXY_NO_CACHE=\$http_authorization
-#PROXY_CACHE_BYPASS=\$http_authorization
-
-# Compression
-#USE_GZIP=no
-#GZIP_COMP_LEVEL=5
-#GZIP_MIN_LENGTH=1000
-#GZIP_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
-#USE_BROTLI=no
-#BROTLI_COMP_LEVEL=6
-#BROTLI_MIN_LENGTH=1000
-#BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
-
-# DNSBL
-#USE_DNSBL=yes
-#DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
-
-# HTTPS
-#AUTO_LETS_ENCRYPT=no
-#EMAIL_LETS_ENCRYPT=
-#USE_LETS_ENCRYPT_STAGING=no
-#REDIRECT_HTTP_TO_HTTPS=no
-#HTTP2=yes
-#HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
-#LISTEN_HTTP=yes
-#USE_CUSTOM_HTTPS=no
-#CUSTOM_HTTPS_CERT=
-#CUSTOM_HTTPS_KEY=
-#GENERATE_SELF_SIGNED_SSL=no
-#SELF_SIGNED_SSL_EXPIRY=365
-#SELF_SIGNED_SSL_COUNTRY=CH
-#SELF_SIGNED_SSL_STATE=Switzerland
-#SELF_SIGNED_SSL_CITY=Bern
-#SELF_SIGNED_SSL_OU=IT
-#SELF_SIGNED_SSL_ORG=Acme Inc
-#SELF_SIGNED_SSL_CN=bunkerized
-
-# Headers
-#X_FRAME_OPTIONS=DENY
-#X_XSS_PROTECTION=1; mode=block
-#X_CONTENT_TYPE_OPTIONS=nosniff
-#REFERRER_POLICY=no-referrer
-#FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
-#PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()
-#COOKIE_FLAGS=* HttpOnly SameSite=Lax
-#COOKIE_AUTO_SECURE_FLAG=yes
-#STRICT_TRANSPORT_SECURITY=max-age=31536000
-#CONTENT_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
-
-# Info leak
-#REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version
-#DISABLE_DEFAULT_SERVER=no
-#ERRORS=
-
-# Limit conn
-#USE_LIMIT_CONN=yes
-#LIMIT_CONN_MAX=50
-#LIMIT_CONN_CACHE=10m
-
-# Limit req
-#USE_LIMIT_REQ=yes
-#LIMIT_REQ_RATE=1r/s
-#LIMIT_REQ_BURST=2
-#LIMIT_REQ_CACHE=10m
-
-# Misc
-#SERVER_NAME=www.example.com
-#MAX_CLIENT_SIZE=10m
-#ALLOWED_METHODS=GET|POST|HEAD
-#SERVE_FILES=yes
-#INJECT_BODY=
-#REDIRECT_TO=
-#REDIRECT_TO_REQUEST_URI=no
-
-# ModSecurity
-#USE_MODSECURITY=yes
-#USE_MODSECURITY_CRS=yes
-#MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly
-
-# PHP
-#REMOTE_PHP=
-#REMOTE_PHP_PATH=/app
-#LOCAL_PHP=
-#LOCAL_PHP_PATH=/app
-
-# Reverse proxy
-#USE_REVERSE_PROXY=no
-#REVERSE_PROXY_URL=
-#REVERSE_PROXY_HOST=
-#REVERSE_PROXY_WS=no
-#REVERSE_PROXY_HEADERS=
-#PROXY_REAL_IP=no
-#PROXY_REAL_IP_FROM=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
-#PROXY_REAL_IP_HEADER=X-Forwarded-For
-#PROXY_REAL_IP_RECURSIVE=on
-
-# Bad behavior
-#USE_BAD_BEHAVIOR=yes
-#BAD_BEHAVIOR_BAN_TIME=86400
-#BAD_BEHAVIOR_COUNT_TIME=60
-#BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
-#BAD_BEHAVIOR_THRESHOLD=10
-
-# Internal
-#USE_API=no
-#API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
-#API_URI=random
-#SWARM_MODE=no
-#KUBERNETES_MODE=no
-#USE_REDIS=no
-#REDIS_HOST=
-
-# nginx
-#MULTISITE=no
-#DNS_RESOLVERS=127.0.0.11
-#LOG_FORMAT=$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
-#LOG_LEVEL=info
-#ROOT_FOLDER=/opt/bunkerized-nginx/www
-#ROOT_SITE_SUBFOLDER=
-#SERVER_TOKENS=off
-#HTTP_PORT=8080
-#HTTPS_PORT=8443
-#WORKER_RLIMIT_NOFILE=2048
-#WORKER_CONNECTIONS=1024
-#WORKER_PROCESSES=auto
-
-# Whitelist
-#USE_WHITELIST_IP=yes
-#WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
-#USE_WHITELIST_REVERSE=yes
-#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
-#WHITELIST_COUNTRY=
-#WHITELIST_USER_AGENT=
-#WHITELIST_URI=
-
-