diff --git a/1.4/404.html b/1.4/404.html
index c16f7de..ab6ad61 100644
--- a/1.4/404.html
+++ b/1.4/404.html
@@ -610,7 +610,7 @@ documentation for the current version.
Please contact us at security@bunkerity.com using the following PGP key :
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGCEMiMBEACtXJBDbF86qjC/Q1cfmJfYcYrbk6eE5czknG294XObC97wAgDf
-/MbX6bnti4kDRpflGDqQtwOXudcEzledTD4bdDUKvZwqPoYQGa24uCuUxSINTLXr
-RuoMaKfpvs7trsFXp5iYUqf4Org2aaJE7Tk/9sOvxgdqsT22jEgCZXTRU1qG494U
-u6XRQN8hKlw6aa6njjX9vUk6Jpl46/kwwO9mpXBZX6iFKYnBlUWs2k8d6D6cO5aZ
-KLoYyz5v3Gw2hHSqj4qbVQPTIT7qrrcfd8nblYK7Dh3IM+vQq7a7lB0AudIyBNPd
-rsypi9ZYgwI3lv/rmQnDc32Ua5cLvTvgg/XoaNK9ogc3kei1+hXODEgRA/zvSKqq
-20i/1Y0OnIGv89LOI6urWpOgDAhQUV5xvANll2lm3Bkmy29UOzNadUc/yImxrM06
-HwX82ju6PFAqOaxMW6SEE71ylGOSlikAGNcmmc5Ihd1J/VRZA4PBiQ31gQxFRpUC
-3NTw2QNAD1kjni5PuQD10Q1Ognvb6uJh/MtqsoX6r1t+Oly9MblFSuyqFkqNO3F0
-QAJqprhJlQ3YOcJdJ1EZR7qs0xJm5h+lw0Z/UINqkwiZUW3PCO8BKxfq6sfdwM8L
-5hPhyUzy2gIJ0J/4NGYEBH1ojoYODGU8OCSmyjSTY9SoVMeWDfqYP4ZTvQARAQAB
-tCVidW5rZXJpdHktcGdwIDxjb250YWN0QGJ1bmtlcml0eS5jb20+iQJUBBMBCAA+
-FiEEw78SjkcVxXCq7hStPYCAbxJgKnwFAmCEMiMCGwMFCQPCIP0FCwkIBwIGFQoJ
-CAsCBBYCAwECHgECF4AACgkQPYCAbxJgKnzvYhAAnNqGB6ce2eZzwk1EiNlNaXaA
-hFWLq/s/J1IOAP+0V5jKJxA6zTX01HyIfIIHQy6nrxxEXzYsIUHdJ+HBPCNswCqn
-2d/aDkkfoEUc1bUD0c2bXfoSCsAeIoK+eOf6iSr4IENVoIUYFQTUKFNu+Y7eDL0I
-J8Xadg53G+fkK9LE6TeYpBs3hDT4w7vlDfIwWa1NC9HoLzSmZ2fqZ7SnihLGsLmp
-98VqDrDjhRPzrz5/tVYgvPCQQU5ED/TayCCYvrGpw9gP8qmEOabIUz0ppGwEfQVs
-Wycilm1/Js/qjdbxUFMipBIzDu7bI3kMLmENhI+16Xtub9dUrvkW2SdDngYhtWj8
-IzVOe6N/XDuiRGpaYFpEuXbrnDFexe1ygZwnVHt3fukPfa7W8mhMs2kY1ishIA0O
-WElKO1Q6N0ZWEad0PwM8NCDjaDUNWQC36ZF/MS+ipHWx9joPUjImY2AXDjN+L+Si
-ABQIe4Fo6Jx6S6Bi8YvPq8idYZvaWFJjBvmaPjxdUMPbIsMRiEjvlrhvqhLuVBpE
-lGA+M4UJGw5yBl+yiiLDuws/Fppv9HwNqw6Uq1m1XaW859Om1GGBKYfphyn+fHjR
-7ftOuT7Ss4zioXT4mscOZgkfzDAqgpZiHjYhe7tLUu7iD6UEsZmey/gRV0hCxng3
-N7yaRrBu0+3sIQV4jYC5Ag0EYIQyIwEQALSurJGOx7At5mRFjvhXd4/JHuBZZOSI
-M45LSJ+mKYnAGmwsL0AneZMIf6Yc0Vcn32oqlIXN5aB8jIt91pChLre8tl/lFZZP
-xY3WIEBJhZF0FIUqSQLjg4HD0S70REii7Om1kgtZueid8V6T5F1JDcO2mDoh8oc9
-h9nRQ1Ld6dblEuwBzbFkI1K6OUk1+ec7+mQc7orHdBVgelmqwG7fGZnPiN3XfklF
-dnwSkFIX/qkAsKQmmx1VSzaGFoPLajf4wrkzZdA3iEafsHyvdEFlezZCZ7TsoHBh
-tNg1Psg6MbBVgiMfHyRHSEBJZ7r5Awj2MpFUFMOd1IPcor1I254mx0VYfCvof4Km
-Ri1F/86kHc23A77pd4HFYZWiZjaWhh12L+wz5fDL5/sSFXVGSCtSWIKx6FjysZ+v
-szk3lItHoomZhA7M+FjU/cOjq9hae9uwZeU39DQk0/npln2RcHitoqgUIzII5woO
-S3SlMSc910tHf40D2cBr1iFKC0jQICjkDexB9CtNx/N25SJmLfiimYtk6/NHlPq4
-HXdq6ZfLZ7xQmuGcyWv4f0pwA2CK3twISpsIxIKe456WYTDtQu9d1s987dvmw6F/
-qURC6m2WPGroHb8COQTKzbshjpGUmLpyR3FXki4wNXeI1KaQLL7NpZmK6yJlWviO
-1sCjh4m7VS+zABEBAAGJAjwEGAEIACYWIQTDvxKORxXFcKruFK09gIBvEmAqfAUC
-YIQyIwIbDAUJA8Ig/QAKCRA9gIBvEmAqfP2WEACqmXEhu4ARl2yT9bay0+W3F1q1
-MrLQkcVOau2ihXx3PhYsXRUoEFj72VDAar41WIlHsPJfB14WtSlYcX2XdjHLHMpC
-dL2eGhqIcHzFChR0vGjtvm2wae/rJTChWf8WXiHrRnRcfFFfhpCvkNi43fQeH4yp
-cel2a35WV+IRbnkCkaly2NG3XO0t83Siok8Ku+OJGPatUMxJmaEVQeeXVPDzVRva
-rtvyd9Sclkd9QDPBLZyWHC1vsPKGRJpi5uDZjGxhaFRkimw/SYtFHj7AUrMKAIHB
-GfEcwC3Eq4rF0FeCOPfBd2vwGGrRflx76jK9rj288ta9Oq6u6ev8PCVzt0E7jrSf
-AX88vfVRcxihNfj/9i5xmY596jpgbvNA2aJX2hAO3Q8pD6AunVXPUyc3RlFHt7jC
-tL+9Xv7Qwjz7OToWqj+9cM6T+6oZLxYNVPT72Z/KOFW+mzGb87qjcsDMb/hu2fNq
-tSWyZk2AAgHQyG1y8vCQQzsDnUDM6NIPwYG5XMP+11WAsPk5fP1ksixpUqIWgjhY
-M22YUsjLeaRtgSmhAGIkbBgecs1EHSZZ6sf2lB8gSom1wW0UCBPSifP0DwYFizS5
-SOk62kZ0lqEctwgKDe3MNQnPxt9+tU9L1pIkyXgXihcOLiCMl434K0djJXxIbiX0
-JvbFAfI3qteepvnjBQ==
-=g1tf
------END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=g1tf
+-----END PGP PUBLIC KEY BLOCK-----
@@ -801,7 +801,7 @@ documentation for the current version.
-
+
diff --git a/1.4/concepts/index.html b/1.4/concepts/index.html
index d68fabd..e92c7bc 100644
--- a/1.4/concepts/index.html
+++ b/1.4/concepts/index.html
@@ -642,13 +642,13 @@ documentation for the current version.
Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
Configuration of BunkerWeb is done using what we called the "settings" or "variables". Each setting is identified by a name like AUTO_LETS_ENCRYPT or USE_ANTIBOT for example. You can assign values to the settings to configure BunkerWeb.
Here is a dummy example of a BunkerWeb configuration :
-SERVER_NAME=www.example.com
-AUTO_LETS_ENCRYPT=yes
-USE_ANTIBOT=captcha
-REFERRER_POLICY=no-referrer
-USE_MODSECURITY=no
-USE_GZIP=yes
-USE_BROTLI=no
+SERVER_NAME=www.example.com
+AUTO_LETS_ENCRYPT=yes
+USE_ANTIBOT=captcha
+REFERRER_POLICY=no-referrer
+USE_MODSECURITY=no
+USE_GZIP=yes
+USE_BROTLI=no
Going further
@@ -665,16 +665,16 @@ documentation for the current version.
The multisite mode is controlled by the MULTISITE setting which can be set to yes (enabled) or no (disabled, which is the default).
Each setting has a context which defines "where" it can be applied. If the context is global then the setting can't be set per server (or "per site", "per app") but only to the whole configuration. Otherwise, if the context is multisite, the setting can be set globally and per server. Defining a multisite setting to a specific server is done by adding the server name as a prefix of the setting name like app1.example.com_AUTO_LETS_ENCRYPT or app2.example.com_USE_ANTIBOT for example. When a multisite setting is defined globally (without any server prefix), all the servers will inherit that setting (but can still be overriden if we set the same setting with the server name prefix).
Here is a dummy example of a multisite BunkerWeb configuration :
-MULTISITE=yes
-SERVER_NAME=app1.example.com app2.example.com app3.example.com
-AUTO_LETS_ENCRYPT=yes
-USE_GZIP=yes
-USE_BROTLI=yes
-app1.example.com_USE_ANTIBOT=javascript
-app1.example.com_USE_MODSECURITY=no
-app2.example.com_USE_ANTIBOT=cookie
-app2.example.com_WHITELIST_COUNTRY=FR
-app3.example.com_USE_BAD_BEHAVIOR=no
+MULTISITE=yes
+SERVER_NAME=app1.example.com app2.example.com app3.example.com
+AUTO_LETS_ENCRYPT=yes
+USE_GZIP=yes
+USE_BROTLI=yes
+app1.example.com_USE_ANTIBOT=javascript
+app1.example.com_USE_MODSECURITY=no
+app2.example.com_USE_ANTIBOT=cookie
+app2.example.com_WHITELIST_COUNTRY=FR
+app3.example.com_USE_BAD_BEHAVIOR=no
Going further
@@ -792,7 +792,7 @@ documentation for the current version.
-
+
diff --git a/1.4/index.html b/1.4/index.html
index 4688969..421b7d5 100644
--- a/1.4/index.html
+++ b/1.4/index.html
@@ -745,7 +745,7 @@ documentation for the current version.
-
+
diff --git a/1.4/integrations/index.html b/1.4/integrations/index.html
index 02de8f3..4edb532 100644
--- a/1.4/integrations/index.html
+++ b/1.4/integrations/index.html
@@ -661,13 +661,13 @@ documentation for the current version.
Docker integration
Using BunkerWeb as a Docker container is a quick and easy way to test and use it as long as you are familiar with the Docker technology.
-We provide ready to use prebuilt images for x64 and x86 architectures (armv7 and armv8 are not supported at the moment) on Docker Hub :
-docker pull bunkerity/bunkerweb:1.4.0
+We provide ready to use prebuilt images for x64, x86 armv8 and armv7 architectures on Docker Hub :
+docker pull bunkerity/bunkerweb:1.4.1
Alternatively, you can build the Docker images directly from the source (and take a coffee ☕ because it may be long depending on your hardware) :
-git clone https://github.com/bunkerity/bunkerweb.git && \
-cd bunkerweb && \
-docker build -t my-bunkerweb .
+git clone https://github.com/bunkerity/bunkerweb.git && \
+cd bunkerweb && \
+docker build -t my-bunkerweb .
Usage and configuration of the BunkerWeb container are based on :
@@ -677,20 +677,20 @@ documentation for the current version.
Environment variables
Settings are passed to BunkerWeb using Docker environment variables. You can use the -e flag :
-docker run \
- ...
- -e MY_SETTING=value \
- -e "MY_OTHER_SETTING=value with spaces" \
- ...
- bunkerity/bunkerweb:1.4.0
+docker run \
+ ...
+ -e MY_SETTING=value \
+ -e "MY_OTHER_SETTING=value with spaces" \
+ ...
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-...
-services:
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- environment:
- - MY_SETTING=value
+...
+services:
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ environment:
+ - MY_SETTING=value
Full list
@@ -699,25 +699,25 @@ documentation for the current version.
Volume
A volume is used to share data with BunkerWeb and store persistent data like certificates, cached files, ...
The easiest way of managing the volume is by using a named one. You will first need to create it :
-docker volume create bw-data
+docker volume create bw-data
Once it's created, you can mount it on /data when running the container :
-docker run \
- ...
- -v "${PWD}/bw-data:/data" \
- ...
- bunkerity/bunkerweb:1.4.0
+docker run \
+ ...
+ -v "${PWD}/bw-data:/data" \
+ ...
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-...
-services:
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- volumes:
- - bw-data:/data
-...
-volumes:
- bw-data:
+...
+services:
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ volumes:
+ - bw-data:/data
+...
+volumes:
+ bw-data:
Warning
@@ -726,47 +726,47 @@ But there is a downside : if you use a local folder for the persistent d
shell mkdir bw-data && \ chown root:101 bw-data && \ chmod 770 bw-data
Alternatively, if the folder already exists :
-chown -R root:101 bw-data && \
-chmod -R 770 bw-data
+chown -R root:101 bw-data && \
+chmod -R 770 bw-data
Mounting the folder :
-docker run \
- ...
- -v ./bw-data:/data \
- ...
- bunkerity/bunkerweb:1.4.0
+docker run \
+ ...
+ -v ./bw-data:/data \
+ ...
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-...
-services:
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- volumes:
- - ./bw-data:/data
+...
+services:
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ volumes:
+ - ./bw-data:/data
Networks
The easiest way to connect BunkerWeb to web applications is by using Docker networks.
First of all, you will need to create a network :
-docker network create mynetwork
+docker network create mynetwork
Once it's created, you will need to connect the container to that network :
-docker run \
- ...
- --network mynetwork \
- ...
- bunkerity/bunkerweb:1.4.0
+docker run \
+ ...
+ --network mynetwork \
+ ...
+ bunkerity/bunkerweb:1.4.1
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
Here is the docker-compose equivalent :
-...
-services:
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- networks:
- - bw-net
-...
-networks:
- bw-net:
+...
+services:
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ networks:
+ - bw-net
+...
+networks:
+ bw-net:
Docker autoconf
@@ -785,120 +785,115 @@ But there is a downside : if you use a local folder for the persistent d
The Docker autoconf integration implies the use of multisite mode. Please refer to the multisite section of the documentation for more information.
First of all, you will need to create the data volume :
-docker volume create bw-data
+docker volume create bw-data
-
-- One for sharing the persistent data, mounted on /data
-- Another one for sharing the generated Nginx configurations, mounted on /etc/nginx
-
Then, you can create two networks (replace 10.20.30.0/24 with an unused subnet of your choice) :
-docker network create --subnet 10.20.30.0/24 bw-autoconf && \
-docker network create bw-services
+docker network create --subnet 10.20.30.0/24 bw-autoconf && \
+docker network create bw-services
- One for communication between BunkerWeb and autoconf
- Another one for communication between BunkerWeb and web applications
You can now create the BunkerWeb container with the AUTOCONF_MODE=yes setting and the bunkerweb.AUTOCONF label (replace 10.20.30.0/24 with the subnet specified before) :
-docker run \
- -d \
- --name mybunker \
- --network bw-autoconf \
- -p 80:8080 \
- -p 443:8443 \
- -e AUTOCONF_MODE=yes \
- -e MULTISITE=yes \
- -e SERVER_NAME= \
- -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
- -l bunkerweb.AUTOCONF \
- bunkerity/bunkerweb:1.4.0 && \
-
-docker network connect bw-services mybunker
+docker run \
+ -d \
+ --name mybunker \
+ --network bw-autoconf \
+ -p 80:8080 \
+ -p 443:8443 \
+ -e AUTOCONF_MODE=yes \
+ -e MULTISITE=yes \
+ -e SERVER_NAME= \
+ -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
+ -l bunkerweb.AUTOCONF \
+ bunkerity/bunkerweb:1.4.1 && \
+
+docker network connect bw-services mybunker
And the autoconf one :
-docker run \
- -d \
- --name myautoconf \
- --network bw-autoconf \
- -v bw-data:/data \
- -v /var/run/docker.sock:/var/run/docker.sock:ro \
- bunkerity/bunkerweb-autoconf:1.4.0
+docker run \
+ -d \
+ --name myautoconf \
+ --network bw-autoconf \
+ -v bw-data:/data \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ bunkerity/bunkerweb-autoconf:1.4.1
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
-version: '3'
-
-services:
-
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- ports:
- - 80:8080
- - 443:8443
- volumes:
- - bw-data:/data
- environment:
- - MULTISITE=yes
- - SERVER_NAME=
- - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- labels:
- - "bunkerweb.AUTOCONF"
- networks:
- - bw-autoconf
- - bw-services
-
- myautoconf:
- image: bunkerity/bunkerweb-autoconf:1.4.0
- volumes:
- - bw-data:/data
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - bw-autoconf
-
-volumes:
- bw-data:
-
-networks:
- bw-autoconf:
- ipam:
- driver: default
- config:
- - subnet: 10.20.30.0/24
- bw-services:
- name: bw-services
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ environment:
+ - AUTOCONF_MODE=yes
+ - MULTISITE=yes
+ - SERVER_NAME=
+ - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+ labels:
+ - "bunkerweb.AUTOCONF"
+ networks:
+ - bw-autoconf
+ - bw-services
+
+ myautoconf:
+ image: bunkerity/bunkerweb-autoconf:1.4.1
+ volumes:
+ - bw-data:/data
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - bw-autoconf
+
+volumes:
+ bw-data:
+
+networks:
+ bw-autoconf:
+ ipam:
+ driver: default
+ config:
+ - subnet: 10.20.30.0/24
+ bw-services:
+ name: bw-services
Once the stack is setup, you can now create the web application container and add the settings as labels using the "bunkerweb." prefix in order to automatically setup BunkerWeb :
-docker run \
- -d \
- --name myapp \
- --network bw-services \
- -l bunkerweb.MY_SETTING_1=value1 \
- -l bunkerweb.MY_SETTING_2=value2 \
- ...
- mywebapp:4.2
+docker run \
+ -d \
+ --name myapp \
+ --network bw-services \
+ -l bunkerweb.MY_SETTING_1=value1 \
+ -l bunkerweb.MY_SETTING_2=value2 \
+ ...
+ mywebapp:4.2
Here is the docker-compose equivalent :
-...
-
-services:
-
- myapp:
- image: mywebapp:4.2
- networks:
- bw-services:
- aliases:
- - myapp
- labels:
- - "bunkerweb.MY_SETTING_1=value1"
- - "bunkerweb.MY_SETTING_2=value2"
-
-...
-
-networks:
- bw-services:
- external:
- name: bw-services
-
-...
+...
+
+services:
+
+ myapp:
+ image: mywebapp:4.2
+ networks:
+ bw-services:
+ aliases:
+ - myapp
+ labels:
+ - "bunkerweb.MY_SETTING_1=value1"
+ - "bunkerweb.MY_SETTING_2=value2"
+
+...
+
+networks:
+ bw-services:
+ external:
+ name: bw-services
+
+...
Swarm
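Review bot: The autoconf examples in this hunk (the `docker run ... --name myautoconf` command and the `myautoconf` compose service) bind-mount `/var/run/docker.sock` with `:ro`, but the page never says that this flag only makes the mount read-only and does not restrict the Docker API calls sent through the socket. A reader may assume the autoconf container has read-only access to the daemon, whereas anything that can connect to the socket can still ask the daemon to create or modify containers. I would add a sentence after the autoconf command such as `Note: the :ro option does not limit Docker API access; treat the autoconf container as having full control of the Docker daemon and keep it attached to the bw-autoconf network only.` The same mount appears in the Swarm hunk that follows (`--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro`).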
@@ -914,132 +909,132 @@ But there is a downside : if you use a local folder for the persistent d
Like the Docker autoconf integration, configuration for web services is defined using labels starting with the special bunkerweb. prefix.
The recommended setup is to schedule the BunkerWeb service as a global service on all worker nodes and the autoconf service as a single replicated service on a manager node.
First of all, you will need to create two networks (replace 10.20.30.0/24 with an unused subnet of your choice) :
-docker network create -d overlay --attachable --subnet 10.20.30.0/24 bw-autoconf && \
-docker network create -d overlay --attachable bw-services
+docker network create -d overlay --attachable --subnet 10.20.30.0/24 bw-autoconf && \
+docker network create -d overlay --attachable bw-services
- One for communication between BunkerWeb and autoconf
- Another one for communication between BunkerWeb and web applications
You can now create the BunkerWeb service (replace 10.20.30.0/24 with the subnet specified before) :
-docker service create \
- --name mybunker \
- --mode global \
- --constraint node.role==worker \
- --network bw-autoconf \
- --network bw-services \
- -p published=80,target=8080,mode=host \
- -p published=443,target=8443,mode=host \
- -e SWARM_MODE=yes \
- -e SERVER_NAME= \
- -e MULTISITE=yes \
- -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
- -l bunkerweb.AUTOCONF \
- bunkerity/bunkerweb:1.4.0
+docker service create \
+ --name mybunker \
+ --mode global \
+ --constraint node.role==worker \
+ --network bw-autoconf \
+ --network bw-services \
+ -p published=80,target=8080,mode=host \
+ -p published=443,target=8443,mode=host \
+ -e SWARM_MODE=yes \
+ -e SERVER_NAME= \
+ -e MULTISITE=yes \
+ -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
+ -l bunkerweb.AUTOCONF \
+ bunkerity/bunkerweb:1.4.1
And the autoconf one :
-docker service \
- create \
- --name myautoconf \
- --constraint node.role==manager \
- --network bw-autoconf \
- --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
- --mount type=volume,source=bw-data,destination=/data \
- -e SWARM_MODE=yes \
- bunkerity/bunkerweb-autoconf:1.4.0
+docker service \
+ create \
+ --name myautoconf \
+ --constraint node.role==manager \
+ --network bw-autoconf \
+ --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
+ --mount type=volume,source=bw-data,destination=/data \
+ -e SWARM_MODE=yes \
+ bunkerity/bunkerweb-autoconf:1.4.1
Here is the docker-compose equivalent (using docker stack deploy) :
-version: '3.5'
-
-services:
-
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- ports:
- - published: 80
- target: 8080
- mode: host
- protocol: tcp
- - published: 443
- target: 8443
- mode: host
- protocol: tcp
- environment:
- - SWARM_MODE=yes
- - SERVER_NAME=
- - MULTISITE=yes
- - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- networks:
- - bw-autoconf
- - bw-services
- deploy:
- mode: global
- placement:
- constraints:
- - "node.role==worker"
- labels:
- - "bunkerweb.AUTOCONF"
-
- myautoconf:
- image: bunkerity/bunkerweb-autoconf:1.4.0
- environment:
- - SWARM_MODE=yes
- volumes:
- - bw-data:/data
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - bw-autoconf
- deploy:
- replicas: 1
- placement:
- constraints:
- - "node.role==manager"
-
-networks:
- bw-autoconf:
- driver: overlay
- attachable: true
- name: bw-autoconf
- ipam:
- config:
- - subnet: 10.20.30.0/24
- bw-services:
- driver: overlay
- attachable: true
- name: bw-services
-
-volumes:
- bw-data:
+version: '3.5'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - published: 80
+ target: 8080
+ mode: host
+ protocol: tcp
+ - published: 443
+ target: 8443
+ mode: host
+ protocol: tcp
+ environment:
+ - SWARM_MODE=yes
+ - SERVER_NAME=
+ - MULTISITE=yes
+ - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+ networks:
+ - bw-autoconf
+ - bw-services
+ deploy:
+ mode: global
+ placement:
+ constraints:
+ - "node.role==worker"
+ labels:
+ - "bunkerweb.AUTOCONF"
+
+ myautoconf:
+ image: bunkerity/bunkerweb-autoconf:1.4.1
+ environment:
+ - SWARM_MODE=yes
+ volumes:
+ - bw-data:/data
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - bw-autoconf
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - "node.role==manager"
+
+networks:
+ bw-autoconf:
+ driver: overlay
+ attachable: true
+ name: bw-autoconf
+ ipam:
+ config:
+ - subnet: 10.20.30.0/24
+ bw-services:
+ driver: overlay
+ attachable: true
+ name: bw-services
+
+volumes:
+ bw-data:
Once the BunkerWeb Swarm stack is set up and running (see autoconf logs for more information), you can now deploy web applications in the cluster and use labels to dynamically configure BunkerWeb :
-docker service \
- create \
- --name myapp \
- --network bw-services \
- -l bunkerweb.MY_SETTING_1=value1 \
- -l bunkerweb.MY_SETTING_2=value2 \
- ...
- mywebapp:4.2
+docker service \
+ create \
+ --name myapp \
+ --network bw-services \
+ -l bunkerweb.MY_SETTING_1=value1 \
+ -l bunkerweb.MY_SETTING_2=value2 \
+ ...
+ mywebapp:4.2
Here is the docker-compose equivalent (using docker stack deploy) :
-...
-services:
- myapp:
- image: mywebapp:4.2
- networks:
- - bw-services
- deploy:
- placement:
- constraints:
- - "node.role==worker"
- labels:
- - "bunkerweb.MY_SETTING_1=value1"
- - "bunkerweb.MY_SETTING_2=value2"
-...
-networks:
- bw-services:
- external:
- name: bw-services
+...
+services:
+ myapp:
+ image: mywebapp:4.2
+ networks:
+ - bw-services
+ deploy:
+ placement:
+ constraints:
+ - "node.role==worker"
+ labels:
+ - "bunkerweb.MY_SETTING_1=value1"
+ - "bunkerweb.MY_SETTING_2=value2"
+...
+networks:
+ bw-services:
+ external:
+ name: bw-services
Kubernetes
@@ -1049,167 +1044,167 @@ But there is a downside : if you use a local folder for the persistent d
The autoconf acts as an Ingress controller and will configure the BunkerWeb instances according to the Ingress resources. It also monitors other Kubernetes objects like ConfigMap for custom configurations.
The first step to install BunkerWeb on a Kubernetes cluster is to add a role and permissions on the cluster for the autoconf :
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cr-bunkerweb
-rules:
-- apiGroups: [""]
- resources: ["services", "pods", "configmaps"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sa-bunkerweb
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: crb-bunkerweb
-subjects:
-- kind: ServiceAccount
- name: sa-bunkerweb
- namespace: default
- apiGroup: ""
-roleRef:
- kind: ClusterRole
- name: cr-bunkerweb
- apiGroup: rbac.authorization.k8s.io
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cr-bunkerweb
+rules:
+- apiGroups: [""]
+ resources: ["services", "pods", "configmaps"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-bunkerweb
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: crb-bunkerweb
+subjects:
+- kind: ServiceAccount
+ name: sa-bunkerweb
+ namespace: default
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: cr-bunkerweb
+ apiGroup: rbac.authorization.k8s.io
The recommended way of deploying BunkerWeb is using a DaemonSet which means each node in the cluster will run an instance of BunkerWeb :
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: bunkerweb
-spec:
- selector:
- matchLabels:
- app: bunkerweb
- template:
- metadata:
- labels:
- app: bunkerweb
- # mandatory annotation
- annotations:
- bunkerweb.io/AUTOCONF: "yes"
- spec:
- containers:
- - name: bunkerweb
- image: bunkerity/bunkerweb
- securityContext:
- runAsUser: 101
- runAsGroup: 101
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- ports:
- - containerPort: 8080
- hostPort: 80
- - containerPort: 8443
- hostPort: 443
- env:
- - name: KUBERNETES_MODE
- value: "yes"
- # replace with your DNS resolvers
- # e.g. : kube-dns.kube-system.svc.cluster.local
- - name: DNS_RESOLVERS
- value: "coredns.kube-system.svc.cluster.local"
- - name: USE_API
- value: "yes"
- # 10.0.0.0/8 is the cluster internal subnet
- - name: API_WHITELIST_IP
- value: "127.0.0.0/8 10.0.0.0/8"
- - name: SERVER_NAME
- value: ""
- - name: MULTISITE
- value: "yes"
- livenessProbe:
- exec:
- command:
- - /opt/bunkerweb/helpers/healthcheck.sh
- initialDelaySeconds: 30
- periodSeconds: 5
- timeoutSeconds: 1
- failureThreshold: 3
- readinessProbe:
- exec:
- command:
- - /opt/bunkerweb/helpers/healthcheck.sh
- initialDelaySeconds: 30
- periodSeconds: 1
- timeoutSeconds: 1
- failureThreshold: 3
----
-apiVersion: v1
-kind: Service
-metadata:
- name: svc-bunkerweb
-spec:
- clusterIP: None
- selector:
- app: bunkerweb
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: bunkerweb
+spec:
+ selector:
+ matchLabels:
+ app: bunkerweb
+ template:
+ metadata:
+ labels:
+ app: bunkerweb
+ # mandatory annotation
+ annotations:
+ bunkerweb.io/AUTOCONF: "yes"
+ spec:
+ containers:
+ - name: bunkerweb
+ image: bunkerity/bunkerweb
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - containerPort: 8080
+ hostPort: 80
+ - containerPort: 8443
+ hostPort: 443
+ env:
+ - name: KUBERNETES_MODE
+ value: "yes"
+ # replace with your DNS resolvers
+ # e.g. : kube-dns.kube-system.svc.cluster.local
+ - name: DNS_RESOLVERS
+ value: "coredns.kube-system.svc.cluster.local"
+ - name: USE_API
+ value: "yes"
+ # 10.0.0.0/8 is the cluster internal subnet
+ - name: API_WHITELIST_IP
+ value: "127.0.0.0/8 10.0.0.0/8"
+ - name: SERVER_NAME
+ value: ""
+ - name: MULTISITE
+ value: "yes"
+ livenessProbe:
+ exec:
+ command:
+ - /opt/bunkerweb/helpers/healthcheck.sh
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readinessProbe:
+ exec:
+ command:
+ - /opt/bunkerweb/helpers/healthcheck.sh
+ initialDelaySeconds: 30
+ periodSeconds: 1
+ timeoutSeconds: 1
+ failureThreshold: 3
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-bunkerweb
+spec:
+ clusterIP: None
+ selector:
+ app: bunkerweb
In order to store persistent data, you will need a PersistentVolumeClaim :
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: pvc-bunkerweb
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 5Gi
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc-bunkerweb
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
Now, you can start the autoconf as a single replica Deployment :
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: bunkerweb-controller
-spec:
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app: bunkerweb-controller
- template:
- metadata:
- labels:
- app: bunkerweb-controller
- spec:
- serviceAccountName: sa-bunkerweb
- volumes:
- - name: vol-bunkerweb
- persistentVolumeClaim:
- claimName: pvc-bunkerweb
- containers:
- - name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf
- imagePullPolicy: Always
- env:
- - name: KUBERNETES_MODE
- value: "yes"
- volumeMounts:
- - name: vol-bunkerweb
- mountPath: /data
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bunkerweb-controller
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: bunkerweb-controller
+ template:
+ metadata:
+ labels:
+ app: bunkerweb-controller
+ spec:
+ serviceAccountName: sa-bunkerweb
+ volumes:
+ - name: vol-bunkerweb
+ persistentVolumeClaim:
+ claimName: pvc-bunkerweb
+ containers:
+ - name: bunkerweb-controller
+ image: bunkerity/bunkerweb-autoconf
+ imagePullPolicy: Always
+ env:
+ - name: KUBERNETES_MODE
+ value: "yes"
+ volumeMounts:
+ - name: vol-bunkerweb
+ mountPath: /data
Once the BunkerWeb Kubernetes stack is setup and running (see autoconf logs for more information), you can now deploy web applications in the cluster and declare your Ingress resource. Please note that settings need to be set as annotations for the Ingress resource with the special value bunkerweb.io for the domain part :
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ingress
- annotations:
- bunkerweb.io/MY_SETTING_1: "value1"
- bunkerweb.io/MY_SETTING_2: "value2"
-spec:
- rules:
-...
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+ annotations:
+ bunkerweb.io/MY_SETTING_1: "value1"
+ bunkerweb.io/MY_SETTING_2: "value2"
+spec:
+ rules:
+...
Linux
@@ -1224,83 +1219,140 @@ But there is a downside : if you use a local folder for the persistent d
Fedora 36
CentOS Stream 8
-Please note that you will need to install NGINX 1.20.2 before BunkerWeb. For all distros, except Fedora, using prebuilt packages from official NGINX repository is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official supported way of installing BunkerWeb on Linux.
+Please note that you will need to install NGINX 1.20.2 before BunkerWeb. For all distros, except Fedora, using prebuilt packages from official NGINX repository is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official prebuild packages of BunkerWeb but you can build it from source.
Repositories of Linux packages for BunkerWeb are available on PackageCloud, they provide a bash script to automatically add and trust the repository (but you can also follow the manual installation instructions if you prefer).
-
+
The first step is to add NGINX official repository :
-
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
-| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/debian `lsb_release -cs` nginx" \
-| sudo tee /etc/apt/sources.list.d/nginx.list
+sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/debian `lsb_release -cs` nginx" \
+| sudo tee /etc/apt/sources.list.d/nginx.list
You should now be able to install NGINX 1.20.2 :
-
sudo apt update && \
-sudo apt install nginx=1.20.2-1~bullseye
+sudo apt update && \
+sudo apt install -y nginx=1.20.2-1~bullseye
-And finally install BunkerWeb 1.4.0 :
-
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
-apt update && \
-apt install -y bunkerweb=1.4.0
+And finally install BunkerWeb 1.4.1 :
+
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
+sudo apt update && \
+sudo apt install -y bunkerweb=1.4.1
+
+To prevent upgrading NGINX and/or BunkerWeb packages when executing apt upgrade, you can use the following command :
+
sudo apt-mark hold nginx bunkerweb
The first step is to add NGINX official repository :
-
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
-| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
-| sudo tee /etc/apt/sources.list.d/nginx.list
+sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
+| sudo tee /etc/apt/sources.list.d/nginx.list
You should now be able to install NGINX 1.20.2 :
-
sudo apt update && \
-sudo apt install nginx=1.20.2-1~jammy
+sudo apt update && \
+sudo apt install -y nginx=1.20.2-1~jammy
-And finally install BunkerWeb 1.4.0 :
-
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
-apt update && \
-apt install -y bunkerweb=1.4.0
+And finally install BunkerWeb 1.4.1 :
+
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
+sudo apt update && \
+sudo apt install -y bunkerweb=1.4.1
+
+To prevent upgrading NGINX and/or BunkerWeb packages when executing apt upgrade, you can use the following command :
+
sudo apt-mark hold nginx bunkerweb
Fedora already provides NGINX 1.20.2 that we support :
-
sudo dnf install nginx-1.20.2
+sudo dnf install -y nginx-1.20.2
-curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
-dnf check-update && \
-dnf install -y bunkerweb-1.4.0
+curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
+sudo dnf check-update && \
+sudo dnf install -y bunkerweb-1.4.1
+To prevent upgrading NGINX and/or BunkerWeb packages when executing dnf upgrade, you can use the following command :
+
sudo dnf versionlock add nginx && \
+sudo dnf versionlock add bunkerweb
+
The first step is to add NGINX official repository, create the following file at /etc/yum.repos.d/nginx.repo :
-
[nginx-stable]
-name=nginx stable repo
-baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
-gpgcheck=1
-enabled=1
-gpgkey=https://nginx.org/keys/nginx_signing.key
-module_hotfixes=true
+[nginx-stable]
+name=nginx stable repo
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
You should now be able to install NGINX 1.20.2 :
-
sudo dnf install nginx-1.20.2
+sudo dnf install nginx-1.20.2
-And finally install BunkerWeb 1.4.0 :
-
dnf install -y epel-release && \
-curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
-dnf check-update && \
-dnf install -y bunkerweb-1.4.0
+And finally install BunkerWeb 1.4.1 :
+
dnf install -y epel-release && \
+curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
+sudo dnf check-update && \
+sudo dnf install -y bunkerweb-1.4.1
+
+To prevent upgrading NGINX and/or BunkerWeb packages when executing dnf upgrade, you can use the following command :
+
sudo dnf versionlock add nginx && \
+sudo dnf versionlock add bunkerweb
+
+
+
+The first step is to install NGINX 1.20.2 using the repository of your choice or by compiling it from source.
+The target installation folder of BunkerWeb is located at /opt/bunkerweb, let's create it :
+
mkdir /opt/bunkerweb
+
+You can now clone the BunkerWeb project to the /tmp folder :
+
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
+
+BunkerWeb needs some dependencies to be compiled and install to /opt/bunkerweb/deps, the easiest way to it is by executing the install.sh helper script (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
+
mkdir /opt/bunkerweb/deps && \
+/tmp/bunkerweb/deps/install.sh
+
+Additional Python dependencies needs to be installed into the /opt/bunkerweb/deps/python folder :
+
mkdir /opt/bunkerweb/deps/python && \
+pip install --no-cache-dir --require-hashes --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
+pip install --no-cache-dir --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt
+
+Once dependencies had been installed, you can now copy the BunkerWeb sources to the target /opt/bunkerweb folder :
+
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/bunkerweb-ui.env linux/scripts ; do
+ cp -r /tmp/bunkerweb/${src} /opt/bunkerweb
+done
+cp /opt/bunkerweb/helpers/bwcli /usr/local/bin
+
+Additional folders also need to be created :
+
mkdir /opt/bunkerweb/{configs,cache,plugins,tmp}
+
+Permissions needs to be fixed :
+
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
+find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
+find /opt/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
+chmod 770 /opt/bunkerweb/cache /opt/bunkerweb/tmp && \
+chmod 750 /opt/bunkerweb/gen/main.py /opt/bunkerweb/job/main.py /opt/bunkerweb/cli/main.py /opt/bunkerweb/helpers/*.sh /opt/bunkerweb/scripts/*.sh /usr/local/bin/bwcli /opt/bunkerweb/ui/main.py && \
+chown -R root:nginx /opt/bunkerweb
+
+Last but not least, you will need to setup systemd unit files :
+
cp /tmp/bunkerweb/linux/*.service /etc/systemd/system && \
+systemctl daemon-reload && \
+systemctl stop nginx && \
+systemctl disable nginx && \
+systemctl enable bunkerweb && \
+systemctl enable bunkerweb-ui
Configuration of BunkerWeb is done by editing the /opt/bunkerweb/variables.env file :
-MY_SETTING_1=value1
-MY_SETTING_2=value2
-...
+MY_SETTING_1=value1
+MY_SETTING_2=value2
+...
BunkerWeb is managed using systemctl :
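Review bot: The second `pip install` in the new build-from-source steps drops `--require-hashes`, so the packages from `ui/requirements.txt` are installed into `/opt/bunkerweb/deps/python` without the integrity check applied to `deps/requirements.txt` one line earlier. If the UI requirements file carries hashes (not visible here), the line should read `pip install --no-cache-dir --require-hashes --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt`; otherwise the docs should say why it is exempt. The same steps clone to the fixed path `/tmp/bunkerweb`, then run `install.sh` and copy unit files from it, apparently as root; on a shared host a directory created with `mktemp -d` avoids a predictable name in a world-writable location. Separately, the CentOS block still starts with `dnf install -y epel-release` without `sudo`, although this change adds `sudo` to the lines after it.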
@@ -1414,7 +1466,7 @@ But there is a downside : if you use a local folder for the persistent d
-
+
diff --git a/1.4/migrating/index.html b/1.4/migrating/index.html
index 9142f83..b49e2dc 100644
--- a/1.4/migrating/index.html
+++ b/1.4/migrating/index.html
@@ -442,11 +442,18 @@ documentation for the current version.
Removed features
+
+
+ -
+
+ Changed Authelia support
+
+
-
- Replaced BLOCK_, WHITELIST_ and BLACKLIST_* settings
+ Replaced BLOCK_*, WHITELIST_* and BLACKLIST_* settings
@@ -636,18 +643,19 @@ documentation for the current version.
Migrating from bunkerized
Read this if you were a bunkerized user
-A lot of things have changed since the last bunkerized release. If you want to an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
+A lot of things have changed since the last bunkerized release. If you want to do an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
Volumes
When using container-based integrations like Docker, Docker autoconf, Swarm or Kubernetes, volumes for storing data like certificates, cache or custom configurations has changed. We now have a single "bw-data" volume which contains everything and should be easier to manage than bunkerized.
Removed features
We decided to drop the following features :
-- Authelia : we will make an official plugin for that
- Blocking "bad" referrers : we may add it again in the future
- ROOT_SITE_SUBFOLDER : we will need to redesign this in the future
-Replaced BLOCK_, WHITELIST_ and BLACKLIST_* settings
+Changed Authelia support
+Instead of supporting only Authelia, we decided to support generic auth request settings. See the new authelia example and auth request documentation for more information.
+Replaced BLOCK_*, WHITELIST_* and BLACKLIST_* settings
The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the Blacklisting and whitelisting section of the security tuning.
Changed WHITELIST_USER_AGENT setting behavior
The new behavior of the WHITELIST_USER_AGENT setting is to disable completely security checks if the User-Agent value of a client match any of the patterns. In bunkerized it was used to ignore specific User-Agent values when BLOCK_USER_AGENT was set to yes to avoid false positives. You can choose the blacklist of your choice to avoid FP (see previous section).
@@ -759,7 +767,7 @@ documentation for the current version.
-
+
diff --git a/1.4/plugins/index.html b/1.4/plugins/index.html
index 761f663..f7fce21 100644
--- a/1.4/plugins/index.html
+++ b/1.4/plugins/index.html
@@ -714,66 +714,66 @@ documentation for the current version.
When using the Docker integration, plugins must be written to the volume mounted on /data.
The first thing to do is to create the plugins folder :
-
mkdir -p ./bw-data/plugins
+mkdir -p ./bw-data/plugins
Then you can drop the plugins of your choice into that folder :
-
git clone https://github.com/bunkerity/bunkerweb-plugins && \
-cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
+git clone https://github.com/bunkerity/bunkerweb-plugins && \
+cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
-
chown -R root:101 bw-data && \
-chmod -R 770 bw-data
+chown -R root:101 bw-data && \
+chmod -R 770 bw-data
When starting the BunkerWeb container, you will need to mount the folder on /data :
-
docker run \
- ...
- -v "${PWD}/bw-data:/data" \
- ...
- bunkerity/bunkerweb:1.4.0
+docker run \
+ ...
+ -v "${PWD}/bw-data:/data" \
+ ...
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-
mybunker:
- image: bunkerity/bunkerweb:1.4.0
- volumes:
- - ./bw-data:/data
- ...
+mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ volumes:
+ - ./bw-data:/data
+ ...
When using the Docker autoconf integration, plugins must be written to the volume mounted on /data.
The easiest way to do it is by starting the Docker autoconf stack with a folder mounted on /data (instead of a named volume). Once the stack is started, you can copy the plugins of your choice to the plugins folder from your host :
-
git clone https://github.com/bunkerity/bunkerweb-plugins && \
-cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
+git clone https://github.com/bunkerity/bunkerweb-plugins && \
+cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
Because BunkerWeb runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
-
chown -R root:101 bw-data && \
-chmod -R 770 bw-data
+chown -R root:101 bw-data && \
+chmod -R 770 bw-data
When using the Swarm integration, the easiest way of installing plugins is by using docker exec and downloading the plugins from the container.
Execute a shell inside the autoconf container (use docker ps to get the name) :
-
docker exec -it myautoconf /bin/bash
+docker exec -it myautoconf /bin/bash
Once you have a shell inside the container, you can drop the plugins of your choice inside the /data/plugins folder :
-
git clone https://github.com/bunkerity/bunkerweb-plugins && \
-cp -rp ./bunkerweb-plugins/* /data/plugins
+git clone https://github.com/bunkerity/bunkerweb-plugins && \
+cp -rp ./bunkerweb-plugins/* /data/plugins
When using the Kubernetes integration, the easiest way of installing plugins is by using kubectl exec and downloading the plugins from the container.
Execute a shell inside the autoconf container (use kubectl get pods to get the name) :
-
kubectl exec -it myautoconf -- /bin/bash
+kubectl exec -it myautoconf -- /bin/bash
Once you have a shell inside the container, you can drop the plugins of your choice inside the /data/plugins folder :
-
git clone https://github.com/bunkerity/bunkerweb-plugins && \
-cp -rp ./bunkerweb-plugins/* /data/plugins
+git clone https://github.com/bunkerity/bunkerweb-plugins && \
+cp -rp ./bunkerweb-plugins/* /data/plugins
When using the Linux integration, plugins must be written to the /opt/bunkerweb/plugins folder :
-
@@ -785,36 +785,36 @@ documentation for the current version.
If the documentation is not enough you can have a look at the existing source code of official plugins and the core plugins (already included in BunkerWeb but they are plugins technically speaking).
The first step is to create a folder that will contain the plugin :
-mkdir myplugin && \
-cd myplugin
+mkdir myplugin && \
+cd myplugin
Metadata
A file named plugin.json and written at the root of the plugin folder must contain metadata about the plugin. Here is an example :
-{
- "id": "myplugin",
- "order": 42,
- "name": "My Plugin",
- "description": "Just an example plugin.",
- "version": "1.0",
- "settings": {
- "DUMMY_SETTING": {
- "context": "multisite",
- "default": "1234",
- "help": "Here is the help of the setting.",
- "id": "dummy-id",
- "label": "Dummy setting",
- "regex": "^.*$",
- "type": "text"
- }
- }
- "jobs": [
- {
- "name": "my-job",
- "file": "my-job.py",
- "every": "hour"
- }
- ]
-}
+{
+ "id": "myplugin",
+ "order": 42,
+ "name": "My Plugin",
+ "description": "Just an example plugin.",
+ "version": "1.0",
+ "settings": {
+ "DUMMY_SETTING": {
+ "context": "multisite",
+ "default": "1234",
+ "help": "Here is the help of the setting.",
+ "id": "dummy-id",
+ "label": "Dummy setting",
+ "regex": "^.*$",
+ "type": "text"
+ }
+ }
+ "jobs": [
+ {
+ "name": "my-job",
+ "file": "my-job.py",
+ "every": "hour"
+ }
+ ]
+}
Here are the details of the fields :
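Review bot: The `plugin.json` example is not valid JSON as rendered, because the closing brace of the `"settings"` object is followed directly by `"jobs": [` with no comma. The old side of the hunk has the same omission, so this commit carries it over unchanged. The line before `"jobs"` should be `},` so that a reader who copies the example gets a file that parses.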
@@ -972,46 +972,46 @@ documentation for the current version.
Configurations
You can add custom NGINX configurations by adding a folder named confs with content similar to the custom configurations. Each subfolder inside the confs will contain jinja2 templates that will be generated and loaded at the corresponding context (http, server-http and default-server-http).
Here is an example for a configuration template file inside the confs/server-http folder named example.conf :
-location /setting {
- default_type 'text/plain';
- content_by_lua_block {
- ngx.say('{{ DUMMY_SETTING }}')
- }
-}
+location /setting {
+ default_type 'text/plain';
+ content_by_lua_block {
+ ngx.say('{{ DUMMY_SETTING }}')
+ }
+}
{{ DUMMY_SETTING }} will be replaced by the value of the DUMMY_SETTING chosen by the user of the plugin.
LUA
Main script
Under the hood, BunkerWeb is using the NGINX LUA module to execute code within NGINX. Plugins that need to execute code must provide a lua file at the root directory of the plugin folder using the id value of plugin.json as its name. Here is an example named myplugin.lua :
-local _M = {}
-_M.__index = _M
-
-local utils = require "utils"
-local datastore = require "datastore"
-local logger = require "logger"
-
-function _M.new()
- local self = setmetatable({}, _M)
- self.dummy = "dummy"
- return self, nil
-end
-
-function _M:init()
- logger.log(ngx.NOTICE, "MYPLUGIN", "init called")
- return true, "success"
-end
-
-function _M:access()
- logger.log(ngx.NOTICE, "MYPLUGIN", "access called")
- return true, "success", nil, nil
-end
-
-function _M:log()
- logger.log(ngx.NOTICE, "MYPLUGIN", "log called")
- return true, "success"
-end
-
-return _M
+local _M = {}
+_M.__index = _M
+
+local utils = require "utils"
+local datastore = require "datastore"
+local logger = require "logger"
+
+function _M.new()
+ local self = setmetatable({}, _M)
+ self.dummy = "dummy"
+ return self, nil
+end
+
+function _M:init()
+ logger.log(ngx.NOTICE, "MYPLUGIN", "init called")
+ return true, "success"
+end
+
+function _M:access()
+ logger.log(ngx.NOTICE, "MYPLUGIN", "access called")
+ return true, "success", nil, nil
+end
+
+function _M:log()
+ logger.log(ngx.NOTICE, "MYPLUGIN", "log called")
+ return true, "success"
+end
+
+return _M
The 3 functions init, access, and log are automatically called during specific contexts. Here are the details of each function :
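Review bot: The `example.conf` template renders `{{ DUMMY_SETTING }}` verbatim inside a single-quoted Lua string in `content_by_lua_block`, while the `plugin.json` example earlier in this file accepts any value for that setting (`"regex": "^.*$"`). A value containing a quote or a newline would therefore change the generated Lua or NGINX configuration rather than just the printed text. The docs should add a caveat after the example, such as `Settings are inserted into templates as-is; restrict them with a strict "regex" in plugin.json before using them inside Lua or NGINX strings.` The example could also use a narrower pattern, for instance `"regex": "^[A-Za-z0-9_-]*$"`.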
@@ -1047,22 +1047,22 @@ documentation for the current version.
Libraries
All directives from NGINX LUA module are available. On top of that, you can use the LUA libraries included within BunkerWeb : see this script for the complete list.
If you need additional libraries, you can put them in the root folder of the plugin and access them by prefixing them with your plugin ID. Here is an example file named mylibrary.lua :
-local _M = {}
-
-_M.dummy = function ()
- return "dummy"
-end
-
-return _M
+local _M = {}
+
+_M.dummy = function ()
+ return "dummy"
+end
+
+return _M
And here is how you can use it from the myplugin.lua file :
-local mylibrary = require "myplugin.mylibrary"
-
-...
-
-mylibrary.dummy()
-
-...
+local mylibrary = require "myplugin.mylibrary"
+
+...
+
+mylibrary.dummy()
+
+...
Helpers
Some helpers modules provide common helpful functions :
@@ -1072,39 +1072,39 @@ documentation for the current version.
- utils : various useful functions
To access the functions, you first need to require the module :
-...
-
-local utils = require "utils"
-local datastore = require "datastore"
-local logger = require "logger"
-
-...
+...
+
+local utils = require "utils"
+local datastore = require "datastore"
+local logger = require "logger"
+
+...
Retrieve a setting value :
-local value, err = utils:get_variable("DUMMY_SETTING")
-if not value then
- logger.log(ngx.ERR, "MYPLUGIN", "can't retrieve setting DUMMY_SETTING : " .. err)
-else
- logger.log(ngx.NOTICE, "MYPLUGIN", "DUMMY_SETTING = " .. value)
-end
+local value, err = utils:get_variable("DUMMY_SETTING")
+if not value then
+ logger.log(ngx.ERR, "MYPLUGIN", "can't retrieve setting DUMMY_SETTING : " .. err)
+else
+ logger.log(ngx.NOTICE, "MYPLUGIN", "DUMMY_SETTING = " .. value)
+end
Store something in the cache :
-local ok, err = datastore:set("plugin_myplugin_something", "somevalue")
-if not value then
- logger.log(ngx.ERR, "MYPLUGIN", "can't save plugin_myplugin_something into datastore : " .. err)
-else
- logger.log(ngx.NOTICE, "MYPLUGIN", "successfully saved plugin_myplugin_something into datastore into datastore")
-end
+local ok, err = datastore:set("plugin_myplugin_something", "somevalue")
+if not value then
+ logger.log(ngx.ERR, "MYPLUGIN", "can't save plugin_myplugin_something into datastore : " .. err)
+else
+ logger.log(ngx.NOTICE, "MYPLUGIN", "successfully saved plugin_myplugin_something into datastore into datastore")
+end
Check if an IP address is global :
-local ret, err = utils.ip_is_global(ngx.var.remote_addr)
-if ret == nil then
- logger.log(ngx.ERR, "MYPLUGIN", "error while checking if IP " .. ngx.var.remote_addr .. " is global or not : " .. err)
-elseif not ret then
- logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is not global")
-else
- logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is global")
-end
+local ret, err = utils.ip_is_global(ngx.var.remote_addr)
+if ret == nil then
+ logger.log(ngx.ERR, "MYPLUGIN", "error while checking if IP " .. ngx.var.remote_addr .. " is global or not : " .. err)
+elseif not ret then
+ logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is not global")
+else
+ logger.log(ngx.NOTICE, "MYPLUGIN", "IP " .. ngx.var.remote_addr .. " is global")
+end
More examples
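Review bot: In the "Store something in the cache" snippet the result of `datastore:set(...)` is assigned to `ok`, but the next line tests `if not value then`. Read on its own, the snippet never assigns `value`, so the error branch is taken regardless of whether the write succeeded, and the concatenation with `err` there may itself fail if `err` is nil. The check should be `if not ok then`. The success message also repeats "into datastore" twice.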
@@ -1216,7 +1216,7 @@ documentation for the current version.
-
+
diff --git a/1.4/quickstart-guide/index.html b/1.4/quickstart-guide/index.html
index 9aaaba5..fdbdce4 100644
--- a/1.4/quickstart-guide/index.html
+++ b/1.4/quickstart-guide/index.html
@@ -676,217 +676,217 @@ documentation for the current version.
When using Docker integration, the easiest way of protecting an existing application is to create a network so BunkerWeb can send requests using the container name.
Create the Docker network if it's not already created :
-
docker network create bw-net
+docker network create bw-net
Then instantiate your app :
-
docker run -d \
- --name myapp \
- --network bw-net \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp \
+ --network bw-net \
+ nginxdemos/hello:plain-text
Create the BunkerWeb volume if it's not already created :
-
docker volume create bw-data
+docker volume create bw-data
You can now run BunkerWeb and configure it for your app :
-
docker run -d \
- --name mybunker \
- --network bw-net \
- -p 80:8080 \
- -p 443:8443 \
- -v bw-data:/data \
- -e SERVER_NAME=www.example.com \
- -e USE_REVERSE_PROXY=yes \
- -e REVERSE_PROXY_URL=/ \
- -e REVERSE_PROXY_HOST=http://myapp \
- bunkerity/bunkerweb:1.4.0
+docker run -d \
+ --name mybunker \
+ --network bw-net \
+ -p 80:8080 \
+ -p 443:8443 \
+ -v bw-data:/data \
+ -e SERVER_NAME=www.example.com \
+ -e USE_REVERSE_PROXY=yes \
+ -e REVERSE_PROXY_URL=/ \
+ -e REVERSE_PROXY_HOST=http://myapp \
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- ports:
- - 80:8080
- - 443:8443
- volumes:
- - bw-data:/data
- environment:
- - USE_REVERSE_PROXY=yes
- - REVERSE_PROXY_URL=/
- - REVERSE_PROXY_HOST=http://myapp
- networks:
- - bw-net
-
- myapp:
- image: nginxdemos/hello:plain-text
- networks:
- - bw-net
-
-volumes:
- bw-data:
-
-networks:
- bw-net:
- name: bw-net
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - bw-data:/data
+ environment:
+ - USE_REVERSE_PROXY=yes
+ - REVERSE_PROXY_URL=/
+ - REVERSE_PROXY_HOST=http://myapp
+ networks:
+ - bw-net
+
+ myapp:
+ image: nginxdemos/hello:plain-text
+ networks:
+ - bw-net
+
+volumes:
+ bw-data:
+
+networks:
+ bw-net:
+ name: bw-net
We will assume that you already have the Docker autoconf integration stack running on your machine and connected to a network called bw-services.
You can instantiate your container and pass the settings as labels :
-
docker run -d \
- --name myapp \
- --network bw-services \
- -l bunkerweb.SERVER_NAME=www.example.com \
- -l bunkerweb.USE_REVERSE_PROXY=yes \
- -l bunkerweb.USE_REVERSE_URL=/ \
- -l bunkerweb.REVERSE_PROXY_HOST=http://myapp \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp \
+ --network bw-services \
+ -l bunkerweb.SERVER_NAME=www.example.com \
+ -l bunkerweb.USE_REVERSE_PROXY=yes \
+ -l bunkerweb.USE_REVERSE_URL=/ \
+ -l bunkerweb.REVERSE_PROXY_HOST=http://myapp \
+ nginxdemos/hello:plain-text
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- myapp:
- image: nginxdemos/hello:plain-text
- networks:
- bw-services:
- aliases:
- - myapp
- labels:
- - "bunkerweb.SERVER_NAME=www.example.com"
- - "bunkerweb.USE_REVERSE_PROXY=yes"
- - "bunkerweb.REVERSE_PROXY_URL=/"
- - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"
-
-networks:
- bw-services:
- external:
- name: bw-services
+version: '3'
+
+services:
+
+ myapp:
+ image: nginxdemos/hello:plain-text
+ networks:
+ bw-services:
+ aliases:
+ - myapp
+ labels:
+ - "bunkerweb.SERVER_NAME=www.example.com"
+ - "bunkerweb.USE_REVERSE_PROXY=yes"
+ - "bunkerweb.REVERSE_PROXY_URL=/"
+ - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"
+
+networks:
+ bw-services:
+ external:
+ name: bw-services
We will assume that you already have the Swarm integration stack running on your cluster.
You can instantiate your service and pass the settings as labels :
-
docker service \
- create \
- --name myapp \
- --network bw-services \
- -l bunkerweb.SERVER_NAME=www.example.com \
- -l bunkerweb.USE_REVERSE_PROXY=yes \
- -l bunkerweb.REVERSE_PROXY_HOST=http://myapp \
- -l bunkerweb.REVERSE_PROXY_URL=/ \
- nginxdemos/hello:plain-text
+docker service \
+ create \
+ --name myapp \
+ --network bw-services \
+ -l bunkerweb.SERVER_NAME=www.example.com \
+ -l bunkerweb.USE_REVERSE_PROXY=yes \
+ -l bunkerweb.REVERSE_PROXY_HOST=http://myapp \
+ -l bunkerweb.REVERSE_PROXY_URL=/ \
+ nginxdemos/hello:plain-text
Here is the docker-compose equivalent (using docker stack deploy) :
-
version: "3"
-
-services:
-
- myapp:
- image: nginxdemos/hello:plain-text
- networks:
- bw-services:
- aliases:
- - myapp
- deploy:
- placement:
- constraints:
- - "node.role==worker"
- labels:
- - "bunkerweb.SERVER_NAME=www.example.com"
- - "bunkerweb.USE_REVERSE_PROXY=yes"
- - "bunkerweb.REVERSE_PROXY_URL=/"
- - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"
-
-networks:
- bw-services:
- external:
- name: bw-services
+version: "3"
+
+services:
+
+ myapp:
+ image: nginxdemos/hello:plain-text
+ networks:
+ bw-services:
+ aliases:
+ - myapp
+ deploy:
+ placement:
+ constraints:
+ - "node.role==worker"
+ labels:
+ - "bunkerweb.SERVER_NAME=www.example.com"
+ - "bunkerweb.USE_REVERSE_PROXY=yes"
+ - "bunkerweb.REVERSE_PROXY_URL=/"
+ - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"
+
+networks:
+ bw-services:
+ external:
+ name: bw-services
We will assume that you already have the Kubernetes integration stack running on your cluster.
Let's assume that you have a typical Deployment with a Service to access the web application from within the cluster :
-
apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: app
- labels:
- app: app
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: app
- image: nginxdemos/hello:plain-text
- ports:
- - containerPort: 80
----
-apiVersion: v1
-kind: Service
-metadata:
- name: svc-app
-spec:
- selector:
- app: app
- ports:
- - protocol: TCP
- port: 80
- targetPort: 80
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+ labels:
+ app: app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: app
+ image: nginxdemos/hello:plain-text
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-app
+spec:
+ selector:
+ app: app
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
Here is the corresponding Ingress definition to serve and protect the web application :
-
apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ingress
- annotations:
- bunkerweb.io/AUTOCONF: "yes"
-spec:
- rules:
- - host: www.example.com
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: svc-app
- port:
- number: 80
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+ annotations:
+ bunkerweb.io/AUTOCONF: "yes"
+spec:
+ rules:
+ - host: www.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: svc-app
+ port:
+ number: 80
We will assume that you already have the Linux integration stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
-
python3 -m http.server -b 127.0.0.1
+python3 -m http.server -b 127.0.0.1
Configuration of BunkerWeb is done by editing the /opt/bunkerweb/variables.env file :
-
SERVER_NAME=www.example.com
-HTTP_PORT=80
-HTTPS_PORT=443
-DNS_RESOLVERS=8.8.8.8 8.8.4.4
-USE_REVERSE_PROXY=yes
-REVERSE_PROXY_URL=/
-REVERSE_PROXY_HOST=http://127.0.0.1:8000
+SERVER_NAME=www.example.com
+HTTP_PORT=80
+HTTPS_PORT=443
+DNS_RESOLVERS=8.8.8.8 8.8.4.4
+USE_REVERSE_PROXY=yes
+REVERSE_PROXY_URL=/
+REVERSE_PROXY_HOST=http://127.0.0.1:8000
Let's check the status of BunkerWeb :
-
systemctl status bunkerweb
+systemctl status bunkerweb
If it's already running we can just reload it :
-
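Review bot: The Docker autoconf `docker run` example passes `-l bunkerweb.USE_REVERSE_URL=/`, whereas its docker-compose equivalent and the Swarm command in the same hunk use `bunkerweb.REVERSE_PROXY_URL=/`. The label looks like a typo and would presumably leave the reverse proxy URL unset for anyone copying the command; it should read `-l bunkerweb.REVERSE_PROXY_URL=/ \`. In the first docker-compose example the `environment` list also omits `SERVER_NAME=www.example.com`, which the matching `docker run` command sets, so the two are not actually equivalent.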
@@ -902,97 +902,97 @@ documentation for the current version.
When using Docker integration, the easiest way of protecting multiple existing applications is to create a network so BunkerWeb can send requests using the container names.
Create the Docker network if it's not already created :
-
docker network create bw-net
+docker network create bw-net
Then instantiate your apps :
-docker run -d \
- --name myapp1 \
- --network bw-net \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp1 \
+ --network bw-net \
+ nginxdemos/hello:plain-text
-
Create the BunkerWeb volume if it's not already created :
-
docker volume create bw-data
+docker volume create bw-data
You can now run BunkerWeb and configure it for your apps :
-
docker run -d \
- --name mybunker \
- --network bw-net \
- -p 80:8080 \
- -p 443:8443 \
- -v bw-data:/data \
- -e MULTISITE=yes
- -e "SERVER_NAME=app1.example.com app2.example.com app3.example.com" \
- -e USE_REVERSE_PROXY=yes \
- -e REVERSE_PROXY_URL=/ \
- -e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
- -e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
- -e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
- bunkerity/bunkerweb:1.4.0
+docker run -d \
+ --name mybunker \
+ --network bw-net \
+ -p 80:8080 \
+ -p 443:8443 \
+ -v bw-data:/data \
+ -e MULTISITE=yes
+ -e "SERVER_NAME=app1.example.com app2.example.com app3.example.com" \
+ -e USE_REVERSE_PROXY=yes \
+ -e REVERSE_PROXY_URL=/ \
+ -e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
+ -e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
+ -e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
+ bunkerity/bunkerweb:1.4.1
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- mybunker:
- image: bunkerity/bunkerweb:1.4.0
- ports:
- - 80:8080
- - 443:8443
- volumes:
- - bw-data:/data
- environment:
- - MULTISITE=yes
- - SERVER_NAME=app1.example.com app2.example.com app3.example.com
- - USE_REVERSE_PROXY=yes
- - REVERSE_PROXY_URL=/
- - app1.example.com_REVERSE_PROXY_HOST=http://myapp1
- - app2.example.com_REVERSE_PROXY_HOST=http://myapp2
- - app3.example.com_REVERSE_PROXY_HOST=http://myapp3
- networks:
- - bw-net
-
- myapp1:
- image: nginxdemos/hello:plain-text
- networks:
- - bw-net
-
- myapp2:
- image: nginxdemos/hello:plain-text
- networks:
- - bw-net
-
- myapp3:
- image: nginxdemos/hello:plain-text
- networks:
- - bw-net
-
-volumes:
- bw-data:
-
-networks:
- bw-net:
- name: bw-net
+version: '3'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.1
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - bw-data:/data
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=app1.example.com app2.example.com app3.example.com
+ - USE_REVERSE_PROXY=yes
+ - REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://myapp1
+ - app2.example.com_REVERSE_PROXY_HOST=http://myapp2
+ - app3.example.com_REVERSE_PROXY_HOST=http://myapp3
+ networks:
+ - bw-net
+
+ myapp1:
+ image: nginxdemos/hello:plain-text
+ networks:
+ - bw-net
+
+ myapp2:
+ image: nginxdemos/hello:plain-text
+ networks:
+ - bw-net
+
+ myapp3:
+ image: nginxdemos/hello:plain-text
+ networks:
+ - bw-net
+
+volumes:
+ bw-data:
+
+networks:
+ bw-net:
+ name: bw-net
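Review bot: The `docker run` listing for `mybunker` still has no line continuation after `-e MULTISITE=yes`, so a copy-pasted command ends there, before the image name and the remaining `-e` settings; the line should read `-e MULTISITE=yes \`. The commit carries this line over unchanged while bumping the image tag to 1.4.1, and the docker-compose equivalent below it is not affected. This looks like a built documentation page, so the fix probably belongs in the Markdown source it is generated from.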
@@ -1001,102 +1001,102 @@ documentation for the current version.
-docker run -d \
- --name myapp1 \
- --network bw-services \
- -l bunkerweb.SERVER_NAME=app1.example.com \
- -l bunkerweb.USE_REVERSE_PROXY=yes \
- -l bunkerweb.USE_REVERSE_URL=/ \
- -l bunkerweb.REVERSE_PROXY_HOST=http://myapp1 \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp1 \
+ --network bw-services \
+ -l bunkerweb.SERVER_NAME=app1.example.com \
+ -l bunkerweb.USE_REVERSE_PROXY=yes \
+ -l bunkerweb.USE_REVERSE_URL=/ \
+ -l bunkerweb.REVERSE_PROXY_HOST=http://myapp1 \
+ nginxdemos/hello:plain-text
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- myapp1:
- image: nginxdemos/hello:plain-text
- networks:
- bw-services:
- aliases:
- - myapp1
- labels:
- - "bunkerweb.SERVER_NAME=app1.example.com"
- - "bunkerweb.USE_REVERSE_PROXY=yes"
- - "bunkerweb.REVERSE_PROXY_URL=/"
- - "bunkerweb.REVERSE_PROXY_HOST=http://myapp1"
-
-networks:
- bw-services:
- external:
- name: bw-services
+version: '3'
+
+services:
+
+ myapp1:
+ image: nginxdemos/hello:plain-text
+ networks:
+ bw-services:
+ aliases:
+ - myapp1
+ labels:
+ - "bunkerweb.SERVER_NAME=app1.example.com"
+ - "bunkerweb.USE_REVERSE_PROXY=yes"
+ - "bunkerweb.REVERSE_PROXY_URL=/"
+ - "bunkerweb.REVERSE_PROXY_HOST=http://myapp1"
+
+networks:
+ bw-services:
+ external:
+ name: bw-services
-docker run -d \
- --name myapp2 \
- --network bw-services \
- -l bunkerweb.SERVER_NAME=app2.example.com \
- -l bunkerweb.USE_REVERSE_PROXY=yes \
- -l bunkerweb.USE_REVERSE_URL=/ \
- -l bunkerweb.REVERSE_PROXY_HOST=http://myapp2 \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp2 \
+ --network bw-services \
+ -l bunkerweb.SERVER_NAME=app2.example.com \
+ -l bunkerweb.USE_REVERSE_PROXY=yes \
+ -l bunkerweb.USE_REVERSE_URL=/ \
+ -l bunkerweb.REVERSE_PROXY_HOST=http://myapp2 \
+ nginxdemos/hello:plain-text
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- myapp2:
- image: nginxdemos/hello:plain-text
- networks:
- bw-services:
- aliases:
- - myapp2
- labels:
- - "bunkerweb.SERVER_NAME=app2.example.com"
- - "bunkerweb.USE_REVERSE_PROXY=yes"
- - "bunkerweb.REVERSE_PROXY_URL=/"
- - "bunkerweb.REVERSE_PROXY_HOST=http://myapp2"
-
-networks:
- bw-services:
- external:
- name: bw-services
+version: '3'
+
+services:
+
+ myapp2:
+ image: nginxdemos/hello:plain-text
+ networks:
+ bw-services:
+ aliases:
+ - myapp2
+ labels:
+ - "bunkerweb.SERVER_NAME=app2.example.com"
+ - "bunkerweb.USE_REVERSE_PROXY=yes"
+ - "bunkerweb.REVERSE_PROXY_URL=/"
+ - "bunkerweb.REVERSE_PROXY_HOST=http://myapp2"
+
+networks:
+ bw-services:
+ external:
+ name: bw-services
-docker run -d \
- --name myapp3 \
- --network bw-services \
- -l bunkerweb.SERVER_NAME=app3.example.com \
- -l bunkerweb.USE_REVERSE_PROXY=yes \
- -l bunkerweb.USE_REVERSE_URL=/ \
- -l bunkerweb.REVERSE_PROXY_HOST=http://myapp3 \
- nginxdemos/hello:plain-text
+docker run -d \
+ --name myapp3 \
+ --network bw-services \
+ -l bunkerweb.SERVER_NAME=app3.example.com \
+ -l bunkerweb.USE_REVERSE_PROXY=yes \
+ -l bunkerweb.USE_REVERSE_URL=/ \
+ -l bunkerweb.REVERSE_PROXY_HOST=http://myapp3 \
+ nginxdemos/hello:plain-text
Here is the docker-compose equivalent :
-
version: '3'
-
-services:
-
- myapp3:
- image: nginxdemos/hello:plain-text
- networks:
- bw-services:
- aliases:
- - myapp3
- labels:
- - "bunkerweb.SERVER_NAME=app3.example.com"
- - "bunkerweb.USE_REVERSE_PROXY=yes"
- - "bunkerweb.REVERSE_PROXY_URL=/"
- - "bunkerweb.REVERSE_PROXY_HOST=http://myapp3"
-
-networks:
- bw-services:
- external:
- name: bw-services
+