Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add REDIRECT_TO_REQUEST_URI variable and edit environment variables docs

Browse Source
This commit is contained in:
bunkerity 2021-08-20 14:59:16 +02:00
parent 58f2926e95
commit b13ff34569
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
7 changed files with 116 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
confs/site/redirect-to.conf
View File

@ -1 +1,5 @@
{% if REDIRECT_TO_REQUEST_URI == "yes" %}
return 301 {{ REDIRECT_TO }}$request_uri; return 301 {{ REDIRECT_TO }}$request_uri;
{% else %}
return 301 {{ REDIRECT_TO }};
{% endif %}

62
docs/environment_variables.md
View File

@ -87,24 +87,42 @@ Default value : *8443*
Context : *global* Context : *global*
The HTTPS port number used by nginx inside the container. The HTTPS port number used by nginx inside the container.
`WORKER_CONNECTIONS` `WORKER_CONNECTIONS`
Values : *\<any positive integer\>* Values : *\<any positive integer\>*
Default value : 1024 Default value : 1024
Context : *global* Context : *global*
Sets the value of the [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive. Sets the value of the [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive.
`WORKER_RLIMIT_NOFILE` `WORKER_RLIMIT_NOFILE`
Values : *\<any positive integer\>* Values : *\<any positive integer\>*
Default value : 2048 Default value : 2048
Context : *global* Context : *global*
Sets the value of the [worker_rlimit_nofile](https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) directive. Sets the value of the [worker_rlimit_nofile](https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) directive.
`WORKER_PROCESSES`
Values : *\<any positive integer or auto\>*
Default value : auto
Context : *global*
Sets the value of the [worker_processes](https://nginx.org/en/docs/ngx_core_module.html#worker_processes) directive.
`INJECT_BODY` `INJECT_BODY`
Values : *\<any HTML code\>* Values : *\<any HTML code\>*
Default value : Default value :
Context : *global*, *multisite* Context : *global*, *multisite*
Use this variable to inject any HTML code you want before the \</body\> tag (e.g. : `\<script src="https://..."\>`) Use this variable to inject any HTML code you want before the \</body\> tag (e.g. : `\<script src="https://..."\>`)
`REDIRECT_TO`
Values : *\<any valid absolute URI\>*
Default value :
Context : *global*, *multisite*
Use this variable if you want to redirect one server to another (e.g., redirect apex to www : `REDIRECT_TO=https://www.example.com`).
`REDIRECT_TO_REQUEST_URI`
Values : *yes* | *no*
Default value : *no*
Context : *global*, *multisite*
When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something).
### Information leak ### Information leak
`SERVER_TOKENS` `SERVER_TOKENS`
@ -397,6 +415,12 @@ Default value : *contact@first-domain-in-server-name*
Context : *global*, *multisite* Context : *global*, *multisite*
Define the contact email address declare in the certificate. Define the contact email address declare in the certificate.
`USE_LETS_ENCRYPT_STAGING`
Values : *yes* | *no*
Default value : *no*
Context : *global*, *multisite*
When set to yes, it tells certbot to use the [staging environment](https://letsencrypt.org/docs/staging-environment/) for Let's Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.
### HTTP ### HTTP
`LISTEN_HTTP` `LISTEN_HTTP`
@ -527,6 +551,8 @@ Sets the value of the [SecAuditEngine directive](https://github.com/SpiderLabs/M
## Security headers ## Security headers
If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
`X_FRAME_OPTIONS` `X_FRAME_OPTIONS`
Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net* Values : *DENY* | *SAMEORIGIN* | *ALLOW-FROM https://www.website.net*
Default value : *DENY* Default value : *DENY*
@ -851,6 +877,18 @@ Default value : */app*
Context : *global*, *multisite* Context : *global*, *multisite*
The path where the PHP files are located inside the server specified in `REMOTE_PHP`. The path where the PHP files are located inside the server specified in `REMOTE_PHP`.
`LOCAL_PHP`
Values : *\<any valid absolute path\>*
Default value :
Context : *global*, *multisite*
Set the absolute path of the unix socket file of a local PHP-FPM instance to execute .php files.
`LOCAL_PHP_PATH`
Values : *\<any valid absolute path\>*
Default value : */app*
Context : *global*, *multisite*
The path where the PHP files are located inside the server specified in `LOCAL_PHP`.
## Bad behavior ## Bad behavior
`USE_BAD_BEHAVIOR` `USE_BAD_BEHAVIOR`
@ -915,22 +953,34 @@ Choose authentication mode : show a web page (`portal`) or a simple auth basic p
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
Context : *global* Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode). Only set to *yes* when you use *bunkerized-nginx* with Docker Swarm integration.
`KUBERNETES_MODE`
Values : *yes* | *no*
Default value : *no*
Context : *global*
Only set to *yes* when you use bunkerized-nginx with Kubernetes integration.
`USE_API` `USE_API`
Values : *yes* | *no* Values : *yes* | *no*
Default value : *no* Default value : *no*
Context : *global* Context : *global*
Only set to *yes* when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode). Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.
`API_URI` `API_URI`
Values : *random* | *\<any valid URI path\>* Values : *random* | *\<any valid URI path\>*
Default value : *random* Default value : *random*
Context : *global* Context : *global*
Set it to a random path when you use *bunkerized-nginx* with *autoconf* feature in swarm mode. More info [here](#swarm-mode). Only set to *yes* when you use bunkerized-nginx with Swarm/Kubernetes integration or with the web UI.
`API_WHITELIST_IP` `API_WHITELIST_IP`
Values : *\<list of IP/CIDR separated with space\>* Values : *\<list of IP/CIDR separated with space\>*
Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8* Default value : *192.168.0.0/16 172.16.0.0/12 10.0.0.0/8*
Context : *global* Context : *global*
List of IP/CIDR block allowed to send API order using the `API_URI` uri. List of IP/CIDR block allowed to send API order using the `API_URI` uri.
`USE_REDIS`
Undocumented. Reserved for future use.
`REDIS_HOST`
Undocumented. Reserved for future use.

2
docs/security_tuning.md
View File

@ -87,6 +87,8 @@ Some important HTTP headers related to client security are sent with a default v
You can also remove headers (e.g., too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`). You can also remove headers (e.g., too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
If you want to keep your application headers and tell bunkerized-nginx to not override it, just set the corresponding environment variable to an empty value (e.g., `CONTENT_SECURITY_POLICY=`, `PERMISSIONS_POLICY=`, ...).
## ModSecurity ## ModSecurity
ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within bunkerized-nginx. To change this behaviour you can use the `USE_MODSECURITY=no` or `USE_MODSECURITY_CRS=no` environment variables. ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within bunkerized-nginx. To change this behaviour you can use the `USE_MODSECURITY=no` or `USE_MODSECURITY_CRS=no` environment variables.

20
misc/set2doc.py Executable file
View File

@ -0,0 +1,20 @@
#!/usr/bin/python3
import json
with open("settings.json") as f :
data = json.loads(f.read())
with open("docs/environment_variables.md") as f :
docs = f.read()
output = ""
for cat in data :
for param in data[cat]["params"] :
if param["type"] == "multiple" :
params = param["params"]
else :
params = [param]
for true_param in params :
if not true_param["env"] in docs :
print("Missing variable in category " + cat + " : " + true_param["env"] + "=" + true_param["default"])

22
misc/variables.env
View File

@ -66,11 +66,6 @@
#BROTLI_MIN_LENGTH=1000 #BROTLI_MIN_LENGTH=1000
#BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml #BROTLI_TYPES=application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml
# CrowdSec
#USE_CROWDSEC=no
#CROWDSEC_HOST=
#CROWDSEC_KEY=
# DNSBL # DNSBL
#USE_DNSBL=yes #USE_DNSBL=yes
#DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org #DNSBL_LIST=bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org
@ -78,6 +73,7 @@
# HTTPS # HTTPS
#AUTO_LETS_ENCRYPT=no #AUTO_LETS_ENCRYPT=no
#EMAIL_LETS_ENCRYPT= #EMAIL_LETS_ENCRYPT=
#USE_LETS_ENCRYPT_STAGING=no
#REDIRECT_HTTP_TO_HTTPS=no #REDIRECT_HTTP_TO_HTTPS=no
#HTTP2=yes #HTTP2=yes
#HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3 #HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
@ -123,11 +119,13 @@
#LIMIT_REQ_CACHE=10m #LIMIT_REQ_CACHE=10m
# Misc # Misc
#SERVER_NAME=www.bunkerity.com #SERVER_NAME=www.example.com
#MAX_CLIENT_SIZE=10m #MAX_CLIENT_SIZE=10m
#ALLOWED_METHODS=GET|POST|HEAD #ALLOWED_METHODS=GET|POST|HEAD
#SERVE_FILES=yes #SERVE_FILES=yes
#INJECT_BODY= #INJECT_BODY=
#REDIRECT_TO=
#REDIRECT_TO_REQUEST_URI=no
# ModSecurity # ModSecurity
#USE_MODSECURITY=yes #USE_MODSECURITY=yes
@ -137,6 +135,8 @@
# PHP # PHP
#REMOTE_PHP= #REMOTE_PHP=
#REMOTE_PHP_PATH=/app #REMOTE_PHP_PATH=/app
#LOCAL_PHP=
#LOCAL_PHP_PATH=/app
# Reverse proxy # Reverse proxy
#USE_REVERSE_PROXY=no #USE_REVERSE_PROXY=no
@ -156,11 +156,14 @@
#BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444 #BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
#BAD_BEHAVIOR_THRESHOLD=10 #BAD_BEHAVIOR_THRESHOLD=10
# API # Internal
#USE_API=no #USE_API=no
#API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 #API_WHITELIST_IP=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
#API_URI=random #API_URI=random
#SWARM_MODE=no #SWARM_MODE=no
#KUBERNETES_MODE=no
#USE_REDIS=no
#REDIS_HOST=
# nginx # nginx
#MULTISITE=no #MULTISITE=no
@ -174,12 +177,15 @@
#HTTPS_PORT=8443 #HTTPS_PORT=8443
#WORKER_RLIMIT_NOFILE=2048 #WORKER_RLIMIT_NOFILE=2048
#WORKER_CONNECTIONS=1024 #WORKER_CONNECTIONS=1024
#WORKER_PROCESSES=auto
# Whitelist # Whitelist
#USE_WHITELIST_IP=yes #USE_WHITELIST_IP=yes
#WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8 #WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8
#USE_WHITELIST_REVERSE=yes #USE_WHITELIST_REVERSE=yes
#WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net #WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net
#WHITELIST_COUNTRY= #WHITELIST_COUNTRY=
#WHITELIST_USER_AGENT= #WHITELIST_USER_AGENT=
#WHITELIST_URI= #WHITELIST_URI=

13
settings.json
View File

@ -534,7 +534,7 @@
"env": "EMAIL_LETS_ENCRYPT", "env": "EMAIL_LETS_ENCRYPT",
"id": "email-lets-encrypt", "id": "email-lets-encrypt",
"label": "Email lets encrypt", "label": "Email lets encrypt",
"regex": "^([a-z0-9\\-\\.]+@[a-z\\-0-9\\.]+|.{0})$", "regex": "^([a-z0-9\\-\\._]+@[a-z\\-0-9\\.]+|.{0})$",
"type": "text" "type": "text"
}, },
{ {
@ -939,6 +939,15 @@
"label": "Redirect every requests to another web service", "label": "Redirect every requests to another web service",
"regex": "^(https?://.+|.{0})$", "regex": "^(https?://.+|.{0})$",
"type": "text" "type": "text"
},
{
"context": "multisite",
"default": "no",
"env": "REDIRECT_TO_REQUEST_URI",
"id": "redirect-to-request-uri",
"label": "Append the requested path when redirecting",
"regex": "^(yes|no)$",
"type": "checkbox"
} }
] ]
}, },
@ -1375,7 +1384,7 @@
}, },
{ {
"context": "multisite", "context": "multisite",
"default": ".googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net", "default": ".googlebot.com .google.com .search.msn.com .crawl.yahoo.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net",
"env": "WHITELIST_REVERSE_LIST", "env": "WHITELIST_REVERSE_LIST",
"id": "whitelist-reverse-list", "id": "whitelist-reverse-list",
"label": "Whitelist reverse list", "label": "Whitelist reverse list",

10
tests/linux-run.sh
View File

@ -2,6 +2,7 @@
function cleanup() { function cleanup() {
docker kill "$1" docker kill "$1"
docker volume rm "linux-tmp"
} }
image="$1" image="$1"
@ -11,8 +12,15 @@ if [ "$3" == "no" ] ; then
do_cleanup="no" do_cleanup="no"
fi fi
echo "[*] Create volume"
docker volume create linux-tmp
if [ $? -ne 0 ] ; then
echo "[!] docker volume failed"
exit 1
fi
echo "[*] Run $image" echo "[*] Run $image"
id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" "$image" /sbin/init)" id="$(docker run --rm -d -p 80:80 -p 443:443 --privileged=true --name "$name" -v linux-tmp:/tmp "$image" /sbin/init)"
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
echo "[!] docker run failed" echo "[!] docker run failed"
cleanup "$name" cleanup "$name"