v1.3.1 release

Fix typo related to non-HTTP configuration

.github/workflows/build-bunkerized-nginx-autoconf.yml

@@ -20,6 +20,7 @@ jobs:
       - name: Run Trivy security scanner
         uses: aquasecurity/trivy-action@master
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           image-ref: 'bunkerized-nginx-autoconf'
           format: 'table'
           exit-code: '1'

.github/workflows/build-bunkerized-nginx-ui.yml

@@ -20,6 +20,7 @@ jobs:
       - name: Run Trivy security scanner
         uses: aquasecurity/trivy-action@master
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           image-ref: 'bunkerized-nginx-ui'
           format: 'table'
           exit-code: '1'

.github/workflows/build-bunkerized-nginx.yml

@@ -20,6 +20,7 @@ jobs:
       - name: Run Trivy security scanner
         uses: aquasecurity/trivy-action@master
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           image-ref: 'bunkerized-nginx'
           format: 'table'
           exit-code: '1'

CHANGELOG.md

@@ -1,6 +1,15 @@
 # Changelog
 
-## v1.3.0
+## v1.3.1 - 2021/09/02
+
+- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
+- Fix ignored variables to control jobs
+- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
+- Add CUSTOM_HEADER variable
+- Add REVERSE_PROXY_BUFFERING variable
+- Fix documentation for modsec and modsec-crs special folders
+
+## v1.3.0 - 2021/08/23
 
 - Kubernetes integration in beta
 - Linux integration in beta

README.md

@@ -3,7 +3,7 @@
 </p>
 
 <p align="center">
-        <img src="https://img.shields.io/badge/bunkerized--nginx-1.3.0-blue" />
+        <img src="https://img.shields.io/badge/bunkerized--nginx-1.3.1-blue" />
         <img src="https://img.shields.io/badge/nginx-1.20.1-blue" />
         <img src="https://img.shields.io/github/last-commit/bunkerity/bunkerized-nginx" />
         <img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerized-nginx/Automatic%20test?label=automatic%20test" />

VERSION

@@ -1 +1 @@
-1.3.0
+1.3.1

confs/global/multisite-default-server.conf

@@ -1,5 +1,5 @@
 server {
-	{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif +%};
+	{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server;{% endif +%}
 	server_name _;
 	{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%}
 	include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;

confs/site/custom-headers.conf

@@ -0,0 +1,5 @@
+{% for k, v in all.items() +%}
+	{% if k.startswith("CUSTOM_HEADER") and v != "" +%}
+more_set_header "{{ v }}";
+	{% endif %}
+{% endfor %}

confs/site/reverse-proxy.conf

@@ -5,10 +5,17 @@
 			{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
 			{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
 			{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
+			{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
+			{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
 location {{ url }} {% raw %}{{% endraw +%}
 	etag off;
 	set $backend "{{ host }}";
 	proxy_pass $backend;
+	{% if buffering == "yes" +%}
+	proxy_buffering on;
+	{% else +%}
+	proxy_buffering off;
+	{% endif %}
 	{% if USE_AUTHELIA == "yes" +%}
 	include {{ NGINX_PREFIX }}authelia-auth-request.conf;
 	{% endif %}
@@ -17,6 +24,9 @@ location {{ url }} {% raw %}{{% endraw +%}
 	proxy_http_version 1.1;
 	proxy_set_header Upgrade $http_upgrade;
 	proxy_set_header Connection "Upgrade";
+			{% elif keepalive == "yes" +%}
+	proxy_http_version 1.1;
+	proxy_set_header Connection "";
 			{% endif %}
 			{% if headers != "" %}
 				{% for header in headers.split(";") +%}

confs/site/server.conf

@@ -180,6 +180,9 @@ server {
 	include {{ NGINX_PREFIX }}redirect-to.conf;
 {% endif %}
 
+	# custom headers
+	include {{ NGINX_PREFIX }}custom-headers.conf;
+
 	# reverse proxy
 {% if USE_REVERSE_PROXY == "yes" +%}
 	include {{ NGINX_PREFIX }}reverse-proxy.conf;

docs/conf.py

@@ -50,7 +50,7 @@ copyright = '2021, bunkerity'
 author = 'bunkerity'
 
 # The full version, including alpha/beta/rc tags
-release = 'v1.3.0'
+release = 'v1.3.1'
 
 
 # -- General configuration ---------------------------------------------------

docs/environment_variables.md

@@ -123,6 +123,12 @@ Default value : *no*
 Context : *global*, *multisite*  
 When set to yes and `REDIRECT_TO` is set it will append the requested path to the redirection (e.g., https://example.com/something redirects to https://www.example.com/something).
 
+`CUSTOM_HEADER`  
+Values : *\<HeaderName: HeaderValue\>*  
+Default value :  
+Context : *global*, *multisite*  
+Add custom HTTP header of your choice to clients. You can add multiple headers by appending a number as a suffix of the environment variable : `CUSTOM_HEADER_1`, `CUSTOM_HEADER_2`, `CUSTOM_HEADER_3`, ...
+
 ### Information leak
 
 `SERVER_TOKENS`  
@@ -207,6 +213,20 @@ Context : *global*, *multisite*
 Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server.  
 You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ...
 
+`REVERSE_PROXY_BUFFERING`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* then the [proxy_buffering](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) directive will be set to `on` or `off` otherwise.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_BUFFERING_1`, `REVERSE_PROXY_BUFFERING_2`, `REVERSE_PROXY_BUFFERING_3`, ...
+
+`REVERSE_PROXY_KEEPALIVE`  
+Values : *yes* | *no*  
+Default value : *yes*  
+Context : *global*, *multisite*  
+Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* to enable keepalive connections with the backend (needs a HTTP 1.1 backend) or *no* otherwise.  
+You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_KEEPALIVE_1`, `REVERSE_PROXY_KEEPALIVE_2`, `REVERSE_PROXY_KEEPALIVE_3`, ...
+
 `REVERSE_PROXY_HEADERS`  
 Values : *\<list of custom headers separated with a semicolon like this : header1 value1;header2 value2...\>* 
 Default value :  

docs/integrations.md

@@ -726,12 +726,12 @@ Unlike containers, Linux integration can be tedious because bunkerized-nginx has
 
 First of all you will need to install bunkerized-nginx. The recommended way is to use the official installer script :
 ```shell
-$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh -o /tmp/bunkerized-nginx.sh
+$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.1/linux-install.sh -o /tmp/bunkerized-nginx.sh
 ```
 
 Before executing it, you should also check the signature :
 ```shell
-$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.0/linux-install.sh.asc -o /tmp/bunkerized-nginx.sh.asc
+$ curl -fsSL https://github.com/bunkerity/bunkerized-nginx/releases/download/v1.3.1/linux-install.sh.asc -o /tmp/bunkerized-nginx.sh.asc
 $ gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com
 $ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh
 ```

docs/special_folders.md

@@ -46,7 +46,7 @@ Examples :
 
 ## ModSecurity configurations
 
-This special folder contains .conf files that will be loaded by ModSecurity before the OWASP Core Rule Set is loaded. The typical use case is when you want to specify exclusions for the CRS.
+This special folder contains .conf files that will be loaded by ModSecurity after the OWASP Core Rule Set is loaded. The typical use case is to edit loaded CRS rules to avoid false positives.
 
 Location (container) : `/modsec-confs`  
 Location (Linux) : `/opt/bunkerized-nginx/modsec-confs`  
@@ -59,7 +59,7 @@ Examples :
 
 ## CRS configurations
 
-This special folder contains .conf file that will be loaded by ModSecurity after the OWASP Core Rule Set is loaded. The typical use case is to edit loaded CRS rules to avoid false positives.
+This special folder contains .conf file that will be loaded by ModSecurity before the OWASP Core Rule Set is loaded. The typical use case is when you want to specify exclusions for the CRS.
 
 Location (container) : `/modsec-crs-confs`  
 Location (Linux) : `/opt/bunkerized-nginx/modsec-crs-confs`  

helpers/install.sh

@@ -459,7 +459,10 @@ CHANGE_DIR="/tmp/bunkerized-nginx/libmaxminddb-1.6.0" do_and_check_cmd make inst
 
 # Download, compile and install ModSecurity
 echo "[*] Clone SpiderLabs/ModSecurity"
-git_secure_clone https://github.com/SpiderLabs/ModSecurity.git bf881a4eda343d37629e39ede5e28b70dc4067c0
+# TODO : looks like memory leak is happening with ModSecurity 3.0.5
+# so we keep 3.0.4 until a fixed version is available
+#git_secure_clone https://github.com/SpiderLabs/ModSecurity.git bf881a4eda343d37629e39ede5e28b70dc4067c0
+git_secure_clone https://github.com/SpiderLabs/ModSecurity.git 753145fbd1d6751a6b14fdd700921eb3cc3a1d35
 echo "[*] Compile and install ModSecurity"
 # temp fix : Debian run it twice
 cd /tmp/bunkerized-nginx/ModSecurity && ./build.sh > /dev/null 2>&1
@@ -671,7 +674,7 @@ fi
 # Clone the repo
 if [ "$OS" != "alpine" ] && [ ! -d "/tmp/bunkerized-nginx-test" ] ; then
 	echo "[*] Clone bunkerity/bunkerized-nginx"
-	CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 8808f161c5f92911ae485623d96f6ef24fe42ffe
+	CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 3d2f5e2389e5f75131ae22f822a673b92cb12cca
 	# TODO : dev only
 	#CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
 	#CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev

jobs/Job.py

@@ -15,10 +15,13 @@ class ReloadRet(enum.Enum) :
 class JobManagement() :
 
 	def __init__(self) :
+		self.__docker_nginx = False
 		self.__local_nginx = False
-		if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") :
-			self.__local_nginx = True
 		self.__autoconf_socket = None
+		if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") and not os.path.isfile("/opt/bunkerized-nginx/ui/linux.sh") :
+			self.__docker_nginx = True
+		if os.path.isfile("/usr/sbin/nginx") and os.path.isfile("/tmp/nginx.pid") and os.path.isfile("/opt/bunkerized-nginx/ui/linux.sh") :
+			self.__local_nginx = True
 		if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock").st_mode) :
 			self.__autoconf_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
 			self.__autoconf_socket.connect("/tmp/autoconf.sock")
@@ -43,10 +46,22 @@ class JobManagement() :
 		return True
 
 	def reload(self) :
-		if self.__autoconf_socket != None :
+		if self.__docker_nginx :
+			proc = subprocess.run(["/usr/sbin/nginx", "-s", "reload"], capture_output=True)
+			if proc.returncode != 0 :
+				log("reload", "ERROR", "can't reload nginx (status code = " + str(proc.returncode) + ")")
+				if len(proc.stdout.decode("ascii")) > 1 :
+					log("reload", "ERROR", proc.stdout.decode("ascii"))
+				if len(proc.stderr.decode("ascii")) > 1 :
+					log("reload", "ERROR", proc.stderr.decode("ascii"))
+				return ReloadRet.KO
+			return ReloadRet.OK
+
+		elif self.__autoconf_socket != None :
 			if self.__autoconf_order(b"reload") :
 				return ReloadRet.OK
 			return ReloadRet.KO
+
 		elif self.__local_nginx :
 			proc = subprocess.run(["sudo", "/opt/bunkerized-nginx/ui/linux.sh", "reload"], capture_output=True)
 			if proc.returncode != 0 :
@@ -57,6 +72,7 @@ class JobManagement() :
 					log("reload", "ERROR", proc.stderr.decode("ascii"))
 				return ReloadRet.KO
 			return ReloadRet.OK
+
 		return ReloadRet.NO
 
 class Job(abc.ABC) :

misc/cron

@@ -1,7 +1,7 @@
-15 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1
+15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1

misc/cron-autoconf

@@ -1,7 +1,7 @@
-15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1
+15 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1

misc/cron-linux

@@ -1,7 +1,7 @@
-15 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
-30 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
-45 0 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
-0 1 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
-0 2 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
-0 */1 * * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
-0 3 2 * * nginx /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1
+15 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew >> /var/log/nginx/jobs.log 2>&1
+30 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name user-agents >> /var/log/nginx/jobs.log 2>&1
+45 0 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_REFERRER yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name referrers >> /var/log/nginx/jobs.log 2>&1
+0 1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_ABUSERS yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name abusers >> /var/log/nginx/jobs.log 2>&1
+0 2 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_PROXIES yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name proxies >> /var/log/nginx/jobs.log 2>&1
+0 */1 * * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] && /opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes >> /var/log/nginx/jobs.log 2>&1
+0 3 2 * * nginx . /opt/bunkerized-nginx/entrypoint/utils.sh && [ [ "$(has_value BLACKLIST_COUNTRY ".\+")" != "" ] || [ "$(has_value WHITELIST_COUNTRY ".\+")" != "" ] ] && /opt/bunkerized-nginx/jobs/main.py --reload --name geoip >> /var/log/nginx/jobs.log 2>&1

settings.json

@@ -775,6 +775,23 @@
                 "label": "Content security policy",
                 "regex": "^([\\S ]*)$",
                 "type": "text"
+            },
+            {
+                "id": "custom-headers",
+                "label": "Custom headers",
+                "params" : [
+                    {
+                        "context": "multisite",
+                        "default": "",
+                        "env": "CUSTOM_HEADER",
+                        "id": "custom-headers",
+                        "label": "Custom header",
+                        "multiple": "Custom headers",
+                        "regex": "^([\\S ]*)$",
+                        "type": "text"
+                    }
+                ],
+                "type": "multiple"
             }
         ]
     },
@@ -1070,6 +1087,26 @@
                         "regex": "^(yes|no)$",
                         "type": "checkbox"
                     },
+                    {
+                        "context": "multisite",
+                        "default": "yes",
+                        "env": "REVERSE_PROXY_BUFFERING",
+                        "id": "reverse-proxy-buffering",
+                        "label": "Reverse proxy buffering",
+                        "multiple": "Reverse proxy",
+                        "regex": "^(yes|no)$",
+                        "type": "checkbox"
+                    },
+                    {
+                        "context": "multisite",
+                        "default": "yes",
+                        "env": "REVERSE_PROXY_KEEPALIVE",
+                        "id": "reverse-proxy-keepalive",
+                        "label": "Reverse proxy keepalive",
+                        "multiple": "Reverse proxy",
+                        "regex": "^(yes|no)$",
+                        "type": "checkbox"
+                    },
                     {
                         "context": "multisite",
                         "default": "",