Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: Makussu:v1.4.0
Branches Tags
Makussu:master
Makussu:dev
Makussu:gh-pages
Makussu:v1.4.1
Makussu:v1.4.0
Makussu:v1.3.2
Makussu:v1.3.1
Makussu:v1.3.0
Makussu:v1.2.8
Makussu:v1.2.7
Makussu:v1.2.6
Makussu:v1.2.5
Makussu:v1.2.4
Makussu:v1.2.3
Makussu:v1.2.2
Makussu:v1.2.1
Makussu:v1.2.0
Makussu:v1.1.2
Makussu:v1.1.1
Makussu:v1.1.0
Makussu:v1.0.0
...
compare: Makussu:master
Branches Tags
Makussu:dev
Makussu:gh-pages
Makussu:master
Makussu:v1.4.1
Makussu:v1.4.0
Makussu:v1.3.2
Makussu:v1.3.1
Makussu:v1.3.0
Makussu:v1.2.8
Makussu:v1.2.7
Makussu:v1.2.6
Makussu:v1.2.5
Makussu:v1.2.4
Makussu:v1.2.3
Makussu:v1.2.2
Makussu:v1.2.1
Makussu:v1.2.0
Makussu:v1.1.2
Makussu:v1.1.1
Makussu:v1.1.0
Makussu:v1.0.0

15 Commits
v1.4.0 ... master

Author SHA1 Message Date
florian
fd0c7b1e53 ci/cd - add automatic build for Linux images 2022-06-16 17:40:15 +02:00
florian
1e6d62ce79
fix packagecloud yank name 2022-06-16 12:52:44 +02:00
florian
1a4e21481e
docs - edit supported architectures for prebuilt Docker images 2022-06-16 11:38:05 +02:00
florian
bcaca6f034
v1.4.1 release 2022-06-16 11:26:58 +02:00
florian
424214fd56
add changelog and add missing s in authentik url 2022-06-15 14:06:39 +02:00
Florian Pitance
82b42d5b9c
Merge pull request #259 from Brawdunoir/master 
Remove USE_ before authbasic plugin settings
 2022-06-15 11:06:45 +02:00
florian
db4e2cf266
update linux docs, minor fix in ingress example and update default value for bunkernet job 2022-06-14 13:49:22 +02:00
florian
0ef82619b8
temp disable automatic tests for authentik and test automatic arm build on dedicated hardware 2022-06-14 11:05:26 +02:00
florian
f2655e331d
remove arm build again, fix proxy_*_timeout directives and add authelia example 2022-06-14 09:42:32 +02:00
Yann Lacroix
d51ae1c1b9 Remove USE_ before authbasic plugin settings 2022-06-13 22:50:10 +02:00
florian
cd0438b8ce support REVERSE_PROXY_*_TIMEOUT settings, remove useless push in CI/CD and try to build arm on GH runners 2022-06-13 21:40:38 +02:00
florian
f9a042526e add docs about compiling BW from source on Linux, add docs about packages pinning on Linux and fix regex for REVERSE_PROXY_AUTH_REQUEST and REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL 2022-06-13 21:04:25 +02:00
florian
15ac64b05f let's encrypt - fix bug when AUTOCONF_MODE=yes 2022-06-13 19:55:15 +02:00
florian
e0f8895e9a
init support for auth_request and add authentik example 2022-06-13 13:06:03 +02:00
florian
e852298352 don't send local IP to BunkerNet on default server, fix certbot new when MULTISITE=no and fix unknown reason in get_reason 2022-06-11 18:36:52 +02:00
66 changed files with 1190 additions and 362 deletions
Show Stats Expand all files Collapse all files

176
.github/workflows/dev.yml vendored
View File

@ -73,12 +73,6 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build images
- name: Build BW for 386
@ -86,8 +80,7 @@ jobs:
with:
context: .
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-386:latest
tags: bunkerweb-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-386-cache,mode=min
- name: Build BW autoconf for 386
@ -96,8 +89,7 @@ jobs:
context: .
file: autoconf/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache,mode=min
- name: Build BW UI for 386
@ -106,92 +98,65 @@ jobs:
context: .
file: ui/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ui-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/arm
# build-bw-arm:
# runs-on: [self-hosted, ARM64]
# steps:
build-bw-arm:
runs-on: ubuntu-latest
steps:
# Prepare
# - name: Checkout source code
# uses: actions/checkout@v3
# - name: Setup Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_TOKEN }}
# - name: Login to private repository
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.PRIVATE_REGISTRY }}
# username: registry
# password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build images
# - name: Build BW for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv7-cache,mode=min
# - name: Build BW for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
# - name: Build BW autoconf for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache,mode=min
# - name: Build BW autoconf for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
# - name: Build BW UI for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache,mode=min
# - name: Build BW UI for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
- name: Build BW for ARM
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-arm-cache,mode=min
- name: Build BW autoconf for ARM
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-autoconf-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache,mode=min
- name: Build BW UI for ARM
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-ui-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ui-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Run tests
tests:
@ -216,7 +181,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV
@ -273,17 +238,15 @@ jobs:
# Push to dev registries
push-docker:
# needs: [tests, build-bw-386, build-bw-arm]
needs: [tests, build-bw-386]
needs: [tests, build-bw-386, build-bw-arm]
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
@ -296,40 +259,55 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build and push
- name: Build and push BW
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-arm-cache
- name: Build and push BW autoconf
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
- name: Build and push BW UI
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-arm-cache
# Push to PackageCloud
push-linux:
@ -346,7 +324,7 @@ jobs:
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Remove Ubuntu DEB from packagecloud
run: package_cloud yank bunkerity/bunkerweb-dev/ubuntu/jammy bunkerweb_${{ env.VERSION }}_amd64.deb
run: package_cloud yank bunkerity/bunkerweb-dev/ubuntu/jammy bunkerweb_${{ env.VERSION }}-1_amd64.deb
continue-on-error: true
env:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
@ -361,7 +339,7 @@ jobs:
PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
- name: Remove Debian DEB from packagecloud
run: package_cloud yank bunkerity/bunkerweb-dev/debian/bullseye bunkerweb_${{ env.VERSION }}_amd64.deb
run: package_cloud yank bunkerity/bunkerweb-dev/debian/bullseye bunkerweb_${{ env.VERSION }}-1_amd64.deb
continue-on-error: true
env:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

308
.github/workflows/prod.yml vendored
View File

@ -70,12 +70,6 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build images
- name: Build BW for 386
@ -83,8 +77,7 @@ jobs:
with:
context: .
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-386:latest
tags: bunkerweb-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-386-cache,mode=min
- name: Build BW autoconf for 386
uses: docker/build-push-action@v3
@ -92,8 +85,7 @@ jobs:
context: .
file: autoconf/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache,mode=min
- name: Build BW UI for 386
uses: docker/build-push-action@v3
@ -101,91 +93,189 @@ jobs:
context: .
file: ui/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/arm
# build-bw-arm:
# runs-on: [self-hosted, ARM64]
# steps:
build-bw-arm:
runs-on: ubuntu-latest
steps:
# Prepare
# - name: Checkout source code
# uses: actions/checkout@v3
# - name: Setup Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_TOKEN }}
# - name: Login to private repository
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.PRIVATE_REGISTRY }}
# username: registry
# password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build images
# - name: Build BW for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv7-cache,mode=min
# - name: Build BW for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
# - name: Build BW autoconf for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache,mode=min
# - name: Build BW autoconf for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
# - name: Build BW UI for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache,mode=min
# - name: Build BW UI for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
- name: Build BW for ARM
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-arm-cache,mode=min
- name: Build BW autoconf for ARM
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-autoconf-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache,mode=min
- name: Build BW UI for ARM
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-ui-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Build linux ubuntu
build-bw-ubuntu:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW ubuntu
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-ubuntu
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
# Build linux debian
build-bw-debian:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW debian
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-debian
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
# Build linux centos
build-bw-centos:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW centos
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-centos
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
# Build linux fedora
build-bw-fedora:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW fedora
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-fedora
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
# Run tests
tests:
needs: build-bw-amd64
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
runs-on: [self-hosted, X64]
steps:
@ -206,7 +296,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV
@ -219,6 +309,14 @@ jobs:
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest 10.20.1.1:5000/bw-autoconf-tests:latest && docker push 10.20.1.1:5000/bw-autoconf-tests:latest
- name: Import BW UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest 10.20.1.1:5000/bw-ui-tests:latest && docker push 10.20.1.1:5000/bw-ui-tests:latest
- name: Import Ubuntu image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest bw-ubuntu-tests:latest
- name: Import Debian image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest bw-debian-tests:latest
- name: Import Centos image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest bw-centos-tests:latest
- name: Import Fedora image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest bw-fedora-tests:latest
# CVE check on OS
- name: Check security vulnerabilities for BW
@ -263,16 +361,19 @@ jobs:
# Push to dev registries
push-docker:
needs: [tests, build-bw-386]
needs: [tests, build-bw-386, build-bw-arm]
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
@ -285,44 +386,55 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Set variables
- name: Setup SSH for ARM node
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build and push
- name: Build and push BW
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:latest,bunkerity/bunkerweb:latest,bunkerity/bunkerweb:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-arm-cache
- name: Build and push BW autoconf
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
- name: Build and push BW UI
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-arm-cache
# Push to PackageCloud
push-linux:
@ -339,7 +451,7 @@ jobs:
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Remove Ubuntu DEB from packagecloud
run: package_cloud yank bunkerity/bunkerweb/ubuntu/jammy bunkerweb_${{ env.VERSION }}_amd64.deb
run: package_cloud yank bunkerity/bunkerweb/ubuntu/jammy bunkerweb_${{ env.VERSION }}-1_amd64.deb
continue-on-error: true
env:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
@ -354,7 +466,7 @@ jobs:
PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
- name: Remove Debian DEB from packagecloud
run: package_cloud yank bunkerity/bunkerweb/debian/bullseye bunkerweb_${{ env.VERSION }}_amd64.deb
run: package_cloud yank bunkerity/bunkerweb/debian/bullseye bunkerweb_${{ env.VERSION }}-1_amd64.deb
continue-on-error: true
env:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

114
CHANGELOG.md Normal file
View File

@ -0,0 +1,114 @@
# Changelog
## v1.4.1 - 2022/16/06
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
- Fix certbot bug when AUTOCONF_MODE=yes
- Fix certbot bug when MULTISITE=no
- Add reverse proxy timeouts settings
- Add auth_request settings
- Add authentik and authelia examples
- Prebuilt Docker images for arm64 and armv7
- Improve documentation for Linux integration
- Various fixes in the documentation
## v1.4.0 - 2022/06/06
- Project renamed to BunkerWeb
- Internal architecture fully revised with a modular approach
- Improved CI/CD with automatic tests for multiple integrations
- Plugin improvement
- Volume improvement for container-based integrations
- Web UI improvement with various new features
- Web tool to generate settings from a user-friendly UI
- Linux packages
- Various bug fixes
## v1.3.2 - 2021/10/24
- Use API instead of a shared folder for Swarm and Kubernetes integrations
- Beta integration of distributed bad IPs database through a remote API
- Improvement of the request limiting feature : hour/day rate and multiple URL support
- Various bug fixes related to antibot feature
- Init support of Arch Linux
- Fix Moodle example
- Fix ROOT_FOLDER bug in serve-files.conf when using the UI
- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
- Disable COUNTRY ban if IP is local
## v1.3.1 - 2021/09/02
- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
- Fix ignored variables to control jobs
- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
- Add CUSTOM_HEADER variable
- Add REVERSE_PROXY_BUFFERING variable
- Add REVERSE_PROXY_KEEPALIVE variable
- Fix documentation for modsec and modsec-crs special folders
## v1.3.0 - 2021/08/23
- Kubernetes integration in beta
- Linux integration in beta
- autoconf refactoring
- jobs refactoring
- UI refactoring
- UI security : login/password authentication and CRSF protection
- various dependencies updates
- move CrowdSec as an external plugin
- Authelia support
- improve various regexes
- add INJECT_BODY variable
- add WORKER_PROCESSES variable
- add USE_LETS_ENCRYPT_STAGING variable
- add LOCAL_PHP and LOCAL_PHP_PATH variables
- add REDIRECT_TO variable
## v1.2.8 - 2021/07/22
- Fix broken links in README
- Fix regex for EMAIL_LETS_ENCRYPT
- Fix regex for REMOTE_PHP and REMOTE_PHP_PATH
- Fix regex for SELF_SIGNED_*
- Fix various bugs related to web UI
- Fix bug in autoconf (missing instances parameter to reload function)
- Remove old .env files when generating a new configuration
## v1.2.7 - 2021/06/14
- Add custom robots.txt and sitemap to RTD
- Fix missing GeoIP DB bug when using BLACKLIST/WHITELIST_COUNTRY
- Add underscore "_" to allowed chars for CUSTOM_HTTPS_CERT/KEY
- Fix bug when using automatic self-signed certificate
- Build and push images from GitHub actions instead of Docker Hub autobuild
- Display the reason when generator is ignoring a variable
- Various bug fixes related to certbot and jobs
- Split jobs into pre and post jobs
- Add HEALTHCHECK to image
- Fix race condition when using autoconf without Swarm by checking healthy state
- Bump modsecurity-nginx to v1.0.2
- Community chat with bridged platforms
## v1.2.6 - 2021/06/06
- Move from "ghetto-style" shell scripts to generic jinja2 templating
- Init work on a basic plugins system
- Move ClamAV to external plugin
- Reduce image size by removing unnecessary dependencies
- Fix CrowdSec example
- Change some global variables to multisite
- Add LOG_LEVEL environment variable
- Read-only container support
- Improved antibot javascript with a basic proof of work
- Update nginx to 1.20.1
- Support of docker-socket-proxy with web UI
- Add certbot-cloudflare example
- Disable DNSBL checks when IP is local
## v1.2.5 - 2021/05/14
- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
- Init work on official documentation on readthedocs
- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
- Add ROOT_SITE_SUBFOLDER environment variable
## TODO - retrospective changelog

2
README.md
View File

@ -3,7 +3,7 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/bunkerweb-1.4.0-blue" />
<img src="https://img.shields.io/badge/bunkerweb-1.4.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28DEV%29?label=CI%2FCD%20dev" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28PROD%29?label=CI%2FCD%20prod" />

2
VERSION
View File

@ -1 +1 @@
1.4.0
1.4.1

5
autoconf/DockerController.py
View File

@ -26,11 +26,6 @@ class DockerController(Controller) :
continue
value = env.replace(variable + "=", "", 1)
instance["env"][variable] = value
server_name = []
for controller_service in self._get_controller_services() :
if "bunkerweb.SERVER_NAME" in controller_service.labels :
server_name.append(controller_service.labels["bunkerweb.SERVER_NAME"].split(" ")[0])
instance["env"]["SERVER_NAME"] = " ".join(server_name)
return [instance]
def _get_controller_services(self) :

8
core/bunkernet/confs/default-server-http/bunkernet.conf
View File

@ -21,6 +21,14 @@ log_by_lua_block {
if ngx.status ~= ngx.HTTP_CLOSE then
return
end
-- Check if IP is global
local is_global, err = utils.ip_is_global(ngx.var.remote_addr)
if is_global == nil then
return
end
if not is_global then
return
end
-- Only report if it hasn't been reported for the same reason recently
local reported = datastore:get("plugin_bunkernet_cache_" .. ngx.var.remote_addr .. "default")
if reported then

4
core/bunkernet/jobs/bunkernet-register.py
View File

@ -18,11 +18,11 @@ try :
# Multisite case
if os.getenv("MULTISITE") == "yes" :
for first_server in os.getenv("SERVER_NAME").split(" ") :
if os.getenv(first_server + "_USE_BUNKERNET", os.getenv("USE_BUNKERNET")) == "yes" :
if os.getenv(first_server + "_USE_BUNKERNET", os.getenv("USE_BUNKERNET", "yes")) == "yes" :
bunkernet_activated = True
break
# Singlesite case
elif os.getenv("USE_BUNKERNET") == "yes" :
elif os.getenv("USE_BUNKERNET", "yes") == "yes" :
bunkernet_activated = True
if not bunkernet_activated :
logger.log("BUNKERNET", "", "BunkerNet is not activated, skipping registration...")

3
core/letsencrypt/jobs/certbot-auth.py
View File

@ -15,11 +15,12 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
validation = os.getenv("CERTBOT_VALIDATION")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
for variable, value in os.environ.items() :
if not variable.startswith("CLUSTER_INSTANCE_") :
continue

3
core/letsencrypt/jobs/certbot-cleanup.py
View File

@ -15,10 +15,11 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
for variable, value in os.environ.items() :
if not variable.startswith("CLUSTER_INSTANCE_") :
continue

3
core/letsencrypt/jobs/certbot-deploy.py
View File

@ -17,10 +17,11 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
# Create tarball of /data/letsencrypt
tgz = BytesIO()

2
core/letsencrypt/jobs/certbot-new.py
View File

@ -45,7 +45,7 @@ try :
elif os.getenv("AUTO_LETS_ENCRYPT") == "yes" and os.getenv("SERVER_NAME") != "" :
first_server = os.getenv("SERVER_NAME").split(" ")[0]
domains = os.getenv("SERVER_NAME").replace(" ", ",")
if not os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
if os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
logger.log("LETS-ENCRYPT", "", "Certificates already exists for domain(s) " + domains)
else :
real_email = os.getenv("EMAIL_LETS_ENCRYPT", "contact@" + first_server)

38
core/reverseproxy/confs/server-http/reverse-proxy.conf
View File

@ -22,18 +22,26 @@ add_header X-Proxy-Cache $upstream_cache_status;
{% endif %}
{% set counter = namespace(value=1) %}
{% for k, v in all.items() %}
{% if k.startswith("REVERSE_PROXY_URL") and v != "" +%}
{% set url = v %}
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
{% set headers_client = all[k.replace("URL", "HEADERS_CLIENT")] if k.replace("URL", "HEADERS_CLIENT") in all else "" %}
{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "60s" %}
{% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "60s" %}
{% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "60s" %}
location {{ url }} {% raw %}{{% endraw +%}
etag off;
set $backend "{{ host }}";
proxy_pass $backend;
set $backend{{ counter.value }} "{{ host }}";
proxy_pass $backend{{ counter.value }};
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
@ -53,12 +61,32 @@ location {{ url }} {% raw %}{{% endraw +%}
proxy_http_version 1.1;
proxy_set_header Connection "";
{% endif %}
{% if headers != "" %}
{% if auth_request != "" +%}
auth_request {{ auth_request }};
{% endif +%}
{% if auth_request_signin_url != "" +%}
error_page 401 =302 {{ auth_request_signin_url }};
{% endif +%}
{% if auth_request_sets != "" +%}
{% for auth_request_set in auth_request_sets.split(";") +%}
auth_request_set {{ auth_request_set }};
{% endfor +%}
{% endif +%}
{% if headers != "" +%}
{% for header in headers.split(";") +%}
proxy_set_header {{ header }};
{% endfor %}
{% endif %}
{% endfor +%}
{% endif +%}
{% if headers_client != "" +%}
{% for header_client in headers_client.split(";") +%}
add_header {{ header_client }};
{% endfor +%}
{% endif +%}
proxy_connect_timeout {{ connect_timeout }};
proxy_read_timeout {{ read_timeout }};
proxy_send_timeout {{ send_timeout }};
{% raw %}}{% endraw %}
{% endif %}
{% set counter.value = counter.value + 1 %}
{% endfor %}
{% endif %}

72
core/reverseproxy/plugin.json
View File

@ -56,13 +56,23 @@
"REVERSE_PROXY_HEADERS": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to proxied resource.",
"help": "List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive).",
"id": "reverse-proxy-headers",
"label": "Reverse proxy headers",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_HEADERS_CLIENT": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to client separated with ; (values for add_header directive).",
"id": "reverse-proxy-headers-client",
"label": "Reverse proxy headers-client",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_BUFFERING": {
"context": "multisite",
"default": "yes",
@ -83,6 +93,36 @@
"type": "check",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST": {
"context": "multisite",
"default": "",
"help": "Enable authentication using an external provider (value of auth_request directive).",
"id": "reverse-proxy-auth-request",
"label": "Reverse proxy auth request",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL": {
"context": "multisite",
"default": "",
"help": "Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).",
"id": "reverse-proxy-auth-request-signin-url",
"label": "Auth request signin URL",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SET": {
"context": "multisite",
"default": "",
"help": "List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).",
"id": "reverse-proxy-auth-request-set",
"label": "Reverse proxy auth request set",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"USE_PROXY_CACHE": {
"context": "multisite",
"default": "no",
@ -172,6 +212,36 @@
"label": "Reverse proxy bypass",
"regex": "^.*$",
"type": "text"
},
"REVERSE_PROXY_CONNECT_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when connecting to the proxied resource.",
"id": "reverse-proxy-connect-timeout",
"label": "Reverse proxy connect timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_READ_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when reading from the proxied resource.",
"id": "reverse-proxy-read-timeout",
"label": "Reverse proxy read timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_SEND_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when sending to the proxied resource.",
"id": "reverse-proxy-send-timeout",
"label": "Reverse proxy send timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
}
}
}

158
docs/integrations.md
View File

@ -9,10 +9,10 @@
Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and easy way to test and use it as long as you are familiar with the Docker technology.
We provide ready to use prebuilt images for x64 and x86 architectures (armv7 and armv8 are not supported at the moment) on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
We provide ready to use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.4.0
docker pull bunkerity/bunkerweb:1.4.1
```
Alternatively, you can build the Docker images directly from the [source](https://github.com/bunkerity/bunkerweb) (and take a coffee ☕ because it may be long depending on your hardware) :
@ -39,7 +39,7 @@ docker run \
-e MY_SETTING=value \
-e "MY_OTHER_SETTING=value with spaces" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -48,7 +48,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
environment:
- MY_SETTING=value
```
@ -73,7 +73,7 @@ docker run \
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -82,7 +82,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- bw-data:/data
...
@ -109,7 +109,7 @@ docker run \
...
-v ./bw-data:/data \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -119,7 +119,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
```
@ -141,7 +141,7 @@ docker run \
...
--network mynetwork \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
@ -152,7 +152,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-net
...
@ -183,9 +183,6 @@ First of all, you will need to create the data volume :
docker volume create bw-data
```
- One for sharing the persistent data, mounted on **/data**
- Another one for sharing the generated Nginx configurations, mounted on **/etc/nginx**
Then, you can create two networks (replace 10.20.30.0/24 with an unused subnet of your choice) :
```shell
@ -210,7 +207,7 @@ docker run \
-e SERVER_NAME= \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-services mybunker
```
@ -224,7 +221,7 @@ docker run \
--network bw-autoconf \
-v bw-data:/data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
@ -235,13 +232,12 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
volumes:
- bw-data:/data
environment:
- AUTOCONF_MODE=yes
- MULTISITE=yes
- SERVER_NAME=
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -252,7 +248,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -354,7 +350,7 @@ docker service create \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
And the autoconf one :
@ -368,7 +364,7 @@ docker service \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=volume,source=bw-data,destination=/data \
-e SWARM_MODE=yes \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
@ -379,7 +375,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@ -406,7 +402,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes:
@ -674,7 +670,7 @@ List of supported Linux distros :
- Fedora 36
- CentOS Stream 8
Please note that you will need to **install NGINX 1.20.2 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official supported way of installing BunkerWeb on Linux.
Please note that you will need to **install NGINX 1.20.2 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official prebuild packages of BunkerWeb but you can build it from source.
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
@ -682,7 +678,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
The first step is to add NGINX official repository :
```shell
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
@ -693,21 +689,26 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
You should now be able to install NGINX 1.20.2 :
```shell
sudo apt update && \
sudo apt install nginx=1.20.2-1~bullseye
sudo apt install -y nginx=1.20.2-1~bullseye
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
apt update && \
apt install -y bunkerweb=1.4.0
sudo apt update && \
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Ubuntu"
The first step is to add NGINX official repository :
```shell
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
@ -718,27 +719,38 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
You should now be able to install NGINX 1.20.2 :
```shell
sudo apt update && \
sudo apt install nginx=1.20.2-1~jammy
sudo apt install -y nginx=1.20.2-1~jammy
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
apt update && \
apt install -y bunkerweb=1.4.0
sudo apt update && \
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Fedora"
Fedora already provides NGINX 1.20.2 that we support :
```shell
sudo dnf install nginx-1.20.2
sudo dnf install -y nginx-1.20.2
```
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
dnf check-update && \
dnf install -y bunkerweb-1.4.0
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "CentOS Stream"
@ -759,12 +771,78 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
dnf check-update && \
dnf install -y bunkerweb-1.4.0
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "From source"
The first step is to install NGINX 1.20.2 using the repository of your choice or by [compiling it from source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#compiling-and-installing-from-source).
The target installation folder of BunkerWeb is located at `/opt/bunkerweb`, let's create it :
```shell
mkdir /opt/bunkerweb
```
You can now clone the BunkerWeb project to the `/tmp` folder :
```shell
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
```
BunkerWeb needs some dependencies to be compiled and install to `/opt/bunkerweb/deps`, the easiest way to it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/master/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
```
mkdir /opt/bunkerweb/deps && \
/tmp/bunkerweb/deps/install.sh
```
Additional Python dependencies needs to be installed into the `/opt/bunkerweb/deps/python` folder :
```shell
mkdir /opt/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt
```
Once dependencies had been installed, you can now copy the BunkerWeb sources to the target `/opt/bunkerweb` folder :
```shell
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/bunkerweb-ui.env linux/scripts ; do
cp -r /tmp/bunkerweb/${src} /opt/bunkerweb
done
cp /opt/bunkerweb/helpers/bwcli /usr/local/bin
```
Additional folders also need to be created :
```shell
mkdir /opt/bunkerweb/{configs,cache,plugins,tmp}
```
Permissions needs to be fixed :
```shell
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
find /opt/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
chmod 770 /opt/bunkerweb/cache /opt/bunkerweb/tmp && \
chmod 750 /opt/bunkerweb/gen/main.py /opt/bunkerweb/job/main.py /opt/bunkerweb/cli/main.py /opt/bunkerweb/helpers/*.sh /opt/bunkerweb/scripts/*.sh /usr/local/bin/bwcli /opt/bunkerweb/ui/main.py && \
chown -R root:nginx /opt/bunkerweb
```
Last but not least, you will need to setup systemd unit files :
```shell
cp /tmp/bunkerweb/linux/*.service /etc/systemd/system && \
systemctl daemon-reload && \
systemctl stop nginx && \
systemctl disable nginx && \
systemctl enable bunkerweb && \
systemctl enable bunkerweb-ui
```
Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file :

9
docs/migrating.md
View File

@ -2,7 +2,7 @@
!!! warning "Read this if you were a bunkerized user"
A lot of things have changed since the last bunkerized release. If you want to an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
A lot of things have changed since the last bunkerized release. If you want to do an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
## Volumes
@ -12,11 +12,14 @@ When using container-based integrations like [Docker](/1.4/integrations/#docker)
We decided to drop the following features :
- Authelia : we will make an official [plugin](/1.4/plugins) for that
- Blocking "bad" referrers : we may add it again in the future
- ROOT_SITE_SUBFOLDER : we will need to redesign this in the future
## Replaced BLOCK_*, WHITELIST_* and BLACKLIST_* settings
## Changed Authelia support
Instead of supporting only Authelia, we decided to support generic auth request settings. See the new [authelia example](https://github.com/bunkerity/bunkerweb/tree/master/examples/authelia) and [auth request documentation](https://docs.bunkerweb.io/1.4/security-tuning/#auth-request) for more information.
## Replaced BLOCK_\*, WHITELIST_\* and BLACKLIST_\* settings
The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the [Blacklisting and whitelisting](/1.4/security-tuning/#blacklisting-and-whitelisting) section of the [security tuning](/1.4/security-tuning).

4
docs/plugins.md
View File

@ -43,13 +43,13 @@ The first step is to install the plugin by putting the plugin files inside the c
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...

44
docs/quickstart-guide.md
View File

@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e USE_REVERSE_PROXY=yes \
-e REVERSE_PROXY_URL=/ \
-e REVERSE_PROXY_HOST=http://myapp \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -64,7 +64,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -331,7 +331,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
-e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
-e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@ -341,7 +341,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -875,13 +875,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -900,13 +900,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -925,13 +925,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -956,7 +956,7 @@ REAL_IP_HEADER=X-Forwarded-For
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@ -1008,13 +1008,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1035,13 +1035,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1062,13 +1062,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@ -1094,7 +1094,7 @@ REAL_IP_HEADER=proxy_protocol
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@ -1169,13 +1169,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...
@ -1212,13 +1212,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...

18
docs/security-tuning.md
View File

@ -297,12 +297,24 @@ Using both country blacklist and whitelist at the same time makes no sense. If y
## Authentication
### Auth basic
You can quickly protect sensitive resources like the admin area for example by requiring HTTP basic authentication. Here is the list of related settings :
| Setting | Default | Description |
| :-----------------------: | :---------------: | :------------------------------------------------------------------------------------------- |
| `USE_AUTH_BASIC` | `no` | When set to `yes` HTTP auth basic will be enabled. |
| `AUTH_BASIC_LOCATION` | `sitewide` | Location (URL) of the sensitive resource. Use special value `sitewide` to enable everywhere. |
| `USE_AUTH_BASIC_USER` | `changeme` | The username required. |
| `USE_AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
| `USE_AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
| `AUTH_BASIC_USER` | `changeme` | The username required. |
| `AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
| `AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
### Auth request
You can deploy complex authentification (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/master/examples).
**Auth request settings are related to reverse proxy rules.**
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|

15
docs/settings.md
View File

@ -250,15 +250,19 @@ When settings are considered as "multiple", it means that you can have multiple
### Reverse proxy
| Setting | Default | Context |Multiple| Description |
|--------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------|
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS`|`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with ; (values for add_header directive). |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
@ -266,9 +270,12 @@ When settings are considered as "multiple", it means that you can have multiple
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time).|
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time). |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
### Self-signed certificate

7
docs/troubleshooting.md
View File

@ -75,7 +75,12 @@ Here is how you can access the logs depending on your integration :
=== "Linux"
The logs are located inside the `/var/log/nginx` directory. There is two files :
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log

8
docs/web-ui.md
View File

@ -78,7 +78,7 @@ Because the web UI is a web application, the recommended installation procedure
-e "bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-ui mybunker
```
@ -117,7 +117,7 @@ Because the web UI is a web application, the recommended installation procedure
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
bunkerity/bunkerweb-ui:1.4.0 && \
bunkerity/bunkerweb-ui:1.4.1 && \
docker network connect bw-docker myui
```
@ -133,7 +133,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-services
- bw-ui
@ -156,7 +156,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.UI"
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- mydocker
networks:

79
examples/authelia/authelia/configuration.yml Normal file
View File

@ -0,0 +1,79 @@
---
###############################################################
# Authelia configuration #
###############################################################
jwt_secret: a_very_important_secret
default_redirection_url: https://auth.example.com
ntp:
disable_failure: true
server:
host: 0.0.0.0
port: 9091
log:
level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: auth.example.com
policy: bypass
- domain: app1.example.com
policy: one_factor
- domain: app2.example.com
policy: two_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.com # Should match whatever your root protected domain is
redis:
host: redis
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
#notifier:
# smtp:
# username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# password: password
# host: mail.example.com
# port: 25
# sender: admin@example.com
...

18
examples/authelia/authelia/users_database.yml Normal file
View File

@ -0,0 +1,18 @@
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
displayname: "Authelia User"
# Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev
...

85
examples/authelia/docker-compose.yml Normal file
View File

@ -0,0 +1,85 @@
version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to auth_request URI
- REVERSE_PROXY_URL_999=/authelia
- REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
# Authelia
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
# APPLICATIONS
app1:
image: node
working_dir: /home/node/app
volumes:
- ./js-app:/home/node/app
environment:
- NODE_ENV=production
command: bash -c "npm install express && node index.js"
app2:
image: tutum/hello-world
# AUTHELIA
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- ./authelia:/config
restart: unless-stopped
healthcheck:
disable: true
environment:
- TZ=Europe/Paris
redis:
image: redis:alpine
container_name: redis
volumes:
- ./redis:/data
expose:
- 6379
restart: unless-stopped
environment:
- TZ=Europe/Paris
volumes:
bw_data:

13
examples/authelia/js-app/index.js Normal file
View File

@ -0,0 +1,13 @@
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => {
res.send('Hello World from app1!')
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})

15
examples/authelia/js-app/package.json Normal file
View File

@ -0,0 +1,15 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}

5
examples/authentik/.env Normal file
View File

@ -0,0 +1,5 @@
PG_PASS=changeme
AUTHENTIK_SECRET_KEY=changeme
AUTHENTIK_COOKIE_DOMAIN=example.com
AUTHENTIK_BOOTSTRAP_PASSWORD=changeme
AUTHENTIK_BOOTSTRAP_TOKEN=changeme

3
examples/authentik/README.md Normal file
View File

@ -0,0 +1,3 @@
We assume that you are already familiar with [Authentik](https://goauthentik.io/).
This example has been tested with a Proxy in Forward auth (domain level) mode (see [here](https://goauthentik.io/docs/providers/proxy/forward_auth) for more information).

154
examples/authentik/docker-compose.yml Normal file
View File

@ -0,0 +1,154 @@
version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to outpost
- REVERSE_PROXY_URL_999=/outpost.goauthentik.io
- REVERSE_PROXY_HOST_999=http://server:9000
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
- REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
- REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
# Authentik
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://server:9000
- auth.example.com_REVERSE_PROXY_WS=yes
- auth.example.com_LIMIT_REQ_URL_1=^/api/
- auth.example.com_LIMIT_REQ_RATE_1=5r/s
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- auth.example.com_ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
- auth.example.com_COOKIE_FLAGS=* SameSite=Lax
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app1.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app1.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app2.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
# APPLICATIONS
app1:
image: node
working_dir: /home/node/app
volumes:
- ./js-app:/home/node/app
environment:
- NODE_ENV=production
command: bash -c "npm install express && node index.js"
app2:
image: tutum/hello-world
# AUTHENTIK SERVICES
postgresql:
image: postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD", "pg_isready"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
env_file:
- .env
redis:
image: redis:alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
# WORKERS: 2
volumes:
- ./media:/media
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
# ports:
# - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
# - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
# This is optional, and can be removed. If you remove this, the following will happen
# - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
# - The docker socket can't be accessed anymore
user: root
volumes:
- ./media:/media
- ./certs:/certs
- /var/run/docker.sock:/var/run/docker.sock
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
env_file:
- .env
volumes:
bw_data:
database:
geoip:

13
examples/authentik/js-app/index.js Normal file
View File

@ -0,0 +1,13 @@
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => {
res.send('Hello World from app1!')
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})

15
examples/authentik/js-app/package.json Normal file
View File

@ -0,0 +1,15 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}

2
examples/behind-reverse-proxy/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly

2
examples/bigbluebutton/docker-compose.yml
View File

@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/drupal/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

4
examples/ghost/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
volumes:
- ./ghost-data:/var/lib/ghost/content
environment:
- url=http://www.example.com # replace with your domain
- url=https://www.example.com # replace with your domain
volumes:
bw_data:

2
examples/gogs/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/hardened/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# dropping all capabilities
cap_drop:
- ALL

2
examples/joomla/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/kubernetes-ingress/ingress.yml
View File

@ -5,7 +5,7 @@ metadata:
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
bunkerweb.io/USE_LETS_ENCRYPT_STAGING: "yes"
spec:
rules:
- host: app1.example.com

2
examples/load-balancer/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/magento/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/mongo-express/docker-compose.yml
View File

@ -24,7 +24,7 @@ services:
- mongo
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/moodle/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/nextcloud/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/passbolt/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/php-multisite/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/php-singlesite/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/prestashop/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/proxy-protocol/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly

2
examples/redmine/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/reverse-proxy-multisite/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/reverse-proxy-singlesite/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/reverse-proxy-websocket/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/syslog/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
logging:
driver: syslog
options:

2
examples/tomcat/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

2
examples/tor-hidden-service/docker-compose.yml
View File

@ -11,7 +11,7 @@ services:
- SERVICE1_TOR_SERVICE_VERSION=3
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly

4
examples/web-ui/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -42,7 +42,7 @@ services:
- net_svc
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- myuiproxy
volumes:

2
examples/wordpress/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443

4
helpers/entrypoint.sh
View File

@ -40,6 +40,10 @@ function trap_reload() {
}
trap "trap_reload" HUP
if [ -f /opt/bunkerweb/tmp/scheduler.pid ] ; then
rm -f /opt/bunkerweb/tmp/scheduler.pid
fi
if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF_MODE" != "yes" ] ; then
# execute temp nginx with no server
export TEMP_NGINX="yes"

5
integrations/autoconf/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@ -20,7 +20,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- ./bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -29,7 +29,6 @@ services:
volumes:
bw-data:
bw-conf:
networks:
bw-autoconf:

4
integrations/kubernetes/bunkerweb.yml
View File

@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -106,7 +106,7 @@ spec:
claimName: pvc-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE

4
integrations/swarm/stack.yml
View File

@ -3,7 +3,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@ -31,7 +31,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes:

4
lua/utils.lua
View File

@ -244,6 +244,10 @@ utils.get_reason = function()
if os.getenv("REASON") == "modsecurity" then
return "modsecurity"
end
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
if banned then
return banned
end
if ngx.status == ngx.HTTP_FORBIDDEN then
return "unknown"
end

7
tests/docker.sh
View File

@ -48,6 +48,13 @@ fi
echo "Running Docker tests ..."
# authelia
single_docker_test "authelia" "60" "https://$TEST_DOMAIN1_1 authelia" "https://$TEST_DOMAIN1_2 authelia"
# authentik
# TODO : find a way to load a basic configuration for automatic tests
# single_docker_test "authentik" "60" "https://$TEST_DOMAIN1_1 authentik" "https://$TEST_DOMAIN1_2 authentik"
# drupal
single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal"

1
tests/utils/utils.sh
View File

@ -23,6 +23,7 @@ function exec_docker_example() {
sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml
sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml
sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml
sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml
sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml