v1.4.0 ... dev

florian
4a699ef6c6 fix missing local Linux images import in ci/cd, and fix bug related to jobs in Linux integration 2022-06-26 16:50:55 +02:00
florian
5690a58ab9 fix IFS checking permissions 2022-06-26 12:25:33 +02:00
florian
e55928a37b fix bwcli commands when using Linux integration 2022-06-26 12:16:40 +02:00
florian
0f2388b1f2 fix permissions check when file has space in the name 2022-06-26 11:58:45 +02:00
TheophileDiot
2b43a9cbf5 Merge branch 'dev' of https://github.com/bunkerity/bunkerized-nginx into dev 2022-06-23 17:54:33 -04:00
TheophileDiot
5ecf39ee02 Fix web-ui example with X-Script-Name 2022-06-23 17:53:58 -04:00
bunkerity
ad091493c3 examples - add various certbot-dns examples 2022-06-22 16:30:06 +02:00
bunkerity
a65606c369 examples - add certbot-dns-ovh 2022-06-22 16:03:01 +02:00
bunkerity
cd0d70b8f6 cache dev Linux images in ci/cd and disable site config generation for autoconf/swarm/k8s 2022-06-22 14:32:27 +02:00
bunkerity
e21a35017a plugins - support log_default() hook, same as log() but for default server 2022-06-22 11:24:47 +02:00
bunkerity
c563731e86 autoconf - fix overwrite configs file when using Docker autoconf 2022-06-22 09:34:18 +02:00
bunkerity
3c417d2ff0 linux - fix fedora NGINX version in Dockerfile, fix missing arg when building DEB/RPM and force NGINX version DEB deps 2022-06-21 14:17:45 +02:00
bunkerity
970082f92e linux - force NGINX version in RPM deps 2022-06-21 14:04:03 +02:00
florian
4a2504c3b8 reflect ci/cd changes to dev 2022-06-19 10:21:50 +02:00
florian
fd0c7b1e53 ci/cd - add automatic build for Linux images 2022-06-16 17:40:15 +02:00
florian
1e6d62ce79 fix packagecloud yank name 2022-06-16 12:52:44 +02:00
florian
1a4e21481e docs - edit supported architectures for prebuilt Docker images 2022-06-16 11:38:05 +02:00
florian
bcaca6f034 v1.4.1 release 2022-06-16 11:26:58 +02:00
florian
424214fd56 add changelog and add missing s in authentik url 2022-06-15 14:06:39 +02:00
Florian Pitance
82b42d5b9c Merge pull request #259 from Brawdunoir/master
Remove USE_ before authbasic plugin settings
2022-06-15 11:06:45 +02:00
florian
db4e2cf266 update linux docs, minor fix in ingress example and update default value for bunkernet job 2022-06-14 13:49:22 +02:00
florian
0ef82619b8 temp disable automatic tests for authentik and test automatic arm build on dedicated hardware 2022-06-14 11:05:26 +02:00
florian
f2655e331d remove arm build again, fix proxy_*_timeout directives and add authelia example 2022-06-14 09:42:32 +02:00
Yann Lacroix
d51ae1c1b9 Remove USE_ before authbasic plugin settings 2022-06-13 22:50:10 +02:00
florian
cd0438b8ce support REVERSE_PROXY_*_TIMEOUT settings, remove useless push in CI/CD and try to build arm on GH runners 2022-06-13 21:40:38 +02:00
florian
f9a042526e add docs about compiling BW from source on Linux, add docs about packages pinning on Linux and fix regex for REVERSE_PROXY_AUTH_REQUEST and REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL 2022-06-13 21:04:25 +02:00
florian
15ac64b05f let's encrypt - fix bug when AUTOCONF_MODE=yes 2022-06-13 19:55:15 +02:00
florian
e0f8895e9a init support for auth_request and add authentik example 2022-06-13 13:06:03 +02:00
florian
e852298352 don't send local IP to BunkerNet on default server, fix certbot new when MULTISITE=no and fix unknown reason in get_reason 2022-06-11 18:36:52 +02:00
99 changed files with 1984 additions and 432 deletions


@@ -73,12 +73,6 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build images
- name: Build BW for 386
@@ -86,8 +80,7 @@ jobs:
with:
context: .
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-386:latest
tags: bunkerweb-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-386-cache,mode=min
- name: Build BW autoconf for 386
@@ -96,8 +89,7 @@ jobs:
context: .
file: autoconf/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache,mode=min
- name: Build BW UI for 386
@@ -106,96 +98,201 @@ jobs:
context: .
file: ui/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ui-386-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/arm
# build-bw-arm:
# runs-on: [self-hosted, ARM64]
# steps:
build-bw-arm:
runs-on: ubuntu-latest
steps:
# Prepare
# - name: Checkout source code
# uses: actions/checkout@v3
# - name: Setup Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_TOKEN }}
# - name: Login to private repository
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.PRIVATE_REGISTRY }}
# username: registry
# password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build images
# - name: Build BW for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv7-cache,mode=min
# - name: Build BW for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
# - name: Build BW autoconf for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache,mode=min
# - name: Build BW autoconf for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
# - name: Build BW UI for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache,mode=min
# - name: Build BW UI for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv8:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
- name: Build BW for ARM
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-arm-cache,mode=min
- name: Build BW autoconf for ARM
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-autoconf-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache,mode=min
- name: Build BW UI for ARM
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-ui-tests-arm:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ui-arm-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Build linux ubuntu
build-bw-ubuntu:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW ubuntu
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-ubuntu
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ubuntu-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ubuntu-cache,mode=min
# Build linux debian
build-bw-debian:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW debian
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-debian
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
cache-from: type=registry,ref=bunkerity/cache:bw-debian-cache
cache-to: type=registry,ref=bunkerity/cache:bw-debian-cache,mode=min
# Build linux centos
build-bw-centos:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW centos
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-centos
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
cache-from: type=registry,ref=bunkerity/cache:bw-centos-cache
cache-to: type=registry,ref=bunkerity/cache:bw-centos-cache,mode=min
# Build linux fedora
build-bw-fedora:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW fedora
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-fedora
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
cache-from: type=registry,ref=bunkerity/cache:bw-fedora-cache
cache-to: type=registry,ref=bunkerity/cache:bw-fedora-cache,mode=min
# Run tests
tests:
needs: build-bw-amd64
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
runs-on: [self-hosted, X64]
steps:
@@ -216,7 +313,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV
@@ -229,6 +326,14 @@ jobs:
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest 10.20.1.1:5000/bw-autoconf-tests:latest && docker push 10.20.1.1:5000/bw-autoconf-tests:latest
- name: Import BW UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest 10.20.1.1:5000/bw-ui-tests:latest && docker push 10.20.1.1:5000/bw-ui-tests:latest
- name: Import Ubuntu image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest bw-ubuntu-tests:latest
- name: Import Debian image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest bw-debian-tests:latest
- name: Import Centos image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest bw-centos-tests:latest
- name: Import Fedora image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest bw-fedora-tests:latest
# CVE check on OS
- name: Check security vulnerabilities for BW
@@ -273,17 +378,15 @@ jobs:
# Push to dev registries
push-docker:
# needs: [tests, build-bw-386, build-bw-arm]
needs: [tests, build-bw-386]
needs: [tests, build-bw-386, build-bw-arm]
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
@@ -296,40 +399,55 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build and push
- name: Build and push BW
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-arm-cache
- name: Build and push BW autoconf
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
- name: Build and push BW UI
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev
cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-arm-cache
# Push to PackageCloud
push-linux:
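Review bot: The new `Setup SSH for ARM node` step writes a private key and an ssh config for host `arm` but never seeds `~/.ssh/known_hosts`, so the `docker buildx create --append ... ssh://ubuntu@arm` step that follows has nothing to verify the remote build node against on a fresh hosted runner. The contents of `ARM_SSH_CONFIG` are not visible here; for a non-interactive first connection to succeed it presumably sets `StrictHostKeyChecking` to `no` or `accept-new`, in which case a redirected or spoofed node would receive the checked-out source, whatever registry credentials buildx forwards for the `cache-to: type=registry` push, and would produce the arm64/armv7 layers that `push-docker` then publishes as `bunkerity/bunkerweb:dev`. Pin the node's host key from a secret in the same step, e.g. `echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts` with `SSH_KNOWN_HOSTS: ${{ secrets.ARM_SSH_KNOWN_HOSTS }}` under `env:`, and put `StrictHostKeyChecking yes` for `Host arm` in the config; a `chmod 700 ~/.ssh` after the `mkdir -p` is cheap as well. The step is duplicated in the `build-bw-arm` and `push-docker` jobs, so both copies need the change, and the enclosing `jobs:` map starts before these hunks.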


@@ -70,12 +70,6 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build images
- name: Build BW for 386
@@ -83,8 +77,7 @@ jobs:
with:
context: .
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-386:latest
tags: bunkerweb-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-386-cache,mode=min
- name: Build BW autoconf for 386
uses: docker/build-push-action@v3
@@ -92,8 +85,7 @@ jobs:
context: .
file: autoconf/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-386-cache,mode=min
- name: Build BW UI for 386
uses: docker/build-push-action@v3
@@ -101,91 +93,189 @@ jobs:
context: .
file: ui/Dockerfile
platforms: linux/386
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-386:latest
tags: bunkerweb-autoconf-tests-386:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/arm
# build-bw-arm:
# runs-on: [self-hosted, ARM64]
# steps:
build-bw-arm:
runs-on: ubuntu-latest
steps:
# Prepare
# - name: Checkout source code
# uses: actions/checkout@v3
# - name: Setup Buildx
# uses: docker/setup-buildx-action@v2
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_TOKEN }}
# - name: Login to private repository
# uses: docker/login-action@v2
# with:
# registry: ${{ secrets.PRIVATE_REGISTRY }}
# username: registry
# password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Setup SSH for ARM node
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build images
# - name: Build BW for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-armv7-cache,mode=min
# - name: Build BW for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
# - name: Build BW autoconf for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv7-cache,mode=min
# - name: Build BW autoconf for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: autoconf/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
# - name: Build BW UI for armv7
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm/v7
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv7:latest
# cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv7-cache,mode=min
# - name: Build BW UI for armv8
# uses: docker/build-push-action@v3
# with:
# context: .
# file: ui/Dockerfile
# platforms: linux/arm64/v8
# push: true
# tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-armv8:latest
# cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
- name: Build BW for ARM
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-arm-cache,mode=min
- name: Build BW autoconf for ARM
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-autoconf-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache,mode=min
- name: Build BW UI for ARM
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/arm64,linux/arm/v7
tags: bunkerweb-ui-tests-arm:latest
cache-to: type=registry,ref=bunkerity/cache:bw-ui-arm-cache,mode=min
# Build linux ubuntu
build-bw-ubuntu:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW ubuntu
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-ubuntu
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest
# Build linux debian
build-bw-debian:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW debian
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-debian
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest
# Build linux centos
build-bw-centos:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW centos
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-centos
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest
# Build linux fedora
build-bw-fedora:
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build image
- name: Build BW fedora
uses: docker/build-push-action@v3
with:
context: .
file: linux/Dockerfile-fedora
platforms: linux/amd64
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest
# Run tests
tests:
needs: build-bw-amd64
needs: [build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]
runs-on: [self-hosted, X64]
steps:
@@ -206,7 +296,7 @@ jobs:
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
if [ "$GITHUB_REF" = "refs/heads/master" ] ; then
echo "BUILD_MODE=prod" >> $GITHUB_ENV
else
echo "BUILD_MODE=dev" >> $GITHUB_ENV
@@ -219,6 +309,14 @@ jobs:
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf-tests-amd64:latest 10.20.1.1:5000/bw-autoconf-tests:latest && docker push 10.20.1.1:5000/bw-autoconf-tests:latest
- name: Import BW UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui-tests-amd64:latest 10.20.1.1:5000/bw-ui-tests:latest && docker push 10.20.1.1:5000/bw-ui-tests:latest
- name: Import Ubuntu image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ubuntu:latest bw-ubuntu-tests:latest
- name: Import Debian image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-debian:latest bw-debian-tests:latest
- name: Import Centos image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-centos:latest bw-centos-tests:latest
- name: Import Fedora image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-fedora:latest bw-fedora-tests:latest
# CVE check on OS
- name: Check security vulnerabilities for BW
@@ -263,16 +361,19 @@ jobs:
# Push to dev registries
push-docker:
needs: [tests, build-bw-386]
needs: [tests, build-bw-386, build-bw-arm]
runs-on: ubuntu-latest
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set variables
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
@@ -285,44 +386,55 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Set variables
- name: Setup SSH for ARM node
run: |
VER=$(cat VERSION | tr -d '\n')
echo "VERSION=$VER" >> $GITHUB_ENV
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
chmod 600 ~/.ssh/id_rsa_arm
echo "$SSH_CONFIG" > ~/.ssh/config
env:
SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Append ARM node to buildx
run: |
docker buildx create --append --name ${{ steps.buildx.outputs.name }} --node arm --platform linux/arm64,linux/arm/v7,linux/arm/v6 ssh://ubuntu@arm
# Build and push
- name: Build and push BW
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:latest,bunkerity/bunkerweb:latest,bunkerity/bunkerweb:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-arm-cache
- name: Build and push BW autoconf
uses: docker/build-push-action@v3
with:
context: .
file: autoconf/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:latest,bunkerity/bunkerweb-autoconf:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-arm-cache
- name: Build and push BW UI
uses: docker/build-push-action@v3
with:
context: .
file: ui/Dockerfile
platforms: linux/amd64,linux/386
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:latest,bunkerity/bunkerweb-ui:${{ env.VERSION }}
cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-arm-cache
# Push to PackageCloud
push-linux:
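Review bot: The arm64/armv7 layers that `push-docker` now publishes under `bunkerity/bunkerweb:latest` and the `${{ env.VERSION }}` tags are never exercised by the `tests` job: `build-bw-arm` builds `bunkerweb-tests-arm:latest` with neither `push` nor `load`, so only its registry cache survives, and the `tests` job's `needs` list (`[build-bw-amd64, build-bw-ubuntu, build-bw-debian, build-bw-centos, build-bw-fedora]`) does not include it, while `push-docker` depends on it directly. For a release this means the first time an arm image runs is on a user's machine, and those layers come from a remote node joined to buildx over SSH in the same job with no visible host-key pinning (`known_hosts` is never written in `Setup SSH for ARM node`). At minimum gate the push on an arm smoke test, e.g. a `runs-on: [self-hosted, ARM64]` job that `docker run`s the built image, and add `build-bw-arm` to the `tests` job's `needs`; seeding `~/.ssh/known_hosts` from a secret in the SSH step (`echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts`) would close the second gap. The `jobs:` map these hunks belong to starts before this section.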

126
CHANGELOG.md Normal file

@@ -0,0 +1,126 @@
# Changelog
## v1.4.2 -
- Fix bwcli unban command when using Linux integration
- Fix permissions check when filename has a space
- Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
- Fix config files overwrite when using Docker autoconf
- Add log_default() plugin hook
- Add various certbot-dns examples
- Force NGINX version dependencies in Linux packages DEB/RPM
- Add Discord to supported plugins
## v1.4.1 - 2022/16/06
- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
- Fix certbot bug when AUTOCONF_MODE=yes
- Fix certbot bug when MULTISITE=no
- Add reverse proxy timeouts settings
- Add auth_request settings
- Add authentik and authelia examples
- Prebuilt Docker images for arm64 and armv7
- Improve documentation for Linux integration
- Various fixes in the documentation
## v1.4.0 - 2022/06/06
- Project renamed to BunkerWeb
- Internal architecture fully revised with a modular approach
- Improved CI/CD with automatic tests for multiple integrations
- Plugin improvement
- Volume improvement for container-based integrations
- Web UI improvement with various new features
- Web tool to generate settings from a user-friendly UI
- Linux packages
- Various bug fixes
## v1.3.2 - 2021/10/24
- Use API instead of a shared folder for Swarm and Kubernetes integrations
- Beta integration of distributed bad IPs database through a remote API
- Improvement of the request limiting feature : hour/day rate and multiple URL support
- Various bug fixes related to antibot feature
- Init support of Arch Linux
- Fix Moodle example
- Fix ROOT_FOLDER bug in serve-files.conf when using the UI
- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
- Disable COUNTRY ban if IP is local
## v1.3.1 - 2021/09/02
- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
- Fix ignored variables to control jobs
- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
- Add CUSTOM_HEADER variable
- Add REVERSE_PROXY_BUFFERING variable
- Add REVERSE_PROXY_KEEPALIVE variable
- Fix documentation for modsec and modsec-crs special folders
## v1.3.0 - 2021/08/23
- Kubernetes integration in beta
- Linux integration in beta
- autoconf refactoring
- jobs refactoring
- UI refactoring
- UI security : login/password authentication and CRSF protection
- various dependencies updates
- move CrowdSec as an external plugin
- Authelia support
- improve various regexes
- add INJECT_BODY variable
- add WORKER_PROCESSES variable
- add USE_LETS_ENCRYPT_STAGING variable
- add LOCAL_PHP and LOCAL_PHP_PATH variables
- add REDIRECT_TO variable
## v1.2.8 - 2021/07/22
- Fix broken links in README
- Fix regex for EMAIL_LETS_ENCRYPT
- Fix regex for REMOTE_PHP and REMOTE_PHP_PATH
- Fix regex for SELF_SIGNED_*
- Fix various bugs related to web UI
- Fix bug in autoconf (missing instances parameter to reload function)
- Remove old .env files when generating a new configuration
## v1.2.7 - 2021/06/14
- Add custom robots.txt and sitemap to RTD
- Fix missing GeoIP DB bug when using BLACKLIST/WHITELIST_COUNTRY
- Add underscore "_" to allowed chars for CUSTOM_HTTPS_CERT/KEY
- Fix bug when using automatic self-signed certificate
- Build and push images from GitHub actions instead of Docker Hub autobuild
- Display the reason when generator is ignoring a variable
- Various bug fixes related to certbot and jobs
- Split jobs into pre and post jobs
- Add HEALTHCHECK to image
- Fix race condition when using autoconf without Swarm by checking healthy state
- Bump modsecurity-nginx to v1.0.2
- Community chat with bridged platforms
## v1.2.6 - 2021/06/06
- Move from "ghetto-style" shell scripts to generic jinja2 templating
- Init work on a basic plugins system
- Move ClamAV to external plugin
- Reduce image size by removing unnecessary dependencies
- Fix CrowdSec example
- Change some global variables to multisite
- Add LOG_LEVEL environment variable
- Read-only container support
- Improved antibot javascript with a basic proof of work
- Update nginx to 1.20.1
- Support of docker-socket-proxy with web UI
- Add certbot-cloudflare example
- Disable DNSBL checks when IP is local
## v1.2.5 - 2021/05/14
- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
- Init work on official documentation on readthedocs
- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
- Add ROOT_SITE_SUBFOLDER environment variable
## TODO - retrospective changelog


@@ -3,7 +3,7 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/bunkerweb-1.4.0-blue" />
<img src="https://img.shields.io/badge/bunkerweb-1.4.1-blue" />
<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28DEV%29?label=CI%2FCD%20dev" />
<img src="https://img.shields.io/github/workflow/status/bunkerity/bunkerweb/Automatic%20test%2C%20build%2C%20push%20and%20deploy%20%28PROD%29?label=CI%2FCD%20prod" />
@@ -246,6 +246,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/latest/plugins) of the documentation.
@@ -280,7 +281,7 @@ This project is licensed under the terms of the [GNU Affero General Public Licen
# Contribute
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/LICENSE.md) to get started.
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/master/CONTRIBUTING.md) to get started.
# Security policy


@@ -1 +1 @@
1.4.0
1.4.1


@@ -131,10 +131,11 @@ class Config(ApiCaller, ConfigCaller) :
self._set_apis(self.__get_apis())
# write configs
ret = self.__write_configs()
if not ret :
success = False
log("CONFIG", "", "saving custom configs failed, configuration will not work as expected...")
if configs != None :
ret = self.__write_configs()
if not ret :
success = False
log("CONFIG", "", "saving custom configs failed, configuration will not work as expected...")
# get env
env = self.__get_full_env()
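Review bot: The new guard `if configs != None :` compares a singleton with `!=`, which goes through `__ne__` and is the form PEP 8 advises against; write it as `if configs is not None :`. With this guard a caller that omits `configs` silently skips the custom-config write while the rest of `apply` proceeds, which appears intended (the Docker controller's `apply_config` in a later section stops passing `configs=self._configs`), but that contract deserves a one-line comment such as `# configs is None when the controller does not manage custom configs itself`. The enclosing `apply` method starts and ends outside the hunk.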


@@ -26,11 +26,6 @@ class DockerController(Controller) :
continue
value = env.replace(variable + "=", "", 1)
instance["env"][variable] = value
server_name = []
for controller_service in self._get_controller_services() :
if "bunkerweb.SERVER_NAME" in controller_service.labels :
server_name.append(controller_service.labels["bunkerweb.SERVER_NAME"].split(" ")[0])
instance["env"]["SERVER_NAME"] = " ".join(server_name)
return [instance]
def _get_controller_services(self) :
@@ -48,7 +43,7 @@ class DockerController(Controller) :
raise("get_configs is not supported with DockerController")
def apply_config(self) :
return self._config.apply(self._instances, self._services, configs=self._configs)
return self._config.apply(self._instances, self._services)
def process_events(self) :
for event in self.__client.events(decode=True, filters={"type": "container"}) :


@@ -42,7 +42,7 @@ class CLI(ApiCaller) :
def __get_apis(self) :
# Docker case
if self.__integration == "docker" :
if self.__integration == "docker" or self.__integration == "linux" :
return [API("http://127.0.0.1:" + self.__variables["API_HTTP_PORT"], host=self.__variables["API_SERVER_NAME"])]
# Autoconf case
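Review bot: The new condition repeats `self.__integration ==` once per accepted value; `if self.__integration in ("docker", "linux") :` reads better and will not grow another `or` when a further integration uses the local API. The line that follows indexes `self.__variables["API_HTTP_PORT"]` and `["API_SERVER_NAME"]` directly, so if the Linux integration's variables file lacks either key the failure is a bare `KeyError` rather than a message naming the missing setting; that line is unchanged by the commit. The `__get_apis` method continues outside the hunk.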


@@ -12,4 +12,50 @@ server {
# include custom default-server configurations
include /opt/bunkerweb/configs/default-server-http/*.conf;
log_by_lua_block {
local utils = require "utils"
local logger = require "logger"
local datastore = require "datastore"
local plugins = require "plugins"
logger.log(ngx.INFO, "LOG", "Log phase started")
-- List all plugins
local list, err = plugins:list()
if not list then
logger.log(ngx.ERR, "LOG", "Can't list loaded plugins : " .. err)
list = {}
end
-- Call log_default method of plugins
for i, plugin in ipairs(list) do
local ret, plugin_lua = pcall(require, plugin.id .. "/" .. plugin.id)
if ret then
local plugin_obj = plugin_lua.new()
if plugin_obj.log_default ~= nil then
logger.log(ngx.INFO, "LOG", "Executing log_default() of " .. plugin.id)
local ok, err = plugin_obj:log_default()
if not ok then
logger.log(ngx.ERR, "LOG", "Error while calling log_default() on plugin " .. plugin.id .. " : " .. err)
else
logger.log(ngx.INFO, "LOG", "Return value from " .. plugin.id .. ".log_default() is : " .. err)
end
else
logger.log(ngx.INFO, "LOG", "log_default() method not found in " .. plugin.id .. ", skipped execution")
end
end
end
-- Display reason at info level
local reason = utils.get_reason()
if reason then
logger.log(ngx.INFO, "LOG", "Client was denied with reason : " .. reason)
end
logger.log(ngx.INFO, "LOG", "Log phase ended")
}
}


@@ -141,11 +141,13 @@ function _M:report(ip, reason, method, url, headers)
return self:request("POST", "/report", data)
end
function _M:log()
-- Check if BunkerNet is activated
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then
return true, "bunkernet not activated"
function _M:log(bypass_use_bunkernet)
if bypass_use_bunkernet then
-- Check if BunkerNet is activated
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then
return true, "bunkernet not activated"
end
end
-- Check if BunkerNet ID is generated
if not self.id then
@@ -193,6 +195,27 @@ function _M:log()
return true, "created report timer"
end
function _M:log_default()
-- Check if bunkernet is activated
local check, err = utils.has_variable("USE_BUNKERNET", "yes")
if check == nil then
return false, "error while checking variable USE_BUNKERNET (" .. err .. ")"
end
if not check then
return true, "bunkernet not enabled"
end
-- Check if default server is disabled
local check, err = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
if check == nil then
return false, "error while getting variable DISABLE_DEFAULT_SERVER (" .. err .. ")"
end
if check ~= "yes" then
return true, "default server not disabled"
end
-- Call log method
return self:log(true)
end
function _M:access()
local use_bunkernet = utils.get_variable("USE_BUNKERNET")
if use_bunkernet ~= "yes" then
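Review bot: The guard in `_M:log(bypass_use_bunkernet)` runs the USE_BUNKERNET check only when the parameter is truthy, which is the opposite of what the name says: `log_default()` passes `true` after it has already tested the variable with `has_variable`, so the check runs twice there, while a plain `log()` call now skips the check that the old body always performed. If the intent is to skip the per-server check from the default server, the condition should read `if not bypass_use_bunkernet then`; if the current behaviour is what is wanted, rename the parameter and add a comment saying why the check is opt-in. In `log_default()`, `local check, err` is declared twice in one scope (luacheck reports the shadowing); reuse the first pair with `check, err = utils.get_variable("DISABLE_DEFAULT_SERVER", false)` or give the second lookup its own names. The `log` body is split across the two hunks and continues outside them, and `access()` at the bottom is cut off.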


@@ -1,51 +0,0 @@
log_by_lua_block {
local bunkernet = require "bunkernet.bunkernet"
local utils = require "utils"
local datastore = require "datastore"
local logger = require "logger"
local disable_default_server = utils.get_variable("DISABLE_DEFAULT_SERVER", false)
local use_bunkernet = utils.has_variable("USE_BUNKERNET", "yes")
if disable_default_server == "yes" and use_bunkernet then
-- Instantiate bunkernet
local bnet, err = bunkernet.new()
if not bnet then
ngx.log(ngx.ERR, "BUNKERNET", "can't instantiate bunkernet " .. err)
return
end
-- Check if BunkerNet ID is generated
if not bnet.id then
return
end
-- Check if IP has been blocked
if ngx.status ~= ngx.HTTP_CLOSE then
return
end
-- Only report if it hasn't been reported for the same reason recently
local reported = datastore:get("plugin_bunkernet_cache_" .. ngx.var.remote_addr .. "default")
if reported then
return
end
-- report callback called in a light thread
local function report_callback(premature, obj, ip, reason, method, url, headers)
local ok, err, status, data = obj:report(ip, reason, method, url, headers)
if not ok then
logger.log(ngx.ERR, "BUNKERNET", "Can't report IP : " .. err)
elseif status ~= 200 then
logger.log(ngx.ERR, "BUNKERNET", "Error from remote server : " .. tostring(status))
else
logger.log(ngx.NOTICE, "BUNKERNET", "Successfully reported IP " .. ip .. " (reason : " .. reason .. ")")
local ok, err = datastore:set("plugin_bunkernet_cache_" .. ip .. reason, true, 3600)
if not ok then
logger.log(ngx.ERR, "BUNKERNET", "Can't store cached report : " .. err)
end
end
end
-- Set a timer at the end of log()
local hdr, err = ngx.timer.at(0, report_callback, bnet, ngx.var.remote_addr, "default", ngx.var.request_method, ngx.var.request_uri, ngx.req.get_headers())
if not hdr then
logger.log(ngx.ERR, "BUNKERNET", "can't create report timer : " .. err)
end
return
end
}


@@ -18,11 +18,11 @@ try :
# Multisite case
if os.getenv("MULTISITE") == "yes" :
for first_server in os.getenv("SERVER_NAME").split(" ") :
if os.getenv(first_server + "_USE_BUNKERNET", os.getenv("USE_BUNKERNET")) == "yes" :
if os.getenv(first_server + "_USE_BUNKERNET", os.getenv("USE_BUNKERNET", "yes")) == "yes" :
bunkernet_activated = True
break
# Singlesite case
elif os.getenv("USE_BUNKERNET") == "yes" :
elif os.getenv("USE_BUNKERNET", "yes") == "yes" :
bunkernet_activated = True
if not bunkernet_activated :
logger.log("BUNKERNET", "", "BunkerNet is not activated, skipping registration...")
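Review bot: The inner default `os.getenv("USE_BUNKERNET", "yes")` is re-evaluated on every loop iteration and the `"yes"` literal is now spelled in two places; compute it once before the branch, e.g. `global_use_bunkernet = os.getenv("USE_BUNKERNET", "yes")`, and use it in both the multisite and singlesite paths. The changed default also means registration now proceeds when the variable is absent from the environment, which is an opt-out design; a comment at the top of the job should state that so the Lua side (which compares `utils.get_variable("USE_BUNKERNET")` against `"yes"` in a later section) is kept consistent. The enclosing `try` block starts and ends outside the hunk.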


@@ -15,11 +15,12 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
validation = os.getenv("CERTBOT_VALIDATION")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
for variable, value in os.environ.items() :
if not variable.startswith("CLUSTER_INSTANCE_") :
continue
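Review bot: `is_autoconf_mode` and the widened `if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :` are copied verbatim into three jobs (this section and the two that follow it), so the next integration will have to be added in three places. A single helper in a shared module, such as `def is_cluster_mode(): return any(os.getenv(v) == "yes" for v in ("KUBERNETES_MODE", "SWARM_MODE", "AUTOCONF_MODE"))`, would keep them in step; if the jobs deliberately avoid shared imports, a short comment naming the sibling jobs that must change together is the minimum. The enclosing `try` block starts and ends outside the hunk.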


@@ -15,10 +15,11 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
for variable, value in os.environ.items() :
if not variable.startswith("CLUSTER_INSTANCE_") :
continue


@@ -17,10 +17,11 @@ try :
# Get env vars
is_kubernetes_mode = os.getenv("KUBERNETES_MODE") == "yes"
is_swarm_mode = os.getenv("SWARM_MODE") == "yes"
is_autoconf_mode = os.getenv("AUTOCONF_MODE") == "yes"
token = os.getenv("CERTBOT_TOKEN")
# Cluster case
if is_kubernetes_mode or is_swarm_mode :
if is_kubernetes_mode or is_swarm_mode or is_autoconf_mode :
# Create tarball of /data/letsencrypt
tgz = BytesIO()


@@ -45,7 +45,7 @@ try :
elif os.getenv("AUTO_LETS_ENCRYPT") == "yes" and os.getenv("SERVER_NAME") != "" :
first_server = os.getenv("SERVER_NAME").split(" ")[0]
domains = os.getenv("SERVER_NAME").replace(" ", ",")
if not os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
if os.path.exists("/etc/letsencrypt/live/" + first_server + "/cert.pem") :
logger.log("LETS-ENCRYPT", "", "Certificates already exists for domain(s) " + domains)
else :
real_email = os.getenv("EMAIL_LETS_ENCRYPT", "contact@" + first_server)
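Review bot: The new log message reads `Certificates already exists for domain(s)`; the verb should agree with the plural subject, `"Certificates already exist for domain(s) " + domains`. The inverted condition itself is sound: the existing-certificate branch now only logs and the `else` keeps the issuance path, which is easier to follow than the previous negated test. The `else` body and the enclosing `try` block continue outside the hunk.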


@@ -1,5 +1,6 @@
{% if DISABLE_DEFAULT_SERVER == "yes" +%}
location / {
set $reason "default";
return 444;
}
{% endif %}


@@ -6,59 +6,87 @@ proxy_intercept_errors on;
proxy_intercept_errors off;
{% endif +%}
{% if USE_PROXY_CACHE == "yes" +%}
{% if USE_PROXY_CACHE == "yes" +%}
proxy_cache proxycache;
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
proxy_cache_key {{ PROXY_CACHE_KEY }};
proxy_no_cache {{ PROXY_NO_CACHE }};
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
{% if PROXY_CACHE_VALID != "" +%}
{% for element in PROXY_CACHE_VALID.split(" ") +%}
{% if PROXY_CACHE_VALID != "" +%}
{% for element in PROXY_CACHE_VALID.split(" ") +%}
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
{% endfor %}
{% endfor %}
add_header X-Proxy-Cache $upstream_cache_status;
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% set counter = namespace(value=1) %}
{% for k, v in all.items() %}
{% if k.startswith("REVERSE_PROXY_URL") and v != "" +%}
{% set url = v %}
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
{% set headers_client = all[k.replace("URL", "HEADERS_CLIENT")] if k.replace("URL", "HEADERS_CLIENT") in all else "" %}
{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "60s" %}
{% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "60s" %}
{% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "60s" %}
location {{ url }} {% raw %}{{% endraw +%}
etag off;
set $backend "{{ host }}";
proxy_pass $backend;
set $backend{{ counter.value }} "{{ host }}";
proxy_pass $backend{{ counter.value }};
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
{% if buffering == "yes" +%}
{% if buffering == "yes" +%}
proxy_buffering on;
{% else +%}
{% else +%}
proxy_buffering off;
{% endif %}
{% if ws == "yes" +%}
{% endif %}
{% if ws == "yes" +%}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% elif keepalive == "yes" +%}
{% elif keepalive == "yes" +%}
proxy_http_version 1.1;
proxy_set_header Connection "";
{% endif %}
{% if headers != "" %}
{% for header in headers.split(";") +%}
{% endif %}
{% if auth_request != "" +%}
auth_request {{ auth_request }};
{% endif +%}
{% if auth_request_signin_url != "" +%}
error_page 401 =302 {{ auth_request_signin_url }};
{% endif +%}
{% if auth_request_sets != "" +%}
{% for auth_request_set in auth_request_sets.split(";") +%}
auth_request_set {{ auth_request_set }};
{% endfor +%}
{% endif +%}
{% if headers != "" +%}
{% for header in headers.split(";") +%}
proxy_set_header {{ header }};
{% endfor %}
{% endif %}
{% endfor +%}
{% endif +%}
{% if headers_client != "" +%}
{% for header_client in headers_client.split(";") +%}
add_header {{ header_client }};
{% endfor +%}
{% endif +%}
proxy_connect_timeout {{ connect_timeout }};
proxy_read_timeout {{ read_timeout }};
proxy_send_timeout {{ send_timeout }};
{% raw %}}{% endraw %}
{% endif %}
{% set counter.value = counter.value + 1 %}
{% endfor %}
{% endif %}
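Review bot: `add_header {{ header_client }};` inside the generated `location` block changes header inheritance: nginx inherits `add_header` directives from the enclosing level only when the current level defines none, so once a site sets REVERSE_PROXY_HEADERS_CLIENT (or enters the existing `add_header X-Proxy-Cache` branch), any headers emitted at `server` level by other templates stop applying to that location. Either document this next to the directive, e.g. `# add_header here replaces, not extends, server-level add_header directives`, or re-emit the server-level headers inside the location. The values placed into `auth_request`, `error_page 401 =302 …`, `auth_request_set` and the three `proxy_*_timeout` directives are interpolated verbatim with no escaping, so validation has to happen at the settings layer. The `$backend{{ counter.value }}` change correctly gives each proxied location its own variable instead of the shared `$backend`.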


@@ -56,13 +56,23 @@
"REVERSE_PROXY_HEADERS": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to proxied resource.",
"help": "List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive).",
"id": "reverse-proxy-headers",
"label": "Reverse proxy headers",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_HEADERS_CLIENT": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to client separated with ; (values for add_header directive).",
"id": "reverse-proxy-headers-client",
"label": "Reverse proxy headers-client",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_BUFFERING": {
"context": "multisite",
"default": "yes",
@@ -83,6 +93,36 @@
"type": "check",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST": {
"context": "multisite",
"default": "",
"help": "Enable authentication using an external provider (value of auth_request directive).",
"id": "reverse-proxy-auth-request",
"label": "Reverse proxy auth request",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL": {
"context": "multisite",
"default": "",
"help": "Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).",
"id": "reverse-proxy-auth-request-signin-url",
"label": "Auth request signin URL",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SET": {
"context": "multisite",
"default": "",
"help": "List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).",
"id": "reverse-proxy-auth-request-set",
"label": "Reverse proxy auth request set",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"USE_PROXY_CACHE": {
"context": "multisite",
"default": "no",
@@ -172,6 +212,36 @@
"label": "Reverse proxy bypass",
"regex": "^.*$",
"type": "text"
},
"REVERSE_PROXY_CONNECT_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when connecting to the proxied resource.",
"id": "reverse-proxy-connect-timeout",
"label": "Reverse proxy connect timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_READ_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when reading from the proxied resource.",
"id": "reverse-proxy-read-timeout",
"label": "Reverse proxy read timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_SEND_TIMEOUT": {
"context": "multisite",
"default": "60s",
"help": "Timeout when sending to the proxied resource.",
"id": "reverse-proxy-send-timeout",
"label": "Reverse proxy send timeout",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
}
}
}
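Review bot: Every new setting (`REVERSE_PROXY_HEADERS_CLIENT`, `REVERSE_PROXY_AUTH_REQUEST`, `REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`, `REVERSE_PROXY_AUTH_REQUEST_SET` and the three timeouts) is validated with `"regex": "^.*$"`, while the reverse-proxy template inserts each value verbatim into an nginx directive; a value containing `;`, a newline or `}` therefore alters the generated configuration instead of being rejected. Tighten the patterns to the shape of the directive they feed — constructed examples: `"^\\d+(ms|s|m|h)?$"` for the timeouts and `"^[^;{}\\n]*$"` for the header and `auth_request_set` lists — so malformed input fails at the settings layer rather than at nginx reload time. The label `"Reverse proxy headers-client"` is also inconsistent with the other labels, which use spaces.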


@@ -9,10 +9,10 @@
Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and easy way to test and use it as long as you are familiar with the Docker technology.
We provide ready to use prebuilt images for x64 and x86 architectures (armv7 and armv8 are not supported at the moment) on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
We provide ready to use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.4.0
docker pull bunkerity/bunkerweb:1.4.1
```
Alternatively, you can build the Docker images directly from the [source](https://github.com/bunkerity/bunkerweb) (and take a coffee ☕ because it may be long depending on your hardware) :
@@ -39,7 +39,7 @@ docker run \
-e MY_SETTING=value \
-e "MY_OTHER_SETTING=value with spaces" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@@ -48,7 +48,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
environment:
- MY_SETTING=value
```
@@ -73,7 +73,7 @@ docker run \
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@@ -82,7 +82,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- bw-data:/data
...
@@ -109,7 +109,7 @@ docker run \
...
-v ./bw-data:/data \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@@ -119,7 +119,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
```
@@ -141,7 +141,7 @@ docker run \
...
--network mynetwork \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
@@ -152,7 +152,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-net
...
@@ -183,9 +183,6 @@ First of all, you will need to create the data volume :
docker volume create bw-data
```
- One for sharing the persistent data, mounted on **/data**
- Another one for sharing the generated Nginx configurations, mounted on **/etc/nginx**
Then, you can create two networks (replace 10.20.30.0/24 with an unused subnet of your choice) :
```shell
@@ -210,7 +207,7 @@ docker run \
-e SERVER_NAME= \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-services mybunker
```
@@ -224,7 +221,7 @@ docker run \
--network bw-autoconf \
-v bw-data:/data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
@@ -235,13 +232,12 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
volumes:
- bw-data:/data
environment:
- AUTOCONF_MODE=yes
- MULTISITE=yes
- SERVER_NAME=
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@@ -252,7 +248,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -354,7 +350,7 @@ docker service create \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
And the autoconf one :
@@ -368,7 +364,7 @@ docker service \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=volume,source=bw-data,destination=/data \
-e SWARM_MODE=yes \
bunkerity/bunkerweb-autoconf:1.4.0
bunkerity/bunkerweb-autoconf:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
@@ -379,7 +375,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@@ -406,7 +402,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes:
@@ -674,7 +670,7 @@ List of supported Linux distros :
- Fedora 36
- CentOS Stream 8
Please note that you will need to **install NGINX 1.20.2 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official supported way of installing BunkerWeb on Linux.
Please note that you will need to **install NGINX 1.20.2 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official prebuild packages of BunkerWeb but you can build it from source.
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
@@ -682,7 +678,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
The first step is to add NGINX official repository :
```shell
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
@@ -693,21 +689,26 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
You should now be able to install NGINX 1.20.2 :
```shell
sudo apt update && \
sudo apt install nginx=1.20.2-1~bullseye
sudo apt install -y nginx=1.20.2-1~bullseye
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
apt update && \
apt install -y bunkerweb=1.4.0
sudo apt update && \
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Ubuntu"
The first step is to add NGINX official repository :
```shell
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
@@ -718,29 +719,40 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
You should now be able to install NGINX 1.20.2 :
```shell
sudo apt update && \
sudo apt install nginx=1.20.2-1~jammy
sudo apt install -y nginx=1.20.2-1~jammy
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
apt update && \
apt install -y bunkerweb=1.4.0
sudo apt update && \
sudo apt install -y bunkerweb=1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Fedora"
Fedora already provides NGINX 1.20.2 that we support :
```shell
sudo dnf install nginx-1.20.2
sudo dnf install -y nginx-1.20.2
```
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
dnf check-update && \
dnf install -y bunkerweb-1.4.0
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "CentOS Stream"
The first step is to add NGINX official repository, create the following file at `/etc/yum.repos.d/nginx.repo` :
@@ -759,14 +771,80 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.0 :
And finally install BunkerWeb 1.4.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
dnf check-update && \
dnf install -y bunkerweb-1.4.0
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "From source"
The first step is to install NGINX 1.20.2 using the repository of your choice or by [compiling it from source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#compiling-and-installing-from-source).
The target installation folder of BunkerWeb is located at `/opt/bunkerweb`, let's create it :
```shell
mkdir /opt/bunkerweb
```
You can now clone the BunkerWeb project to the `/tmp` folder :
```shell
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
```
BunkerWeb needs some dependencies to be compiled and install to `/opt/bunkerweb/deps`, the easiest way to it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blob/master/deps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
```
mkdir /opt/bunkerweb/deps && \
/tmp/bunkerweb/deps/install.sh
```
Additional Python dependencies needs to be installed into the `/opt/bunkerweb/deps/python` folder :
```shell
mkdir /opt/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --target /opt/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt
```
Once dependencies had been installed, you can now copy the BunkerWeb sources to the target `/opt/bunkerweb` folder :
```shell
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/bunkerweb-ui.env linux/scripts ; do
cp -r /tmp/bunkerweb/${src} /opt/bunkerweb
done
cp /opt/bunkerweb/helpers/bwcli /usr/local/bin
```
Additional folders also need to be created :
```shell
mkdir /opt/bunkerweb/{configs,cache,plugins,tmp}
```
Permissions needs to be fixed :
```shell
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /opt/bunkerweb -path /opt/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
find /opt/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
chmod 770 /opt/bunkerweb/cache /opt/bunkerweb/tmp && \
chmod 750 /opt/bunkerweb/gen/main.py /opt/bunkerweb/job/main.py /opt/bunkerweb/cli/main.py /opt/bunkerweb/helpers/*.sh /opt/bunkerweb/scripts/*.sh /usr/local/bin/bwcli /opt/bunkerweb/ui/main.py && \
chown -R root:nginx /opt/bunkerweb
```
Last but not least, you will need to setup systemd unit files :
```shell
cp /tmp/bunkerweb/linux/*.service /etc/systemd/system && \
systemctl daemon-reload && \
systemctl stop nginx && \
systemctl disable nginx && \
systemctl enable bunkerweb && \
systemctl enable bunkerweb-ui
```
Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file :
```conf

@@ -2,7 +2,7 @@
!!! warning "Read this if you were a bunkerized user"
A lot of things have changed since the last bunkerized release. If you want to an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
A lot of things have changed since the last bunkerized release. If you want to do an upgrade, which we recommend you to do because BunkerWeb is by far better than bunkerized, please read carefully this section and also the whole documentation.
## Volumes
@@ -12,11 +12,14 @@ When using container-based integrations like [Docker](/1.4/integrations/#docker)
We decided to drop the following features :
- Authelia : we will make an official [plugin](/1.4/plugins) for that
- Blocking "bad" referrers : we may add it again in the future
- ROOT_SITE_SUBFOLDER : we will need to redesign this in the future
## Replaced BLOCK_*, WHITELIST_* and BLACKLIST_* settings
## Changed Authelia support
Instead of supporting only Authelia, we decided to support generic auth request settings. See the new [authelia example](https://github.com/bunkerity/bunkerweb/tree/master/examples/authelia) and [auth request documentation](https://docs.bunkerweb.io/1.4/security-tuning/#auth-request) for more information.
## Replaced BLOCK_\*, WHITELIST_\* and BLACKLIST_\* settings
The blocking mechanisms has been completely redesigned. We have detected that a lot of false positives came from the default blacklists hardcoded into bunkerized. That's why we decided to give the users the choice of their blacklists (and also whitelists) for IP address, reverse DNS, user-agent, URI and ASN, see the [Blacklisting and whitelisting](/1.4/security-tuning/#blacklisting-and-whitelisting) section of the [security tuning](/1.4/security-tuning).

@@ -10,6 +10,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
## How to use a plugin
@@ -43,13 +44,13 @@ The first step is to install the plugin by putting the plugin files inside the c
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...
@@ -242,16 +243,22 @@ function _M:log()
return true, "success"
end
function _M:log_default()
logger.log(ngx.NOTICE, "MYPLUGIN", "log_default called")
return true, "success"
end
return _M
```
The 3 functions `init`, `access`, and `log` are automatically called during specific contexts. Here are the details of each function :
The declared functions are automatically called during specific contexts. Here are the details of each function :
| Function | Context | Description | Return value |
| :------: | :--------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `init` | [init_by_lua](https://github.com/openresty/lua-nginx-module#init_by_lua) | Called when NGINX just started or received a reload order. the typical use case is to prepare any data that will be used by your plugin. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
| `access` | [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) | Called on each request received by the server. The typical use case is to do the security checks here and deny the request if needed. | `ret`, `err`, `return`, `status`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li><li>`return` (boolean) : true if you want to stop the access phase and send a status to the client</li><li>`status` (number) : the return value to set if `return` is set to true</li></ul> |
| `log` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Called when a request has finished (and before it gets logged to the access logs). The typical use case is to make stats or compute counters for example. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
| `log_default` | [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua) | Same as `log` but only called on the default server. | `ret`, `err`<ul><li>`ret` (boolean) : true if no error else false</li><li>`err` (string) : success or error message</li></ul> |
#### Libraries

@@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e USE_REVERSE_PROXY=yes \
-e REVERSE_PROXY_URL=/ \
-e REVERSE_PROXY_HOST=http://myapp \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@@ -64,7 +64,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@@ -331,7 +331,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
-e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
-e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
@@ -341,7 +341,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@@ -875,13 +875,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -900,13 +900,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -925,13 +925,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -956,7 +956,7 @@ REAL_IP_HEADER=X-Forwarded-For
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@@ -1008,13 +1008,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -1035,13 +1035,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -1062,13 +1062,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
environment:
- USE_REAL_IP=yes
@@ -1094,7 +1094,7 @@ REAL_IP_HEADER=proxy_protocol
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
...
env:
- name: USE_REAL_IP
@@ -1169,13 +1169,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...
@@ -1212,13 +1212,13 @@ Some integrations offer a more convenient way of applying configurations for exa
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.0
bunkerity/bunkerweb:1.4.1
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
volumes:
- ./bw-data:/data
...

@@ -297,12 +297,24 @@ Using both country blacklist and whitelist at the same time makes no sense. If y
## Authentication
### Auth basic
You can quickly protect sensitive resources like the admin area for example by requiring HTTP basic authentication. Here is the list of related settings :
| Setting | Default | Description |
| :-----------------------: | :---------------: | :------------------------------------------------------------------------------------------- |
| `USE_AUTH_BASIC` | `no` | When set to `yes` HTTP auth basic will be enabled. |
| `AUTH_BASIC_LOCATION` | `sitewide` | Location (URL) of the sensitive resource. Use special value `sitewide` to enable everywhere. |
| `USE_AUTH_BASIC_USER` | `changeme` | The username required. |
| `USE_AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
| `USE_AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
| `AUTH_BASIC_USER` | `changeme` | The username required. |
| `AUTH_BASIC_PASSWORD` | `changeme` | The password required. |
| `AUTH_BASIC_TEXT` | `Restricted area` | Text to display in the auth prompt. |
### Auth request
You can deploy complex authentification (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/master/examples).
**Auth request settings are related to reverse proxy rules.**
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|

@@ -249,26 +249,33 @@ When settings are considered as "multiple", it means that you can have multiple
### Reverse proxy
| Setting | Default | Context |Multiple| Description |
|--------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS`|`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource. |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time).|
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
| Setting | Default | Context |Multiple| Description |
|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with ; (values for add_header directive). |
|`REVERSE_PROXY_BUFFERING` |`yes` |multisite|yes |Enable or disable buffering of responses from proxied resource. |
|`REVERSE_PROXY_KEEPALIVE` |`no` |multisite|yes |Enable or disable keepalive connections with the proxied resource. |
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
|`PROXY_CACHE_PATH_PARAMS` |`max_size=100m` |global |no |Additional parameters to add to the proxy_cache directive. |
|`PROXY_CACHE_METHODS` |`GET HEAD` |multisite|no |HTTP methods that should trigger a cache operation. |
|`PROXY_CACHE_MIN_USES` |`2` |multisite|no |The minimimum number of requests before a response is cached. |
|`PROXY_CACHE_KEY` |`$scheme$host$request_uri` |multisite|no |The key used to uniquely identify a cached response. |
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time dependending on the HTTP status code (list of status=time). |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
### Self-signed certificate

@@ -75,7 +75,12 @@ Here is how you can access the logs depending on your integration :
=== "Linux"
The logs are located inside the `/var/log/nginx` directory. There is two files :
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log

@@ -78,7 +78,7 @@ Because the web UI is a web application, the recommended installation procedure
-e "bwadm.example.com_REVERSE_PROXY_HEADER=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.0 && \
bunkerity/bunkerweb:1.4.1 && \
docker network connect bw-ui mybunker
```
@@ -117,7 +117,7 @@ Because the web UI is a web application, the recommended installation procedure
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
bunkerity/bunkerweb-ui:1.4.0 && \
bunkerity/bunkerweb-ui:1.4.1 && \
docker network connect bw-docker myui
```
@@ -133,7 +133,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
networks:
- bw-services
- bw-ui
@@ -156,7 +156,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.UI"
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- mydocker
networks:

@@ -0,0 +1,79 @@
---
###############################################################
# Authelia configuration #
###############################################################
jwt_secret: a_very_important_secret
default_redirection_url: https://auth.example.com
ntp:
disable_failure: true
server:
host: 0.0.0.0
port: 9091
log:
level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: auth.example.com
policy: bypass
- domain: app1.example.com
policy: one_factor
- domain: app2.example.com
policy: two_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.com # Should match whatever your root protected domain is
redis:
host: redis
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
#notifier:
# smtp:
# username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# password: password
# host: mail.example.com
# port: 25
# sender: admin@example.com
...
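Review bot: The example ships hard-coded placeholder secrets — `jwt_secret: a_very_important_secret`, the session `secret: unsecure_session_secret` and the `storage.encryption_key` string — with no marker telling readers they must be replaced, so a copied example runs as-is with known values. A comment above each, e.g. `# CHANGE ME before any real deployment: generate a random value (or use the AUTHELIA_*_FILE env variables mentioned below)`, would make the expectation explicit, and `level: debug` under `log` deserves a note that it is for the demo only, since debug output can include request details. The same point applies to the demo user in `users_database.yml` (documented password `authelia`, member of `admins`) and to the `changeme` values in `examples/authentik/.env`.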

@@ -0,0 +1,18 @@
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
displayname: "Authelia User"
# Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev
...

@@ -0,0 +1,85 @@
version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to auth_request URI
- REVERSE_PROXY_URL_999=/authelia
- REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
# Authelia
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
# APPLICATIONS
app1:
image: node
working_dir: /home/node/app
volumes:
- ./js-app:/home/node/app
environment:
- NODE_ENV=production
command: bash -c "npm install express && node index.js"
app2:
image: tutum/hello-world
# AUTHELIA
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- ./authelia:/config
restart: unless-stopped
healthcheck:
disable: true
environment:
- TZ=Europe/Paris
redis:
image: redis:alpine
container_name: redis
volumes:
- ./redis:/data
expose:
- 6379
restart: unless-stopped
environment:
- TZ=Europe/Paris
volumes:
bw_data:
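Review bot: `REVERSE_PROXY_URL_999=/authelia` is a non-prefixed (global) setting, so every server listed in `SERVER_NAME` gets a `/authelia` location proxied to Authelia's `/api/verify`; the upstream Authelia nginx integration keeps that location `internal` so it is only reachable through `auth_request`. I cannot tell from this file whether BunkerWeb marks auth_request targets internal, so it is worth confirming and, if not, documenting it with a comment such as `# /authelia is only meant to be hit by auth_request; confirm it is not client-reachable`. Separately, `image: node` and `image: authelia/authelia` are unpinned and `app1` runs `npm install express` at container start, so the example is neither reproducible nor offline-friendly; pinning tags (e.g. `authelia/authelia:<version>`) and installing dependencies at build time would be more robust, and `healthcheck: disable: true` on `authelia` should carry a comment explaining why it is disabled.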

@@ -0,0 +1,13 @@
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => {
res.send('Hello World from app1!')
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})

@@ -0,0 +1,15 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}

5
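--- /dev/null
+++ b/examples/authentik/.env
@@ -0,0 +1,5 @@
+PG_PASS=changeme
+AUTHENTIK_SECRET_KEY=changeme
+AUTHENTIK_COOKIE_DOMAIN=example.com
+AUTHENTIK_BOOTSTRAP_PASSWORD=changeme
+AUTHENTIK_BOOTSTRAP_TOKEN=changeme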

@@ -0,0 +1,3 @@
We assume that you are already familiar with [Authentik](https://goauthentik.io/).
This example has been tested with a Proxy in Forward auth (domain level) mode (see [here](https://goauthentik.io/docs/providers/proxy/forward_auth) for more information).

@@ -0,0 +1,154 @@
version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to outpost
- REVERSE_PROXY_URL_999=/outpost.goauthentik.io
- REVERSE_PROXY_HOST_999=http://server:9000
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
- REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
- REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
# Authentik
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://server:9000
- auth.example.com_REVERSE_PROXY_WS=yes
- auth.example.com_LIMIT_REQ_URL_1=^/api/
- auth.example.com_LIMIT_REQ_RATE_1=5r/s
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- auth.example.com_ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
- auth.example.com_COOKIE_FLAGS=* SameSite=Lax
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app1.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app1.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app2.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
# APPLICATIONS
app1:
image: node
working_dir: /home/node/app
volumes:
- ./js-app:/home/node/app
environment:
- NODE_ENV=production
command: bash -c "npm install express && node index.js"
app2:
image: tutum/hello-world
# AUTHENTIK SERVICES
postgresql:
image: postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD", "pg_isready"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
env_file:
- .env
redis:
image: redis:alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
# WORKERS: 2
volumes:
- ./media:/media
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
# ports:
# - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
# - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
# This is optional, and can be removed. If you remove this, the following will happen
# - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
# - The docker socket can't be accessed anymore
user: root
volumes:
- ./media:/media
- ./certs:/certs
- /var/run/docker.sock:/var/run/docker.sock
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
env_file:
- .env
volumes:
bw_data:
database:
geoip:
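Review bot: `env_file: .env` on the geoipupdate service (L2525-2526) hands the whole secrets file — PG_PASS, AUTHENTIK_SECRET_KEY and the AUTHENTIK_BOOTSTRAP_PASSWORD/TOKEN — to a container that only needs its GEOIPUPDATE_* settings; list the GEOIPUPDATE account/licence variables explicitly under `environment:` and drop the `env_file` line there. The worker runs as `user: root` with `/var/run/docker.sock` mounted (L2509, L2513); the inline comment already calls both optional, so an example that is about putting a WAF in front of Authentik should default to leaving them out, since write access to the Docker socket is effectively root on the host. The `${PG_PASS:?database password required}` guard (L2460) only rejects an empty value, so the shipped `changeme` placeholder passes it; a comment next to the .env reference, `# change every value in .env before first start`, would help.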


@@ -0,0 +1,13 @@
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => {
res.send('Hello World from app1!')
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})


@@ -0,0 +1,15 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly


@@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit CloudFlare credentials in cloudflare.ini file (generate using https://dash.cloudflare.com/?to=/:account/profile/api-tokens)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`


@@ -0,0 +1,5 @@
# Cloudflare API token used by Certbot (recommended)
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef012345671
# Cloudflare API credentials used by Certbot (not recommended)
#dns_cloudflare_email = cloudflare@example.com
#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef012341


@@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-cloudflare
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./cloudflare.ini:/opt/cloudflare.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:
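Review bot: `mycertbot` (L2644-2653) has no `restart:` policy while its entrypoint exits after a single `sleep 86400`, so the renewal pass runs once and the container then stays stopped for good; add `restart: unless-stopped` to the service. The credentials file is mounted writable on L2651; certbot only reads it, so `- ./cloudflare.ini:/opt/cloudflare.ini:ro` is the safer form, and certbot itself warns when that file is not mode 600, which the README does not mention. The same two points apply to the digitalocean (L2713-2779), google (L2814-2880), ovh (L2931-2997) and route53 (L3048-3114) compose files.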


@@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /opt/cloudflare.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400
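Review bot: `echo -n $DOMAINS` (L2679) expands the variable unquoted, so the leading `*` of `*.example.com` is subject to pathname expansion and the list to word splitting before `cut` sees it; use `first_domain="$(printf '%s' "$DOMAINS" | cut -d ',' -f 1 | sed 's/^\*\.//')"`. The renew branch (L2683-2685) is taken whenever a lineage for the first domain already exists, so editing DOMAINS after the first run never reissues the certificate for the new list; that is worth a sentence in the README. The same applies to the digitalocean (L2783-2800), google (L2884-2901), ovh (L3001-3018) and route53 (L3118-3136) entrypoints.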


@@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-digitalocean documentation](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit DigitalOcean credentials in digitalocean.ini file (generate using https://cloud.digitalocean.com/settings/api/tokens)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`


@@ -0,0 +1,2 @@
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff


@@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-digitalocean
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./digitalocean.ini:/opt/digitalocean.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:


@@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400


@@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-google documentation](https://certbot-dns-google.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit Google credentials in google.json file (generate using https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`


@@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-google
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./google.json:/opt/google.json
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:


@@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-google --dns-google-credentials /opt/google.json --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400


@@ -0,0 +1,12 @@
{
"type": "service_account",
"project_id": "...",
"private_key_id": "...",
"private_key": "...",
"client_email": "...",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "..."
}


@@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-ovh documentation](https://certbot-dns-ovh.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit OVH credentials in ovh.ini file (generate using https://eu.api.ovh.com/createToken/)
- Run certbot only and wait for certificate to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`


@@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-ovh
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./ovh.ini:/opt/ovh.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:


@@ -0,0 +1,23 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400


@@ -0,0 +1,5 @@
# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw


@@ -0,0 +1,7 @@
Please have a look at the [certbot-dns-route53 documentation](https://certbot-dns-route53.readthedocs.io/en/stable/) first.
Procedure :
- Edit domains in the compose file
- Edit AWS credentials in aws.ini file (generate using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html)
- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
- When certificates are generated, run your services : `docker-compose up -d`


@@ -0,0 +1,3 @@
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


@@ -0,0 +1,74 @@
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
- certs:/certs
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3
networks:
- net_app1
- net_app2
- net_app3
mycertbot:
image: certbot/dns-google
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
volumes:
- certs:/etc/letsencrypt
- ./aws.ini:/opt/aws.ini
- ./entrypoint.sh:/opt/entrypoint.sh
entrypoint: /bin/sh /opt/entrypoint.sh
app1:
image: tutum/hello-world
networks:
- net_app1
app2:
image: tutum/hello-world
networks:
- net_app2
app3:
image: tutum/hello-world
networks:
- net_app3
volumes:
bw_data:
certs:
networks:
net_app1:
net_app2:
net_app3:
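Review bot: `image: certbot/dns-google` (L3087) does not match the rest of this section: the mounted credentials file is `./aws.ini` (L3093) and the entrypoint calls `--dns-route53`, a plugin the dns-google image is unlikely to ship, so issuance fails on first start; change it to `image: certbot/dns-route53`. The restart-policy and read-only-mount points raised on the cloudflare compose file apply here as well.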


@@ -0,0 +1,24 @@
#!/bin/sh
echo "Certbot started, domains = $DOMAINS"
first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
if [ "$EMAIL" = "" ] ; then
EMAIL="contact@${first_domain}"
fi
if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
echo "Renewing certificates ..."
certbot renew
else
echo "Asking for certificates ..."
export AWS_CONFIG_FILE=/opt/aws.ini
certbot certonly -n --dns-route53 --email "$EMAIL" --agree-tos -d "$DOMAINS"
fi
echo "Fixing permissions ..."
chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
echo "Certbot ended, sleeping for 24 hours"
sleep 86400
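Review bot: `export AWS_CONFIG_FILE=/opt/aws.ini` (L3130) sits inside the else branch, so the `certbot renew` path (L3125-3127) runs without the Route53 credentials on every start after the first issuance and the DNS-01 renewal cannot complete; move the export above the `if` on L3125. The unquoted-expansion point raised on the cloudflare entrypoint applies to L3121 here too.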


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@@ -31,7 +31,7 @@ services:
volumes:
- ./ghost-data:/var/lib/ghost/content
environment:
- url=http://www.example.com # replace with your domain
- url=https://www.example.com # replace with your domain
volumes:
bw_data:


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# dropping all capabilities
cap_drop:
- ALL


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -5,7 +5,7 @@ metadata:
annotations:
bunkerweb.io/AUTOCONF: "yes"
bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
bunkerweb.io/USE_LETS_ENCRYPT_STAGING: "yes"
spec:
rules:
- host: app1.example.com


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -24,7 +24,7 @@ services:
- mongo
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
logging:
driver: syslog
options:


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -11,7 +11,7 @@ services:
- SERVICE1_TOR_SERVICE_VERSION=3
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@@ -27,9 +27,9 @@ services:
- www.example.com_USE_UI=yes
- www.example.com_SERVE_FILES=no
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_URL=/changeme # replace with another url
- www.example.com_REVERSE_PROXY_HOST=http://myui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_LIMIT_REQ_URL=/changeme/plugins/upload # replace with another url
- www.example.com_LIMIT_REQ_RATE=4r/s
@@ -42,7 +42,7 @@ services:
- net_svc
myui:
image: bunkerity/bunkerweb-ui:1.4.0
image: bunkerity/bunkerweb-ui:1.4.1
depends_on:
- myuiproxy
volumes:


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443


@@ -32,6 +32,7 @@ for folder in "${rx_folders[@]}" ; do
fi
done
# Check permissions on files
IFS=$'\n'
for file in $(find /data -type f) ; do
if [ ! -r "${file}" ] ; then
log "$1" "❌" "Wrong permissions on ${file} (at least R needed for user nginx with uid 101 and gid 101)"
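Review bot: the added `IFS=$'\n'` (L3447) changes word splitting for everything that runs after it — the enclosing function and the rest of the script lie outside the hunk and nothing visible restores IFS — and `$(find ...)` output is still subject to pathname expansion, so a file name containing `*` or `?` would be globbed before the `-r` test. A NUL-delimited loop avoids both without touching IFS globally: `find /data -type f -print0 | while IFS= read -r -d '' file ; do`. If the loop body sets variables that the caller reads after the loop (not visible here), use `done < <(find /data -type f -print0)` instead so the body does not run in a pipeline subshell.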


@@ -40,6 +40,10 @@ function trap_reload() {
}
trap "trap_reload" HUP
if [ -f /opt/bunkerweb/tmp/scheduler.pid ] ; then
rm -f /opt/bunkerweb/tmp/scheduler.pid
fi
if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF_MODE" != "yes" ] ; then
# execute temp nginx with no server
export TEMP_NGINX="yes"
@@ -73,6 +77,9 @@ fi
# generate final configuration
export TEMP_NGINX="no"
log "ENTRYPOINT" "" "Generating configuration ..."
if [ "$SWARM_MODE" = "yes" ] || [ "$KUBERNETES_MODE" = "yes" ] || [ "$AUTOCONF_MODE" = "yes" ] ; then
export SERVER_NAME=
fi
env | grep -E -v "^(HOSTNAME|PWD|PKG_RELEASE|NJS_VERSION|SHLVL|PATH|_|NGINX_VERSION|HOME)=" > "/tmp/variables.env"
/opt/bunkerweb/gen/main.py --settings /opt/bunkerweb/settings.json --templates /opt/bunkerweb/confs --output /etc/nginx --variables /tmp/variables.env
if [ "$?" -ne 0 ] ; then
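Review bot: the `if [ -f ... ]` guard around `rm -f /opt/bunkerweb/tmp/scheduler.pid` (L3457-3459) is redundant because `rm -f` already ignores a missing file; the three lines collapse to `rm -f /opt/bunkerweb/tmp/scheduler.pid`. A short comment stating why the pid file is discarded at startup, e.g. `# drop a stale scheduler pid left by an unclean container stop`, would also document the assumption that no scheduler can still be running at this point; trap_reload and the remainder of the entrypoint are outside the hunk.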


@@ -3,7 +3,7 @@ version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- 80:8080
- 443:8443
@@ -20,7 +20,7 @@ services:
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
volumes:
- ./bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -29,7 +29,6 @@ services:
volumes:
bw-data:
bw-conf:
networks:
bw-autoconf:


@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -106,7 +106,7 @@ spec:
claimName: pvc-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE


@@ -3,7 +3,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
image: bunkerity/bunkerweb:1.4.1
ports:
- published: 80
target: 8080
@@ -31,7 +31,7 @@ services:
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.0
image: bunkerity/bunkerweb-autoconf:1.4.1
environment:
- SWARM_MODE=yes
volumes:


@@ -10,7 +10,7 @@ RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build && \
# Nginx
RUN dnf update -y && \
dnf install -y curl gnupg2 ca-certificates redhat-lsb-core && \
dnf install nginx -y
dnf install nginx-1.20.2 -y
# Copy dependencies sources folder
COPY deps /tmp/bunkerweb/deps


@@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture x86_64
--depends bash --depends epel-release --depends python39 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
--depends bash --depends epel-release --depends python39 --depends 'nginx = 1:1.20.2-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd
--description "BunkerWeb %VERSION% for CentOS Stream 8"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"


@@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture amd64
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~bullseye' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--description "BunkerWeb %VERSION% for Debian 11"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"


@@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture x86_64
--depends bash --depends python3 --depends 'nginx >= 1.20.2' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
--depends bash --depends python3 --depends 'nginx = 1:1.20.2-2.fc36' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd
--description "BunkerWeb %VERSION% for Fedora 36"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"
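Review bot: `--depends 'nginx = 1:1.20.2-2.fc36'` pins the Fedora distribution build (note the `.fc36` release, not `.ngx`), while the Fedora Dockerfile in this same commit installs `nginx-1.20.2` with no release field, so the two can quietly diverge the next time Fedora rebuilds the package as `-3.fc36` or moves to a newer upstream — at which point the RPM stops installing on an up-to-date Fedora 36 even though the image still builds. I'd either relax this to the version only (`nginx = 1:1.20.2` is not valid RPM syntax, so it would have to be `nginx >= 1:1.20.2, nginx < 1:1.20.3`) or generate both pins from one variable, and add a description note that the exact version is required. As with the other specs, an exact `=` dependency blocks Fedora's own NGINX security updates until it is bumped.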


@@ -3,7 +3,7 @@
--license agpl3
--version %VERSION%
--architecture amd64
--depends bash --depends python3 --depends python3-pip --depends 'nginx (>= 1.20.2)' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.20.2-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools
--description "BunkerWeb %VERSION% for Ubuntu 22.04"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"
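Review bot: `--depends 'nginx = 1.20.2-1~jammy'` has the same consequences as the Debian spec: it requires the nginx.org repository (Ubuntu's own nginx package cannot satisfy a `~jammy` nginx.org revision), and the exact `=` keeps nginx from being upgraded by apt, so security releases are held back until this line is bumped. Neither prerequisite is stated; a description such as `BunkerWeb %VERSION% for Ubuntu 22.04 (requires the nginx.org repository; nginx pinned to 1.20.2-1~jammy)` and a single shared version variable across the package specs would make the pin deliberate rather than accidental.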


@@ -46,7 +46,7 @@ function start() {
# STEP1 #
# Generate variables.env files to /tmp/ #
#############################################
printf "HTTP_PORT=80\nSERVER_NAME=example.com\nTEMP_NGINX=yes\nUSE_BUNKERNET=no" > "/tmp/variables.env"
printf "HTTP_PORT=80\nSERVER_NAME=example.com\nTEMP_NGINX=yes" > "/tmp/variables.env"
# Test if command worked
check_ok
# Exit if failed
@@ -91,7 +91,7 @@ function start() {
# STEP4 #
# Run jobs script #
#############################################
/opt/bunkerweb/job/main.py --variables /etc/nginx/variables.env --run
/opt/bunkerweb/job/main.py --variables /opt/bunkerweb/variables.env --run
# Test if command worked
check_ok
# Exit if failed


@@ -244,6 +244,10 @@ utils.get_reason = function()
if os.getenv("REASON") == "modsecurity" then
return "modsecurity"
end
local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)
if banned then
return banned
end
if ngx.status == ngx.HTTP_FORBIDDEN then
return "unknown"
end
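Review bot: The added `local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr)` discards `err`, so a datastore failure is indistinguishable from "not banned" and the function silently falls through to the generic reasons below; since this value feeds logs and reporting, a broken datastore would hide bans instead of surfacing an error. I'd log it, excluding only the not-found case if `datastore:get` signals a missing key through `err`: `if not banned and err then ngx.log(ngx.WARN, "can't read bans_ip_" .. ngx.var.remote_addr .. " from datastore : " .. tostring(err)) end` — confirm what `get` returns for a missing key first, otherwise this logs on every request. Note also that the lookup runs before the `ngx.HTTP_FORBIDDEN` check, so any request from an address with a ban entry reports the ban reason even when the request itself was not denied; that may be intended (a ban covers all requests) but deserves a one-line comment. `utils.get_reason` starts above the hunk and ends below it.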


@@ -48,6 +48,13 @@ fi
echo "Running Docker tests ..."
# authelia
single_docker_test "authelia" "60" "https://$TEST_DOMAIN1_1 authelia" "https://$TEST_DOMAIN1_2 authelia"
# authentik
# TODO : find a way to load a basic configuration for automatic tests
# single_docker_test "authentik" "60" "https://$TEST_DOMAIN1_1 authentik" "https://$TEST_DOMAIN1_2 authentik"
# drupal
single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal"


@@ -11,7 +11,7 @@ function gen_package() {
else
type="deb"
fi
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest"
do_and_check_cmd docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest" "$type"
name="bunkerweb_${version}-1_amd64"
if [ "$type" = "rpm" ] ; then
name="bunkerweb-${version}-1.x86_64"
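Review bot: `docker run --rm -v "/tmp/packages/${linux}:/data" "bw-${linux}-tests:latest" "$type"` passes `rpm`/`deb` as the container command, which only works if the `bw-${linux}-tests` image declares an ENTRYPOINT that takes it as an argument; if the image relies on CMD instead, Docker tries to execute a program called `rpm` or `deb`, nothing gets built, and `do_and_check_cmd` only notices if that happens to exit non-zero. I can't see the image's Dockerfile, so please confirm, and make the intent explicit with either `--entrypoint` or a comment such as `# "$type" is read by the test image's ENTRYPOINT to pick the package format`. The bind mount is also a fixed, predictable path under `/tmp`; on a shared runner another user could pre-create `/tmp/packages/${linux}`, so a `mktemp -d` directory owned by the job would be safer. `gen_package` begins above the hunk and continues past it.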


@@ -23,6 +23,7 @@ function exec_docker_example() {
sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml
sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml
sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml
sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml
sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml
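Review bot: The new `sed -i "s@auth.example.com@${TEST_DOMAIN1}@g"` maps `auth.example.com` onto the same `TEST_DOMAIN1` that the line above already uses for `www.example.com`, so an example declaring both hosts (an auth portal plus the protected application, which is presumably what the authelia/authentik examples do) ends up with two services claiming the same `SERVER_NAME`, and the cross-subdomain redirect flow the example exists to demonstrate is no longer what gets tested. If a spare test domain exists, a dedicated variable keeps the test meaningful: `sed -i "s@auth.example.com@${TEST_DOMAIN1_AUTH}@g"`; if not, a comment stating that collapsing the two hosts is deliberate would help the next reader. As with the neighbouring lines, the dots in the pattern are unescaped and `${TEST_DOMAIN1}` is interpolated raw into the sed expression, so a value containing `@`, `&` or `\` would break the substitution — acceptable for a CI-controlled variable, but worth a note. `exec_docker_example` starts above the hunk.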