Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'dev' into dependabot/github_actions/dev/docker/build-push-action-4

Browse source
This commit is contained in:
Théophile Diot 2023-08-21 11:44:12 -04:00 committed by GitHub
commit 0b93916a37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2704 changed files with 42197 additions and 237928 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/container-build.yml vendored
View file

@ -50,6 +50,9 @@ jobs:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Replace VERSION
if: inputs.RELEASE == 'testing'
run: ./misc/update-version.sh testing
- name: Setup SSH for ARM node
if: inputs.CACHE_SUFFIX == 'arm'
run: |

2
.github/workflows/create-arm.yml vendored
View file

@ -39,7 +39,7 @@ jobs:
id: scw
uses: scaleway/action-scw@bbcfd65cd2af73456ce439088e0d42c1657c4c38
with:
args: instance server create zone=fr-par-2 type=AMP2-C60 root-volume=block:50GB
args: instance server create zone=fr-par-2 type=AMP2-C48 root-volume=block:50GB
save-config: true
version: v2.13.0
access-key: ${{ secrets.SCW_ACCESS_KEY }}

29
.github/workflows/dev.yml vendored
View file

@ -7,7 +7,6 @@ on:
branches: [dev]
jobs:
# Containers
build-containers:
strategy:
@ -25,6 +24,7 @@ jobs:
uses: ./.github/workflows/container-build.yml
with:
RELEASE: dev
CACHE: true
ARCH: linux/amd64
IMAGE: ${{ matrix.image }}
DOCKERFILE: ${{ matrix.dockerfile }}
@ -93,4 +93,29 @@ jobs:
RELEASE: dev
secrets:
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Push with dev tag
push-dev:
needs: [tests-ui, tests-core]
runs-on: ubuntu-latest
steps:
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Push BW image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:dev && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:dev bunkerity/bunkerweb:dev && docker push bunkerity/bunkerweb:dev
- name: Push scheduler image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:dev && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:dev bunkerity/bunkerweb-scheduler:dev && docker push bunkerity/bunkerweb-scheduler:dev
- name: Push UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:dev && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:dev bunkerity/bunkerweb-ui:dev && docker push bunkerity/bunkerweb-ui:dev
- name: Push autoconf image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:dev && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:dev bunkerity/bunkerweb-autoconf:dev && docker push bunkerity/bunkerweb-autoconf:dev

15
.github/workflows/linux-build.yml vendored
View file

@ -42,6 +42,9 @@ jobs:
# Prepare
- name: Checkout source code
uses: actions/checkout@v3
- name: Replace VERSION
if: inputs.RELEASE == 'testing'
run: ./misc/update-version.sh testing
- name: Extract arch
run : |
echo "ARCH=${{ env.PLATFORMS }}" | sed 's/linux//g' | sed 's@/@@g' >> "$GITHUB_ENV"
@ -90,9 +93,9 @@ jobs:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
# Build staging package image
# Build testing package image
- name: Build package image
if: inputs.RELEASE == 'staging'
if: inputs.RELEASE == 'testing'
uses: docker/build-push-action@v4
with:
context: .
@ -100,11 +103,11 @@ jobs:
file: src/linux/Dockerfile-${{ inputs.LINUX }}
platforms: ${{ inputs.PLATFORMS }}
tags: local/bunkerweb-${{ inputs.LINUX }}:latest
cache-from: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-staging
cache-to: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-staging,mode=min
# Build non-staging package image
cache-from: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-testing
cache-to: type=registry,ref=bunkerity/cache:${{ inputs.LINUX }}-testing,mode=min
# Build non-testing package image
- name: Build package image
if: inputs.RELEASE != 'staging'
if: inputs.RELEASE != 'testing'
uses: docker/build-push-action@v4
with:
context: .

3
.github/workflows/push-doc.yml vendored
View file

@ -22,6 +22,9 @@ jobs:
with:
fetch-depth: 0
token: ${{ secrets.BUNKERBOT_TOKEN }}
- name: Replace VERSION
if: inputs.VERSION == 'testing'
run: ./misc/update-version.sh testing
- name: Setup git user
run: |
git config --global user.name "BunkerBot"

33
.github/workflows/push-github.yml vendored
View file

@ -18,18 +18,29 @@ jobs:
- uses: actions/checkout@v3
# Get PDF doc
- name: Get documentation
if: inputs.VERSION != 'testing'
uses: actions/download-artifact@v3
with:
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
# Create tag
- uses: rickstaa/action-create-tag@v1
name: Create tag
if: inputs.VERSION != 'testing'
with:
tag: "v${{ inputs.VERSION }}"
message: "v${{ inputs.VERSION }}"
force_push_tag: true
# Create tag
- uses: rickstaa/action-create-tag@v1
name: Create tag
if: inputs.VERSION == 'testing'
with:
tag: "${{ inputs.VERSION }}"
message: "${{ inputs.VERSION }}"
force_push_tag: true
# Extract changelog
- name: Extract changelog
if: inputs.VERSION != 'testing'
id: getchangelog
run: |
content=$(awk -v n=2 '/##/{n--}; n > 0' CHANGELOG.md | grep -v '# Changelog' | grep -v '##' | sed '/^$/d')
@ -39,6 +50,7 @@ jobs:
echo "::set-output name=content::$content"
# Create release
- name: Create release
if: inputs.VERSION != 'testing'
uses: softprops/action-gh-release@v1
with:
body: |
@ -60,4 +72,25 @@ jobs:
tag_name: v${{ inputs.VERSION }}
discussion_category_name: Announcements
files: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
# Create release
- name: Create release
if: inputs.VERSION == 'testing'
uses: softprops/action-gh-release@v1
with:
body: |
**The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
Docker tags :
- `bunkerity/bunkerweb:${{ inputs.VERSION }}`
- `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
- `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
- `bunkerity/bunkerweb-ui:${{ inputs.VERSION }}`
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
draft: false
prerelease: ${{ inputs.PRERELEASE }}
name: Testing
tag_name: ${{ inputs.VERSION }}

4
.github/workflows/push-packagecloud.yml vendored
View file

@ -64,6 +64,10 @@ jobs:
continue-on-error: true
env:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# Update name
# - name: Rename package
# if: inputs.BW_VERSION == 'testing'
# run: sudo apt install -y rename && rename 's/[0-9]\.[0-9]\.[0-9]/testing/' /tmp/${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
# Push package
- name: Push package to packagecloud
uses: danielmundi/upload-packagecloud@v1

18
.github/workflows/staging-tests.yml vendored
View file

@ -33,13 +33,13 @@ jobs:
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Pull BW image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:staging local/bunkerweb-tests:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing local/bunkerweb-tests:latest
if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
- name: Pull Scheduler image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:staging local/scheduler-tests:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing local/scheduler-tests:latest
if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
- name: Pull Autoconf image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:staging local/autoconf-tests:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing local/autoconf-tests:latest
if: contains(fromJSON('["autoconf", "swarm"]'), inputs.TYPE)
- name: Push images to local repo
run: docker tag local/bunkerweb-tests:latest 192.168.42.100:5000/bunkerweb-tests:latest && docker push 192.168.42.100:5000/bunkerweb-tests:latest && docker tag local/scheduler-tests:latest 192.168.42.100:5000/scheduler-tests:latest && docker push 192.168.42.100:5000/scheduler-tests:latest && docker tag local/autoconf-tests:latest 192.168.42.100:5000/autoconf-tests:latest && docker push 192.168.42.100:5000/autoconf-tests:latest
@ -59,19 +59,19 @@ jobs:
if: inputs.TYPE == 'k8s'
- name: Pull BW linux ubuntu test image
if: inputs.TYPE == 'linux'
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:staging local/ubuntu:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ubuntu-tests:testing local/ubuntu:latest
- name: Pull BW linux debian test image
if: inputs.TYPE == 'linux'
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:staging local/debian:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/debian-tests:testing local/debian:latest
# - name: Pull BW linux centos test image
# if: inputs.TYPE == 'linux'
# run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:staging local/centos:latest
# run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/centos-tests:testing local/centos:latest
- name: Pull BW linux fedora test image
if: inputs.TYPE == 'linux'
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:staging local/fedora:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/fedora-tests:testing local/fedora:latest
- name: Pull BW linux rhel test image
if: inputs.TYPE == 'linux'
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:staging && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:staging local/rhel:latest
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/rhel-tests:testing local/rhel:latest
# Do tests
- name: Run tests
if: inputs.TYPE == 'docker'
@ -99,7 +99,7 @@ jobs:
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
KUBECONFIG: "/tmp/k8s/kubeconfig"
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
IMAGE_TAG: "staging"
IMAGE_TAG: "testing"
- name: Run Linux ubuntu tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu"

114
.github/workflows/staging.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
dockerfile: src/ui/Dockerfile
uses: ./.github/workflows/container-build.yml
with:
RELEASE: staging
RELEASE: testing
ARCH: linux/amd64
CACHE: true
PUSH: true
@ -52,7 +52,7 @@ jobs:
package: rpm
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: staging
RELEASE: testing
LINUX: ${{ matrix.linux }}
PACKAGE: ${{ matrix.package }}
TEST: true
@ -125,7 +125,7 @@ jobs:
needs: [create-infras]
uses: ./.github/workflows/tests-ui.yml
with:
RELEASE: staging
RELEASE: testing
secrets:
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
@ -150,7 +150,7 @@ jobs:
uses: ./.github/workflows/test-core.yml
with:
TEST: ${{ matrix.test }}
RELEASE: staging
RELEASE: testing
secrets:
PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
@ -166,4 +166,108 @@ jobs:
with:
TYPE: ${{ matrix.type }}
secrets:
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
# Push Docker images
push-images:
needs: [staging-tests, tests-ui, tests-core]
runs-on: ubuntu-latest
steps:
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to private repository
uses: docker/login-action@v2
with:
registry: ${{ secrets.PRIVATE_REGISTRY }}
username: registry
password: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
- name: Push BW image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:testing bunkerity/bunkerweb:testing && docker push bunkerity/bunkerweb:testing
- name: Push scheduler image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:testing bunkerity/bunkerweb-scheduler:testing && docker push bunkerity/bunkerweb-scheduler:testing
- name: Push UI image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/ui-tests:testing bunkerity/bunkerweb-ui:testing && docker push bunkerity/bunkerweb-ui:testing
- name: Push autoconf image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/autoconf-tests:testing bunkerity/bunkerweb-autoconf:testing && docker push bunkerity/bunkerweb-autoconf:testing
# Push Linux packages
push-packages:
needs: [staging-tests, tests-ui, tests-core]
strategy:
matrix:
linux: [ubuntu, debian, fedora, el]
arch: [amd64]
include:
- release: testing
repo: bunkerweb
- linux: ubuntu
separator: _
suffix: ""
version: jammy
package: deb
- linux: debian
separator: _
suffix: ""
version: bullseye
package: deb
- linux: fedora
separator: "-"
suffix: "1."
version: 38
package: rpm
- linux: el
separator: "-"
suffix: "1."
version: 8
package: rpm
- linux: ubuntu
arch: amd64
package_arch: amd64
- linux: debian
arch: amd64
package_arch: amd64
- linux: fedora
arch: amd64
package_arch: x86_64
- linux: el
arch: amd64
package_arch: x86_64
uses: ./.github/workflows/push-packagecloud.yml
with:
SEPARATOR: ${{ matrix.separator }}
SUFFIX: ${{ matrix.suffix }}
REPO: ${{ matrix.repo }}
LINUX: ${{ matrix.linux }}
VERSION: ${{ matrix.version }}
PACKAGE: ${{ matrix.package }}
BW_VERSION: ${{ matrix.release }}
PACKAGE_ARCH: ${{ matrix.package_arch }}
ARCH: ${{ matrix.arch }}
secrets:
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
# Push doc
push-doc:
needs: [push-images, push-packages]
permissions:
contents: write
uses: ./.github/workflows/push-doc.yml
with:
VERSION: testing
ALIAS: unstable
secrets:
BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
# Push on GH
push-gh:
needs: [push-doc]
permissions:
contents: write
discussions: write
uses: ./.github/workflows/push-github.yml
with:
VERSION: testing
PRERELEASE: true

7
.github/workflows/test-core.yml vendored
View file

@ -31,10 +31,15 @@ jobs:
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:${{ inputs.RELEASE }} && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-tests:${{ inputs.RELEASE }} bunkerweb-tests
- name: Pull Scheduler image
run: docker pull ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:${{ inputs.RELEASE }} && docker tag ${{ secrets.PRIVATE_REGISTRY }}/infra/scheduler-tests:${{ inputs.RELEASE }} scheduler-tests
# Temp fix "is not connected to the network" until compose v2.19.1 is available
- name: Downgrade compose
run: |
sudo apt update
sudo apt install -y --allow-downgrades moby-compose=2.18.1+azure-ubuntu22.04u2
# Run test
- name: Run test
run: |
cd ./tests/core/${{ inputs.TEST }}
find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb:.*@bunkerweb-tests@" {} \;
find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb-scheduler:.*@scheduler-tests@" {} \;
./test.sh
./test.sh

59
CHANGELOG.md
View file

@ -1,5 +1,64 @@
# Changelog
## v1.5.1 - 2023/08/08
- [BUGFIX] New version checker in logs displays "404 not found"
- [BUGFIX] New version checker in UI
- [BUGFIX] Only get the right keys from plugin.json files when importing plugins
- [BUGFIX] Remove external resources for Google fonts in UI
- [BUGFIX] Support multiple plugin uploads in one zip when using the UI
- [BUGFIX] Variable being ignored instead of saved in the database when value is empty
- [BUGFIX] ALLOWED_METHODS regex working with LOCK/UNLOCK methods
- [BUGFIX] Custom certificate bug after the refactoring
- [BUGFIX] Wrong variables in header phase (fix CORS feature too)
- [BUGFIX] UI not working in Ubuntu (python zope module)
- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
- [BUGFIX] Custom configurations from env were not being deleted properly
- [BUGFIX] Missing concepts image not displayed in the documentation
- [BUGFIX] Scheduler not picking up new instances IPs in autoconf modes
- [BUGFIX] Autoconf deadlock in k8s
- [BUGFIX] Missing HTTP and HTTPS ports for temp nginx
- [BUGFIX] Infinite loop when sessions is not valid
- [BUGFIX] Missing valid LE certificates in edge cases
- [BUGFIX] Wrong service namespace in k8s
- [BUGFIX] DNS_RESOLVERS regex not accepting hostnames
- [PERFORMANCE] Reduce CPU and RAM usage of scheduler
- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
- [FEATURE] Add Turnstile antibot mode
- [FEATURE] Add more CORS headers
- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
- [FEATURE] Add the possibility to download the different lists and plugins from a local file (like the blacklist)
- [FEATURE] External plugins can now be downloaded from a tar.gz and tar.xz file as well as zip
- [FEATURE] Add X-Forwarded-Prefix header when using reverse proxy
- [FEATURE] Add REDIRECT_TO_STATUS_CODE to choose status code 301 or 302 when redirecting
- [DOCUMENTATION] Add timezone information
- [DOCUMENTATION] Add timezone informat
- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
- [MISC] Temp remove VMWare provider for Vagrant integration
- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI
- [MISC] Move logs to /var/log/bunkerweb folder
- [MISC] Reduce "Got an error reading communication packets" warnings in mariadb/mysql
## v1.5.0 - 2023/05/23
- Refactoring of almost all the components of the project
- Dedicated scheduler service to manage jobs and configuration
- Store configuration in a database backend
- Improved web UI and make it working with all integrations
- Improved internal LUA code
- Improved internal cache of BW
- Add Redis support when using clustered integrations
- Add RHEL integration
- Add Vagrant integration
- Init support of generic TCP/UDP (stream)
- Init support of IPv6
- Improved CI/CD : UI tests, core tests and release automation
- Reduce Docker images size
- Fix and improved core plugins : antibot, cors, dnsbl, ...
- Use PCRE regex instead of LUA patterns
- Connectivity tests at startup/reload with logging
## v1.5.0-beta - 2023/05/02
- Refactoring of almost all the components of the project

99
README.md
View file

@ -1,5 +1,5 @@
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/misc/logo.png" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/misc/logo.png" />
</p>
<p align="center">
@ -17,7 +17,7 @@
&#124;
👨‍💻 <a href="https://demo.bunkerweb.io">Demo</a>
&#124;
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples">Examples</a>
🛡️ <a href="https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples">Examples</a>
&#124;
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
&#124;
@ -33,14 +33,14 @@
# BunkerWeb
<p align="center">
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/intro-overview.svg" />
<img alt="overview" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.0/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.1/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.0/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.0/plugins/)).
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.1/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.1/plugins/)).
## Why BunkerWeb ?
@ -64,12 +64,12 @@ A non-exhaustive list of security features :
- **Block known bad IPs** with external blacklists and DNSBL
- And much more ...
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.0/security-tuning/) section of the documentation.
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.1/security-tuning/) section of the documentation.
## Demo
<p align="center">
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://yt-embed.herokuapp.com/embed?v=ZhYV-QELzA4" /></a>
<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://img.youtube.com/vi/ZhYV-QELzA4/0.jpg" /></a>
</p>
A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
@ -77,10 +77,10 @@ A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](http
# Concepts
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/concepts.svg" />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.0/concepts).
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.1/concepts).
## Integrations
@ -88,13 +88,13 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
- [Docker](https://docs.bunkerweb.io/1.5.0/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.0/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.0/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.0/integrations/#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant)
- [Docker](https://docs.bunkerweb.io/1.5.1/integrations/#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.1/integrations/#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.1/integrations/#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.1/integrations/#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant)
## Settings
@ -126,7 +126,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.0/plugins)), you can use custom configurations to solve your specific challenges.
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.1/plugins)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
@ -160,7 +160,7 @@ In other words, the scheduler is the brain of BunkerWeb.
## Docker
<p align="center">
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-docker.svg" />
<img alt="Docker" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-docker.svg" />
</p>
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
@ -171,46 +171,46 @@ Docker integration key concepts are :
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.0/integrations/#docker) of the documentation.
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.1/integrations/#docker) of the documentation.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf) of the documentation.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf) of the documentation.
## Swarm
<p align="center">
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-swarm.svg" />
<img alt="Swarm" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.0/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.1/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.0/integrations/#swarm) of the documentation.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.1/integrations/#swarm) of the documentation.
## Kubernetes
<p align="center">
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.0/integrations/#kubernetes) of the documentation.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.1/integrations/#kubernetes) of the documentation.
## Linux
<p align="center">
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-linux.svg" />
<img alt="Linux" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros :
@ -222,12 +222,12 @@ List of supported Linux distros :
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.0/integrations/#linux) of the documentation.
You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.1/integrations/#linux) of the documentation.
## Ansible
<p align="center">
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.0/docs/assets/img/integration-ansible.svg" />
<img alt="Ansible" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.1/docs/assets/img/integration-ansible.svg" />
</p>
List of supported Linux distros :
@ -241,21 +241,20 @@ List of supported Linux distros :
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.0/integrations/#ansible) of the documentation.
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.1/integrations/#ansible) of the documentation.
## Vagrant
We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following providers :
- vmware_desktop
- virtualbox
- virtualbox
- libvirt
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.0/integrations/#vagrant) of the documentation.
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.1/integrations/#vagrant) of the documentation.
# Quickstart guide
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.0/quickstart-guide/) that will cover the following common use cases :
Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.1/quickstart-guide/) that will cover the following common use cases :
- Protecting a single HTTP application
- Protecting multiple HTTP application
@ -266,9 +265,9 @@ Once you have setup BunkerWeb with the integration of your choice, you can follo
# Security tuning
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.0/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.1/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.0/security-tuning) of the documentation.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.1/security-tuning) of the documentation.
# Settings
@ -278,7 +277,7 @@ As a general rule when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
Check the [settings section](https://docs.bunkerweb.io/1.5.0/settings) of the documentation to get the full list.
Check the [settings section](https://docs.bunkerweb.io/1.5.1/settings) of the documentation to get the full list.
# Web UI
@ -296,7 +295,7 @@ The "Web UI" is a web application that helps you manage your BunkerWeb instance
- Monitor jobs execution
- View the logs and search pattern
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.0/web-ui) of the documentation.
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.1/web-ui) of the documentation.
# Plugins
@ -304,15 +303,17 @@ BunkerWeb comes with a plugin system to make it possible to easily add new featu
Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 0.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 0.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 0.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 0.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 0.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.0/plugins) of the documentation.
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.1/plugins) of the documentation.
# Support
@ -340,12 +341,12 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.0/LICENSE.md).
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/tree/1.5.1/LICENSE.md).
# Contribute
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.0/CONTRIBUTING.md) to get started.
If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/tree/1.5.1/CONTRIBUTING.md) to get started.
# Security policy
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.0/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/tree/1.5.1/SECURITY.md) for more information.

2
SECURITY.md
View file

@ -4,7 +4,7 @@ Even though this project is focused on security, it is still prone to possible v
## Responsible disclosure
If you have found a security bug, please send us an email at security \[@\] bunkerity.com with technical details so we can resolve it as soon as possible.
If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.
Here is a non-exhaustive list of issues we consider as high risk :
- Vulnerability in the code

1
docs/assets/img/bunkerweb_db.svg Normal file
View file

File diff suppressed because one or more lines are too long
Side by side

After

Width:  |  Height:  |  Size: 38 KiB

82
docs/concepts.md
View file

@ -1,7 +1,7 @@
# Concepts
<figure markdown>
![Overwiew](assets/img/concepts.svg){ align=center }
![Overwiew](assets/img/concepts.svg){ align=center, width="600" }
</figure>
## Integrations
@ -52,17 +52,19 @@ USE_BROTLI=no
## Multisite mode
The multisite mode is a crucial concept to understand when using BunkerWeb. Because the goal is to protect web applications, our solution is intrinsically linked to the concept of "virtual host" or "vhost" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)) which makes it possible to serve multiple web applications from a single (or a cluster of) instance.
Understanding the multisite mode is essential when utilizing BunkerWeb. As our primary focus is safeguarding web applications, our solution is intricately linked to the concept of "virtual hosts" or "vhosts" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)). These virtual hosts enable the serving of multiple web applications from a single instance or cluster.
By default, the multisite mode of BunkerWeb is disabled which means that only one web application will be served and all the settings will be applied to it. The typical use case is having a single application to protect : you don't have to worry about the multisite and the default behavior should be the right one for you.
By default, BunkerWeb has the multisite mode disabled. This means that only one web application will be served, and all settings will be applied to it. This setup is ideal when you have a single application to protect, as you don't need to concern yourself with multisite configurations.
When multisite mode is enabled, BunkerWeb serves and protects multiple web applications. Each web application is identified by a unique server name and have its own set of settings. The typical use case is having multiple applications to protect and you want to use a single (or a cluster depending of the integration) instance of BunkerWeb.
However, when the multisite mode is enabled, BunkerWeb becomes capable of serving and protecting multiple web applications. Each web application is identified by a unique server name and has its own set of settings. This mode proves beneficial when you have multiple applications to secure, and you prefer to utilize a single instance (or a cluster) of BunkerWeb.
The multisite mode is controlled by the `MULTISITE` setting which can be set to `yes` (enabled) or `no` (disabled, which is the default).
The activation of the multisite mode is controlled by the `MULTISITE` setting, which can be set to `yes` to enable it or `no` to keep it disabled (which is the default value).
Each setting has a context that defines "where" it can be applied. If the context is global then the setting can't be set per server (or "per site", "per app") but only to the whole configuration. Otherwise, if the context is multisite, the setting can be set globally and per server. Defining a multisite setting to a specific server is done by adding the server name as a prefix of the setting name like `app1.example.com_AUTO_LETS_ENCRYPT` or `app2.example.com_USE_ANTIBOT` for example. When a multisite setting is defined globally (without any server prefix), all the servers will inherit that setting (but can still be overridden if we set the same setting with the server name prefix).
Each setting within BunkerWeb has a specific context that determines where it can be applied. If the context is set to "global," the setting can't be applied per server or site but is instead applied to the entire configuration as a whole. On the other hand, if the context is "multisite," the setting can be applied globally and per server. To define a multisite setting for a specific server, simply add the server name as a prefix to the setting name. For example, `app1.example.com_AUTO_LETS_ENCRYPT` or `app2.example.com_USE_ANTIBOT` are examples of setting names with server name prefixes. When a multisite setting is defined globally without a server prefix, all servers inherit that setting. However, individual servers can still override the setting if the same setting is defined with a server name prefix.
Here is a dummy example of a multisite BunkerWeb configuration :
Understanding the intricacies of multisite mode and its associated settings allows you to tailor BunkerWeb's behavior to suit your specific requirements, ensuring optimal protection for your web applications.
Here's a dummy example of a multisite BunkerWeb configuration :
```conf
MULTISITE=yes
@ -79,48 +81,66 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "Going further"
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](plugins.md)), you can use custom configurations to solve your specific challenges.
To address unique challenges and cater to specific use cases, BunkerWeb offers the flexibility of custom configurations. While the provided settings and [external plugins](plugins.md) cover a wide range of scenarios, there may be situations that require additional customization.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
BunkerWeb is built on the renowned NGINX web server, which provides a powerful configuration system. This means you can leverage NGINX's configuration capabilities to meet your specific needs. Custom NGINX configurations can be included in various [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) such as HTTP or server, allowing you to fine-tune the behavior of BunkerWeb according to your requirements. Whether you need to customize global settings or apply configurations to specific server blocks, BunkerWeb empowers you to optimize its behavior to align perfectly with your use case.
Another core component of BunkerWeb is the ModSecurity Web Application Firewall : you can also use custom configurations to fix some false positives or add custom rules for example.
Another integral component of BunkerWeb is the ModSecurity Web Application Firewall. With custom configurations, you have the flexibility to address false positives or add custom rules to further enhance the protection provided by ModSecurity. These custom configurations allow you to fine-tune the behavior of the firewall and ensure that it aligns with the specific requirements of your web applications.
By leveraging custom configurations, you unlock a world of possibilities to tailor BunkerWeb's behavior and security measures precisely to your needs. Whether it's adjusting NGINX configurations or fine-tuning ModSecurity, BunkerWeb provides the flexibility to meet your unique challenges effectively.
!!! info "Going further"
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) directory of the repository.
You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) directory of the repository.
## Database
State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
BunkerWeb securely stores its current configuration in a backend database, which contains essential data for smooth operation. The following information is stored in the database:
- Settings defined for all the services
- Custom configurations
- BunkerWeb instances
- Metadata about jobs execution
- Cached files
- **Settings for all services**: The database holds the defined settings for all the services provided by BunkerWeb. This ensures that your configurations and preferences are preserved and readily accessible.
Under the hood, when you edit a setting or add a new configuration, everything is stored in the database. We actually support SQLite, MariaDB, MySQL and PostgreSQL as backends.
- **Custom configurations**: Any custom configurations you create are also stored in the backend database. This includes personalized settings and modifications tailored to your specific requirements.
Database configuration is done by using the `DATABASE_URI` setting which respects the following formats :
- **BunkerWeb instances**: Information about BunkerWeb instances, including their setup and relevant details, is stored in the database. This allows for easy management and monitoring of multiple instances if applicable.
- SQLite : `sqlite:///var/lib/bunkerweb/db.sqlite3`
- MariaDB : `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
- MySQL : `mysql+pymysql://bunkerweb:changeme@bw-db:3306/db`
- PostgreSQL : `postgresql://bunkerweb:changeme@bw-db:5432/db`
- **Metadata about job execution**: The database stores metadata related to the execution of various jobs within BunkerWeb. This includes information about scheduled tasks, maintenance processes, and other automated activities.
- **Cached files**: BunkerWeb utilizes caching mechanisms for improved performance. The database holds cached files, ensuring efficient retrieval and delivery of frequently accessed resources.
Under the hood, whenever you edit a setting or add a new configuration, BunkerWeb automatically stores the changes in the database, ensuring data persistence and consistency. BunkerWeb supports multiple backend database options, including SQLite, MariaDB, MySQL, and PostgreSQL.
Configuring the database is straightforward using the `DATABASE_URI` setting, which follows the specified formats for each supported database:
- **SQLite**: `sqlite:///var/lib/bunkerweb/db.sqlite3`
- **MariaDB**: `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
- **MySQL**: `mysql+pymysql://bunkerweb:changeme@bw-db:3306/db`
- **PostgreSQL**: `postgresql://bunkerweb:changeme@bw-db:5432/db`
By specifying the appropriate database URI in the configuration, you can seamlessly integrate BunkerWeb with your preferred database backend, ensuring efficient and reliable storage of your configuration data.
<figure markdown>
![Overview](assets/img/bunkerweb_db.svg){ align=center, width="800" }
<figcaption>Database Schema</figcaption>
</figure>
## Scheduler
To make things automagically work together, a dedicated service called the scheduler is in charge of :
For seamless coordination and automation, BunkerWeb employs a specialized service known as the scheduler. The scheduler plays a vital role in ensuring smooth operation by performing the following tasks:
- Storing the settings and custom configurations inside the database
- Executing various tasks (called jobs)
- Generating a configuration which is understood by BunkerWeb
- Being the intermediary for other services (like web UI or autoconf)
- **Storing settings and custom configurations**: The scheduler is responsible for storing all the settings and custom configurations within the backend database. This centralizes the configuration data, making it easily accessible and manageable.
In other words, the scheduler is the brain of BunkerWeb.
- **Executing various tasks (jobs)**: The scheduler handles the execution of various tasks, referred to as jobs. These jobs encompass a range of activities, such as periodic maintenance, scheduled updates, or any other automated tasks required by BunkerWeb.
When using container-based integrations, the scheduler is executed in its own container. Whereas, for linux-based integrations scheduler is self-contained in the `bunkerweb` service.
- **Generating BunkerWeb configuration**: The scheduler generates a configuration that is readily understood by BunkerWeb. This configuration is derived from the stored settings and custom configurations, ensuring that the entire system operates cohesively.
- **Acting as an intermediary for other services**: The scheduler acts as an intermediary, facilitating communication and coordination between different components of BunkerWeb. It interfaces with services such as the web UI or autoconf, ensuring a seamless flow of information and data exchange.
In essence, the scheduler serves as the brain of BunkerWeb, orchestrating various operations and ensuring the smooth functioning of the system.
Depending on the integration approach, the execution environment of the scheduler may differ. In container-based integrations, the scheduler is executed within its dedicated container, providing isolation and flexibility. On the other hand, for Linux-based integrations, the scheduler is self-contained within the bunkerweb service, simplifying the deployment and management process.
By employing the scheduler, BunkerWeb streamlines the automation and coordination of essential tasks, enabling efficient and reliable operation of the entire system.

59
docs/index.md
View file

@ -7,35 +7,56 @@
<figcaption>Make your web services secure by default !</figcaption>
</figure>
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
Introducing BunkerWeb, the **cutting-edge** and **open-source Web Application Firewall** (WAF) that will revolutionize your web security experience.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](integrations.md#linux), [Docker](integrations.md#docker), [Swarm](integrations.md#swarm), [Kubernetes](integrations.md#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](web-ui.md) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
With BunkerWeb, your web services are safeguarded by default, providing you with peace of mind and enhanced protection. Powered by [NGINX](https://nginx.org/), this comprehensive web server combines advanced features seamlessly, ensuring your online assets remain secure.
BunkerWeb effortlessly integrates into your existing environments, whether it's [Linux](integrations.md#linux), [Docker](integrations.md#docker), [Swarm](integrations.md#swarm), [Kubernetes](integrations.md#kubernetes), or more. Its versatility allows for easy configuration to suit your specific requirements. Don't worry if you prefer a user-friendly interface—BunkerWeb offers an exceptional [web UI](web-ui.md) alongside the command-line interface (CLI), ensuring accessibility for all users.
Experience the transformation in cybersecurity, where complexities and obstacles are a thing of the past. With BunkerWeb, fortifying your digital assets has never been more delightful and hassle-free.
Furthermore, BunkerWeb boasts a comprehensive set of primary [security features](security-tuning.md) at its core. However, what sets it apart is its remarkable flexibility through an intuitive [plugin system](plugins.md). This ingenious design empowers you to effortlessly enhance BunkerWeb with additional security measures, ensuring a tailored and robust defense for your web applications.
By seamlessly integrating new plugins into BunkerWeb, you can customize and expand its capabilities to address specific security requirements unique to your environment. Whether you need to strengthen authentication protocols, bolster threat detection, or implement specialized security measures, BunkerWeb's [plugin system](plugins.md) grants you the freedom to fortify your web infrastructure with ease.
With BunkerWeb's dynamic [plugin system](plugins.md), security becomes an enjoyable journey of exploration and empowerment. Discover the endless possibilities and create a fortified web environment that perfectly aligns with your needs.
BunkerWeb contains primary [security features](security-tuning.md) as part of the core but can be easily extended with additional ones thanks to a [plugin system](plugins.md)).
## Why BunkerWeb ?
- **Easy integration into existing environments** : support for Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, ...
- **Highly customizable** : enable, disable and configure features easily to meet your use case
- **Secure by default** : offers out-of-the-box and hassle-free minimal security for your web services
- **Awesome web UI** : keep control of everything more efficiently without the need of the CLI
- **Plugin system** : extend BunkerWeb to meet your own use-cases
- **Free as in "freedom"** : licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html)
- **Easy integration into existing environments** : Seamlessly integrate BunkerWeb into various environments such as Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, and more. Enjoy a smooth transition and hassle-free implementation.
- **Highly customizable** : Tailor BunkerWeb to your specific requirements with ease. Enable, disable, and configure features effortlessly, allowing you to customize the security settings according to your unique use case.
- **Secure by default** : BunkerWeb provides out-of-the-box, hassle-free minimal security for your web services. Experience peace of mind and enhanced protection right from the start.
- **Awesome web UI** : Take control of BunkerWeb more efficiently with the exceptional web user interface (UI). Navigate settings and configurations effortlessly through a user-friendly graphical interface, eliminating the need for the command-line interface (CLI).
- **Plugin system** : Extend the capabilities of BunkerWeb to meet your own use cases. Seamlessly integrate additional security measures and customize the functionality of BunkerWeb according to your specific requirements.
- **Free as in "freedom"** : BunkerWeb is licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html), embracing the principles of freedom and openness. Enjoy the freedom to use, modify, and distribute the software, backed by a supportive community.
## Security features
A non-exhaustive list of security features :
Explore the impressive array of security features offered by BunkerWeb. While not exhaustive, here are some notable highlights:
- **HTTPS** support with transparent **Let's Encrypt** automation
- **State-of-the-art web security** : HTTP security headers, prevent leaks, TLS hardening, ...
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set**
- **Automatic ban** of strange behaviors based on HTTP status code
- Apply **connections and requests limit** for clients
- **Block bots** by asking them to solve a **challenge** (e.g. : cookie, javascript, captcha, hCaptcha or reCAPTCHA)
- **Block known bad IPs** with external blacklists and DNSBL
- And much more ...
- **HTTPS** support with transparent **Let's Encrypt** automation : Easily secure your web services with automated Let's Encrypt integration, ensuring encrypted communication between clients and your server.
Learn more about the core security features in the [security tuning](security-tuning.md) section of the documentation.
- **State-of-the-art web security** : Benefit from cutting-edge web security measures, including comprehensive HTTP security headers, prevention of data leaks, and TLS hardening techniques.
- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set** : Enjoy enhanced protection against web application attacks with the integration of ModSecurity, fortified by the renowned OWASP Core Rule Set.
- **Automatic ban** of strange behaviors based on HTTP status code : BunkerWeb intelligently identifies and blocks suspicious activities by automatically banning behaviors that trigger abnormal HTTP status codes.
- Apply **connections and requests limit** for clients : Set limits on the number of connections and requests from clients, preventing resource exhaustion and ensuring fair usage of server resources.
- **Block bots** with **challenge-based verification** : Keep malicious bots at bay by challenging them to solve puzzles such as cookies, JavaScript tests, captcha, hCaptcha, reCAPTCHA or Turnstile, effectively blocking unauthorized access.
- **Block known bad IPs** with external blacklists and DNSBL : Utilize external blacklists and DNS-based blackhole lists (DNSBL) to proactively block known malicious IP addresses, bolstering your defense against potential threats.
- **And much more...** : BunkerWeb is packed with a plethora of additional security features that go beyond this list, providing you with comprehensive protection and peace of mind.
To delve deeper into the core security features, we invite you to explore the [security tuning](security-tuning.md) section of the documentation. Discover how BunkerWeb empowers you to fine-tune and optimize security measures according to your specific needs.
## Demo

365
docs/integrations.md
View file

@ -7,15 +7,28 @@
<figcaption>Docker integration</figcaption>
</figure>
Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and easy way to test and use it as long as you are familiar with the Docker technology.
Utilizing BunkerWeb as a [Docker](https://www.docker.com/) container offers a convenient and straightforward approach for testing and utilizing the solution, particularly if you are already familiar with Docker technology.
We provide ready-to-use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
To facilitate your Docker deployment, we provide readily available prebuilt images on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb), supporting multiple architectures. These prebuilt images are optimized and prepared for use on the following architectures:
- x64 (64-bit)
- x86
- armv8 (ARM 64-bit)
- armv7 (ARM 32-bit)
By accessing these prebuilt images from Docker Hub, you can quickly pull and run BunkerWeb within your Docker environment, eliminating the need for extensive configuration or setup processes. This streamlined approach allows you to focus on leveraging the capabilities of BunkerWeb without unnecessary complexities.
Whether you're conducting tests, developing applications, or deploying BunkerWeb in production, the Docker containerization option provides flexibility and ease of use. Embracing this method empowers you to take full advantage of BunkerWeb's features while leveraging the benefits of Docker technology.
```shell
docker pull bunkerity/bunkerweb:1.5.0
docker pull bunkerity/bunkerweb:1.5.1
```
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (and get a coffee ☕ because it may take a long time depending on your hardware) :
Alternatively, if you prefer a more hands-on approach, you have the option to build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb). Building the image from source gives you greater control and customization over the deployment process. However, please note that this method may take some time to complete, depending on your hardware configuration.
While the image is being built, you can take a moment to relax and enjoy a cup of coffee ☕, as the process may require some patience. Once the image is successfully built, you can proceed to deploy and utilize BunkerWeb within your Docker environment. This method allows you to tailor the image to your specific requirements and ensures a more personalized deployment of BunkerWeb.
So, whether you choose to use the ready-to-use prebuilt images or embark on the journey of building the image from source, BunkerWeb in Docker provides you with the flexibility and options to seamlessly integrate it into your environment.
```shell
git clone https://github.com/bunkerity/bunkerweb.git && \
@ -29,8 +42,16 @@ Docker integration key concepts are :
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
When integrating BunkerWeb with Docker, there are key concepts to keep in mind, ensuring a smooth and efficient deployment:
- **Environment variables**: BunkerWeb can be easily configured using environment variables. These variables allow you to customize various aspects of BunkerWeb's behavior, such as network settings, security options, and other parameters.
- **Scheduler container**: To effectively manage the configuration and execution of jobs, BunkerWeb utilizes a dedicated container called the [scheduler](concepts.md#scheduler).
- **Networks**: Docker networks play a vital role in the integration of BunkerWeb. These networks serve two main purposes: exposing ports to clients and connecting to upstream web services. By exposing ports, BunkerWeb can accept incoming requests from clients, allowing them to access the protected web services. Additionally, by connecting to upstream web services, BunkerWeb can efficiently route and manage the traffic, providing enhanced security and performance.
!!! info "Database backend"
Please note that we assume you are using SQLite as database backend (which is the default for the `DATABASE_URI` setting). Other backends for this integration are still possible if you want to : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
Please be aware that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository for more information.
### Environment variables
@ -40,7 +61,7 @@ Settings are passed to BunkerWeb using Docker environment variables :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
labels:
- "bunkerweb.INSTANCE"
environment:
@ -59,7 +80,7 @@ Please note that the `bunkerweb.INSTANCE` is mandatory to make sure the schedule
The [scheduler](concepts.md#scheduler) is executed in its own container which is also available on Docker Hub :
```shell
docker pull bunkerity/bunkerweb-scheduler:1.5.0
docker pull bunkerity/bunkerweb-scheduler:1.5.1
```
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (less coffee ☕ needed than BunkerWeb image) :
@ -76,7 +97,7 @@ A volume is needed to store the SQLite database that will be used by the schedul
...
services:
mybunker:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- bw-data:/data
...
@ -85,7 +106,6 @@ volumes:
```
!!! warning "Using local folder for persistent data"
The scheduler runs as an **unprivileged user with UID 101 and GID 101** inside the container. The reason behind this is security : in case a vulnerability is exploited, the attacker won't have full root (UID/GID 0) privileges.
But there is a downside : if you use a **local folder for the persistent data**, you will need to **set the correct permissions** so the unprivileged user can write data to it. Something like that should do the trick :
@ -127,10 +147,11 @@ volumes:
When using Docker-based integrations, the scheduler will need to access the Docker API to get things working which is defined using the `DOCKER_HOST` environment variable.
!!! warning "Docker API access and security"
Due to Docker's limitations in supporting fine-grained authorizations, it's important to be aware of the potential security risks associated with accessing the API directly. Accessing the Docker API can pose a threat, as an attacker with API access can potentially obtain root privileges on the host machine. For more detailed information on this topic, we encourage you to refer to the provided link ([here](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)).
Since Docker doesn't support fine-grained authorizations, accessing the API poses a security risk. An attacker with access to the API can easily gain root privileges on the host machine (more info [here](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)).
To mitigate these risks, we strongly advise against directly mounting the socket file located at `/var/run/docker.sock` within the BunkerWeb container. Instead, we recommend employing an alternative approach that enhances security. One such approach involves using a "proxy" container, such as `tecnativa/docker-socket-proxy`, which acts as an intermediary and allows only necessary API calls.
We strongly recommend not to mount the socket file usually located at `/var/run/docker.sock` directly in the container. An alternative, which is described here, is to use a "proxy" container like [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) that will allow only the necessary API calls.
By adopting this proxy container strategy, you can establish a more secure communication channel with the Docker API, minimizing the potential attack surface and enhancing overall system security.
You will need to create the Docker API proxy container, mount the socket and set the `DOCKER_HOST` environment variable to use the Docker API proxy :
@ -138,16 +159,17 @@ You will need to create the Docker API proxy container, mount the socket and set
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
env:
- DOCKER_HOST=tcp://bw-docker:2375
...
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
...
```
@ -179,13 +201,13 @@ For defense in depth purposes, we strongly recommend to create at least three di
- `bw-universe` : for BunkerWeb and scheduler
- `bw-docker` : for scheduler and the Docker API proxy
The scheduler needs to contact the API of BunkerWeb and for obvious security reason BunkerWeb needs to check if the caller is authorized to make API calls. The `API_WHITELIST_IP` setting lets you choose allowed IP addresses and subnets, usage of a static subnet for the `bw-universe` is strongly advised :
To secure the communication between the scheduler and BunkerWeb API, it is important to authorize API calls. You can use the `API_WHITELIST_IP` setting to specify allowed IP addresses and subnets. It is strongly recommended to use a static subnet for the `bw-universe` network to enhance security. By implementing these measures, you can ensure that only authorized sources can access the BunkerWeb API, reducing the risk of unauthorized access or malicious activities:
```yaml
...
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -194,13 +216,13 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
networks:
- bw-universe
- bw-docker
...
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
networks:
- bw-docker
...
@ -224,7 +246,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -238,7 +260,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -251,11 +273,12 @@ services:
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -285,24 +308,28 @@ networks:
!!! info "Docker integration"
The Docker autoconf integration is an "evolution" of the Docker one. Please read the [Docker integration section](#docker) first if needed.
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
An alternative approach is available to address the inconvenience of recreating the container every time there is an update. By utilizing another image called **autoconf**, you can automate the real-time reconfiguration of BunkerWeb without the need for container recreation.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
To leverage this functionality, instead of defining environment variables for the BunkerWeb container, you can add **labels** to your web application containers. The **autoconf** image will then listen for Docker events and seamlessly handle the configuration updates for BunkerWeb.
This "automagical" process simplifies the management of BunkerWeb configurations. By adding labels to your web application containers, you can delegate the reconfiguration tasks to **autoconf** without the manual intervention of container recreation. This streamlines the update process and enhances convenience.
By adopting this approach, you can enjoy real-time reconfiguration of BunkerWeb without the hassle of container recreation, making it more efficient and user-friendly.
!!! info "Multisite mode"
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository for more information.
Another container, named `bw-autoconf` for example, containing the autoconf service must be added to the stack. Since two services will generate the configuration for BunkerWeb, a "real" database backend (in other words, not SQLite) also needs to be added :
To enable automated configuration updates, include an additional container called `bw-autoconf` in the stack. This container hosts the autoconf service, which manages dynamic configuration changes for BunkerWeb. To support this functionality, use a dedicated "real" database backend (e.g., MariaDB, MySQL, or PostgreSQL) for synchronized configuration storage. By integrating `bw-autoconf` and a suitable database backend, you establish the infrastructure for seamless automated configuration management in BunkerWeb.
```yaml
version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -319,7 +346,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -332,7 +359,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -345,11 +372,12 @@ services:
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -381,6 +409,9 @@ networks:
name: bw-docker
```
!!! info "Database in the `bw-docker` network"
The database container is intentionally not included in the `bw-universe` network. It is used by the `bw-autoconf` and `bw-scheduler` containers rather than directly by BunkerWeb. Therefore, the database container is part of the `bw-docker` network, which enhances security by making external access to the database more challenging. This deliberate design choice helps safeguard the database and strengthens the overall security perspective of the system.
!!! warning "Using Docker in rootless mode"
If you are using [Docker in rootless mode](https://docs.docker.com/engine/security/rootless), you will need to replace the mount of the docker socket with the following value : `$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro`.
@ -416,18 +447,20 @@ networks:
!!! info "Docker autoconf"
The Swarm integration is similar to the Docker autoconf one (but with services instead of containers). Please read the [Docker autoconf integration section](#docker-autoconf) first if needed.
To automatically configure BunkerWeb instances, a special service called **autoconf** needs to have access to the Docker API. That service will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime. It also monitors other Swarm objects like [configs](https://docs.docker.com/engine/swarm/configs/) for custom configurations.
To enable automatic configuration of BunkerWeb instances, the **autoconf** service requires access to the Docker API. This service listens for Docker Swarm events, such as service creation or deletion, and seamlessly configures the **BunkerWeb instances** in real-time without any downtime. It also monitors other Swarm objects, such as [configs](https://docs.docker.com/engine/swarm/configs/), for custom configurations.
Like the [Docker autoconf integration](#docker-autoconf), configuration for web services is defined by using labels starting with the special **bunkerweb.** prefix.
Similar to the [Docker autoconf integration](#docker-autoconf), configuration for web services is defined using labels that start with the **bunkerweb** prefix.
The recommended setup is to schedule the **BunkerWeb service** as a **global service** on all nodes and the **autoconf, scheduler and Docker API proxy services** as **single replicated services**. Please note that the **Docker API proxy service** needs to be scheduled on a manager node unless you configure it to use a remote API (which is not covered in the documentation).
For an optimal setup, it is recommended to schedule the **BunkerWeb service** as a ***global service*** on all nodes, while the **autoconf, scheduler, and Docker API proxy services** should be scheduled as ***single replicated services***. Please note that the Docker API proxy service needs to be scheduled on a manager node unless you configure it to use a remote API (which is not covered in the documentation).
Since we have multiple instances of BunkerWeb running, a shared data store implemented as a [Redis](https://redis.io/) service must be created : the instances will use it to cache and share data. You will find more information about the Redis settings [here](settings.md#redis)
Since multiple instances of BunkerWeb are running, a shared data store implemented as a [Redis](https://redis.io/) service must be created. These instances will utilize the Redis service to cache and share data. Further details regarding the Redis settings can be found [here](settings.md#redis).
Using a shared folder or a specific driver for the database volume is left as an exercise for the reader (and depends on your own use-case).
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
@ -436,7 +469,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -466,7 +499,7 @@ services:
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -480,7 +513,7 @@ services:
- "node.role == worker"
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
@ -489,6 +522,7 @@ services:
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
@ -497,7 +531,7 @@ services:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -556,7 +590,8 @@ networks:
attachable: true
```
Please note that the `SWARM_MODE=yes` environment variable is mandatory when using the Swarm integration.
!!! info "Swarm mandatory setting"
Please note that the `SWARM_MODE=yes` environment variable is mandatory when using the Swarm integration.
Once the BunkerWeb Swarm stack is set up and running (see autoconf and scheduler logs for more information), you will be able to deploy web applications in the cluster and use labels to dynamically configure BunkerWeb :
@ -589,20 +624,22 @@ networks:
<figcaption>Kubernetes integration</figcaption>
</figure>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
To automate the configuration of BunkerWeb instances in a Kubernetes environment, the autoconf service serves as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). It configures the BunkerWeb instances based on [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/) and also monitors other Kubernetes objects, such as [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/), for custom configurations.
The recommended setup is to define **BunkerWeb** as a **[DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)** which will create a pod on all nodes and the **autoconf and scheduler** as **single replicated [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)**.
For an optimal setup, it is recommended to define BunkerWeb as a **[DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)**, which ensures that a pod is created on all nodes, while the **autoconf and scheduler** are defined as **single replicated [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)**.
Since we have multiple instances of BunkerWeb running, a shared data store implemented as a [Redis](https://redis.io/) service must be created : the instances will use it to cache and share data. You will find more information about the Redis settings [here](settings.md#redis)
Given the presence of multiple BunkerWeb instances, it is necessary to establish a shared data store implemented as a [Redis](https://redis.io/) service. This Redis service will be utilized by the instances to cache and share data among themselves. Further information about the Redis settings can be found [here](settings.md#redis).
!!! info "Database backend"
Please note that we assume you are using MariaDB as database backend (which is defined using the `DATABASE_URI` setting). Other backends for this integration are still possible if you want : see yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repostiory for more information. Clustered database backends setup are out-of-the-scope of this documentation.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
Please note that both scheduler and autoconf services needs to access the Kubernetes API. The recommended way of doing it is using [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
Please ensure that both the scheduler and autoconf services have access to the Kubernetes API. It is recommended to utilize [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for this purpose.
Another important thing is the `KUBERNETES_MODE=yes` environment variable which is mandatory when using the Kubernetes integration.
Additionally, it is crucial to set the `KUBERNETES_MODE` environment variable to `yes` when utilizing the Kubernetes integration. This variable is mandatory for proper functionality.
Here is the yaml boilerplate you can use as a base :
To assist you, here is a YAML boilerplate that can serve as a foundation for your configuration:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
@ -655,7 +692,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -725,7 +762,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -752,7 +789,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -867,7 +904,9 @@ spec:
storage: 5Gi
```
Once the BunkerWeb Kubernetes stack is set up and running (see autoconf logs for more information), you will be able to deploy web applications in the cluster and declare your Ingress resource. Please note that [settings](settings.md) need to be set as annotations for the Ingress resource with the special value **bunkerweb.io** for the domain part :
Once the BunkerWeb Kubernetes stack is successfully set up and operational (refer to the autoconf logs for detailed information), you can proceed with deploying web applications within the cluster and declaring your Ingress resource.
It is important to note that the BunkerWeb settings need to be specified as annotations for the Ingress resource. For the domain part, please use the special value "**bunkerweb.io**". By including the appropriate annotations, you can configure BunkerWeb accordingly for the Ingress resource.
```yaml
apiVersion: networking.k8s.io/v1
@ -899,16 +938,16 @@ spec:
<figcaption>Linux integration</figcaption>
</figure>
List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) :
Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 architectures) include:
- Debian 11 "Bullseye"
- Ubuntu 22.04 "Jammy"
- Fedora 38
- RedHat Enterprise Linux (RHEL) 8.7
- Red Hat Enterprise Linux (RHEL) 8.7
Please note that you will need to **install NGINX 1.24.0 before BunkerWeb**. For all distros, except Fedora, using prebuilt packages from [official NGINX repository](https://nginx.org/en/linux_packages.html) is mandatory. Compiling NGINX from source or using packages from different repositories won't work with the official prebuilt packages of BunkerWeb but you can build it from source.
Please ensure that you have **NGINX 1.24.0 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb). They provide a bash script to add and trust the repository automatically (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
To simplify the installation process, Linux package repositories for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb). They provide a bash script that automatically adds and trusts the repository. You can follow the provided script for automatic setup, or opt for [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer.
=== "Debian"
@ -930,12 +969,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0
sudo apt install -y bunkerweb=1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -964,12 +1003,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.24.0-1~jammy
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.5.0
sudo apt install -y bunkerweb=1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -986,14 +1025,14 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install -y nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo dnf install -y bunkerweb-1.5.0
sudo dnf install -y bunkerweb-1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -1030,13 +1069,13 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
```shell
sudo dnf install nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
And finally install BunkerWeb 1.5.1 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0
sudo dnf install -y bunkerweb-1.5.1
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -1046,103 +1085,6 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf versionlock add bunkerweb
```
<!---
=== "CentOS Stream"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo dnf install nginx-1.24.0
```
And finally install BunkerWeb 1.5.0 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.5.0
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "From source"
The first step is to install NGINX 1.24.0 using the repository of your choice or by [compiling it from source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#compiling-and-installing-from-source).
The target installation folder of BunkerWeb is located at `/usr/share/bunkerweb`, let's create it :
```shell
mkdir /usr/share/bunkerweb
```
You can now clone the BunkerWeb project to the `/tmp` folder :
```shell
https://github.com/bunkerity/bunkerweb.git /tmp/bunkerweb
```
BunkerWeb needs some dependencies to be compiled and installed to `/usr/share/bunkerweb/deps`, the easiest way to do it is by executing the [install.sh helper script](https://github.com/bunkerity/bunkerweb/blobdeps/install.sh) (please note that you will need to install additional packages which is not covered in this procedure and depends on your own system) :
```
mkdir /usr/share/bunkerweb/deps && \
/tmp/bunkerweb/src/deps/install.sh
```
Additional Python dependencies needs to be installed into the `/usr/share/bunkerweb/deps/python` folder :
```shell
mkdir /usr/share/bunkerweb/src/deps/python && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/src/ui/requirements.txt
```
Once dependencies are installed, you will be able to copy the BunkerWeb sources to the target `/usr/share/bunkerweb` folder :
```shell
for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/ui.env linux/scripts ; do
cp -r /tmp/bunkerweb/${src} /usr/share/bunkerweb
done
cp /usr/share/bunkerweb/helpers/bwcli /usr/local/bin
```
Additional folders also need to be created :
```shell
mkdir -p /etc/bunkerweb/{configs,plugins} && \
mkdir -p /var/cache/bunkerweb && \
mkdir -p /var/tmp/bunkerweb
```
Permissions needs to be fixed :
```shell
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
find /usr/share/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
chmod 770 /var/cache/bunkerweb /var/tmp/bunkerweb && \
chmod 750 /usr/share/bunkerweb/gen/main.py /usr/share/bunkerweb/scheduler/main.py /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/share/bunkerweb/scripts/*.sh /usr/bin/bwcli /usr/share/bunkerweb/ui/main.py && \
chown -R root:nginx /usr/share/bunkerweb
```
Last but not least, you will need to set up systemd unit files :
```shell
cp /tmp/bunkerweb/linux/*.service /etc/systemd/system && \
systemctl daemon-reload && \
systemctl stop nginx && \
systemctl disable nginx && \
systemctl enable bunkerweb && \
systemctl enable bunkerweb-ui
```
--->
The configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file :
```conf
@ -1165,61 +1107,63 @@ BunkerWeb is managed using systemctl :
<figcaption>Ansible integration</figcaption>
</figure>
List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) :
Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 architectures) include:
- Debian 11 "Bullseye"
- Ubuntu 22.04 "Jammy"
- Fedora 38
- RedHat Enterprise Linux (RHEL) 8.7
- Red Hat Enterprise Linux (RHEL) 8.7
[Ansible](https://docs.ansible.com/ansible/latest/index.html) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
To simplify the deployment and configuration process, [Ansible](https://docs.ansible.com/ansible/latest/index.html) can be used as an IT automation tool. Ansible enables you to configure systems, deploy software, and perform advanced IT tasks such as continuous deployments or zero downtime rolling updates.
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb).
For BunkerWeb, there is a dedicated Ansible role available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb).
First of all, download the role from ansible-galaxy :
```shell
ansible-galaxy install bunkerity.bunkerweb
```
To proceed with the BunkerWeb Ansible role setup, follow these steps:
Next, create an inventory by adding the IP adress or FQDN of one or more remote systems, either in `/etc/ansible/hosts` or in your own playbook `inventory.yml` :
```toml
[mybunkers]
192.0.2.50
192.0.2.51
192.0.2.52
```
1. Begin by creating an inventory file that lists the IP addresses or FQDNs of the remote systems you want to manage. You can either add this information to the `/etc/ansible/hosts` file or create a separate inventory file such as `inventory.yml`. Here's an example using a TOML format:
The next step we're going to set up is the SSH connection so Ansible can connect to the managed nodes. Add your public SSH keys to the `authorized_keys` file on each remote system and ensure you can successfully connect.
```toml
[mybunkers]
192.0.2.50
192.0.2.51
192.0.2.52
```
In order to use the role, we will create the playbook file named `playbook.yml` for example :
```yaml
---
- hosts: all
become: true
roles:
- bunkerity.bunkerweb
```
2. Next, establish SSH connections to the managed nodes by adding your public SSH keys to the `authorized_keys` file on each remote system. Verify that you can successfully connect to the nodes using SSH.
Run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
3. Create a playbook file, such as `playbook.yml`, which will define the desired configuration using the BunkerWeb Ansible role. Here's an example playbook configuration:
Configuration of BunkerWeb is done by using specific role variables :
```yaml
---
- hosts: all
become: true
roles:
- bunkerity.bunkerweb
```
| Name | Type | Description | Default value |
|:-----:|:-----:|--------------|----------------|
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.0` |
| `nginx_version` | string | Version of NGINX to install. | `1.24.0` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
| `enable_ui` | boolean | Activate the web UI. | `false` |
| `custom_ui` | string | Path of the ui.env file to configure the web UI. | `files/ui.env` |
| `custom_configs_path` | Dictionary | Each entry is a path of the folder containing custom configurations. Keys are the type of custom configs : `http`, `server-http`, `modsec`, `modsec-crs` and `default-server-http` | empty values |
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |
4. Execute the playbook using the `ansible-playbook` command, providing the inventory file and the playbook file as arguments. For example:
```shell
ansible-playbook -i inventory.yml playbook.yml
```
By running the playbook, Ansible will apply the BunkerWeb role to all the hosts specified in the inventory, setting up the desired configuration.
the configuration of BunkerWeb is done by using specific role variables :
| Name | Type | Description | Default value |
| :-------------------: | :--------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.1` |
| `nginx_version` | string | Version of NGINX to install. | `1.24.0` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
| `enable_ui` | boolean | Activate the web UI. | `false` |
| `custom_ui` | string | Path of the ui.env file to configure the web UI. | `files/ui.env` |
| `custom_configs_path` | Dictionary | Each entry is a path of the folder containing custom configurations. Keys are the type of custom configs : `http`, `server-http`, `modsec`, `modsec-crs` and `default-server-http` | empty values |
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |
## Vagrant
@ -1229,24 +1173,22 @@ Configuration of BunkerWeb is done by using specific role variables :
<figcaption>BunkerWeb integration with Vagrant</figcaption>
</figure>
-->
List of supported providers :
- vmware_desktop
- virtualbox
- libvirt
**_Note on Supported Base Images_**
Please be aware that the provided Vagrant boxes are based **exclusively on Ubuntu 22.04 "Jammy"**. While BunkerWeb supports other Linux distributions, the Vagrant setup currently only supports Ubuntu 22.04 as the base operating system. This ensures a consistent and reliable environment for users who want to deploy BunkerWeb using Vagrant.
!!! note "Supported Base Images"
Please be aware that the provided Vagrant boxes are based **exclusively on Ubuntu 22.04 "Jammy"**. While BunkerWeb supports other Linux distributions, the Vagrant setup currently only supports Ubuntu 22.04 as the base operating system. This ensures a consistent and reliable environment for users who want to deploy BunkerWeb using Vagrant.
Similar to other BunkerWeb integrations, the Vagrant setup uses **NGINX version 1.24.0**. This specific version is required to ensure compatibility and smooth functioning with BunkerWeb. Additionally, the Vagrant box includes **PHP** pre-installed, providing a ready-to-use environment for hosting PHP-based applications alongside BunkerWeb.
By using the provided Vagrant box based on Ubuntu 22.04 "Jammy", you benefit from a well-configured and integrated setup, allowing you to focus on developing and securing your applications with BunkerWeb without worrying about the underlying infrastructure.
Here are the steps to install BunkerWeb using Vagrant on Ubuntu with the supported virtualization providers (VirtualBox, VMware, and libvirt):
Here are the steps to install BunkerWeb using Vagrant on Ubuntu with the supported virtualization providers (VirtualBox, and libvirt):
1. Make sure you have Vagrant and one of the supported virtualization providers (VirtualBox, VMware, or libvirt) installed on your system.
1. Make sure you have Vagrant and one of the supported virtualization providers (VirtualBox or libvirt) installed on your system.
2. There are two ways to install the Vagrant box with BunkerWeb: either by using a provided Vagrantfile to configure your virtual machine or by creating a new box based on the existing BunkerWeb Vagrant box, offering you flexibility in how you set up your development environment.
=== "Vagrantfile"
@ -1259,7 +1201,6 @@ Here are the steps to install BunkerWeb using Vagrant on Ubuntu with the support
Depending on the virtualization provider you choose, you may need to install additional plugins:
* For **VMware**, install the `vagrant-vmware-desktop` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **libvirt**, install the `vagrant-libvirt plugin`. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **VirtualBox**, install the `vagrant-vbguest` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
@ -1271,14 +1212,13 @@ Here are the steps to install BunkerWeb using Vagrant on Ubuntu with the support
Depending on the virtualization provider you choose, you may need to install additional plugins:
* For **VMware**, install the `vagrant-vmware-desktop` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **libvirt**, install the `vagrant-libvirt plugin`. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **VirtualBox**, install the `vagrant-vbguest` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
After installing the necessary plugins for your chosen virtualization provider, run the following command to start the virtual machine and install BunkerWeb:
```shell
vagrant up --provider=virtualbox # or --provider=vmware_desktop or --provider=libvirt
vagrant up --provider=virtualbox # or --provider=libvirt
```
Finally, to access the virtual machine using SSH, execute the following command:
@ -1298,9 +1238,6 @@ Vagrant.configure("2") do |config|
# Uncomment the desired virtualization provider
# For VirtualBox (default)
config.vm.provider "virtualbox"
# For VMware
# config.vm.provider "vmware_desktop" # Windows
# config.vm.provider "vmware_workstation" # Linux
# For libvirt
# config.vm.provider "libvirt"
end

2
docs/migrating.md
View file

@ -2,7 +2,7 @@
!!! warning "Read this if you were a 1.4.X user"
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) folder of the repository.
A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) folder of the repository.
## Scheduler

72
docs/plugins.md
View file

@ -8,11 +8,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## How to use a plugin
@ -20,7 +22,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.0.zip`
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.1.zip`
### Manual
@ -56,7 +58,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -93,7 +95,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -132,7 +134,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -179,7 +181,7 @@ The first step is to install the plugin by putting the plugin files inside the c
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -260,7 +262,7 @@ The first step is to install the plugin by putting the plugin files inside the c
!!! tip "Existing plugins"
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
The first step is to create a folder that will contain the plugin :
@ -275,30 +277,29 @@ A file named **plugin.json** and written at the root of the plugin folder must c
```json
{
"id": "myplugin",
"order": 42,
"name": "My Plugin",
"description": "Just an example plugin.",
"version": "1.0",
"id": "myplugin",
"name": "My Plugin",
"description": "Just an example plugin.",
"version": "1.0",
"stream": "partial",
"settings": {
"DUMMY_SETTING": {
"context": "multisite",
"default": "1234",
"help": "Here is the help of the setting.",
"id": "dummy-id",
"label": "Dummy setting",
"regex": "^.*$",
"type": "text"
}
},
"jobs": [
{
"name": "my-job",
"file": "my-job.py",
"every": "hour"
}
]
"settings": {
"DUMMY_SETTING": {
"context": "multisite",
"default": "1234",
"help": "Here is the help of the setting.",
"id": "dummy-id",
"label": "Dummy setting",
"regex": "^.*$",
"type": "text"
}
},
"jobs": [
{
"name": "my-job",
"file": "my-job.py",
"every": "hour"
}
]
}
```
@ -307,7 +308,6 @@ Here are the details of the fields :
| Field | Mandatory | Type | Description |
| :-----------: | :-------: | :----: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `id` | yes | string | Internal ID for the plugin : must be unique among other plugins (including "core" ones) and contain only lowercase chars. |
| `order` | yes | int | When the plugin should be executed during the access phase : `1` for whitelisting, `2` for blacklisting, `3` for "standard security feature" or `999` if your settings don't use the access phase. |
| `name` | yes | string | Name of your plugin. |
| `description` | yes | string | Description of your plugin. |
| `version` | yes | string | Version of your plugin. |
@ -507,7 +507,7 @@ end
!!! tip "More examples"
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/src/bw/lua/bunkerweb) of the repository.
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/src/bw/lua/bunkerweb) of the repository.
### Jobs

95
docs/quickstart-guide.md
View file

@ -4,7 +4,7 @@
We assume that you're already familiar with the [core concepts](concepts.md) and you have followed the [integrations instructions](integrations.md) for your environment.
!!! tip "Going further"
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples) of the repository to get real-world examples.
To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples) of the repository to get real-world examples.
## Protect HTTP applications
@ -35,7 +35,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -52,7 +52,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -65,11 +65,12 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -385,7 +386,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -405,7 +406,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -418,11 +419,12 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -820,7 +822,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -835,7 +837,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -850,7 +852,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -970,7 +972,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -986,7 +988,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -1002,7 +1004,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
...
environment:
- USE_REAL_IP=yes
@ -1111,11 +1113,11 @@ REAL_IP_HEADER=proxy_protocol
!!! warning "Feature is in beta"
This feature is not production-ready. Feel free to test it and report us any bug using [issues](https://github.com/bunkerity/bunkerweb/issues) in the GitHub repository.
BunkerWeb can also act as **generic UDP/TCP reverse proxy** : you can protect any network-based applications working at least on layer 4 of the OSI model. Behind the hood, it leverages the [stream module](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) of NGINX instead of using the "classical" http one.
BunkerWeb offers the capability to function as a **generic UDP/TCP reverse proxy**, allowing you to protect any network-based applications operating at least on layer 4 of the OSI model. Instead of utilizing the "classical" HTTP module, BunkerWeb leverages the [stream module](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) of NGINX.
Please note that not all settings and security features are available when using the stream module. You will find more info about that in the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.
It's important to note that not all settings and security features are available when using the stream module. Additional information on this can be found in the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.
Configuration for a basic reverse proxy is very similar to the HTTP one because it uses the same `USE_REVERSE_PROXY=yes` and `REVERSE_PROXY_HOST=myapp:4242` settings. Even the settings used when BunkerWeb is [behind a Load Balancer](#behind-load-balancer-or-reverse-proxy) are the same (but for obvious reasons, only **PROXY protocol** is supported).
Configuring a basic reverse proxy is quite similar to the HTTP setup, as it involves using the same settings: `USE_REVERSE_PROXY=yes` and `REVERSE_PROXY_HOST=myapp:4242`. Even when BunkerWeb is positioned behind a Load Balancer, the settings remain the same (with **PROXY protocol** being the supported option due to evident reasons).
On top of that, the following specific settings are used :
@ -1148,7 +1150,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@ -1170,7 +1172,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1183,11 +1185,12 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -1218,7 +1221,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@ -1276,7 +1279,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
# Keep it if you want to use Let's Encrypt automation
- published: 80
@ -1426,21 +1429,23 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
## Custom configurations
Because BunkerWeb is based on the NGINX web server, you can add custom NGINX configurations in different NGINX contexts. You can also apply custom configurations for the ModSecurity WAF which is a core component of BunkerWeb (more info [here](security-tuning.md#modsecurity)). Here is the list of custom configurations types :
To customize and add custom configurations to BunkerWeb, you can take advantage of its NGINX foundation. Custom NGINX configurations can be added in different NGINX contexts, including configurations for the ModSecurity Web Application Firewall (WAF), which is a core component of BunkerWeb. More details about ModSecurity configurations can be found [here](security-tuning.md#modsecurity).
- **http** : http level of NGINX
- **server-http** : http/server level of NGINX
- **default-server-http** : server level of NGINX (only apply to the "default server" when the name supplied by the client doesn't match any server name in `SERVER_NAME`)
- **modsec-crs** : before the OWASP Core Rule Set is loaded
- **modsec** : after the OWASP Core Rule Set is loaded (also used if CRS is not loaded)
- **stream** : stream level of NGINX
- **server-stream** : stream/server level of NGINX
Here are the available types of custom configurations:
Custom configurations can be applied globally or only for a specific server when applicable and if the multisite mode is enabled.
- **http**: Configurations at the HTTP level of NGINX.
- **server-http**: Configurations at the HTTP/Server level of NGINX.
- **default-server-http**: Configurations at the Server level of NGINX, specifically for the "default server" when the supplied client name doesn't match any server name in `SERVER_NAME`.
- **modsec-crs**: Configurations applied before the OWASP Core Rule Set is loaded.
- **modsec**: Configurations applied after the OWASP Core Rule Set is loaded, or used when the Core Rule Set is not loaded.
- **stream**: Configurations at the Stream level of NGINX.
- **server-stream**: Configurations at the Stream/Server level of NGINX.
The howto depends on the integration used but under the hood, applying custom configurations is done by adding files ending with the .conf suffix in their name to specific folders. To apply a custom configuration for a specific server, the file is written to a subfolder which is named as the primary server name.
Custom configurations can be applied globally or specifically for a particular server, depending on the applicable context and whether the [multisite mode](concepts.md#multisite-mode) is enabled.
Some integrations offer a more convenient way of applying configurations such as using [Configs](https://docs.docker.com/engine/swarm/configs/) with Swarm or [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) with Kubernetes.
The method for applying custom configurations depends on the integration being used. However, the underlying process involves adding files with the `.conf` suffix to specific folders. To apply a custom configuration for a specific server, the file should be placed in a subfolder named after the primary server name.
Some integrations provide more convenient ways to apply configurations, such as using [Configs](https://docs.docker.com/engine/swarm/configs/) in Docker Swarm or [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) in Kubernetes. These options offer simpler approaches for managing and applying configurations.
=== "Docker"
@ -1462,7 +1467,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
...
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1505,7 +1510,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./bw-data:/data
...
@ -1574,7 +1579,7 @@ Some integrations offer a more convenient way of applying configurations such as
```yaml
myautoconf:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
volumes:
- ./bw-data:/data
...
@ -1807,7 +1812,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./www:/var/www/html
ports:
@ -1830,7 +1835,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1843,11 +1848,12 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -1907,7 +1913,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- ./www:/var/www/html
labels:
@ -1921,7 +1927,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -1933,11 +1939,12 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -2064,7 +2071,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
volumes:
- /shared/www:/var/www/html
...
@ -2343,7 +2350,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- USE_IPv6=yes
@ -2388,7 +2395,7 @@ By default, BunkerWeb will only listen on IPv4 adresses and won't use IPv6 for n
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- USE_IPv6=yes

8
docs/requirements.txt
View file

@ -1,6 +1,6 @@
mkdocs==1.4.3
mkdocs-material==9.1.13
pytablewriter==0.64.2
mkdocs==1.5.2
mkdocs-material==9.1.21
pytablewriter==1.0.0
mike==1.1.2
jinja2<3.1.0
mkdocs-print-site-plugin==2.3.4
mkdocs-print-site-plugin==2.3.5

4
docs/robots.txt Normal file
View file

@ -0,0 +1,4 @@
User-agent: *
Allow: /latest/
Sitemap: https://docs.bunkerweb.io/sitemap.xml

28
docs/security-tuning.md
View file

@ -63,6 +63,12 @@ STREAM support :x:
You can automatically remove verbose headers in the HTTP responses by using the `REMOVE_HEADERS` setting (default : `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
#### Keep upstream headers
STREAM support :x:
You can automatically keep headers from upstream servers and prevent BunkerWeb from overriding them in the HTTP responses by using the `KEEP_UPSTREAM_HEADERS` setting (default : `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`). A special value `*` is available to keep all headers. List of headers to keep must be separated with a space. Note that if the header is not present in the upstream response, it will be added by BunkerWeb.
#### Cookies
STREAM support :x:
@ -127,12 +133,10 @@ Besides the HTTPS configuration, the following settings related to HTTPS can be
| :---------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------- |
| `REDIRECT_HTTP_TO_HTTPS` | `no` | When set to `yes`, will redirect every HTTP request to HTTPS even if BunkerWeb is not configured with HTTPS. |
| `AUTO_REDIRECT_HTTP_TO_HTTPS` | `yes` | When set to `yes`, will redirect every HTTP request to HTTPS only if BunkerWeb is configured with HTTPS. |
| `HTTPS_PROTOCOLS` | `TLSv1.2 TLSv1.3` | List of supported SSL/TLS protocols when HTTPS is enabled. |
| `SSL_PROTOCOLS` | `TLSv1.2 TLSv1.3` | List of supported SSL/TLS protocols when SSL is enabled. |
| `HTTP2` | `yes` | When set to `yes`, will enable HTTP2 protocol support when using HTTPS. |
| `LISTEN_HTTP` | `yes` | When set to `no`, BunkerWeb will not listen for HTTP requests. Useful if you want HTTPS only for example. |
When using stream, the `SSL_PROTOCOLS` can be used which takes the same value as the `HTTPS_PROTOCOLS` one.
### Let's Encrypt
STREAM support :white_check_mark:
@ -155,13 +159,14 @@ STREAM support :white_check_mark:
If you want to use your own certificates, here is the list of related settings :
| Setting | Default | Description |
| :-----------------: | :-----: | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_CUSTOM_SSL` | `no` | When set to `yes`, HTTPS will be enabled with custom certificates. |
| `CUSTOM_SSL_CERT` | | Full path to the certificate. If you have one or more intermediate certificate(s) in your chain of trust, you will need to provide the bundle (more info [here](https://nginx.org/en/docs/http/configuring_https_servers.html#chains)). |
| `CUSTOM_SSL_KEY` | | Full path to the private key. |
| Setting |Default| Context |Multiple| Description |
|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file (must be readable by the scheduler).|
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file (must be readable by the scheduler). |
When `USE_CUSTOM_HTTPS` is set to `yes`, BunkerWeb will check every day if the custom certificate specified in `CUSTOM_HTTPS_CERT` is modified and will reload NGINX if that's the case.
When `USE_CUSTOM_SSL` is set to `yes`, BunkerWeb will check every day if the custom certificate specified in `CUSTOM_SSL_CERT` is modified and will reload NGINX if that's the case.
When using stream mode, you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
@ -250,6 +255,7 @@ That kind of security is implemented but not enabled by default in BunkerWeb and
- **Captcha** : force the client to solve a classical captcha (no external dependencies)
- **hCaptcha** : force the client to solve a captcha from hCaptcha
- **reCAPTCHA** : force the client to get a minimum score with Google reCAPTCHA
- **Turnstile** : enforce rate limiting and access control for APIs and web applications using various mechanisms with Coudflare Turnstile
Here is the list of related settings :
@ -262,6 +268,8 @@ Here is the list of related settings :
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
@ -476,7 +484,7 @@ You can quickly protect sensitive resources like the admin area for example, by
### Auth request
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/examples).
You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/examples).
**Auth request settings are related to reverse proxy rules.**

132
docs/settings.md
View file

@ -67,6 +67,8 @@ Bot detection by using a challenge.
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
@ -159,16 +161,19 @@ STREAM support :x:
Cross-Origin Resource Sharing.
| Setting | Default | Context |Multiple| Description |
|------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|`USE_CORS` |`no` |multisite|no |Use CORS |
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
| Setting | Default | Context |Multiple| Description |
|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|`USE_CORS` |`no` |multisite|no |Use CORS |
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
### Client cache
@ -200,11 +205,11 @@ STREAM support :white_check_mark:
Choose custom certificate for HTTPS.
| Setting |Default| Context |Multiple| Description |
|-----------------|-------|---------|--------|--------------------------------------------|
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file.|
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file. |
| Setting |Default| Context |Multiple| Description |
|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
|`USE_CUSTOM_SSL` |`no` |multisite|no |Use custom HTTPS certificate. |
|`CUSTOM_SSL_CERT`| |multisite|no |Full path of the certificate or bundle file (must be readable by the scheduler).|
|`CUSTOM_SSL_KEY` | |multisite|no |Full path of the key file (must be readable by the scheduler). |
### DB
@ -288,20 +293,22 @@ STREAM support :x:
Manage HTTP headers sent to clients.
| Setting | Default | Context |Multiple| Description |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`STRICT_TRANSPORT_SECURITY`|`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
| Setting | Default | Context |Multiple| Description |
|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
|`CUSTOM_HEADER` | |multisite|yes |Custom header to add (HeaderName: HeaderValue). |
|`REMOVE_HEADERS` |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version` |multisite|no |Headers to remove (Header1 Header2 Header3 ...) |
|`KEEP_UPSTREAM_HEADERS` |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options` |multisite|no |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). |
|`STRICT_TRANSPORT_SECURITY` |`max-age=31536000` |multisite|no |Value for the Strict-Transport-Security header. |
|`COOKIE_FLAGS` |`* HttpOnly SameSite=Lax` |multisite|yes |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
|`COOKIE_AUTO_SECURE_FLAG` |`yes` |multisite|no |Automatically add the Secure flag to all cookies. |
|`CONTENT_SECURITY_POLICY` |`object-src 'none'; form-action 'self'; frame-ancestors 'self';` |multisite|no |Value for the Content-Security-Policy header. |
|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no` |multisite|no |Send reports for violations of the Content-Security-Policy header instead of blocking them. |
|`REFERRER_POLICY` |`strict-origin-when-cross-origin` |multisite|no |Value for the Referrer-Policy header. |
|`PERMISSIONS_POLICY` |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()` |multisite|no |Value for the Permissions-Policy header. |
|`FEATURE_POLICY` |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no |Value for the Feature-Policy header. |
|`X_FRAME_OPTIONS` |`SAMEORIGIN` |multisite|no |Value for the X-Frame-Options header. |
|`X_CONTENT_TYPE_OPTIONS` |`nosniff` |multisite|no |Value for the X-Content-Type-Options header. |
|`X_XSS_PROTECTION` |`1; mode=block` |multisite|no |Value for the X-XSS-Protection header. |
### Let's Encrypt
@ -337,25 +344,25 @@ STREAM support :warning:
Miscellaneous settings.
| Setting | Default | Context |Multiple| Description |
|-----------------------------|-----------------------|---------|--------|----------------------------------------------------------------------------------------------------------------------|
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip file) to download and install (URLs are separated with space). |
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection.|
| Setting | Default | Context |Multiple| Description |
|-----------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).|
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. |
### ModSecurity
@ -409,6 +416,7 @@ Manage HTTP redirects.
|-------------------------|-------|---------|--------|-------------------------------------------------|
|`REDIRECT_TO` | |multisite|no |Redirect a whole site to another one. |
|`REDIRECT_TO_REQUEST_URI`|`no` |multisite|no |Append the requested URI to the redirect address.|
|`REDIRECT_TO_STATUS_CODE`|`301` |multisite|no |Status code to send to client when redirecting. |
### Redis
@ -517,18 +525,18 @@ STREAM support :warning:
Allow access based on internal and external IP/network/rDNS/ASN whitelists.
| Setting | Default | Context |Multiple| Description |
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com` |multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |
| Setting | Default | Context |Multiple| Description |
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |

24
docs/troubleshooting.md
View file

@ -80,10 +80,10 @@ Here is how you can access the logs, depending on your integration :
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
Common logs are located inside the `/var/log/bunkerweb` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
cat /var/log/bunkerweb/error.log
cat /var/log/bunkerweb/access.log
```
=== "Ansible"
@ -93,10 +93,10 @@ Here is how you can access the logs, depending on your integration :
ansible -i inventory.yml all -a "journalctl -u bunkerweb --no-pager" --become
```
Common logs are located inside the `/var/log/nginx` directory :
Common logs are located inside the `/var/log/bunkerweb` directory :
```shell
ansible -i inventory.yml all -a "cat /var/log/nginx/error.log" --become
ansible -i inventory.yml all -a "cat /var/log/nginx/access.log" --become
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/error.log" --become
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/access.log" --become
```
=== "Vagrant"
@ -106,10 +106,10 @@ Here is how you can access the logs, depending on your integration :
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
Common logs are located inside the `/var/log/bunkerweb` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
cat /var/log/bunkerweb/error.log
cat /var/log/bunkerweb/access.log
```
## Permissions
@ -280,4 +280,8 @@ If you have bots that need to access your website, the recommended way to avoid
- Healthcheck / status bot
- Callback like IPN or webhook
- Social media crawler
- Social media crawler
## Timezone
When using container-based integrations, the timezone of the container may not match the one of the host machine. To resolve that, you can set the `TZ` environment variable to the timezone of your choice on your containers (e.g. `TZ=Europe/Paris`). You will find the list of timezone identifers [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).

83
docs/web-ui.md
View file

@ -55,13 +55,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -70,7 +69,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -86,16 +85,15 @@ Because the web UI is a web application, the recommended installation procedure
- USE_GZIP=yes
- www.example.com_USE_UI=yes
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_URL=/changeme
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -107,16 +105,17 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker
environment:
@ -124,7 +123,6 @@ Because the web UI is a web application, the recommended installation procedure
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -177,13 +175,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -192,7 +189,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -209,7 +206,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -222,7 +219,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -235,11 +232,12 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -256,7 +254,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -268,14 +266,12 @@ Because the web UI is a web application, the recommended installation procedure
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
@ -314,13 +310,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -329,7 +324,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- published: 80
target: 8080
@ -359,7 +354,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.INSTANCE"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -369,7 +364,7 @@ Because the web UI is a web application, the recommended installation procedure
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
@ -378,6 +373,7 @@ Because the web UI is a web application, the recommended installation procedure
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
@ -386,7 +382,7 @@ Because the web UI is a web application, the recommended installation procedure
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@ -413,13 +409,12 @@ Because the web UI is a web application, the recommended installation procedure
- bw-universe
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
@ -428,11 +423,10 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:
bw-data:
@ -463,13 +457,12 @@ Because the web UI is a web application, the recommended installation procedure
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
!!! info "Database backend"
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.0/misc/integrations) of the repository.
If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.1/misc/integrations) of the repository.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -524,7 +517,7 @@ Because the web UI is a web application, the recommended installation procedure
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
imagePullPolicy: Always
securityContext:
runAsUser: 101
@ -594,7 +587,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -621,7 +614,7 @@ Because the web UI is a web application, the recommended installation procedure
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -705,15 +698,13 @@ Because the web UI is a web application, the recommended installation procedure
spec:
containers:
- name: bunkerweb-ui
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
@ -788,14 +779,14 @@ Because the web UI is a web application, the recommended installation procedure
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
spec:
rules:
- host: www.example.com
http:
paths:
- path: /changeme/
- path: /changeme
pathType: Prefix
backend:
service:
@ -819,7 +810,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
@ -841,9 +831,8 @@ Because the web UI is a web application, the recommended installation procedure
MULTISITE=yes
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_URL=/changeme
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
@ -862,7 +851,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Here is the `my_variables.env` boilerplate you can use :
@ -875,9 +863,8 @@ Because the web UI is a web application, the recommended installation procedure
MULTISITE=yes
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_URL=/changeme
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```
@ -929,7 +916,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
@ -950,9 +936,8 @@ Because the web UI is a web application, the recommended installation procedure
MULTISITE=yes
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_URL=/changeme
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```

7
examples/authelia/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -44,7 +44,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -56,11 +56,12 @@ services:
- bw-data:/data
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/authelia/tests.json
View file

@ -1,7 +1,7 @@
{
"name": "authelia",
"kinds": ["docker", "autoconf", "swarm", "linux"],
"timeout": 60,
"timeout": 120,
"delay": 60,
"tests": [
{

7
examples/authentik/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -65,11 +65,12 @@ services:
- bw-data:/data
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/behind-reverse-proxy/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -36,11 +36,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/bigbluebutton/docker-compose.yml
View file

@ -27,7 +27,7 @@ services:
...
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -50,7 +50,7 @@ services:
bw-universe:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -62,11 +62,12 @@ services:
bw-docker:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

13
examples/certbot-dns-cloudflare/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,9 +17,9 @@ services:
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

13
examples/certbot-dns-digitalocean/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,9 +17,9 @@ services:
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

13
examples/certbot-dns-google/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,9 +17,9 @@ services:
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

13
examples/certbot-dns-ovh/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,9 +17,9 @@ services:
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

13
examples/certbot-dns-route53/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,9 +17,9 @@ services:
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_HTTPS=yes
- CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1
- app2.example.com_REVERSE_PROXY_URL=/
@ -33,7 +33,7 @@ services:
- bw-services
bbw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

9
examples/cors/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -38,7 +38,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -50,11 +50,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -101,4 +102,4 @@ networks:
bw-services:
volumes:
bw-data:
bw-data:

7
examples/docker-configs/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -53,7 +53,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -65,11 +65,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

1
examples/docker-configs/tests.json
View file

@ -1,6 +1,7 @@
{
"name": "docker-configs",
"kinds": ["docker"],
"delay": 30,
"timeout": 60,
"tests": [
{

2
examples/drupal/autoconf.yml
View file

@ -35,7 +35,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
volumes:
db-data:

9
examples/drupal/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -40,11 +40,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -66,7 +67,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
networks:
- bw-services

2
examples/drupal/drupal-chart-values.yml
View file

@ -3,4 +3,4 @@ drupalPassword: "changeme42"
drupalEmail: "contact@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

2
examples/drupal/swarm.yml
View file

@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
deploy:
placement:
constraints:

2
examples/ghost/autoconf.yml
View file

@ -24,4 +24,4 @@ volumes:
networks:
bw-services:
external: true
name: bw-services
name: bw-services

7
examples/ghost/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -36,11 +36,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/ghost/ghost-chart-values.yml
View file

@ -3,4 +3,4 @@ ghostPassword: "changeme42"
ghostHost: "www.example.com"
mysql:
auth:
password: "changeme1337"
password: "changeme1337"

7
examples/gogs/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -40,11 +40,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

8
examples/hardened/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
# dropping all capabilities
cap_drop:
- ALL
@ -15,6 +15,7 @@ services:
tmpfs:
- /tmp:mode=0770,uid=0,gid=101
- /var/tmp/bunkerweb:mode=0770,uid=0,gid=101
- /var/run/bunkerweb:mode=0770,uid=0,gid=101
- /var/cache/bunkerweb:mode=0770,uid=0,gid=101
- /etc/nginx:mode=0770,uid=0,gid=101
ports:
@ -38,7 +39,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -50,11 +51,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/joomla/autoconf.yml
View file

@ -36,7 +36,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
volumes:
joomla-data:

9
examples/joomla/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -40,11 +40,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -68,7 +69,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
networks:
- bw-services
volumes:

2
examples/joomla/joomla-chart-values.yml
View file

@ -3,4 +3,4 @@ joomlaPassword: "changeme42"
joomlaEmail: "contact@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

3
examples/joomla/swarm.yml
View file

@ -36,13 +36,12 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
deploy:
placement:
constraints:
- "node.role==worker"
networks:
bw-services:
external: true

7
examples/load-balancer/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -43,11 +43,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/load-balancer/tests.json
View file

@ -1,7 +1,7 @@
{
"name": "load-balancer",
"kinds": ["docker"],
"timeout": 60,
"timeout": 120,
"no_copy_container": true,
"tests": [
{

2
examples/magento/autoconf.yml
View file

@ -55,7 +55,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
volumes:
magento-data:

9
examples/magento/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -41,11 +41,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -85,7 +86,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
networks:
- bw-services

2
examples/magento/magento-chart-values.yml
View file

@ -7,4 +7,4 @@ magentoLastName: "Doe"
magentoAdminUri: "admin"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

2
examples/magento/swarm.yml
View file

@ -50,7 +50,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
deploy:
placement:
constraints:

7
examples/mattermost/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -44,7 +44,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -56,11 +56,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/mongo-express/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -39,11 +39,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

12
examples/moodle/autoconf.yml
View file

@ -13,10 +13,10 @@ services:
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
@ -36,10 +36,10 @@ services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci

19
examples/moodle/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -37,11 +37,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -53,10 +54,10 @@ services:
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
@ -69,10 +70,10 @@ services:
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
networks:

2
examples/moodle/moodle-chart-values.yml
View file

@ -4,4 +4,4 @@ moodlePassword: "changeme42"
moodleEmail: "admin@example.com"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

4
examples/moodle/swarm.yml
View file

@ -36,10 +36,10 @@ services:
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
deploy:

3
examples/nextcloud/autoconf.yml
View file

@ -56,7 +56,6 @@ services:
bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
mydb:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
@ -70,7 +69,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
volumes:
nc-files:

8
examples/nextcloud/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -54,7 +54,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -66,11 +66,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -110,7 +111,6 @@ volumes:
db-data:
nc-files:
networks:
bw-universe:
ipam:

2
examples/nextcloud/swarm.yml
View file

@ -48,7 +48,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
deploy:
placement:
constraints:

6
examples/passbolt/autoconf.yml
View file

@ -13,7 +13,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -45,10 +45,10 @@ services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
volumes:
gpg-data:

15
examples/passbolt/docker-compose.yml
View file

@ -2,12 +2,12 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
environment:
- SERVER_NAME=www.example.com # replace with your domain
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
@ -26,7 +26,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -38,11 +38,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -58,7 +59,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -81,10 +82,10 @@ services:
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
networks:
- bw-services

6
examples/passbolt/swarm.yml
View file

@ -11,7 +11,7 @@ services:
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
@ -45,10 +45,10 @@ services:
networks:
- bw-services
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
deploy:
placement:
constraints:

8
examples/php-cookie-flags/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -43,11 +43,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -65,7 +66,6 @@ services:
volumes:
bw-data:
networks:
bw-universe:
ipam:

7
examples/php-multisite/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- net-app2
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/php-singlesite/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -30,7 +30,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -42,11 +42,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/prestashop/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -40,11 +40,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/prestashop/prestashop-chart-values.yml
View file

@ -10,4 +10,4 @@ service:
type: ClusterIP
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

7
examples/proxy-protocol/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -39,11 +39,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/radarr/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

1
examples/radarr/tests.json
View file

@ -1,6 +1,7 @@
{
"name": "radarr",
"kinds": ["docker", "autoconf", "swarm"],
"delay": 180,
"timeout": 60,
"tests": [
{

2
examples/redmine/autoconf.yml
View file

@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
volumes:
redmine-data:

9
examples/redmine/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -36,11 +36,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -65,7 +66,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
networks:
- bw-universe
- bw-services

2
examples/redmine/redmine-chart-values.yml
View file

@ -6,4 +6,4 @@ service:
type: ClusterIP
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

2
examples/redmine/swarm.yml
View file

@ -33,7 +33,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
deploy:
placement:
constraints:

7
examples/reverse-proxy-multisite/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -39,11 +39,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/reverse-proxy-multisite/tests.json
View file

@ -2,7 +2,7 @@
"name": "reverse-proxy-multisite",
"kinds": ["docker", "autoconf", "swarm", "kubernetes", "linux"],
"timeout": 60,
"delay": 60,
"delay": 90,
"tests": [
{
"type": "string",

7
examples/reverse-proxy-singlesite/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -32,7 +32,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -44,11 +44,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

1
examples/reverse-proxy-singlesite/tests.json
View file

@ -1,6 +1,7 @@
{
"name": "reverse-proxy-singlesite",
"kinds": ["docker", "autoconf", "swarm", "linux"],
"delay": 120,
"timeout": 60,
"no_copy_container": true,
"tests": [

7
examples/reverse-proxy-websocket/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -37,11 +37,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

11
examples/stream-multisite/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080 # required to resolve let's encrypt challenges
- 10000:10000 # app1 without SSL/TLS
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -45,23 +45,24 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: istio/tcp-echo-server:1.2
command: [ "9000", "app1" ]
command: ["9000", "app1"]
networks:
- bw-services
app2:
image: istio/tcp-echo-server:1.2
command: [ "9000", "app2" ]
command: ["9000", "app2"]
networks:
- bw-services

7
examples/syslog/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
logging:
driver: syslog
options:
@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
logging:
driver: syslog
options:
@ -45,11 +45,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/tomcat/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -35,11 +35,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

7
examples/tor-hidden-service/docker-compose.yml
View file

@ -12,7 +12,7 @@ services:
- bw-universe
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
environment:
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
# disable common security measures based on IP
@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -46,11 +46,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

15
examples/web-ui/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -17,10 +17,9 @@ services:
- www.example.com_USE_UI=yes
- www.example.com_SERVE_FILES=no
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_URL=/changeme # replace with another url
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
- www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
labels:
- "bunkerweb.INSTANCE"
networks:
@ -28,7 +27,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -40,11 +39,10 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
depends_on:
- bw-docker-proxy
environment:
- ABSOLUTE_URI=https://www.example.com/changeme/ # replace with another url
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # replace with a stronger password
@ -55,11 +53,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

2
examples/wordpress/autoconf.yml
View file

@ -43,7 +43,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
volumes:
wp-data:

9
examples/wordpress/docker-compose.yml
View file

@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- mybunker
environment:
@ -37,11 +37,12 @@ services:
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:0.1
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -66,7 +67,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
networks:
- bw-services

3
examples/wordpress/setup-kubernetes.sh
View file

@ -1,4 +1,3 @@
#!/bin/bash
helm repo add wordpress https://charts.bitnami.com/bitnami
helm install -f wordpress-chart-values.yml wordpress bitnami/wordpress
helm install -f wordpress-chart-values.yml wordpress oci://registry-1.docker.io/bitnamicharts/wordpress

2
examples/wordpress/swarm.yml
View file

@ -34,7 +34,7 @@ services:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
deploy:
placement:
constraints:

2
examples/wordpress/tests.json
View file

@ -1,7 +1,7 @@
{
"name": "wordpress",
"kinds": ["docker", "autoconf", "swarm", "kubernetes", "linux"],
"timeout": 60,
"timeout": 120,
"delay": 120,
"no_copy_container": true,
"tests": [

2
examples/wordpress/wordpress-chart-values.yml
View file

@ -8,4 +8,4 @@ wordpressTablePrefix: "changeme_"
wordpressScheme: "https"
mariadb:
auth:
password: "changeme1337"
password: "changeme1337"

15
misc/integrations/autoconf.mariadb.ui.yml
View file

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -45,11 +45,12 @@ services:
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
@ -66,7 +67,7 @@ services:
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.0
image: bunkerity/bunkerweb-ui:1.5.1
networks:
bw-docker:
bw-universe:
@ -78,14 +79,12 @@ services:
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_URL=/changeme"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
volumes:

9
misc/integrations/autoconf.mariadb.yml
View file

@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.0
image: bunkerity/bunkerweb:1.5.1
ports:
- 80:8080
- 443:8443
@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.0
image: bunkerity/bunkerweb-autoconf:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.0
image: bunkerity/bunkerweb-scheduler:1.5.1
depends_on:
- bunkerweb
- bw-docker
@ -45,11 +45,12 @@ services:
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker

Some files were not shown because too many files have changed in this diff Show more