Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update templates

Browse source
This commit is contained in:
Théophile Diot 2024-10-25 17:38:28 +02:00
parent 71e70a0728
commit 0dd1f53fb8
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
6 changed files with 427 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

188
src/common/core/templates/templates/high.json
View file

@ -1,3 +1,189 @@
{
"name": "Advanced security level with focus on robust security measures and comprehensive protection"
"name": "Advanced security level with focus on robust security measures and comprehensive protection",
"settings": {
"SERVER_NAME": "www.example.com",
"USE_REVERSE_PROXY": "yes",
"REVERSE_PROXY_HOST": "http://upstream-server:8080",
"REVERSE_PROXY_URL": "/",
"REVERSE_PROXY_CUSTOM_HOST": "",
"REVERSE_PROXY_SSL_SNI": "no",
"REVERSE_PROXY_SSL_SNI_NAME": "",
"REVERSE_PROXY_WS": "no",
"REVERSE_PROXY_KEEPALIVE": "no",
"AUTO_LETS_ENCRYPT": "yes",
"USE_LETS_ENCRYPT_STAGING": "no",
"ALLOWED_METHODS": "GET|POST|HEAD",
"MAX_CLIENT_SIZE": "10m",
"HTTP2": "yes",
"HTTP3": "yes",
"SSL_PROTOCOLS": "TLSv1.2 TLSv1.3",
"COOKIE_FLAGS": "* HttpOnly SameSite=Lax",
"CONTENT_SECURITY_POLICY": "object-src 'none'; form-action 'self'; frame-ancestors 'self';",
"PERMISSIONS_POLICY": "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=(), interest-cohort=()",
"KEEP_UPSTREAM_HEADERS": "Content-Security-Policy Permissions-Policy X-Frame-Options",
"REFERRER_POLICY": "no-referrer",
"USE_CORS": "no",
"CORS_ALLOW_ORIGIN": "*",
"USE_BAD_BEHAVIOR": "yes",
"BAD_BEHAVIOR_STATUS_CODES": "400 401 403 404 405 429 444",
"BAD_BEHAVIOR_BAN_TIME": "86400",
"BAD_BEHAVIOR_THRESHOLD": "10",
"BAD_BEHAVIOR_COUNT_TIME": "60",
"USE_ANTIBOT": "captcha",
"ANTIBOT_URI": "/challenge",
"ANTIBOT_RECAPTCHA_SCORE": "0.9",
"ANTIBOT_RECAPTCHA_SITEKEY": "",
"ANTIBOT_RECAPTCHA_SECRET": "",
"ANTIBOT_HCAPTCHA_SITEKEY": "",
"ANTIBOT_HCAPTCHA_SECRET": "",
"ANTIBOT_TURNSTILE_SITEKEY": "",
"ANTIBOT_TURNSTILE_SECRET": "",
"USE_BLACKLIST": "yes",
"USE_DNSBL": "yes",
"USE_LIMIT_CONN": "yes",
"LIMIT_CONN_MAX_HTTP1": "10",
"LIMIT_CONN_MAX_HTTP2": "100",
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "2r/s",
"USE_AUTH_BASIC": "no",
"AUTH_BASIC_LOCATION": "sitewide",
"AUTH_BASIC_USER": "changeme",
"AUTH_BASIC_PASSWORD": "changeme",
"AUTH_BASIC_TEXT": "Restricted area",
"BLACKLIST_COUNTRY": "",
"WHITELIST_COUNTRY": "",
"USE_REVERSE_SCAN": "yes",
"REVERSE_SCAN_PORTS": "22 80 443 3128 8000 8080",
"USE_MODSECURITY": "yes",
"USE_MODSECURITY_CRS_PLUGINS": "yes",
"MODSECURITY_CRS_VERSION": "4",
"MODSECURITY_CRS_PLUGIN_URLS": ""
},
"configs": ["modsec/anomaly_score.conf"],
"steps": [
{
"title": "Web service - Front service",
"subtitle": "Configure your web service facing your clients",
"settings": [
"SERVER_NAME",
"AUTO_LETS_ENCRYPT",
"USE_LETS_ENCRYPT_STAGING"
]
},
{
"title": "Web service - Upstream server",
"subtitle": "Configure the upstream server to be protected by BunkerWeb",
"settings": [
"USE_REVERSE_PROXY",
"REVERSE_PROXY_HOST",
"REVERSE_PROXY_URL",
"REVERSE_PROXY_CUSTOM_HOST",
"REVERSE_PROXY_SSL_SNI",
"REVERSE_PROXY_SSL_SNI_NAME",
"REVERSE_PROXY_WS",
"REVERSE_PROXY_KEEPALIVE"
]
},
{
"title": "HTTP - General",
"subtitle": "Configure the settings related to the HTTP(S) protocol",
"settings": [
"MAX_CLIENT_SIZE",
"ALLOWED_METHODS",
"HTTP2",
"HTTP3",
"SSL_PROTOCOLS"
]
},
{
"title": "HTTP - Headers",
"subtitle": "Configure the settings related to the HTTP headers",
"settings": [
"COOKIE_FLAGS",
"CONTENT_SECURITY_POLICY",
"PERMISSIONS_POLICY",
"USE_CORS",
"CORS_ALLOW_ORIGIN",
"KEEP_UPSTREAM_HEADERS",
"REFERRER_POLICY"
]
},
{
"title": "Security - Bad behavior",
"subtitle": "Configure the settings related to the automatic ban when a bad behavior is detected.",
"settings": [
"USE_BAD_BEHAVIOR",
"BAD_BEHAVIOR_STATUS_CODES",
"BAD_BEHAVIOR_BAN_TIME",
"BAD_BEHAVIOR_THRESHOLD",
"BAD_BEHAVIOR_COUNT_TIME"
]
},
{
"title": "Security - Blacklisting",
"subtitle": "Configure the settings related to the external blacklists.",
"settings": ["USE_BLACKLIST", "USE_DNSBL"]
},
{
"title": "Security - Limiting",
"subtitle": "Configure the settings related to limiting requests and connections.",
"settings": [
"USE_LIMIT_CONN",
"LIMIT_CONN_MAX_HTTP1",
"LIMIT_CONN_MAX_HTTP2",
"LIMIT_CONN_MAX_HTTP3",
"USE_LIMIT_REQ",
"LIMIT_REQ_URL",
"LIMIT_REQ_RATE"
]
},
{
"title": "Security - Antibot",
"subtitle": "Configure the settings about bot detection",
"settings": [
"USE_ANTIBOT",
"ANTIBOT_URI",
"ANTIBOT_RECAPTCHA_SCORE",
"ANTIBOT_RECAPTCHA_SITEKEY",
"ANTIBOT_RECAPTCHA_SECRET",
"ANTIBOT_HCAPTCHA_SITEKEY",
"ANTIBOT_HCAPTCHA_SECRET",
"ANTIBOT_TURNSTILE_SITEKEY",
"ANTIBOT_TURNSTILE_SECRET"
]
},
{
"title": "Security - Auth basic",
"subtitle": "Configure HTTP basic authentication",
"settings": [
"USE_AUTH_BASIC",
"AUTH_BASIC_LOCATION",
"AUTH_BASIC_USER",
"AUTH_BASIC_PASSWORD",
"AUTH_BASIC_TEXT"
]
},
{
"title": "Security - Country",
"subtitle": "Configure the settings about country access policy",
"settings": ["BLACKLIST_COUNTRY", "WHITELIST_COUNTRY"]
},
{
"title": "Security - Reverse scan",
"subtitle": "Configure the settings about scanning clients ports",
"settings": ["USE_REVERSE_SCAN", "REVERSE_SCAN_PORTS"]
},
{
"title": "Security - ModSecurity",
"subtitle": "Configure the settings related to the ModSecurity WAF",
"settings": [
"USE_MODSECURITY",
"USE_MODSECURITY_CRS_PLUGINS",
"MODSECURITY_CRS_VERSION",
"MODSECURITY_CRS_PLUGIN_URLS"
],
"configs": ["modsec/anomaly_score.conf"]
}
]
}

19
src/common/core/templates/templates/high/configs/modsec/anomaly_score.conf Normal file
View file

@ -0,0 +1,19 @@
SecAction \
"id:900001,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.7.0-dev',\
setvar:tx.detection_paranoia_level=2"
SecAction \
"id:900110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"

27
src/common/core/templates/templates/low.json
View file

@ -46,12 +46,19 @@
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "5r/s",
"USE_AUTH_BASIC": "no",
"AUTH_BASIC_LOCATION": "sitewide",
"AUTH_BASIC_USER": "changeme",
"AUTH_BASIC_PASSWORD": "changeme",
"AUTH_BASIC_TEXT": "Restricted area",
"BLACKLIST_COUNTRY": "",
"WHITELIST_COUNTRY": "",
"USE_MODSECURITY": "yes",
"USE_MODSECURITY_CRS_PLUGINS": "yes",
"MODSECURITY_CRS_VERSION": "4",
"MODSECURITY_CRS_PLUGIN_URLS": ""
},
"configs": ["modsec/low_anomaly_score.conf"],
"configs": ["modsec/anomaly_score.conf"],
"steps": [
{
"title": "Web service - Front service",
@ -144,6 +151,22 @@
"ANTIBOT_TURNSTILE_SECRET"
]
},
{
"title": "Security - Auth basic",
"subtitle": "Configure HTTP basic authentication",
"settings": [
"USE_AUTH_BASIC",
"AUTH_BASIC_LOCATION",
"AUTH_BASIC_USER",
"AUTH_BASIC_PASSWORD",
"AUTH_BASIC_TEXT"
]
},
{
"title": "Security - Country",
"subtitle": "Configure the settings about country access policy",
"settings": ["BLACKLIST_COUNTRY", "WHITELIST_COUNTRY"]
},
{
"title": "Security - ModSecurity",
"subtitle": "Configure the settings related to the ModSecurity WAF",
@ -153,7 +176,7 @@
"MODSECURITY_CRS_VERSION",
"MODSECURITY_CRS_PLUGIN_URLS"
],
"configs": ["modsec/low_anomaly_score.conf"]
"configs": ["modsec/anomaly_score.conf"]
}
]
}

0
src/common/core/templates/templates/low/configs/modsec/low_anomaly_score.conf → src/common/core/templates/templates/low/configs/modsec/anomaly_score.conf
View file

188
src/common/core/templates/templates/medium.json
View file

@ -1,3 +1,189 @@
{
"name": "Balanced security level that offers a mix of security features and performance optimizations"
"name": "Balanced security level that offers a mix of security features and performance optimizations",
"settings": {
"SERVER_NAME": "www.example.com",
"USE_REVERSE_PROXY": "yes",
"REVERSE_PROXY_HOST": "http://upstream-server:8080",
"REVERSE_PROXY_URL": "/",
"REVERSE_PROXY_CUSTOM_HOST": "",
"REVERSE_PROXY_SSL_SNI": "no",
"REVERSE_PROXY_SSL_SNI_NAME": "",
"REVERSE_PROXY_WS": "no",
"REVERSE_PROXY_KEEPALIVE": "no",
"AUTO_LETS_ENCRYPT": "yes",
"USE_LETS_ENCRYPT_STAGING": "no",
"ALLOWED_METHODS": "GET|POST|HEAD|OPTIONS|PUT|DELETE|PATCH",
"MAX_CLIENT_SIZE": "50m",
"HTTP2": "yes",
"HTTP3": "yes",
"SSL_PROTOCOLS": "TLSv1.2 TLSv1.3",
"COOKIE_FLAGS": "* SameSite=Lax",
"CONTENT_SECURITY_POLICY": "",
"PERMISSIONS_POLICY": "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=(), interest-cohort=()",
"KEEP_UPSTREAM_HEADERS": "*",
"REFERRER_POLICY": "strict-origin-when-cross-origin",
"USE_CORS": "yes",
"CORS_ALLOW_ORIGIN": "*",
"USE_BAD_BEHAVIOR": "yes",
"BAD_BEHAVIOR_STATUS_CODES": "400 401 403 404 405 429 444",
"BAD_BEHAVIOR_BAN_TIME": "14200",
"BAD_BEHAVIOR_THRESHOLD": "15",
"BAD_BEHAVIOR_COUNT_TIME": "60",
"USE_ANTIBOT": "javascript",
"ANTIBOT_URI": "/challenge",
"ANTIBOT_RECAPTCHA_SCORE": "0.7",
"ANTIBOT_RECAPTCHA_SITEKEY": "",
"ANTIBOT_RECAPTCHA_SECRET": "",
"ANTIBOT_HCAPTCHA_SITEKEY": "",
"ANTIBOT_HCAPTCHA_SECRET": "",
"ANTIBOT_TURNSTILE_SITEKEY": "",
"ANTIBOT_TURNSTILE_SECRET": "",
"USE_BLACKLIST": "yes",
"USE_DNSBL": "no",
"USE_LIMIT_CONN": "yes",
"LIMIT_CONN_MAX_HTTP1": "20",
"LIMIT_CONN_MAX_HTTP2": "150",
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "4r/s",
"USE_AUTH_BASIC": "no",
"AUTH_BASIC_LOCATION": "sitewide",
"AUTH_BASIC_USER": "changeme",
"AUTH_BASIC_PASSWORD": "changeme",
"AUTH_BASIC_TEXT": "Restricted area",
"BLACKLIST_COUNTRY": "",
"WHITELIST_COUNTRY": "",
"USE_REVERSE_SCAN": "no",
"REVERSE_SCAN_PORTS": "22 80 443",
"USE_MODSECURITY": "yes",
"USE_MODSECURITY_CRS_PLUGINS": "yes",
"MODSECURITY_CRS_VERSION": "4",
"MODSECURITY_CRS_PLUGIN_URLS": ""
},
"configs": ["modsec/anomaly_score.conf"],
"steps": [
{
"title": "Web service - Front service",
"subtitle": "Configure your web service facing your clients",
"settings": [
"SERVER_NAME",
"AUTO_LETS_ENCRYPT",
"USE_LETS_ENCRYPT_STAGING"
]
},
{
"title": "Web service - Upstream server",
"subtitle": "Configure the upstream server to be protected by BunkerWeb",
"settings": [
"USE_REVERSE_PROXY",
"REVERSE_PROXY_HOST",
"REVERSE_PROXY_URL",
"REVERSE_PROXY_CUSTOM_HOST",
"REVERSE_PROXY_SSL_SNI",
"REVERSE_PROXY_SSL_SNI_NAME",
"REVERSE_PROXY_WS",
"REVERSE_PROXY_KEEPALIVE"
]
},
{
"title": "HTTP - General",
"subtitle": "Configure the settings related to the HTTP(S) protocol",
"settings": [
"MAX_CLIENT_SIZE",
"ALLOWED_METHODS",
"HTTP2",
"HTTP3",
"SSL_PROTOCOLS"
]
},
{
"title": "HTTP - Headers",
"subtitle": "Configure the settings related to the HTTP headers",
"settings": [
"COOKIE_FLAGS",
"CONTENT_SECURITY_POLICY",
"PERMISSIONS_POLICY",
"USE_CORS",
"CORS_ALLOW_ORIGIN",
"KEEP_UPSTREAM_HEADERS",
"REFERRER_POLICY"
]
},
{
"title": "Security - Bad behavior",
"subtitle": "Configure the settings related to the automatic ban when a bad behavior is detected.",
"settings": [
"USE_BAD_BEHAVIOR",
"BAD_BEHAVIOR_STATUS_CODES",
"BAD_BEHAVIOR_BAN_TIME",
"BAD_BEHAVIOR_THRESHOLD",
"BAD_BEHAVIOR_COUNT_TIME"
]
},
{
"title": "Security - Blacklisting",
"subtitle": "Configure the settings related to the external blacklists.",
"settings": ["USE_BLACKLIST", "USE_DNSBL"]
},
{
"title": "Security - Limiting",
"subtitle": "Configure the settings related to limiting requests and connections.",
"settings": [
"USE_LIMIT_CONN",
"LIMIT_CONN_MAX_HTTP1",
"LIMIT_CONN_MAX_HTTP2",
"LIMIT_CONN_MAX_HTTP3",
"USE_LIMIT_REQ",
"LIMIT_REQ_URL",
"LIMIT_REQ_RATE"
]
},
{
"title": "Security - Antibot",
"subtitle": "Configure the settings about bot detection",
"settings": [
"USE_ANTIBOT",
"ANTIBOT_URI",
"ANTIBOT_RECAPTCHA_SCORE",
"ANTIBOT_RECAPTCHA_SITEKEY",
"ANTIBOT_RECAPTCHA_SECRET",
"ANTIBOT_HCAPTCHA_SITEKEY",
"ANTIBOT_HCAPTCHA_SECRET",
"ANTIBOT_TURNSTILE_SITEKEY",
"ANTIBOT_TURNSTILE_SECRET"
]
},
{
"title": "Security - Auth basic",
"subtitle": "Configure HTTP basic authentication",
"settings": [
"USE_AUTH_BASIC",
"AUTH_BASIC_LOCATION",
"AUTH_BASIC_USER",
"AUTH_BASIC_PASSWORD",
"AUTH_BASIC_TEXT"
]
},
{
"title": "Security - Country",
"subtitle": "Configure the settings about country access policy",
"settings": ["BLACKLIST_COUNTRY", "WHITELIST_COUNTRY"]
},
{
"title": "Security - Reverse scan",
"subtitle": "Configure the settings about scanning clients ports",
"settings": ["USE_REVERSE_SCAN", "REVERSE_SCAN_PORTS"]
},
{
"title": "Security - ModSecurity",
"subtitle": "Configure the settings related to the ModSecurity WAF",
"settings": [
"USE_MODSECURITY",
"USE_MODSECURITY_CRS_PLUGINS",
"MODSECURITY_CRS_VERSION",
"MODSECURITY_CRS_PLUGIN_URLS"
],
"configs": ["modsec/anomaly_score.conf"]
}
]
}

9
src/common/core/templates/templates/medium/configs/modsec/anomaly_score.conf Normal file
View file

@ -0,0 +1,9 @@
SecAction \
"id:900110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"