Add log rotation configuration and fix ownership of log directory + refresh linux Dockerfiles

src/linux/Dockerfile-centos

@@ -1,8 +1,19 @@
-FROM quay.io/centos/centos:stream8@sha256:a8692b39e546eed9177d495db1edfd97bb6de70b9527f58aeb72f90b687c3426
+FROM quay.io/centos/centos:stream8@sha256:7b56a6667ca1e57935a055307bca430e1c3d9d328365240c69e21a225f507a5f as builder
 
 ENV OS=centos
 ENV NGINX_VERSION 1.24.0
 
+# Copy centos repo
+COPY src/linux/centos.repo /etc/yum.repos.d/centos.repo
+RUN sed -i "s/%ARCH%/$(uname -m)/g" /etc/yum.repos.d/centos.repo
+
+# Copy RPM-GPG-KEY-CentOS-Official
+COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+
+# Import RPM-GPG-KEY-CentOS-Official
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+COPY src/linux/nginx.repo /etc/yum.repos.d/nginx.repo
+
 # Install Nginx, fpm and dependencies
 RUN dnf update -y && \
     dnf install -y epel-release dnf-plugins-core && \
@@ -21,32 +32,28 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-    chmod +x install.sh && \
-    bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-    cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-    rm -rf /tmp/req
-
 # Compile and install dependencies
 RUN export MAKEFLAGS="-j$(nproc)" && \
-    pip install --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-    pip install --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+    mkdir -p deps/python && \
+    easy_install-3.9 pip && \
+    pip install --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+    pip install --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
-# Copy files
+# Copy BW files
 # can't exclude deps from . so we are copying everything by hand
 COPY src/bw/loading loading
 COPY src/bw/lua lua
@@ -64,33 +71,52 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM quay.io/centos/centos:stream8@sha256:7b56a6667ca1e57935a055307bca430e1c3d9d328365240c69e21a225f507a5f
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN dnf install -y wget redhat-rpm-config rpm-build yum-utils && \
+    wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
+    rpm -Uvh epel-release*rpm && \
+    dnf module -y reset ruby && dnf module -y enable ruby:3.1 && dnf module -y install ruby:3.1/common && \
+    gem install fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
     chmod 755 /usr/bin/bwcli && \
-    mkdir -p /etc/bunkerweb/configs && \
-    mkdir -p /var/cache/bunkerweb/ && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    mkdir -p /var/tmp/bunkerweb/ && \
-    mkdir -p /var/run/bunkerweb/ && \
-    mkdir -p /var/log/bunkerweb/ && \
-    mkdir -p /var/www/html && \
-    mkdir -p /var/lib/bunkerweb && \
+    mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
     echo "Linux" > INTEGRATION && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-    find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-    find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-    chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+    find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+    find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+    chmod 755 /var/log/bunkerweb && \
+    touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+    chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
     find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-    chmod 755 /usr/share/bunkerweb
+    chmod 755 .
+
+# Cleanup
+RUN dnf -y --setopt=install_weak_deps=False autoremove && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-centos /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate RPM at startup
 VOLUME /data

src/linux/Dockerfile-debian

@@ -1,14 +1,12 @@
-FROM debian:bookworm-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37
+FROM debian:bookworm-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc as builder
 
 ENV OS=debian
 ENV NGINX_VERSION 1.24.0
 
-# Install Nginx, fpm and dependencies
+# Install Nginx and dependencies
 RUN apt update && \
     apt install -y --no-install-recommends gnupg2 ca-certificates wget \
-    ruby ruby-dev \
     bash curl libssl-dev git libpcre2-dev zlib1g-dev libyajl2 libyajl-dev yajl-tools pkgconf libcurl4-openssl-dev libgeoip-dev liblmdb-dev apt-utils build-essential autoconf libtool automake g++ gcc libxml2-dev make musl-dev gnupg patch libreadline-dev libpcre3-dev libgd-dev python3 python3-dev python3-pip python3-distutils -y && \
-    gem install fpm && \
     echo "deb https://nginx.org/packages/debian/ bookworm nginx" > /etc/apt/sources.list.d/nginx.list && \
     echo "deb-src https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list && \
     apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62 && \
@@ -21,30 +19,25 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-    chmod +x install.sh && \
-    bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-    cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-    rm -rf /tmp/req
-
 # Compile and install dependencies
 RUN export MAKEFLAGS="-j$(nproc)" && \
-    pip install --break-system-packages --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-    pip install --break-system-packages --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+    mkdir -p deps/python && \
+    pip install --break-system-packages --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+    pip install --break-system-packages --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
 # Copy files
 # can't exclude deps from . so we are copying everything by hand
@@ -64,34 +57,50 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM debian:bookworm-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN apt-get update && \
+    apt-get -y install ruby ruby-dev rubygems build-essential autoconf libtool rpm binutils && \
+    gem install -N fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
     chmod 755 /usr/bin/bwcli && \
-    mkdir -p /etc/bunkerweb/configs && \
-    mkdir -p /var/cache/bunkerweb/ && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    mkdir -p /var/tmp/bunkerweb/ && \
-    mkdir -p /var/run/bunkerweb/ && \
-    mkdir -p /var/log/bunkerweb/ && \
-    mkdir -p /var/www/ && \
-    mkdir -p /var/lib/bunkerweb && \
-    mkdir /var/www/html && \
+    mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
     echo "Linux" > INTEGRATION && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-    find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-    find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-    chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+    find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+    find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+    chmod 755 /var/log/bunkerweb && \
+    touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+    chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
     find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-    chmod 755 /usr/share/bunkerweb
+    chmod 755 .
+
+# Cleanup
+RUN apt-get -f -y --auto-remove remove build-essential autoconf libtool && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-debian /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate DEB at startup
 VOLUME /data

src/linux/Dockerfile-fedora

@@ -1,13 +1,11 @@
-FROM fedora:39@sha256:06df381d697d14940c886fda8e94a4fdc838df74e93f65111ed3ea04f7a7d6e0
+FROM fedora:39@sha256:06df381d697d14940c886fda8e94a4fdc838df74e93f65111ed3ea04f7a7d6e0 as builder
 
 ENV OS=fedora
 ENV NGINX_VERSION 1.24.0
 
 # Install Nginx, fpm and dependencies
 RUN dnf update -y && \
-    dnf install -y curl gnupg2 ca-certificates redhat-lsb-core \
-    ruby ruby-devel make gcc redhat-rpm-config rpm-build && \
-    gem install fpm && \
+    dnf install -y curl gnupg2 ca-certificates redhat-lsb-core make gcc && \
     dnf install -y --setopt=install_weak_deps=False python3 python3-devel python3-pip brotli brotli-devel gperftools-devel perl libxslt-devel libxml2 yajl yajl-devel libxslt bash gd gd-devel gcc-c++ kernel-devel znc-modtcl libmpc-devel gmp-devel gawk mpfr-devel libtool pcre-devel automake autoconf readline-devel gcc make openssl-devel git zlib-devel libxml2-devel pkgconf libcurl-devel geoip-devel lmdb-devel && \
     dnf install nginx-${NGINX_VERSION} -y
 
@@ -17,30 +15,25 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-    chmod +x install.sh && \
-    bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-    cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-    rm -rf /tmp/req
-
 # Compile and install dependencies
 RUN export MAKEFLAGS="-j$(nproc)" && \
-    pip install --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-    pip install --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+    mkdir -p deps/python && \
+    pip install --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+    pip install --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
 # Copy files
 # can't exclude deps from . so we are copying everything by hand
@@ -60,33 +53,50 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM fedora:39@sha256:06df381d697d14940c886fda8e94a4fdc838df74e93f65111ed3ea04f7a7d6e0
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN dnf update -y && \
+    dnf install -y ruby ruby-devel redhat-rpm-config rpm-build && \
+    gem install -N fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
     chmod 755 /usr/bin/bwcli && \
-    mkdir -p /etc/bunkerweb/configs && \
-    mkdir -p /var/cache/bunkerweb/ && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    mkdir -p /var/tmp/bunkerweb/ && \
-    mkdir -p /var/run/bunkerweb/ && \
-    mkdir -p /var/log/bunkerweb/ && \
-    mkdir -p /var/www/html && \
-    mkdir -p /var/lib/bunkerweb && \
+    mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
     echo "Linux" > INTEGRATION && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-    find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-    find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-    chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+    find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+    find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+    chmod 755 /var/log/bunkerweb && \
+    touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+    chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
     find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-    chmod 755 /usr/share/bunkerweb
+    chmod 755 .
+
+# Cleanup
+RUN dnf -y --setopt=install_weak_deps=False autoremove && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-fedora /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate RPM at startup
 VOLUME /data

src/linux/Dockerfile-rhel

@@ -1,4 +1,4 @@
-FROM redhat/ubi8:8.9@sha256:1fdb97f2d2a44fdef3feaa69100f154631bae65130105ac685d0e34eb1d8c3d0
+FROM redhat/ubi8:8.9@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac as builder
 
 ENV OS=rhel
 ENV NGINX_VERSION 1.24.0
@@ -14,12 +14,9 @@ COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosoff
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 # Install Nginx, fpm and dependencies
-RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build wget \
-  yum-utils && \
+RUN dnf install -y wget make yum-utils && \
   wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
   rpm -Uvh epel-release*rpm && \
-  dnf module -y reset ruby && dnf module -y enable ruby:3.1 && dnf module -y install ruby:3.1/common && \
-  gem install fpm && \
   dnf install -y --skip-broken --setopt=install_weak_deps=False readline-devel python39 python39-devel python39-setuptools brotli brotli-devel gperftools-devel perl libxslt-devel libxml2 yajl yajl-devel libxslt bash gd gd-devel gcc-c++ curl znc-modtcl gawk libtool pcre-devel automake autoconf gcc make openssl-devel git zlib-devel libxml2-devel pkgconf libcurl-devel geoip-devel && \
   wget https://nginx.org/packages/rhel/8/$(uname -m)/RPMS/nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm && \
   dnf install nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm -y && \
@@ -31,31 +28,26 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-  chmod +x install.sh && \
-  bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-  cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-  rm -rf /tmp/req
-
 # Compile and install dependencies
-RUN easy_install-3.9 pip && \
-  export MAKEFLAGS="-j$(nproc)" && \
-  pip install --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-  pip install --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+RUN export MAKEFLAGS="-j$(nproc)" && \
+  mkdir -p deps/python && \
+  easy_install-3.9 pip && \
+  pip install --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+  pip install --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
 # Copy BW files
 # can't exclude deps from . so we are copying everything by hand
@@ -75,33 +67,52 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM redhat/ubi8:8.9@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN dnf install -y wget redhat-rpm-config rpm-build yum-utils && \
+  wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
+  rpm -Uvh epel-release*rpm && \
+  dnf module -y reset ruby && dnf module -y enable ruby:3.1 && dnf module -y install ruby:3.1/common && \
+  gem install fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
   chmod 755 /usr/bin/bwcli && \
-  mkdir -p /etc/bunkerweb/configs && \
-  mkdir -p /var/cache/bunkerweb/ && \
-  mkdir -p /etc/bunkerweb/plugins && \
-  mkdir -p /var/tmp/bunkerweb/ && \
-  mkdir -p /var/run/bunkerweb/ && \
-  mkdir -p /var/log/bunkerweb/ && \
-  mkdir -p /var/www/html && \
-  mkdir -p /var/lib/bunkerweb && \
+  mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
   echo "Linux" > INTEGRATION && \
-  mkdir -p /etc/bunkerweb/plugins && \
-  for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-  find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-  find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-  chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-  chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+  find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+  find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+  chmod 755 /var/log/bunkerweb && \
+  touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+  chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+  chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
   find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-  chmod 755 /usr/share/bunkerweb
+  chmod 755 .
+
+# Cleanup
+RUN dnf -y --setopt=install_weak_deps=False autoremove && \
+  dnf clean all && \
+  rm -rf /var/cache/dnf
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-rhel /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate RPM at startup
 VOLUME /data

src/linux/Dockerfile-rhel9

@@ -1,4 +1,4 @@
-FROM redhat/ubi9:9.3@sha256:1fafb0905264413501df60d90a92ca32df8a2011cbfb4876ddff5ceb20c8f165
+FROM redhat/ubi9:9.3@sha256:1fafb0905264413501df60d90a92ca32df8a2011cbfb4876ddff5ceb20c8f165 as builder
 
 ENV OS=rhel
 ENV NGINX_VERSION 1.24.0
@@ -14,12 +14,9 @@ COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosoff
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 # Install Nginx, fpm and dependencies
-RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build wget \
-  yum-utils && \
+RUN dnf install -y wget make yum-utils && \
   wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
   rpm -Uvh epel-release*rpm && \
-  dnf module -y reset ruby && dnf module -y enable ruby:3.1 && dnf module -y install ruby:3.1/common && \
-  gem install fpm && \
   dnf install -y --skip-broken --setopt=install_weak_deps=False readline-devel python39 brotli brotli-devel gperftools-devel perl libxslt-devel libxml2 yajl libxslt bash gd gd-devel gcc-c++ znc-modtcl gawk libtool pcre-devel automake autoconf gcc make openssl-devel git zlib-devel libxml2-devel pkgconf libcurl-devel libmaxminddb && \
   wget https://nginx.org/packages/rhel/9/$(uname -m)/RPMS/nginx-${NGINX_VERSION}-1.el9.ngx.$(uname -m).rpm && \
   dnf install nginx-${NGINX_VERSION}-1.el9.ngx.$(uname -m).rpm -y && \
@@ -31,31 +28,26 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-  chmod +x install.sh && \
-  bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-  cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-  rm -rf /tmp/req
-
 # Compile and install dependencies
 RUN export MAKEFLAGS="-j$(nproc)" && \
+  mkdir -p deps/python && \
   python3 -m ensurepip --upgrade && \
-  python3 -m pip install --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-  python3 -m pip install --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+  python3 -m pip install --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+  python3 -m pip install --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
 # Copy BW files
 # can't exclude deps from . so we are copying everything by hand
@@ -75,33 +67,52 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM redhat/ubi9:9.3@sha256:1fafb0905264413501df60d90a92ca32df8a2011cbfb4876ddff5ceb20c8f165
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN dnf install -y wget redhat-rpm-config rpm-build yum-utils && \
+  wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+  rpm -Uvh epel-release*rpm && \
+  dnf module -y reset ruby && dnf module -y enable ruby:3.1 && dnf module -y install ruby:3.1/common && \
+  gem install fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
   chmod 755 /usr/bin/bwcli && \
-  mkdir -p /etc/bunkerweb/configs && \
-  mkdir -p /var/cache/bunkerweb/ && \
-  mkdir -p /etc/bunkerweb/plugins && \
-  mkdir -p /var/tmp/bunkerweb/ && \
-  mkdir -p /var/run/bunkerweb/ && \
-  mkdir -p /var/log/bunkerweb/ && \
-  mkdir -p /var/www/html && \
-  mkdir -p /var/lib/bunkerweb && \
+  mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
   echo "Linux" > INTEGRATION && \
-  mkdir -p /etc/bunkerweb/plugins && \
-  for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-  find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-  find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-  chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-  chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+  find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+  find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+  chmod 755 /var/log/bunkerweb && \
+  touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+  chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+  chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
   find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-  chmod 755 /usr/share/bunkerweb
+  chmod 755 .
+
+# Cleanup
+RUN dnf -y --setopt=install_weak_deps=False autoremove && \
+  dnf clean all && \
+  rm -rf /var/cache/dnf
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-rhel9 /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate RPM at startup
 VOLUME /data

src/linux/Dockerfile-ubuntu

@@ -1,14 +1,12 @@
-FROM ubuntu:22.04@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b
+FROM ubuntu:22.04@sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da as builder
 
 ENV OS=ubuntu
 ENV NGINX_VERSION 1.24.0
 
-# Install Nginx, fpm and dependencies
+# Install Nginx and dependencies
 RUN apt update && \
     apt install -y --no-install-recommends curl gnupg2 ca-certificates lsb-release ubuntu-keyring software-properties-common \
-    ruby ruby-dev \
     bash libssl-dev git libpcre++-dev zlib1g-dev libyajl2 libyajl-dev yajl-tools pkgconf libcurl4-openssl-dev libgeoip-dev liblmdb-dev apt-utils build-essential autoconf libtool automake g++ gcc libxml2-dev make musl-dev gnupg patch libreadline-dev libpcre3-dev libgd-dev python3 python3-dev python3-pip -y && \
-    gem install fpm && \
     echo "deb https://nginx.org/packages/ubuntu/ jammy nginx" > /etc/apt/sources.list.d/nginx.list && \
     echo "deb-src https://nginx.org/packages/ubuntu/ jammy nginx" >> /etc/apt/sources.list.d/nginx.list && \
     apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62 && \
@@ -21,30 +19,25 @@ WORKDIR /tmp/bunkerweb/deps
 COPY src/deps/misc misc
 COPY src/deps/src src
 COPY src/deps/deps.json deps.json
-COPY src/deps/install.sh install.sh
+COPY --chmod=644 src/deps/install.sh install.sh
 
 # Compile and install dependencies
-RUN mkdir -p /usr/share/bunkerweb/deps/python && \
-    chmod +x install.sh && \
-    bash install.sh
+RUN bash install.sh
 
 # Copy dependencies sources folder
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
-COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
-COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
+COPY src/scheduler/requirements.txt /tmp/req/requirements-scheduler.txt
+COPY src/ui/requirements.txt /tmp/req/requirements-ui.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements-gen.txt
+COPY src/common/db/requirements.txt /tmp/req/requirements-db.txt
 
 WORKDIR /usr/share/bunkerweb
 
-RUN mkdir -p deps/python && \
-    cat /tmp/req/requirements.txt* > deps/requirements.txt && \
-    rm -rf /tmp/req
-
 # Compile and install dependencies
 RUN export MAKEFLAGS="-j$(nproc)" && \
-    pip install --no-cache-dir --ignore-installed --require-hashes -r /tmp/requirements-deps.txt && \
-    pip install --no-cache-dir --require-hashes --target deps/python -r deps/requirements.txt
+    mkdir -p deps/python && \
+    pip install --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
+    pip install --no-cache-dir --require-hashes --target deps/python $(for file in $(ls /tmp/req/requirements*.txt) ; do echo "-r ${file}" ; done | xargs)
 
 # Copy files
 # can't exclude deps from . so we are copying everything by hand
@@ -64,33 +57,50 @@ COPY src/scheduler scheduler
 COPY src/ui ui
 COPY src/VERSION VERSION
 
+FROM ubuntu:22.04@sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da
+
+# Set default umask to prevent huge recursive chmod increasing the final image size
+RUN umask 027
+
+# Copy dependencies
+COPY --from=builder --chown=0:101 /etc/nginx /etc/nginx
+COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb
+
+WORKDIR /usr/share/bunkerweb
+
+# Install fpm
+RUN apt-get update && \
+    apt-get -y install ruby ruby-dev rubygems build-essential autoconf libtool rpm binutils && \
+    gem install -N fpm
+
 # Setup BW
 RUN cp helpers/bwcli /usr/bin/ && \
     chmod 755 /usr/bin/bwcli && \
-    mkdir -p /etc/bunkerweb/configs && \
-    mkdir -p /var/cache/bunkerweb/ && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    mkdir -p /var/tmp/bunkerweb/ && \
-    mkdir -p /var/run/bunkerweb/ && \
-    mkdir -p /var/log/bunkerweb/ && \
-    mkdir -p /var/www/html && \
-    mkdir -p /var/lib/bunkerweb && \
+    mkdir -p /etc/bunkerweb/configs /etc/bunkerweb/plugins /var/cache/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb /var/lib/bunkerweb /var/www/html && \
     echo "Linux" > INTEGRATION && \
-    mkdir -p /etc/bunkerweb/plugins && \
-    for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir -p "/etc/bunkerweb/${dir}" ; done && \
-    find /usr/share/bunkerweb -path deps -prune -o -type f -exec chmod 0740 {} \; && \
-    find /usr/share/bunkerweb -path deps -prune -o -type d -exec chmod 0750 {} \; && \
-    chmod -R 770 /var/cache/bunkerweb/ /var/lib/bunkerweb/ /etc/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ /var/log/bunkerweb/ && \
-    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py deps/python/bin/* helpers/*.sh /var/www/ && \
+    find . -path deps -prune -o -type f -exec chmod 0740 {} \; && \
+    find . -path deps -prune -o -type d -exec chmod 0750 {} \; && \
+    chmod 755 /var/log/bunkerweb && \
+    touch /var/log/bunkerweb/error.log /var/log/bunkerweb/access.log /var/log/bunkerweb/modsec_audit.log && \
+    chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ /var/run/bunkerweb/ && \
+    chmod 750 gen/*.py scheduler/*.py cli/*.py ui/*.py ui/src/*.py helpers/*.sh /var/www/ && \
     find core/*/jobs/* -type f -exec chmod 750 {} \; && \
-    chmod 755 /usr/share/bunkerweb
+    chmod 755 .
+
+# Cleanup
+RUN apt-get -f -y --auto-remove remove build-essential autoconf libtool && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --chmod=660 src/bw/misc/asn.mmdb /var/tmp/bunkerweb/asn.mmdb
+COPY --chmod=660 src/bw/misc/country.mmdb /var/tmp/bunkerweb/country.mmdb
 
 # Copy Linux files
-COPY src/linux/scripts scripts
-COPY src/linux/fpm.sh /usr/share/fpm.sh
-RUN chmod +x scripts/*.sh /usr/share/fpm.sh
+COPY --chmod=740 src/linux/scripts scripts
+COPY --chmod=740 src/linux/fpm.sh /usr/share/fpm.sh
 COPY src/linux/fpm-ubuntu /usr/share/.fpm
-COPY src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/*.service /lib/systemd/system/
+COPY --chmod=644 src/linux/bunkerweb.logrotate /etc/logrotate.d/bunkerweb
 
 # Generate DEB at startup
 VOLUME /data

src/linux/bunkerweb.logrotate

@@ -0,0 +1,12 @@
+/var/log/bunkerweb/*.log
+{
+    daily
+    rotate 7
+    copytruncate
+    compress
+    delaycompress
+    missingok
+    notifempty
+    dateext
+    create 0640 root nginx
+}

src/linux/fpm-centos

@@ -10,4 +10,4 @@
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveRPM.sh
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/fpm-debian

@@ -3,11 +3,11 @@
 --license agpl3
 --version %VERSION%
 --architecture %ARCH%
---depends bash --depends python3 --depends procps --depends python3-pip --depends 'nginx = 1.24.0-1~bookworm' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends lsof --depends libpq5 --depends libpcre3 --depends libcap2-bin
+--depends bash --depends python3 --depends procps --depends python3-pip --depends 'nginx = 1.24.0-1~bookworm' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends lsof --depends libpq5 --depends libpcre3 --depends libcap2-bin --depends logrotate
 --description "BunkerWeb %VERSION% for Debian 12"
 --url "https://www.bunkerweb.io"
 --maintainer "Bunkerity <contact at bunkerity dot com>"
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveDEB.sh
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/fpm-fedora

@@ -3,11 +3,11 @@
 --license agpl3
 --version %VERSION%
 --architecture %ARCH%
---depends bash --depends python3 --depends 'nginx >= 1:1.24.0' --depends 'nginx < 1:1.25.0' --depends libcurl-devel --depends libxml2 --depends yajl --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream --depends pcre --depends libpq --depends libcap --depends openssl
+--depends bash --depends python3 --depends 'nginx >= 1:1.24.0' --depends 'nginx < 1:1.25.0' --depends libcurl-devel --depends libxml2 --depends yajl --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream --depends pcre --depends libpq --depends libcap --depends openssl --depends logrotate
 --description "BunkerWeb %VERSION% for Fedora 39"
 --url "https://www.bunkerweb.io"
 --maintainer "Bunkerity <contact at bunkerity dot com>"
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveRPM.sh
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/fpm-rhel

@@ -10,4 +10,4 @@
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveRPM.sh
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/fpm-rhel9

@@ -10,4 +10,4 @@
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveRPM.sh
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/fpm-ubuntu

@@ -3,7 +3,7 @@
 --license agpl3
 --version %VERSION%
 --architecture %ARCH%
---depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.24.0-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends procps --depends lsof --depends libpq5 --depends libcap2-bin
+--depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.24.0-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends procps --depends lsof --depends libpq5 --depends libcap2-bin --depends logrotate
 --description "BunkerWeb %VERSION% for Ubuntu 22.04"
 --url "https://www.bunkerweb.io"
 --maintainer "Bunkerity <contact at bunkerity dot com>"
@@ -11,4 +11,4 @@
 --after-install /usr/share/bunkerweb/scripts/postinstall.sh
 --after-remove /usr/share/bunkerweb/scripts/afterRemoveDEB.sh
 --deb-no-default-config-files
-/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb
+/usr/share/bunkerweb/=/usr/share/bunkerweb/ /usr/bin/bwcli=/usr/bin/bwcli /etc/bunkerweb/=/etc/bunkerweb /var/tmp/bunkerweb/=/var/tmp/bunkerweb /var/run/bunkerweb/=/var/run/bunkerweb /var/log/bunkerweb/=/var/log/bunkerweb /var/cache/bunkerweb/=/var/cache/bunkerweb /lib/systemd/system/bunkerweb.service=/lib/systemd/system/bunkerweb.service /lib/systemd/system/bunkerweb-ui.service=/lib/systemd/system/bunkerweb-ui.service /var/lib/bunkerweb/=/var/lib/bunkerweb /etc/logrotate.d/bunkerweb=/etc/logrotate.d/bunkerweb

src/linux/scripts/postinstall.sh

@@ -18,6 +18,7 @@ function do_and_check_cmd() {
 # Give all the permissions to the nginx user
 echo "Setting ownership for all necessary directories to nginx user and group..."
 do_and_check_cmd chown -R nginx:nginx /usr/share/bunkerweb /var/cache/bunkerweb /var/lib/bunkerweb /etc/bunkerweb /var/tmp/bunkerweb /var/run/bunkerweb /var/log/bunkerweb
+do_and_check_cmd chown root:root /var/log/bunkerweb
 
 # Stop and disable nginx on boot
 echo "Stop and disable nginx on boot..."