Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #353 from TheophileDiot/1.5

Browse source 
Merge branch 'dev' (softly)
This commit is contained in:
Florian Pitance 2022-11-15 16:58:03 +01:00 committed by GitHub
commit 1a7d8978b1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 805 additions and 180 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docs/assets/img/core-order.svg Executable file
View file

File diff suppressed because one or more lines are too long
Side by side

After

Width:  |  Height:  |  Size: 42 KiB

441
docs/backup-new-integrations.md Normal file
View file

@ -0,0 +1,441 @@
****** INTEGRATIONS ******
=== "RHEL"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.20.2 :
```shell
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.4 :
```shell
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
rpm -Uvh epel-release*rpm && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.4
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
## Vagrant
<figure markdown>
![Overwiew](assets/img/integration-ansible.svg){ align=center }
<figcaption>Vagrant integration</figcaption>
</figure>
List of supported Linux distros :
- Ubuntu 22.04 "Jammy"
[Vagrant](https://www.vagrantup.com/docs) is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the "works on my machine" excuse a relic of the past.
A specific BunkerWeb box is available on vagrantup.
First of all download the box from vagrantup : ```shell vagrant box add bunkerity/bunkerity```
Then an list of boxes should appear, select the one whith your provider (virtualbox, vmware, libvirt).
This will download the box named bunkerity/bunkerity from [HashiCorp's Vagrant Cloud box catalog](https://vagrantcloud.com/boxes/search), where you can find and host boxes.
Now you've added a box to Vagrant either by initializing or adding it explicitly, you need to configure your project to use it as a base.
For initializing a new Vagrant project, you can use the `vagrant init bunkerity/bunkerity` command. This will create a Vagrantfile in the current directory.
Open the Vagrantfile and replace the contents with the following.
```shell
Vagrant.configure("2") do |config|
config.vm.box = "bunkerity/bunkerity"
end
```
Vagrant will automatically download the box in his latest version and add it to your Vagrant environment. If you want to use a specific version of the box, you can use the `config.vm.box_version` option.
For exemple:
```shell
Vagrant.configure("2") do |config|
config.vm.box = "bunkerity/bunkerity"
config.vm.box_version = "1.4.2"
end
```
Now you can start the box :
```shell
vagrant up
```
And then connect to it :
```shell
vagrant ssh
```
****** QUICKSTART ******
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1
```
Configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file.
Connect to your vagrant machine :
```shell
vagrant ssh
```
And then you can edit the `variables.env` file in your host machine like this :
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
REVERSE_PROXY_HOST=http://127.0.0.1:8000
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#Vagrant) stack running on your machine with some web applications running on the same machine as BunkerWeb.
Let's assume that you have some web applications running on the same machine as BunkerWeb :
=== "App #1"
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8001
```
=== "App #2"
The following command will run a basic HTTP server on the port 8002 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8002
```
=== "App #3"
The following command will run a basic HTTP server on the port 8003 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1 8003
```
Connect to your vagrant machine :
```shell
vagrant ssh
```
Configuration of BunkerWeb is done by editing the /etc/bunkerweb/variables.env file :
```conf
SERVER_NAME=app1.example.com app2.example.com app3.example.com
HTTP_PORT=80
HTTPS_PORT=443
MULTISITE=yes
DNS_RESOLVERS=8.8.8.8 8.8.4.4
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
app1.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8001
app2.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8002
app3.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8003
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=X-Forwarded-For
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
USE_PROXY_PROTOCOL=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=proxy_protocol
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
When using the [Vagrant integration](/1.4/integrations/#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions :
```shell
chown -R root:nginx /etc/bunkerweb/configs && \
chmod -R 770 /etc/bunkerweb/configs
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP application. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=www.example.com
AUTO_LETS_ENCRYPT=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/var/www/html/
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](/1.4/integrations/#vagrant) stack running on your machine.
By default, BunkerWeb will search for web files inside the `/var/www/html` folder. You can use it to store your PHP applications : each application will be in its own subfolder named the same as the primary server name. Please note that you will need to configure your PHP-FPM service to get or set the user/group of the running processes and the UNIX socket file used to communicate with BunkerWeb.
First of all, you will need to make sure that your PHP-FPM instance can access the files inside the `/var/www/html` folder and also that BunkerWeb can access the UNIX socket file in order to communicate with PHP-FPM. We recommend to set a different user like `www-data` for the PHP-FPM service and to give the nginx group access to the UNIX socket file. Here is corresponding PHP-FPM configuration :
```ini
...
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = nginx
listen.mode = 0660
...
```
Don't forget to restart your PHP-FPM service :
```shell
systemctl restart php8.1-fpm
```
Once your application is copied to the `/var/www/html` folder, you will need to fix the permissions so BunkerWeb (user/group nginx) can at least read files and list folders and PHP-FPM (user/group www-data) is the owner of the files and folders :
```shell
chown -R www-data:nginx /var/www/html && \
find /var/www/html -type f -exec chmod 0640 {} \; && \
find /var/www/html -type d -exec chmod 0750 {} \;
```
You can now edit the `/etc/bunkerweb/variable.env` file :
```env
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
SERVER_NAME=app1.example.com app2.example.com app3.example.com
MULTISITE=yes
AUTO_LETS_ENCRYPT=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
****** PLUGINS ******
=== "Vagrant"
When using the [Linux integration](/1.4/integrations/#linux), plugins must be written to the `/etc/bunkerweb/plugins` folder :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins && \
cp -rp ./bunkerweb-plugins/* /data/plugins
```
****** UI ******
=== "Vagrant"
The installation of the web UI using the [Vagrant integration](/1.4/integrations/#vagrant) is pretty straightforward because it is installed with BunkerWeb.
The first thing to do is to edit the BunkerWeb configuration located at **/etc/bunkerweb/variables.env** to add settings related to the web UI :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
...
SERVER_NAME=bwadm.example.com
MULTISITE=yes
USE_API=yes
API_WHITELIST_IP=127.0.0.0/8
bwadm.example.com_USE_UI=yes
bwadm.example.com_USE_REVERSE_PROXY=yes
bwadm.example.com_REVERSE_PROXY_URL=/changeme/
bwadm.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
...
```
Important things to note :
* `bwadm.example.com` is the dedicated (sub)domain for accessing the web UI
* replace the `/changeme` URLs with a custom one of your choice
Once the configuration file is edited, you will need to restart BunkerWeb :
```shell
systemctl restart bunkerweb
```
You can edit the **/etc/bunkerweb/ui.env** file containing the settings of the web UI :
```conf
ADMIN_USERNAME=admin
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/
```
Important things to note :
* `http(s)://bwadmin.example.com/changeme/` is the full base URL of the web UI (must match the sub(domain) and /changeme URL used in **/etc/bunkerweb/variables.env**)
* replace the username `admin` and password `changeme` with strong ones
Restart the BunkerWeb UI service and you are now ready to access it :
```shell
systemctl restart bunkerweb-ui
```
****** TROUBLE ******
=== "Vagrant"
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/nginx` directory :
```shell
cat /var/log/nginx/error.log
cat /var/log/nginx/access.log
```
=== "Vagrant"
You can use the `bwcli` command (as root) :
```shell
sudo bwcli unban 1.2.3.4
```

1
docs/diagrams/core-order.drawio Executable file
View file

@ -0,0 +1 @@
<mxfile host="app.diagrams.net" modified="2022-10-13T12:11:36.746Z" agent="5.0 (Windows)" etag="qIM9S_K3KBWfpHSqmD4a" version="20.4.0"><diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">7Z1df6I4FIc/jZfdHxDevFSkrVuHzqjdrntHlVF20HQR2zqffkMhAglqtEJoYW4Gjrz/z3OScxJoCxjLtxvffl58gzPHa0nC7K0Fei1JkkRdR/+Flm1sAWo7ssx9dxbZxMQwcn87sVGIrRt35qwzGwYQeoH7nDVO4WrlTIOMzfZ9+Jrd7Cf0smd9tucOZRhNbY+2PrqzYBFZdUlL7LeOO1/gM4v4/pY23ji+k/XCnsHXlAmYLWD4EAbR0vLNcLzw6eHn8tjfPnqDX+rNnz/W/9kP3bux9ddVdLDrU3bZ3YLvrIKzD73a2Lf9lfFyfbUdXc2DjvjPuH8lg+jYL7a3iR9YfLPBFj9BZ4YeaLwK/WAB53Ble2Zi7fpws5o54XkEtJZsM4DwGRlFZPzXCYJt7B32JoDItAiWXvxrdM7wRIRoR+443m4NN/7UOXCbsYKB7c+d4NDjkHa6IiIcuHQCf4t29B3PDtyX7NXZsWfOd9slTx8txAKcIIaQo4XqoevtztwXtDgPFzuGYY5G+Ad0ntRvOZt3zZu+he1PPrkluT8pvechTkOJXxdu4Iye7ffH/IpiRZ6AL44fOG9nSEg/cRyA2nJ0nDj8KNHaa0KyiPFcpCjWhYIkwnh8cV5kRl6kPeqVw4tMafF42x+bg/5obKI19GyvKXH8BVw+bdbHPfqn63kG9KD/vh8QRUXVtNAOV0HKfv3+r0ACVFXIEHCF/T3NgJLDgAgKg4B+8F8Rgl135SgFgCcF+MBHmo3B0Oz0JiEVzI0B3Zh0LCsh68w2hZ3APaTtI7MoAvV29QhU60EgYCVQ4Uog3YnuDjrG3YUaoopgIO56WhXiQK8HBworBxpXDhRKjZuhOfliGAClehhoLF0A4/7BGg8nTWt/WF9Fr5y+oB5Zp9RmDHOAa9qJL/Mwbbuol5RfjhLXs0bdQe2BE9v8gatHhgtYM1zANcMFTBnuOcB1H6w7c2iZ49pBR/ZiqgBdXi+mfOjQY/W3f6dXJuHB/lDwau8tPni0to3XCoeVNRkG+gdhjXf9Dl104YnLCHLWZSRFyR4jurJ4N8IZdtfxAf/IG6uikB52xiYz/4P+t/64hn1cMpWvAv108niQfsd7gq9p8N8N6IfwcblT23sHdNYJh5CRderZ67U7zeqRjRXngu+8ucFuN7Sc2gutJTuFK2UFC5wRHq8YtPM9JeUIeX6AbR+NKaqWdUSF9K/oTqmYQh9JI1xaJscA90Qn5CD2NrXZc7jB+sAla8SAjKhmxt3RQnTIi8Y+WWmaQrKFYxnP55oogrzqJD0yY4373fuwB2rcmsYdc9tlmWavfk2X1q5cy4W7RRedt2Fava8zawMpQotU6rwNWW3iJxkWWeKnkK9zSfM7mPL+UQqVo1gZt53BwLRu9qYIZHzcuYDIECOzsRB1BAxVPxA7i8JPJgpqzNOm1MLwk7niJ1QMP4kVP670SSz0fR/en9SuDc0fD+ZofH6H5SsAydocFscj04Bhz7TYRwsbYdMq8lP2xBkRBZZRUoF2komzh8soeLkKZRSZtYyyr6NUThll97JF7IaA7EezVlEkorYByKTpQkUUmaw/KmXUUPLGbT9VhTHBYdJK6o2cKozMOcSeOUnloLErKOKyIBl5WdEgR6llsRg0qAJHGWgoeSWMBo2ip63yRUMjau9y+0w0dLL0LheDRlvggUZeEaJBo+iZrJxbDeFSrYZSTqshCjx6VEpeiaBho+gxW85skEO2pEuzsqGSzQYJ2aXYEAEPNk58s7rqbAh82WCdGsyZDfVIT4iZDTKjJ/tmn5uNE6fXNmwcYoN5Fi/ndIPwtLOn+mhkJl7UTB8+fapPPw+uUmx8jlScDPfntxtkAbegdqMt8kCDbT7VYHD/2Axb5XrznmErgN2N27CV0tTmecyPVPa8KlBSb5kojijnDlupwpGuxYWiHjlbGWglRD3MXAXQIEZ0RVY00t0BziO6CvPUYa4juoB412ZXkDwVDUAMJ8lKMWjIZMJaBhpasXnkCq6cg1yc0eFFh792w7ssZ/4CTx/WyfB+bqFQJI+EneviGR8gP7ZVxrsdGkvGV0pf5oPuWPHuxnE3Yq5AENGZtXJ9MY+hEyHrnvIZlDQEWS9ZBz785eBMIw5v6aQkNtmeO1+FroZkd5C9i+NjJ/5h6c5m7wE0L+HJ+mKroByGHHSmp1SqOa5U2EsgGp3A1E4SUSAjPl9NdLrnXD9NJL1amtDTKSbmqG6iKGK1RJEaUChN8mbpl6sKPYJcP1U08jslgLcqdM5ZP1XIRoU/K3QOVT9VBKFqqtCfqa1fY08WjfmrQr/8VTtWdLJcib+ozE0UOqWvISrkpzfxRCFeqrTpDLJ+qlBj/XidmypNDhmqIFdNliaLROmJVjVV6CyyhrAoxBdp+MtCp5GNLLtvqfGThc4jaygLFcS4y9IkknktfnGyoNXkDxtGw5bJ34cE5v8=</diagram></mxfile>

97
docs/integrations.md
View file

@ -12,7 +12,7 @@ Using BunkerWeb as a [Docker](https://www.docker.com/) container is a quick and
We provide ready-to-use prebuilt images for x64, x86 armv8 and armv7 architectures on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb) :
```shell
docker pull bunkerity/bunkerweb:1.4.3
docker pull bunkerity/bunkerweb:1.4.4
```
Alternatively, you can build the Docker images directly from the [source](https://github.com/bunkerity/bunkerweb) (and get a coffee ☕ because it may take a long time depending on your hardware) :
@ -39,7 +39,7 @@ docker run \
-e MY_SETTING=value \
-e "MY_OTHER_SETTING=value with spaces" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -48,7 +48,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
environment:
- MY_SETTING=value
```
@ -73,7 +73,7 @@ docker run \
...
-v bw_data:/data \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -82,7 +82,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
volumes:
- bw_data:/data
...
@ -152,7 +152,7 @@ docker run \
...
--network mynetwork \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
You will also need to do the same with your web application(s). Please note that the other containers are accessible using their name as the hostname.
@ -163,7 +163,7 @@ Here is the docker-compose equivalent :
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
networks:
- bw-net
...
@ -204,7 +204,7 @@ docker network create bw-services
- One for communication between **BunkerWeb** and **autoconf**
- Another one for communication between **BunkerWeb** and **web applications**
You can now create the BunkerWeb container with the `AUTOCONF_MODE=yes` setting and the `bunkerweb.INSTANCE` label (replace 10.20.30.0/24 with the subnet specified before) :
You can now create the BunkerWeb container with the `AUTOCONF_MODE=yes` setting and the `bunkerweb.AUTOCONF` label (replace 10.20.30.0/24 with the subnet specified before) :
```shell
docker run \
@ -217,8 +217,8 @@ docker run \
-e MULTISITE=yes \
-e SERVER_NAME= \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.4.3 && \
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.4 && \
docker network connect bw-services mybunker
```
@ -235,7 +235,7 @@ docker run \
--network bw-autoconf \
-v bw-data:/data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
bunkerity/bunkerweb-autoconf:1.4.3
bunkerity/bunkerweb-autoconf:1.4.4
```
Here is the docker-compose equivalent for the BunkerWeb autoconf stack :
@ -246,7 +246,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- 80:8080
- 443:8443
@ -256,13 +256,13 @@ services:
- SERVER_NAME=
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
labels:
- "bunkerweb.INSTANCE"
- "bunkerweb.AUTOCONF"
networks:
- bw-autoconf
- bw-services
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.3
image: bunkerity/bunkerweb-autoconf:1.4.4
volumes:
- bw-data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -363,8 +363,8 @@ docker service create \
-e SERVER_NAME= \
-e MULTISITE=yes \
-e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \
-l bunkerweb.INSTANCE \
bunkerity/bunkerweb:1.4.3
-l bunkerweb.AUTOCONF \
bunkerity/bunkerweb:1.4.4
```
And the autoconf one :
@ -378,7 +378,7 @@ docker service \
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
--mount type=volume,source=bw-data,destination=/data \
-e SWARM_MODE=yes \
bunkerity/bunkerweb-autoconf:1.4.3
bunkerity/bunkerweb-autoconf:1.4.4
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
@ -389,7 +389,7 @@ version: '3.5'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- published: 80
target: 8080
@ -413,10 +413,10 @@ services:
constraints:
- "node.role==worker"
labels:
- "bunkerweb.INSTANCE"
- "bunkerweb.AUTOCONF"
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.3
image: bunkerity/bunkerweb-autoconf:1.4.4
environment:
- SWARM_MODE=yes
volumes:
@ -544,7 +544,7 @@ spec:
app: bunkerweb
# mandatory annotation
annotations:
bunkerweb.io/INSTANCE: "yes"
bunkerweb.io/AUTOCONF: "yes"
spec:
containers:
- name: bunkerweb
@ -703,14 +703,14 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
You should now be able to install NGINX 1.20.2 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.20.2-1~bullseye
sudo apt install -y nginx=1.20.2-1~$(lsb_release -cs)
```
And finally install BunkerWeb 1.4.3 :
And finally install BunkerWeb 1.4.4 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.3
sudo apt install -y bunkerweb=1.4.4
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -736,11 +736,11 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo apt install -y nginx=1.20.2-1~jammy
```
And finally install BunkerWeb 1.4.3 :
And finally install BunkerWeb 1.4.4 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo apt install -y bunkerweb=1.4.3
sudo apt install -y bunkerweb=1.4.4
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@ -758,7 +758,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.3
sudo dnf install -y bunkerweb-1.4.4
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -785,12 +785,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
sudo dnf install nginx-1.20.2
```
And finally install BunkerWeb 1.4.3 :
And finally install BunkerWeb 1.4.4 :
```shell
dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo dnf install -y bunkerweb-1.4.3
sudo dnf install -y bunkerweb-1.4.4
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@ -818,13 +818,12 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt
mkdir /usr/share/bunkerweb/deps && \
/tmp/bunkerweb/deps/install.sh
```
Additional Python dependencies needs to be installed into the `/usr/share/bunkerweb/deps/python` folder :
```shell
mkdir /usr/share/bunkerweb/deps/python && \
mkdir -p /usr/share/bunkerweb/deps/python && \
cat src/scheduler/requirements.txt src/ui/requirements.txt src/common/gen/requirements.txt src/common/db/requirements.txt > /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt && \
pip install --no-cache-dir --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/ui/requirements.txt && \
pip install --no-cache-dir gunicorn
```
Once dependencies are installed, you will be able to copy the BunkerWeb sources to the target `/usr/share/bunkerweb` folder :
@ -894,11 +893,11 @@ List of supported Linux distros :
[Ansible](https://docs.ansible.com/ansible/latest/index.html) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/fl0ppy_d1sk/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
First of all, download the role from ansible-galaxy :
```shell
ansible-galaxy install fl0ppy_d1sk.bunkerweb
ansible-galaxy install bunkerity.bunkerweb
```
Next, create an inventory by adding the IP adress or FQDN of one or more remote systems, either in `/etc/ansible/hosts` or in your own playbook `inventory.yml` :
@ -917,7 +916,7 @@ In order to use the role, we will create the playbook file named `playbook.yml`
- hosts: all
become: true
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
Run the playbook :
@ -927,16 +926,16 @@ ansible-playbook -i inventory.yml playbook.yml
Configuration of BunkerWeb is done by using specific role variables :
| Name | Type | Description | Default value |
| :-------------------: | :--------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.4.3` |
| `nginx_version` | string | Version of NGINX to install. | `1.20.2` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
| `enable_ui` | boolean | Activate the web UI. | `false` |
| `custom_ui` | string | Path of the ui.env file to configure the web UI. | `files/ui.env` |
| `custom_configs_path` | Dictionary | Each entry is a path of the folder containing custom configurations. Keys are the type of custom configs : `http`, `server-http`, `modsec`, `modsec-crs` and `default-server-http` | empty values |
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |
| Name | Type | Description | Default value |
|:-----:|:-----:|--------------|----------------|
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.4.4` |
| `nginx_version` | string | Version of NGINX to install. | `1.20.2` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
| `enable_ui` | boolean | Activate the web UI. | `false` |
| `custom_ui` | string | Path of the ui.env file to configure the web UI. | `files/ui.env` |
| `custom_configs_path` | Dictionary | Each entry is a path of the folder containing custom configurations. Keys are the type of custom configs : `http`, `server-http`, `modsec`, `modsec-crs` and `default-server-http` | empty values |
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |

2
docs/mike.sh
View file

@ -8,6 +8,6 @@ fi
if [ "$1" == "dev" ] ; then
mike deploy --push --update-aliases dev
else
mike deploy --push --update-aliases "$(cat src/VERSION | sed -E 's/([0-9]+)\.([0-9]+)\.([0-9]+)/\1\.\2/')" latest
mike deploy --push --update-aliases "$(cat VERSION | sed -E 's/([0-9]+)\.([0-9]+)\.([0-9]+)/\1\.\2/')" latest
mike set-default --push latest
fi

6
docs/plugins.md
View file

@ -53,13 +53,13 @@ The first step is to install the plugin by putting the plugin files inside the c
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
volumes:
- ./bw-data:/data
...
@ -140,7 +140,7 @@ The first step is to install the plugin by putting the plugin files inside the c
vars:
- custom_plugins: "{{ playbook_dir }}/bunkerweb-plugins"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
Run the playbook :

82
docs/quickstart-guide.md
View file

@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e USE_REVERSE_PROXY=yes \
-e REVERSE_PROXY_URL=/ \
-e REVERSE_PROXY_HOST=http://myapp \
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -64,7 +64,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- 80:8080
- 443:8443
@ -223,7 +223,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
metadata:
name: ingress
annotations:
bunkerweb.io/INSTANCE: "yes"
bunkerweb.io/AUTOCONF: "yes"
spec:
rules:
- host: www.example.com
@ -306,7 +306,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
You can now run the playbook :
@ -379,7 +379,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
-e app1.example.com_REVERSE_PROXY_HOST=http://myapp1 \
-e app2.example.com_REVERSE_PROXY_HOST=http://myapp2 \
-e app3.example.com_REVERSE_PROXY_HOST=http://myapp3 \
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -389,7 +389,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- 80:8080
- 443:8443
@ -793,7 +793,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
metadata:
name: ingress
annotations:
bunkerweb.io/INSTANCE: "yes"
bunkerweb.io/AUTOCONF: "yes"
spec:
rules:
- host: app1.example.com
@ -880,7 +880,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
```shell
systemctl start bunkerweb
```
=== "Ansible"
Let's assume that you have some web applications running on the same machine as BunkerWeb :
@ -930,7 +930,7 @@ You will find more settings about reverse proxy in the [settings section](/1.4/s
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
[]()
Run the playbook :
@ -981,13 +981,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1006,13 +1006,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1031,13 +1031,13 @@ REAL_IP_HEADER=X-Forwarded-For
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=X-Forwarded-For \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1062,7 +1062,7 @@ REAL_IP_HEADER=X-Forwarded-For
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
env:
- name: USE_REAL_IP
@ -1111,7 +1111,7 @@ REAL_IP_HEADER=X-Forwarded-For
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
Run the playbook :
@ -1146,13 +1146,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1173,13 +1173,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1200,13 +1200,13 @@ REAL_IP_HEADER=proxy_protocol
-e "REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16" \
-e REAL_IP_HEADER=proxy_protocol \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent (using `docker stack deploy`) :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
environment:
- USE_REAL_IP=yes
@ -1232,7 +1232,7 @@ REAL_IP_HEADER=proxy_protocol
spec:
containers:
- name: bunkerweb
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
...
env:
- name: USE_REAL_IP
@ -1285,7 +1285,7 @@ REAL_IP_HEADER=proxy_protocol
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
Run the playbook :
@ -1327,7 +1327,7 @@ Some integrations offer a more convenient way of applying configurations such as
Here is a dummy example using a docker-compose file :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1369,13 +1369,13 @@ Some integrations offer a more convenient way of applying configurations such as
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
```yaml
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
volumes:
- ./bw-data:/data
...
@ -1436,13 +1436,13 @@ Some integrations offer a more convenient way of applying configurations such as
...
-v "${PWD}/bw-data:/data" \
...
bunkerity/bunkerweb-autoconf:1.4.3
bunkerity/bunkerweb-autoconf:1.4.4
```
Here is the docker-compose equivalent :
```yaml
myautoconf:
image: bunkerity/bunkerweb-autoconf:1.4.3
image: bunkerity/bunkerweb-autoconf:1.4.4
volumes:
- ./bw-data:/data
...
@ -1551,7 +1551,7 @@ Some integrations offer a more convenient way of applying configurations such as
server-http: "{{ playbook_dir }}/server-http"
}
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
Run the playbook :
@ -1622,7 +1622,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
-e AUTO_LETS_ENCRYPT=yes \
-e REMOTE_PHP=myphp \
-e REMOTE_PHP_PATH=/app \
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -1632,7 +1632,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- 80:8080
- 443:8443
@ -1674,7 +1674,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "${PWD}/myapp:/app" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM container, mount the application folder inside the container and configure it using specific labels :
@ -1738,7 +1738,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "/shared/myapp:/app" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM service, mount the application folder inside the container and configure it using specific labels :
@ -1891,7 +1891,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- custom_www: "{{ playbook_dir }}/my_app"
- custom_www_owner: "www-data"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
You can now run the playbook :
@ -1984,7 +1984,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
-e app2.example.com_REMOTE_PHP_PATH=/app \
-e app3.example.com_REMOTE_PHP=myphp3 \
-e app3.example.com_REMOTE_PHP_PATH=/app \
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Here is the docker-compose equivalent :
@ -1994,7 +1994,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
ports:
- 80:8080
- 443:8443
@ -2055,7 +2055,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "${PWD}/myapps:/apps" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM containers, mount the right application folder inside each container and configure them using specific labels :
@ -2179,7 +2179,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
...
-v "/shared/myapps:/apps" \
...
bunkerity/bunkerweb:1.4.3
bunkerity/bunkerweb:1.4.4
```
Once BunkerWeb and autoconf are ready, you will be able to create the PHP-FPM service, mount the application folder inside the container and configure it using specific labels :
@ -2406,7 +2406,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- custom_www: "{{ playbook_dir }}/my_app"
- custom_www_owner: "www-data"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
You can now run the playbook :

4
docs/requirements.txt
View file

@ -1,5 +1,5 @@
mkdocs==1.4.2
mkdocs-material==8.5.9
mkdocs==1.2.3
mkdocs-material==8.2.5
pytablewriter==0.64.2
mike==1.1.2
jinja2<3.1.0

5
docs/security-tuning.md
View file

@ -5,6 +5,11 @@ BunkerWeb offers many security features that you can configure with [settings](/
!!! tip "Other settings"
This section only focuses on security tuning, see the [settings section](/1.4/settings) of the documentation for other settings.
<figure markdown>
![Overview](assets/img/core-order.svg){ align=center }
<figcaption>Overview and order of the core security plugins</figcaption>
</figure>
## HTTP protocol
### Deny status code

2
docs/troubleshooting.md
View file

@ -260,4 +260,4 @@ If you have bots that need to access your website, the recommended way to avoid
- Healthcheck / status bot
- Callback like IPN or webhook
- Social media crawler
- Social media crawler

14
docs/web-ui.md
View file

@ -1,7 +1,7 @@
# Web UI
!!! note "Supported integrations"
At the moment, the web UI is only supported with the [Docker](/1.4/integrations/#docker), [Linux](/1.4/integrations/#linux) and [Ansible](/1.4/integrations/#ansible) integrations. Please note that we plan to support more integrations as the project evolves.
At the moment, the web UI is only supported with the [Docker](/1.4/integrations/#docker), [Linux](/1.4/integrations/#linux) and [Ansible](/1.4/integrations/#ansible) integrations. It's not possible to use the web UI with other integrations like [Docker autoconf](/1.4/integrations/#docker-autoconf), [Swarm](/1.4/integrations/#swarm) or [Kubernetes](/1.4/integrations/#kubernetes). Please note that we plan to support more integrations as the project evolves.
## Overview
@ -76,7 +76,7 @@ Because the web UI is a web application, the recommended installation procedure
-e "bwadm.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme" \
-e bwadm.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no \
-l bunkerweb.UI \
bunkerity/bunkerweb:1.4.3 && \
bunkerity/bunkerweb:1.4.4 && \
docker network connect bw-ui mybunker
```
@ -115,7 +115,7 @@ Because the web UI is a web application, the recommended installation procedure
-e ADMIN_USERNAME=admin \
-e ADMIN_PASSWORD=changeme \
-e ABSOLUTE_URI=http(s)://bwadm.example.com/changeme/ \
bunkerity/bunkerweb-ui:1.4.3 && \
bunkerity/bunkerweb-ui:1.4.4 && \
docker network connect bw-docker myui
```
@ -131,7 +131,7 @@ Because the web UI is a web application, the recommended installation procedure
services:
mybunker:
image: bunkerity/bunkerweb:1.4.3
image: bunkerity/bunkerweb:1.4.4
networks:
- bw-services
- bw-ui
@ -154,7 +154,7 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.UI"
myui:
image: bunkerity/bunkerweb-ui:1.4.3
image: bunkerity/bunkerweb-ui:1.4.4
depends_on:
- mydocker
networks:
@ -297,10 +297,10 @@ Because the web UI is a web application, the recommended installation procedure
- enable_ui: true
- custom_ui: "{{ playbook_dir }}/my_ui.env"
roles:
- fl0ppy_d1sk.bunkerweb
- bunkerity.bunkerweb
```
You can now run the playbook and be able to access the web UI :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
```

30
src/autoconf/DockerController.py
View file

@ -111,23 +111,21 @@ class DockerController(Controller, ConfigCaller):
return ret
def process_events(self):
for event in self.__client.events(decode=True, filters={"type": "container"}):
self._instances = self.get_instances()
self._services = self.get_services()
self._configs = self.get_configs()
if not self._config.update_needed(
self._instances, self._services, configs=self._configs
):
continue
self.__logger.info(
"Catched docker event, deploying new configuration ...",
)
for _ in self.__client.events(decode=True, filters={"type": "container"}):
try:
self._instances = self.get_instances()
self._services = self.get_services()
self._configs = self.get_configs()
if not self._config.update_needed(
self._instances, self._services, configs=self._configs
):
continue
self.__logger.info(
"Catched Docker event, deploying new configuration ..."
)
ret = self.apply_config()
if not ret:
self.__logger.error(
"Error while deploying new configuration",
)
self.__logger.error("Error while deploying new configuration")
else:
self.__logger.info(
"Successfully deployed new configuration 🚀",
@ -136,10 +134,10 @@ class DockerController(Controller, ConfigCaller):
if not self._config._db.is_autoconf_loaded():
ret = self._config._db.set_autoconf_load(True)
if ret:
self.__logger.error(
self.__logger.warning(
f"Can't set autoconf loaded metadata to true in database: {ret}",
)
except:
self.__logger.error(
f"Exception while deploying new configuration :\n{format_exc()}",
f"Exception while processing events :\n{format_exc()}"
)

2
src/autoconf/Dockerfile
View file

@ -39,7 +39,7 @@ RUN apk add --no-cache bash && \
chown root:nginx /usr/bin/bwcli
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0"
VOLUME /data /etc/nginx

22
src/autoconf/IngressController.py
View file

@ -1,4 +1,5 @@
from os import getenv
from time import sleep
from traceback import format_exc
from kubernetes import client, config, watch
from kubernetes.client.exceptions import ApiException
@ -224,8 +225,9 @@ class IngressController(Controller, ConfigCaller):
raise Exception(f"unsupported watch_type {watch_type}")
while True:
locked = False
error = False
try:
for event in w.stream(what):
for _ in w.stream(what):
self.__internal_lock.acquire()
locked = True
self._instances = self.get_instances()
@ -246,6 +248,7 @@ class IngressController(Controller, ConfigCaller):
self.__logger.error(
"Error while deploying new configuration ...",
)
error = True
else:
self.__logger.info(
"Successfully deployed new configuration 🚀",
@ -254,28 +257,31 @@ class IngressController(Controller, ConfigCaller):
if not self._config._db.is_autoconf_loaded():
ret = self._config._db.set_autoconf_load(True)
if ret:
self.__logger.error(
self.__logger.warning(
f"Can't set autoconf loaded metadata to true in database: {ret}",
)
except:
self.__logger.error(
f"Exception while deploying new configuration :\n{format_exc()}",
)
self.__internal_lock.release()
locked = False
error = True
except ApiException as e:
if e.status != 410:
self.__logger.error(
f"Exception while reading k8s event (type = {watch_type}) :\n{format_exc()}",
)
sys_exit(1)
if locked:
self.__internal_lock.release()
except:
self.__logger.error(
f"Unknown exception while reading k8s event (type = {watch_type}) :\n{format_exc()}",
)
sys_exit(2)
finally :
if locked:
self.__internal_lock.release()
locked = False
if error is True:
self.__logger.warning("Got exception, retrying in 10 seconds ...")
sleep(10)
def apply_config(self):
ret = self._config.apply(self._instances, self._services, configs=self._configs)

29
src/autoconf/SwarmController.py
View file

@ -110,23 +110,20 @@ class SwarmController(Controller, ConfigCaller):
def __event(self, event_type):
for event in self.__client.events(decode=True, filters={"type": event_type}):
self.__internal_lock.acquire()
self._instances = self.get_instances()
self._services = self.get_services()
self._configs = self.get_configs()
if not self._config.update_needed(
self._instances, self._services, configs=self._configs
):
self.__internal_lock.release()
continue
self.__logger.info(
"Catched Swarm event, deploying new configuration ...",
)
try:
self._instances = self.get_instances()
self._services = self.get_services()
self._configs = self.get_configs()
if not self._config.update_needed(
self._instances, self._services, configs=self._configs
):
continue
self.__logger.info(
"Catched Swarm event, deploying new configuration ..."
)
ret = self.apply_config()
if not ret:
self.__logger.error(
"Error while deploying new configuration ...",
)
self.__logger.error("Error while deploying new configuration")
else:
self.__logger.info(
"Successfully deployed new configuration 🚀",
@ -135,12 +132,12 @@ class SwarmController(Controller, ConfigCaller):
if not self._config._db.is_autoconf_loaded():
ret = self._config._db.set_autoconf_load(True)
if ret:
self.__logger.error(
self.__logger.warning(
f"Can't set autoconf loaded metadata to true in database: {ret}",
)
except:
self.__logger.error(
f"Exception while deploying new configuration :\n{format_exc()}",
f"Exception while processing events :\n{format_exc()}"
)
self.__internal_lock.release()

2
src/bw/Dockerfile
View file

@ -75,7 +75,7 @@ RUN apk add --no-cache bash python3 && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "freetype>=2.10.4-r3" "curl>=7.79.1-r2" "libcurl>=7.79.1-r2" "openssl>=1.1.1q-r0" "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1"
RUN apk add "freetype>=2.10.4-r3" "curl>=7.79.1-r2" "libcurl>=7.79.1-r2" "openssl>=1.1.1q-r0" "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0"
VOLUME /data /etc/nginx

38
src/bw/lua/api.lua
View file

@ -103,6 +103,44 @@ api.global.POST["^/unban$"] = function(api)
return api:response(ngx.HTTP_OK, "success", "ip " .. ip["ip"] .. " unbanned")
end
api.global.POST["^/ban$"] = function(api)
ngx.req.read_body()
local data = ngx.req.get_body_data()
if not data then
local data_file = ngx.req.get_body_file()
if data_file then
local file = io.open(data_file)
data = file:read("*a")
file:close()
end
end
local ok, ip = pcall(cjson.decode, data)
if not ok then
return api:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't decode JSON : " .. env)
end
datastore:set("bans_ip_" .. ip["ip"], "manual", ip["exp"])
return api:response(ngx.HTTP_OK, "success", "ip " .. ip["ip"] .. " banned")
end
api.global.GET["^/bans$"] = function(api)
local data = {}
for i, k in ipairs(datastore:keys()) do
if k:find("^bans_ip_") then
local ret, reason = datastore:get(k)
if not ret then
return api:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't access " .. k .. " from datastore : " + reason)
end
local ret, exp = datastore:exp(k)
if not ret then
return api:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error", "can't access exp " .. k .. " from datastore : " + exp)
end
local ban = { ip = k:sub(9, #k), reason = reason, exp = exp }
table.insert(data, ban)
end
end
return api:response(ngx.HTTP_OK, "success", data)
end
api.is_allowed_ip = function(self)
local data, err = datastore:get("api_whitelist_ip")
if not data then

10
src/bw/lua/datastore.lua
View file

@ -1,4 +1,4 @@
local datastore = {dict = ngx.shared.datastore }
local datastore = { dict = ngx.shared.datastore }
datastore.get = function(self, key)
local value, err = self.dict:get(key)
@ -22,6 +22,14 @@ datastore.delete = function(self, key)
return true, "success"
end
datastore.exp = function(self, key)
local ttl, err = self.dict:ttl(key)
if not ttl then
return false, err
end
return true, ttl
end
datastore.delete_all = function(self, pattern)
local keys = self.dict:get_keys(0)
for i, key in ipairs(keys) do

15
src/common/cli/CLI.py
View file

@ -117,3 +117,18 @@ class CLI(ApiCaller):
if self._send_to_apis("POST", "/unban", data={"ip": ip}):
return True, f"IP {ip} has been unbanned"
return False, "error"
def ban(self, ip, exp):
if self._send_to_apis("POST", "/ban", data={"ip": ip, "exp": exp}):
return True, f"IP {ip} has been banned"
return False, "error"
def bans(self):
ret, resp = self._send_to_apis("GET", "/bans", response=True)
if ret:
bans = resp["bans"]
cli_str = "List of bans :\n"
for ban in bans:
cli_str += f"- {ban['ip']} for {ban['exp']}s : {ban['reason']}\n"
return True, cli_str
return False, "error"

19
src/common/cli/main.py
View file

@ -27,6 +27,19 @@ if __name__ == "__main__":
)
parser_unban.add_argument("ip", type=str, help="IP address to unban")
# Ban subparser
parser_ban = subparsers.add_parser("ban", help="add a ban to the cache")
parser_ban.add_argument("ip", type=str, help="IP address to ban")
parser_ban.add_argument(
"exp",
type=int,
help="banning time in seconds (default : 86400)",
default=86400,
)
# Bans subparser
parser_bans = subparsers.add_parser("bans", help="list current bans")
# Parse args
args = parser.parse_args()
@ -37,6 +50,10 @@ if __name__ == "__main__":
ret, err = False, "unknown command"
if args.command == "unban":
ret, err = cli.unban(args.ip)
elif args.command == "ban":
ret, err = cli.ban(args.ip, args.exp)
elif args.command == "bans":
ret, err = cli.bans()
if not ret:
logger.error(f"CLI command status : ❌ (fail)\n{err}")
@ -50,5 +67,3 @@ if __name__ == "__main__":
except:
logger.error(f"Error while executing bwcli :\n{format_exc()}")
sys_exit(1)
sys_exit(0)

2
src/common/core/bunkernet/jobs/bunkernet-data.py
View file

@ -113,7 +113,7 @@ try:
checksum=new_hash,
)
if err:
logger.warning(f"Couldn't update db cache: {err}")
logger.warning(f"Couldn't update db ip.list cache: {err}")
logger.info("Successfully saved BunkerNet data")

18
src/common/core/bunkernet/jobs/bunkernet-register.py
View file

@ -117,15 +117,15 @@ try:
with open("/var/cache/bunkerweb/bunkernet/instance.id", "w") as f:
f.write(bunkernet_id)
# Update db
err = db.update_job_cache(
"bunkernet-register",
None,
"instance.id",
f"{bunkernet_id}".encode("utf-8"),
)
if err:
logger.warning(f"Couldn't update db cache: {err}")
# Update db
err = db.update_job_cache(
"bunkernet-register",
None,
"instance.id",
f"{bunkernet_id}".encode("utf-8"),
)
if err:
logger.warning(f"Couldn't update db cache: {err}")
else:
logger.error("Connectivity with BunkerWeb failed ...")
status = 2

5
src/common/core/letsencrypt/jobs/certbot-deploy.py
View file

@ -1,10 +1,9 @@
#!/usr/bin/python3
from asyncio import run
from io import BytesIO
from os import environ, getenv
from os.path import exists
from subprocess import DEVNULL, STDOUT
from subprocess import run, DEVNULL, STDOUT
from sys import exit as sys_exit, path as sys_path
from tarfile import open as tar_open
from traceback import format_exc
@ -34,6 +33,8 @@ try:
with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
bw_integration = f.read().strip()
token = getenv("CERTBOT_TOKEN")
logger.info(f"Certificates renewal for {getenv('RENEWED_DOMAINS')} successful")
# Cluster case
if bw_integration in ("Swarm", "Kubernetes", "Autoconf"):

10
src/common/core/letsencrypt/jobs/certbot-renew.py
View file

@ -28,7 +28,6 @@ logger = setup_logger("LETS-ENCRYPT", getenv("LOG_LEVEL", "INFO"))
status = 0
try:
if getenv("MULTISITE") == "yes":
for first_server in getenv("SERVER_NAME").split(" "):
if first_server == "":
@ -46,11 +45,6 @@ try:
logger.error(
f"Certificates renewal for {first_server} failed",
)
else:
logger.info(
f"Certificates renewal for {first_server} successful",
)
elif getenv("AUTO_LETS_ENCRYPT") == "yes" and getenv("SERVER_NAME") != "":
first_server = getenv("SERVER_NAME").split(" ")[0]
if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
@ -60,10 +54,6 @@ try:
logger.error(
f"Certificates renewal for {first_server} failed",
)
else:
logger.info(
f"Certificates renewal for {first_server} successful",
)
except:
status = 2

5
src/common/utils/ApiCaller.py
View file

@ -100,7 +100,7 @@ class ApiCaller:
def _get_apis(self):
return self.__apis
def _send_to_apis(self, method, url, files=None, data=None):
def _send_to_apis(self, method, url, files=None, data=None, response=False):
ret = True
for api in self.__apis:
if files is not None:
@ -122,6 +122,9 @@ class ApiCaller:
self.__logger.info(
f"Successfully sent API request to {api.get_endpoint()}{url}",
)
if response:
return ret, resp.json()
return ret
def _send_files(self, path, url):

4
src/linux/Dockerfile-centos
View file

@ -31,7 +31,9 @@ RUN dnf install -y python39-pip brotli brotli-devel gperftools-devel perl libxsl
chmod +x /tmp/bunkerweb/deps/install.sh && \
bash /tmp/bunkerweb/deps/install.sh && \
mkdir /usr/share/bunkerweb/deps/python && \
pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
# Dirty fix to avoid errors with --target and packages same namespace
cp -r /usr/lib64/python3.9/* /usr/lib/python3.9/ && \
PYTHONPLATLIBDIR=lib pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
# Copy files
# can't exclude deps from . so we are copying everything by hand

7
src/linux/Dockerfile-fedora
View file

@ -29,7 +29,9 @@ RUN dnf install -y python3-pip brotli brotli-devel gperftools-devel perl libxslt
chmod +x /tmp/bunkerweb/deps/install.sh && \
bash /tmp/bunkerweb/deps/install.sh && \
mkdir /usr/share/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
# Dirty fix to avoid errors with --target and packages same namespace
cp -r /usr/lib64/python3.10/* /usr/lib/python3.10/ && \
PYTHONPLATLIBDIR=lib pip3.10 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
# Copy files
# can't exclude deps from . so we are copying everything by hand
@ -56,7 +58,6 @@ RUN cp /usr/share/bunkerweb/helpers/bwcli /usr/bin/ && \
mkdir /var/cache/bunkerweb/ && \
mkdir /etc/bunkerweb/plugins && \
mkdir /var/tmp/bunkerweb/ && \
#mkdir /var/www/html && \
echo "Linux" > /usr/share/bunkerweb/INTEGRATION && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
@ -79,4 +80,4 @@ COPY src/linux/bunkerweb-ui.service /usr/share/bunkerweb-ui.service
# Generate DEB at startup
VOLUME /data
WORKDIR /usr/share/
ENTRYPOINT ["/usr/share/fpm.sh", "deb"]
ENTRYPOINT ["/usr/share/fpm.sh", "deb"]

87
src/linux/Dockerfile-rhel Normal file
View file

@ -0,0 +1,87 @@
FROM redhat/ubi8:8.6
ENV OS=rhel
ENV NGINX_VERSION 1.20.2
# RHEL subscription
RUN subscription-manager register --username=username --password=password --auto-attach
# Install fpm
RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build wget && \
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
rpm -Uvh epel-release*rpm && \
dnf module -y reset ruby && dnf module -y enable ruby:2.6 && dnf module -y install ruby:2.6/common && \
gem install fpm
# Nginx
COPY linux/nginx.repo /etc/yum.repos.d/nginx.repo
RUN dnf install yum-utils -y && \
dnf install nginx-1.20.2 -y
# Copy dependencies sources folder
COPY src/common/deps /tmp/bunkerweb/deps
COPY src/scheduler/requirements.txt /tmp/req/requirements.txt
COPY src/ui/requirements.txt /tmp/req/requirements.txt.1
COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.2
COPY src/common/db/requirements.txt /tmp/req/requirements.txt.3
RUN mkdir -p /usr/share/bunkerweb/deps && \
cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 /tmp/req/requirements.txt.3 > /tmp/bunkerweb/deps/requirements.txt && \
rm -rf /tmp/req
# Compile and install dependencies
RUN dnf install -y python39-pip brotli brotli-devel gperftools-devel perl libxslt-devel libxml2 libxslt bash gd gd-devel gcc-c++ kernel-devel curl znc-modtcl libmpc-devel gmp-devel gawk mpfr-devel libtool pcre-devel automake autoconf readline-devel gcc make openssl-devel git zlib-devel libxml2-devel pkgconf libcurl-devel geoip-devel lmdb-libs && \
mkdir -p /usr/share/bunkerweb/deps && \
chmod +x /tmp/bunkerweb/deps/install.sh && \
bash /tmp/bunkerweb/deps/install.sh && \
mkdir /usr/share/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
# Copy BW files
# can't exclude deps from . so we are copying everything by hand
COPY src/bw/loading /usr/share/bunkerweb/loading
COPY src/bw/lua /usr/share/bunkerweb/lua
COPY src/bw/misc /usr/share/bunkerweb/misc
COPY src/common/api /usr/share/bunkerweb/api
COPY src/common/cli /usr/share/bunkerweb/cli
COPY src/common/confs /usr/share/bunkerweb/confs
COPY src/common/core /usr/share/bunkerweb/core
COPY src/common/db /usr/share/bunkerweb/db
COPY src/common/gen /usr/share/bunkerweb/gen
COPY src/common/helpers /usr/share/bunkerweb/helpers
COPY src/common/settings.json /usr/share/bunkerweb/settings.json
COPY src/common/utils /usr/share/bunkerweb/utils
COPY src/scheduler /usr/share/bunkerweb/scheduler
COPY src/ui /usr/share/bunkerweb/ui
COPY src/VERSION /usr/share/bunkerweb/VERSION
# Setup BW
RUN cp /usr/share/bunkerweb/helpers/bwcli /usr/bin/ && \
chmod 755 /usr/bin/bwcli && \
mkdir /etc/bunkerweb/configs && \
mkdir /var/cache/bunkerweb/ && \
mkdir /etc/bunkerweb/plugins && \
mkdir /var/tmp/bunkerweb/ && \
echo "Linux" > /usr/share/bunkerweb/INTEGRATION && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type f -exec chmod 0740 {} \; && \
find /usr/share/bunkerweb -path /usr/share/bunkerweb/deps -prune -o -type d -exec chmod 0750 {} \; && \
chmod 770 /var/cache/bunkerweb/ /var/tmp/bunkerweb/ && \
chmod 750 /usr/share/bunkerweb/gen/main.py /usr/share/bunkerweb/scheduler/main.py /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/share/bunkerweb/ui/main.py && \
find /usr/share/bunkerweb/core/*/jobs/* -type f -exec chmod 750 {} \; && \
pip install --no-cache-dir --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/ui/deps/requirements.txt && \
chmod 755 /usr/share/bunkerweb
# Copy Linux files
COPY src/linux/variables.env /etc/bunkerweb/variables.env
COPY src/linux/ui.env /etc/bunkerweb/ui.env
COPY src/linux/scripts /usr/share/bunkerweb/scripts
COPY src/linux/fpm.sh /usr/share/fpm.sh
RUN chmod +x /usr/share/bunkerweb/scripts/*.sh /usr/share/fpm.sh
COPY src/linux/fpm-rhel /usr/share/.fpm
COPY src/linux/bunkerweb.service /usr/share/bunkerweb.service
COPY src/linux/bunkerweb-ui.service /usr/share/bunkerweb-ui.service
# Generate RPM at startup
VOLUME /data
WORKDIR /usr/share/
ENTRYPOINT ["/usr/share/fpm.sh", "rpm"]

1
src/linux/bunkerweb.service
View file

@ -4,6 +4,7 @@ Documentation=https://docs.bunkerweb.io
After=network.target
[Service]
Restart=always
User=root
PIDFile=/var/tmp/bunkerweb/scheduler.pid
ExecStart=/usr/share/bunkerweb/scripts/start.sh start

13
src/linux/fpm-rhel Normal file
View file

@ -0,0 +1,13 @@
-s dir
--name bunkerweb
--license agpl3
--version %VERSION%
--architecture x86_64
--depends bash --depends epel-release --depends python39 --depends 'nginx = 1:1.20.2-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends GeoIP-devel --depends file-libs --depends net-tools --depends gd --depends sudo
--description "BunkerWeb %VERSION% for Rhel 8"
--url "https://www.bunkerweb.io"
--maintainer "Bunkerity <contact at bunkerity dot com>"
--after-install /usr/share/bunkerweb/scripts/postinstall.sh
--before-remove /usr/share/bunkerweb/scripts/beforeRemove.sh
--after-remove /usr/share/bunkerweb/scripts/afterRemove.sh
/usr/share/bunkerweb/=/usr/share/bunkerweb/ bunkerweb.service=/etc/systemd/system/bunkerweb.service bunkerweb-ui.service=/etc/systemd/system/bunkerweb-ui.service /usr/bin/bwcli=/usr/bin/bwcli

2
src/scheduler/Dockerfile
View file

@ -58,7 +58,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0"
VOLUME /data /etc/nginx

2
src/ui/Dockerfile
View file

@ -48,7 +48,7 @@ RUN apk add --no-cache bash file && \
chmod 750 /usr/share/bunkerweb/gen/main.py /usr/share/bunkerweb/deps/python/bin/*
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "git>=2.32.3-r0" "ncurses-libs>=6.2_p20210612-r1" "ncurses-terminfo-base>=6.2_p20210612-r1" "libtirpc>=1.3.2-r1" "libtirpc-conf>=1.3.2-r1" "zlib>=1.2.12-r2" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0"
VOLUME /data /etc/nginx

4
src/ui/src/Config.py
View file

@ -24,14 +24,14 @@ class Config:
self.__logger.warning(
"Database is not initialized, retrying in 5s ...",
)
sleep(3)
sleep(5)
env = self.__db.get_config()
while not self.__db.is_first_config_saved() or not env:
self.__logger.warning(
"Database doesn't have any config saved yet, retrying in 5s ...",
)
sleep(3)
sleep(5)
env = self.__db.get_config()
self.reload_plugins()