Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-04-21 13:37:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #3321 from bunkerity/dev

Browse source
This commit is contained in:
Théophile Diot 2026-03-13 18:01:33 +01:00 committed by GitHub
commit 1fe1087008
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1330 changed files with 285058 additions and 32598 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/ISSUE_TEMPLATE/bug_report.yml vendored
View file

@ -51,7 +51,7 @@ body:
label: BunkerWeb version
description: What version of BunkerWeb are you running?
placeholder: Version
value: 1.6.8
value: 1.6.9
validations:
required: true
- type: dropdown

4
.github/workflows/codeql.yml vendored
View file

@ -36,12 +36,12 @@ jobs:
python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
setup-python-dependencies: false
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
category: "/language:${{matrix.language}}"

16
.github/workflows/container-build.yml vendored
View file

@ -76,22 +76,22 @@ jobs:
SSH_IP: ${{ secrets.ARM_SSH_IP }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Setup Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
if: startsWith(inputs.CACHE_SUFFIX, 'arm') == false
- name: Setup Buildx (ARM)
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
if: startsWith(inputs.CACHE_SUFFIX, 'arm')
with:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
if: inputs.PUSH == true
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -99,13 +99,13 @@ jobs:
# Compute metadata
- name: Extract metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: bunkerity/${{ inputs.IMAGE }}
# Build cached image
- name: Build image
if: inputs.CACHE == true
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}
@ -118,7 +118,7 @@ jobs:
# Build non-cached image
- name: Build image
if: inputs.CACHE != true
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}
@ -130,7 +130,7 @@ jobs:
# Check OS vulnerabilities
- name: Check OS vulnerabilities
if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
vuln-type: os
skip-dirs: /root/.cargo

5
.github/workflows/dev.yml vendored
View file

@ -5,6 +5,7 @@ permissions: read-all
on:
push:
branches: [dev]
workflow_dispatch:
jobs:
# Containers
@ -188,12 +189,12 @@ jobs:
to: bunkerweb-all-in-one
steps:
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

4
.github/workflows/doc-to-pdf.yml vendored
View file

@ -23,7 +23,7 @@ jobs:
- name: Install chromium
run: sudo apt update && sudo apt install chromium-browser
- name: Install node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 22
- name: Install puppeteer
@ -35,7 +35,7 @@ jobs:
run: mkdocs serve -f mkdocs_print.yml & sleep 15
- name: Run pdf script
run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf

18
.github/workflows/linux-build.yml vendored
View file

@ -85,21 +85,21 @@ jobs:
SSH_IP: ${{ secrets.ARM_SSH_IP }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Setup Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
if: startsWith(env.ARCH, 'arm') == false
- name: Setup Buildx (ARM)
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
if: startsWith(env.ARCH, 'arm') == true
with:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -107,7 +107,7 @@ jobs:
# Build testing package image
- name: Build package image
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
load: true
@ -119,7 +119,7 @@ jobs:
# Build non-testing package image
- name: Build package image
if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev' && inputs.RELEASE != 'ui' && inputs.RELEASE != '1.5'
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
load: true
@ -143,7 +143,7 @@ jobs:
scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
env:
LARCH: ${{ env.LARCH }}
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
@ -151,12 +151,12 @@ jobs:
- name: Extract metadata
if: inputs.TEST == true
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
- name: Build test image
if: inputs.TEST == true
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
file: tests/linux/Dockerfile-${{ inputs.LINUX }}

10
.github/workflows/push-docker.yml vendored
View file

@ -35,12 +35,12 @@ jobs:
- name: Check out repository code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -68,7 +68,7 @@ jobs:
SSH_IP: ${{ secrets.ARM_SSH_IP }}
SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
- name: Setup Buildx (ARM)
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7
@ -82,12 +82,12 @@ jobs:
# Compute metadata
- name: Extract metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: bunkerity/${{ inputs.IMAGE }}
# Build and push
- name: Build and push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}

6
.github/workflows/push-github.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
# Get PDF doc
- name: Get documentation
if: inputs.VERSION != 'testing'
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
# Sanitize version (replace ~ with - for valid Git tag names)
@ -114,10 +114,12 @@ jobs:
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
Docker tags :
- All-in-one : `bunkerity/bunkerweb-all-in-one:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-all-in-one:${{ steps.sanitize.outputs.version }}`
- BunkerWeb : `bunkerity/bunkerweb:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb:${{ steps.sanitize.outputs.version }}`
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ steps.sanitize.outputs.version }}`
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ steps.sanitize.outputs.version }}`
- UI : `bunkerity/bunkerweb-ui:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ steps.sanitize.outputs.version }}`
- API : `bunkerity/bunkerweb-api:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-api:${{ steps.sanitize.outputs.version }}`
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
@ -147,6 +149,8 @@ jobs:
- Scheduler : `bunkerity/bunkerweb-scheduler:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ steps.sanitize.outputs.version }}`
- Autoconf : `bunkerity/bunkerweb-autoconf:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ steps.sanitize.outputs.version }}`
- UI : `bunkerity/bunkerweb-ui:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ steps.sanitize.outputs.version }}`
- API : `bunkerity/bunkerweb-api:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-api:${{ steps.sanitize.outputs.version }}`
- All-in-one : `bunkerity/bunkerweb-all-in-one:${{ steps.sanitize.outputs.version }}` or `ghcr.io/bunkerity/bunkerweb-all-in-one:${{ steps.sanitize.outputs.version }}`
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=

4
.github/workflows/push-packagecloud.yml vendored
View file

@ -42,7 +42,7 @@ jobs:
- name: Check out repository code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install ruby
uses: ruby/setup-ruby@8d27f39a5e7ad39aebbcbd1324f7af020229645c # v1.287.0
uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1.292.0
with:
ruby-version: "3.0"
- name: Install packagecloud
@ -81,7 +81,7 @@ jobs:
echo "artifact=$ARTIFACT_NAME" >> $GITHUB_OUTPUT
# Download packages (single generic step)
- name: Download package artifact
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ env.ARTIFACT_NAME }}
path: /tmp/${{ inputs.LINUX }}

2
.github/workflows/scorecards-analysis.yml vendored
View file

@ -25,6 +25,6 @@ jobs:
results_format: sarif
publish_results: true
- name: "Upload SARIF results to code scanning"
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
sarif_file: results.sarif

4
.github/workflows/staging-create-infra.yml vendored
View file

@ -23,7 +23,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
- name: Install kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
if: inputs.TYPE == 'k8s'
@ -52,7 +52,7 @@ jobs:
if: always()
env:
SECRET_KEY: ${{ secrets.SECRET_KEY }}
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: tf-${{ inputs.TYPE }}

4
.github/workflows/staging-delete-infra.yml vendored
View file

@ -22,8 +22,8 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: tf-${{ inputs.TYPE }}
path: /tmp

6
.github/workflows/staging-tests.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -41,9 +41,9 @@ jobs:
- name: Install test dependencies
run: PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install --no-cache-dir --require-hashes --no-deps -r tests/requirements.txt
- name: Install Terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
if: inputs.TYPE == 'k8s'
- uses: actions/download-artifact@v7.0.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: tf-k8s
path: /tmp

5
.github/workflows/staging.yml vendored
View file

@ -5,6 +5,7 @@ permissions: read-all
on:
push:
branches: [staging]
workflow_dispatch:
jobs:
# Build Docker images
@ -152,12 +153,12 @@ jobs:
packages: write
steps:
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

2
.github/workflows/test-core-linux.yml vendored
View file

@ -49,7 +49,7 @@ jobs:
sudo chmod +x /usr/local/bin/geckodriver
rm -f geckodriver.tar.gz
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

2
.github/workflows/test-core.yml vendored
View file

@ -18,7 +18,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

2
.github/workflows/tests-ui-linux.yml vendored
View file

@ -49,7 +49,7 @@ jobs:
sudo chmod +x /usr/local/bin/geckodriver
rm -f geckodriver.tar.gz
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

2
.github/workflows/tests-ui.yml vendored
View file

@ -17,7 +17,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}

4
.pre-commit-config.yaml
View file

@ -22,7 +22,7 @@ repos:
hooks:
- id: black
name: Black Python Formatter
language_version: python3.9
language_version: python3.10
- repo: local
hooks:
@ -67,7 +67,7 @@ repos:
- id: codespell
name: Codespell Spell Checker
exclude: (^src/(ui/templates|common/core/.+/files|bw/loading)/.+.html|modsecurity-rules.conf.*|src/ui/app/static/(fonts|libs)/.+|src/ui/app/static/locales/.+|docs/.+/.+|src/common/README\..+\.md|src/common/core/.+/README\..+\.md)$
entry: codespell --ignore-regex="(tabEl|Widgits|fpr)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/json/countries.topojson,src/ui/app/static/js/pages/bans.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py,src/ui/app/static/js/pages/reports.js,docs/json2md.py
entry: codespell --ignore-regex="(tabEl|Widgits|fpr|TE|STING|SUPPOR|FO|EXPEC)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/json/countries.topojson,src/ui/app/static/js/pages/bans.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py,src/ui/app/static/js/pages/reports.js,docs/json2md.py
language: python
types: [text]

371
BUILD.md Normal file
View file

@ -0,0 +1,371 @@
# BUILD Guide (Community)
This guide explains how to build **community** BunkerWeb artifacts from source.
## Scope
This document covers:
- Community container images (`bunkerweb`, `scheduler`, `autoconf`, `ui`, `api`, `all-in-one`)
- Linux packages (`.deb`, `.rpm`)
- FreeBSD package (`.pkg`)
All commands are expected to be run from the repository root.
## Build Standards
- Build from a clean, up-to-date working tree.
- Use the version from `src/VERSION` (packaging scripts read it automatically).
- Keep artifacts reproducible by using the provided scripts and Dockerfiles.
- Run `pre-commit run --all-files` before opening a PR.
## Prerequisites
- For containers and Linux packages:
- Docker (Buildx recommended)
- For FreeBSD package:
- A native FreeBSD 14 host or VM
## Artifact Matrix
| Artifact | Build path | Main command |
| ---------------------------- | ------------------------------------------------- | ----------------------------------------- |
| Community container images | `src/*/Dockerfile` | `docker build -f <Dockerfile> -t <tag> .` |
| Linux packages (`deb`/`rpm`) | `src/linux/Dockerfile-*` + `src/linux/package.sh` | `./src/linux/package.sh <linux> <arch>` |
| FreeBSD package (`pkg`) | `src/linux/build-freebsd.sh` | `bash src/linux/build-freebsd.sh` |
## Build Community Container Images
### Image targets
| Image | Dockerfile |
| ------------ | --------------------------- |
| `bunkerweb` | `src/bw/Dockerfile` |
| `scheduler` | `src/scheduler/Dockerfile` |
| `autoconf` | `src/autoconf/Dockerfile` |
| `ui` | `src/ui/Dockerfile` |
| `api` | `src/api/Dockerfile` |
| `all-in-one` | `src/all-in-one/Dockerfile` |
### Build one image
```sh
docker build -f src/bw/Dockerfile -t local/bunkerweb:dev .
```
### Build all community images
```sh
for image in bunkerweb scheduler autoconf ui api all-in-one; do
case "$image" in
bunkerweb) dockerfile="src/bw/Dockerfile" ;;
scheduler) dockerfile="src/scheduler/Dockerfile" ;;
autoconf) dockerfile="src/autoconf/Dockerfile" ;;
ui) dockerfile="src/ui/Dockerfile" ;;
api) dockerfile="src/api/Dockerfile" ;;
all-in-one) dockerfile="src/all-in-one/Dockerfile" ;;
esac
docker build -f "$dockerfile" -t "local/$image:dev" .
done
```
### Development-only build argument (not for production)
Use this only for local iteration on images that support minification args (`bw`, `ui`, `all-in-one`).
It reduces build time by skipping asset minification, but it does not produce production-grade artifacts.
```sh
docker build -f src/all-in-one/Dockerfile \
--build-arg SKIP_MINIFY=yes \
-t local/all-in-one:dev .
```
## Build Linux Packages (`.deb` / `.rpm`)
Linux package generation can be done directly with Docker in 2 steps:
1. Build the package builder image for your distro.
2. Run that image with a host output directory mounted to `/data`.
### Supported distro identifiers
- `ubuntu`
- `ubuntu-jammy`
- `debian-bookworm`
- `debian-trixie`
- `fedora-42`
- `fedora-43`
- `rhel-8`
- `rhel-9`
- `rhel-10`
### Quick local method (recommended)
This is the simplest community workflow for local package builds.
In `-v <host-dir>:/data`, you can choose any host directory you want.
Generated package files are exported by the container into that same host directory.
#### Build a `.deb` (Ubuntu example)
```sh
docker build \
-t bunkerweb_ubuntu \
-f src/linux/Dockerfile-ubuntu . && \
docker run --rm \
-v "$(pwd)/out/deb:/data" \
bunkerweb_ubuntu
```
Output:
- `<your-chosen-host-dir>/bunkerweb.deb` (for the example above: `$(pwd)/out/deb/bunkerweb.deb`)
#### Build an `.rpm` (Fedora example)
```sh
docker build \
-t bunkerweb_fedora43 \
-f src/linux/Dockerfile-fedora-43 . && \
docker run --rm \
-v "$(pwd)/out/rpm:/data" \
bunkerweb_fedora43
```
Output:
- `<your-chosen-host-dir>/bunkerweb.rpm` (for the example above: `$(pwd)/out/rpm/bunkerweb.rpm`)
### Development flags (not for production)
Use these only for local development and troubleshooting:
- `SKIP_MINIFY=yes` (`docker build --build-arg`): skips static asset minification to speed up builds; output is less optimized.
- `FPM_DEBUG=yes` (`docker run -e`): enables verbose FPM/debug logs during package creation.
- `FPM_SKIP_COMPRESSION=yes` (`docker run -e`): disables package compression to speed up packaging and simplify inspection; output packages are larger.
Do not use these flags for release artifacts intended for users.
### Development / troubleshooting example
Use this only when debugging package generation (verbose FPM logs, no compression). You can still choose any host directory mounted to `/data`, and artifacts will be written there.
```sh
docker build --build-arg SKIP_MINIFY=yes \
-t bunkerweb_ubuntu \
-f src/linux/Dockerfile-ubuntu . && \
docker run --rm \
-e FPM_DEBUG=yes \
-e FPM_SKIP_COMPRESSION=yes \
-v "$(pwd)/out/deb:/data" \
bunkerweb_ubuntu
```
### Scripted method (`package.sh`)
Use this if you want the repository naming convention in `package-<linux>/`.
### Step 1: build builder image
Example (`ubuntu`):
```sh
docker build -f src/linux/Dockerfile-ubuntu -t local/bunkerweb-ubuntu:latest .
```
### Step 2: build package
```sh
chmod +x src/linux/package.sh
./src/linux/package.sh ubuntu amd64
```
Artifacts are written to `package-<linux>/`.
Examples:
```sh
# Debian/Ubuntu package
docker build -f src/linux/Dockerfile-debian-bookworm -t local/bunkerweb-debian-bookworm:latest .
./src/linux/package.sh debian-bookworm amd64
# RPM package
docker build -f src/linux/Dockerfile-fedora-43 -t local/bunkerweb-fedora-43:latest .
./src/linux/package.sh fedora-43 x86_64
```
Notes:
- For RPM, use Linux arch naming (`x86_64`, `aarch64`, ...).
- For DEB, use Debian arch naming (`amd64`, `arm64`, ...).
- `curl` is a runtime requirement for scheduler ACME integrations (notably ZeroSSL/EAB flows).
- `package.sh` intentionally does not build FreeBSD packages in Docker.
- Dockerfiles for Linux package builders are preconfigured with their package type:
- Debian/Ubuntu Dockerfiles run `fpm.sh deb`
- Fedora/RHEL Dockerfiles run `fpm.sh rpm`
## Build FreeBSD Package (`.pkg`)
FreeBSD packages must be built on FreeBSD.
### Preflight requirements
- Use a native FreeBSD 14 host/VM.
- Run the build as `root` (or with equivalent privileges), because the build script installs packages and stages files under system paths.
- Ensure dependency sources are initialized:
```sh
bash src/deps/init_deps.sh
```
- Install build prerequisites:
```sh
pkg bootstrap -f
pkg update -f
pkg install -y bash git wget curl gtar pigz gmake pkgconf autoconf automake libtool \
rust ruby rubygem-fpm nginx sudo lsof unzip openssl sqlite3 pcre2 lmdb ssdeep \
libxml2 yajl libgd libmaxminddb libffi python311 py311-pip py311-setuptools \
py311-wheel py311-sqlite3 postgresql18-client
```
**Security Note**: The final package has **zero runtime dependencies on compiler toolchains**. Only security-relevant libraries (TLS, XML parsing, GeoIP, etc.) are required at runtime, meeting security requirements for production firewall appliances.
### Quick build (recommended)
```sh
bash src/linux/build-freebsd.sh
```
Output:
- `bunkerweb-<VERSION>.pkg` (or `bunkerweb-dev.pkg`, depending on `src/VERSION`) in the repository root
### Installing the package
Before installing the BunkerWeb package on a production system, ensure runtime dependencies are installed:
```sh
pkg install -y bash nginx python311 py311-sqlite3 curl libxml2 yajl libgd \
sudo lsof libmaxminddb libffi openssl sqlite3 unzip pcre2 lmdb ssdeep
```
**Note**: No compiler packages (gcc, clang, etc.) are required at runtime.
Then install BunkerWeb:
```sh
pkg install -y ./bunkerweb-<VERSION>.pkg
```
## CI Parity (Reference)
If you want local builds to match CI behavior, use these workflow references:
- Container builds: `.github/workflows/container-build.yml`
- Linux package builds: `.github/workflows/linux-build.yml`
## Publish Artifacts
Security baseline:
- Never paste real tokens/passwords directly in command lines or shell history.
- Prefer interactive login prompts for local/manual publishing.
- Use short-lived tokens with minimum required scopes.
- Use CI secret stores for automation.
- Unset sensitive environment variables after publishing.
### Publish Docker images (`docker.io` and `ghcr.io`)
Set your image metadata:
```sh
export VERSION="$(cat src/VERSION)"
export DOCKERHUB_ORG="<dockerhub-org-or-user>"
export GHCR_ORG="<github-org-or-user>"
```
Authenticate registries:
```sh
docker login docker.io
docker login ghcr.io -u "<github-user>"
```
Notes:
- The `docker login` commands above prompt for credentials securely (hidden input).
- For automated pipelines, read credentials from CI secrets and avoid hardcoded values.
Tag and push one image (example: `all-in-one`):
```sh
docker tag local/all-in-one:dev docker.io/$DOCKERHUB_ORG/bunkerweb-all-in-one:$VERSION
docker tag local/all-in-one:dev ghcr.io/$GHCR_ORG/bunkerweb-all-in-one:$VERSION
docker push docker.io/$DOCKERHUB_ORG/bunkerweb-all-in-one:$VERSION
docker push ghcr.io/$GHCR_ORG/bunkerweb-all-in-one:$VERSION
```
Optional rolling tag (`latest`) for stable releases only:
```sh
docker tag local/all-in-one:dev docker.io/$DOCKERHUB_ORG/bunkerweb-all-in-one:latest
docker tag local/all-in-one:dev ghcr.io/$GHCR_ORG/bunkerweb-all-in-one:latest
docker push docker.io/$DOCKERHUB_ORG/bunkerweb-all-in-one:latest
docker push ghcr.io/$GHCR_ORG/bunkerweb-all-in-one:latest
```
### Publish Linux packages to Packagecloud
Install and authenticate the `package_cloud` CLI, then upload generated packages.
Install CLI first:
```sh
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install -y ruby-full build-essential
sudo gem install package_cloud
# Fedora/RHEL
sudo dnf install -y ruby rubygems gcc make
sudo gem install package_cloud
```
```sh
export PACKAGECLOUD_REPO="<owner>/<repo>"
read -r -s -p "Packagecloud token: " PACKAGECLOUD_TOKEN
echo
export PACKAGECLOUD_TOKEN
```
Examples:
```sh
# Ubuntu/Debian
package_cloud push "$PACKAGECLOUD_REPO/ubuntu/jammy" package-ubuntu/*.deb
package_cloud push "$PACKAGECLOUD_REPO/debian/bookworm" package-debian-bookworm/*.deb
# Fedora/RHEL
package_cloud push "$PACKAGECLOUD_REPO/fedora/43" package-fedora-43/*.rpm
package_cloud push "$PACKAGECLOUD_REPO/el/9" package-rhel-9/*.rpm
```
Notes:
- Use the correct distribution path expected by your Packagecloud repository.
- Upload only release artifacts; avoid development flags (`SKIP_MINIFY`, `FPM_DEBUG`, `FPM_SKIP_COMPRESSION`) for publish builds.
- Verify repository retention, metadata, and signing policy before publishing.
- Run `unset PACKAGECLOUD_TOKEN` once uploads are complete.
## Quick Validation
```sh
# Check generated package files
ls -lh package-*/*.{deb,rpm} 2>/dev/null || true
ls -lh bunkerweb-*.pkg 2>/dev/null || true
# Check local images
docker image ls | grep -E 'local/(bunkerweb|scheduler|autoconf|ui|api|all-in-one)'
```

96
CHANGELOG.md
View file

@ -1,6 +1,100 @@
# Changelog
## v1.6.8 - 2026/02/??
## v1.6.9 - 2026/03/??
- [SECURITY] Implement `SafeFileSystemCache` for Web UI session storage with token regeneration on privilege changes, preventing session fixation attacks.
- [SECURITY] Sanitize uploaded filenames in the Web UI to strip path separators, null bytes, and control characters, preventing path traversal attacks.
- [SECURITY] Add tar extraction path filtering in `Let's Encrypt` certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables.
- [SECURITY] Validate IP addresses and service names across all ban management endpoints (API, Lua, UI, CLI) to prevent invalid data injection. Fix Redis key parsing for service names containing underscores.
- [BUGFIX] Close local database connections before forking worker processes to prevent file descriptor leaks and connection pool corruption.
- [BUGFIX] Fix race condition in instance update logic by using direct SQL `UPDATE` statements instead of ORM session operations.
- [BUGFIX] Ensure thread safety when managing the session factory by moving instance update operations outside the synchronization lock.
- [BUGFIX] Handle empty or unreadable certificates gracefully in Let's Encrypt `retrieve_certificates` and `retrieve_certificates_info` functions to prevent crashes during certificate enumeration.
- [BUGFIX] Enhance error handling for missing server name in SSL certificate functions to avoid crashes when the server name is not yet configured.
- [BUGFIX] Improve backup cleanup logic when replacing destination files to correctly remove leftover backups after a successful replacement.
- [BUGFIX] Mark the Flask session as modified when adding flash messages to ensure session data is correctly persisted across redirects.
- [BUGFIX] Fix Domeneshop DNS provider in the `Let's Encrypt` plugin to use the correct credential keys and ensure proper certificate generation.
- [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data.
- [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications.
- [BUGFIX] Validate gRPC host setting to only accept empty values or properly prefixed `grpc://` / `grpcs://` URIs.
- [BUGFIX] Properly close the database connection when the scheduler stops, and fix configuration generation flag to only reset after a successful reload.
- [BUGFIX] Add backup and rollback mechanism when deploying new configurations to BunkerWeb instances, preventing data loss if the file copy operation fails.
- [BUGFIX] Generate and deploy initial configuration on first start before running plugin jobs, ensuring API endpoints are available when jobs execute.
- [BUGFIX] Skip Content-Security-Policy header override in the antibot plugin when nonces are not available (e.g., HEAD requests), preventing malformed CSP headers.
- [UI] Add confetti animation and visual unlock effect when activating a PRO License Key in the Web UI.
- [UI] Fix service cloning to correctly strip the source service prefix from configuration keys, preventing settings from being ignored during import.
- [UI] Rate-limit worker restarts to prevent excessive restarts when multiple plugin reload triggers fire in quick succession.
- [UI] Fix crashes when CSRF validation or request teardown occurs outside a valid user context, improving stability during edge-case scenarios.
- [API] Add lifespan handler to properly close database connections on shutdown, preventing connection leaks.
- [DOCS] Update documentation and default configurations to remove the deprecated nightly CRS version and ensure full compatibility with CRS v4.
- [DOCS] Update Domeneshop DNS provider credential key names in documentation to match the corrected `client_token`/`client_secret` keys.
- [DOCS] Add documentation for the Cache PRO plugin covering response caching configuration and settings.
- [DEPS] Update coreruleset-v4 version to v4.24.1
## v1.6.9~rc4 - 2026/03/10
- [BUGFIX] Ensure script_nonce is available for security headers to prevent XSS attacks
## v1.6.9~rc3 - 2026/03/06
- [BUGFIX] Fix issues with the new `multiselect` logic where a custom separator can be used, but the default one (space) was still used if the separator was empty, which caused issues with settings that had an empty string as a value.
- [BUGFIX] Fix issue with the failover not sending the failover configuration if the reload failed, which caused the failover configuration to not be applied until the next successful reload.
- [FEATURE] Add field value redaction in Let's Encrypt plugin and update ZeroSSL API key handling to avoid exposing sensitive information in logs and process arguments. (Except in TRACE level logs for debugging purposes)
- [UI] Set `reuse_port` setting to `False` with gunicorn to avoid issues with workers not starting.
- [UI] Tweak plugins headers style to avoid the text moving the buttons out of the page when the header is too long.
- [UI] Add `MAX_CONTENT_LENGTH` setting to configure the maximum upload size (defaults to 50 MB).
- [UI/API] Add `MAX_REQUESTS` setting to configure Gunicorn max requests before worker restart (defaults to 1000), with `UI_MAX_REQUESTS` / `API_MAX_REQUESTS` as optional overrides.
- [API] Set `reuse_port` setting to `False` with gunicorn to avoid issues with workers not starting.
- [MISC] Enhance version comparison logic in update check
- [MISC] Enhance database connection management with configurable pool reset and session handling
- [MISC] Enhance database configuration options with `DATABASE_POOL_SIZE`, `DATABASE_POOL_MAX_OVERFLOW`, `DATABASE_POOL_TIMEOUT`, `DATABASE_POOL_RECYCLE`, `DATABASE_POOL_PRE_PING`, `DATABASE_POOL_RESET_ON_RETURN`, `DATABASE_RETRY_TIMEOUT`, `DATABASE_REQUEST_RETRY_ATTEMPTS` and `DATABASE_REQUEST_RETRY_DELAY` settings for improved performance, reliability and resilience of database interactions.
- [DEPS] Updated libmaxminddb version to v1.13.3
- [DEPS] Updated luajit2 version to v2.1-20260227
- [DEPS] Update coreruleset-v4 version to v4.24.0
## v1.6.9~rc2 - 2026/02/26
- [BUGFIX] Update reCAPTCHA handling to use ANTIBOT_RECAPTCHA_CLASSIC variable instead of session data to determine whether to use the classic reCAPTCHA response format or the new one, ensuring consistent behavior regardless of session state.
- [BUGFIX] Rename command argument to plugin_command for clarity and to avoid conflicts with other command arguments with bwcli.
- [FEATURE] Add new `file` setting type to allow users to upload files directly from the web UI and use their content as values for settings.
- [FEATURE] Add `Gandi` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add `Hetzner` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add certificate authority selection in the `Let's Encrypt` plugin to allow users to choose between `Let's Encrypt` and `ZeroSSL` as the certificate authority for their certificates (Also added ZeroSSL specific settings).
- [FEATURE] Add the possibility to whitelist/blacklist group of countries in the `Country` plugin.
- [UI] Add override non-global services functionality in global settings
- [UI] Make data columns in the reports page non orderable to avoid issues
- [UI] Add control socket configuration for gunicorn
- [UI] Enhance multiselect dropdown functionality and update the type of multiple settings to use it
- [ALL-IN-ONE] Update CrowdSec version to 1.7.6
- [AUTOCONF] Update gateway and ingress status patching to handle multiple IP addresses and Handle NodePort services if a load balancer IP is not available.
- [API] Add control socket configuration for gunicorn
- [MISC] Change type of `CUSTOM_SSL_CERT_DATA` and `CUSTOM_SSL_KEY_DATA` settings to `file` to allow users to upload their certificate and key files directly from the web UI.
- [MISC] Update default value for Permissions-Policy header to include an additional feature (`gamepad`).
- [DEPS] Update ApexCharts.js version to v5.6.0
- [DEPS] Update i18next version to v25.8.10
- [DEPS] Updated zlib version to v1.3.2
- [DEPS] Updated libmaxminddb version to v1.13.1
- [CONTRIBUTION] Thank you [Kn-ut99](https://github.com/Kn-ut99) for your contribution regarding the fix of a typo in the `Let's Encrypt` plugin's documentation.
## v1.6.9~rc1 - 2026/02/13
- [BUGFIX] Ensure variables are only added if they are defined in the environment file and are valid key-value pairs to prevent issues with malformed lines in the variables file.
- [BUGFIX] Add API token back for certbot hooks in environment configuration
- [FEATURE] Add `ClouDNS` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add new `CLIENT_BODY_TIMEOUT`, `CLIENT_HEADER_TIMEOUT`, `KEEPALIVE_TIMEOUT` and `SEND_TIMEOUT` settings to control the corresponding NGINX timeouts, allowing better handling of long-lived connections and preventing unintended timeouts.
- [FEATURE] Add a new `gRPC` plugin to allow proxying gRPC traffic to upstream gRPC services with support for TLS, SNI, custom headers and retry policies.
- [FEATURE] Make it possible to leave HTTP/HTTPS/STREAM/TLS ports empty to not listen on them.
- [AUTOCONF] Add experimental support for GRPCRoute in the Kubernetes integration to allow routing gRPC traffic based on Kubernetes Gateway API resources.
- [LINUX] Updated NGINX version to v1.28.2 for Fedora 42 and 43 integration
- [UI] Fix status for PHP plugin to not always be shown as activated
- [UI] Fix dark theme background for datatables actions
- [UI] Make it possible to edit settings with the `wizard` method in the web UI
- [UI] Enhance reports functionality with improved filter handling and data fetching
- [UI] Enhance home dashboard with new IP blocking metrics and improved tooltips
- [API] Fix redis sentinel issue when a password is set on the master node
- [MISC] Remove warning for uninitialized variables in default server configuration (as we control the configuration and we know that some variables may be uninitialized in some cases, especially for 400 errors)
## v1.6.8 - 2026/02/06
- [DOCS] Add forward proxy configuration for outgoing traffic
- [DEPS] Update coreruleset-v4 version to v4.23.0

184
CLAUDE.md
View file

@ -10,44 +10,72 @@ BunkerWeb is an open-source Web Application Firewall (WAF) built on NGINX with a
### Core Components
- **BunkerWeb Core** (`src/bw/`, `src/common/core/`): NGINX-based reverse proxy with security modules written in Lua and Python. Each security feature is a plugin with its own `plugin.json` configuration.
- **Scheduler** (`src/scheduler/`): Central orchestrator that manages configuration, executes jobs, generates NGINX configs, and acts as intermediary between components. This is the "brain" of BunkerWeb.
- **Autoconf** (`src/autoconf/`): Listens for Docker/Swarm/Kubernetes events and dynamically reconfigures BunkerWeb without container restarts.
- **API** (`src/api/`): FastAPI service for programmatic control of BunkerWeb instances.
- **Web UI** (`src/ui/`): Flask-based admin interface for managing instances, viewing blocked attacks, configuring settings, and monitoring jobs.
- **Database** (`src/common/db/`): Backend store (SQLite/MariaDB/MySQL/PostgreSQL) for configuration, metadata, cached files, and job execution state.
- **BunkerWeb Core** (`src/bw/`, `src/common/core/`): NGINX-based reverse proxy with security modules in Lua (request-time) and Python (jobs). Entry point: `src/bw/lua/bunkerweb.lua`.
- **Scheduler** (`src/scheduler/`): Central orchestrator ("brain"). `main.py` runs the main loop; `JobScheduler.py` manages job execution with thread pools. Uses Python's `schedule` library.
- **Autoconf** (`src/autoconf/`): Listens for Docker/Swarm/Kubernetes events and dynamically reconfigures BunkerWeb.
- **API** (`src/api/`): FastAPI service with router-based architecture (`src/api/app/routers/` — auth, instances, services, configs, plugins, jobs). IP whitelist and rate limiting support.
- **Web UI** (`src/ui/`): Flask app using Blueprints for routing (`src/ui/app/routes/` — configs, plugins, jobs, logs, instances, profile, etc.). Uses Flask-Login for auth and Jinja2 templates. `dependencies.py` is the central dependency injection point providing DB, DATA, BW_CONFIG, BW_INSTANCES_UTILS.
- **Database** (`src/common/db/`): SQLAlchemy ORM with `model.py` defining all tables (Plugins, Settings, Services, Jobs, Custom_configs, Users, etc.). `Database.py` wraps high-level query methods. Supports SQLite (WAL mode), MariaDB, MySQL, PostgreSQL with QueuePool for connection pooling.
### Configuration Flow
1. Settings are defined as environment variables (e.g., `USE_ANTIBOT=captcha`, `AUTO_LETS_ENCRYPT=yes`)
1. Settings defined as environment variables (e.g., `USE_ANTIBOT=captcha`, `AUTO_LETS_ENCRYPT=yes`)
2. Scheduler reads settings from environment or database
3. Configurator/Templator (`src/common/gen/`) generates NGINX configuration files from templates (`src/common/confs/`)
4. BunkerWeb instances reload with new configuration
5. In multisite mode, prefix settings with server name: `www.example.com_USE_ANTIBOT=captcha`
6. Multiple settings use numeric suffixes: `REVERSE_PROXY_URL_1=/api`, `REVERSE_PROXY_HOST_1=http://backend1`
3. **Configurator** (`src/common/gen/Configurator.py`) validates settings against `plugin.json` schemas with pre-compiled regex caches
4. **Templator** (`src/common/gen/Templator.py`) renders NGINX configs from Jinja2 templates (`src/common/confs/`) using ProcessPoolExecutor for parallel rendering
5. BunkerWeb instances reload with new configuration
6. In multisite mode, prefix settings with server name: `www.example.com_USE_ANTIBOT=captcha`
7. Multiple settings use numeric suffixes: `REVERSE_PROXY_URL_1=/api`, `REVERSE_PROXY_HOST_1=http://backend1`
### Plugin System
Each core module in `src/common/core/*/` is a plugin with:
Each core module in `src/common/core/*/` contains:
- `plugin.json`: Metadata, settings schema, validation regex
- Python jobs for periodic tasks (e.g., downloading blocklists)
- `plugin.json`: Metadata with settings schema (id, name, version, stream, settings with context/type/regex/default, jobs array with schedule/reload/async flags)
- `jobs/` folder: Python scripts for periodic tasks (e.g., downloading blocklists). Jobs specify `every` (once/minute/hour/day/week) and `reload` flag.
- Lua code for request-time processing
- NGINX configuration templates
- `confs/` folder: NGINX configuration templates
External plugins follow the same structure and can be installed via the Web UI or CLI.
External plugins follow the same structure.
### Lua Request Processing Pipeline
The Lua runtime (`src/bw/lua/`) processes requests through plugin hooks at NGINX phases: access, header_filter, body_filter, log. Key files:
- `plugin.lua`: Plugin loader and execution across phases
- `ctx.lua`: Per-request context management
- `datastore.lua`: Shared data persistence (shared dict backed)
- `cachestore.lua`: Request-level caching
- `clusterstore.lua`: Cluster-aware storage (Redis)
### Core Plugins (src/common/core/)
42 plugins organized by function:
- **Auth**: antibot (CAPTCHA), authbasic, mtls, crowdsec
- **Threat Detection**: modsecurity (OWASP WAF), badbehavior, dnsbl, reversescan
- **Access Control**: whitelist, blacklist, greylist, country, limit (rate limiting)
- **SSL/TLS**: ssl, letsencrypt, customcert, selfsigned
- **Proxy & Routing**: reverseproxy, realip, redirect, grpc, php
- **Performance**: gzip, brotli, clientcache, redis
- **Headers & Content**: headers, cors, inject, robotstxt, securitytxt
- **Management**: sessions, metrics, backup, templates, bunkernet, ui, db, jobs
### Shared Utilities (src/common/utils/)
- `common_utils.py`: Docker secrets handling, hashing, version info, integration detection
- `logger.py`: Logging with syslog support
- `jobs.py`: Job helpers (atomic writes, file hashing, tar operations)
- `ApiCaller.py`: HTTP client for inter-component API calls
## Development Commands
### Setup
```bash
# Install Python dependencies for a component
pip install -r src/scheduler/requirements.txt
pip install -r src/ui/requirements.txt
pip install -r src/api/requirements.txt
# Install pre-commit hooks
pre-commit install
```
@ -70,69 +98,56 @@ pre-commit run --all-files
# Individual tools
black . # Python formatting (160 char lines)
flake8 . # Python linting
flake8 . # Python linting (ignores E266,E402,E501,E722,W503)
stylua . # Lua formatting
luacheck src/ # Lua linting
luacheck src/ # Lua linting (--std min)
shellcheck scripts/*.sh # Shell script linting
prettier --write "**/*.{js,ts,css,html,json,yaml,md}" # Frontend formatting
```
### Documentation
```bash
# Serve docs locally with live reload
mkdocs serve --watch
# Build static docs
mkdocs build
codespell # Spell checking
refurb # Python refactoring suggestions (excludes tests/)
```
### Run Development Instance
```bash
# Iso-prod environment with all components
# Full stack with UI + API (recommended)
docker compose -f misc/dev/docker-compose.ui.api.yml up -d
# There are other compose files for different setups in misc/dev/
```
## Code Organization
Dev compose files in `misc/dev/`:
### Directory Structure
- `docker-compose.ui.api.yml` — Full stack (UI + API + core + MariaDB) — **recommended**
- `docker-compose.ui.yml` — UI only (no API)
- `docker-compose.all-in-one.yml` — Single container with all components
- `docker-compose.autoconf.yml` — Docker autoconf mode
- `docker-compose.wizard.yml` — Setup wizard
```
src/
├── all-in-one/ # Single container with all components
├── api/ # FastAPI service
├── autoconf/ # Docker/Swarm/K8s event listener
├── bw/ # BunkerWeb core (NGINX + Lua runtime)
├── common/ # Shared code
│ ├── api/ # API client library
│ ├── cli/ # Command-line interface (bwcli)
│ ├── confs/ # NGINX configuration templates
│ ├── core/ # Core security plugins (each is a module)
│ ├── db/ # Database abstraction + Alembic migrations
│ ├── gen/ # Configuration generator (Configurator, Templator)
│ ├── helpers/ # Healthcheck scripts
│ └── utils/ # Shared utilities
├── deps/ # Third-party dependencies (NGINX modules, Lua libs)
├── linux/ # Linux package build scripts (deb/rpm)
├── scheduler/ # Job scheduler and orchestrator
└── ui/ # Web UI (Flask app)
Dev credentials: UI `admin`/`P@ssw0rd`, API `admin`/`P@ssw0rd`, DB `bunkerweb`/`secret`.
docs/ # MkDocs documentation
examples/ # Integration examples with tests.json
tests/ # Integration test suites
misc/ # Utilities and scripts
The dev compose mounts `src/ui/app/` and `src/api/app/` as read-only volumes, so UI and API code changes apply without rebuilding (restart the container to pick up changes).
### Database Migrations
```bash
# Alembic migrations in src/common/db/alembic/
# Separate version directories per DB type: mariadb_versions, mysql_versions, postgresql_versions, sqlite_versions
# Migration scripts also in src/common/db/alembic/
```
### Key Files
## Key Files
- `src/common/settings.json`: Master list of all core settings with validation rules
- `src/scheduler/main.py`: Scheduler entry point, handles config generation and job execution
- `src/common/db/model.py`: SQLAlchemy ORM models for all tables
- `src/common/db/Database.py`: High-level database wrapper
- `src/common/gen/Configurator.py`: Settings validation engine
- `src/common/gen/Templator.py`: NGINX config renderer
- `src/scheduler/main.py`: Scheduler entry point
- `src/scheduler/JobScheduler.py`: Job execution orchestrator
- `src/ui/main.py`: Web UI entry point
- `src/ui/app/dependencies.py`: UI dependency injection (DB, DATA, BW_CONFIG)
- `src/api/app/core.py`: API entry point (imports all routers)
- `src/bw/lua/bunkerweb.lua`: Main Lua runtime initialization
- `pyproject.toml`: Project metadata (Black config: 160 char lines)
- `pyproject.toml`: Black config (160 char lines)
- `.pre-commit-config.yaml`: All linting/formatting rules
## Important Patterns
@ -144,51 +159,36 @@ misc/ # Utilities and scripts
### Security Modes
- `detect`: Log threats without blocking (for testing/debugging false positives)
- `detect`: Log threats without blocking
- `block`: Actively block threats (default)
### Integration Modes
Set one of these to `yes`:
Set one of these to `yes`: `AUTOCONF_MODE`, `SWARM_MODE`, `KUBERNETES_MODE`
- `AUTOCONF_MODE`: Docker autoconf (labels on containers)
- `SWARM_MODE`: Docker Swarm (labels on services)
- `KUBERNETES_MODE`: Kubernetes (Ingress resources)
### Database Migrations
Use Alembic for schema changes:
### Testing
```bash
# Located in src/common/db/alembic/
# Separate version directories for: mariadb, mysql, postgresql, sqlite
python3 tests/main.py docker # Docker integration tests
python3 tests/main.py autoconf # Autoconf tests
python3 tests/main.py swarm # Swarm tests
python3 tests/main.py kubernetes # Kubernetes tests
python3 tests/main.py linux debian # Linux tests (with distro)
```
## Testing Philosophy
- Integration tests use real Docker environments with actual HTTP requests
- Each example has a `tests.json` defining test scenarios (HTTP status codes, response content, timing)
- Tests verify observable behavior, not internals
- For regressions, add a test case to the relevant example's `tests.json`
## Configuration Best Practices
- Never commit secrets (use `env/` templates for examples)
- Settings are validated against regex in `plugin.json`
- Custom NGINX configs go in designated directories or via Web UI
- ModSecurity custom rules follow the same pattern
- Multi-language UI translations in `src/ui/app/static/locales/`
- Tests scan `examples/*/tests.json` for test scenarios (type: string/status, url, expected results)
- Real Docker environments with actual HTTP requests — tests verify observable behavior, not internals
## Key Conventions
- Python: snake_case (modules/functions), PascalCase (classes), Black formatting at 160 chars
- Lua: lowercase module names, descriptive function names, StyLua formatting
- Shell: POSIX-compatible unless `#!/bin/bash` shebang, pass ShellCheck
- Commit messages: Use Conventional Commits (`feat:`, `fix:`, `docs:`) or `<component> - ...` format
- Commit messages: Conventional Commits (`feat:`, `fix:`, `docs:`) or `<component> - ...` format
- UI translations in `src/ui/app/static/locales/`
## External Resources
- Documentation: https://docs.bunkerweb.io
- Official Plugins: https://github.com/bunkerity/bunkerweb-plugins
- Web UI Demo: https://demo-ui.bunkerweb.io
- Discord: https://discord.com/invite/fTf46FmtyD
- Documentation: <https://docs.bunkerweb.io>
- Official Plugins: <https://github.com/bunkerity/bunkerweb-plugins>
- Web UI Demo: <https://demo-ui.bunkerweb.io>

88
README.md
View file

@ -1,5 +1,5 @@
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/misc/logo.png" height=100 width=350 />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/misc/logo.png" height=100 width=350 />
</p>
<p align="center">
@ -12,9 +12,11 @@
<br />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/dev.yml?branch=dev&label=CI%2FCD%20dev" />
<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/staging.yml?branch=staging&label=CI%2FCD%20staging" />
<br />
<a href="https://www.bestpractices.dev/projects/8001">
<img src="https://www.bestpractices.dev/projects/8001/badge">
</a>
<a href="https://gitrated.com/bunkerity/bunkerweb"><img src="https://gitrated.com/bunkerity/bunkerweb/badge" alt="GitRated rating" /></a>
</p>
<p align="center">
@ -30,7 +32,7 @@
&#124;
🧩 <a href="https://github.com/bunkerity/bunkerweb-templates">Templates</a>
&#124;
🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/examples">Examples</a>
🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/examples">Examples</a>
<br/>
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
&#124;
@ -50,14 +52,14 @@
# BunkerWeb
<p align="center">
<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/intro-overview.svg" />
<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is a next-generation, open-source Web Application Firewall (WAF).
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default." BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) as a reverse proxy and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.6.8/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use cases. In other words, cybersecurity is no longer a hassle.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default." BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) as a reverse proxy and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.6.9/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use cases. In other words, cybersecurity is no longer a hassle.
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.6.8/advanced/?utm_campaign=self&utm_source=github#security-tuning) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.6.8/plugins/?utm_campaign=self&utm_source=github).
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github).
## Why BunkerWeb?
@ -84,7 +86,7 @@ A non-exhaustive list of security features:
- **Block known bad IPs** with external blacklists and DNSBL
- And much more...
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.6.8/advanced/?utm_campaign=self&utm_source=github#security-tuning) section of the documentation.
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) section of the documentation.
## Demo
@ -119,13 +121,13 @@ When using BunkerWeb, you have the choice of the version you want to use: open-s
Whether it's enhanced security, an enriched user experience, or technical monitoring, the BunkerWeb PRO version allows you to fully benefit from BunkerWeb and meet your professional needs.
In the documentation or the user interface, PRO features are annotated with a crown <img src="https://docs.bunkerweb.io/1.6.8/assets/img/pro-icon.svg" alt="crown pro icon" height="32px" width="32px"> to distinguish them from those integrated into the open-source version.
In the documentation or the user interface, PRO features are annotated with a crown <img src="https://docs.bunkerweb.io/1.6.9/assets/img/pro-icon.svg" alt="crown pro icon" height="32px" width="32px"> to distinguish them from those integrated into the open-source version.
You can upgrade from the open-source version to the PRO one easily and at any time. The process is straightforward:
- Claim your [free trial on the BunkerWeb panel](https://panel.bunkerweb.io/store/bunkerweb-pro?utm_campaign=self&utm_source=doc) by using the `freetrial` promo code at checkout
- Once connected to the client area, copy your PRO license key
- Paste your license key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.6.8/web-ui/#upgrade-to-pro) or a [specific setting](https://docs.bunkerweb.io/1.6.8/features/#pro)
- Paste your license key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.6.9/web-ui/#upgrade-to-pro) or a [specific setting](https://docs.bunkerweb.io/1.6.9/features/#pro)
Do not hesitate to visit the [BunkerWeb panel](https://panel.bunkerweb.io/knowledgebase?utm_campaign=self&utm_source=doc) or [contact us](https://panel.bunkerweb.io/contact.php?utm_campaign=self&utm_source=doc) if you have any questions regarding the PRO version.
@ -158,10 +160,10 @@ Community and social networks:
# Concepts
<p align="center">
<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/concepts.svg" />
<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.6.8/concepts/?utm_campaign=self&utm_source=github).
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.6.9/concepts/?utm_campaign=self&utm_source=github).
## Integrations
@ -169,12 +171,12 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported:
- [Docker](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker)
- [Linux](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#linux)
- [Docker autoconf](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Kubernetes](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Swarm](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Microsoft Azure](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
- [Docker](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker)
- [Linux](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#linux)
- [Docker autoconf](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Kubernetes](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Swarm](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Microsoft Azure](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
## Settings
@ -204,7 +206,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.6.8/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
@ -213,7 +215,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall:
## Database
<p align="center">
<img alt="Database model" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/bunkerweb_db.svg" />
<img alt="Database model" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/bunkerweb_db.svg" />
</p>
The state of the current configuration of BunkerWeb is stored in a backend database which contains the following data:
@ -242,7 +244,7 @@ In other words, the scheduler is the brain of BunkerWeb.
<!--## BunkerWeb Cloud
<p align="center">
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/bunkerweb-cloud.webp" />
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/bunkerweb-cloud.webp" />
</p>
BunkerWeb Cloud is the easiest way to get started with BunkerWeb. It offers you a fully managed BunkerWeb service with no hassle. Think of it like a BunkerWeb-as-a-Service!
@ -252,7 +254,7 @@ You will find more information about BunkerWeb Cloud beta [here](https://www.bun
## Linux
<p align="center">
<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-linux.svg" />
<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros:
@ -272,7 +274,7 @@ You will find more information in the [Linux section](https://docs.bunkerweb.io/
## Docker
<p align="center">
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-docker.svg" />
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-docker.svg" />
</p>
We provide ready-to-use prebuilt images for x64, x86, armv7, and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
@ -283,63 +285,63 @@ Docker integration key concepts are:
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update, which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
## Kubernetes
<p align="center">
<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
The official [Helm chart](https://helm.sh/) for BunkerWeb is available in the [bunkerity/bunkerweb-helm repository](https://github.com/bunkerity/bunkerweb-helm).
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
## Microsoft Azure
<p align="center">
<img alt="Azure banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-azure.webp" />
<img alt="Azure banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-azure.webp" />
</p>
BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and an ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/misc/integrations/azure-arm-template.json).
BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and an ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/misc/integrations/azure-arm-template.json).
You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
## Swarm
<p align="center">
<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.8/docs/assets/img/integration-swarm.svg" />
<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.6.8/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
# Quickstart guide
Once you have set up BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.6.8/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the installation and first configuration to protect a web service.
Once you have set up BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.6.9/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the installation and first configuration to protect a web service.
# Security tuning
BunkerWeb offers many security features that you can configure with [features](https://docs.bunkerweb.io/1.6.8/features/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default," we strongly recommend you to tune them. By doing so, you will be able to ensure a security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [features](https://docs.bunkerweb.io/1.6.9/features/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default," we strongly recommend you to tune them. By doing so, you will be able to ensure a security level of your choice but also manage false positives.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.6.8/advanced/?utm_campaign=self&utm_source=github#security-tuning) of the documentation.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) of the documentation.
# Settings
@ -347,7 +349,7 @@ As a general rule, when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple," it means that you can have multiple groups of settings for the same feature by adding numbers as suffixes like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
Check the [features section](https://docs.bunkerweb.io/1.6.8/features/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
Check the [features section](https://docs.bunkerweb.io/1.6.9/features/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
# Web UI
@ -366,7 +368,7 @@ Here is the list of features offered by the web UI:
- Monitor job execution and restart them when needed
- View the logs and search patterns
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.6.8/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.6.9/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
# Plugins
@ -383,7 +385,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| **VirusTotal** | 1.9 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.6.8/plugins/?utm_campaign=self&utm_source=github) of the documentation.
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github) of the documentation.
# Language Support & Localization
@ -407,7 +409,7 @@ BunkerWeb UI supports multiple languages. Translations are managed in the `src/u
- Urdu (ur)
- Simplified Chinese (zh)
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/src/ui/app/static/locales/README.md) for details on translation provenance and review status.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/src/ui/app/static/locales/README.md) for details on translation provenance and review status.
## Contributing Translations
@ -423,7 +425,7 @@ We welcome contributions to improve or add new locale files!
For updates, edit the relevant file and update the provenance table as needed.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/src/ui/app/static/locales/README.md) for full guidelines.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/src/ui/app/static/locales/README.md) for full guidelines.
# Support
@ -446,15 +448,15 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/LICENSE.md).
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/LICENSE.md).
# Contribute
If you would like to contribute to the plugins, you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/CONTRIBUTING.md) to get started.
If you would like to contribute to the plugins, you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/CONTRIBUTING.md) to get started.
# Security policy
We take security bugs as serious issues and encourage responsible disclosure; see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.6.8/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure; see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/SECURITY.md) for more information.
# Star History

189
docs/advanced.md
View file

@ -1,8 +1,8 @@
# Advanced usages
Many real-world use case examples are available in the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) folder of the GitHub repository.
Many real-world use case examples are available in the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) folder of the GitHub repository.
We also provide numerous boilerplates, such as YAML files for various integrations and database types. These are available in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) folder.
We also provide numerous boilerplates, such as YAML files for various integrations and database types. These are available in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) folder.
This section only focuses on advanced usages and security tuning, see the [features section](features.md) of the documentation to see all the available settings.
@ -85,7 +85,7 @@ You will find more settings about real IP in the [features section](features.md#
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Please note that if your container is already created, you will need to delete it and recreate it so the new environment variables will be updated.
@ -96,7 +96,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -104,7 +104,7 @@ You will find more settings about real IP in the [features section](features.md#
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -121,7 +121,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -129,7 +129,7 @@ You will find more settings about real IP in the [features section](features.md#
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -176,7 +176,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -184,7 +184,7 @@ You will find more settings about real IP in the [features section](features.md#
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -249,7 +249,7 @@ You will find more settings about real IP in the [features section](features.md#
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Please note that if your container is already created, you will need to delete it and recreate it so the new environment variables will be updated.
@ -260,7 +260,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -270,7 +270,7 @@ You will find more settings about real IP in the [features section](features.md#
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -288,7 +288,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -298,7 +298,7 @@ You will find more settings about real IP in the [features section](features.md#
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -350,7 +350,7 @@ You will find more settings about real IP in the [features section](features.md#
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -360,7 +360,7 @@ You will find more settings about real IP in the [features section](features.md#
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -485,8 +485,8 @@ The Manager is the brain of the cluster. It runs the Scheduler, Database, and op
```bash
# Download script and checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -585,7 +585,7 @@ The Manager is the brain of the cluster. It runs the Scheduler, Database, and op
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: "192.168.1.11 192.168.1.12" # Replace with your worker IPs
@ -604,7 +604,7 @@ The Manager is the brain of the cluster. It runs the Scheduler, Database, and op
- bw-redis
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
ports:
- "7000:7000" # Expose the Web UI port
environment:
@ -687,7 +687,7 @@ Workers are the nodes that process incoming traffic.
```yaml title="docker-compose.yml"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -992,7 +992,7 @@ To enable systemd-resolved as your DNS resolver in BunkerWeb, set the `DNS_RESOL
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1020,7 +1020,7 @@ To enable systemd-resolved as your DNS resolver in BunkerWeb, set the `DNS_RESOL
- bw-dns
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1031,7 +1031,7 @@ To enable systemd-resolved as your DNS resolver in BunkerWeb, set the `DNS_RESOL
- bw-dns
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1145,7 +1145,7 @@ Some integrations provide more convenient ways to apply configurations, such as
}" \
-p 80:8080/tcp \
-p 443:8443/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Please note that if your container is already created, you will need to delete it and recreate it for the new environment variables to be applied.
@ -1185,7 +1185,7 @@ Some integrations provide more convenient ways to apply configurations, such as
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1208,7 +1208,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1251,7 +1251,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1321,7 +1321,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1551,7 +1551,7 @@ For complete list of settings regarding `stream` mode, please refer to the [feat
-p 443:8443/udp \
-p 10000:10000/tcp \
-p 20000:20000/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Please note that if your container is already created, you will need to delete it and recreate it for the new environment variables to be applied.
@ -1574,7 +1574,7 @@ For complete list of settings regarding `stream` mode, please refer to the [feat
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Keep it if you want to use Let's Encrypt automation when using http challenge type
- "10000:10000" # app1
@ -1589,7 +1589,7 @@ For complete list of settings regarding `stream` mode, please refer to the [feat
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1640,7 +1640,7 @@ For complete list of settings regarding `stream` mode, please refer to the [feat
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Keep it if you want to use Let's Encrypt automation when using http challenge type
- "10000:10000" # app1
@ -1870,7 +1870,7 @@ For complete list of settings regarding `stream` mode, please refer to the [feat
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
# Keep it if you want to use Let's Encrypt automation when using http challenge type
- published: 80
@ -2000,7 +2000,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Please note that if your container is already created, you will need to delete it and recreate it for the new environment variables to be applied.
@ -2044,7 +2044,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2059,7 +2059,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -2153,7 +2153,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@ -2166,7 +2166,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2181,7 +2181,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2421,7 +2421,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
volumes:
- /shared/www:/var/www/html
...
@ -2520,7 +2520,7 @@ By default, BunkerWeb will only listen on IPv4 addresses and won't use IPv6 for
```yaml
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
USE_IPv6: "yes"
@ -2660,7 +2660,7 @@ LOG_LEVEL_1=error
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2673,7 +2673,7 @@ LOG_LEVEL_1=error
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -2690,7 +2690,7 @@ LOG_LEVEL_1=error
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
volumes:
@ -2825,7 +2825,7 @@ You can configure the logging driver for your services in your `docker-compose.y
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
logging:
driver: "json-file"
options:
@ -2934,7 +2934,7 @@ The commonly used variables are:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
If the container already exists, recreate it to apply the new environment.
@ -2945,7 +2945,7 @@ The commonly used variables are:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -2964,7 +2964,7 @@ The commonly used variables are:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3007,7 +3007,7 @@ The commonly used variables are:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3959,11 +3959,11 @@ Templates use Lua template syntax with the following delimiters:
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
# ... other settings (no environment variables needed here for custom pages)
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./templates:/custom_templates:ro
environment:
@ -4046,7 +4046,7 @@ Templates use Lua template syntax with the following delimiters:
spec:
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
env:
- name: CUSTOM_ERROR_PAGE
value: "/custom_templates/error.html"
@ -4264,7 +4264,9 @@ Common hardening/tuning options:
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM support :x:
<p align="center">
<iframe style="display: block;" width="560" height="315" data-src="https://www.youtube-nocookie.com/embed/3oZOO1XdSlc" title="OpenAPI Validator" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</p>
The **OpenAPI Validator** plugin enforces your API contract by validating incoming requests against an OpenAPI / Swagger specification. It ensures the requested path exists, the HTTP method is allowed, and optionally validates query, header, cookie, and path parameters against their schema definitions.
@ -4314,3 +4316,82 @@ Set the minimum values per protected service:
Optionally allow unknown paths during rollout:
- `OPENAPI_ALLOW_UNSPECIFIED=yes`
## Cache <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM support :x:
The Cache PRO plugin enables response caching at the reverse proxy level using NGINX `proxy_cache*` directives. It is useful when you want to absorb repeated reads for cacheable content, shield upstreams from bursts, or serve stale content during short backend failures.
**How it works**
1. Each global `CACHE_PATH*` value creates a `proxy_cache_path` directive in the HTTP context.
2. A service starts using the cache only when `CACHE_ZONE` is set to one of the zones declared in `CACHE_PATH*`.
3. Service-level settings then control the cache key, methods, bypass conditions, stale behavior, locking, and validity rules.
4. If `CACHE_HEADER` is set, BunkerWeb adds a response header exposing `$upstream_cache_status` such as `HIT`, `MISS`, `BYPASS`, `EXPIRED`, or `STALE`.
**List of features**
- Reverse-proxy response caching with configurable cache paths and zones.
- Per-service cache activation through `CACHE_ZONE`.
- Optional cache status response header with `$upstream_cache_status`.
- Fine-grained cache controls for bypass, no-cache, keying, methods, locking, stale handling, and revalidation.
- Multiple cache validity rules via repeated `CACHE_VALID*` settings.
**List of settings**
| Setting | Default | Context | Multiple | Description |
| --------------------------- | --------------------------------- | --------- | -------- | ------------------------------------------------------------------------ |
| `CACHE_PATH` | | global | yes | Path and parameters for a cache. |
| `CACHE_ZONE` | | multisite | no | Name of cache zone to use (specified in a `CACHE_PATH` setting). |
| `CACHE_HEADER` | `X-Cache` | multisite | no | Add a header exposing cache status. |
| `CACHE_BACKGROUND_UPDATE` | `no` | multisite | no | Refresh expired cache entries in background while serving stale content. |
| `CACHE_BYPASS` | | multisite | no | Variables that force a request to skip reading from cache. |
| `CACHE_NO_CACHE` | `$http_pragma$http_authorization` | multisite | no | Variables that prevent storing the upstream response in cache. |
| `CACHE_KEY` | `$scheme$proxy_host$request_uri` | multisite | no | Cache key used to identify objects. |
| `CACHE_CONVERT_HEAD_TO_GET` | `yes` | multisite | no | Convert `HEAD` requests to `GET` when caching. |
| `CACHE_LOCK` | `no` | multisite | no | Serialize concurrent misses for the same key. |
| `CACHE_LOCK_AGE` | `5s` | multisite | no | Maximum age of a cache lock before requests are allowed upstream. |
| `CACHE_LOCK_TIMEOUT` | `5s` | multisite | no | Maximum time to wait on a cache lock before bypassing it. |
| `CACHE_METHODS` | `GET HEAD` | multisite | no | HTTP methods eligible for caching. |
| `CACHE_MIN_USES` | `1` | multisite | no | Number of identical requests before storing the response. |
| `CACHE_REVALIDATE` | `no` | multisite | no | Revalidate expired entries with conditional upstream requests. |
| `CACHE_USE_STALE` | `off` | multisite | no | Conditions that allow serving stale content. |
| `CACHE_VALID` | `10m` | multisite | yes | Cache duration, optionally scoped to one or more status codes. |
**Usage example**
1. Define a global cache path and zone:
```yaml
CACHE_PATH: "/var/cache/bunkerweb/proxy levels=1:2 keys_zone=htmlcache:10m max_size=1g inactive=60m use_temp_path=off"
```
2. Enable the reverse proxy and attach the zone to a service:
```yaml
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_HOST: "http://app:8080"
www.example.com_CACHE_ZONE: "htmlcache"
www.example.com_CACHE_HEADER: "X-Cache"
www.example.com_CACHE_VALID: "200 301 302 10m"
www.example.com_CACHE_VALID_1: "404 1m"
```
3. Add optional controls when needed:
```yaml
www.example.com_CACHE_BYPASS: "$cookie_nocache $arg_nocache"
www.example.com_CACHE_NO_CACHE: "$http_pragma $http_authorization"
www.example.com_CACHE_LOCK: "yes"
www.example.com_CACHE_BACKGROUND_UPDATE: "yes"
www.example.com_CACHE_USE_STALE: "error timeout updating http_500 http_502 http_503 http_504"
```
!!! info "Important behavior"
- This plugin only applies to reverse-proxied traffic. It does not cache content served directly from local static files or stream/TCP services.
- `CACHE_ZONE` must match a zone defined in a `CACHE_PATH*` value through `keys_zone=<name>:<size>`.
- If `CACHE_ZONE` is empty for a service, cache directives are not applied for that service.
- Use numeric suffixes for repeated values such as `CACHE_PATH_1`, `CACHE_PATH_2`, `CACHE_VALID_1`, and `CACHE_VALID_2`.
- Keep authenticated or user-specific traffic out of cache unless your `CACHE_KEY` explicitly varies on that state.
- `CACHE_LOCK=yes` and `CACHE_BACKGROUND_UPDATE=yes` help reduce origin stampedes on hot keys.

11
docs/api.md
View file

@ -41,7 +41,7 @@ Choose the flavor that matches your environment.
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Choose the flavor that matches your environment.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -76,7 +76,7 @@ Choose the flavor that matches your environment.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.8
image: bunkerity/bunkerweb-api:1.6.9
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -143,7 +143,7 @@ Choose the flavor that matches your environment.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Linux"
@ -266,7 +266,7 @@ Disable docs or schema by setting their URLs to `off|disabled|none|false|0`. Set
| -------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------- | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Paths for Swagger, ReDoc, and OpenAPI schema; set to `off/disabled/none/false/0` to disable | Path or `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Mount prefix when reverse-proxying | Path (e.g. `/api`) | empty |
| `API_FORWARDED_ALLOW_IPS` | Trusted proxy IPs for `X-Forwarded-*` | Comma-separated IPs/CIDRs | `127.0.0.1,::1` (package default) |
| `API_FORWARDED_ALLOW_IPS` | Trusted proxy IPs for `X-Forwarded-*` | Comma-separated IPs/CIDRs | `127.0.0.1,::1` (package default) |
| `API_PROXY_ALLOW_IPS` | Trusted proxy IPs for PROXY protocol | Comma-separated IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
#### Auth, ACL, Biscuit
@ -338,6 +338,7 @@ Disable docs or schema by setting their URLs to `off|disabled|none|false|0`. Set
| `LOG_SYSLOG_ADDRESS` | Syslog target (`udp://host:514`, `tcp://host:514`, socket) | Host:port, proto-prefixed host, or socket path | unset |
| `LOG_SYSLOG_TAG` | Syslog tag | String | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn workers/threads | Integer or unset for auto | unset |
| `MAX_REQUESTS` | Requests before a Gunicorn worker is recycled (prevents memory bloat) | Integer | `1000` |
| `CAPTURE_OUTPUT` | Capture Gunicorn stdout/stderr into the configured handlers | `yes` or `no` | `no` |
## API surface (capability map)

4
docs/concepts.md
View file

@ -105,7 +105,7 @@ Please note that multisite mode is implicit when using the web User Interface. Y
!!! info "Going further"
You will find concrete examples of multisite mode in the [advanced usages](advanced.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) directory of the repository.
You will find concrete examples of multisite mode in the [advanced usages](advanced.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) directory of the repository.
## Custom configurations {#custom-configurations}
@ -126,7 +126,7 @@ Managing custom configurations from the web User Interface is done through the *
!!! info "Going further"
You will find concrete examples of custom configurations in the [advanced usages](advanced.md#custom-configurations) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) directory of the repository.
You will find concrete examples of custom configurations in the [advanced usages](advanced.md#custom-configurations) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) directory of the repository.
## Database

205
docs/de/advanced.md
View file

@ -1,8 +1,8 @@
# Fortgeschrittene Nutzungen
Viele Beispiele für reale Anwendungsfälle sind im Ordner [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) des GitHub-Repositorys verfügbar.
Viele Beispiele für reale Anwendungsfälle sind im Ordner [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) des GitHub-Repositorys verfügbar.
Wir stellen auch zahlreiche Boilerplates zur Verfügung, wie z. B. YAML-Dateien für verschiedene Integrationen und Datenbanktypen. Diese sind im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) verfügbar.
Wir stellen auch zahlreiche Boilerplates zur Verfügung, wie z. B. YAML-Dateien für verschiedene Integrationen und Datenbanktypen. Diese sind im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) verfügbar.
Dieser Abschnitt konzentriert sich nur auf fortgeschrittene Nutzungen und Sicherheits-Tuning. Informationen zu allen verfügbaren Einstellungen finden Sie im [Features-Abschnitt](features.md) der Dokumentation.
@ -85,7 +85,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Bitte beachten Sie, dass Sie, wenn Ihr Container bereits erstellt wurde, ihn löschen und neu erstellen müssen, damit die neuen Umgebungsvariablen aktualisiert werden.
@ -96,7 +96,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -104,7 +104,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -121,7 +121,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -129,7 +129,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -176,7 +176,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -184,7 +184,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -249,7 +249,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Bitte beachten Sie, dass Sie, wenn Ihr Container bereits erstellt wurde, ihn löschen und neu erstellen müssen, damit die neuen Umgebungsvariablen aktualisiert werden.
@ -260,7 +260,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -270,7 +270,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -288,7 +288,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -298,7 +298,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -350,7 +350,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -360,7 +360,7 @@ Weitere Einstellungen zur echten IP finden Sie im [Features-Abschnitt](features.
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -485,8 +485,8 @@ Der Manager ist das Gehirn des Clusters. Er führt den Scheduler, die Datenbank
```bash
# Skript und Checksumme laden
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Prüfsumme verifizieren
sha256sum -c install-bunkerweb.sh.sha256
@ -585,7 +585,7 @@ Der Manager ist das Gehirn des Clusters. Er führt den Scheduler, die Datenbank
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: "192.168.1.11 192.168.1.12" # Ersetzen durch die IPs Ihrer Worker
@ -604,7 +604,7 @@ Der Manager ist das Gehirn des Clusters. Er führt den Scheduler, die Datenbank
- bw-redis
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
ports:
- "7000:7000" # UI-Port veröffentlichen
environment:
@ -687,7 +687,7 @@ Worker sind die Knoten, die den eingehenden Verkehr verarbeiten.
```yaml title="docker-compose.yml"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -992,7 +992,7 @@ Um systemd-resolved als Ihren DNS-Resolver in BunkerWeb zu aktivieren, setzen Si
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1020,7 +1020,7 @@ Um systemd-resolved als Ihren DNS-Resolver in BunkerWeb zu aktivieren, setzen Si
- bw-dns
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1031,7 +1031,7 @@ Um systemd-resolved als Ihren DNS-Resolver in BunkerWeb zu aktivieren, setzen Si
- bw-dns
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1145,7 +1145,7 @@ Einige Integrationen bieten bequemere Möglichkeiten zum Anwenden von Konfigurat
}" \
-p 80:8080/tcp \
-p 443:8443/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Bitte beachten Sie, dass Sie, wenn Ihr Container bereits erstellt wurde, ihn löschen und neu erstellen müssen, damit die neuen Umgebungsvariablen angewendet werden.
@ -1185,7 +1185,7 @@ Einige Integrationen bieten bequemere Möglichkeiten zum Anwenden von Konfigurat
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1208,7 +1208,7 @@ Einige Integrationen bieten bequemere Möglichkeiten zum Anwenden von Konfigurat
```yaml
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1251,7 +1251,7 @@ Einige Integrationen bieten bequemere Möglichkeiten zum Anwenden von Konfigurat
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1321,7 +1321,7 @@ Einige Integrationen bieten bequemere Möglichkeiten zum Anwenden von Konfigurat
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1552,7 +1552,7 @@ Eine vollständige Liste der Einstellungen für den `stream`-Modus finden Sie im
-p 443:8443/udp \
-p 10000:10000/tcp \
-p 20000:20000/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Bitte beachten Sie, dass Sie, wenn Ihr Container bereits erstellt wurde, ihn löschen und neu erstellen müssen, damit die neuen Umgebungsvariablen angewendet werden.
@ -1575,7 +1575,7 @@ Eine vollständige Liste der Einstellungen für den `stream`-Modus finden Sie im
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Behalten, wenn Sie die Let's Encrypt-Automatisierung mit dem http-Challenge-Typ verwenden möchten
- "10000:10000" # app1
@ -1590,7 +1590,7 @@ Eine vollständige Liste der Einstellungen für den `stream`-Modus finden Sie im
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Diese Einstellung ist obligatorisch, um die BunkerWeb-Instanz anzugeben
@ -1641,7 +1641,7 @@ Eine vollständige Liste der Einstellungen für den `stream`-Modus finden Sie im
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Behalten, wenn Sie die Let's Encrypt-Automatisierung mit dem http-Challenge-Typ verwenden möchten
- "10000:10000" # app1
@ -1871,7 +1871,7 @@ Eine vollständige Liste der Einstellungen für den `stream`-Modus finden Sie im
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
# Behalten, wenn Sie die Let's Encrypt-Automatisierung mit dem http-Challenge-Typ verwenden möchten
- published: 80
@ -2001,7 +2001,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Bitte beachten Sie, dass Sie, wenn Ihr Container bereits erstellt wurde, ihn löschen und neu erstellen müssen, damit die neuen Umgebungsvariablen angewendet werden.
@ -2045,7 +2045,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2060,7 +2060,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Diese Einstellung ist obligatorisch, um die BunkerWeb-Instanz anzugeben
@ -2154,7 +2154,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@ -2167,7 +2167,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "" # Wir müssen die BunkerWeb-Instanz hier nicht angeben, da sie automatisch vom Autoconf-Dienst erkannt werden
@ -2182,7 +2182,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2422,7 +2422,7 @@ BunkerWeb unterstützt PHP über externe oder entfernte [PHP-FPM](https://www.ph
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
volumes:
- /shared/www:/var/www/html
...
@ -2521,7 +2521,7 @@ Standardmäßig lauscht BunkerWeb nur auf IPv4-Adressen und verwendet kein IPv6
```yaml
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
USE_IPv6: "yes"
@ -2661,7 +2661,7 @@ LOG_LEVEL_1=error
services:
bunkerweb:
# Dies ist der Name, der zur Identifikation der Instanz im Scheduler verwendet wird
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2674,7 +2674,7 @@ LOG_LEVEL_1=error
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Stellen Sie sicher, dass Sie den richtigen Instanznamen setzen
@ -2691,7 +2691,7 @@ LOG_LEVEL_1=error
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
volumes:
@ -2826,7 +2826,7 @@ Sie können den Protokollierungstreiber für Ihre Dienste in Ihrer `docker-compo
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
logging:
driver: "json-file"
options:
@ -2935,7 +2935,7 @@ Die üblichen Variablen sind:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Wenn der Container bereits existiert, erstellen Sie ihn neu, um die neue Umgebung anzuwenden.
@ -2946,7 +2946,7 @@ Die üblichen Variablen sind:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -2965,7 +2965,7 @@ Die üblichen Variablen sind:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3008,7 +3008,7 @@ Die üblichen Variablen sind:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3960,11 +3960,11 @@ Vorlagen verwenden Lua-Vorlagensyntax mit den folgenden Trennzeichen:
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
# ... andere Einstellungen (keine Umgebungsvariablen für Custom Pages hier benötigt)
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./templates:/custom_templates:ro
environment:
@ -4047,7 +4047,7 @@ Vorlagen verwenden Lua-Vorlagensyntax mit den folgenden Trennzeichen:
spec:
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
env:
- name: CUSTOM_ERROR_PAGE
value: "/custom_templates/error.html"
@ -4265,7 +4265,9 @@ Häufige Hardening-/Tuning-Optionen:
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM-Unterstützung :x:
<p align="center">
<iframe style="display: block;" width="560" height="315" data-src="https://www.youtube-nocookie.com/embed/3oZOO1XdSlc" title="OpenAPI Validator" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</p>
Das **OpenAPI Validator** Plugin setzt Ihren API-Vertrag durch, indem es eingehende Anfragen gegen eine OpenAPI / Swagger Spezifikation validiert. Es stellt sicher, dass der angeforderte Pfad existiert, die HTTP-Methode erlaubt ist und validiert optional Abfrage-, Header-, Cookie- und Pfadparameter gegen deren Schema-Definitionen.
@ -4286,16 +4288,16 @@ Das **OpenAPI Validator** Plugin setzt Ihren API-Vertrag durch, indem es eingehe
### Konfiguration
| Einstellung | Standard | Kontext | Mehrfach | Beschreibung |
| ---------------------------- | ------------------------------------ | --------- | -------- | ---------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | nein | Aktiviert die OpenAPI-Routenvalidierung für diese Seite. |
| `OPENAPI_SPEC` | | multisite | nein | Absoluter Pfad oder HTTP(S)-URL zum OpenAPI-Dokument im JSON/YAML-Format. |
| Einstellung | Standard | Kontext | Mehrfach | Beschreibung |
| ---------------------------- | ------------------------------------ | --------- | -------- | ------------------------------------------------------------------------------------ |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | nein | Aktiviert die OpenAPI-Routenvalidierung für diese Seite. |
| `OPENAPI_SPEC` | | multisite | nein | Absoluter Pfad oder HTTP(S)-URL zum OpenAPI-Dokument im JSON/YAML-Format. |
| `OPENAPI_BASE_PATH` | | multisite | nein | Optionaler Basispfad-Präfix, der jedem Pfad in der Spezifikation vorangestellt wird. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | nein | Erlaubt Anfragen an Pfade, die nicht in der Spezifikation aufgeführt sind. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | nein | Erlaubt Anfragen an Pfade, die nicht in der Spezifikation aufgeführt sind. |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | nein | Erlaubt das Abrufen der OpenAPI-Spezifikation über einfaches HTTP (nicht empfohlen). |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | nein | Leerzeichengetrennte Liste von URL-Regexes zur Umgehung der OpenAPI-Validierung. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | nein | Maximal erlaubte Größe des OpenAPI-Dokuments (akzeptiert Suffixe k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | nein | Validiert Abfrage-, Header-, Cookie- und Pfadparameter gegen die Spezifikation. |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | nein | Leerzeichengetrennte Liste von URL-Regexes zur Umgehung der OpenAPI-Validierung. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | nein | Maximal erlaubte Größe des OpenAPI-Dokuments (akzeptiert Suffixe k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | nein | Validiert Abfrage-, Header-, Cookie- und Pfadparameter gegen die Spezifikation. |
### Verhaltenshinweise
@ -4315,3 +4317,82 @@ Legen Sie die Mindestwerte pro geschütztem Dienst fest:
Erlauben Sie optional unbekannte Pfade während der Einführung:
- `OPENAPI_ALLOW_UNSPECIFIED=yes`
## Cache <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM-Unterstützung :x:
Das Cache-PRO-Plugin aktiviert das Caching von Antworten auf Reverse-Proxy-Ebene mithilfe der NGINX-Direktiven `proxy_cache*`. Es ist nützlich, um wiederholte Zugriffe auf cachebare Inhalte abzufangen, Upstreams bei Lastspitzen zu entlasten und bei kurzen Backend-Ausfällen veraltete Inhalte auszuliefern.
**Funktionsweise**
1. Jeder globale Wert `CACHE_PATH*` erzeugt eine `proxy_cache_path`-Direktive im HTTP-Kontext.
2. Ein Service verwendet den Cache nur dann, wenn `CACHE_ZONE` auf eine der in `CACHE_PATH*` definierten Zonen gesetzt ist.
3. Einstellungen auf Service-Ebene steuern anschließend Cache-Key, Bypass-/No-Cache-Bedingungen, Locking, Stale-Verhalten und Gültigkeitsregeln.
4. Wenn `CACHE_HEADER` gesetzt ist, fügt BunkerWeb einen Response-Header hinzu, der `$upstream_cache_status` wie `HIT`, `MISS`, `BYPASS`, `EXPIRED` oder `STALE` anzeigt.
**Liste der Funktionen**
- Reverse-Proxy-Response-Caching mit konfigurierbaren Cache-Pfaden und Zonen.
- Aktivierung des Caches pro Service über `CACHE_ZONE`.
- Optionaler Header zur Anzeige des Cache-Status mit `$upstream_cache_status`.
- Feingranulare Steuerung für Bypass, No-Cache, Schlüsselbildung, Methoden, Locking, Stale-Nutzung und Revalidierung.
- Mehrere Gültigkeitsregeln über wiederholte `CACHE_VALID*`-Einstellungen.
**Liste der Einstellungen**
| Einstellung | Standard | Kontext | Mehrfach | Beschreibung |
| --------------------------- | --------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------- |
| `CACHE_PATH` | | global | ja | Pfad und Parameter für einen Cache. |
| `CACHE_ZONE` | | multisite | nein | Name der zu verwendenden Cache-Zone (definiert in einer `CACHE_PATH`-Einstellung). |
| `CACHE_HEADER` | `X-Cache` | multisite | nein | Fügt einen Header hinzu, der den Cache-Status anzeigt. |
| `CACHE_BACKGROUND_UPDATE` | `no` | multisite | nein | Aktiviert oder deaktiviert die Aktualisierung des Caches im Hintergrund. |
| `CACHE_BYPASS` | | multisite | nein | Liste von Variablen, die den Cache umgehen. |
| `CACHE_NO_CACHE` | `$http_pragma$http_authorization` | multisite | nein | Speichert Antworten nicht im Cache, wenn Variablen gesetzt sind. |
| `CACHE_KEY` | `$scheme$proxy_host$request_uri` | multisite | nein | Schlüssel zur Identifizierung gecachter Elemente. |
| `CACHE_CONVERT_HEAD_TO_GET` | `yes` | multisite | nein | Konvertiert HEAD-Anfragen beim Caching zu GET. |
| `CACHE_LOCK` | `no` | multisite | nein | Sperrt konkurrierende Anfragen beim Befüllen des Caches. |
| `CACHE_LOCK_AGE` | `5s` | multisite | nein | Leitet Anfragen an den Upstream weiter, wenn der Cache so lange gesperrt ist. |
| `CACHE_LOCK_TIMEOUT` | `5s` | multisite | nein | Leitet Anfragen an den Upstream weiter, wenn die Sperre so lange anhält. |
| `CACHE_METHODS` | `GET HEAD` | multisite | nein | Cacht Antworten nur für diese HTTP-Methoden. |
| `CACHE_MIN_USES` | `1` | multisite | nein | Anzahl gleicher Anfragen, bevor die Antwort gecacht wird. |
| `CACHE_REVALIDATE` | `no` | multisite | nein | Revalidiert abgelaufene Einträge mit bedingten Upstream-Anfragen. |
| `CACHE_USE_STALE` | `off` | multisite | nein | Legt fest, wann veraltete Inhalte ausgeliefert werden dürfen. |
| `CACHE_VALID` | `10m` | multisite | ja | Definiert die Cache-Dauer optional mit einem oder mehreren Statuscodes. |
**Anwendungsbeispiel**
1. Definieren Sie einen globalen Cache-Pfad und eine Zone:
```yaml
CACHE_PATH: "/var/cache/bunkerweb/proxy levels=1:2 keys_zone=htmlcache:10m max_size=1g inactive=60m use_temp_path=off"
```
2. Aktivieren Sie den Reverse Proxy und verknüpfen Sie die Zone mit einem Service:
```yaml
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_HOST: "http://app:8080"
www.example.com_CACHE_ZONE: "htmlcache"
www.example.com_CACHE_HEADER: "X-Cache"
www.example.com_CACHE_VALID: "200 301 302 10m"
www.example.com_CACHE_VALID_1: "404 1m"
```
3. Fügen Sie bei Bedarf optionale Steuerungen hinzu:
```yaml
www.example.com_CACHE_BYPASS: "$cookie_nocache $arg_nocache"
www.example.com_CACHE_NO_CACHE: "$http_pragma $http_authorization"
www.example.com_CACHE_LOCK: "yes"
www.example.com_CACHE_BACKGROUND_UPDATE: "yes"
www.example.com_CACHE_USE_STALE: "error timeout updating http_500 http_502 http_503 http_504"
```
!!! info "Wichtiges Verhalten"
- Dieses Plugin gilt nur für Reverse-Proxy-Traffic. Direkt aus lokalen statischen Dateien oder über Stream-/TCP-Dienste ausgelieferte Inhalte werden nicht gecacht.
- `CACHE_ZONE` muss mit einer in `CACHE_PATH*` definierten Zone über `keys_zone=<name>:<größe>` übereinstimmen.
- Wenn `CACHE_ZONE` für einen Service leer ist, werden für diesen Service keine Cache-Direktiven angewendet.
- Verwenden Sie numerische Suffixe für wiederholte Werte wie `CACHE_PATH_1`, `CACHE_PATH_2`, `CACHE_VALID_1` und `CACHE_VALID_2`.
- Authentifizierter oder benutzerspezifischer Traffic sollte nicht gecacht werden, es sei denn, Ihr `CACHE_KEY` variiert ausdrücklich nach diesem Zustand.
- `CACHE_LOCK=yes` und `CACHE_BACKGROUND_UPDATE=yes` helfen, Lastspitzen auf dem Origin zu reduzieren.

127
docs/de/api.md
View file

@ -41,7 +41,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
services:
bunkerweb:
# Name, unter dem die Instanz im Scheduler erscheint
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Instanznamen korrekt setzen
@ -76,7 +76,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.8
image: bunkerity/bunkerweb-api:1.6.9
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -143,7 +143,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Linux"
@ -252,9 +252,9 @@ Mehr Details und Abwägungen: [https://limits.readthedocs.io/en/stable/strategie
### Laufzeit & Zeitzone
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------- | --------------------------------------------- |
| `TZ` | Zeitzone für API-Logs und zeitbasierte Claims (z. B. Biscuit-TTL-Auswertung und Log-Zeitstempel) | TZ-Datenbank-Name (z. B. `UTC`, `Europe/Paris`) | unset (Container-Default, meist UTC) |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------- | ------------------------------------------------------------------------------------------------ | ----------------------------------------------- | ------------------------------------ |
| `TZ` | Zeitzone für API-Logs und zeitbasierte Claims (z. B. Biscuit-TTL-Auswertung und Log-Zeitstempel) | TZ-Datenbank-Name (z. B. `UTC`, `Europe/Paris`) | unset (Container-Default, meist UTC) |
Docs oder Schema deaktivieren, indem die zugehörigen URLs auf `off|disabled|none|false|0` gesetzt werden. Setzen Sie `API_SSL_ENABLED=yes` mit `API_SSL_CERTFILE` und `API_SSL_KEYFILE`, um TLS direkt in der API zu terminieren. Beim Reverse-Proxy `API_FORWARDED_ALLOW_IPS` auf die Proxy-IPs setzen, damit Gunicorn `X-Forwarded-*` vertraut.
@ -262,83 +262,84 @@ Docs oder Schema deaktivieren, indem die zugehörigen URLs auf `off|disabled|non
#### Oberfläche & Docs
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------ | --------------------------- | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Pfade für Swagger, ReDoc und OpenAPI; auf `off/disabled/none/false/0` setzen zum Deaktivieren | Pfad oder `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Mount-Prefix bei Reverse Proxy | Pfad (z. B. `/api`) | leer |
| `API_FORWARDED_ALLOW_IPS` | Vertrauenswürdige Proxy-IPs für `X-Forwarded-*` | Kommagetrennte IPs/CIDRs | `127.0.0.1,::1` (Package-Default) |
| `API_PROXY_ALLOW_IPS` | Vertrauenswürdige Proxy-IPs für PROXY-Protokoll | Kommagetrennte IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------- | ------------------------ | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Pfade für Swagger, ReDoc und OpenAPI; auf `off/disabled/none/false/0` setzen zum Deaktivieren | Pfad oder `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Mount-Prefix bei Reverse Proxy | Pfad (z. B. `/api`) | leer |
| `API_FORWARDED_ALLOW_IPS` | Vertrauenswürdige Proxy-IPs für `X-Forwarded-*` | Kommagetrennte IPs/CIDRs | `127.0.0.1,::1` (Package-Default) |
| `API_PROXY_ALLOW_IPS` | Vertrauenswürdige Proxy-IPs für PROXY-Protokoll | Kommagetrennte IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
#### Auth, ACL, Biscuit
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------ | ------------------------ |
| `API_USERNAME`, `API_PASSWORD` | Bootstrap-Admin-Nutzer | Strings; starkes Passwort außerhalb Debug erforderlich | unset |
| `OVERRIDE_API_CREDS` | Admin-Creds beim Start erneut anwenden | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Admin-Override-Bearer-Token | Opaquer String | unset |
| `API_ACL_BOOTSTRAP_FILE` | Pfad zu JSON für Nutzer/Berechtigungen | Dateipfad oder gemountetes `/var/lib/bunkerweb/api_acl_bootstrap.json` | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Biscuit-Schlüssel (Hex), falls keine Dateien | Hex-Strings | auto-generiert/persistent |
| `API_BISCUIT_TTL_SECONDS` | Token-Lebensdauer; `0/off` deaktiviert Ablauf | Integer Sekunden oder `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Biscuit an Client-IP binden (außer private) | `yes/no/on/off/true/false/0/1` | `yes` |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------------------- | --------------------------------------------- | ---------------------------------------------------------------------- | ------------------------- |
| `API_USERNAME`, `API_PASSWORD` | Bootstrap-Admin-Nutzer | Strings; starkes Passwort außerhalb Debug erforderlich | unset |
| `OVERRIDE_API_CREDS` | Admin-Creds beim Start erneut anwenden | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Admin-Override-Bearer-Token | Opaquer String | unset |
| `API_ACL_BOOTSTRAP_FILE` | Pfad zu JSON für Nutzer/Berechtigungen | Dateipfad oder gemountetes `/var/lib/bunkerweb/api_acl_bootstrap.json` | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Biscuit-Schlüssel (Hex), falls keine Dateien | Hex-Strings | auto-generiert/persistent |
| `API_BISCUIT_TTL_SECONDS` | Token-Lebensdauer; `0/off` deaktiviert Ablauf | Integer Sekunden oder `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Biscuit an Client-IP binden (außer private) | `yes/no/on/off/true/false/0/1` | `yes` |
#### Allowlist
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ----------------------- | ----------------------------------- | -------------------------------- | ----------------------- |
| `API_WHITELIST_ENABLED` | IP-Allowlist-Middleware umschalten | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | Leer- oder kommagetrennte IPs/CIDRs | IPs/CIDRs | RFC1918-Bereiche im Code |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ----------------------- | ----------------------------------- | ------------------------------ | ------------------------ |
| `API_WHITELIST_ENABLED` | IP-Allowlist-Middleware umschalten | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | Leer- oder kommagetrennte IPs/CIDRs | IPs/CIDRs | RFC1918-Bereiche im Code |
#### Ratenbegrenzung
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| -------------------------------- | ----------------------------------------------- | ----------------------------------------------------------- | -------------- |
| `API_RATE_LIMIT` | Globales Limit (NGINX-String) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | `/auth`-Limit (oder `off`) | wie oben oder `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Limiter aktivieren | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Rate-Limit-Header injizieren | wie oben | `yes` |
| `API_RATE_LIMIT_RULES` | Pfadregeln (CSV/JSON/YAML oder Dateipfad) | String oder Pfad | unset |
| `API_RATE_LIMIT_STRATEGY` | Algorithmus | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | Schlüssel-Selektion | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Limits für diese IPs/CIDRs überspringen | Leer- oder kommagetrennt | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON, das in die Storage-Konfig gemerged wird | JSON-String | unset |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| -------------------------------- | --------------------------------------------- | --------------------------------------------------------- | -------------- |
| `API_RATE_LIMIT` | Globales Limit (NGINX-String) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | `/auth`-Limit (oder `off`) | wie oben oder `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Limiter aktivieren | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Rate-Limit-Header injizieren | wie oben | `yes` |
| `API_RATE_LIMIT_RULES` | Pfadregeln (CSV/JSON/YAML oder Dateipfad) | String oder Pfad | unset |
| `API_RATE_LIMIT_STRATEGY` | Algorithmus | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | Schlüssel-Selektion | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Limits für diese IPs/CIDRs überspringen | Leer- oder kommagetrennt | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON, das in die Storage-Konfig gemerged wird | JSON-String | unset |
#### Redis/Valkey (für Rate Limits)
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ---------------------------------------------------- | ------------------------ | -------------------------------- | ------------------- |
| `USE_REDIS` | Redis-Backend aktivieren | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Verbindungsdetails | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Strings | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS und Verifizierung | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Integer | `1000` |
| `REDIS_KEEPALIVE_POOL` | Pool-Keepalive | Integer | `10` |
| `REDIS_SENTINEL_HOSTS` | Sentinel-Hosts | Leerzeichen-getrennte `host:port` | unset |
| `REDIS_SENTINEL_MASTER` | Sentinel-Mastername | String | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Sentinel-Auth | Strings | unset |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ---------------------------------------------------- | ------------------------ | --------------------------------- | ------------------ |
| `USE_REDIS` | Redis-Backend aktivieren | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Verbindungsdetails | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Strings | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS und Verifizierung | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Integer | `1000` |
| `REDIS_KEEPALIVE_POOL` | Pool-Keepalive | Integer | `10` |
| `REDIS_SENTINEL_HOSTS` | Sentinel-Hosts | Leerzeichen-getrennte `host:port` | unset |
| `REDIS_SENTINEL_MASTER` | Sentinel-Mastername | String | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Sentinel-Auth | Strings | unset |
!!! info "DB-Redis"
Wenn Redis/Valkey-Einstellungen in der BunkerWeb-Datenbank vorhanden sind, nutzt die API sie automatisch fürs Rate Limiting, auch ohne `USE_REDIS` in der Umgebung. Bei Bedarf per Umgebungsvariablen überschreiben.
#### Listener & TLS
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------------- | -------------------------------- | -------------------------------- | ------------------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Bind-Adresse/Port für Gunicorn | IP oder Hostname, int | `127.0.0.1`, `8888` (Package-Skript) |
| `API_SSL_ENABLED` | TLS in der API aktivieren | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | PEM-Zertifikat und -Schlüssel | Dateipfade | unset |
| `API_SSL_CA_CERTS` | Optionale CA/Chain | Dateipfad | unset |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------------- | ------------------------------ | ------------------------------ | ------------------------------------ |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Bind-Adresse/Port für Gunicorn | IP oder Hostname, int | `127.0.0.1`, `8888` (Package-Skript) |
| `API_SSL_ENABLED` | TLS in der API aktivieren | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | PEM-Zertifikat und -Schlüssel | Dateipfade | unset |
| `API_SSL_CA_CERTS` | Optionale CA/Chain | Dateipfad | unset |
#### Logging & Laufzeit (Package-Defaults)
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------------- | ------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Basis-Log-Level / Override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Ziele | Leerzeichen-getrennt `stderr`/`file`/`syslog` | `stderr` |
| `LOG_FILE_PATH` | Log-Dateipfad (bei `LOG_TYPES` mit `file` oder `CAPTURE_OUTPUT=yes` genutzt) | Dateipfad | `/var/log/bunkerweb/api.log`, falls file/capture aktiv, sonst unset |
| `LOG_SYSLOG_ADDRESS` | Syslog-Ziel (`udp://host:514`, `tcp://host:514`, Socket) | Host:Port, Protokoll-präfixter Host oder Socket | unset |
| `LOG_SYSLOG_TAG` | Syslog-Tag | String | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn-Worker/Threads | Integer oder unset für Auto | unset |
| `CAPTURE_OUTPUT` | Gunicorn stdout/stderr in die konfigurierten Handler umlenken | `yes` oder `no` | `no` |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Basis-Log-Level / Override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Ziele | Leerzeichen-getrennt `stderr`/`file`/`syslog` | `stderr` |
| `LOG_FILE_PATH` | Log-Dateipfad (bei `LOG_TYPES` mit `file` oder `CAPTURE_OUTPUT=yes` genutzt) | Dateipfad | `/var/log/bunkerweb/api.log`, falls file/capture aktiv, sonst unset |
| `LOG_SYSLOG_ADDRESS` | Syslog-Ziel (`udp://host:514`, `tcp://host:514`, Socket) | Host:Port, Protokoll-präfixter Host oder Socket | unset |
| `LOG_SYSLOG_TAG` | Syslog-Tag | String | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn-Worker/Threads | Integer oder unset für Auto | unset |
| `MAX_REQUESTS` | Anfragen vor Gunicorn-Worker-Recycling (verhindert Speicherbloat) | Integer | `1000` |
| `CAPTURE_OUTPUT` | Gunicorn stdout/stderr in die konfigurierten Handler umlenken | `yes` oder `no` | `no` |
## API-Fläche (Capabilities)

4
docs/de/concepts.md
View file

@ -105,7 +105,7 @@ Bitte beachten Sie, dass der Multisite-Modus bei Verwendung der Web-Benutzerober
!!! info "Weiterführende Informationen"
Konkrete Beispiele für den Multisite-Modus finden Sie in den [fortgeschrittenen Nutzungen](advanced.md) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)-Verzeichnis des Repositorys.
Konkrete Beispiele für den Multisite-Modus finden Sie in den [fortgeschrittenen Nutzungen](advanced.md) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)-Verzeichnis des Repositorys.
## Benutzerdefinierte Konfigurationen {#custom-configurations}
@ -126,7 +126,7 @@ Die Verwaltung benutzerdefinierter Konfigurationen über die Web-Benutzeroberfl
!!! info "Weiterführende Informationen"
Konkrete Beispiele für benutzerdefinierte Konfigurationen finden Sie in den [fortgeschrittenen Nutzungen](advanced.md#custom-configurations) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)-Verzeichnis des Repositorys.
Konkrete Beispiele für benutzerdefinierte Konfigurationen finden Sie in den [fortgeschrittenen Nutzungen](advanced.md#custom-configurations) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)-Verzeichnis des Repositorys.
## Datenbank

904
docs/de/features.md
View file

File diff suppressed because it is too large Load diff

132
docs/de/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Standardmäßig stellt der Container Folgendes bereit:
@ -1284,7 +1284,7 @@ Ein benanntes Volume (oder Bind-Mount) ist erforderlich, um die unter `/data` ge
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
volumes:
- bw-storage:/data
...
@ -1361,7 +1361,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Empfohlen (hinter BunkerWeb) — veröffentlichen Sie `8888` nicht; verwenden Sie stattdessen einen Reverse-Proxy:
@ -1369,7 +1369,7 @@ Empfohlen (hinter BunkerWeb) — veröffentlichen Sie `8888` nicht; verwenden Si
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1441,7 +1441,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8```
bunkerity/bunkerweb-all-in-one:1.6.9```
* Wenn `USE_CROWDSEC=yes`, wird das Einstiegsskript:
@ -1495,7 +1495,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
!!! info "Wie es intern funktioniert"
@ -1517,7 +1517,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Hinweise:
@ -1553,7 +1553,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* Die **lokale Registrierung** wird übersprungen, wenn `CROWDSEC_API` nicht `127.0.0.1` oder `localhost` ist.
@ -1585,13 +1585,13 @@ Um Ihre Docker-Bereitstellung zu erleichtern, stellen wir auf [Docker Hub](https
Durch den Zugriff auf diese vorgefertigten Images von Docker Hub können Sie BunkerWeb schnell in Ihrer Docker-Umgebung ziehen und ausführen, wodurch umfangreiche Konfigurations- oder Einrichtungsprozesse entfallen. Dieser optimierte Ansatz ermöglicht es Ihnen, sich auf die Nutzung der Funktionen von BunkerWeb zu konzentrieren, ohne unnötige Komplexität.
```shell
docker pull bunkerity/bunkerweb:1.6.8
docker pull bunkerity/bunkerweb:1.6.9
```
Docker-Images sind auch auf [GitHub-Paketen](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) verfügbar und können über die Repository-Adresse `ghcr.io` heruntergeladen werden:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.8
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
```
Schlüsselkonzepte für die Docker-Integration sind:
@ -1601,7 +1601,7 @@ Schlüsselkonzepte für die Docker-Integration sind:
- **Netzwerke**: Docker-Netzwerke spielen eine wichtige Rolle bei der Integration von BunkerWeb. Diese Netzwerke dienen zwei Hauptzwecken: dem Bereitstellen von Ports für Clients und dem Verbinden mit Upstream-Webdiensten. Durch das Bereitstellen von Ports kann BunkerWeb eingehende Anfragen von Clients annehmen und ihnen den Zugriff auf die geschützten Webdienste ermöglichen. Darüber hinaus kann BunkerWeb durch die Verbindung mit Upstream-Webdiensten den Datenverkehr effizient weiterleiten und verwalten und so eine verbesserte Sicherheit und Leistung bieten.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie SQLite als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Es werden jedoch auch andere Datenbank-Backends unterstützt. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie SQLite als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Es werden jedoch auch andere Datenbank-Backends unterstützt. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
### Umgebungsvariablen
@ -1611,7 +1611,7 @@ Einstellungen werden dem Scheduler über Docker-Umgebungsvariablen übergeben:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1655,7 +1655,7 @@ Dadurch wird sichergestellt, dass sensible Einstellungen aus der Umgebung und de
Der [Scheduler](concepts.md#scheduler) läuft in seinem eigenen Container, der auch auf Docker Hub verfügbar ist:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.8
docker pull bunkerity/bunkerweb-scheduler:1.6.9
```
!!! info "BunkerWeb-Einstellungen"
@ -1676,7 +1676,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
environment:
# Dies setzt die API-Einstellungen für den BunkerWeb-Container
<<: *bw-api-env
@ -1685,7 +1685,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
# Dies setzt die API-Einstellungen für den Scheduler-Container
<<: *bw-api-env
@ -1703,7 +1703,7 @@ Ein Volume wird benötigt, um die vom Scheduler verwendete SQLite-Datenbank und
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- bw-storage:/data
...
@ -1849,7 +1849,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1862,7 +1862,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Diese Einstellung ist obligatorisch, um die BunkerWeb-Instanz anzugeben
@ -1895,7 +1895,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1908,7 +1908,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
depends_on:
- bunkerweb
environment:
@ -1974,8 +1974,8 @@ Um zu beginnen, laden Sie das Installationsskript und seine Prüfsumme herunter
```bash
# Skript und Prüfsumme herunterladen
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Prüfsumme überprüfen
sha256sum -c install-bunkerweb.sh.sha256
@ -2034,7 +2034,7 @@ Für nicht-interaktive oder automatisierte Setups kann das Skript mit Befehlszei
| Option | Beschreibung |
| ----------------------- | ------------------------------------------------------------------------------------------- |
| `-v, --version VERSION` | Gibt die zu installierende BunkerWeb-Version an (z. B. `1.6.8`). |
| `-v, --version VERSION` | Gibt die zu installierende BunkerWeb-Version an (z. B. `1.6.9`). |
| `-w, --enable-wizard` | Aktiviert den Einrichtungsassistenten. |
| `-n, --no-wizard` | Deaktiviert den Einrichtungsassistenten. |
| `-y, --yes` | Führt im nicht-interaktiven Modus mit Standardantworten für alle Eingabeaufforderungen aus. |
@ -2099,7 +2099,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Eine bestimmte Version installieren
sudo ./install-bunkerweb.sh --version 1.6.8
sudo ./install-bunkerweb.sh --version 1.6.9
# Manager-Setup mit entfernten Worker-Instanzen (Instanzen erforderlich)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2207,7 +2207,7 @@ Abhängig von Ihren Entscheidungen während der Installation:
### Installation mit dem Paketmanager
Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie BunkerWeb installieren**. Für alle Distributionen außer Fedora ist es zwingend erforderlich, vorgefertigte Pakete aus dem [offiziellen NGINX-Repository](https://nginx.org/en/linux_packages.html) zu verwenden. Das Kompilieren von NGINX aus dem Quellcode oder die Verwendung von Paketen aus verschiedenen Repositories funktioniert nicht mit den offiziellen vorgefertigten Paketen von BunkerWeb. Sie haben jedoch die Möglichkeit, BunkerWeb aus dem Quellcode zu erstellen.
Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie BunkerWeb installieren**. Für alle Distributionen ist es zwingend erforderlich, vorgefertigte Pakete aus dem [offiziellen NGINX-Repository](https://nginx.org/en/linux_packages.html) zu verwenden. Das Kompilieren von NGINX aus dem Quellcode oder die Verwendung von Paketen aus verschiedenen Repositories funktioniert nicht mit den offiziellen vorgefertigten Paketen von BunkerWeb. Sie haben jedoch die Möglichkeit, BunkerWeb aus dem Quellcode zu erstellen.
=== "Debian Bookworm/Trixie"
@ -2243,12 +2243,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.8:
Und installieren Sie schließlich BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `apt upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2291,12 +2291,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.8:
Und installieren Sie schließlich BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `apt upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2314,10 +2314,10 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora stellt bereits NGINX 1.28.1 zur Verfügung, das wir unterstützen
Fedora stellt bereits NGINX 1.28.2 zur Verfügung, das wir unterstützen
```shell
sudo dnf install -y --allowerasing nginx-1.28.1
sudo dnf install -y --allowerasing nginx-1.28.2
```
!!! example "Einrichtungsassistenten deaktivieren"
@ -2327,12 +2327,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.8:
Und installieren Sie schließlich BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `dnf upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2377,12 +2377,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.8:
Und installieren Sie schließlich BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `dnf upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2474,7 +2474,7 @@ Durch die Übernahme dieses Ansatzes können Sie eine Echtzeit-Rekonfiguration v
Die Docker Autoconf-Integration impliziert die Verwendung des **Multisite-Modus**. Weitere Informationen finden Sie im [Multisite-Abschnitt](concepts.md#multisite-mode) der Dokumentation.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Um automatisierte Konfigurationsupdates zu ermöglichen, fügen Sie einen zusätzlichen Container namens `bw-autoconf` zum Stack hinzu. Dieser Container hostet den Autoconf-Dienst, der dynamische Konfigurationsänderungen für BunkerWeb verwaltet.
@ -2488,7 +2488,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2503,7 +2503,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # Wir müssen die BunkerWeb-Instanz hier nicht angeben, da sie automatisch vom Autoconf-Dienst erkannt werden
@ -2518,7 +2518,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2701,13 +2701,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Setzen Sie den Namespace für die BunkerWeb-Instanz, damit der Autoconf-Dienst sie erkennen kann
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Lauschen Sie nur auf diese Namespaces
@ -2742,7 +2742,9 @@ für benutzerdefinierte Konfigurationen.
Wenn Sie die Kubernetes Gateway API verwenden, setzen Sie `KUBERNETES_MODE=yes` und `KUBERNETES_GATEWAY_MODE=yes`.
Der Controller überwacht `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute` und `UDPRoute` statt `Ingress`-Objekten. Optional können Sie die Auswahl mit `KUBERNETES_GATEWAY_CLASS` einschränken und die API-Version mit `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` oder `v1alpha1`) festlegen.
Der Controller überwacht `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute` und `UDPRoute` statt `Ingress`-Objekten. Optional können Sie die Auswahl mit `KUBERNETES_GATEWAY_CLASS` einschränken und die API-Version mit `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` oder `v1alpha1`) festlegen.
Die Unterstützung für `GRPCRoute` ist in BunkerWeb derzeit **experimentell**.
Wenn Ihr Service nicht `bunkerweb` heißt, setzen Sie `BUNKERWEB_SERVICE_NAME`, damit das Status-Patching den richtigen Service verwendet.
@ -2757,7 +2759,7 @@ Für eine optimale Einrichtung wird empfohlen, BunkerWeb als **[DaemonSet](https
Angesichts des Vorhandenseins mehrerer BunkerWeb-Instanzen ist es erforderlich, einen gemeinsamen Datenspeicher zu implementieren, der als [Redis](https://redis.io/)- oder [Valkey](https://valkey.io/)-Dienst realisiert wird. Dieser Dienst wird von den Instanzen genutzt, um Daten zwischen ihnen zu cachen und zu teilen. Weitere Informationen zu den Redis/Valkey-Einstellungen finden Sie [hier](features.md#redis).
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Die Einrichtung von geclusterten Datenbank-Backends liegt außerhalb des Geltungsbereichs dieser Dokumentation.
@ -2872,7 +2874,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.8"
tag: "1.6.9"
```
2. For each sidecar, add:
@ -2965,7 +2967,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.8"
tag: "1.6.9"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3009,7 +3011,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3280,7 +3282,7 @@ To add a new application protected by BunkerWeb:
#### Vollständige YAML-Dateien
Anstatt das Helm-Chart zu verwenden, können Sie auch die YAML-Vorlagen im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) des GitHub-Repositorys verwenden. Bitte beachten Sie, dass wir dringend empfehlen, stattdessen das Helm-Chart zu verwenden.
Anstatt das Helm-Chart zu verwenden, können Sie auch die YAML-Vorlagen im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des GitHub-Repositorys verwenden. Bitte beachten Sie, dass wir dringend empfehlen, stattdessen das Helm-Chart zu verwenden.
### Ingress-Ressourcen
@ -3326,28 +3328,28 @@ spec:
### Gateway-Ressourcen
Wenn der Gateway-API-Modus aktiviert ist, können Sie `Gateway`-, `HTTPRoute`-, `TLSRoute`-, `TCPRoute`- und `UDPRoute`-Ressourcen deklarieren.
BunkerWeb-Einstellungen werden als `bunkerweb.io/<SETTING>`-Annotationen an der `HTTPRoute` angegeben; um eine Einstellung
Wenn der Gateway-API-Modus aktiviert ist, können Sie `Gateway`-, `HTTPRoute`-, `GRPCRoute`-, `TLSRoute`-, `TCPRoute`- und `UDPRoute`-Ressourcen deklarieren.
BunkerWeb-Einstellungen werden als `bunkerweb.io/<SETTING>`-Annotationen an der `HTTPRoute`/`GRPCRoute` angegeben; um eine Einstellung
auf einen Host zu begrenzen, verwenden Sie `bunkerweb.io/<hostname>_<SETTING>`. Das Feld `hostnames` steuert die Servernamen. Für `TCPRoute`/`UDPRoute` (und `TLSRoute` ohne `hostnames`) erzeugt BunkerWeb einen Servernamen wie `<route>.<namespace>.<protocol>`. Siehe [Gateway-Klasse](#gateway-class).
Annotationen auf dem `Gateway` gelten für alle daran angehängten Routen, während Annotationen auf einer `HTTPRoute` nur für diese Route gelten.
Annotationen auf dem `Gateway` gelten für alle daran angehängten Routen, während Annotationen auf einer `HTTPRoute`/`GRPCRoute` nur für diese Route gelten.
Sie können Gateway-Annotationen weiterhin auf einen bestimmten Servernamen einschränken, indem Sie `bunkerweb.io/<hostname>_<SETTING>` verwenden; sie werden nur angewendet, wenn diese Route bzw. dieser Servername existiert.
#### Unterstützte Ressourcen
- Ressourcen: `HTTPRoute`, `TLSRoute`, `TCPRoute` und `UDPRoute` (keine `GRPCRoute`).
- Ressourcen: `HTTPRoute`, `GRPCRoute` (experimentell), `TLSRoute`, `TCPRoute` und `UDPRoute`.
- Regeln: Für `TLSRoute`, `TCPRoute` und `UDPRoute` wird nur die erste Regel verwendet.
- Backends: nur `Service`, erste `backendRef` pro Regel.
#### Protokolle und TLS
- Listener-Protokolle: `HTTP`/`HTTPS` für `HTTPRoute`, `TLS` für `TLSRoute`, `TCP` für `TCPRoute` und `UDP` für `UDPRoute`.
- Listener-Protokolle: `HTTP`/`HTTPS` für `HTTPRoute` und `GRPCRoute`, `TLS` für `TLSRoute`, `TCP` für `TCPRoute` und `UDP` für `UDPRoute`.
- TLS: Zertifikate über Listener-`certificateRefs` mit `HTTPS` oder `TLS` + `mode: Terminate` (Passthrough wird für die Terminierung nicht unterstützt). `TLSRoute` läuft im Stream-Modus.
!!! tip "Servername für Stream-Routen"
Für `TLSRoute`, `TCPRoute` und `UDPRoute` können Sie den generierten Servernamen überschreiben, indem Sie `bunkerweb.io/SERVER_NAME` an der Route setzen.
!!! note "Experimental Channel für Stream-Routen"
Wenn Sie `TLSRoute`, `TCPRoute` oder `UDPRoute` verwenden möchten, installieren Sie die Experimental-Channel-CRDs: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! note "Experimental Channel für erweiterte Routen"
Wenn Sie `GRPCRoute`, `TLSRoute`, `TCPRoute` oder `UDPRoute` verwenden möchten, installieren Sie die Experimental-Channel-CRDs: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! info "TLS-Unterstützung"
Die TLS-Terminierung erfolgt über die `Gateway`-Listener und deren `certificateRefs` (TLS-Secrets) für `HTTPRoute` mit `HTTPS` oder `TLS` + `mode: Terminate`. `TLSRoute` läuft im Stream-Modus.
@ -3428,7 +3430,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3602,11 +3604,11 @@ service:
# BunkerWeb-Einstellungen
bunkerweb:
tag: 1.6.8
tag: 1.6.9
# Scheduler-Einstellungen
scheduler:
tag: 1.6.8
tag: 1.6.9
extraEnvs:
# Aktivieren Sie das Real-IP-Modul, um die echte IP der Clients zu erhalten
- name: USE_REAL_IP
@ -3614,11 +3616,11 @@ scheduler:
# Controller-Einstellungen
controller:
tag: 1.6.8
tag: 1.6.9
# UI-Einstellungen
ui:
tag: 1.6.8
tag: 1.6.9
```
Installieren Sie BunkerWeb mit benutzerdefinierten Werten:
@ -4240,7 +4242,7 @@ Da mehrere Instanzen von BunkerWeb ausgeführt werden, muss ein gemeinsamer Date
Was das Datenbank-Volume betrifft, so gibt die Dokumentation keinen spezifischen Ansatz vor. Die Wahl eines freigegebenen Ordners oder eines bestimmten Treibers für das Datenbank-Volume hängt von Ihrem einzigartigen Anwendungsfall ab und bleibt dem Leser als Übung überlassen.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Die Einrichtung von geclusterten Datenbank-Backends liegt außerhalb des Geltungsbereichs dieser Dokumentation.
@ -4254,7 +4256,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -4283,7 +4285,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Obligatorisches Label für den Autoconf-Dienst, um die BunkerWeb-Instanz zu identifizieren
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # Wir müssen die BunkerWeb-Instanz hier nicht angeben, da sie automatisch vom Autoconf-Dienst erkannt werden
@ -4304,7 +4306,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Denken Sie daran, ein stärkeres Passwort für die Datenbank festzulegen
@ -4456,7 +4458,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
deploy:
mode: global
@ -4468,7 +4470,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Setzen Sie den Namespace für die BunkerWeb-Instanz
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
NAMESPACES: "my-namespace my-other-namespace" # Lauschen Sie nur auf diese Namespaces
...

28
docs/de/plugins.md
View file

@ -8,12 +8,12 @@ Hier ist die Liste der "offiziellen" Plugins, die wir pflegen (weitere Informati
| Name | Version | Beschreibung | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.9 | Scannt hochgeladene Dateien automatisch mit der ClamAV-Antiviren-Engine und lehnt die Anfrage ab, wenn eine Datei als bösartig erkannt wird. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.9 | Überprüft Anfragen mit der Coraza WAF (Alternative zu ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.9 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen Discord-Kanal. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.9 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen Slack-Kanal. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.9 | Scannt hochgeladene Dateien automatisch mit der VirusTotal-API und lehnt die Anfrage ab, wenn eine Datei als bösartig erkannt wird. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen benutzerdefinierten HTTP-Endpunkt. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.10 | Scannt hochgeladene Dateien automatisch mit der ClamAV-Antiviren-Engine und lehnt die Anfrage ab, wenn eine Datei als bösartig erkannt wird. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.10 | Überprüft Anfragen mit der Coraza WAF (Alternative zu ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.10 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen Discord-Kanal. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.10 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen Slack-Kanal. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.10 | Scannt hochgeladene Dateien automatisch mit der VirusTotal-API und lehnt die Anfrage ab, wenn eine Datei als bösartig erkannt wird. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.10 | Sendet Sicherheitsbenachrichtigungen über einen Webhook an einen benutzerdefinierten HTTP-Endpunkt. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## Wie man ein Plugin verwendet
@ -21,7 +21,7 @@ Hier ist die Liste der "offiziellen" Plugins, die wir pflegen (weitere Informati
Wenn Sie externe Plugins schnell installieren möchten, können Sie die Einstellung `EXTERNAL_PLUGIN_URLS` verwenden. Sie akzeptiert eine durch Leerzeichen getrennte Liste von URLs, die jeweils auf ein komprimiertes (zip-Format) Archiv mit einem oder mehreren Plugins verweisen.
Sie können den folgenden Wert verwenden, wenn Sie die offiziellen Plugins automatisch installieren möchten: `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.9.zip`
Sie können den folgenden Wert verwenden, wenn Sie die offiziellen Plugins automatisch installieren möchten: `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.10.zip`
### Manuell
@ -89,7 +89,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -124,7 +124,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -167,7 +167,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -214,7 +214,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -254,7 +254,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
!!! tip "Bestehende Plugins"
Wenn die Dokumentation nicht ausreicht, können Sie sich den bestehenden Quellcode der [offiziellen Plugins](https://github.com/bunkerity/bunkerweb-plugins) und der [Kern-Plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/common/core) ansehen (bereits in BunkerWeb enthalten, aber technisch gesehen sind es Plugins).
Wenn die Dokumentation nicht ausreicht, können Sie sich den bestehenden Quellcode der [offiziellen Plugins](https://github.com/bunkerity/bunkerweb-plugins) und der [Kern-Plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) ansehen (bereits in BunkerWeb enthalten, aber technisch gesehen sind es Plugins).
Wie eine Plugin-Struktur aussieht:
```
@ -478,7 +478,7 @@ Die deklarierten Funktionen werden automatisch in bestimmten Kontexten aufgerufe
#### Bibliotheken
Alle Direktiven aus dem [NGINX LUA-Modul](https://github.com/openresty/lua-nginx-module) und dem [NGINX Stream LUA-Modul](https://github.com/openresty/stream-lua-nginx-module) sind verfügbar. Darüber hinaus können Sie die in BunkerWeb enthaltenen LUA-Bibliotheken verwenden: siehe [dieses Skript](https://github.com/bunkerity/bunkerweb/blob/v1.6.8/src/deps/clone.sh) für die vollständige Liste.
Alle Direktiven aus dem [NGINX LUA-Modul](https://github.com/openresty/lua-nginx-module) und dem [NGINX Stream LUA-Modul](https://github.com/openresty/stream-lua-nginx-module) sind verfügbar. Darüber hinaus können Sie die in BunkerWeb enthaltenen LUA-Bibliotheken verwenden: siehe [dieses Skript](https://github.com/bunkerity/bunkerweb/blob/v1.6.9/src/deps/clone.sh) für die vollständige Liste.
Wenn Sie zusätzliche Bibliotheken benötigen, können Sie diese in den Stammordner des Plugins legen und darauf zugreifen, indem Sie ihnen Ihre Plugin-ID voranstellen. Hier ist ein Beispiel für eine Datei namens **mylibrary.lua**:
@ -559,7 +559,7 @@ end
!!! tip "Weitere Beispiele"
Wenn Sie die vollständige Liste der verfügbaren Funktionen sehen möchten, können Sie sich die Dateien im [lua-Verzeichnis](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/bw/lua/bunkerweb) des Repositorys ansehen.
Wenn Sie die vollständige Liste der verfügbaren Funktionen sehen möchten, können Sie sich die Dateien im [lua-Verzeichnis](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) des Repositorys ansehen.
### Jobs

34
docs/de/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Diese Schnellstart-Anleitung hilft Ihnen, BunkerWeb schnell zu installieren und
Der Schutz bestehender Webanwendungen, die bereits über das HTTP(S)-Protokoll erreichbar sind, ist das Hauptziel von BunkerWeb: Es fungiert als klassischer [Reverse-Proxy](https://de.wikipedia.org/wiki/Reverse_Proxy) mit zusätzlichen Sicherheitsfunktionen.
Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) des Repositorys finden Sie Beispiele aus der Praxis.
Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) des Repositorys finden Sie Beispiele aus der Praxis.
## Grundlegende Einrichtung
@ -33,7 +33,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Standardmäßig stellt der Container Folgendes bereit:
@ -51,8 +51,8 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
```bash
# Laden Sie das Skript und seine Prüfsumme herunter
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Überprüfen Sie die Prüfsumme
sha256sum -c install-bunkerweb.sh.sha256
@ -90,7 +90,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
services:
bunkerweb:
# Dies ist der Name, der zur Identifizierung der Instanz im Scheduler verwendet wird
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +103,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Stellen Sie sicher, dass Sie den richtigen Instanznamen festlegen
@ -120,7 +120,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
restart: "unless-stopped"
@ -187,7 +187,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +203,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +221,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bw-docker
environment:
@ -244,7 +244,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Denken Sie daran, einen stärkeren geheimen Schlüssel festzulegen (siehe Abschnitt Voraussetzungen)
@ -339,7 +339,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -369,7 +369,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +387,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +416,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Denken Sie daran, einen stärkeren geheimen Schlüssel festzulegen (siehe Abschnitt Voraussetzungen)
@ -637,7 +637,7 @@ Sie können sich nun mit dem während des Einrichtungsassistenten erstellten Adm
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Fügen Sie alle anderen vorhandenen Umgebungsvariablen für UI, Redis, CrowdSec usw. hinzu ---
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ihr Anwendungscontainer (`myapp`) und der `bunkerweb-aio`-Container müssen sich im selben Docker-Netzwerk befinden, damit BunkerWeb ihn über den Hostnamen `myapp` erreichen kann.
@ -659,7 +659,7 @@ Sie können sich nun mit dem während des Einrichtungsassistenten erstellten Adm
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (alle anderen relevanten Umgebungsvariablen wie im Hauptbeispiel oben gezeigt) ...
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Stellen Sie sicher, dass Sie `myapp` durch den tatsächlichen Namen oder die IP Ihres Anwendungscontainers und `http://myapp:8080` durch dessen korrekte Adresse und Port ersetzen.

36
docs/de/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -137,20 +137,20 @@
Beispiele:
```bash
# Interaktiv auf 1.6.8 aktualisieren (fragt nach Sicherung)
sudo ./install-bunkerweb.sh --version 1.6.8
# Interaktiv auf 1.6.9 aktualisieren (fragt nach Sicherung)
sudo ./install-bunkerweb.sh --version 1.6.9
# Nicht-interaktives Upgrade mit automatischer Sicherung in ein benutzerdefiniertes Verzeichnis
sudo ./install-bunkerweb.sh -v 1.6.8 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
# Stilles unbeaufsichtigtes Upgrade (Protokolle unterdrückt) verlässt sich auf die standardmäßige automatische Sicherung
sudo ./install-bunkerweb.sh -v 1.6.8 -y -q
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
# Einen Probelauf (Plan) durchführen, ohne Änderungen anzuwenden
sudo ./install-bunkerweb.sh -v 1.6.8 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
# Upgrade unter Überspringen der automatischen Sicherung (NICHT empfohlen)
sudo ./install-bunkerweb.sh -v 1.6.8 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
```
!!! warning "Überspringen von Sicherungen"
@ -230,7 +230,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `apt upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -256,7 +256,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `dnf upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -653,16 +653,16 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -697,7 +697,7 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `apt upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -723,7 +723,7 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `dnf upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:

42
docs/de/web-ui.md
View file

@ -35,7 +35,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
Verwenden Sie die veröffentlichten Images und das Layout aus dem [Quickstart-Guide](quickstart-guide.md#__tabbed_1_3). Stack starten, dann den Wizard im Browser abschließen.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.8-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
```
Öffnen Sie den Scheduler-Host (z.B. `https://www.example.com/changeme`) und führen Sie den `/setup`-Wizard aus, um UI, Scheduler und Instanz zu konfigurieren.
@ -52,7 +52,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -185,14 +185,14 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
### Listener & TLS
| Setting | Beschreibung | Erlaubte Werte | Standard |
| ----------------------------------- | --------------------------------------------- | -------------------------------------- | ---------------------------------------- |
| `UI_LISTEN_ADDR` | Bind-Adresse der UI | IP oder Hostname | `0.0.0.0` (Docker) / `127.0.0.1` (Paket) |
| `UI_LISTEN_PORT` | Bind-Port der UI | Integer | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Fallbacks, falls UI-Variablen fehlen | IP/Hostname, Integer | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | TLS in der UI aktivieren | `yes` oder `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | PEM-Zertifikat/Key bei TLS | Dateipfade | unset |
| `UI_SSL_CA_CERTS` | Optionale CA/Chain | Dateipfad | unset |
| Setting | Beschreibung | Erlaubte Werte | Standard |
| ----------------------------------- | --------------------------------------------- | -------------------------------------- | ----------------------------------------------------- |
| `UI_LISTEN_ADDR` | Bind-Adresse der UI | IP oder Hostname | `0.0.0.0` (Docker) / `127.0.0.1` (Paket) |
| `UI_LISTEN_PORT` | Bind-Port der UI | Integer | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Fallbacks, falls UI-Variablen fehlen | IP/Hostname, Integer | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | TLS in der UI aktivieren | `yes` oder `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | PEM-Zertifikat/Key bei TLS | Dateipfade | unset |
| `UI_SSL_CA_CERTS` | Optionale CA/Chain | Dateipfad | unset |
| `UI_FORWARDED_ALLOW_IPS` | Vertrauenswürdige Proxies für `X-Forwarded-*` | IPs/CIDRs (Leer- oder Komma-separiert) | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | Vertrauenswürdige Proxies für PROXY-Protokoll | IPs/CIDRs (Leer- oder Komma-separiert) | `FORWARDED_ALLOW_IPS` |
@ -223,14 +223,16 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
### Sonstiges Runtime
| Setting | Beschreibung | Erlaubte Werte | Standard |
| ------------------------------- | ------------------------------------------- | --------------- | ------------------------------------ |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn-Worker/Threads | Integer | `cpu_count()-1` (min 1), `workers*2` |
| `ENABLE_HEALTHCHECK` | `GET /healthcheck` bereitstellen | `yes` oder `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias für Proxy-Allowlist | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias für PROXY-Allowlist | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Test-Reloads beim Push skippen | `yes` oder `no` | `no` |
| `IGNORE_REGEX_CHECK` | Regex-Validierung der Settings überspringen | `yes` oder `no` | `no` |
| Setting | Beschreibung | Erlaubte Werte | Standard |
| ------------------------------- | ----------------------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn-Worker/Threads | Integer | `cpu_count()-1` (min 1), `workers*2` |
| `MAX_REQUESTS` | Anfragen vor Gunicorn-Worker-Recycling (verhindert Speicherbloat) | Integer | `1000` |
| `ENABLE_HEALTHCHECK` | `GET /healthcheck` bereitstellen | `yes` oder `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias für Proxy-Allowlist | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias für PROXY-Allowlist | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Test-Reloads beim Push skippen | `yes` oder `no` | `no` |
| `IGNORE_REGEX_CHECK` | Regex-Validierung der Settings überspringen | `yes` oder `no` | `no` |
| `MAX_CONTENT_LENGTH` | Maximale Upload-Größe (Flask `MAX_CONTENT_LENGTH`) | Größe mit Einheit (`50M`, `1G`, `52428800`) | `50MB` |
## Log-Zugriff

207
docs/es/advanced.md
View file

@ -1,8 +1,8 @@
# Usos avanzados
Muchos ejemplos de casos de uso del mundo real están disponibles en la carpeta [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) del repositorio de GitHub.
Muchos ejemplos de casos de uso del mundo real están disponibles en la carpeta [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio de GitHub.
También proporcionamos numerosos boilerplates, como archivos YAML para diversas integraciones y tipos de bases de datos. Estos están disponibles en la carpeta [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations).
También proporcionamos numerosos boilerplates, como archivos YAML para diversas integraciones y tipos de bases de datos. Estos están disponibles en la carpeta [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations).
Esta sección solo se enfoca en usos avanzados y ajustes de seguridad, consulta la [sección de características](features.md) de la documentación para ver todas las configuraciones disponibles.
@ -85,7 +85,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ten en cuenta que si tu contenedor ya está creado, necesitarás eliminarlo y recrearlo para que se actualicen las nuevas variables de entorno.
@ -96,7 +96,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -104,7 +104,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -121,7 +121,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -129,7 +129,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -176,7 +176,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -184,7 +184,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -249,7 +249,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ten en cuenta que si tu contenedor ya está creado, necesitarás eliminarlo y recrearlo para que se actualicen las nuevas variables de entorno.
@ -260,7 +260,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -270,7 +270,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -288,7 +288,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -298,7 +298,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -350,7 +350,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -360,7 +360,7 @@ Encontrarás más configuraciones sobre la IP real en la [sección de caracterí
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -485,8 +485,8 @@ El Manager es el cerebro del clúster. Ejecuta el Scheduler, la base de datos y,
```bash
# Descargar script y checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verificar checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -585,7 +585,7 @@ El Manager es el cerebro del clúster. Ejecuta el Scheduler, la base de datos y,
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: \"192.168.1.11 192.168.1.12\" # Sustituye por las IP de tus workers
@ -604,7 +604,7 @@ El Manager es el cerebro del clúster. Ejecuta el Scheduler, la base de datos y,
- bw-redis
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
ports:
- \"7000:7000\" # Exponer el puerto de la UI
environment:
@ -687,7 +687,7 @@ Los workers son los nodos que procesan el tráfico entrante.
```yaml title="docker-compose.yml"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- \"80:8080/tcp\"
- \"443:8443/tcp\"
@ -992,7 +992,7 @@ Para habilitar systemd-resolved como tu resolutor de DNS en BunkerWeb, establece
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1020,7 +1020,7 @@ Para habilitar systemd-resolved como tu resolutor de DNS en BunkerWeb, establece
- bw-dns
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1031,7 +1031,7 @@ Para habilitar systemd-resolved como tu resolutor de DNS en BunkerWeb, establece
- bw-dns
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1145,7 +1145,7 @@ Algunas integraciones proporcionan formas más convenientes de aplicar configura
}" \
-p 80:8080/tcp \
-p 443:8443/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ten en cuenta que si tu contenedor ya está creado, necesitarás eliminarlo y recrearlo para que se apliquen las nuevas variables de entorno.
@ -1185,7 +1185,7 @@ Algunas integraciones proporcionan formas más convenientes de aplicar configura
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1208,7 +1208,7 @@ Algunas integraciones proporcionan formas más convenientes de aplicar configura
```yaml
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1251,7 +1251,7 @@ Algunas integraciones proporcionan formas más convenientes de aplicar configura
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1321,7 +1321,7 @@ Algunas integraciones proporcionan formas más convenientes de aplicar configura
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1552,7 +1552,7 @@ Para obtener una lista completa de las configuraciones relacionadas con el modo
-p 443:8443/udp \
-p 10000:10000/tcp \
-p 20000:20000/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ten en cuenta que si tu contenedor ya está creado, necesitarás eliminarlo y recrearlo para que se apliquen las nuevas variables de entorno.
@ -1575,7 +1575,7 @@ Para obtener una lista completa de las configuraciones relacionadas con el modo
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Mantenlo si quieres usar la automatización de Let's Encrypt al usar el tipo de desafío http
- "10000:10000" # app1
@ -1590,7 +1590,7 @@ Para obtener una lista completa de las configuraciones relacionadas con el modo
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Esta configuración es obligatoria para especificar la instancia de BunkerWeb
@ -1641,7 +1641,7 @@ Para obtener una lista completa de las configuraciones relacionadas con el modo
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Mantenlo si quieres usar la automatización de Let's Encrypt cuando usas el tipo de desafío http
- "10000:10000" # app1
@ -1871,7 +1871,7 @@ Para obtener una lista completa de las configuraciones relacionadas con el modo
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
# Mantenlo si quieres usar la automatización de Let's Encrypt cuando usas el tipo de desafío http
- published: 80
@ -2001,7 +2001,7 @@ Se pueden usar las siguientes configuraciones:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Ten en cuenta que si tu contenedor ya está creado, necesitarás eliminarlo y recrearlo para que se apliquen las nuevas variables de entorno.
@ -2045,7 +2045,7 @@ Se pueden usar las siguientes configuraciones:
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2060,7 +2060,7 @@ Se pueden usar las siguientes configuraciones:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Esta configuración es obligatoria para especificar la instancia de BunkerWeb
@ -2154,7 +2154,7 @@ Se pueden usar las siguientes configuraciones:
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@ -2167,7 +2167,7 @@ Se pueden usar las siguientes configuraciones:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "" # No necesitamos especificar la instancia de BunkerWeb aquí, ya que son detectadas automáticamente por el servicio de autoconfiguración
@ -2182,7 +2182,7 @@ Se pueden usar las siguientes configuraciones:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2422,7 +2422,7 @@ Se pueden usar las siguientes configuraciones:
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
volumes:
- /shared/www:/var/www/html
...
@ -2521,7 +2521,7 @@ Por defecto, BunkerWeb solo escuchará en direcciones IPv4 y no usará IPv6 para
```yaml
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
USE_IPv6: "yes"
@ -2661,7 +2661,7 @@ LOG_LEVEL_1=error
services:
bunkerweb:
# Este es el nombre que se usará para identificar la instancia en el Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2674,7 +2674,7 @@ LOG_LEVEL_1=error
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrate de establecer el nombre correcto de la instancia
@ -2691,7 +2691,7 @@ LOG_LEVEL_1=error
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
volumes:
@ -2826,7 +2826,7 @@ Puede configurar el controlador de registro para sus servicios en su archivo `do
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
logging:
driver: "json-file"
options:
@ -2935,7 +2935,7 @@ Las variables habituales son:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Si el contenedor ya existe, recréalo para aplicar el nuevo entorno.
@ -2946,7 +2946,7 @@ Las variables habituales son:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -2965,7 +2965,7 @@ Las variables habituales son:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3008,7 +3008,7 @@ Las variables habituales son:
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3960,11 +3960,11 @@ Las plantillas usan sintaxis de plantilla Lua con los siguientes delimitadores:
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
# ... otras configuraciones (no se necesitan variables de entorno aquí para páginas personalizadas)
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./templates:/custom_templates:ro
environment:
@ -4047,7 +4047,7 @@ Las plantillas usan sintaxis de plantilla Lua con los siguientes delimitadores:
spec:
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
env:
- name: CUSTOM_ERROR_PAGE
value: "/custom_templates/error.html"
@ -4265,7 +4265,9 @@ Opciones comunes de hardening/tuning:
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
SOPORTE STREAM: :x:
<p align="center">
<iframe style="display: block;" width="560" height="315" data-src="https://www.youtube-nocookie.com/embed/3oZOO1XdSlc" title="OpenAPI Validator" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</p>
El plugin **OpenAPI Validator** aplica su contrato de API validando las solicitudes entrantes contra una especificación OpenAPI / Swagger. Asegura que la ruta solicitada exista, que el método HTTP esté permitido y, opcionalmente, valida los parámetros de consulta, cabecera, cookie y ruta contra sus definiciones de esquema.
@ -4286,16 +4288,16 @@ El plugin **OpenAPI Validator** aplica su contrato de API validando las solicitu
### Configuración
| Ajuste | Por defecto | Contexto | Múltiple | Descripción |
| ---------------------------- | ------------------------------------ | --------- | -------- | ------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | no | Habilita la validación de rutas OpenAPI para este sitio. |
| `OPENAPI_SPEC` | | multisite | no | Ruta absoluta o URL HTTP(S) al documento OpenAPI en formato JSON/YAML. |
| `OPENAPI_BASE_PATH` | | multisite | no | Prefijo de ruta base opcional para anteponer a cada ruta en la especificación. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | no | Permite solicitudes a rutas no listadas en la especificación. |
| Ajuste | Por defecto | Contexto | Múltiple | Descripción |
| ---------------------------- | ------------------------------------ | --------- | -------- | ----------------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | no | Habilita la validación de rutas OpenAPI para este sitio. |
| `OPENAPI_SPEC` | | multisite | no | Ruta absoluta o URL HTTP(S) al documento OpenAPI en formato JSON/YAML. |
| `OPENAPI_BASE_PATH` | | multisite | no | Prefijo de ruta base opcional para anteponer a cada ruta en la especificación. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | no | Permite solicitudes a rutas no listadas en la especificación. |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | no | Permite obtener la especificación OpenAPI a través de HTTP simple (no recomendado). |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | no | Lista de regex de URL separadas por espacios para omitir la validación OpenAPI. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | no | Tamaño máximo permitido del documento OpenAPI (acepta sufijos k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | no | Valida parámetros de consulta, cabecera, cookie y ruta contra la especificación. |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | no | Lista de regex de URL separadas por espacios para omitir la validación OpenAPI. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | no | Tamaño máximo permitido del documento OpenAPI (acepta sufijos k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | no | Valida parámetros de consulta, cabecera, cookie y ruta contra la especificación. |
### Notas de comportamiento
@ -4315,3 +4317,82 @@ Establezca los valores mínimos por servicio protegido:
Opcionalmente, permita rutas desconocidas durante el despliegue:
- `OPENAPI_ALLOW_UNSPECIFIED=yes`
## Cache <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
Soporte STREAM :x:
El plugin Cache PRO habilita el almacenamiento en caché de respuestas a nivel de reverse proxy usando directivas NGINX `proxy_cache*`. Es útil para absorber lecturas repetidas de contenido cacheable, proteger a los upstreams durante picos de carga y servir contenido obsoleto durante fallos breves del backend.
**Cómo funciona**
1. Cada valor global `CACHE_PATH*` crea una directiva `proxy_cache_path` en el contexto HTTP.
2. Un servicio empieza a usar la caché solo cuando `CACHE_ZONE` coincide con una de las zonas declaradas en `CACHE_PATH*`.
3. Las configuraciones a nivel de servicio controlan después la clave de caché, las condiciones de bypass/no-cache, el locking, el uso de stale y las reglas de validez.
4. Si se define `CACHE_HEADER`, BunkerWeb añade una cabecera de respuesta que expone `$upstream_cache_status` como `HIT`, `MISS`, `BYPASS`, `EXPIRED` o `STALE`.
**Lista de características**
- Caché de respuestas de reverse proxy con rutas y zonas configurables.
- Activación de caché por servicio mediante `CACHE_ZONE`.
- Cabecera opcional para exponer el estado de la caché con `$upstream_cache_status`.
- Controles detallados para bypass, no-cache, clave, métodos, locking, stale y revalidación.
- Varias reglas de validez mediante configuraciones `CACHE_VALID*`.
**Lista de configuraciones**
| Configuración | Predeterminado | Contexto | Múltiple | Descripción |
| --------------------------- | --------------------------------- | --------- | -------- | ------------------------------------------------------------------------------- |
| `CACHE_PATH` | | global | sí | Ruta y parámetros para una caché. |
| `CACHE_ZONE` | | multisite | no | Nombre de la zona de caché a usar (definida en una configuración `CACHE_PATH`). |
| `CACHE_HEADER` | `X-Cache` | multisite | no | Añade una cabecera que expone el estado de la caché. |
| `CACHE_BACKGROUND_UPDATE` | `no` | multisite | no | Habilita o deshabilita la actualización en segundo plano de la caché. |
| `CACHE_BYPASS` | | multisite | no | Lista de variables que determinan si se debe omitir la caché. |
| `CACHE_NO_CACHE` | `$http_pragma$http_authorization` | multisite | no | Evita almacenar en caché si ciertas variables están definidas. |
| `CACHE_KEY` | `$scheme$proxy_host$request_uri` | multisite | no | Clave usada para identificar elementos cacheados. |
| `CACHE_CONVERT_HEAD_TO_GET` | `yes` | multisite | no | Convierte solicitudes HEAD en GET al cachear. |
| `CACHE_LOCK` | `no` | multisite | no | Bloquea solicitudes concurrentes mientras se llena la caché. |
| `CACHE_LOCK_AGE` | `5s` | multisite | no | Pasa la solicitud al upstream si el bloqueo dura ese tiempo. |
| `CACHE_LOCK_TIMEOUT` | `5s` | multisite | no | Pasa la solicitud al upstream si el bloqueo persiste durante ese tiempo. |
| `CACHE_METHODS` | `GET HEAD` | multisite | no | Solo cachea respuestas para estos métodos HTTP. |
| `CACHE_MIN_USES` | `1` | multisite | no | Número de solicitudes antes de guardar la respuesta en caché. |
| `CACHE_REVALIDATE` | `no` | multisite | no | Revalida entradas expiradas con solicitudes condicionales al upstream. |
| `CACHE_USE_STALE` | `off` | multisite | no | Determina cuándo se puede servir contenido obsoleto. |
| `CACHE_VALID` | `10m` | multisite | sí | Define la duración de caché con códigos HTTP opcionales. |
**Ejemplo de uso**
1. Define una ruta global de caché y una zona:
```yaml
CACHE_PATH: "/var/cache/bunkerweb/proxy levels=1:2 keys_zone=htmlcache:10m max_size=1g inactive=60m use_temp_path=off"
```
2. Habilita el reverse proxy y asocia la zona a un servicio:
```yaml
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_HOST: "http://app:8080"
www.example.com_CACHE_ZONE: "htmlcache"
www.example.com_CACHE_HEADER: "X-Cache"
www.example.com_CACHE_VALID: "200 301 302 10m"
www.example.com_CACHE_VALID_1: "404 1m"
```
3. Añade controles opcionales cuando sea necesario:
```yaml
www.example.com_CACHE_BYPASS: "$cookie_nocache $arg_nocache"
www.example.com_CACHE_NO_CACHE: "$http_pragma $http_authorization"
www.example.com_CACHE_LOCK: "yes"
www.example.com_CACHE_BACKGROUND_UPDATE: "yes"
www.example.com_CACHE_USE_STALE: "error timeout updating http_500 http_502 http_503 http_504"
```
!!! info "Comportamiento importante"
- Este plugin solo se aplica al tráfico reverse proxy. No cachea contenido servido directamente desde archivos estáticos locales ni servicios stream/TCP.
- `CACHE_ZONE` debe coincidir con una zona definida en un valor `CACHE_PATH*` mediante `keys_zone=<nombre>:<tamaño>`.
- Si `CACHE_ZONE` está vacío para un servicio, no se aplican directivas de caché a ese servicio.
- Usa sufijos numéricos para valores repetidos como `CACHE_PATH_1`, `CACHE_PATH_2`, `CACHE_VALID_1` y `CACHE_VALID_2`.
- Mantén fuera de la caché el tráfico autenticado o específico de usuario salvo que `CACHE_KEY` varíe explícitamente según ese estado.
- `CACHE_LOCK=yes` y `CACHE_BACKGROUND_UPDATE=yes` ayudan a reducir estampidas hacia el origen.

127
docs/es/api.md
View file

@ -41,7 +41,7 @@ Elige el sabor que encaje con tu entorno.
services:
bunkerweb:
# Nombre que usará el scheduler para identificar la instancia
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Elige el sabor que encaje con tu entorno.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrate de poner el nombre de instancia correcto
@ -76,7 +76,7 @@ Elige el sabor que encaje con tu entorno.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.8
image: bunkerity/bunkerweb-api:1.6.9
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -143,7 +143,7 @@ Elige el sabor que encaje con tu entorno.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Linux"
@ -252,9 +252,9 @@ Más detalles y trade-offs: [https://limits.readthedocs.io/en/stable/strategies.
### Tiempo de ejecución y zona horaria
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ----------------------------------------------- |
| `TZ` | Zona horaria para logs de la API y claims basados en tiempo (p. ej. TTL de Biscuit y marcas de tiempo) | Nombre de base TZ (p. ej. `UTC`, `Europe/Paris`) | unset (default del contenedor, normalmente UTC) |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------ | ----------------------------------------------- |
| `TZ` | Zona horaria para logs de la API y claims basados en tiempo (p. ej. TTL de Biscuit y marcas de tiempo) | Nombre de base TZ (p. ej. `UTC`, `Europe/Paris`) | unset (default del contenedor, normalmente UTC) |
Desactiva docs o esquema poniendo sus URLs en `off|disabled|none|false|0`. Define `API_SSL_ENABLED=yes` con `API_SSL_CERTFILE` y `API_SSL_KEYFILE` para terminar TLS en la API. Con reverse proxy, define `API_FORWARDED_ALLOW_IPS` a las IPs del proxy para que Gunicorn confíe en los `X-Forwarded-*`.
@ -262,83 +262,84 @@ Desactiva docs o esquema poniendo sus URLs en `off|disabled|none|false|0`. Defin
#### Superficie y docs
| Setting | Descripción | Valores aceptados | Predeterminado |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------ |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Rutas para Swagger, ReDoc y OpenAPI; pon `off/disabled/none/false/0` para desactivar | Ruta o `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Prefijo de montaje al usar reverse proxy | Ruta (ej. `/api`) | vacío |
| `API_FORWARDED_ALLOW_IPS` | IPs de proxy confiables para `X-Forwarded-*` | IPs/CIDRs separadas por comas | `127.0.0.1,::1` (default de paquete) |
| `API_PROXY_ALLOW_IPS` | IPs de proxy confiables para el protocolo PROXY | IPs/CIDRs separadas por comas | `FORWARDED_ALLOW_IPS` |
| Setting | Descripción | Valores aceptados | Predeterminado |
| -------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------- | ------------------------------------ |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Rutas para Swagger, ReDoc y OpenAPI; pon `off/disabled/none/false/0` para desactivar | Ruta o `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Prefijo de montaje al usar reverse proxy | Ruta (ej. `/api`) | vacío |
| `API_FORWARDED_ALLOW_IPS` | IPs de proxy confiables para `X-Forwarded-*` | IPs/CIDRs separadas por comas | `127.0.0.1,::1` (default de paquete) |
| `API_PROXY_ALLOW_IPS` | IPs de proxy confiables para el protocolo PROXY | IPs/CIDRs separadas por comas | `FORWARDED_ALLOW_IPS` |
#### Auth, ACL, Biscuit
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------------------- | -------------------------------------------- | ------------------------------------------------------------------ | --------------------------- |
| `API_USERNAME`, `API_PASSWORD` | Usuario admin inicial | Strings; contraseña fuerte requerida fuera de debug | unset |
| `OVERRIDE_API_CREDS` | Reaplicar credenciales admin al arranque | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Bearer de override admin | Cadena opaca | unset |
| `API_ACL_BOOTSTRAP_FILE` | Ruta JSON para usuarios/permisos | Ruta o `/var/lib/bunkerweb/api_acl_bootstrap.json` montado | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Claves Biscuit (hex) si no se usan archivos | Cadenas hex | auto-generadas/persistidas |
| `API_BISCUIT_TTL_SECONDS` | Vida del token; `0/off` desactiva expiración | Entero en segundos o `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Liga Biscuit a la IP cliente (excepto privada) | `yes/no/on/off/true/false/0/1` | `yes` |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------------------- | ---------------------------------------------- | ---------------------------------------------------------- | -------------------------- |
| `API_USERNAME`, `API_PASSWORD` | Usuario admin inicial | Strings; contraseña fuerte requerida fuera de debug | unset |
| `OVERRIDE_API_CREDS` | Reaplicar credenciales admin al arranque | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Bearer de override admin | Cadena opaca | unset |
| `API_ACL_BOOTSTRAP_FILE` | Ruta JSON para usuarios/permisos | Ruta o `/var/lib/bunkerweb/api_acl_bootstrap.json` montado | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Claves Biscuit (hex) si no se usan archivos | Cadenas hex | auto-generadas/persistidas |
| `API_BISCUIT_TTL_SECONDS` | Vida del token; `0/off` desactiva expiración | Entero en segundos o `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Liga Biscuit a la IP cliente (excepto privada) | `yes/no/on/off/true/false/0/1` | `yes` |
#### Allowlist
| Setting | Descripción | Valores aceptados | Predeterminado |
| ----------------------- | ------------------------------------ | -------------------------------- | -------------------------- |
| `API_WHITELIST_ENABLED` | Alternar middleware de lista blanca | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | IPs/CIDRs separadas por espacio/coma | IPs/CIDRs | Rangos RFC1918 en código |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ----------------------- | ------------------------------------ | ------------------------------ | ------------------------ |
| `API_WHITELIST_ENABLED` | Alternar middleware de lista blanca | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | IPs/CIDRs separadas por espacio/coma | IPs/CIDRs | Rangos RFC1918 en código |
#### Limitación
| Setting | Descripción | Valores aceptados | Predeterminado |
| -------------------------------- | -------------------------------------------- | ----------------------------------------------------------- | --------------- |
| `API_RATE_LIMIT` | Límite global (cadena estilo NGINX) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | Límite de `/auth` (o `off`) | igual que arriba o `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Activar limitador | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Inyectar headers de límite | igual que arriba | `yes` |
| `API_RATE_LIMIT_RULES` | Reglas por ruta (CSV/JSON/YAML o ruta) | Cadena o ruta | unset |
| `API_RATE_LIMIT_STRATEGY` | Algoritmo | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | Selector de clave | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Saltar límites para estas IPs/CIDRs | Separadas por espacio/coma | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON mezclado en la config de almacenamiento | Cadena JSON | unset |
| Setting | Descripción | Valores aceptados | Predeterminado |
| -------------------------------- | -------------------------------------------- | --------------------------------------------------------- | -------------- |
| `API_RATE_LIMIT` | Límite global (cadena estilo NGINX) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | Límite de `/auth` (o `off`) | igual que arriba o `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Activar limitador | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Inyectar headers de límite | igual que arriba | `yes` |
| `API_RATE_LIMIT_RULES` | Reglas por ruta (CSV/JSON/YAML o ruta) | Cadena o ruta | unset |
| `API_RATE_LIMIT_STRATEGY` | Algoritmo | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | Selector de clave | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Saltar límites para estas IPs/CIDRs | Separadas por espacio/coma | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON mezclado en la config de almacenamiento | Cadena JSON | unset |
#### Redis/Valkey (para rate limits)
| Setting | Descripción | Valores aceptados | Predeterminado |
| ---------------------------------------------------- | ---------------------- | -------------------------------- | --------------------- |
| `USE_REDIS` | Habilitar backend Redis | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Detalles de conexión | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Cadenas | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS y verificación | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Entero | `1000` |
| `REDIS_KEEPALIVE_POOL` | Keepalive de pool | Entero | `10` |
| `REDIS_SENTINEL_HOSTS` | Hosts de Sentinel | `host:port` separados por espacio | unset |
| `REDIS_SENTINEL_MASTER` | Nombre de maestro | Cadena | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Auth de Sentinel | Cadenas | unset |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ---------------------------------------------------- | ----------------------- | --------------------------------- | ------------------ |
| `USE_REDIS` | Habilitar backend Redis | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Detalles de conexión | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Cadenas | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS y verificación | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Entero | `1000` |
| `REDIS_KEEPALIVE_POOL` | Keepalive de pool | Entero | `10` |
| `REDIS_SENTINEL_HOSTS` | Hosts de Sentinel | `host:port` separados por espacio | unset |
| `REDIS_SENTINEL_MASTER` | Nombre de maestro | Cadena | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Auth de Sentinel | Cadenas | unset |
!!! info "Redis de la BD"
Si la config de la base de datos de BunkerWeb incluye Redis/Valkey, la API la reutiliza automáticamente para rate limiting incluso sin `USE_REDIS` en el entorno. Sobrescribe con variables de entorno cuando necesites otro backend.
#### Listener y TLS
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------------- | --------------------------------- | -------------------------------- | --------------------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Dirección/puerto de Gunicorn | IP o hostname, int | `127.0.0.1`, `8888` (script de paquete) |
| `API_SSL_ENABLED` | Activar TLS en la API | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | Rutas de cert y clave PEM | Rutas de archivo | unset |
| `API_SSL_CA_CERTS` | CA/cadena opcional | Ruta de archivo | unset |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------------- | ---------------------------- | ------------------------------ | --------------------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Dirección/puerto de Gunicorn | IP o hostname, int | `127.0.0.1`, `8888` (script de paquete) |
| `API_SSL_ENABLED` | Activar TLS en la API | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | Rutas de cert y clave PEM | Rutas de archivo | unset |
| `API_SSL_CA_CERTS` | CA/cadena opcional | Ruta de archivo | unset |
#### Logging y runtime (defaults de paquete)
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | --------------------------------------------------------------------------------- | ------------------------------------------------- | ---------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Nivel base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinos | `stderr`/`file`/`syslog` separados por espacio | `stderr` |
| `LOG_FILE_PATH` | Ubicación del log (si `LOG_TYPES` incluye `file` o `CAPTURE_OUTPUT=yes`) | Ruta de archivo | `/var/log/bunkerweb/api.log` si file/capture, si no unset |
| `LOG_SYSLOG_ADDRESS` | Destino syslog (`udp://host:514`, `tcp://host:514`, socket) | Host:puerto, host con prefijo proto o ruta socket | unset |
| `LOG_SYSLOG_TAG` | Tag de syslog | Cadena | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/hilos de Gunicorn | Entero o unset para auto | unset |
| `CAPTURE_OUTPUT` | Capturar stdout/stderr de Gunicorn hacia los handlers configurados | `yes` o `no` | `no` |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Nivel base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinos | `stderr`/`file`/`syslog` separados por espacio | `stderr` |
| `LOG_FILE_PATH` | Ubicación del log (si `LOG_TYPES` incluye `file` o `CAPTURE_OUTPUT=yes`) | Ruta de archivo | `/var/log/bunkerweb/api.log` si file/capture, si no unset |
| `LOG_SYSLOG_ADDRESS` | Destino syslog (`udp://host:514`, `tcp://host:514`, socket) | Host:puerto, host con prefijo proto o ruta socket | unset |
| `LOG_SYSLOG_TAG` | Tag de syslog | Cadena | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/hilos de Gunicorn | Entero o unset para auto | unset |
| `MAX_REQUESTS` | Solicitudes antes de reciclar el worker Gunicorn (previene exceso de memoria) | Entero | `1000` |
| `CAPTURE_OUTPUT` | Capturar stdout/stderr de Gunicorn hacia los handlers configurados | `yes` o `no` | `no` |
## Superficie de la API (mapa de capacidades)

4
docs/es/concepts.md
View file

@ -105,7 +105,7 @@ Ten en cuenta que el modo multisitio es implícito cuando se utiliza la interfaz
!!! info "Para saber más"
Encontrarás ejemplos concretos del modo multisitio en los [usos avanzados](advanced.md) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) del repositorio.
Encontrarás ejemplos concretos del modo multisitio en los [usos avanzados](advanced.md) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio.
## Configuraciones personalizadas {#custom-configurations}
@ -126,7 +126,7 @@ La gestión de configuraciones personalizadas desde la interfaz de usuario web s
!!! info "Para saber más"
Encontrarás ejemplos concretos de configuraciones personalizadas en los [usos avanzados](advanced.md#custom-configurations) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) del repositorio.
Encontrarás ejemplos concretos de configuraciones personalizadas en los [usos avanzados](advanced.md#custom-configurations) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio.
## Base de datos

896
docs/es/features.md
View file

File diff suppressed because it is too large Load diff

132
docs/es/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Por defecto, el contenedor expone:
@ -1284,7 +1284,7 @@ Se requiere un volumen nombrado (o un bind mount) para persistir la base de dato
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
volumes:
- bw-storage:/data
...
@ -1361,7 +1361,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Recomendado (detrás de BunkerWeb) — no publiques el `8888`; en su lugar, haz un proxy inverso:
@ -1369,7 +1369,7 @@ Recomendado (detrás de BunkerWeb) — no publiques el `8888`; en su lugar, haz
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1441,7 +1441,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* Cuando `USE_CROWDSEC=yes`, el punto de entrada hará lo siguiente:
@ -1496,7 +1496,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
!!! info "Cómo funciona internamente"
@ -1518,7 +1518,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Notas:
@ -1554,7 +1554,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* El **registro local** se omite cuando `CROWDSEC_API` no es `127.0.0.1` o `localhost`.
@ -1586,13 +1586,13 @@ Al acceder a estas imágenes preconstruidas desde Docker Hub, puedes obtener y e
Ya sea que estés realizando pruebas, desarrollando aplicaciones o desplegando BunkerWeb en producción, la opción de contenedorización de Docker proporciona flexibilidad y facilidad de uso. Adoptar este método te permite aprovechar al máximo las características de BunkerWeb mientras te beneficias de las ventajas de la tecnología Docker.
```shell
docker pull bunkerity/bunkerweb:1.6.8
docker pull bunkerity/bunkerweb:1.6.9
```
Las imágenes de Docker también están disponibles en [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) y se pueden descargar usando la dirección del repositorio `ghcr.io`:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.8
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
```
Los conceptos clave para la integración con Docker incluyen:
@ -1602,7 +1602,7 @@ Los conceptos clave para la integración con Docker incluyen:
- **Redes**: Las redes de Docker desempeñan un papel vital en la integración de BunkerWeb. Estas redes tienen dos propósitos principales: exponer puertos a los clientes y conectarse a los servicios web ascendentes. Al exponer los puertos, BunkerWeb puede aceptar solicitudes entrantes de los clientes, permitiéndoles acceder a los servicios web protegidos. Además, al conectarse a los servicios web ascendentes, BunkerWeb puede enrutar y gestionar el tráfico de manera eficiente, proporcionando una mayor seguridad y rendimiento.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando SQLite como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, también se admiten otros backends de bases de datos. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando SQLite como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, también se admiten otros backends de bases de datos. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
### Variables de entorno
@ -1612,7 +1612,7 @@ Las configuraciones se pasan al Programador usando las variables de entorno de D
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1656,7 +1656,7 @@ Esto asegura que las configuraciones sensibles se mantengan fuera del entorno y
El [programador](concepts.md#scheduler) se ejecuta en su propio contenedor, que también está disponible en Docker Hub:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.8
docker pull bunkerity/bunkerweb-scheduler:1.6.9
```
!!! info "Configuraciones de BunkerWeb"
@ -1677,7 +1677,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
environment:
# Esto establecerá las configuraciones de la API para el contenedor de BunkerWeb
<<: *bw-api-env
@ -1686,7 +1686,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
# Esto establecerá las configuraciones de la API para el contenedor del Programador
<<: *bw-api-env
@ -1704,7 +1704,7 @@ Se necesita un volumen para almacenar la base de datos SQLite y las copias de se
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- bw-storage:/data
...
@ -1850,7 +1850,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1863,7 +1863,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Esta configuración es obligatoria para especificar la instancia de BunkerWeb
@ -1896,7 +1896,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1909,7 +1909,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
depends_on:
- bunkerweb
environment:
@ -1975,8 +1975,8 @@ Para empezar, descarga el script de instalación y su suma de verificación, lue
```bash
# Descargar el script y su suma de verificación
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verificar la suma de verificación
sha256sum -c install-bunkerweb.sh.sha256
@ -2035,7 +2035,7 @@ Para configuraciones no interactivas o automatizadas, el script se puede control
| Opción | Descripción |
| :---------------------- | :------------------------------------------------------------------------------------------------ |
| `-v, --version VERSION` | Especifica la versión de BunkerWeb a instalar (p. ej., `1.6.8`). |
| `-v, --version VERSION` | Especifica la versión de BunkerWeb a instalar (p. ej., `1.6.9`). |
| `-w, --enable-wizard` | Habilita el asistente de configuración. |
| `-n, --no-wizard` | Deshabilita el asistente de configuración. |
| `-y, --yes` | Se ejecuta en modo no interactivo usando las respuestas predeterminadas para todas las preguntas. |
@ -2100,7 +2100,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Instalar una versión específica
sudo ./install-bunkerweb.sh --version 1.6.8
sudo ./install-bunkerweb.sh --version 1.6.9
# Configuración del Gestor con instancias de trabajador remotas (se requieren instancias)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2208,7 +2208,7 @@ Dependiendo de tus elecciones durante la instalación:
### Instalación mediante el gestor de paquetes
Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para todas las distribuciones, excepto Fedora, es obligatorio usar los paquetes precompilados del [repositorio oficial de NGINX](https://nginx.org/en/linux_packages.html). Compilar NGINX desde el código fuente o usar paquetes de diferentes repositorios no funcionará con los paquetes precompilados oficiales de BunkerWeb. Sin embargo, tienes la opción de compilar BunkerWeb desde el código fuente.
Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para todas las distribuciones, es obligatorio usar los paquetes precompilados del [repositorio oficial de NGINX](https://nginx.org/en/linux_packages.html). Compilar NGINX desde el código fuente o usar paquetes de diferentes repositorios no funcionará con los paquetes precompilados oficiales de BunkerWeb. Sin embargo, tienes la opción de compilar BunkerWeb desde el código fuente.
=== "Debian Bookworm/Trixie"
@ -2244,12 +2244,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.8:
Y finalmente instala BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -2292,12 +2292,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.8:
Y finalmente instala BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -2315,10 +2315,10 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora ya proporciona NGINX 1.28.1 que soportamos
Fedora ya proporciona NGINX 1.28.2 que soportamos
```shell
sudo dnf install -y --allowerasing nginx-1.28.1
sudo dnf install -y --allowerasing nginx-1.28.2
```
!!! example "Deshabilitar el asistente de configuración"
@ -2328,12 +2328,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.8:
Y finalmente instala BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -2378,12 +2378,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.8:
Y finalmente instala BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -2476,7 +2476,7 @@ Al adoptar este enfoque, puedes disfrutar de la reconfiguración en tiempo real
La integración de autoconfiguración de Docker implica el uso del **modo multisitio**. Por favor, consulta la [sección de multisitio](concepts.md#multisite-mode) de la documentación para obtener más información.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
Para habilitar las actualizaciones de configuración automatizadas, incluye un contenedor adicional llamado `bw-autoconf` en la pila. Este contenedor aloja el servicio de autoconfiguración, que gestiona los cambios de configuración dinámicos para BunkerWeb.
@ -2490,7 +2490,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2505,7 +2505,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # No necesitamos especificar la instancia de BunkerWeb aquí, ya que son detectadas automáticamente por el servicio de autoconfiguración
@ -2520,7 +2520,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2703,13 +2703,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Establece el espacio de nombres para la instancia de BunkerWeb para que el servicio de autoconfiguración pueda detectarla
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Solo escucha a estos espacios de nombres
@ -2744,7 +2744,9 @@ para configuraciones personalizadas.
Si usas la Gateway API de Kubernetes, establece `KUBERNETES_MODE=yes` y `KUBERNETES_GATEWAY_MODE=yes`.
El controlador observa recursos `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute` y `UDPRoute` en lugar de objetos `Ingress`. Puedes limitar lo que procesa con `KUBERNETES_GATEWAY_CLASS` y elegir `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` o `v1alpha1`).
El controlador observa recursos `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute` y `UDPRoute` en lugar de objetos `Ingress`. Puedes limitar lo que procesa con `KUBERNETES_GATEWAY_CLASS` y elegir `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` o `v1alpha1`).
El soporte de `GRPCRoute` en BunkerWeb es actualmente **experimental**.
Si tu Service no se llama `bunkerweb`, establece `BUNKERWEB_SERVICE_NAME` para que el parcheo de estado lea el Service correcto.
@ -2759,7 +2761,7 @@ Para una configuración óptima, se recomienda definir BunkerWeb como un **[Daem
Dada la presencia de múltiples instancias de BunkerWeb, es necesario establecer un almacén de datos compartido implementado como un servicio de [Redis](https://redis.io/) o [Valkey](https://valkey.io/). Este servicio será utilizado por las instancias para almacenar en caché y compartir datos entre ellas. Se puede encontrar más información sobre la configuración de Redis/Valkey [aquí](features.md#redis).
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
La configuración de backends de bases de datos en clúster está fuera del alcance de esta documentación.
@ -2874,7 +2876,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.8"
tag: "1.6.9"
```
2. For each sidecar, add:
@ -2967,7 +2969,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.8"
tag: "1.6.9"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3011,7 +3013,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3282,7 +3284,7 @@ To add a new application protected by BunkerWeb:
#### Archivos YAML completos
En lugar de usar el chart de Helm, también puedes usar las plantillas YAML dentro de la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) del repositorio de GitHub. Ten en cuenta que recomendamos encarecidamente usar el chart de Helm en su lugar.
En lugar de usar el chart de Helm, también puedes usar las plantillas YAML dentro de la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio de GitHub. Ten en cuenta que recomendamos encarecidamente usar el chart de Helm en su lugar.
### Recursos de Ingress
@ -3328,28 +3330,28 @@ spec:
### Recursos de Gateway
Cuando el modo Gateway API está habilitado, puedes declarar recursos `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute` y `UDPRoute`.
Las configuraciones de BunkerWeb se indican como anotaciones `bunkerweb.io/<SETTING>` en el `HTTPRoute`; para limitar una
Cuando el modo Gateway API está habilitado, puedes declarar recursos `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute` y `UDPRoute`.
Las configuraciones de BunkerWeb se indican como anotaciones `bunkerweb.io/<SETTING>` en el `HTTPRoute`/`GRPCRoute`; para limitar una
configuración a un host, usa `bunkerweb.io/<hostname>_<SETTING>`. El campo `hostnames` define los nombres de servidor. Para `TCPRoute`/`UDPRoute` (y `TLSRoute` sin `hostnames`), BunkerWeb genera un nombre de servidor como `<route>.<namespace>.<protocol>`. Consulta [Clase de Gateway](#gateway-class).
Las anotaciones en el `Gateway` se aplican a todas las rutas asociadas, mientras que las anotaciones en un `HTTPRoute` solo se aplican a esa ruta.
Las anotaciones en el `Gateway` se aplican a todas las rutas asociadas, mientras que las anotaciones en un `HTTPRoute`/`GRPCRoute` solo se aplican a esa ruta.
También puedes limitar las anotaciones del Gateway a un nombre de servidor con `bunkerweb.io/<hostname>_<SETTING>`; solo se aplicarán si existe esa ruta/nombre de servidor.
#### Recursos compatibles
- Recursos: `HTTPRoute`, `TLSRoute`, `TCPRoute` y `UDPRoute` (no `GRPCRoute`).
- Recursos: `HTTPRoute`, `GRPCRoute` (experimental), `TLSRoute`, `TCPRoute` y `UDPRoute`.
- Reglas: solo se usa la primera regla para `TLSRoute`, `TCPRoute` y `UDPRoute`.
- Backends: solo `Service`, primer `backendRef` por regla.
#### Protocolos y TLS
- Protocolos de listener: `HTTP`/`HTTPS` para `HTTPRoute`, `TLS` para `TLSRoute`, `TCP` para `TCPRoute` y `UDP` para `UDPRoute`.
- Protocolos de listener: `HTTP`/`HTTPS` para `HTTPRoute` y `GRPCRoute`, `TLS` para `TLSRoute`, `TCP` para `TCPRoute` y `UDP` para `UDPRoute`.
- TLS: certificados mediante `certificateRefs` del listener con `HTTPS` o `TLS` + `mode: Terminate` (Passthrough no está soportado para la terminación). `TLSRoute` funciona en modo stream.
!!! tip "Nombre de servidor para rutas stream"
Para `TLSRoute`, `TCPRoute` y `UDPRoute`, puedes reemplazar el nombre de servidor generado configurando `bunkerweb.io/SERVER_NAME` en la ruta.
!!! note "Experimental Channel para rutas stream"
Si quieres usar `TLSRoute`, `TCPRoute` o `UDPRoute`, instala las CRD del Experimental Channel: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! note "Experimental Channel para rutas avanzadas"
Si quieres usar `GRPCRoute`, `TLSRoute`, `TCPRoute` o `UDPRoute`, instala las CRD del Experimental Channel: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! info "Soporte TLS"
La terminación TLS se gestiona mediante los listeners del `Gateway` y sus `certificateRefs` (secrets TLS) para `HTTPRoute` con `HTTPS` o `TLS` + `mode: Terminate`. `TLSRoute` funciona en modo stream.
@ -3430,7 +3432,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3603,11 +3605,11 @@ service:
# Configuraciones de BunkerWeb
bunkerweb:
tag: 1.6.8
tag: 1.6.9
# Configuraciones del programador
scheduler:
tag: 1.6.8
tag: 1.6.9
extraEnvs:
# Habilita el módulo de IP real para obtener la IP real de los clientes
- name: USE_REAL_IP
@ -3615,11 +3617,11 @@ scheduler:
# Configuraciones del controlador
controller:
tag: 1.6.8
tag: 1.6.9
# Configuraciones de la UI
ui:
tag: 1.6.8
tag: 1.6.9
```
Instala BunkerWeb con valores personalizados:
@ -4241,7 +4243,7 @@ Dado que se están ejecutando múltiples instancias de BunkerWeb, se debe crear
En cuanto al volumen de la base de datos, la documentación no especifica un enfoque concreto. La elección de una carpeta compartida o un controlador específico para el volumen de la base de datos depende de tu caso de uso particular y se deja como ejercicio para el lector.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
La configuración de backends de bases de datos en clúster está fuera del alcance de esta documentación.
@ -4255,7 +4257,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -4284,7 +4286,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Etiqueta obligatoria para que el servicio de autoconfiguración identifique la instancia de BunkerWeb
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # No necesitamos especificar la instancia de BunkerWeb aquí, ya que son detectadas automáticamente por el servicio de autoconfiguración
@ -4305,7 +4307,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Recuerda establecer una contraseña más segura para la base de datos
@ -4457,7 +4459,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
deploy:
mode: global
@ -4469,7 +4471,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Establece el espacio de nombres para la instancia de BunkerWeb
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
NAMESPACES: "my-namespace my-other-namespace" # Solo escucha a estos espacios de nombres
...

26
docs/es/plugins.md
View file

@ -8,12 +8,12 @@ Aquí está la lista de plugins "oficiales" que mantenemos (consulta el reposito
| Nombre | Versión | Descripción | Enlace |
| :------------: | :-----: | :----------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.9 | Escanea automáticamente los archivos subidos con el motor antivirus ClamAV y deniega la solicitud cuando un archivo es detectado como malicioso. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.9 | Inspecciona las solicitudes usando el WAF de Coraza (alternativa a ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.9 | Envía notificaciones de seguridad a un canal de Discord usando un Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.9 | Envía notificaciones de seguridad a un canal de Slack usando un Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.9 | Escanea automáticamente los archivos subidos con la API de VirusTotal y deniega la solicitud cuando un archivo es detectado como malicioso. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | Envía notificaciones de seguridad a un punto final HTTP personalizado usando un Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.10 | Escanea automáticamente los archivos subidos con el motor antivirus ClamAV y deniega la solicitud cuando un archivo es detectado como malicioso. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.10 | Inspecciona las solicitudes usando el WAF de Coraza (alternativa a ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.10 | Envía notificaciones de seguridad a un canal de Discord usando un Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.10 | Envía notificaciones de seguridad a un canal de Slack usando un Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.10 | Escanea automáticamente los archivos subidos con la API de VirusTotal y deniega la solicitud cuando un archivo es detectado como malicioso. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.10 | Envía notificaciones de seguridad a un punto final HTTP personalizado usando un Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## Cómo usar un plugin
@ -21,7 +21,7 @@ Aquí está la lista de plugins "oficiales" que mantenemos (consulta el reposito
Si quieres instalar rápidamente plugins externos, puedes usar la configuración `EXTERNAL_PLUGIN_URLS`. Acepta una lista de URLs separadas por espacios, cada una apuntando a un archivo comprimido (formato zip) que contiene uno o más plugins.
Puedes usar el siguiente valor si quieres instalar automáticamente los plugins oficiales: `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.9.zip`
Puedes usar el siguiente valor si quieres instalar automáticamente los plugins oficiales: `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.10.zip`
### Manual
@ -89,7 +89,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
!!! tip "Plugins existentes"
Si la documentación no es suficiente, puedes echar un vistazo al código fuente existente de los [plugins oficiales](https://github.com/bunkerity/bunkerweb-plugins) y los [plugins del núcleo](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/common/core) (ya incluidos en BunkerWeb, pero técnicamente son plugins).
Si la documentación no es suficiente, puedes echar un vistazo al código fuente existente de los [plugins oficiales](https://github.com/bunkerity/bunkerweb-plugins) y los [plugins del núcleo](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (ya incluidos en BunkerWeb, pero técnicamente son plugins).
Así es como se ve la estructura de un plugin:
```
@ -560,7 +560,7 @@ end
!!! tip "Más ejemplos"
Si quieres ver la lista completa de funciones disponibles, puedes echar un vistazo a los archivos presentes en el [directorio lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/bw/lua/bunkerweb) del repositorio.
Si quieres ver la lista completa de funciones disponibles, puedes echar un vistazo a los archivos presentes en el [directorio lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) del repositorio.
### Trabajos

34
docs/es/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Esta guía de inicio rápido te ayudará a instalar rápidamente BunkerWeb y a p
Proteger las aplicaciones web existentes que ya son accesibles con el protocolo HTTP(S) es el objetivo principal de BunkerWeb: actuará como un [proxy inverso](https://es.wikipedia.org/wiki/Proxy_inverso) clásico con características de seguridad adicionales.
Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) del repositorio para obtener ejemplos del mundo real.
Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio para obtener ejemplos del mundo real.
## Configuración básica
@ -33,7 +33,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Por defecto, el contenedor expone:
@ -52,8 +52,8 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
```bash
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256 # Si la comprobación es exitosa, ejecuta el script
@ -89,7 +89,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
# Este es el nombre que se usará para identificar la instancia en el Programador
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -102,7 +102,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrate de establecer el nombre de instancia correcto
@ -119,7 +119,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
restart: "unless-stopped"
@ -186,7 +186,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -202,7 +202,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -220,7 +220,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bw-docker
environment:
@ -243,7 +243,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Recuerda establecer una clave secreta más segura (consulta la sección de Requisitos previos)
@ -338,7 +338,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -368,7 +368,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -386,7 +386,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -415,7 +415,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Recuerda establecer una clave secreta más segura (consulta la sección de Requisitos previos)
@ -637,7 +637,7 @@ Ahora puedes iniciar sesión con la cuenta de administrador que creaste durante
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Incluye cualquier otra variable de entorno existente para la UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Tu contenedor de aplicación (`myapp`) y el contenedor `bunkerweb-aio` deben estar en la misma red de Docker para que BunkerWeb pueda alcanzarlo usando el nombre de host `myapp`.
@ -659,7 +659,7 @@ Ahora puedes iniciar sesión con la cuenta de administrador que creaste durante
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (todas las demás variables de entorno relevantes como se muestra en el ejemplo principal anterior) ...
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Asegúrate de reemplazar `myapp` con el nombre o IP real de tu contenedor de aplicación y `http://myapp:8080` con su dirección y puerto correctos.

36
docs/es/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -141,20 +141,20 @@
Ejemplos:
```bash
# Actualizar a 1.6.8 interactivamente (pedirá confirmación para la copia de seguridad)
sudo ./install-bunkerweb.sh --version 1.6.8
# Actualizar a 1.6.9 interactivamente (pedirá confirmación para la copia de seguridad)
sudo ./install-bunkerweb.sh --version 1.6.9
# Actualización no interactiva con copia de seguridad automática a un directorio personalizado
sudo ./install-bunkerweb.sh -v 1.6.8 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
# Actualización desatendida silenciosa (salida suprimida) depende de la copia de seguridad automática predeterminada
sudo ./install-bunkerweb.sh -v 1.6.8 -y -q
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
# Realizar una ejecución de prueba (plan) sin aplicar cambios
sudo ./install-bunkerweb.sh -v 1.6.8 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
# Actualizar omitiendo la copia de seguridad automática (NO recomendado)
sudo ./install-bunkerweb.sh -v 1.6.8 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
```
!!! warning "Omitir copias de seguridad"
@ -234,7 +234,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -260,7 +260,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -657,16 +657,16 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -701,7 +701,7 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -727,7 +727,7 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `dnf upgrade`, puedes usar el siguiente comando:

42
docs/es/web-ui.md
View file

@ -35,7 +35,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
Usa las imágenes publicadas y el layout del [guía rápida](quickstart-guide.md#__tabbed_1_3) para levantar el stack, luego completa el asistente en el navegador.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.8-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
```
Visita el hostname del scheduler (ej. `https://www.example.com/changeme`) y ejecuta el asistente `/setup` para configurar la UI, el scheduler y la instancia.
@ -52,7 +52,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -185,14 +185,14 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
### Listener y TLS
| Ajuste | Descripción | Valores aceptados | Predeterminado |
| ----------------------------------- | ----------------------------------------- | ------------------------------------ | ------------------------------------------ |
| `UI_LISTEN_ADDR` | Dirección de escucha de la UI | IP o hostname | `0.0.0.0` (Docker) / `127.0.0.1` (paquete) |
| `UI_LISTEN_PORT` | Puerto de escucha de la UI | Entero | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Alternativas si faltan vars de UI | IP/hostname, entero | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Habilitar TLS en el contenedor UI | `yes` o `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | Rutas de cert/clave PEM con TLS | Rutas de archivo | sin definir |
| `UI_SSL_CA_CERTS` | CA/cadena opcional | Ruta de archivo | sin definir |
| Ajuste | Descripción | Valores aceptados | Predeterminado |
| ----------------------------------- | ----------------------------------------- | ------------------------------------ | ----------------------------------------------------- |
| `UI_LISTEN_ADDR` | Dirección de escucha de la UI | IP o hostname | `0.0.0.0` (Docker) / `127.0.0.1` (paquete) |
| `UI_LISTEN_PORT` | Puerto de escucha de la UI | Entero | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Alternativas si faltan vars de UI | IP/hostname, entero | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Habilitar TLS en el contenedor UI | `yes` o `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | Rutas de cert/clave PEM con TLS | Rutas de archivo | sin definir |
| `UI_SSL_CA_CERTS` | CA/cadena opcional | Ruta de archivo | sin definir |
| `UI_FORWARDED_ALLOW_IPS` | Proxies de confianza para `X-Forwarded-*` | IPs/CIDRs separados por espacio/coma | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | Proxies de confianza para protocolo PROXY | IPs/CIDRs separados por espacio/coma | `FORWARDED_ALLOW_IPS` |
@ -223,14 +223,16 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
### Runtime misceláneo
| Ajuste | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | ------------------------------------------ | ----------------- | ------------------------------------ |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/hilos de Gunicorn | Entero | `cpu_count()-1` (mín 1), `workers*2` |
| `ENABLE_HEALTHCHECK` | Exponer `GET /healthcheck` | `yes` o `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias para lista de proxies | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias para lista de PROXY | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Saltar reloads de prueba al aplicar config | `yes` o `no` | `no` |
| `IGNORE_REGEX_CHECK` | Omitir validación regex de ajustes | `yes` o `no` | `no` |
| Ajuste | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/hilos de Gunicorn | Entero | `cpu_count()-1` (mín 1), `workers*2` |
| `MAX_REQUESTS` | Solicitudes antes de reciclar el worker Gunicorn (previene exceso de memoria) | Entero | `1000` |
| `ENABLE_HEALTHCHECK` | Exponer `GET /healthcheck` | `yes` o `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias para lista de proxies | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias para lista de PROXY | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Saltar reloads de prueba al aplicar config | `yes` o `no` | `no` |
| `IGNORE_REGEX_CHECK` | Omitir validación regex de ajustes | `yes` o `no` | `no` |
| `MAX_CONTENT_LENGTH` | Tamaño máximo de subida (Flask `MAX_CONTENT_LENGTH`) | Tamaño con unidad (`50M`, `1G`, `52428800`) | `50MB` |
## Acceso a logs

980
docs/features.md
View file

File diff suppressed because it is too large Load diff

209
docs/fr/advanced.md
View file

@ -1,8 +1,8 @@
# Utilisations avancées
De nombreux exemples de cas d'utilisation concrets sont disponibles dans le dossier [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) du dépôt GitHub.
De nombreux exemples de cas d'utilisation concrets sont disponibles dans le dossier [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt GitHub.
Nous fournissons également de nombreux modèles standard, tels que des fichiers YAML pour diverses intégrations et types de bases de données. Ceux-ci sont disponibles dans le dossier [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations).
Nous fournissons également de nombreux modèles standard, tels que des fichiers YAML pour diverses intégrations et types de bases de données. Ceux-ci sont disponibles dans le dossier [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations).
Cette section se concentre uniquement sur les utilisations avancées et le réglage de la sécurité, consultez la [section fonctionnalités](features.md) de la documentation pour voir tous les paramètres disponibles.
@ -85,7 +85,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Veuillez noter que si votre conteneur existe déjà, vous devrez le supprimer et le recréer afin que les nouvelles variables d'environnement soient prises en compte.
@ -96,7 +96,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -104,7 +104,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -121,7 +121,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -129,7 +129,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -176,7 +176,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -184,7 +184,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -249,7 +249,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Veuillez noter que si votre conteneur existe déjà, vous devrez le supprimer et le recréer afin que les nouvelles variables d'environnement soient prises en compte.
@ -260,7 +260,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -270,7 +270,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -288,7 +288,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -298,7 +298,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -350,7 +350,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -360,7 +360,7 @@ Vous trouverez plus de paramètres sur l'IP réelle dans la [section des fonctio
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -485,8 +485,8 @@ Le Manager est le cerveau du cluster. Il exécute le Scheduler, la base de donn
```bash
# Télécharger le script et sa somme
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Vérifier l'empreinte
sha256sum -c install-bunkerweb.sh.sha256
@ -585,7 +585,7 @@ Le Manager est le cerveau du cluster. Il exécute le Scheduler, la base de donn
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: "192.168.1.11 192.168.1.12" # Remplacez par les IPs de vos workers
@ -604,7 +604,7 @@ Le Manager est le cerveau du cluster. Il exécute le Scheduler, la base de donn
- bw-redis
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
ports:
- "7000:7000" # Exposer le port de l'UI
environment:
@ -687,7 +687,7 @@ Les workers sont les nœuds qui traitent le trafic entrant.
```yaml title="docker-compose.yml"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -992,7 +992,7 @@ Pour activer systemd-resolved comme résolveur DNS dans BunkerWeb, définissez l
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1020,7 +1020,7 @@ Pour activer systemd-resolved comme résolveur DNS dans BunkerWeb, définissez l
- bw-dns
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1031,7 +1031,7 @@ Pour activer systemd-resolved comme résolveur DNS dans BunkerWeb, définissez l
- bw-dns
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1145,7 +1145,7 @@ Certaines intégrations offrent des moyens plus pratiques d'appliquer des config
}" \
-p 80:8080/tcp \
-p 443:8443/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Veuillez noter que si votre conteneur est déjà créé, vous devrez le supprimer et le recréer pour que les nouvelles variables d'environnement soient appliquées.
@ -1185,7 +1185,7 @@ Certaines intégrations offrent des moyens plus pratiques d'appliquer des config
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1208,7 +1208,7 @@ Certaines intégrations offrent des moyens plus pratiques d'appliquer des config
```yaml
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1251,7 +1251,7 @@ Certaines intégrations offrent des moyens plus pratiques d'appliquer des config
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1321,7 +1321,7 @@ Certaines intégrations offrent des moyens plus pratiques d'appliquer des config
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1551,7 +1551,7 @@ Pour la liste complète des paramètres concernant `stream` le mode, veuillez v
-p 443:8443/udp \
-p 10000:10000/tcp \
-p 20000:20000/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Veuillez noter que si votre conteneur existe déjà, vous devrez le supprimer et le recréer afin que les nouvelles variables d'environnement soient prises en compte.
@ -1574,7 +1574,7 @@ Pour la liste complète des paramètres concernant `stream` le mode, veuillez v
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Keep it if you want to use Let's Encrypt automation when using http challenge type
- "10000:10000" # app1
@ -1589,7 +1589,7 @@ Pour la liste complète des paramètres concernant `stream` le mode, veuillez v
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1640,7 +1640,7 @@ Pour la liste complète des paramètres concernant `stream` le mode, veuillez v
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # Keep it if you want to use Let's Encrypt automation when using http challenge type
- "10000:10000" # app1
@ -1870,7 +1870,7 @@ Pour la liste complète des paramètres concernant `stream` le mode, veuillez v
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
# Keep it if you want to use Let's Encrypt automation when using http challenge type
- published: 80
@ -2000,7 +2000,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Veuillez noter que si votre conteneur est déjà créé, vous devrez le supprimer et le recréer pour que les nouvelles variables d'environnement soient appliquées.
@ -2044,7 +2044,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2059,7 +2059,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -2153,7 +2153,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@ -2166,7 +2166,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2181,7 +2181,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2421,7 +2421,7 @@ BunkerWeb prend en charge PHP en utilisant des instances [PHP-FPM externes ou ]
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
volumes:
- /shared/www:/var/www/html
...
@ -2520,7 +2520,7 @@ Par défaut, BunkerWeb n'écoutera que les adresses IPv4 et n'utilisera pas IPv6
```yaml
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
USE_IPv6: "yes"
@ -2660,7 +2660,7 @@ LOG_LEVEL_1=error
services:
bunkerweb:
# Ceci est le nom qui sera utilisé pour identifier l'instance dans le Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2673,7 +2673,7 @@ LOG_LEVEL_1=error
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Assurez-vous de définir le nom d'instance correct
@ -2690,7 +2690,7 @@ LOG_LEVEL_1=error
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
volumes:
@ -2825,7 +2825,7 @@ Vous pouvez configurer le pilote de journalisation pour vos services dans votre
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
logging:
driver: "json-file"
options:
@ -2934,7 +2934,7 @@ Les variables couramment utilisées sont :
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Si le conteneur existe déjà, recréez-le pour appliquer le nouvel environnement.
@ -2945,7 +2945,7 @@ Les variables couramment utilisées sont :
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -2964,7 +2964,7 @@ Les variables couramment utilisées sont :
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3007,7 +3007,7 @@ Les variables couramment utilisées sont :
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3959,11 +3959,11 @@ Les modèles utilisent la syntaxe de modèle Lua avec les délimiteurs suivants
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
# ... autres paramètres (pas de variables d'environnement nécessaires ici pour les pages personnalisées)
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./templates:/custom_templates:ro
environment:
@ -4046,7 +4046,7 @@ Les modèles utilisent la syntaxe de modèle Lua avec les délimiteurs suivants
spec:
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
env:
- name: CUSTOM_ERROR_PAGE
value: "/custom_templates/error.html"
@ -4264,7 +4264,9 @@ Options fréquentes de durcissement / tuning :
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
SUPPORT STREAM : :x:
<p align="center">
<iframe style="display: block;" width="560" height="315" data-src="https://www.youtube-nocookie.com/embed/3oZOO1XdSlc" title="OpenAPI Validator" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</p>
Le plugin **OpenAPI Validator** applique votre contrat d'API en validant les requêtes entrantes par rapport à une spécification OpenAPI / Swagger. Il s'assure que le chemin demandé existe, que la méthode HTTP est autorisée et valide éventuellement les paramètres de requête, d'en-tête, de cookie et de chemin par rapport à leurs définitions de schéma.
@ -4285,16 +4287,16 @@ Le plugin **OpenAPI Validator** applique votre contrat d'API en validant les req
### Configuration
| Paramètre | Défaut | Contexte | Multiple | Description |
| ---------------------------- | ------------------------------------ | --------- | -------- | ------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | non | Activer la validation des routes OpenAPI pour ce site. |
| `OPENAPI_SPEC` | | multisite | non | Chemin absolu ou URL HTTP(S) vers le document OpenAPI au format JSON/YAML. |
| `OPENAPI_BASE_PATH` | | multisite | non | Préfixe de chemin de base optionnel à ajouter à chaque chemin de la spécification. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | non | Autoriser les requêtes vers des chemins non listés dans la spécification. |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | non | Autoriser la récupération de la spécification OpenAPI via HTTP simple (non recommandé). |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | non | Liste d'expressions régulières d'URL séparées par des espaces pour contourner la validation OpenAPI. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | non | Taille maximale autorisée du document OpenAPI (accepte les suffixes k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | non | Valider les paramètres de requête, d'en-tête, de cookie et de chemin par rapport à la spécification. |
| Paramètre | Défaut | Contexte | Multiple | Description |
| ---------------------------- | ------------------------------------ | --------- | -------- | ---------------------------------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | non | Activer la validation des routes OpenAPI pour ce site. |
| `OPENAPI_SPEC` | | multisite | non | Chemin absolu ou URL HTTP(S) vers le document OpenAPI au format JSON/YAML. |
| `OPENAPI_BASE_PATH` | | multisite | non | Préfixe de chemin de base optionnel à ajouter à chaque chemin de la spécification. |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | non | Autoriser les requêtes vers des chemins non listés dans la spécification. |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | non | Autoriser la récupération de la spécification OpenAPI via HTTP simple (non recommandé). |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | non | Liste d'expressions régulières d'URL séparées par des espaces pour contourner la validation OpenAPI. |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | non | Taille maximale autorisée du document OpenAPI (accepte les suffixes k/M/G). |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | non | Valider les paramètres de requête, d'en-tête, de cookie et de chemin par rapport à la spécification. |
### Notes de comportement
@ -4314,3 +4316,82 @@ Définissez les valeurs minimales par service protégé :
Autorisez éventuellement les chemins inconnus pendant le déploiement :
- `OPENAPI_ALLOW_UNSPECIFIED=yes`
## Cache <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
Prise en charge de STREAM :x:
Le plugin Cache PRO active la mise en cache des réponses au niveau du reverse proxy à l'aide des directives NGINX `proxy_cache*`. Il est utile pour absorber les lectures répétées sur du contenu cacheable, soulager les upstreams lors des pics de charge et servir du contenu périmé pendant de courtes indisponibilités du backend.
**Fonctionnement**
1. Chaque valeur globale `CACHE_PATH*` crée une directive `proxy_cache_path` dans le contexte HTTP.
2. Un service n'utilise le cache que lorsque `CACHE_ZONE` correspond à l'une des zones déclarées dans `CACHE_PATH*`.
3. Les paramètres au niveau du service contrôlent ensuite la clé de cache, les conditions de bypass/no-cache, le verrouillage, l'utilisation de contenu périmé et les règles de validité.
4. Si `CACHE_HEADER` est défini, BunkerWeb ajoute un en-tête de réponse exposant `$upstream_cache_status` comme `HIT`, `MISS`, `BYPASS`, `EXPIRED` ou `STALE`.
**Liste des fonctionnalités**
- Mise en cache des réponses du reverse proxy avec chemins et zones configurables.
- Activation du cache par service via `CACHE_ZONE`.
- En-tête facultatif exposant l'état du cache avec `$upstream_cache_status`.
- Contrôles fins pour le bypass, le no-cache, la clé, les méthodes, le verrouillage, le stale et la revalidation.
- Plusieurs règles de validité via des paramètres `CACHE_VALID*`.
**Liste des paramètres**
| Réglage | Défaut | Contexte | Multiple | Description |
| --------------------------- | --------------------------------- | --------- | -------- | -------------------------------------------------------------------------- |
| `CACHE_PATH` | | global | oui | Chemin et paramètres d'un cache. |
| `CACHE_ZONE` | | multisite | non | Nom de la zone de cache à utiliser (définie dans un réglage `CACHE_PATH`). |
| `CACHE_HEADER` | `X-Cache` | multisite | non | Ajoute un en-tête exposant l'état du cache. |
| `CACHE_BACKGROUND_UPDATE` | `no` | multisite | non | Active ou désactive la mise à jour du cache en arrière-plan. |
| `CACHE_BYPASS` | | multisite | non | Liste de variables déterminant si le cache doit être contourné. |
| `CACHE_NO_CACHE` | `$http_pragma$http_authorization` | multisite | non | Désactive le stockage en cache si des variables sont définies. |
| `CACHE_KEY` | `$scheme$proxy_host$request_uri` | multisite | non | Clé utilisée pour identifier les éléments mis en cache. |
| `CACHE_CONVERT_HEAD_TO_GET` | `yes` | multisite | non | Convertit les requêtes HEAD en GET lors de la mise en cache. |
| `CACHE_LOCK` | `no` | multisite | non | Verrouille les requêtes concurrentes lors du remplissage du cache. |
| `CACHE_LOCK_AGE` | `5s` | multisite | non | Envoie la requête à l'upstream si le cache est verrouillé depuis ce délai. |
| `CACHE_LOCK_TIMEOUT` | `5s` | multisite | non | Envoie la requête à l'upstream si le verrou persiste pendant ce délai. |
| `CACHE_METHODS` | `GET HEAD` | multisite | non | Met en cache uniquement les réponses pour ces méthodes HTTP. |
| `CACHE_MIN_USES` | `1` | multisite | non | Nombre de requêtes avant de stocker la réponse en cache. |
| `CACHE_REVALIDATE` | `no` | multisite | non | Revalide les éléments expirés via des requêtes conditionnelles. |
| `CACHE_USE_STALE` | `off` | multisite | non | Définit dans quels cas servir un contenu périmé. |
| `CACHE_VALID` | `10m` | multisite | oui | Définit la durée de cache avec code(s) HTTP optionnel(s). |
**Exemple d'utilisation**
1. Définissez un chemin global et une zone de cache :
```yaml
CACHE_PATH: "/var/cache/bunkerweb/proxy levels=1:2 keys_zone=htmlcache:10m max_size=1g inactive=60m use_temp_path=off"
```
2. Activez le reverse proxy et attachez la zone à un service :
```yaml
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_HOST: "http://app:8080"
www.example.com_CACHE_ZONE: "htmlcache"
www.example.com_CACHE_HEADER: "X-Cache"
www.example.com_CACHE_VALID: "200 301 302 10m"
www.example.com_CACHE_VALID_1: "404 1m"
```
3. Ajoutez des contrôles optionnels si nécessaire :
```yaml
www.example.com_CACHE_BYPASS: "$cookie_nocache $arg_nocache"
www.example.com_CACHE_NO_CACHE: "$http_pragma $http_authorization"
www.example.com_CACHE_LOCK: "yes"
www.example.com_CACHE_BACKGROUND_UPDATE: "yes"
www.example.com_CACHE_USE_STALE: "error timeout updating http_500 http_502 http_503 http_504"
```
!!! info "Comportement important"
- Ce plugin s'applique uniquement au trafic reverse proxy. Il ne met pas en cache le contenu servi directement depuis des fichiers statiques locaux ni les services stream/TCP.
- `CACHE_ZONE` doit correspondre à une zone définie dans une valeur `CACHE_PATH*` via `keys_zone=<nom>:<taille>`.
- Si `CACHE_ZONE` est vide pour un service, les directives de cache ne sont pas appliquées à ce service.
- Utilisez des suffixes numériques pour les valeurs répétées, par exemple `CACHE_PATH_1`, `CACHE_PATH_2`, `CACHE_VALID_1` et `CACHE_VALID_2`.
- Gardez le trafic authentifié ou spécifique à un utilisateur hors cache, sauf si votre `CACHE_KEY` varie explicitement selon cet état.
- `CACHE_LOCK=yes` et `CACHE_BACKGROUND_UPDATE=yes` permettent de réduire les rafales de requêtes vers l'origine.

127
docs/fr/api.md
View file

@ -41,7 +41,7 @@ Choisissez la saveur adaptée à votre environnement.
services:
bunkerweb:
# Nom utilisé par le scheduler pour identifier linstance
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Choisissez la saveur adaptée à votre environnement.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Assurez-vous de mettre le bon nom dinstance
@ -76,7 +76,7 @@ Choisissez la saveur adaptée à votre environnement.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.8
image: bunkerity/bunkerweb-api:1.6.9
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -143,7 +143,7 @@ Choisissez la saveur adaptée à votre environnement.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Linux"
@ -252,9 +252,9 @@ Plus de détails et compromis : [https://limits.readthedocs.io/en/stable/strateg
### Runtime et fuseau horaire
| Setting | Description | Valeurs acceptées | Défaut |
| ------- | ---------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ----------------------------------------------- |
| `TZ` | Fuseau horaire pour les logs API et les claims basés sur le temps (ex. TTL Biscuit et horodatages de logs) | Nom de la base TZ (ex. `UTC`, `Europe/Paris`) | unset (défaut conteneur, généralement UTC) |
| Setting | Description | Valeurs acceptées | Défaut |
| ------- | ---------------------------------------------------------------------------------------------------------- | --------------------------------------------- | ------------------------------------------ |
| `TZ` | Fuseau horaire pour les logs API et les claims basés sur le temps (ex. TTL Biscuit et horodatages de logs) | Nom de la base TZ (ex. `UTC`, `Europe/Paris`) | unset (défaut conteneur, généralement UTC) |
Désactivez docs ou schéma en mettant leurs URLs à `off|disabled|none|false|0`. Activez `API_SSL_ENABLED=yes` avec `API_SSL_CERTFILE` et `API_SSL_KEYFILE` pour terminer TLS dans lAPI. En reverse proxy, fixez `API_FORWARDED_ALLOW_IPS` aux IPs du proxy pour que Gunicorn fasse confiance aux `X-Forwarded-*`.
@ -262,83 +262,84 @@ Désactivez docs ou schéma en mettant leurs URLs à `off|disabled|none|false|0`
#### Surface & docs
| Setting | Description | Valeurs acceptées | Défaut |
| -------------------------------------------------- | -------------------------------------------------------------------------------------------- | --------------------------- | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Chemins Swagger, ReDoc et schéma OpenAPI ; mettre `off/disabled/none/false/0` pour désactiver | Chemin ou `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Préfixe de montage en reverse proxy | Chemin (ex. `/api`) | vide |
| `API_FORWARDED_ALLOW_IPS` | IPs proxy de confiance pour `X-Forwarded-*` | IPs/CIDR séparées par virgule | `127.0.0.1,::1` (défaut paquet) |
| `API_PROXY_ALLOW_IPS` | IPs proxy de confiance pour le protocole PROXY | IPs/CIDR séparées par virgule | `FORWARDED_ALLOW_IPS` |
| Setting | Description | Valeurs acceptées | Défaut |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Chemins Swagger, ReDoc et schéma OpenAPI ; mettre `off/disabled/none/false/0` pour désactiver | Chemin ou `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | Préfixe de montage en reverse proxy | Chemin (ex. `/api`) | vide |
| `API_FORWARDED_ALLOW_IPS` | IPs proxy de confiance pour `X-Forwarded-*` | IPs/CIDR séparées par virgule | `127.0.0.1,::1` (défaut paquet) |
| `API_PROXY_ALLOW_IPS` | IPs proxy de confiance pour le protocole PROXY | IPs/CIDR séparées par virgule | `FORWARDED_ALLOW_IPS` |
#### Auth, ACL, Biscuit
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------------------- | -------------------------------------------- | ------------------------------------------------------------------ | ----------------------- |
| `API_USERNAME`, `API_PASSWORD` | Utilisateur admin initial | Chaînes ; mot de passe fort requis hors debug | unset |
| `OVERRIDE_API_CREDS` | Réappliquer les creds admin au démarrage | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Bearer doverride admin | Chaîne opaque | unset |
| `API_ACL_BOOTSTRAP_FILE` | Chemin JSON pour utilisateurs/permissions | Chemin ou `/var/lib/bunkerweb/api_acl_bootstrap.json` monté | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Clés Biscuit (hex) si pas de fichiers | Chaînes hex | auto-générées/persistées |
| `API_BISCUIT_TTL_SECONDS` | Durée de vie du token ; `0/off` désactive | Secondes entières ou `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Lier le Biscuit à lIP cliente (hors privées) | `yes/no/on/off/true/false/0/1` | `yes` |
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------------------- | --------------------------------------------- | ----------------------------------------------------------- | ------------------------ |
| `API_USERNAME`, `API_PASSWORD` | Utilisateur admin initial | Chaînes ; mot de passe fort requis hors debug | unset |
| `OVERRIDE_API_CREDS` | Réappliquer les creds admin au démarrage | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | Bearer doverride admin | Chaîne opaque | unset |
| `API_ACL_BOOTSTRAP_FILE` | Chemin JSON pour utilisateurs/permissions | Chemin ou `/var/lib/bunkerweb/api_acl_bootstrap.json` monté | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Clés Biscuit (hex) si pas de fichiers | Chaînes hex | auto-générées/persistées |
| `API_BISCUIT_TTL_SECONDS` | Durée de vie du token ; `0/off` désactive | Secondes entières ou `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | Lier le Biscuit à lIP cliente (hors privées) | `yes/no/on/off/true/false/0/1` | `yes` |
#### Liste blanche
| Setting | Description | Valeurs acceptées | Défaut |
| ----------------------- | ----------------------------------------- | -------------------------------- | ---------------------- |
| `API_WHITELIST_ENABLED` | Activer/désactiver le middleware dIP | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | IPs/CIDR séparées par espace/virgule | IPs/CIDR | Plages RFC1918 en code |
| Setting | Description | Valeurs acceptées | Défaut |
| ----------------------- | ------------------------------------- | ------------------------------ | ---------------------- |
| `API_WHITELIST_ENABLED` | Activer/désactiver le middleware dIP | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | IPs/CIDR séparées par espace/virgule | IPs/CIDR | Plages RFC1918 en code |
#### Limitation
| Setting | Description | Valeurs acceptées | Défaut |
| -------------------------------- | --------------------------------------------- | ----------------------------------------------------------- | ------------- |
| `API_RATE_LIMIT` | Limite globale (chaîne style NGINX) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | Limite de `/auth` (ou `off`) | idem ou `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Activer le limiteur | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Injecter les headers de limite | idem | `yes` |
| `API_RATE_LIMIT_RULES` | Règles par chemin (CSV/JSON/YAML ou fichier) | Chaîne ou chemin | unset |
| `API_RATE_LIMIT_STRATEGY` | Algorithme | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window`|
| `API_RATE_LIMIT_KEY` | Sélectionneur de clé | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Exempter ces IPs/CIDR des limites | Séparées par espace/virgule | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON fusionné dans la config de stockage | Chaîne JSON | unset |
| Setting | Description | Valeurs acceptées | Défaut |
| -------------------------------- | -------------------------------------------- | --------------------------------------------------------- | -------------- |
| `API_RATE_LIMIT` | Limite globale (chaîne style NGINX) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | Limite de `/auth` (ou `off`) | idem ou `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | Activer le limiteur | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | Injecter les headers de limite | idem | `yes` |
| `API_RATE_LIMIT_RULES` | Règles par chemin (CSV/JSON/YAML ou fichier) | Chaîne ou chemin | unset |
| `API_RATE_LIMIT_STRATEGY` | Algorithme | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | Sélectionneur de clé | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | Exempter ces IPs/CIDR des limites | Séparées par espace/virgule | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | JSON fusionné dans la config de stockage | Chaîne JSON | unset |
#### Redis/Valkey (pour les limites)
| Setting | Description | Valeurs acceptées | Défaut |
| ---------------------------------------------------- | ------------------------ | -------------------------------- | ------------------ |
| `USE_REDIS` | Activer le backend Redis | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Détails de connexion | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Chaînes | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS et vérification | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Entier | `1000` |
| `REDIS_KEEPALIVE_POOL` | Keepalive du pool | Entier | `10` |
| `REDIS_SENTINEL_HOSTS` | Hôtes Sentinel | `host:port` séparés par espace | unset |
| `REDIS_SENTINEL_MASTER` | Nom du master Sentinel | Chaîne | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Auth Sentinel | Chaînes | unset |
| Setting | Description | Valeurs acceptées | Défaut |
| ---------------------------------------------------- | ------------------------ | ------------------------------ | ------------------ |
| `USE_REDIS` | Activer le backend Redis | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | Détails de connexion | Host, int, int | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | Auth | Chaînes | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS et vérification | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | Timeout (ms) | Entier | `1000` |
| `REDIS_KEEPALIVE_POOL` | Keepalive du pool | Entier | `10` |
| `REDIS_SENTINEL_HOSTS` | Hôtes Sentinel | `host:port` séparés par espace | unset |
| `REDIS_SENTINEL_MASTER` | Nom du master Sentinel | Chaîne | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Auth Sentinel | Chaînes | unset |
!!! info "Redis fourni par la BD"
Si la configuration BunkerWeb en base contient Redis/Valkey, lAPI la réutilise automatiquement pour le rate limiting même sans `USE_REDIS` dans lenvironnement. Surcharger via variables denvironnement si nécessaire.
#### Listener & TLS
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------------- | -------------------------------- | -------------------------------- | ------------------------------------ |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Adresse/port de bind pour Gunicorn | IP ou hostname, int | `127.0.0.1`, `8888` (script paquet) |
| `API_SSL_ENABLED` | Activer TLS dans lAPI | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | Certificat et clé PEM | Chemins de fichier | unset |
| `API_SSL_CA_CERTS` | CA/chaîne optionnelle | Chemin de fichier | unset |
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------------- | ---------------------------------- | ------------------------------ | ----------------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Adresse/port de bind pour Gunicorn | IP ou hostname, int | `127.0.0.1`, `8888` (script paquet) |
| `API_SSL_ENABLED` | Activer TLS dans lAPI | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | Certificat et clé PEM | Chemins de fichier | unset |
| `API_SSL_CA_CERTS` | CA/chaîne optionnelle | Chemin de fichier | unset |
#### Logging & runtime (défauts paquet)
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------- | --------------------------------------------------------------------------------- | ------------------------------------------------- | ------------------------------------------------------------------ |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Niveau de base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | `stderr`/`file`/`syslog` séparés par espaces | `stderr` |
| `LOG_FILE_PATH` | Chemin du log (utilisé si `LOG_TYPES` contient `file` ou `CAPTURE_OUTPUT=yes`) | Chemin de fichier | `/var/log/bunkerweb/api.log` si file/capture, sinon unset |
| `LOG_SYSLOG_ADDRESS` | Cible syslog (`udp://host:514`, `tcp://host:514`, socket) | Host:port, host préfixé protocole ou socket | unset |
| `LOG_SYSLOG_TAG` | Tag syslog | Chaîne | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/threads Gunicorn | Entier ou unset pour auto | unset |
| `CAPTURE_OUTPUT` | Rediriger stdout/stderr Gunicorn vers les handlers configurés | `yes` ou `no` | `no` |
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------- | ------------------------------------------------------------------------------ | ----------------------------------------------- | --------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Niveau de base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | `stderr`/`file`/`syslog` séparés par espaces | `stderr` |
| `LOG_FILE_PATH` | Chemin du log (utilisé si `LOG_TYPES` contient `file` ou `CAPTURE_OUTPUT=yes`) | Chemin de fichier | `/var/log/bunkerweb/api.log` si file/capture, sinon unset |
| `LOG_SYSLOG_ADDRESS` | Cible syslog (`udp://host:514`, `tcp://host:514`, socket) | Host:port, host préfixé protocole ou socket | unset |
| `LOG_SYSLOG_TAG` | Tag syslog | Chaîne | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/threads Gunicorn | Entier ou unset pour auto | unset |
| `MAX_REQUESTS` | Requêtes avant recyclage du worker Gunicorn (évite la fuite mémoire) | Entier | `1000` |
| `CAPTURE_OUTPUT` | Rediriger stdout/stderr Gunicorn vers les handlers configurés | `yes` ou `no` | `no` |
## Surface API (carte des capacités)

4
docs/fr/concepts.md
View file

@ -105,7 +105,7 @@ Veuillez noter que le mode multisite est implicite lors de l'utilisation de l'in
!!! info "Aller plus loin"
Vous trouverez des exemples concrets du mode multisite dans la section [Utilisations avancées](advanced.md) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) du dépôt.
Vous trouverez des exemples concrets du mode multisite dans la section [Utilisations avancées](advanced.md) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt.
## Configurations personnalisées {#custom-configurations}
@ -126,7 +126,7 @@ La gestion des configurations personnalisées à partir de l'interface utilisate
!!! info "Aller plus loin"
Vous trouverez des exemples concrets de configurations personnalisées dans la section [Utilisations avancées](advanced.md#custom-configurations) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) du dépôt.
Vous trouverez des exemples concrets de configurations personnalisées dans la section [Utilisations avancées](advanced.md#custom-configurations) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt.
## Base de données

840
docs/fr/features.md
View file

File diff suppressed because it is too large Load diff

132
docs/fr/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Par défaut, le conteneur expose :
@ -1283,7 +1283,7 @@ Un volume nommé (ou un bind mount) est nécessaire pour conserver la base SQLit
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
volumes:
- bw-storage:/data
@ -1361,7 +1361,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Configuration recommandée (derrière BunkerWeb) — ne publiez pas `8888`; utilisez plutôt un proxy inverse :
@ -1369,7 +1369,7 @@ Configuration recommandée (derrière BunkerWeb) — ne publiez pas `8888`; u
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1441,7 +1441,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* Lorsque `USE_CROWDSEC=yes`, le point d'entrée :
@ -1496,7 +1496,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
!!! info "Comment ça marche en interne"
@ -1517,7 +1517,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Notes :
@ -1553,7 +1553,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* **L'enregistrement local** est ignoré lorsque n' `CROWDSEC_API` est pas `127.0.0.1` ou `localhost`.
@ -1587,13 +1587,13 @@ En accédant à ces images prédéfinies à partir de Docker Hub, vous pouvez ra
Que vous effectuiez des tests, développiez des applications ou déployiez BunkerWeb en production, l'option de conteneurisation Docker offre flexibilité et facilité d'utilisation. L'adoption de cette méthode vous permet de tirer pleinement parti des fonctionnalités de BunkerWeb tout en tirant parti des avantages de la technologie Docker.
```shell
docker pull bunkerity/bunkerweb:1.6.8
docker pull bunkerity/bunkerweb:1.6.9
```
Les images Docker sont également disponibles sur [les packages GitHub](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) et peuvent être téléchargées à l'aide de l'adresse du `ghcr.io` dépôt :
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.8
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
```
Les concepts clés de l'intégration Docker sont les suivants :
@ -1603,7 +1603,7 @@ Les concepts clés de l'intégration Docker sont les suivants :
- **Réseaux**: Les réseaux Docker jouent un rôle essentiel dans l'intégration de BunkerWeb. Ces réseaux ont deux objectifs principaux : exposer les ports aux clients et se connecter aux services Web en amont. En exposant les ports, BunkerWeb peut accepter les demandes entrantes des clients, leur permettant d'accéder aux services Web protégés. De plus, en se connectant aux services Web en amont, BunkerWeb peut acheminer et gérer efficacement le trafic, offrant ainsi une sécurité et des performances améliorées.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez SQLite comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, d'autres backends de base de données sont également pris en charge. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez SQLite comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, d'autres backends de base de données sont également pris en charge. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
### Variables d'environnement
@ -1613,7 +1613,7 @@ Les paramètres sont transmis au Scheduler à l'aide de variables d'environnemen
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1657,7 +1657,7 @@ Cela garantit que les paramètres sensibles sont tenus à l'écart de l'environn
Le [Scheduler](concepts.md#scheduler) s'exécute dans son propre conteneur, qui est également disponible sur Docker Hub :
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.8
docker pull bunkerity/bunkerweb-scheduler:1.6.9
```
!!! info "Paramètres BunkerWeb"
@ -1678,7 +1678,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
environment:
# Paramètres API pour le conteneur BunkerWeb
<<: *bw-api-env
@ -1687,7 +1687,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
# Paramètres API pour le conteneur Scheduler
<<: *bw-api-env
@ -1705,7 +1705,7 @@ Un volume est nécessaire pour stocker la base de données SQLite et les sauvega
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- bw-storage:/data
...
@ -1851,7 +1851,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1864,7 +1864,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1897,7 +1897,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1910,7 +1910,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
depends_on:
- bunkerweb
environment:
@ -1976,8 +1976,8 @@ Pour commencer, téléchargez le script d'installation et sa somme de contrôle,
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -2033,7 +2033,7 @@ Pour les configurations non interactives ou automatisées, le script peut être
| Option | Description |
| ----------------------- | -------------------------------------------------------------------------------------------------------- |
| `-v, --version VERSION` | Spécifie la version de BunkerWeb à installer (par exemple, `1.6.8`). |
| `-v, --version VERSION` | Spécifie la version de BunkerWeb à installer (par exemple, `1.6.9`). |
| `-w, --enable-wizard` | Active l'assistant de configuration. |
| `-n, --no-wizard` | Désactive l'assistant d'installation. |
| `--api`, `--enable-api` | Active le service API (FastAPI) systemd (désactivé par défaut). |
@ -2098,7 +2098,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Install a specific version
sudo ./install-bunkerweb.sh --version 1.6.8
sudo ./install-bunkerweb.sh --version 1.6.9
# Manager setup with remote worker instances (instances required)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2203,7 +2203,7 @@ En fonction de vos choix lors de l'installation :
### Installation à l'aide du gestionnaire de paquets
Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerWeb**. Pour toutes les distributions, à l'exception de Fedora, il est obligatoire d'utiliser des paquets préconstruits à partir du [dépôt officiel NGINX](https://nginx.org/en/linux_packages.html). La compilation de NGINX à partir des sources ou l'utilisation de paquets provenant de différents dépôts ne fonctionnera pas avec les paquets officiels préconstruits de BunkerWeb. Cependant, vous avez la possibilité de construire BunkerWeb à partir des sources.
Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerWeb**. Pour toutes les distributions, il est obligatoire d'utiliser des paquets préconstruits à partir du [dépôt officiel NGINX](https://nginx.org/en/linux_packages.html). La compilation de NGINX à partir des sources ou l'utilisation de paquets provenant de différents dépôts ne fonctionnera pas avec les paquets officiels préconstruits de BunkerWeb. Cependant, vous avez la possibilité de construire BunkerWeb à partir des sources.
=== "Debian Bookworm/Trixie"
@ -2239,12 +2239,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.8 :
Et enfin, installez BunkerWeb 1.6.9 :
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -2287,12 +2287,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.8 :
Et enfin, installez BunkerWeb 1.6.9 :
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -2310,10 +2310,10 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora fournit déjà NGINX 1.28.1, que nous prenons en charge
Fedora fournit déjà NGINX 1.28.2, que nous prenons en charge
```shell
sudo dnf install -y --allowerasing nginx-1.28.1
sudo dnf install -y --allowerasing nginx-1.28.2
```
!!! example "Désactiver l'assistant d'installation"
@ -2323,12 +2323,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.8 :
Et enfin, installez BunkerWeb 1.6.9 :
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -2373,12 +2373,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Enfin, installez BunkerWeb 1.6.8 :
Enfin, installez BunkerWeb 1.6.9 :
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -2471,7 +2471,7 @@ En adoptant cette approche, vous pouvez profiter d'une reconfiguration en temps
L'intégration de Docker autoconf implique l'utilisation du **mode multisite**. Pour plus d'informations, reportez-vous à la [section multisite](concepts.md#multisite-mode) de la documentation.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
Pour activer les mises à jour automatiques de la configuration, incluez un conteneur supplémentaire appelé `bw-autoconf` dans la pile. Ce conteneur héberge le service autoconf, qui gère les modifications de configuration dynamiques pour BunkerWeb.
@ -2485,7 +2485,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2500,7 +2500,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2515,7 +2515,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2698,13 +2698,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Définir l'espace de noms pour l'instance BunkerWeb afin que le service autoconf puisse la détecter
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Écouter uniquement ces espaces de noms
@ -2738,7 +2738,9 @@ et surveille également d'autres objets Kubernetes, tels que [ConfigMap](https:/
Si vous utilisez la Gateway API Kubernetes, définissez `KUBERNETES_MODE=yes` et `KUBERNETES_GATEWAY_MODE=yes`.
Le contrôleur surveille les ressources `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute` et `UDPRoute` au lieu des objets `Ingress`. Vous pouvez limiter ce qui est traité avec `KUBERNETES_GATEWAY_CLASS` et choisir `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` ou `v1alpha1`).
Le contrôleur surveille les ressources `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute` et `UDPRoute` au lieu des objets `Ingress`. Vous pouvez limiter ce qui est traité avec `KUBERNETES_GATEWAY_CLASS` et choisir `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2` ou `v1alpha1`).
Le support de `GRPCRoute` est actuellement **expérimental** dans BunkerWeb.
Si votre Service ne s'appelle pas `bunkerweb`, définissez `BUNKERWEB_SERVICE_NAME` pour que le patch de statut lise le bon Service.
@ -2753,7 +2755,7 @@ Pour une configuration optimale, il est recommandé de définir BunkerWeb en tan
Compte tenu de la présence de plusieurs instances BunkerWeb, il est nécessaire d'établir un magasin de données partagé implémenté en tant que [ service Redis](https://redis.io/) ou [Valkey](https://valkey.io/). Ce service sera utilisé par les instances pour mettre en cache et partager des données entre elles. Vous trouverez de plus amples informations sur les paramètres Redis/Valkey [ici](features.md#redis).
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
La configuration des backends de base de données en cluster est hors du périmètre de cette documentation.
@ -2868,7 +2870,7 @@ Le **controller BunkerWeb** découvre automatiquement les pods avec sidecars Bun
```yaml
controller:
enabled: true
tag: "1.6.8"
tag: "1.6.9"
```
2. Pour chaque sidecar, ajoutez :
@ -2961,7 +2963,7 @@ Dans votre fichier `values.yaml` du chart BunkerWeb, configurez la variable d'en
```yaml
scheduler:
tag: "1.6.8"
tag: "1.6.9"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3003,7 +3005,7 @@ spec:
# Sidecar BunkerWeb
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- containerPort: 8080 # Port HTTP exposé
- containerPort: 5000 # API interne (obligatoire)
@ -3247,7 +3249,7 @@ Pour ajouter une nouvelle application protégée par BunkerWeb :
#### Fichiers YAML complets
Au lieu d'utiliser la charte Helm, vous pouvez également utiliser les modèles YAML dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) du référentiel GitHub. Veuillez noter que nous vous recommandons vivement d'utiliser le tableau de barre à la place.
Au lieu d'utiliser la charte Helm, vous pouvez également utiliser les modèles YAML dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du référentiel GitHub. Veuillez noter que nous vous recommandons vivement d'utiliser le tableau de barre à la place.
### Ressources d'entrée
@ -3293,28 +3295,28 @@ spec:
### Ressources Gateway
Lorsque le mode Gateway API est activé, vous pouvez déclarer des ressources `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute` et `UDPRoute`.
Les paramètres BunkerWeb sont fournis via des annotations `bunkerweb.io/<SETTING>` sur le `HTTPRoute` ; pour limiter un
Lorsque le mode Gateway API est activé, vous pouvez déclarer des ressources `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute` et `UDPRoute`.
Les paramètres BunkerWeb sont fournis via des annotations `bunkerweb.io/<SETTING>` sur le `HTTPRoute`/`GRPCRoute` ; pour limiter un
paramètre à un hôte, utilisez `bunkerweb.io/<hostname>_<SETTING>`. Le champ `hostnames` pilote les noms de serveur. Pour `TCPRoute`/`UDPRoute` (et `TLSRoute` sans `hostnames`), BunkerWeb génère un nom de serveur du type `<route>.<namespace>.<protocol>`. Voir [Classe Gateway](#gateway-class).
Les annotations sur le `Gateway` s'appliquent à toutes les routes qui y sont rattachées, tandis que les annotations sur un `HTTPRoute` ne s'appliquent qu'à cette route.
Les annotations sur le `Gateway` s'appliquent à toutes les routes qui y sont rattachées, tandis que les annotations sur un `HTTPRoute`/`GRPCRoute` ne s'appliquent qu'à cette route.
Vous pouvez limiter les annotations du Gateway à un nom de serveur avec `bunkerweb.io/<hostname>_<SETTING>` ; elles ne s'appliqueront que si cette route/ce nom de serveur existe.
#### Ressources prises en charge
- Ressources : `HTTPRoute`, `TLSRoute`, `TCPRoute` et `UDPRoute` (pas de `GRPCRoute`).
- Ressources : `HTTPRoute`, `GRPCRoute` (expérimental), `TLSRoute`, `TCPRoute` et `UDPRoute`.
- Règles : seule la première règle est utilisée pour `TLSRoute`, `TCPRoute` et `UDPRoute`.
- Backends : uniquement `Service`, premier `backendRef` par règle.
#### Protocoles et TLS
- Protocoles de listener : `HTTP`/`HTTPS` pour `HTTPRoute`, `TLS` pour `TLSRoute`, `TCP` pour `TCPRoute` et `UDP` pour `UDPRoute`.
- Protocoles de listener : `HTTP`/`HTTPS` pour `HTTPRoute` et `GRPCRoute`, `TLS` pour `TLSRoute`, `TCP` pour `TCPRoute` et `UDP` pour `UDPRoute`.
- TLS : certificats via les `certificateRefs` du listener avec `HTTPS` ou `TLS` + `mode: Terminate` (Passthrough n'est pas pris en charge pour la terminaison). `TLSRoute` fonctionne en mode stream.
!!! tip "Nom de serveur pour les routes stream"
Pour `TLSRoute`, `TCPRoute` et `UDPRoute`, vous pouvez remplacer le nom de serveur généré en définissant `bunkerweb.io/SERVER_NAME` sur la route.
!!! note "Experimental Channel pour les routes stream"
Si vous souhaitez utiliser `TLSRoute`, `TCPRoute` ou `UDPRoute`, installez les CRD de l'Experimental Channel : https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! note "Experimental Channel pour les routes avancées"
Si vous souhaitez utiliser `GRPCRoute`, `TLSRoute`, `TCPRoute` ou `UDPRoute`, installez les CRD de l'Experimental Channel : https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! info "Prise en charge TLS"
La terminaison TLS est gérée via les listeners du `Gateway` et leurs `certificateRefs` (secrets TLS) pour `HTTPRoute` avec `HTTPS` ou `TLS` + `mode: Terminate`. `TLSRoute` fonctionne en mode stream.
@ -3395,7 +3397,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3569,11 +3571,11 @@ service:
# BunkerWeb settings
bunkerweb:
tag: 1.6.8
tag: 1.6.9
# Scheduler settings
scheduler:
tag: 1.6.8
tag: 1.6.9
extraEnvs:
# Enable real IP module to get real IP of clients
- name: USE_REAL_IP
@ -3581,11 +3583,11 @@ scheduler:
# Controller settings
controller:
tag: 1.6.8
tag: 1.6.9
# UI settings
ui:
tag: 1.6.8
tag: 1.6.9
```
Installez BunkerWeb avec des valeurs personnalisées :
@ -4206,7 +4208,7 @@ Pour une configuration optimale, il est recommandé de planifier le **service Bu
En ce qui concerne le volume de la base de données, la documentation ne spécifie pas d'approche spécifique. Le choix d'un dossier partagé ou d'un pilote spécifique pour le volume de base de données dépend de votre cas d'utilisation unique et est laissé à la disposition du lecteur.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
La configuration des backends de base de données en cluster est hors du périmètre de cette documentation.
@ -4220,7 +4222,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -4249,7 +4251,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Mandatory label for the autoconf service to identify the BunkerWeb instance
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -4270,7 +4272,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database
@ -4422,7 +4424,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
deploy:
mode: global
@ -4434,7 +4436,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
...

26
docs/fr/plugins.md
View file

@ -8,12 +8,12 @@ Voici la liste des plugins "officiels" que nous maintenons (voir le dépôt [bun
| Nom | Version | Description | Lien |
| :-------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.9 | Analyse automatiquement les fichiers téléchargés avec le moteur antivirus ClamAV et rejette la demande lorsqu'un fichier est détecté comme malveillant. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.9 | Inspectez les requêtes à l'aide du WAF Coraza (alternative à ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discorde** | 1.9 | Envoyez des notifications de sécurité à un canal Discord à l'aide d'un Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Lâche** | 1.9 | Envoyez des notifications de sécurité à un canal Slack à l'aide d'un Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.9 | Analyse automatiquement les fichiers téléchargés à l'aide de l'API VirusTotal et rejette la demande lorsqu'un fichier est détecté comme malveillant. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Crochet Web** | 1.9 | Envoyez des notifications de sécurité à un point de terminaison HTTP personnalisé à l'aide d'un Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.10 | Analyse automatiquement les fichiers téléchargés avec le moteur antivirus ClamAV et rejette la demande lorsqu'un fichier est détecté comme malveillant. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.10 | Inspectez les requêtes à l'aide du WAF Coraza (alternative à ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discorde** | 1.10 | Envoyez des notifications de sécurité à un canal Discord à l'aide d'un Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Lâche** | 1.10 | Envoyez des notifications de sécurité à un canal Slack à l'aide d'un Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.10 | Analyse automatiquement les fichiers téléchargés à l'aide de l'API VirusTotal et rejette la demande lorsqu'un fichier est détecté comme malveillant. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Crochet Web** | 1.10 | Envoyez des notifications de sécurité à un point de terminaison HTTP personnalisé à l'aide d'un Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## Comment utiliser un plugin
@ -21,7 +21,7 @@ Voici la liste des plugins "officiels" que nous maintenons (voir le dépôt [bun
Si vous souhaitez installer rapidement des plugins externes, vous pouvez utiliser ce `EXTERNAL_PLUGIN_URLS` paramètre. Il prend une liste d'URL séparées par des espaces, chacune pointant vers une archive compressée (format zip) contenant un ou plusieurs plugins.
Vous pouvez utiliser la valeur suivante si vous souhaitez installer automatiquement les plugins officiels : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.9.zip`
Vous pouvez utiliser la valeur suivante si vous souhaitez installer automatiquement les plugins officiels : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.10.zip`
### Manuelle
@ -89,7 +89,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
!!! tip "Plugins existants"
Si la documentation n'est pas suffisante, vous pouvez consulter le code source existant des [plugins officiels](https://github.com/bunkerity/bunkerweb-plugins) et des [plugins core](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/common/core) (déjà inclus dans BunkerWeb mais ce sont des plugins, techniquement parlant).
Si la documentation n'est pas suffisante, vous pouvez consulter le code source existant des [plugins officiels](https://github.com/bunkerity/bunkerweb-plugins) et des [plugins core](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (déjà inclus dans BunkerWeb mais ce sont des plugins, techniquement parlant).
À quoi ressemble la structure d'un plugin :
```
@ -560,7 +560,7 @@ end
!!! tip "Plus d'exemples"
Si vous souhaitez voir la liste complète des fonctions disponibles, vous pouvez consulter les fichiers présents dans le [répertoire lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/bw/lua/bunkerweb) du dépôt.
Si vous souhaitez voir la liste complète des fonctions disponibles, vous pouvez consulter les fichiers présents dans le [répertoire lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) du dépôt.
### Emplois

34
docs/fr/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Ce guide de démarrage rapide vous aidera à installer rapidement BunkerWeb et
Protéger les applications web existantes déjà accessibles avec le protocole HTTP(S) est l'objectif principal de BunkerWeb : il agira comme un [proxy inverse classique](https://en.wikipedia.org/wiki/Reverse_proxy) avec des fonctionnalités de sécurité supplémentaires.
Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) du dépôt pour obtenir des exemples concrets.
Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt pour obtenir des exemples concrets.
## Configuration de base
@ -33,7 +33,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Par défaut, le conteneur expose :
@ -51,8 +51,8 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -90,7 +90,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +103,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -120,7 +120,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
restart: "unless-stopped"
@ -187,7 +187,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +203,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +221,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bw-docker
environment:
@ -244,7 +244,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -339,7 +339,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -369,7 +369,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +387,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +416,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -638,7 +638,7 @@ Vous pouvez maintenant vous connecter avec le compte administrateur que vous ave
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Include any other existing environment variables for UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Votre conteneur d'application (`myapp`) et le conteneur `bunkerweb-aio` doivent être sur le même réseau Docker pour que BunkerWeb puisse y accéder en utilisant le nom d'hôte `myapp`.
@ -660,7 +660,7 @@ Vous pouvez maintenant vous connecter avec le compte administrateur que vous ave
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (all other relevant environment variables as shown in the main example above) ...
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Assurez-vous de remplacer `myapp` par le nom réel ou l'adresse IP de votre conteneur d'application et `http://myapp:8080` par son adresse et son port corrects.

36
docs/fr/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -141,20 +141,20 @@
Exemples:
```bash
# Upgrade to 1.6.8 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.8
# Upgrade to 1.6.9 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.9
# Non-interactive upgrade with automatic backup to custom directory
sudo ./install-bunkerweb.sh -v 1.6.8 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
# Silent unattended upgrade (logs suppressed) relies on default auto-backup
sudo ./install-bunkerweb.sh -v 1.6.8 -y -q
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
# Perform a dry run (plan) without applying changes
sudo ./install-bunkerweb.sh -v 1.6.8 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
# Upgrade skipping automatic backup (NOT recommended)
sudo ./install-bunkerweb.sh -v 1.6.8 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
```
!!! warning "Sauter les sauvegardes"
@ -234,7 +234,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -260,7 +260,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -657,16 +657,16 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -701,7 +701,7 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -727,7 +727,7 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :

46
docs/fr/web-ui.md
View file

@ -35,7 +35,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
Utilisez les images publiées et le layout du [guide de démarrage rapide](quickstart-guide.md#__tabbed_1_3) pour monter la stack, puis terminez la configuration dans le navigateur.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.8-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
```
Ouvrez le nom dhôte du scheduler (par ex. `https://www.example.com/changeme`) et lancez lassistant `/setup` pour configurer lUI, le scheduler et linstance.
@ -52,7 +52,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -185,16 +185,16 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
### Écoute et TLS
| Paramètre | Description | Valeurs acceptées | Défaut |
| ----------------------------------- | ----------------------------------------- | ------------------------------------ | ----------------------------------------- |
| `UI_LISTEN_ADDR` | Adresse découte de lUI | IP ou hostname | `0.0.0.0` (Docker) / `127.0.0.1` (paquet) |
| `UI_LISTEN_PORT` | Port découte de lUI | Entier | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Substituts si les variables UI manquent | IP/hostname, entier | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Activer le TLS dans le conteneur UI | `yes` ou `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | Chemins cert/clé PEM si TLS activé | Chemins de fichier | non définis |
| `UI_SSL_CA_CERTS` | CA/chaîne optionnelle | Chemin de fichier | non défini |
| `UI_FORWARDED_ALLOW_IPS` | Proxies de confiance pour `X-Forwarded-*` | IP/CIDR séparés par espaces/virgules | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | Proxies de confiance pour le protocole PROXY | IP/CIDR séparés par espaces/virgules | `FORWARDED_ALLOW_IPS` |
| Paramètre | Description | Valeurs acceptées | Défaut |
| ----------------------------------- | -------------------------------------------- | ------------------------------------ | ----------------------------------------------------- |
| `UI_LISTEN_ADDR` | Adresse découte de lUI | IP ou hostname | `0.0.0.0` (Docker) / `127.0.0.1` (paquet) |
| `UI_LISTEN_PORT` | Port découte de lUI | Entier | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Substituts si les variables UI manquent | IP/hostname, entier | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Activer le TLS dans le conteneur UI | `yes` ou `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | Chemins cert/clé PEM si TLS activé | Chemins de fichier | non définis |
| `UI_SSL_CA_CERTS` | CA/chaîne optionnelle | Chemin de fichier | non défini |
| `UI_FORWARDED_ALLOW_IPS` | Proxies de confiance pour `X-Forwarded-*` | IP/CIDR séparés par espaces/virgules | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | Proxies de confiance pour le protocole PROXY | IP/CIDR séparés par espaces/virgules | `FORWARDED_ALLOW_IPS` |
### Auth, sessions et cookies
@ -223,14 +223,16 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
### Divers runtime
| Paramètre | Description | Valeurs acceptées | Défaut |
| ------------------------------- | ----------------------------------------------- | ----------------- | ------------------------------------ |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/threads Gunicorn | Entier | `cpu_count()-1` (min 1), `workers*2` |
| `ENABLE_HEALTHCHECK` | Exposer `GET /healthcheck` | `yes` ou `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias pour la liste des proxies | IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias pour la liste PROXY | IP/CIDR | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Sauter les reloads de test lors des push config | `yes` ou `no` | `no` |
| `IGNORE_REGEX_CHECK` | Ignorer la validation regex des paramètres | `yes` ou `no` | `no` |
| Paramètre | Description | Valeurs acceptées | Défaut |
| ------------------------------- | -------------------------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Workers/threads Gunicorn | Entier | `cpu_count()-1` (min 1), `workers*2` |
| `MAX_REQUESTS` | Requêtes avant recyclage du worker Gunicorn (évite la fuite mémoire) | Entier | `1000` |
| `ENABLE_HEALTHCHECK` | Exposer `GET /healthcheck` | `yes` ou `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias pour la liste des proxies | IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias pour la liste PROXY | IP/CIDR | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Sauter les reloads de test lors des push config | `yes` ou `no` | `no` |
| `IGNORE_REGEX_CHECK` | Ignorer la validation regex des paramètres | `yes` ou `no` | `no` |
| `MAX_CONTENT_LENGTH` | Taille maximale d'upload (Flask `MAX_CONTENT_LENGTH`) | Taille avec unité (`50M`, `1G`, `52428800`) | `50MB` |
## Accès aux journaux

132
docs/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
By default, the container exposes:
@ -1294,7 +1294,7 @@ A named volume (or bind mount) is required to persist the SQLite database, cache
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1366,7 +1366,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Recommended (behind BunkerWeb) — do not publish `8888`; reverseproxy it instead:
@ -1374,7 +1374,7 @@ Recommended (behind BunkerWeb) — do not publish `8888`; reverseproxy it ins
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1446,7 +1446,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* When `USE_CROWDSEC=yes`, the entrypoint will:
@ -1501,7 +1501,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
!!! info "How it works internally"
@ -1523,7 +1523,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Notes:
@ -1559,7 +1559,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* **Local registration** is skipped when `CROWDSEC_API` is not `127.0.0.1` or `localhost`.
@ -1593,13 +1593,13 @@ By accessing these prebuilt images from Docker Hub, you can quickly pull and run
Whether you're conducting tests, developing applications, or deploying BunkerWeb in production, the Docker containerization option provides flexibility and ease of use. Embracing this method empowers you to take full advantage of BunkerWeb's features while leveraging the benefits of Docker technology.
```shell
docker pull bunkerity/bunkerweb:1.6.8
docker pull bunkerity/bunkerweb:1.6.9
```
Docker images are also available on [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) and can be downloaded using the `ghcr.io` repository address:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.8
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
```
Key concepts for Docker integration include:
@ -1609,7 +1609,7 @@ Key concepts for Docker integration include:
- **Networks**: Docker networks play a vital role in the integration of BunkerWeb. These networks serve two main purposes: exposing ports to clients and connecting to upstream web services. By exposing ports, BunkerWeb can accept incoming requests from clients, allowing them to access the protected web services. Additionally, by connecting to upstream web services, BunkerWeb can efficiently route and manage traffic, providing enhanced security and performance.
!!! info "Database backend"
Please note that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, other database backends are also supported. See the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) of the repository for more information.
Please note that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, other database backends are also supported. See the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
### Environment variables
@ -1619,7 +1619,7 @@ Settings are passed to the Scheduler using Docker environment variables:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1663,7 +1663,7 @@ This ensures sensitive settings are kept out of the environment and logs.
The [scheduler](concepts.md#scheduler) runs in its own container, which is also available on Docker Hub:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.8
docker pull bunkerity/bunkerweb-scheduler:1.6.9
```
!!! info "BunkerWeb settings"
@ -1684,7 +1684,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
environment:
# This will set the API settings for the BunkerWeb container
<<: *bw-api-env
@ -1693,7 +1693,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
# This will set the API settings for the Scheduler container
<<: *bw-api-env
@ -1711,7 +1711,7 @@ A volume is needed to store the SQLite database and backups used by the schedule
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- bw-storage:/data
...
@ -1857,7 +1857,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1870,7 +1870,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1903,7 +1903,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1916,7 +1916,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
depends_on:
- bunkerweb
environment:
@ -1982,8 +1982,8 @@ To get started, download the installation script and its checksum, then verify t
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -2042,7 +2042,7 @@ For non-interactive or automated setups, the script can be controlled with comma
| Option | Description |
| ----------------------- | --------------------------------------------------------------------- |
| `-v, --version VERSION` | Specifies the BunkerWeb version to install (e.g., `1.6.8`). |
| `-v, --version VERSION` | Specifies the BunkerWeb version to install (e.g., `1.6.9`). |
| `-w, --enable-wizard` | Enables the setup wizard. |
| `-n, --no-wizard` | Disables the setup wizard. |
| `-y, --yes` | Runs in non-interactive mode using default answers for all prompts. |
@ -2107,7 +2107,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Install a specific version
sudo ./install-bunkerweb.sh --version 1.6.8
sudo ./install-bunkerweb.sh --version 1.6.9
# Manager setup with remote worker instances (instances required)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2245,7 +2245,7 @@ Depending on your installation type:
### Installation using package manager
Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb**. For all distributions, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
=== "Debian Bookworm/Trixie"
@ -2281,12 +2281,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.8:
And finally install BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@ -2329,12 +2329,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.8:
And finally install BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@ -2352,10 +2352,10 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora already provides NGINX 1.28.1 that we support
Fedora already provides NGINX 1.28.2 that we support
```shell
sudo dnf install -y --allowerasing nginx-1.28.1
sudo dnf install -y --allowerasing nginx-1.28.2
```
!!! example "Disable the setup wizard"
@ -2365,12 +2365,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.8:
And finally install BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
@ -2415,12 +2415,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.8:
And finally install BunkerWeb 1.6.9:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
@ -2513,7 +2513,7 @@ By adopting this approach, you can enjoy real-time reconfiguration of BunkerWeb
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) of the repository for more information.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
To enable automated configuration updates, include an additional container called `bw-autoconf` in the stack. This container hosts the autoconf service, which manages dynamic configuration changes for BunkerWeb.
@ -2527,7 +2527,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2542,7 +2542,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2557,7 +2557,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2739,13 +2739,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance so the autoconf service can detect it
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
@ -2779,7 +2779,9 @@ and also monitors other Kubernetes objects, such as [ConfigMap](https://kubernet
If you use the Kubernetes Gateway API, set `KUBERNETES_MODE=yes` and `KUBERNETES_GATEWAY_MODE=yes`.
The controller will watch `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute`, and `UDPRoute` resources instead of `Ingress` objects. You can optionally limit what it processes with `KUBERNETES_GATEWAY_CLASS` and choose `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2`, or `v1alpha1`).
The controller will watch `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute`, and `UDPRoute` resources instead of `Ingress` objects. You can optionally limit what it processes with `KUBERNETES_GATEWAY_CLASS` and choose `KUBERNETES_GATEWAY_API_VERSION` (`v1`, `v1beta1`, `v1beta2`, `v1alpha2`, or `v1alpha1`).
`GRPCRoute` support is currently **experimental** in BunkerWeb.
If your Service name is not `bunkerweb`, set `BUNKERWEB_SERVICE_NAME` so status patching reads the correct Service.
@ -2803,7 +2805,7 @@ Further information about the Redis/Valkey settings can be found [here](features
as configured by the `DATABASE_URI` setting.
However, we understand that you may prefer to utilize alternative backends for your Docker integration.
If that is the case, rest assured that other database backends are still possible.
See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)
See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)
of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
@ -2920,7 +2922,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.8"
tag: "1.6.9"
```
2. For each sidecar, add:
@ -3013,7 +3015,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.8"
tag: "1.6.9"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3057,7 +3059,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3328,7 +3330,7 @@ To add a new application protected by BunkerWeb:
#### Full YAML files
Instead of using the helm chart, you can also use the YAML boilerplates inside the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) of the GitHub repository. Please note that we highly recommend to use the helm chart instead.
Instead of using the helm chart, you can also use the YAML boilerplates inside the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the GitHub repository. Please note that we highly recommend to use the helm chart instead.
### Ingress resources
@ -3374,28 +3376,28 @@ spec:
### Gateway resources
When Gateway API mode is enabled, you can declare `Gateway`, `HTTPRoute`, `TLSRoute`, `TCPRoute`, and `UDPRoute` resources.
BunkerWeb settings are provided as `bunkerweb.io/<SETTING>` annotations on the `HTTPRoute`; to scope a setting to a host,
When Gateway API mode is enabled, you can declare `Gateway`, `HTTPRoute`, `GRPCRoute`, `TLSRoute`, `TCPRoute`, and `UDPRoute` resources.
BunkerWeb settings are provided as `bunkerweb.io/<SETTING>` annotations on the `HTTPRoute`/`GRPCRoute`; to scope a setting to a host,
use `bunkerweb.io/<hostname>_<SETTING>`. The `hostnames` field drives the server names. For `TCPRoute`/`UDPRoute` (and `TLSRoute` without `hostnames`), BunkerWeb generates a server name like `<route>.<namespace>.<protocol>`. See [Gateway class](#gateway-class).
Annotations on the `Gateway` itself apply to all routes attached to it, while annotations on an `HTTPRoute` only apply to that route.
Annotations on the `Gateway` itself apply to all routes attached to it, while annotations on an `HTTPRoute`/`GRPCRoute` only apply to that route.
You can still scope gateway annotations to a specific server name using `bunkerweb.io/<hostname>_<SETTING>`, and they will only apply if that route/server name exists.
#### Supported resources
- Resources: `HTTPRoute`, `TLSRoute`, `TCPRoute`, and `UDPRoute` (no `GRPCRoute`).
- Resources: `HTTPRoute`, `GRPCRoute` (experimental), `TLSRoute`, `TCPRoute`, and `UDPRoute`.
- Rules: only the first rule is used for `TLSRoute`, `TCPRoute`, and `UDPRoute`.
- Backends: `Service` only, first `backendRef` per rule.
#### Protocols and TLS
- Listener protocols: `HTTP`/`HTTPS` for `HTTPRoute`, `TLS` for `TLSRoute`, `TCP` for `TCPRoute`, and `UDP` for `UDPRoute`.
- Listener protocols: `HTTP`/`HTTPS` for `HTTPRoute` and `GRPCRoute`, `TLS` for `TLSRoute`, `TCP` for `TCPRoute`, and `UDP` for `UDPRoute`.
- TLS: certificates via listener `certificateRefs` with `HTTPS` or `TLS` + `mode: Terminate` (Passthrough is not supported for termination). `TLSRoute` runs in stream mode.
!!! tip "Stream route server name"
For `TLSRoute`, `TCPRoute`, and `UDPRoute`, you can override the generated server name by setting `bunkerweb.io/SERVER_NAME` on the route.
!!! note "Experimental Channel for stream routes"
If you intend to use `TLSRoute`, `TCPRoute`, or `UDPRoute`, install the Experimental Channel CRDs: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! note "Experimental Channel for advanced routes"
If you intend to use `GRPCRoute`, `TLSRoute`, `TCPRoute`, or `UDPRoute`, install the Experimental Channel CRDs: https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! info "TLS support"
TLS termination is handled via the `Gateway` listeners and their `certificateRefs` (TLS secrets) for `HTTPRoute` with `HTTPS` or `TLS` + `mode: Terminate`. `TLSRoute` runs in stream mode.
@ -3476,7 +3478,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3650,11 +3652,11 @@ service:
# BunkerWeb settings
bunkerweb:
tag: 1.6.8
tag: 1.6.9
# Scheduler settings
scheduler:
tag: 1.6.8
tag: 1.6.9
extraEnvs:
# Enable real IP module to get real IP of clients
- name: USE_REAL_IP
@ -3662,11 +3664,11 @@ scheduler:
# Controller settings
controller:
tag: 1.6.8
tag: 1.6.9
# UI settings
ui:
tag: 1.6.8
tag: 1.6.9
```
Install BunkerWeb with custom values:
@ -4287,7 +4289,7 @@ Since multiple instances of BunkerWeb are running, a shared data store implement
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) of the repository for more information.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
@ -4301,7 +4303,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -4330,7 +4332,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Mandatory label for the autoconf service to identify the BunkerWeb instance
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -4351,7 +4353,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database
@ -4503,7 +4505,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
deploy:
mode: global
@ -4515,7 +4517,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
...

2
docs/json2md.py
View file

@ -222,7 +222,7 @@ def generate_docs_for_lang(lang: str):
core_settings[pro_plugin["name"]]["is_pro"] = True
# Print plugins and their settings
for data in dict(sorted(core_settings.items())).values():
for _, data in sorted(core_settings.items(), key=lambda item: item[0].casefold()):
pro_crown = ""
if "is_pro" in data:
pro_crown = (

26
docs/plugins.md
View file

@ -8,12 +8,12 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.9 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.9 | Inspect requests using the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.9 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.9 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.9 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.10 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.10 | Inspect requests using the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.10 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.10 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.10 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.10 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## How to use a plugin
@ -21,7 +21,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs separated by spaces, each pointing to a compressed (zip format) archive containing one or more plugins.
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.9.zip`
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.10.zip`
### Manual
@ -89,7 +89,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ The first step is to install the plugin by placing its files inside the correspo
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ The first step is to install the plugin by placing its files inside the correspo
!!! tip "Existing plugins"
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
What a plugin structure looks like:
```
@ -563,7 +563,7 @@ end
!!! tip "More examples"
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/bw/lua/bunkerweb) of the repository.
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) of the repository.
### Jobs

34
docs/quickstart-guide.md
View file

@ -18,7 +18,7 @@ This quickstart guide will help you to quickly install BunkerWeb and secure a we
Protecting existing web applications already accessible with the HTTP(S) protocol is the main goal of BunkerWeb: it will act as a classical [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) with extra security features.
See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) of the repository to get real-world examples.
See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) of the repository to get real-world examples.
## Basic setup
@ -33,7 +33,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
By default, the container exposes:
@ -51,8 +51,8 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -90,7 +90,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +103,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -120,7 +120,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
restart: "unless-stopped"
@ -187,7 +187,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +203,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +221,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bw-docker
environment:
@ -244,7 +244,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -339,7 +339,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -369,7 +369,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +387,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +416,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/exa
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -638,7 +638,7 @@ You can now log in with the administrator account you created during the setup w
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Include any other existing environment variables for UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Your application container (`myapp`) and the `bunkerweb-aio` container must be on the same Docker network for BunkerWeb to reach it using the hostname `myapp`.
@ -660,7 +660,7 @@ You can now log in with the administrator account you created during the setup w
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (all other relevant environment variables as shown in the main example above) ...
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
Make sure to replace `myapp` with the actual name or IP of your application container and `http://myapp:8080` with its correct address and port.

36
docs/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -141,20 +141,20 @@
Examples:
```bash
# Upgrade to 1.6.8 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.8
# Upgrade to 1.6.9 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.9
# Non-interactive upgrade with automatic backup to custom directory
sudo ./install-bunkerweb.sh -v 1.6.8 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
# Silent unattended upgrade (logs suppressed) relies on default auto-backup
sudo ./install-bunkerweb.sh -v 1.6.8 -y -q
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
# Perform a dry run (plan) without applying changes
sudo ./install-bunkerweb.sh -v 1.6.8 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
# Upgrade skipping automatic backup (NOT recommended)
sudo ./install-bunkerweb.sh -v 1.6.8 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
```
!!! warning "Skipping backups"
@ -234,7 +234,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@ -260,7 +260,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :
@ -657,16 +657,16 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -701,7 +701,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@ -727,7 +727,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :

40
docs/web-ui.md
View file

@ -47,7 +47,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -62,7 +62,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -86,7 +86,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -206,14 +206,14 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
### Listener & TLS
| Setting | Description | Accepted values | Default |
| ----------------------------------- | ------------------------------------------ | ------------------------------- | ------------------------------------------ |
| `UI_LISTEN_ADDR` | Bind address for the UI | IP or hostname | `0.0.0.0` (Docker) / `127.0.0.1` (package) |
| `UI_LISTEN_PORT` | Bind port for the UI | Integer | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Fallbacks when UI-specific vars are unset | IP/hostname, integer | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Enable TLS in the UI container | `yes` or `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | PEM cert and key paths when TLS is enabled | File paths | unset |
| `UI_SSL_CA_CERTS` | Optional CA/chain | File path | unset |
| Setting | Description | Accepted values | Default |
| ----------------------------------- | ------------------------------------------ | ------------------------------- | ----------------------------------------------------- |
| `UI_LISTEN_ADDR` | Bind address for the UI | IP or hostname | `0.0.0.0` (Docker) / `127.0.0.1` (package) |
| `UI_LISTEN_PORT` | Bind port for the UI | Integer | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | Fallbacks when UI-specific vars are unset | IP/hostname, integer | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | Enable TLS in the UI container | `yes` or `no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | PEM cert and key paths when TLS is enabled | File paths | unset |
| `UI_SSL_CA_CERTS` | Optional CA/chain | File path | unset |
| `UI_FORWARDED_ALLOW_IPS` | Trusted proxy IPs for `X-Forwarded-*` | Comma/space-separated IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | Trusted proxy IPs for PROXY protocol | Comma/space-separated IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
@ -244,14 +244,16 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
### Misc runtime
| Setting | Description | Accepted values | Default |
| ------------------------------- | -------------------------------------------------- | --------------- | ------------------------------------ |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn workers/threads | Integer | `cpu_count()-1` (min 1), `workers*2` |
| `ENABLE_HEALTHCHECK` | Expose `GET /healthcheck` | `yes` or `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias for proxy allowlist | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias for PROXY allowlist | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Skip test reloads when pushing config to instances | `yes` or `no` | `no` |
| `IGNORE_REGEX_CHECK` | Skip regex validation on settings | `yes` or `no` | `no` |
| Setting | Description | Accepted values | Default |
| ------------------------------- | --------------------------------------------------------------------- | ---------------------------------------- | ----------------------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn workers/threads | Integer | `cpu_count()-1` (min 1), `workers*2` |
| `MAX_REQUESTS` | Requests before a Gunicorn worker is recycled (prevents memory bloat) | Integer | `1000` |
| `ENABLE_HEALTHCHECK` | Expose `GET /healthcheck` | `yes` or `no` | `no` |
| `FORWARDED_ALLOW_IPS` | Alias for proxy allowlist | IPs/CIDRs | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | Alias for PROXY allowlist | IPs/CIDRs | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | Skip test reloads when pushing config to instances | `yes` or `no` | `no` |
| `IGNORE_REGEX_CHECK` | Skip regex validation on settings | `yes` or `no` | `no` |
| `MAX_CONTENT_LENGTH` | Maximum upload size (Flask `MAX_CONTENT_LENGTH`) | Size with unit (`50M`, `1G`, `52428800`) | `50MB` |
## Log access

209
docs/zh/advanced.md
View file

@ -1,8 +1,8 @@
# 高级用法
GitHub 仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) 文件夹中提供了许多真实世界的用例示例。
GitHub 仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) 文件夹中提供了许多真实世界的用例示例。
我们还提供了许多样板文件,例如用于各种集成和数据库类型的 YAML 文件。这些都可以在 [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations) 文件夹中找到。
我们还提供了许多样板文件,例如用于各种集成和数据库类型的 YAML 文件。这些都可以在 [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) 文件夹中找到。
本节仅关注高级用法和安全调整,请参阅文档的[功能部分](features.md)以查看所有可用的设置。
@ -85,7 +85,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请注意,如果您的容器已经创建,您需要删除并重新创建它,以便更新新的环境变量。
@ -96,7 +96,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -104,7 +104,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -121,7 +121,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -129,7 +129,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -176,7 +176,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -184,7 +184,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
REAL_IP_HEADER: "X-Forwarded-For"
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -249,7 +249,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请注意,如果您的容器已经创建,您需要删除并重新创建它,以便更新新的环境变量。
@ -260,7 +260,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -270,7 +270,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -288,7 +288,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -298,7 +298,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -350,7 +350,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
```yaml
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -360,7 +360,7 @@ BunkerWeb 实际上支持两种方法来检索客户端的真实 IP 地址:
...
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
USE_REAL_IP: "yes"
@ -485,8 +485,8 @@ Manager 是集群的大脑,运行 Scheduler、数据库以及可选的 Web 界
```bash
# 下载脚本及校验文件
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# 校验完整性
sha256sum -c install-bunkerweb.sh.sha256
@ -585,7 +585,7 @@ Manager 是集群的大脑,运行 Scheduler、数据库以及可选的 Web 界
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: "192.168.1.11 192.168.1.12" # 替换为 Worker IP
@ -604,7 +604,7 @@ Manager 是集群的大脑,运行 Scheduler、数据库以及可选的 Web 界
- bw-redis
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
ports:
- "7000:7000" # 暴露 UI 端口
environment:
@ -687,7 +687,7 @@ Worker 负责处理进入的流量。
```yaml title="docker-compose.yml"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -992,7 +992,7 @@ systemctl status systemd-resolved
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1020,7 +1020,7 @@ systemctl status systemd-resolved
- bw-dns
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1031,7 +1031,7 @@ systemctl status systemd-resolved
- bw-dns
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
DNS_RESOLVERS: "dnsmasq"
@ -1145,7 +1145,7 @@ systemctl status systemd-resolved
}" \
-p 80:8080/tcp \
-p 443:8443/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请注意,如果您的容器已经创建,您需要删除并重新创建它,以便应用新的环境变量。
@ -1185,7 +1185,7 @@ systemctl status systemd-resolved
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Docker"
@ -1208,7 +1208,7 @@ systemctl status systemd-resolved
```yaml
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@ -1251,7 +1251,7 @@ systemctl status systemd-resolved
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1321,7 +1321,7 @@ systemctl status systemd-resolved
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -1550,7 +1550,7 @@ BunkerWeb 能够作为**通用的 UDP/TCP 反向代理**,让您可以保护任
-p 443:8443/udp \
-p 10000:10000/tcp \
-p 20000:20000/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请注意,如果您的容器已经创建,您需要删除并重新创建它,以便应用新的环境变量。
@ -1573,7 +1573,7 @@ BunkerWeb 能够作为**通用的 UDP/TCP 反向代理**,让您可以保护任
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # 如果您想在使用 http 挑战类型时使用 Let's Encrypt 自动化,请保留此项
- "10000:10000" # app1
@ -1588,7 +1588,7 @@ BunkerWeb 能够作为**通用的 UDP/TCP 反向代理**,让您可以保护任
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # 此设置是指定 BunkerWeb 实例所必需的
@ -1639,7 +1639,7 @@ BunkerWeb 能够作为**通用的 UDP/TCP 反向代理**,让您可以保护任
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080" # 如果您想在使用 http 挑战类型时使用 Let's Encrypt 自动化,请保留此项
- "10000:10000" # app1
@ -1869,7 +1869,7 @@ BunkerWeb 能够作为**通用的 UDP/TCP 反向代理**,让您可以保护任
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
# 如果您想在使用 http 挑战类型时使用 Let's Encrypt 自动化,请保留此项
- published: 80
@ -1999,7 +1999,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请注意,如果您的容器已经创建,您需要删除并重新创建它,以便应用新的环境变量。
@ -2043,7 +2043,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2058,7 +2058,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # 此设置是指定 BunkerWeb 实例所必需的
@ -2152,7 +2152,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@ -2165,7 +2165,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "" # 我们不需要在这里指定 BunkerWeb 实例,因为它们由 autoconf 服务自动检测
@ -2180,7 +2180,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2420,7 +2420,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
volumes:
- /shared/www:/var/www/html
...
@ -2519,7 +2519,7 @@ BunkerWeb 支持使用外部或远程的 [PHP-FPM](https://www.php.net/manual/en
```yaml
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
USE_IPv6: "yes"
@ -2658,7 +2658,7 @@ LOG_LEVEL_1=error
services:
bunkerweb:
# 这将是用于在调度程序中识别实例的名称
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2671,7 +2671,7 @@ LOG_LEVEL_1=error
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # 确保设置正确的实例名称
@ -2688,7 +2688,7 @@ LOG_LEVEL_1=error
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
volumes:
@ -2823,7 +2823,7 @@ log {
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
logging:
driver: "json-file"
options:
@ -2932,7 +2932,7 @@ BunkerWeb 提供了许多安全功能,您可以通过[功能](features.md)进
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
如果容器已存在,请重新创建以应用新的环境变量。
@ -2943,7 +2943,7 @@ BunkerWeb 提供了许多安全功能,您可以通过[功能](features.md)进
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -2962,7 +2962,7 @@ BunkerWeb 提供了许多安全功能,您可以通过[功能](features.md)进
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3005,7 +3005,7 @@ BunkerWeb 提供了许多安全功能,您可以通过[功能](features.md)进
```yaml
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
environment:
HTTP_PROXY: "http://proxy.example.local:3128"
@ -3957,11 +3957,11 @@ BunkerWeb 模板使用 [lua-resty-template](https://github.com/bungle/lua-resty-
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
# ... 其他设置(自定义页面无需在此处设置环境变量)
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./templates:/custom_templates:ro
environment:
@ -4044,7 +4044,7 @@ BunkerWeb 模板使用 [lua-resty-template](https://github.com/bungle/lua-resty-
spec:
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
env:
- name: CUSTOM_ERROR_PAGE
value: "/custom_templates/error.html"
@ -4262,7 +4262,9 @@ Discovery/JWKS 数据会缓存在 NGINX shared dict 中。如果您有很多租
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM 支持::x:
<p align="center">
<iframe style="display: block;" width="560" height="315" data-src="https://www.youtube-nocookie.com/embed/3oZOO1XdSlc" title="OpenAPI Validator" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</p>
**OpenAPI Validator** 插件通过根据 OpenAPI / Swagger 规范验证传入请求来执行您的 API 合约。它确保请求的路径存在HTTP 方法是被允许的并可选地根据架构定义验证查询、请求头、cookie 和路径参数。
@ -4283,16 +4285,16 @@ STREAM 支持::x:
### 配置
| 设置 | 默认值 | 上下文 | 多选 | 描述 |
| ---------------------------- | ------------------------------------ | --------- | ---- | ------------------------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | 否 | 为该站点启用 OpenAPI 路由验证。 |
| `OPENAPI_SPEC` | | multisite | 否 | JSON/YAML 格式的 OpenAPI 文档的绝对路径或 HTTP(S) URL。 |
| `OPENAPI_BASE_PATH` | | multisite | 否 | 可选的基础路径前缀,将添加到规范中的每个路径前。 |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | 否 | 允许指向规范中未列出路径的请求。 |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | 否 | 允许通过普通 HTTP 获取 OpenAPI 规范(不推荐)。 |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | 否 | 以空格分隔的 URL 正则表达式列表,用于绕过 OpenAPI 验证。 |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | 否 | 允许的 OpenAPI 文档最大大小(接受后缀 k/M/G |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | 否 | 根据规范验证查询、请求头、cookie 和路径参数。 |
| 设置 | 默认值 | 上下文 | 多选 | 描述 |
| ---------------------------- | ------------------------------------ | --------- | ---- | -------------------------------------------------------- |
| `USE_OPENAPI_VALIDATOR` | `no` | multisite | 否 | 为该站点启用 OpenAPI 路由验证。 |
| `OPENAPI_SPEC` | | multisite | 否 | JSON/YAML 格式的 OpenAPI 文档的绝对路径或 HTTP(S) URL。 |
| `OPENAPI_BASE_PATH` | | multisite | 否 | 可选的基础路径前缀,将添加到规范中的每个路径前。 |
| `OPENAPI_ALLOW_UNSPECIFIED` | `no` | multisite | 否 | 允许指向规范中未列出路径的请求。 |
| `OPENAPI_ALLOW_INSECURE_URL` | `no` | multisite | 否 | 允许通过普通 HTTP 获取 OpenAPI 规范(不推荐)。 |
| `OPENAPI_IGNORE_URLS` | `^/docs$ ^/redoc$ ^/openapi\\.json$` | multisite | 否 | 以空格分隔的 URL 正则表达式列表,用于绕过 OpenAPI 验证。 |
| `OPENAPI_MAX_SPEC_SIZE` | `2M` | global | 否 | 允许的 OpenAPI 文档最大大小(接受后缀 k/M/G。 |
| `OPENAPI_VALIDATE_PARAMS` | `yes` | multisite | 否 | 根据规范验证查询、请求头、cookie 和路径参数。 |
### 行为说明
@ -4312,3 +4314,82 @@ STREAM 支持::x:
(可选)在部署期间允许未知路径:
- `OPENAPI_ALLOW_UNSPECIFIED=yes`
## Cache <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM 支持 :x:
Cache PRO 插件使用 NGINX `proxy_cache*` 指令在反向代理层启用响应缓存。它适合用于吸收对可缓存内容的重复读取、在流量高峰期保护上游服务,以及在后端短暂故障期间提供陈旧缓存内容。
**工作原理**
1. 每个全局 `CACHE_PATH*` 值都会在 HTTP 上下文中生成一条 `proxy_cache_path` 指令。
2. 只有当 `CACHE_ZONE` 设置为 `CACHE_PATH*` 中声明的某个区域时,服务才会启用缓存。
3. 服务级设置随后控制缓存键、bypass/no-cache 条件、锁、stale 使用方式以及有效期规则。
4. 如果设置了 `CACHE_HEADER`BunkerWeb 会添加一个响应头,公开 `$upstream_cache_status`,例如 `HIT`、`MISS`、`BYPASS`、`EXPIRED` 或 `STALE`
**功能列表**
- 具有可配置缓存路径和区域的反向代理响应缓存。
- 通过 `CACHE_ZONE` 按服务启用缓存。
- 可选响应头,使用 `$upstream_cache_status` 暴露缓存状态。
- 针对 bypass、no-cache、缓存键、方法、锁、stale 和重新验证的细粒度控制。
- 通过重复的 `CACHE_VALID*` 设置定义多条缓存有效期规则。
**设置列表**
| 设置 | 默认 | 上下文 | 多个 | 描述 |
| --------------------------- | --------------------------------- | --------- | ---- | ---------------------------------------------------- |
| `CACHE_PATH` | | 全局 | 是 | 缓存路径及其参数。 |
| `CACHE_ZONE` | | multisite | 否 | 要使用的缓存区域名称(在 `CACHE_PATH` 设置中定义)。 |
| `CACHE_HEADER` | `X-Cache` | multisite | 否 | 添加一个暴露缓存状态的响应头。 |
| `CACHE_BACKGROUND_UPDATE` | `no` | multisite | 否 | 启用或禁用后台缓存更新。 |
| `CACHE_BYPASS` | | multisite | 否 | 用于判断是否绕过缓存的变量列表。 |
| `CACHE_NO_CACHE` | `$http_pragma$http_authorization` | multisite | 否 | 当变量被设置时,不将响应写入缓存。 |
| `CACHE_KEY` | `$scheme$proxy_host$request_uri` | multisite | 否 | 用于标识缓存对象的键。 |
| `CACHE_CONVERT_HEAD_TO_GET` | `yes` | multisite | 否 | 缓存时将 HEAD 请求转换为 GET。 |
| `CACHE_LOCK` | `no` | multisite | 否 | 填充缓存时锁定并发请求。 |
| `CACHE_LOCK_AGE` | `5s` | multisite | 否 | 缓存锁持续该时间后,将请求转发到上游。 |
| `CACHE_LOCK_TIMEOUT` | `5s` | multisite | 否 | 等待缓存锁超过该时间后,将请求转发到上游。 |
| `CACHE_METHODS` | `GET HEAD` | multisite | 否 | 仅缓存这些 HTTP 方法对应的响应。 |
| `CACHE_MIN_USES` | `1` | multisite | 否 | 在写入缓存前,相同请求需要出现的次数。 |
| `CACHE_REVALIDATE` | `no` | multisite | 否 | 通过条件请求向上游重新验证过期缓存项。 |
| `CACHE_USE_STALE` | `off` | multisite | 否 | 决定何时允许返回陈旧缓存内容。 |
| `CACHE_VALID` | `10m` | multisite | 是 | 定义缓存时长,可选附带一个或多个 HTTP 状态码。 |
**使用示例**
1. 定义一个全局缓存路径和区域:
```yaml
CACHE_PATH: "/var/cache/bunkerweb/proxy levels=1:2 keys_zone=htmlcache:10m max_size=1g inactive=60m use_temp_path=off"
```
2. 启用反向代理并将该区域绑定到一个服务:
```yaml
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_HOST: "http://app:8080"
www.example.com_CACHE_ZONE: "htmlcache"
www.example.com_CACHE_HEADER: "X-Cache"
www.example.com_CACHE_VALID: "200 301 302 10m"
www.example.com_CACHE_VALID_1: "404 1m"
```
3. 根据需要添加可选控制项:
```yaml
www.example.com_CACHE_BYPASS: "$cookie_nocache $arg_nocache"
www.example.com_CACHE_NO_CACHE: "$http_pragma $http_authorization"
www.example.com_CACHE_LOCK: "yes"
www.example.com_CACHE_BACKGROUND_UPDATE: "yes"
www.example.com_CACHE_USE_STALE: "error timeout updating http_500 http_502 http_503 http_504"
```
!!! info "重要行为"
- 此插件仅适用于反向代理流量。它不会缓存直接由本地静态文件提供的内容,也不适用于 stream/TCP 服务。
- `CACHE_ZONE` 必须通过 `keys_zone=<名称>:<大小>` 匹配某个 `CACHE_PATH*` 中定义的区域。
- 如果某个服务的 `CACHE_ZONE` 为空,则不会为该服务应用缓存指令。
- 对于重复值,请使用数字后缀,例如 `CACHE_PATH_1`、`CACHE_PATH_2`、`CACHE_VALID_1` 和 `CACHE_VALID_2`
- 认证流量或用户特定流量通常不应进入缓存,除非 `CACHE_KEY` 明确根据该状态变化。
- `CACHE_LOCK=yes``CACHE_BACKGROUND_UPDATE=yes` 有助于减少对源站的瞬时冲击。

127
docs/zh/api.md
View file

@ -41,7 +41,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
services:
bunkerweb:
# 调度器识别实例的名称
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # 确保填写正确的实例名
@ -76,7 +76,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.8
image: bunkerity/bunkerweb-api:1.6.9
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -143,7 +143,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
=== "Linux"
@ -252,9 +252,9 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
### 运行时与时区
| Setting | 描述 | 接受的值 | 默认值 |
| ------- | ----------------------------------------------------------------------------------------- | ---------------------------------------------- | ------------------------------------------- |
| `TZ` | API 日志和基于时间的声明(如 Biscuit TTL、日志时间戳的时区 | TZ 数据库名称(如 `UTC`、`Europe/Paris`) | unset容器默认通常为 UTC |
| Setting | 描述 | 接受的值 | 默认值 |
| ------- | ------------------------------------------------------------ | ---------------------------------------- | ----------------------------- |
| `TZ` | API 日志和基于时间的声明(如 Biscuit TTL、日志时间戳的时区 | TZ 数据库名称(如 `UTC`、`Europe/Paris`) | unset容器默认通常为 UTC |
将 docs 或 schema 的 URL 设为 `off|disabled|none|false|0` 可禁用它们。设置 `API_SSL_ENABLED=yes` 并提供 `API_SSL_CERTFILE`、`API_SSL_KEYFILE` 以在 API 终止 TLS。反向代理时`API_FORWARDED_ALLOW_IPS` 设为代理 IP使 Gunicorn 信任 `X-Forwarded-*` 头。
@ -262,83 +262,84 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
#### 表面与文档
| Setting | 描述 | 接受的值 | 默认值 |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------ | ------------------------ | ----------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Swagger、ReDoc、OpenAPI 的路径;设为 `off/disabled/none/false/0` 可禁用 | 路径或 `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | 反向代理时的挂载前缀 | 路径(如 `/api` | 空 |
| `API_FORWARDED_ALLOW_IPS` | 可信的代理 IP用于 `X-Forwarded-*` | 逗号分隔 IP/CIDR | `127.0.0.1,::1`(包默认值) |
| `API_PROXY_ALLOW_IPS` | 可信的 PROXY 协议代理 IP | 逗号分隔 IP/CIDR | `FORWARDED_ALLOW_IPS` |
| Setting | 描述 | 接受的值 | 默认值 |
| -------------------------------------------------- | ----------------------------------------------------------------------- | ----------------- | ---------------------------------- |
| `API_DOCS_URL`, `API_REDOC_URL`, `API_OPENAPI_URL` | Swagger、ReDoc、OpenAPI 的路径;设为 `off/disabled/none/false/0` 可禁用 | 路径或 `off` | `/docs`, `/redoc`, `/openapi.json` |
| `API_ROOT_PATH` | 反向代理时的挂载前缀 | 路径(如 `/api` | 空 |
| `API_FORWARDED_ALLOW_IPS` | 可信的代理 IP用于 `X-Forwarded-*` | 逗号分隔 IP/CIDR | `127.0.0.1,::1`(包默认值) |
| `API_PROXY_ALLOW_IPS` | 可信的 PROXY 协议代理 IP | 逗号分隔 IP/CIDR | `FORWARDED_ALLOW_IPS` |
#### Auth、ACL、Biscuit
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------------------- | ------------------------------------------ | ------------------------------------------------------------ | ----------------------- |
| `API_USERNAME`, `API_PASSWORD` | 引导管理员用户 | 字符串;非调试环境需强密码 | unset |
| `OVERRIDE_API_CREDS` | 启动时重新应用管理员凭据 | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | 管理员 override Bearer token | 不透明字符串 | unset |
| `API_ACL_BOOTSTRAP_FILE` | 用户/权限的 JSON 路径 | 文件路径或挂载的 `/var/lib/bunkerweb/api_acl_bootstrap.json` | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Biscuit 密钥hex若不使用文件 | 十六进制字符串 | 自动生成并持久化 |
| `API_BISCUIT_TTL_SECONDS` | Token 生命周期;`0/off` 禁用过期 | 整型秒数或 `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | 将 Biscuit 绑定到客户端 IP私网除外 | `yes/no/on/off/true/false/0/1` | `yes` |
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------------------- | -------------------------------------- | ------------------------------------------------------------ | ---------------- |
| `API_USERNAME`, `API_PASSWORD` | 引导管理员用户 | 字符串;非调试环境需强密码 | unset |
| `OVERRIDE_API_CREDS` | 启动时重新应用管理员凭据 | `yes/no/on/off/true/false/0/1` | `no` |
| `API_TOKEN` | 管理员 override Bearer token | 不透明字符串 | unset |
| `API_ACL_BOOTSTRAP_FILE` | 用户/权限的 JSON 路径 | 文件路径或挂载的 `/var/lib/bunkerweb/api_acl_bootstrap.json` | unset |
| `BISCUIT_PRIVATE_KEY`, `BISCUIT_PUBLIC_KEY` | Biscuit 密钥hex若不使用文件 | 十六进制字符串 | 自动生成并持久化 |
| `API_BISCUIT_TTL_SECONDS` | Token 生命周期;`0/off` 禁用过期 | 整型秒数或 `off/disabled` | `3600` |
| `CHECK_PRIVATE_IP` | 将 Biscuit 绑定到客户端 IP私网除外 | `yes/no/on/off/true/false/0/1` | `yes` |
#### 白名单
| Setting | 描述 | 接受的值 | 默认值 |
| ----------------------- | -------------------------------- | --------------------------- | --------------------- |
| `API_WHITELIST_ENABLED` | 切换 IP 白名单中间件 | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | 空格/逗号分隔的 IP/CIDR | IP/CIDR | 代码中的 RFC1918 范围 |
| Setting | 描述 | 接受的值 | 默认值 |
| ----------------------- | ----------------------- | ------------------------------ | --------------------- |
| `API_WHITELIST_ENABLED` | 切换 IP 白名单中间件 | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_WHITELIST_IPS` | 空格/逗号分隔的 IP/CIDR | IP/CIDR | 代码中的 RFC1918 范围 |
#### 速率限制
| Setting | 描述 | 接受的值 | 默认值 |
| -------------------------------- | ------------------------------------------ | ----------------------------------------------------- | ------------- |
| `API_RATE_LIMIT` | 全局限制NGINX 风格字符串) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | `/auth` 限制(或 `off` | 同上或 `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | 启用限流 | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | 注入限流头部 | 同上 | `yes` |
| `API_RATE_LIMIT_RULES` | 路径规则CSV/JSON/YAML 或文件路径) | 字符串或路径 | unset |
| `API_RATE_LIMIT_STRATEGY` | 算法 | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | 键选择器 | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | 这些 IP/CIDR 跳过限流 | 空格/逗号分隔 | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | 合并到存储配置的 JSON | JSON 字符串 | unset |
| Setting | 描述 | 接受的值 | 默认值 |
| -------------------------------- | ------------------------------------ | --------------------------------------------------------- | -------------- |
| `API_RATE_LIMIT` | 全局限制NGINX 风格字符串) | `3r/s`, `100/minute`, `500 per 30 minutes` | `100r/m` |
| `API_RATE_LIMIT_AUTH` | `/auth` 限制(或 `off` | 同上或 `off/disabled/none/false/0` | `10r/m` |
| `API_RATE_LIMIT_ENABLED` | 启用限流 | `yes/no/on/off/true/false/0/1` | `yes` |
| `API_RATE_LIMIT_HEADERS_ENABLED` | 注入限流头部 | 同上 | `yes` |
| `API_RATE_LIMIT_RULES` | 路径规则CSV/JSON/YAML 或文件路径) | 字符串或路径 | unset |
| `API_RATE_LIMIT_STRATEGY` | 算法 | `fixed-window`, `moving-window`, `sliding-window-counter` | `fixed-window` |
| `API_RATE_LIMIT_KEY` | 键选择器 | `ip`, `header:<Name>` | `ip` |
| `API_RATE_LIMIT_EXEMPT_IPS` | 这些 IP/CIDR 跳过限流 | 空格/逗号分隔 | unset |
| `API_RATE_LIMIT_STORAGE_OPTIONS` | 合并到存储配置的 JSON | JSON 字符串 | unset |
#### Redis/Valkey用于限流
| Setting | 描述 | 接受的值 | 默认值 |
| ---------------------------------------------------- | -------------------- | --------------------------- | ------------------- |
| `USE_REDIS` | 启用 Redis 后端 | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | 连接信息 | 主机,端口,数据库 | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | 认证 | 字符串 | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS 与校验 | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | 超时(毫秒) | 整数 | `1000` |
| `REDIS_KEEPALIVE_POOL` | 连接池 keepalive | 整数 | `10` |
| `REDIS_SENTINEL_HOSTS` | Sentinel 主机 | 空格分隔的 `host:port` | unset |
| `REDIS_SENTINEL_MASTER` | Sentinel 主节点名称 | 字符串 | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Sentinel 认证 | 字符串 | unset |
| Setting | 描述 | 接受的值 | 默认值 |
| ---------------------------------------------------- | ------------------- | ------------------------------ | ------------------ |
| `USE_REDIS` | 启用 Redis 后端 | `yes/no/on/off/true/false/0/1` | `no` |
| `REDIS_HOST`, `REDIS_PORT`, `REDIS_DATABASE` | 连接信息 | 主机,端口,数据库 | unset, `6379`, `0` |
| `REDIS_USERNAME`, `REDIS_PASSWORD` | 认证 | 字符串 | unset |
| `REDIS_SSL`, `REDIS_SSL_VERIFY` | TLS 与校验 | `yes/no/on/off/true/false/0/1` | `no`, `yes` |
| `REDIS_TIMEOUT` | 超时(毫秒) | 整数 | `1000` |
| `REDIS_KEEPALIVE_POOL` | 连接池 keepalive | 整数 | `10` |
| `REDIS_SENTINEL_HOSTS` | Sentinel 主机 | 空格分隔的 `host:port` | unset |
| `REDIS_SENTINEL_MASTER` | Sentinel 主节点名称 | 字符串 | unset |
| `REDIS_SENTINEL_USERNAME`, `REDIS_SENTINEL_PASSWORD` | Sentinel 认证 | 字符串 | unset |
!!! info "DB 提供的 Redis"
如果 BunkerWeb 数据库配置中存在 Redis/Valkey 设置,即使未在环境中设置 `USE_REDIS`API 也会自动复用它们用于限流。需要不同后端时可通过环境变量覆盖。
#### Listener 与 TLS
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------------- | ---------------------------- | --------------------------- | ----------------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Gunicorn 绑定地址/端口 | IP 或主机名,整型 | `127.0.0.1`, `8888`(包脚本) |
| `API_SSL_ENABLED` | 在 API 内启用 TLS | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | PEM 证书与密钥路径 | 文件路径 | unset |
| `API_SSL_CA_CERTS` | 可选 CA/链 | 文件路径 | unset |
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------------- | ---------------------- | ------------------------------ | ----------------------------- |
| `API_LISTEN_ADDR`, `API_LISTEN_PORT` | Gunicorn 绑定地址/端口 | IP 或主机名,整型 | `127.0.0.1`, `8888`(包脚本) |
| `API_SSL_ENABLED` | 在 API 内启用 TLS | `yes/no/on/off/true/false/0/1` | `no` |
| `API_SSL_CERTFILE`, `API_SSL_KEYFILE` | PEM 证书与密钥路径 | 文件路径 | unset |
| `API_SSL_CA_CERTS` | 可选 CA/链 | 文件路径 | unset |
#### 日志与运行时(包默认)
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------- | ---------------------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | 基础日志级别 / 覆盖 | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | 目标 | 空格分隔的 `stderr`/`file`/`syslog` | `stderr` |
| `LOG_FILE_PATH` | 日志文件位置(当 `LOG_TYPES``file``CAPTURE_OUTPUT=yes` 时使用) | 文件路径 | 当启用 file/capture 时为 `/var/log/bunkerweb/api.log`,否则 unset |
| `LOG_SYSLOG_ADDRESS` | Syslog 目标(`udp://host:514`、`tcp://host:514`、socket | Host:port、带协议前缀的主机或 socket 路径 | unset |
| `LOG_SYSLOG_TAG` | Syslog tag | 字符串 | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn worker/线程 | 整数或 unset 表示自动 | unset |
| `CAPTURE_OUTPUT` | 将 Gunicorn stdout/stderr 汇入配置的处理器 | `yes``no` | `no` |
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------- | ----------------------------------------------------------------------- | ----------------------------------------------- | ----------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | 基础日志级别 / 覆盖 | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | 目标 | 空格分隔的 `stderr`/`file`/`syslog` | `stderr` |
| `LOG_FILE_PATH` | 日志文件位置(当 `LOG_TYPES``file``CAPTURE_OUTPUT=yes` 时使用) | 文件路径 | 当启用 file/capture 时为 `/var/log/bunkerweb/api.log`,否则 unset |
| `LOG_SYSLOG_ADDRESS` | Syslog 目标(`udp://host:514`、`tcp://host:514`、socket | Host:port、带协议前缀的主机或 socket 路径 | unset |
| `LOG_SYSLOG_TAG` | Syslog tag | 字符串 | `bw-api` |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn worker/线程 | 整数或 unset 表示自动 | unset |
| `MAX_REQUESTS` | Worker 回收前的请求数Gunicorn防止内存膨胀 | 整数 | `1000` |
| `CAPTURE_OUTPUT` | 将 Gunicorn stdout/stderr 汇入配置的处理器 | `yes``no` | `no` |
## API 面(能力映射)

4
docs/zh/concepts.md
View file

@ -105,7 +105,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "更进一步"
您将在文档的[高级用法](advanced.md)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) 目录中找到多站点模式的具体示例。
您将在文档的[高级用法](advanced.md)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) 目录中找到多站点模式的具体示例。
## 自定义配置 {#custom-configurations}
@ -126,7 +126,7 @@ BunkerWeb 的另一个不可或缺的组件是 ModSecurity Web 应用程序防
!!! info "更进一步"
您将在文档的[高级用法](advanced.md#custom-configurations)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples) 目录中找到自定义配置的具体示例。
您将在文档的[高级用法](advanced.md#custom-configurations)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) 目录中找到自定义配置的具体示例。
## 数据库

928
docs/zh/features.md
View file

File diff suppressed because it is too large Load diff

154
docs/zh/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
默认情况下,容器暴露:
@ -1284,7 +1284,7 @@ docker run -d \
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
volumes:
- bw-storage:/data
...
@ -1361,7 +1361,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
推荐(在 BunkerWeb 之后)— 不要发布 `8888`;而是反向代理它:
@ -1369,7 +1369,7 @@ docker run -d \
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.8
image: bunkerity/bunkerweb-all-in-one:1.6.9
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1441,7 +1441,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* 当 `USE_CROWDSEC=yes` 时,入口点将:
@ -1496,7 +1496,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
!!! info "内部工作原理"
@ -1518,7 +1518,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
注意:
@ -1554,7 +1554,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
* 当 `CROWDSEC_API` 不是 `127.0.0.1``localhost` 时,将跳过**本地注册**。
@ -1588,13 +1588,13 @@ docker run -d \
无论您是进行测试、开发应用程序还是在生产中部署 BunkerWebDocker 容器化选项都提供了灵活性和易用性。采用这种方法使您能够充分利用 BunkerWeb 的功能,同时利用 Docker 技术的优势。
```shell
docker pull bunkerity/bunkerweb:1.6.8
docker pull bunkerity/bunkerweb:1.6.9
```
Docker 镜像也可在 [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) 上找到,可以使用 `ghcr.io` 仓库地址下载:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.8
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
```
Docker 集成的关键概念包括:
@ -1604,7 +1604,7 @@ Docker 集成的关键概念包括:
- **网络**Docker 网络在 BunkerWeb 的集成中扮演着至关重要的角色。这些网络有两个主要目的:向客户端公开端口以及连接到上游 Web 服务。通过公开端口BunkerWeb 可以接受来自客户端的传入请求,允许他们访问受保护的 Web 服务。此外,通过连接到上游 Web 服务BunkerWeb 可以高效地路由和管理流量,提供增强的安全性和性能。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 SQLite 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,也支持其他数据库后端。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 SQLite 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,也支持其他数据库后端。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
### 环境变量
@ -1614,7 +1614,7 @@ Docker 集成的关键概念包括:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1655,7 +1655,7 @@ secrets:
[调度器](concepts.md#scheduler) 在其自己的容器中运行,该容器也可在 Docker Hub 上找到:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.8
docker pull bunkerity/bunkerweb-scheduler:1.6.9
```
!!! info "BunkerWeb 设置"
@ -1676,7 +1676,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
environment:
# 这将为 BunkerWeb 容器设置 API
<<: *bw-api-env
@ -1685,7 +1685,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
# 这将为调度器容器设置 API
<<: *bw-api-env
@ -1703,7 +1703,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.8
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- bw-storage:/data
...
@ -1849,7 +1849,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1862,7 +1862,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # 这个设置是强制性的,用来指定 BunkerWeb 实例
@ -1895,7 +1895,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1908,7 +1908,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
depends_on:
- bunkerweb
environment:
@ -1974,8 +1974,8 @@ docker build -t bw-ui -f src/ui/Dockerfile .
```bash
# 下载脚本及其校验和
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# 验证校验和
sha256sum -c install-bunkerweb.sh.sha256
@ -2032,18 +2032,18 @@ sudo ./install-bunkerweb.sh
**通用选项:**
| 选项 | 描述 |
| ----------------------- | ------------------------------------------------- |
| `-v, --version VERSION` | 指定要安装的 BunkerWeb 版本(例如 `1.6.8`)。 |
| `-w, --enable-wizard` | 启用设置向导。 |
| `-n, --no-wizard` | 禁用设置向导。 |
| `-y, --yes` | 以非交互模式运行,对所有提示使用默认答案。 |
| `-f, --force` | 即使在不受支持的操作系统版本上,也强制继续安装。 |
| `-q, --quiet` | 静默安装(抑制输出)。 |
| `--api`, `--enable-api` | 启用 API (FastAPI) systemd 服务(默认禁用)。 |
| `--no-api` | 明确禁用 API 服务。 |
| `-h, --help` | 显示包含所有可用选项的帮助信息。 |
| `--dry-run` | 显示将要安装的内容,但不实际执行。 |
| 选项 | 描述 |
| ----------------------- | ------------------------------------------------ |
| `-v, --version VERSION` | 指定要安装的 BunkerWeb 版本(例如 `1.6.9`)。 |
| `-w, --enable-wizard` | 启用设置向导。 |
| `-n, --no-wizard` | 禁用设置向导。 |
| `-y, --yes` | 以非交互模式运行,对所有提示使用默认答案。 |
| `-f, --force` | 即使在不受支持的操作系统版本上,也强制继续安装。 |
| `-q, --quiet` | 静默安装(抑制输出)。 |
| `--api`, `--enable-api` | 启用 API (FastAPI) systemd 服务(默认禁用)。 |
| `--no-api` | 明确禁用 API 服务。 |
| `-h, --help` | 显示包含所有可用选项的帮助信息。 |
| `--dry-run` | 显示将要安装的内容,但不实际执行。 |
**安装类型:**
@ -2099,7 +2099,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# 安装一个特定版本
sudo ./install-bunkerweb.sh --version 1.6.8
sudo ./install-bunkerweb.sh --version 1.6.9
# 带有远程工作实例的管理器设置(需要 instances
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2207,7 +2207,7 @@ sudo ./install-bunkerweb.sh --yes --api
### 使用软件包管理器安装
请确保在安装 BunkerWeb 之前**已经安装了 NGINX 1.28.2**。对于除 Fedora 之外的所有发行版,强制要求使用来自[官方 NGINX 仓库](https://nginx.org/en/linux_packages.html)的预构建包。从源代码编译 NGINX 或使用来自不同仓库的包将无法与 BunkerWeb 的官方预构建包一起工作。但是,您可以选择从源代码构建 BunkerWeb。
请确保在安装 BunkerWeb 之前**已经安装了 NGINX 1.28.2**。对于所有发行版,强制要求使用来自[官方 NGINX 仓库](https://nginx.org/en/linux_packages.html)的预构建包。从源代码编译 NGINX 或使用来自不同仓库的包将无法与 BunkerWeb 的官方预构建包一起工作。但是,您可以选择从源代码构建 BunkerWeb。
=== "Debian Bookworm/Trixie"
@ -2243,12 +2243,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.8
最后安装 BunkerWeb 1.6.9
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
要防止在执行 `apt upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2291,12 +2291,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.8
最后安装 BunkerWeb 1.6.9
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.8
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
```
要防止在执行 `apt upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2314,10 +2314,10 @@ sudo ./install-bunkerweb.sh --yes --api
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora 已经提供了我们支持的 NGINX 1.28.1
Fedora 已经提供了我们支持的 NGINX 1.28.2
```shell
sudo dnf install -y --allowerasing nginx-1.28.1
sudo dnf install -y --allowerasing nginx-1.28.2
```
!!! example "禁用设置向导"
@ -2327,12 +2327,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.8
最后安装 BunkerWeb 1.6.9
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
要防止在执行 `dnf upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2377,12 +2377,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.8
最后安装 BunkerWeb 1.6.9
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.8
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
```
要防止在执行 `dnf upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2475,7 +2475,7 @@ export SERVICE_UI=yes
Docker 自动配置集成意味着使用**多站点模式**。有关更多信息,请参阅文档的[多站点部分](concepts.md#multisite-mode)。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
要启用自动配置更新,请在堆栈中包含一个名为 `bw-autoconf` 的额外容器。此容器承载自动配置服务,该服务管理 BunkerWeb 的动态配置更改。
@ -2489,7 +2489,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2504,7 +2504,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # 我们不需要在这里指定 BunkerWeb 实例,因为它们由自动配置服务自动检测
@ -2519,7 +2519,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bunkerweb
- bw-docker
@ -2702,13 +2702,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # 为 BunkerWeb 实例设置命名空间,以便自动配置服务可以检测到它
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # 只监听这些命名空间
@ -2742,7 +2742,9 @@ autoconf 服务充当一个 [Ingress 控制器](https://kubernetes.io/docs/conce
如果你使用 Kubernetes Gateway API请设置 `KUBERNETES_MODE=yes``KUBERNETES_GATEWAY_MODE=yes`
控制器将监控 `Gateway`、`HTTPRoute`、`TLSRoute`、`TCPRoute` 和 `UDPRoute` 资源,而不是 `Ingress` 对象。你可以通过 `KUBERNETES_GATEWAY_CLASS` 限制处理范围,并选择 `KUBERNETES_GATEWAY_API_VERSION``v1`、`v1beta1`、`v1beta2`、`v1alpha2` 或 `v1alpha1`)。
控制器将监控 `Gateway`、`HTTPRoute`、`GRPCRoute`、`TLSRoute`、`TCPRoute` 和 `UDPRoute` 资源,而不是 `Ingress` 对象。你可以通过 `KUBERNETES_GATEWAY_CLASS` 限制处理范围,并选择 `KUBERNETES_GATEWAY_API_VERSION``v1`、`v1beta1`、`v1beta2`、`v1alpha2` 或 `v1alpha1`)。
BunkerWeb 对 `GRPCRoute` 的支持目前为 **实验性**
如果你的 Service 名称不是 `bunkerweb`,请设置 `BUNKERWEB_SERVICE_NAME` 以便状态补丁读取正确的 Service。
@ -2757,7 +2759,7 @@ autoconf 服务充当一个 [Ingress 控制器](https://kubernetes.io/docs/conce
鉴于存在多个 BunkerWeb 实例,有必要建立一个共享数据存储,实现为一个 [Redis](https://redis.io/) 或 [Valkey](https://valkey.io/) 服务。这些实例将利用该服务来缓存和共享彼此之间的数据。有关 Redis/Valkey 设置的更多信息,请参见[此处](features.md#redis)。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
集群数据库后端的设置超出了本文档的范围。
@ -2872,7 +2874,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.8"
tag: "1.6.9"
```
2. For each sidecar, add:
@ -2965,7 +2967,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.8"
tag: "1.6.9"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3009,7 +3011,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3280,7 +3282,7 @@ To add a new application protected by BunkerWeb:
#### 完整的 YAML 文件
除了使用 helm chart您还可以使用 GitHub 仓库中 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)内的 YAML 样板文件。请注意,我们强烈建议您改用 helm chart。
除了使用 helm chart您还可以使用 GitHub 仓库中 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)内的 YAML 样板文件。请注意,我们强烈建议您改用 helm chart。
### Ingress 资源
@ -3326,28 +3328,28 @@ spec:
### Gateway 资源
当使用 Gateway API 模式时,你可以声明 `Gateway`、`HTTPRoute`、`TLSRoute`、`TCPRoute` 与 `UDPRoute` 资源。
`HTTPRoute` 上通过 `bunkerweb.io/<SETTING>` 注解提供 BunkerWeb 配置;如需限定到某个主机,
当使用 Gateway API 模式时,你可以声明 `Gateway`、`HTTPRoute`、`GRPCRoute`、`TLSRoute`、`TCPRoute` 与 `UDPRoute` 资源。
`HTTPRoute`/`GRPCRoute` 上通过 `bunkerweb.io/<SETTING>` 注解提供 BunkerWeb 配置;如需限定到某个主机,
使用 `bunkerweb.io/<hostname>_<SETTING>`。`hostnames` 字段用于驱动服务器名称。对于 `TCPRoute`/`UDPRoute`(以及没有 `hostnames``TLSRoute`BunkerWeb 会生成类似 `<route>.<namespace>.<protocol>` 的服务器名称。参见 [Gateway 类](#gateway-class)。
`Gateway` 上的注解会应用到其挂载的所有路由,而 `HTTPRoute` 上的注解仅作用于该路由。
`Gateway` 上的注解会应用到其挂载的所有路由,而 `HTTPRoute`/`GRPCRoute` 上的注解仅作用于该路由。
你也可以用 `bunkerweb.io/<hostname>_<SETTING>` 将 Gateway 注解限定到某个服务器名;只有当该路由/服务器名存在时才会生效。
#### 支持的资源
- 资源:`HTTPRoute`、`TLSRoute`、`TCPRoute`、`UDPRoute`(不支持 `GRPCRoute`
- 资源:`HTTPRoute`、`GRPCRoute`(实验性)、`TLSRoute`、`TCPRoute`、`UDPRoute`。
- 规则:`TLSRoute`、`TCPRoute` 和 `UDPRoute` 只使用第一条规则。
- 后端:仅 `Service`,每条规则只取第一个 `backendRef`
#### 协议与 TLS
- Listener 协议:`HTTP`/`HTTPS` 用于 `HTTPRoute``TLS` 用于 `TLSRoute``TCP` 用于 `TCPRoute``UDP` 用于 `UDPRoute`
- Listener 协议:`HTTP`/`HTTPS` 用于 `HTTPRoute``GRPCRoute``TLS` 用于 `TLSRoute``TCP` 用于 `TCPRoute``UDP` 用于 `UDPRoute`
- TLS通过 listener 的 `certificateRefs`,仅 `HTTPS``TLS` + `mode: Terminate`(不支持 Passthrough 终止)。`TLSRoute` 运行在 stream 模式。
!!! tip "Stream 路由的服务器名称"
对于 `TLSRoute`、`TCPRoute` 和 `UDPRoute`,你可以通过设置 `bunkerweb.io/SERVER_NAME` 来覆盖生成的服务器名称。
!!! note "Experimental Channelstream 路由)"
如果你打算使用 `TLSRoute`、`TCPRoute` 或 `UDPRoute`,请安装 Experimental Channel CRD https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! note "Experimental Channel高级路由)"
如果你打算使用 `GRPCRoute`、`TLSRoute`、`TCPRoute` 或 `UDPRoute`,请安装 Experimental Channel CRD https://gateway-api.sigs.k8s.io/guides/getting-started/#install-experimental-channel
!!! info "TLS 支持"
`HTTPRoute` 使用 `HTTPS``TLS` + `mode: Terminate`TLS 终止通过 `Gateway` 的 listeners 及其 `certificateRefs`TLS secrets完成。`TLSRoute` 运行在 stream 模式。
@ -3428,7 +3430,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3602,11 +3604,11 @@ service:
# BunkerWeb 设置
bunkerweb:
tag: 1.6.8
tag: 1.6.9
# 调度器设置
scheduler:
tag: 1.6.8
tag: 1.6.9
extraEnvs:
# 启用 real IP 模块以获取客户端的真实 IP
- name: USE_REAL_IP
@ -3614,11 +3616,11 @@ scheduler:
# 控制器设置
controller:
tag: 1.6.8
tag: 1.6.9
# UI 设置
ui:
tag: 1.6.8
tag: 1.6.9
```
使用自定义值安装 BunkerWeb
@ -4240,7 +4242,7 @@ kubectl delete ingress <old-ingress> -n <namespace>
至于数据库卷,文档并未指定具体的方法。为数据库卷选择共享文件夹或特定驱动程序取决于您的独特用例,留给读者自行决定。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
集群数据库后端的设置超出了本文档的范围。
@ -4254,7 +4256,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -4283,7 +4285,7 @@ services:
- "bunkerweb.INSTANCE=yes" # autoconf 服务识别 BunkerWeb 实例的强制性标签
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # 我们不需要在这里指定 BunkerWeb 实例,因为它们由 autoconf 服务自动检测
@ -4304,7 +4306,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # 记得为数据库设置一个更强的密码
@ -4453,7 +4455,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
deploy:
mode: global
@ -4465,7 +4467,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # 为 BunkerWeb 实例设置命名空间
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
NAMESPACES: "my-namespace my-other-namespace" # 只监听这些命名空间
...

26
docs/zh/plugins.md
View file

@ -8,12 +8,12 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
| 名称 | 版本 | 描述 | 链接 |
| :------------: | :---: | :----------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.9 | 使用 ClamAV 杀毒引擎自动扫描上传的文件,并在检测到文件为恶意时拒绝请求。 | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.9 | 使用 Coraza WAFModSecurity 的替代品)检查请求。 | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.9 | 使用 Webhook 将安全通知发送到 Discord 频道。 | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.9 | 使用 Webhook 将安全通知发送到 Slack 频道。 | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.9 | 使用 VirusTotal API 自动扫描上传的文件,并在检测到文件为恶意时拒绝请求。 | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | 使用 Webhook 将安全通知发送到自定义 HTTP 端点。 | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.10 | 使用 ClamAV 杀毒引擎自动扫描上传的文件,并在检测到文件为恶意时拒绝请求。 | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.10 | 使用 Coraza WAFModSecurity 的替代品)检查请求。 | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **Discord** | 1.10 | 使用 Webhook 将安全通知发送到 Discord 频道。 | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.10 | 使用 Webhook 将安全通知发送到 Slack 频道。 | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.10 | 使用 VirusTotal API 自动扫描上传的文件,并在检测到文件为恶意时拒绝请求。 | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.10 | 使用 Webhook 将安全通知发送到自定义 HTTP 端点。 | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## 如何使用插件
@ -21,7 +21,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
如果您想快速安装外部插件,可以使用 `EXTERNAL_PLUGIN_URLS` 设置。它接受一个以空格分隔的 URL 列表,每个 URL 指向一个包含一个或多个插件的压缩zip 格式)存档。
如果您想自动安装官方插件,可以使用以下值:`EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.9.zip`
如果您想自动安装官方插件,可以使用以下值:`EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.10.zip`
### 手动
@ -89,7 +89,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
!!! tip "现有插件"
如果文档不够,您可以查看[官方插件](https://github.com/bunkerity/bunkerweb-plugins)和[核心插件](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/common/core)的现有源代码(已包含在 BunkerWeb 中,但从技术上讲它们是插件)。
如果文档不够,您可以查看[官方插件](https://github.com/bunkerity/bunkerweb-plugins)和[核心插件](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core)的现有源代码(已包含在 BunkerWeb 中,但从技术上讲它们是插件)。
插件结构如下所示:
```
@ -560,7 +560,7 @@ end
!!! tip "更多示例"
如果您想查看可用函数的完整列表,可以查看仓库的 [lua 目录](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/src/bw/lua/bunkerweb)中存在的文件。
如果您想查看可用函数的完整列表,可以查看仓库的 [lua 目录](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb)中存在的文件。
### 作业

34
docs/zh/quickstart-guide.md
View file

@ -18,7 +18,7 @@
保护已经可以通过 HTTP(S) 协议访问的现有 Web 应用程序是 BunkerWeb 的主要目标:它将充当一个带有额外安全功能的经典[反向代理](https://en.wikipedia.org/wiki/Reverse_proxy)。
有关真实世界的示例,请参阅仓库的 [examples 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.8/examples)。
有关真实世界的示例,请参阅仓库的 [examples 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)。
## 基本设置
@ -33,7 +33,7 @@
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
默认情况下,容器暴露:
@ -51,8 +51,8 @@
```bash
# 下载脚本及其校验和
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.8/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
# 验证校验和
sha256sum -c install-bunkerweb.sh.sha256
@ -90,7 +90,7 @@
services:
bunkerweb:
# 这是将用于在调度器中识别实例的名称
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +103,7 @@
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # 确保设置正确的实例名称
@ -120,7 +120,7 @@
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-env
restart: "unless-stopped"
@ -187,7 +187,7 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +203,7 @@
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +221,7 @@
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
depends_on:
- bw-docker
environment:
@ -244,7 +244,7 @@
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # 记得设置一个更强的密钥(请参阅先决条件部分)
@ -339,7 +339,7 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- published: 80
target: 8080
@ -369,7 +369,7 @@
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +387,7 @@
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +416,7 @@
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # 记得设置一个更强的密钥(请参阅先决条件部分)
@ -638,7 +638,7 @@
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- 包括任何其他现有的用于 UI、Redis、CrowdSec 等的环境变量 ---
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
您的应用程序容器 (`myapp`) 和 `bunkerweb-aio` 容器必须在同一个 Docker 网络上,以便 BunkerWeb 能够使用主机名 `myapp` 访问它。
@ -660,7 +660,7 @@
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (如上主示例所示的所有其他相关环境变量)...
bunkerity/bunkerweb-all-in-one:1.6.8
bunkerity/bunkerweb-all-in-one:1.6.9
```
请确保将 `myapp` 替换为您的应用程序容器的实际名称或 IP并将 `http://myapp:8080` 替换为其正确的地址和端口。

36
docs/zh/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -141,20 +141,20 @@
示例:
```bash
# 交互式升级到 1.6.8(会提示备份)
sudo ./install-bunkerweb.sh --version 1.6.8
# 交互式升级到 1.6.9(会提示备份)
sudo ./install-bunkerweb.sh --version 1.6.9
# 使用自动备份到自定义目录的非交互式升级
sudo ./install-bunkerweb.sh -v 1.6.8 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
# 静默无人值守升级(抑制日志)– 依赖默认的自动备份
sudo ./install-bunkerweb.sh -v 1.6.8 -y -q
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
# 执行一次空运行(计划)而不应用更改
sudo ./install-bunkerweb.sh -v 1.6.8 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
# 跳过自动备份进行升级(不推荐)
sudo ./install-bunkerweb.sh -v 1.6.8 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
```
!!! warning "跳过备份"
@ -234,7 +234,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
为了防止在执行 `apt upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -260,7 +260,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
为了防止在执行 `dnf upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -657,16 +657,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.8
image: bunkerity/bunkerweb-autoconf:1.6.9
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
...
```
@ -701,7 +701,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.8
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
```
为了防止在执行 `apt upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -727,7 +727,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.8
sudo dnf install -y --allowerasing bunkerweb-1.6.9
```
为了防止在执行 `dnf upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:

44
docs/zh/web-ui.md
View file

@ -35,7 +35,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
使用已发布镜像与[快速入门](quickstart-guide.md#__tabbed_1_3)的布局启动栈,然后在浏览器完成向导。
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.8-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
```
访问 scheduler 主机名(如 `https://www.example.com/changeme`),运行 `/setup` 向导以配置 UI、scheduler 与实例。
@ -52,7 +52,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.8
image: bunkerity/bunkerweb-ui:1.6.9
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -185,15 +185,15 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
### 监听与 TLS
| 设置 | 描述 | 可接受值 | 默认值 |
| ----------------------------------- | -------------------------- | --------------------- | --------------------------------------- |
| `UI_LISTEN_ADDR` | UI 监听地址 | IP 或主机名 | `0.0.0.0`Docker / `127.0.0.1`(包) |
| `UI_LISTEN_PORT` | UI 监听端口 | 整数 | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | UI 变量缺失时的备用 | IP/主机名,整数 | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | 在 UI 容器中启用 TLS | `yes``no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | 启用 TLS 时的证书/密钥路径 | 文件路径 | 未设 |
| `UI_SSL_CA_CERTS` | 可选 CA/链 | 文件路径 | 未设 |
| `UI_FORWARDED_ALLOW_IPS` | 信任的代理 IP/CIDR | 空格/逗号分隔 IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| 设置 | 描述 | 可接受值 | 默认值 |
| ----------------------------------- | ---------------------------- | --------------------- | ----------------------------------------------------- |
| `UI_LISTEN_ADDR` | UI 监听地址 | IP 或主机名 | `0.0.0.0`Docker / `127.0.0.1`(包) |
| `UI_LISTEN_PORT` | UI 监听端口 | 整数 | `7000` |
| `LISTEN_ADDR`, `LISTEN_PORT` | UI 变量缺失时的备用 | IP/主机名,整数 | `0.0.0.0`, `7000` |
| `UI_SSL_ENABLED` | 在 UI 容器中启用 TLS | `yes``no` | `no` |
| `UI_SSL_CERTFILE`, `UI_SSL_KEYFILE` | 启用 TLS 时的证书/密钥路径 | 文件路径 | 未设 |
| `UI_SSL_CA_CERTS` | 可选 CA/链 | 文件路径 | 未设 |
| `UI_FORWARDED_ALLOW_IPS` | 信任的代理 IP/CIDR | 空格/逗号分隔 IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `UI_PROXY_ALLOW_IPS` | PROXY 协议的可信代理 IP/CIDR | 空格/逗号分隔 IP/CIDR | `FORWARDED_ALLOW_IPS` |
### 认证、会话与 Cookie
@ -223,14 +223,16 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
### 其他运行时
| 设置 | 描述 | 可接受值 | 默认值 |
| ------------------------------- | ------------------------- | ------------- | -------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn worker/线程数 | 整数 | `cpu_count()-1`(至少 1`workers*2` |
| `ENABLE_HEALTHCHECK` | 暴露 `GET /healthcheck` | `yes``no` | `no` |
| `FORWARDED_ALLOW_IPS` | 代理允许列表的别名 | IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | PROXY 允许列表的别名 | IP/CIDR | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | 应用配置时跳过测试 reload | `yes``no` | `no` |
| `IGNORE_REGEX_CHECK` | 跳过设置的正则校验 | `yes``no` | `no` |
| 设置 | 描述 | 可接受值 | 默认值 |
| ------------------------------- | ----------------------------------------------- | --------------------------------------- | ----------------------------------------------------- |
| `MAX_WORKERS`, `MAX_THREADS` | Gunicorn worker/线程数 | 整数 | `cpu_count()-1`(至少 1`workers*2` |
| `MAX_REQUESTS` | Worker 回收前的请求数Gunicorn防止内存膨胀 | 整数 | `1000` |
| `ENABLE_HEALTHCHECK` | 暴露 `GET /healthcheck` | `yes``no` | `no` |
| `FORWARDED_ALLOW_IPS` | 代理允许列表的别名 | IP/CIDR | `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` |
| `PROXY_ALLOW_IPS` | PROXY 允许列表的别名 | IP/CIDR | `FORWARDED_ALLOW_IPS` |
| `DISABLE_CONFIGURATION_TESTING` | 应用配置时跳过测试 reload | `yes``no` | `no` |
| `IGNORE_REGEX_CHECK` | 跳过设置的正则校验 | `yes``no` | `no` |
| `MAX_CONTENT_LENGTH` | 最大上传大小Flask `MAX_CONTENT_LENGTH` | 带单位的大小(`50M`、`1G`、`52428800` | `50MB` |
## 日志访问

4
examples/authelia/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/authentik/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/behind-reverse-proxy/docker-compose.yml
View file

@ -6,7 +6,7 @@ x-env: &env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
environment:
<<: *env
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/bigbluebutton/docker-compose.yml
View file

@ -25,7 +25,7 @@ services:
...
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -40,7 +40,7 @@ services:
bw-universe:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/cors/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -22,7 +22,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-cloudflare/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-desec/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-digitalocean/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-dnsimple/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-dnsmadeeasy/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-gehirn/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-google/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-linode/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-luadns/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-nsone/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-ovh/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-rfc2136/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-route53/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-sakuracloud/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-scaleway/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/docker-configs/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/drupal/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/ghost/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/gogs/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/hardened/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
# dropping all capabilities
cap_drop:
@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

10
examples/jellyfin/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb
@ -26,7 +26,8 @@ services:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
# AUTO_LETS_ENCRYPT: "yes"
GENERATE_SELF_SIGNED_SSL: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
MAX_CLIENT_SIZE: "20m" # The default `client_max_body_size` is 10m, this might not be enough for some posters, etc.
@ -50,7 +51,7 @@ services:
- bw-universe
jellyfin:
image: jellyfin/jellyfin:10.10.7
image: jellyfin/jellyfin:10
container_name: jellyfin
volumes:
- ./jellyfin-data/config:/config
@ -65,7 +66,6 @@ services:
volumes:
bw-storage:
networks:
bw-universe:
name: bw-universe

4
examples/joomla/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/load-balancer/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/magento/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/mattermost/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/mongo-express/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.8
image: bunkerity/bunkerweb:1.6.9
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.8
image: bunkerity/bunkerweb-scheduler:1.6.9
container_name: bw-scheduler
depends_on:
- bunkerweb

Some files were not shown because too many files have changed in this diff Show more