Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

misc - add DISABLE_DEFAULT_SERVER_STRICT_SNI setting to avoid breaking changes when using HTTPS behind a reverse proxy

Browse source
This commit is contained in:
florian 2024-03-26 21:29:54 +01:00
parent ab00187624
commit 2aae0394eb
No known key found for this signature in database
GPG key ID: 93EE47CC3D061500
4 changed files with 35 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/security-tuning.md
View file

@ -33,6 +33,8 @@ In the HTTP protocol, the Host header is used to determine which server the clie
You can disable any request containing undefined or unknown Host value by setting `DISABLE_DEFAULT_SERVER` to `yes` (default : `no`). Please note that clients won't even receive a response, the TCP connection will be closed (using the special 444 status code of NGINX).
If you want to close SSL/TLS connection if [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) is undefined or unknown, you can set `DISABLE_DEFAULT_SERVER_STRICT_SNI` to `yes` (default : `no`). On the one hand, you can block attackers as soon as possible at SSL/TLS level but, in the other hand, you may have issues if your BunkerWeb instance is behind a reverse proxy configured to send HTTPS requests without SNI.
### Allowed methods
STREAM support :x:

41
docs/settings.md
View file

@ -376,26 +376,27 @@ STREAM support :warning:
Miscellaneous settings.
| Setting | Default | Context |Multiple| Description |
|-----------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. |
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).|
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. |
|`SEND_ANONYMOUS_REPORT` |`yes` |global |no |Send anonymous report to BunkerWeb maintainers. |
| Setting | Default | Context |Multiple| Description |
|-----------------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Deny HTTP request if the request vhost is unknown. |
|`DISABLE_DEFAULT_SERVER_STRICT_SNI`|`no` |global |no |Close SSL/TLS connection if the SNI is unknown. |
|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. |
|`AUTO_REDIRECT_HTTP_TO_HTTPS` |`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. |
|`ALLOWED_METHODS` |`GET|POST|HEAD` |multisite|no |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients. |
|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). |
|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. |
|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/var/www/html/{server_name} if unset). |
|`SSL_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. |
|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. |
|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. |
|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature |
|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive |
|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors |
|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses |
|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time |
|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).|
|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection. |
|`SEND_ANONYMOUS_REPORT` |`yes` |global |no |Send anonymous report to BunkerWeb maintainers. |
## ModSecurity

2
src/common/core/misc/confs/default-server-http/disable.conf
View file

@ -4,6 +4,8 @@ location / {
set $reason_data "";
return {{ DENY_HTTP_STATUS }};
}
{% endif %}
{% if DISABLE_DEFAULT_SERVER_STRICT_SNI == "yes" +%}
ssl_client_hello_by_lua_block {
local ssl_clt = require "ngx.ssl.clienthello"
local utils = require "bunkerweb.utils"

11
src/common/core/misc/plugin.json
View file

@ -8,12 +8,21 @@
"DISABLE_DEFAULT_SERVER": {
"context": "global",
"default": "no",
"help": "Close connection if the request vhost is unknown.",
"help": "Deny HTTP request if the request vhost is unknown.",
"id": "disable-default-server",
"label": "Disable default server",
"regex": "^(yes|no)$",
"type": "check"
},
"DISABLE_DEFAULT_SERVER_STRICT_SNI": {
"context": "global",
"default": "no",
"help": "Close SSL/TLS connection if the SNI is unknown.",
"id": "disable-default-server-strict-sni",
"label": "Disable default server strict SNI",
"regex": "^(yes|no)$",
"type": "check"
},
"REDIRECT_HTTP_TO_HTTPS": {
"context": "multisite",
"default": "no",