From 4dabe6dae601dee4b97710b477acbee740a5c12b Mon Sep 17 00:00:00 2001 From: TheophileDiot Date: Mon, 21 Nov 2022 14:27:55 +0100 Subject: [PATCH] Advancements in the examples migration to 1.5 --- examples/drupal/autoconf.yml | 23 +--- examples/joomla/autoconf.yml | 14 +-- examples/load-balancer/docker-compose.yml | 49 ++++++++- examples/magento/autoconf.yml | 14 +-- examples/magento/cleanup-kubernetes.sh | 7 +- examples/magento/docker-compose.yml | 96 ++++++++++++---- examples/magento/setup-kubernetes.sh | 7 +- examples/magento/tests.json | 2 +- examples/mattermost/autoconf.yml | 24 +--- examples/mattermost/cleanup-kubernetes.sh | 5 - examples/mattermost/docker-compose.yml | 99 ++++++++++++----- examples/mattermost/init-db.sh | 22 ++++ examples/mattermost/setup-kubernetes.sh | 5 - examples/mattermost/tests.json | 2 +- examples/mongo-express/docker-compose.yml | 47 +++++++- examples/mongo-express/tests.json | 1 + examples/moodle/autoconf.yml | 25 ++--- examples/moodle/cleanup-kubernetes.sh | 7 +- examples/moodle/docker-compose.yml | 91 ++++++++++++---- examples/moodle/setup-kubernetes.sh | 7 +- examples/moodle/tests.json | 2 +- examples/nextcloud/autoconf.yml | 15 +-- examples/nextcloud/cleanup-kubernetes.sh | 7 +- examples/nextcloud/docker-compose.yml | 127 +++++++++++++++------- examples/nextcloud/kubernetes.yml | 2 +- examples/nextcloud/setup-kubernetes.sh | 7 +- examples/nextcloud/swarm.yml | 18 +-- 27 files changed, 436 insertions(+), 289 deletions(-) create mode 100644 examples/mattermost/init-db.sh diff --git a/examples/drupal/autoconf.yml b/examples/drupal/autoconf.yml index 6e1af3263..b329e49a1 100644 --- a/examples/drupal/autoconf.yml +++ b/examples/drupal/autoconf.yml 
@@ -21,28 +21,9 @@ services: - bunkerweb.LIMIT_REQ_URL_1=/core/install.php - bunkerweb.LIMIT_REQ_RATE_1=5r/s - | - bunkerweb.CUSTOM_CONF_MODSEC_CRS_drupal= - SecAction \ - "id:900130,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.crs_exclusions_drupal=1" + CUSTOM_CONF_MODSEC_CRS_drupal=SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_drupal=1" - mydb: - image: mariadb - networks: - bw-services: - aliases: - - mydb - volumes: - - ./db-data:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=drupaldb - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password + # For the database, you can refer to the example of the autoconf including a database networks: bw-services: diff --git a/examples/joomla/autoconf.yml b/examples/joomla/autoconf.yml index 0f44d136b..22165c922 100644 --- a/examples/joomla/autoconf.yml +++ b/examples/joomla/autoconf.yml @@ -24,19 +24,7 @@ services: - bunkerweb.LIMIT_REQ_URL_2=/installation/index.php - bunkerweb.LIMIT_REQ_RATE_2=8r/s - mydb: - image: mariadb - volumes: - - ./db-data:/var/lib/mysql - networks: - bw-services: - aliases: - - mydb - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=joomla_db - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD) + # For the database, you can refer to the example of the autoconf including a database networks: bw-services: diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml index 4f5250654..3571bf3be 100644 --- a/examples/load-balancer/docker-compose.yml +++ b/examples/load-balancer/docker-compose.yml @@ -2,7 +2,7 @@ version: "3" services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
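Review bot: The replacement label on the `+` line has lost the `bunkerweb.` prefix that every neighbouring label (`bunkerweb.LIMIT_REQ_URL_1`, `bunkerweb.LIMIT_REQ_RATE_1`) carries, and in the collapsed diff it also appears to lack the leading `- ` list marker; if autoconf only picks up `bunkerweb.*` labels, the Drupal CRS exclusion (`setvar:tx.crs_exclusions_drupal=1`) is silently never applied and the WAF runs the generic rule set against Drupal. Suggested line: `- bunkerweb.CUSTOM_CONF_MODSEC_CRS_drupal=SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_drupal=1"`. Please check the rendered file for the list marker, since the collapsed hunk cannot confirm it. The `# For the database…` comment replaces the `mydb` service, so any `mydb` reference in the Drupal service above this hunk (the service starts outside it) now points at a container this file no longer defines.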
@@ -13,9 +13,10 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data # contains upstreams definition at http context + - bw-data:/data # contains upstreams definition at http context environment: - SERVER_NAME=www.example.com # replace with your domain + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 - SERVE_FILES=no - DISABLE_DEFAULT_SERVER=yes - AUTO_LETS_ENCRYPT=yes @@ -31,15 +32,57 @@ services: server app2:80; server app3:80; } + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + - DOCKER_HOST=tcp://docker-proxy:2375 + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker app1: image: tutum/hello-world + networks: + - bw-services app2: image: tutum/hello-world + networks: + - bw-services app3: image: tutum/hello-world + networks: + - bw-services volumes: - bw_data: + bw-data: + + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: diff --git a/examples/magento/autoconf.yml b/examples/magento/autoconf.yml index a66f19743..7fcc96aed 100644 --- a/examples/magento/autoconf.yml +++ b/examples/magento/autoconf.yml 
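Review bot: `docker-proxy` is the one container handed the Docker socket and it is the only image in the hunk left unpinned — `image: tecnativa/docker-socket-proxy` has no tag while `bunkerweb` and `bunkerweb-scheduler` are pinned to `1.5.0` — so any future push of that image silently changes what mediates between the scheduler and the host's Docker API. Pin it to a specific tag or, better, a digest, and consider `read_only: true` and `security_opt: ["no-new-privileges:true"]` on it, as the postgres service in this repository's mattermost example already does. `CONTAINERS=1` and the `:ro` socket mount are the right restrictions to keep. `API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24` opens the BunkerWeb API to the whole `bw-universe` subnet; a comment saying which containers are expected on that subnet would help the next person who adds one.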
@@ -43,19 +43,7 @@ services: volumes: - ./elasticsearch-data:/bitnami/elasticsearch/data - mydb: - image: mariadb:10.2 - networks: - bw-services: - aliases: - - mydb - volumes: - - ./db-data:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=magentodb - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD) + # For the database, you can refer to the example of the autoconf including a database networks: bw-services: diff --git a/examples/magento/cleanup-kubernetes.sh b/examples/magento/cleanup-kubernetes.sh index 343c25073..6a0212490 100755 --- a/examples/magento/cleanup-kubernetes.sh +++ b/examples/magento/cleanup-kubernetes.sh @@ -1,11 +1,6 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm delete magento kubectl delete pvc data-magento-elasticsearch-data-0 kubectl delete pvc data-magento-elasticsearch-master-0 -kubectl delete pvc data-magento-mariadb-0 \ No newline at end of file +kubectl delete pvc data-magento-mariadb-0 diff --git a/examples/magento/docker-compose.yml b/examples/magento/docker-compose.yml index f71942116..d235ae5b3 100644 --- a/examples/magento/docker-compose.yml +++ b/examples/magento/docker-compose.yml @@ -1,8 +1,12 @@ version: "3" +x-bunkerweb-env: + &bunkerweb-env + DATABASE_URI: "mariadb+pymysql://${MAGENTO_USER:-user}:${MAGENTO_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" + services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
@@ -13,22 +17,47 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data + - bw-data:/data environment: - - SERVER_NAME=www.example.com # replace with your domain - - SERVE_FILES=no - - DISABLE_DEFAULT_SERVER=yes - - AUTO_LETS_ENCRYPT=yes - - USE_CLIENT_CACHE=yes - - USE_GZIP=yes - - USE_REVERSE_PROXY=yes - - REVERSE_PROXY_URL=/ - - REVERSE_PROXY_HOST=http://mymagento:8080 - - | - CUSTOM_CONF_SERVER_HTTP_magento= - proxy_busy_buffers_size 512k; - proxy_buffers 4 512k; - proxy_buffer_size 256k; + <<: *bunkerweb-env + SERVER_NAME: "www.example.com" # replace with your domain + API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" + SERVE_FILES: "no" + DISABLE_DEFAULT_SERVER: "yes" + AUTO_LETS_ENCRYPT: "yes" + USE_CLIENT_CACHE: "yes" + USE_GZIP: "yes" + USE_REVERSE_PROXY: "yes" + REVERSE_PROXY_URL: "/" + REVERSE_PROXY_HOST: "http://mymagento:8080" + CUSTOM_CONF_SERVER_HTTP_magento: "proxy_busy_buffers_size 512k;proxy_buffers 4 512k;proxy_buffer_size 256k;" + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + <<: *bunkerweb-env + DOCKER_HOST: "tcp://docker-proxy:2375" + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker mymagento: image: bitnami/magento:2 
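Review bot: `<<: *bunkerweb-env` merges `DATABASE_URI` — and with it the MariaDB username and password — into the `mybunker` environment as well as the scheduler's, yet nothing in this hunk shows the bunkerweb instance itself talking to a database; if only `bw-scheduler` needs it, the Internet-facing container is carrying credentials it does not use. Keep the anchor for settings both containers share and set `DATABASE_URI` only on `bw-scheduler`, or simply drop the `<<: *bunkerweb-env` line from `mybunker`. Whether bunkerweb 1.5.0 reads `DATABASE_URI` is not visible here, so confirm against the image documentation before removing it.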
@@ -42,10 +71,12 @@ services: - MAGENTO_ENABLE_HTTPS=yes - MAGENTO_ENABLE_ADMIN_HTTPS=yes - MAGENTO_DATABASE_HOST=mydb - - MAGENTO_DATABASE_NAME=magentodb - - MAGENTO_DATABASE_USER=user - - MAGENTO_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - MAGENTO_DATABASE_NAME=${MAGENTO_DATABASE:-magentodb} + - MAGENTO_DATABASE_USER=${MAGENTO_USER:-user} + - MAGENTO_DATABASE_PASSWORD=${MAGENTO_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) - ELASTICSEARCH_HOST=myelasticsearch + networks: + - bw-services myelasticsearch: image: bitnami/elasticsearch:7 
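Review bot: The comment on `MAGENTO_DATABASE_PASSWORD` still says `(must match MYSQL_PASSWORD)`, but `mydb` in this file no longer sets `MYSQL_PASSWORD`; the grant is now generated from the same `${MAGENTO_PASSWORD:-secret}` expansion, so the two cannot drift and the comment points readers at a variable that no longer exists. Reword it to `# set MAGENTO_PASSWORD in .env; the default "secret" is for local testing only`. The `:-secret` default also means a missing `.env` silently yields a known password rather than an error; `${MAGENTO_PASSWORD:?set MAGENTO_PASSWORD in .env}` would make `docker compose up` fail with a clear message instead.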
@@ -53,13 +84,30 @@ services: # see setup-docker.sh volumes: - ./elasticsearch-data:/bitnami/elasticsearch/data + networks: + - bw-services mydb: image: mariadb:10.2 volumes: - - ./db-data:/var/lib/mysql + - db-data:/var/lib/mysql environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=magentodb - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD) + MARIADB_RANDOM_ROOT_PASSWORD: "yes" + entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MAGENTO_USER:-user}\"; CREATE USER \"${MAGENTO_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MAGENTO_DATABASE:-magentodb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MAGENTO_DATABASE:-magentodb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + networks: + - bw-universe + - bw-services + +volumes: + bw-data: + db-data: + + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: diff --git a/examples/magento/setup-kubernetes.sh b/examples/magento/setup-kubernetes.sh index 047e69651..d3b0807f0 100755 --- a/examples/magento/setup-kubernetes.sh +++ b/examples/magento/setup-kubernetes.sh @@ -1,9 +1,4 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm repo add bitnami https://charts.bitnami.com/bitnami -helm install -f magento-chart-values.yml magento bitnami/magento \ No newline at end of file +helm install -f magento-chart-values.yml magento bitnami/magento 
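Review bot: The generated `init.sql` grants the single application user `ALL PRIVILEGES` on both `${MAGENTO_DATABASE}` and `${BUNKERWEB_DATABASE}`, and the scheduler's `DATABASE_URI` at the top of the file uses those same credentials, so a SQL injection or credential leak in Magento gives write access to BunkerWeb's own configuration store (and a leak on the BunkerWeb side exposes the shop database). Create a separate user for the bunkerweb database, e.g. `GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO "${BUNKERWEB_USER:-bwuser}"@"%" IDENTIFIED BY "${BUNKERWEB_PASSWORD:?set in .env}";`, and point `DATABASE_URI` at that user. Because the whole SQL text is passed as an argument to `sh -c`, both passwords are also visible in `docker inspect` and in the host process list while the shell runs; a script mounted read-only into `/docker-entrypoint-initdb.d/` avoids that. The bare `CREATE USER "user"@"%"` is only safe because the following `GRANT … IDENTIFIED BY` immediately sets a password, which deserves a comment.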
diff --git a/examples/magento/tests.json b/examples/magento/tests.json index d406b484f..e66d4c583 100644 --- a/examples/magento/tests.json +++ b/examples/magento/tests.json @@ -3,7 +3,7 @@ "kinds": ["docker", "autoconf", "swarm", "kubernetes"], "timeout": 360, "no_copy_container": true, - "delay": 180, + "delay": 240, "tests": [ { "type": "string", diff --git a/examples/mattermost/autoconf.yml b/examples/mattermost/autoconf.yml index 3ee6db7dd..39e0b088e 100644 --- a/examples/mattermost/autoconf.yml +++ b/examples/mattermost/autoconf.yml @@ -63,29 +63,7 @@ services: - bunkerweb.LIMIT_REQ_URL_3=^/static/ - bunkerweb.LIMIT_REQ_RATE_3=10r/s - postgres: - image: postgres:${POSTGRES_IMAGE_TAG} - networks: - bw-services: - aliases: - - postgres - restart: ${RESTART_POLICY} - security_opt: - - no-new-privileges:true - pids_limit: 100 - read_only: true - tmpfs: - - /tmp - - /var/run/postgresql - volumes: - - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data - environment: - # timezone inside container - - TZ - # necessary Postgres options/variables - - POSTGRES_USER - - POSTGRES_PASSWORD - - POSTGRES_DB + # For the postgres database, you can refer to the example of the autoconf including a postgres database networks: bw-services: diff --git a/examples/mattermost/cleanup-kubernetes.sh b/examples/mattermost/cleanup-kubernetes.sh index 56521156b..177494b40 100755 --- a/examples/mattermost/cleanup-kubernetes.sh +++ b/examples/mattermost/cleanup-kubernetes.sh @@ -1,8 +1,3 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm delete mattermost diff --git a/examples/mattermost/docker-compose.yml b/examples/mattermost/docker-compose.yml index 6deeff91e..e45504e55 100644 --- a/examples/mattermost/docker-compose.yml +++ b/examples/mattermost/docker-compose.yml 
@@ -1,8 +1,12 @@ version: "3" +x-bunkerweb-env: + &bunkerweb-env + DATABASE_URI: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${BUNKERWEB_DATABASE:-bunkerweb}" + services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
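Review bot: `DATABASE_URI` hands the scheduler the Postgres bootstrap superuser — `${POSTGRES_USER}:${POSTGRES_PASSWORD}` is the role the postgres image initialises the cluster with — so BunkerWeb's configuration store also has full control over the Mattermost database. The `init-db.sh` added in this commit already creates a `bunkerweb` role for `${BUNKERWEB_DATABASE}`; give that role a password and use it here, e.g. `DATABASE_URI: "postgresql://${BUNKERWEB_DB_USER:-bunkerweb}:${BUNKERWEB_DB_PASSWORD:?set in .env}@postgres/${BUNKERWEB_DATABASE:-bunkerweb}"`. Unlike the MariaDB examples this URI has no `:-secret` fallback, which is good; the `:?` form turns an empty password into an explicit startup error.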
@@ -13,37 +17,66 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data + - bw-data:/data environment: - - SERVER_NAME=www.example.com # replace with your domain - - AUTO_LETS_ENCRYPT=yes - - DISABLE_DEFAULT_SERVER=yes - - USE_CLIENT_CACHE=yes - - SERVE_FILES=no - - MAX_CLIENT_SIZE=50m - - USE_GZIP=yes + <<: *bunkerweb-env + SERVER_NAME: "${DOMAIN}" # set your domain name in the .env file, for additional domains, just add them separated by a space + API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" + AUTO_LETS_ENCRYPT: "yes" + DISABLE_DEFAULT_SERVER: "yes" + USE_CLIENT_CACHE: "yes" + SERVE_FILES: "no" + MAX_CLIENT_SIZE: "50m" + USE_GZIP: "yes" # Methods used to query the api # more info at https://api.mattermost.com/ - - ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT + ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT" # Reverse proxy to Mattermost # second endpoint needs websocket enabled # more info at https://docs.mattermost.com/install/config-proxy-nginx.html - - USE_REVERSE_PROXY=yes - - REVERSE_PROXY_INTERCEPT_ERRORS=no - - REVERSE_PROXY_URL_1=/ - - REVERSE_PROXY_HOST_1=http://mattermost:8065 - - REVERSE_PROXY_URL_2=~ /api/v[0-9]+/(users/)?websocket$$ - - REVERSE_PROXY_HOST_2=http://mattermost:8065 - - REVERSE_PROXY_WS_2=yes + USE_REVERSE_PROXY: "yes" + REVERSE_PROXY_INTERCEPT_ERRORS: "no" + REVERSE_PROXY_URL_1: "/" + REVERSE_PROXY_HOST_1: "http://mattermost:8065" + REVERSE_PROXY_URL_2: "~ /api/v[0-9]+/(users/)?websocket$$" + REVERSE_PROXY_HOST_2: "http://mattermost:8065" + REVERSE_PROXY_WS_2: "yes" # Default limit rate for URLs - - LIMIT_REQ_URL_1=/ - - LIMIT_REQ_RATE_1=3r/s + LIMIT_REQ_URL_1: "/" + LIMIT_REQ_RATE_1: "3r/s" # Limit rate for api endpoints - - LIMIT_REQ_URL_2=^/api/ - - LIMIT_REQ_RATE_2=10r/s + LIMIT_REQ_URL_2: "^/api/" + LIMIT_REQ_RATE_2: "10r/s" # Limit rate for static resources - - LIMIT_REQ_URL_3=^/static/ - - LIMIT_REQ_RATE_3=10r/s + 
LIMIT_REQ_URL_3: "^/static/" + LIMIT_REQ_RATE_3: "10r/s" + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + <<: *bunkerweb-env + DOCKER_HOST: "tcp://docker-proxy:2375" + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker mattermost: depends_on: @@ -77,6 +110,8 @@ services: - MM_BLEVESETTINGS_INDEXDIR # additional settings - MM_SERVICESETTINGS_SITEURL + networks: + - bw-services postgres: image: postgres:${POSTGRES_IMAGE_TAG} @@ -90,13 +125,27 @@ services: - /var/run/postgresql volumes: - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data + - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh environment: # timezone inside container - TZ # necessary Postgres options/variables - POSTGRES_USER - POSTGRES_PASSWORD - - POSTGRES_DB + - POSTGRES_MULTIPLE_DATABASES=${POSTGRES_DB},${BUNKERWEB_DATABASE:-bunkerweb} + networks: + - bw-universe + - bw-services volumes: - bw_data: + bw-data: + + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: diff --git a/examples/mattermost/init-db.sh b/examples/mattermost/init-db.sh new file mode 100644 index 000000000..18c0f96b9 --- /dev/null +++ b/examples/mattermost/init-db.sh 
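Review bot: `./init-db.sh` is bind-mounted into `/docker-entrypoint-initdb.d/` without `:ro`, so a container that (going by the autoconf copy of the same service) runs `read_only: true` with `no-new-privileges` is handed a writable path to a script the entrypoint executes on first boot; change it to `- ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh:ro`. In the hunk above, `SERVER_NAME: "${DOMAIN}"` becomes an empty string when `DOMAIN` is missing from `.env` instead of failing; `SERVER_NAME: "${DOMAIN:?DOMAIN must be set in .env}"` stops `docker compose up` with a clear message. Postgres is also attached to `bw-universe`, the subnet whitelisted by `API_WHITELIST_IP`, which it needs only so the scheduler can reach it; a one-line comment saying so would keep someone from later widening the whitelist on the assumption that only BunkerWeb components live there.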
@@ -0,0 +1,22 @@ +#!/bin/bash + +set -e +set -u + +function create_user_and_database() { + local database=$1 + echo " Creating user and database '$database'" + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $database; + CREATE DATABASE $database; + GRANT ALL PRIVILEGES ON DATABASE $database TO $database; +EOSQL +} + +if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then + echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES" + for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do + create_user_and_database $db + done + echo "Multiple databases created" +fi \ No newline at end of file diff --git a/examples/mattermost/setup-kubernetes.sh b/examples/mattermost/setup-kubernetes.sh index 4dd63f93a..44f8d974c 100755 --- a/examples/mattermost/setup-kubernetes.sh +++ b/examples/mattermost/setup-kubernetes.sh @@ -1,9 +1,4 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm repo add mattermost https://helm.mattermost.com helm install -f mattermost-chart-values.yml mattermost mattermost/mattermost-team-edition diff --git a/examples/mattermost/tests.json b/examples/mattermost/tests.json index ca9f0a835..677272a67 100644 --- a/examples/mattermost/tests.json +++ b/examples/mattermost/tests.json @@ -2,7 +2,7 @@ "name": "mattermost", "kinds": ["docker", "autoconf", "kubernetes"], "timeout": 60, - "delay": 60, + "delay": 300, "tests": [ { "type": "string", diff --git a/examples/mongo-express/docker-compose.yml b/examples/mongo-express/docker-compose.yml index 771696d63..b59e9c9a3 100644 --- a/examples/mongo-express/docker-compose.yml +++ b/examples/mongo-express/docker-compose.yml @@ -2,7 +2,7 @@ version: "3" services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
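Review bot: `CREATE USER $database;` creates each role without a password, so the `bunkerweb` role this script provisions cannot authenticate under the postgres image's default password-based `pg_hba.conf` and only becomes usable if host auth is later relaxed to `trust`; either give it a password (for example accept `name:password` pairs in `POSTGRES_MULTIPLE_DATABASES` and emit `CREATE USER "$user" WITH PASSWORD '$password';`) or state in a header comment that the roles are intentionally login-less placeholders. The `if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]` guard is defeated by `set -u`: when the variable is unset the expansion itself aborts the script, so write `${POSTGRES_MULTIPLE_DATABASES:-}` there. Double-quoting the identifiers (`CREATE DATABASE "$database";`) keeps mixed-case or hyphenated names from `.env` from being lowercased or rejected, and `for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' ')` reads better as `IFS=',' read -ra dbs <<< "$POSTGRES_MULTIPLE_DATABASES"`. The file also ends without a trailing newline.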
@@ -13,9 +13,10 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data + - bw-data:/data environment: - SERVER_NAME=www.example.com # replace with your domain + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 - SERVE_FILES=no - DISABLE_DEFAULT_SERVER=yes - AUTO_LETS_ENCRYPT=yes @@ -27,6 +28,32 @@ services: - | CUSTOM_CONF_MODSEC_mongo-express= SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog" + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + - DOCKER_HOST=tcp://docker-proxy:2375 + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker mongo: image: mongo:latest @@ -36,6 +63,8 @@ services: - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password - MONGO_INITDB_DATABASE=mongo # replace with the database name of your choice + networks: + - bw-services mongo-ui: image: mongo-express:latest @@ -48,6 +77,18 @@ services: restart: unless-stopped depends_on: - mongo + networks: + - bw-services volumes: - bw_data: + bw-data: + + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: diff --git a/examples/mongo-express/tests.json b/examples/mongo-express/tests.json index 0803bfb57..ff82bce43 100644 --- a/examples/mongo-express/tests.json +++ b/examples/mongo-express/tests.json 
@@ -2,6 +2,7 @@ "name": "mongo-express", "kinds": ["docker", "autoconf"], "timeout": 60, + "delay": 60, "no_copy_container": true, "tests": [ { diff --git a/examples/moodle/autoconf.yml b/examples/moodle/autoconf.yml index de00ffc94..d6a814a3d 100644 --- a/examples/moodle/autoconf.yml +++ b/examples/moodle/autoconf.yml @@ -18,30 +18,19 @@ services: - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name - MOODLE_DATABASE_HOST=mydb - - MOODLE_DATABASE_NAME=moodle - - MOODLE_DATABASE_USER=user - - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb} + - MOODLE_DATABASE_USER=${MOODLE_USER:-user} + - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # replace with a stronger password (must match MYSQL_PASSWORD) labels: - bunkerweb.SERVER_NAME=www.example.com - bunkerweb.USE_REVERSE_PROXY=yes - bunkerweb.REVERSE_PROXY_URL=/ - bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443 - mydb: - image: mariadb:10.5 - volumes: - - db_data:/var/lib/mysql - networks: - bw-services: - aliases: - - mydb - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=moodle - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD) - - MARIADB_CHARACTER_SET=utf8mb4 - - MARIADB_COLLATE=utf8mb4_unicode_ci + # For the database, you can refer to the example of the autoconf including a database + # In this example, you will need to add the following lines to the mydb service: + # - MARIADB_CHARACTER_SET=utf8mb4 + # - MARIADB_COLLATE=utf8mb4_unicode_ci networks: bw-services: diff --git a/examples/moodle/cleanup-kubernetes.sh b/examples/moodle/cleanup-kubernetes.sh index 01f200bea..7628104e9 100755 --- a/examples/moodle/cleanup-kubernetes.sh +++ b/examples/moodle/cleanup-kubernetes.sh 
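Review bot: The comment on `MOODLE_DATABASE_PASSWORD` still says `(must match MYSQL_PASSWORD)`, but this file no longer defines `mydb` or `MYSQL_PASSWORD` and instead defers to "the example of the autoconf including a database", so a reader has nothing to match against. Reword it to name what the other example is expected to consume, e.g. `# set MOODLE_PASSWORD in .env and give the database user in the autoconf-with-database example the same value; "secret" is for tests only`. The default database name also changes from `moodle` to `moodledb` on the same line, which will not match a `db_data` volume created by the previous version of this example unless `MOODLE_DATABASE` is set; a one-line note would spare existing users that surprise.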
@@ -1,9 +1,4 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm delete moodle -kubectl delete pvc data-moodle-mariadb-0 \ No newline at end of file +kubectl delete pvc data-moodle-mariadb-0 diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml index 19227acfd..b94984016 100644 --- a/examples/moodle/docker-compose.yml +++ b/examples/moodle/docker-compose.yml @@ -1,8 +1,12 @@ version: "3" +x-bunkerweb-env: + &bunkerweb-env + DATABASE_URI: "mariadb+pymysql://${MOODLE_USER:-user}:${MOODLE_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" + services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
@@ -13,18 +17,47 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data + - bw-data:/data environment: - - SERVER_NAME=www.example.com # replace with your domain - - AUTO_LETS_ENCRYPT=yes - - DISABLE_DEFAULT_SERVER=yes - - MAX_CLIENT_SIZE=50m - - SERVE_FILES=no - - USE_CLIENT_CACHE=yes - - USE_GZIP=yes - - USE_REVERSE_PROXY=yes - - REVERSE_PROXY_URL=/ - - REVERSE_PROXY_HOST=https://mymoodle:8443 + <<: *bunkerweb-env + SERVER_NAME: "www.example.com" # replace with your domain + API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" + AUTO_LETS_ENCRYPT: "yes" + DISABLE_DEFAULT_SERVER: "yes" + MAX_CLIENT_SIZE: "50m" + SERVE_FILES: "no" + USE_CLIENT_CACHE: "yes" + USE_GZIP: "yes" + USE_REVERSE_PROXY: "yes" + REVERSE_PROXY_URL: "/" + REVERSE_PROXY_HOST: "https://mymoodle:8443" + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + <<: *bunkerweb-env + DOCKER_HOST: "tcp://docker-proxy:2375" + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker mymoodle: image: bitnami/moodle:latest 
@@ -39,21 +72,33 @@ services: - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name - MOODLE_DATABASE_HOST=mydb - - MOODLE_DATABASE_NAME=moodle - - MOODLE_DATABASE_USER=user - - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb} + - MOODLE_DATABASE_USER=${MOODLE_USER:-user} + - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + networks: + - bw-services mydb: image: mariadb:10.5 volumes: - - ./db-data:/var/lib/mysql + - db-data:/var/lib/mysql environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=moodle - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD) - - MARIADB_CHARACTER_SET=utf8mb4 - - MARIADB_COLLATE=utf8mb4_unicode_ci + MARIADB_RANDOM_ROOT_PASSWORD: "yes" + entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MOODLE_USER:-user}\"; CREATE USER \"${MOODLE_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MOODLE_DATABASE:-moodledb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MOODLE_DATABASE:-moodledb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + networks: + - bw-universe + - bw-services volumes: - bw_data: + bw-data: + db-data: + + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: 
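Review bot: The whole bootstrap SQL, including `${MOODLE_PASSWORD:-secret}` twice, is passed as an argument to `sh -c`, so the database password shows up in the host process list while that shell runs and in `docker inspect` output permanently, and the custom `entrypoint` also sidesteps the image's own user provisioning. The mariadb image already creates the application user and database from `MARIADB_USER`/`MARIADB_PASSWORD`/`MARIADB_DATABASE` (with `*_FILE` variants for secrets), so only the extra `bunkerweb` database and its grant need scripting, which a short `init-db.sh` mounted read-only into `/docker-entrypoint-initdb.d/` can do through the entrypoint's `docker_process_sql` helper without putting anything on a command line; the charset flags move to `command:`. The `:-secret` defaults on both `MOODLE_PASSWORD` lines in this hunk also mean a missing `.env` yields a known password — `:?` turns that into a startup error. The same stale `(must match MYSQL_PASSWORD)` comment appears on `MOODLE_DATABASE_PASSWORD` although `MYSQL_PASSWORD` no longer exists in this file.
```yaml
  mydb:
    image: mariadb:10.5
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    volumes:
      - db-data:/var/lib/mysql
      - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh:ro  # creates $BUNKERWEB_DATABASE and its grant
    environment:
      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
      MARIADB_DATABASE: "${MOODLE_DATABASE:-moodledb}"
      MARIADB_USER: "${MOODLE_USER:-user}"
      MARIADB_PASSWORD: "${MOODLE_PASSWORD:?set MOODLE_PASSWORD in .env}"
      BUNKERWEB_DATABASE: "${BUNKERWEB_DATABASE:-bunkerweb}"
    # … unchanged: networks …
```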
diff --git a/examples/moodle/setup-kubernetes.sh b/examples/moodle/setup-kubernetes.sh index d3c41416b..113865f41 100755 --- a/examples/moodle/setup-kubernetes.sh +++ b/examples/moodle/setup-kubernetes.sh @@ -1,9 +1,4 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm repo add bitnami https://charts.bitnami.com/bitnami -helm install -f moodle-chart-values.yml moodle bitnami/moodle \ No newline at end of file +helm install -f moodle-chart-values.yml moodle bitnami/moodle diff --git a/examples/moodle/tests.json b/examples/moodle/tests.json index 4e3ac8495..580a2fcc7 100644 --- a/examples/moodle/tests.json +++ b/examples/moodle/tests.json @@ -2,7 +2,7 @@ "name": "moodle", "kinds": ["docker", "autoconf", "swarm", "kubernetes"], "timeout": 300, - "delay": 180, + "delay": 300, "tests": [ { "type": "string", diff --git a/examples/nextcloud/autoconf.yml b/examples/nextcloud/autoconf.yml index 7386d3623..e4b78bda1 100644 --- a/examples/nextcloud/autoconf.yml +++ b/examples/nextcloud/autoconf.yml @@ -56,20 +56,7 @@ services: bunkerweb.CUSTOM_CONF_MODSEC_nextcloud= SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog" - mydb: - image: mariadb - command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW - volumes: - - ./db-data:/var/lib/mysql - networks: - bw-services: - aliases: - - mydb - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=nc - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + # For the database, you can refer to the example of the autoconf including a database networks: bw-services: diff --git a/examples/nextcloud/cleanup-kubernetes.sh b/examples/nextcloud/cleanup-kubernetes.sh index f2410c85b..4ea4c7b74 100755 --- a/examples/nextcloud/cleanup-kubernetes.sh +++ b/examples/nextcloud/cleanup-kubernetes.sh 
@@ -1,8 +1,3 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - -helm delete nextcloud \ No newline at end of file +helm delete nextcloud diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml index d0d7f10ae..e6a770583 100644 --- a/examples/nextcloud/docker-compose.yml +++ b/examples/nextcloud/docker-compose.yml @@ -1,8 +1,12 @@ version: "3" +x-bunkerweb-env: + &bunkerweb-env + DATABASE_URI: "mariadb+pymysql://${NEXTCLOUD_USER:-user}:${NEXTCLOUD_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" + services: mybunker: - image: bunkerity/bunkerweb:1.4.3 + image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 
@@ -13,74 +17,113 @@ services: # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - - bw_data:/data + - bw-data:/data environment: - - SERVER_NAME=www.example.com # replace with your domain - - AUTO_LETS_ENCRYPT=yes - - DISABLE_DEFAULT_SERVER=yes - - MAX_CLIENT_SIZE=10G - - USE_CLIENT_CACHE=yes - - SERVE_FILES=no - - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS - - X_FRAME_OPTIONS=SAMEORIGIN - - USE_GZIP=yes - - BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444 - - USE_REVERSE_PROXY=yes - - REVERSE_PROXY_URL=/ - - REVERSE_PROXY_HOST=http://mync - - LIMIT_REQ_URL_1=/apps - - LIMIT_REQ_RATE_1=5r/s - - LIMIT_REQ_URL_2=/apps/text/session/sync - - LIMIT_REQ_RATE_2=8r/s - - LIMIT_REQ_URL_3=/core/preview - - LIMIT_REQ_RATE_3=5r/s - - | - CUSTOM_CONF_MODSEC_CRS_nextcloud= + <<: *bunkerweb-env + SERVER_NAME: "www.example.com" # replace with your domain + API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" + AUTO_LETS_ENCRYPT: "yes" + DISABLE_DEFAULT_SERVER: "yes" + MAX_CLIENT_SIZE: "10G" + USE_CLIENT_CACHE: "yes" + SERVE_FILES: "no" + ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS" + X_FRAME_OPTIONS: "SAMEORIGIN" + USE_GZIP: "yes" + BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444" + USE_REVERSE_PROXY: "yes" + REVERSE_PROXY_URL: "/" + REVERSE_PROXY_HOST: "http://mync" + LIMIT_REQ_URL_1: "/apps" + LIMIT_REQ_RATE_1: "5r/s" + LIMIT_REQ_URL_2: "/apps/text/session/sync" + LIMIT_REQ_RATE_2: "8r/s" + LIMIT_REQ_URL_3: "/core/preview" + LIMIT_REQ_RATE_3: "5r/s" + CUSTOM_CONF_MODSEC_CRS_nextcloud: "\ SecAction \ - "id:900130,\ + \"id:900130,\ phase:1,\ nolog,\ pass,\ t:none,\ - setvar:tx.crs_exclusions_nextcloud=1" + setvar:tx.crs_exclusions_nextcloud=1\" # WebDAV SecAction \ - "id:900200,\ + \"id:900200,\ phase:1,\ nolog,\ pass,\ t:none,\ - setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE 
PROPFIND PROPPATCH PUT UNLOCK OPTIONS'" - - | - CUSTOM_CONF_MODSEC_nextcloud= - SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog" + setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'\"" + CUSTOM_CONF_MODSEC_nextcloud: "\ + SecRule REQUEST_FILENAME \"@rx ^/remote.php/dav/files/\" \"id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog\"" + labels: + - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + depends_on: + - mybunker + environment: + <<: *bunkerweb-env + DOCKER_HOST: "tcp://docker-proxy:2375" + volumes: + - bw-data:/data + networks: + - bw-universe + - net-docker + + docker-proxy: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + networks: + - net-docker mync: image: nextcloud:24-apache volumes: - ./nc-files:/var/www/html environment: - - MYSQL_HOST=mydb - - MYSQL_DATABASE=nc - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) - NEXTCLOUD_ADMIN_USER=admin # replace with the admin username - NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password - NEXTCLOUD_TRUSTED_DOMAINS=www.example.com # replace with your domain(s) - TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 - APACHE_DISABLE_REWRITE_IP=1 + - MYSQL_HOST=mydb + - MYSQL_DATABASE=${NEXTCLOUD_DATABASE:-nextclouddb} + - MYSQL_USER=${NEXTCLOUD_USER:-user} + - MYSQL_PASSWORD=${NEXTCLOUD_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + networks: + - bw-services mydb: - image: mariadb:10.9 - command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + image: mariadb:10.5 volumes: - - 
./db-data:/var/lib/mysql + - db-data:/var/lib/mysql environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=nc - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + MARIADB_RANDOM_ROOT_PASSWORD: "yes" + entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${NEXTCLOUD_USER:-user}\"; CREATE USER \"${NEXTCLOUD_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${NEXTCLOUD_DATABASE:-nextclouddb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${NEXTCLOUD_DATABASE:-nextclouddb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + networks: + - bw-universe + - bw-services volumes: - bw_data: + bw-data: + db-data: + +networks: + bw-universe: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + net-docker: diff --git a/examples/nextcloud/kubernetes.yml b/examples/nextcloud/kubernetes.yml index eaafb67ac..32841e724 100644 --- a/examples/nextcloud/kubernetes.yml +++ b/examples/nextcloud/kubernetes.yml 
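Review bot: `CUSTOM_CONF_MODSEC_CRS_nextcloud` is now a double-quoted YAML scalar, and YAML has no comments inside quoted scalars: the `# WebDAV` line (which has no trailing `\`) is folded into the value as text, so ModSecurity receives `…crs_exclusions_nextcloud=1" # WebDAV SecAction "id:900200,…` as a single line — either the 900200 action that allows the WebDAV methods is swallowed as a trailing comment, leaving PROPFIND/MKCOL/MOVE and friends blocked by CRS, or the directive fails to parse and the whole custom config is rejected. A `|` block scalar keeps each directive on its own line and lets the comment remain a comment (below). The `mydb` rewrite also dropped `command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW`, which Nextcloud documents as required for MariaDB; append both flags to the `docker-entrypoint.sh` call in the new `entrypoint` next to the charset options. That `entrypoint` additionally places `${NEXTCLOUD_PASSWORD}` on the container command line, where `docker inspect` and the host process list can read it.
```yaml
      CUSTOM_CONF_MODSEC_CRS_nextcloud: |
        SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"
        # WebDAV
        SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
      CUSTOM_CONF_MODSEC_nextcloud: |
        SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
```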
@@ -7,7 +7,7 @@ metadata: bunkerweb.io/www.example.com_MAX_CLIENT_SIZE: "10G" bunkerweb.io/www.example.com_ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS" bunkerweb.io/www.example.com_X_FRAME_OPTIONS: "SAMEORIGIN" - bunkerweb.io/www.example.com_BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444" + bunkerweb.io/www.example.com_BAD_BEHAVIOR_STATUS_CODES: "400 401.4.4 405 444" bunkerweb.io/www.example.com_LIMIT_REQ_URL_1: "/apps" bunkerweb.io/www.example.com_LIMIT_REQ_RATE_1: "5r/s" bunkerweb.io/www.example.com_LIMIT_REQ_URL_2: "/apps/text/session/sync" diff --git a/examples/nextcloud/setup-kubernetes.sh b/examples/nextcloud/setup-kubernetes.sh index cbe163b3e..7c565955e 100755 --- a/examples/nextcloud/setup-kubernetes.sh +++ b/examples/nextcloud/setup-kubernetes.sh @@ -1,9 +1,4 @@ #!/bin/bash -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - helm repo add nextcloud https://nextcloud.github.io/helm/ -helm install -f nextcloud-chart-values.yml nextcloud nextcloud/nextcloud \ No newline at end of file +helm install -f nextcloud-chart-values.yml nextcloud nextcloud/nextcloud diff --git a/examples/nextcloud/swarm.yml b/examples/nextcloud/swarm.yml index d0ac304c1..a825d7e82 100644 --- a/examples/nextcloud/swarm.yml +++ b/examples/nextcloud/swarm.yml 
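Review bot: The new value of `bunkerweb.io/www.example.com_BAD_BEHAVIOR_STATUS_CODES`, `"400 401.4.4 405 444"`, is not a space-separated list of HTTP status codes: `401.4.4` looks like a mangled edit of the previous `401 403`, and presumably the bad-behavior counter will then never match 401/403 responses, which are the main signal this setting is meant to catch for a login-protected application like Nextcloud. Either restore the prior value or write the intended list explicitly, e.g. `bunkerweb.io/www.example.com_BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444"`, and check the other nextcloud example files in this patch for the same edit if they were changed the same way. The enclosing `annotations` mapping starts outside this hunk.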
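Review bot: With the root check removed the script has no failure handling at all: if `helm repo add nextcloud …` fails (for example, no network), `helm install` on the next line still runs against whatever repository index is cached locally. Add `set -euo pipefail` directly after `#!/bin/bash` so the script stops at the first failing command, and consider a `helm repo update` before `helm install` so a stale cached index is not used. This hunk covers the whole four-line file; the same point applies to the other `setup-kubernetes.sh` scripts in this patch if they were stripped the same way.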
@@ -37,22 +37,7 @@ services: - bunkerweb.LIMIT_REQ_URL_3=/core/preview - bunkerweb.LIMIT_REQ_RATE_3=5r/s - mydb: - image: mariadb:10.9 - command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW - volumes: - - db_data:/var/lib/mysql - networks: - - bw-services - environment: - - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password - - MYSQL_DATABASE=nc - - MYSQL_USER=user - - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) - deploy: - placement: - constraints: - - "node.role==worker" + # For the database, you can refer to the example of the autoconf in swarm mode including a database networks: bw-services: @@ -61,4 +46,3 @@ networks: volumes: nc_files: - db_data:
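Review bot: The replacement comment `# For the database, you can refer to the example of the autoconf in swarm mode including a database` does not say where that example lives, so a reader of swarm.yml alone cannot find it; name the directory explicitly, e.g. `# For the database, see examples/<autoconf-swarm-example>/swarm.yml` (placeholder path, fill in the real one). More importantly, if the nextcloud service earlier in this file still carries `MYSQL_HOST=mydb` and the other `MYSQL_*` variables (that part of the file is outside the hunk), the stack now points at a service that no longer exists in it, so either drop those variables here as well or state in the comment that this stack is not deployable on its own. The removal of `db_data:` in the second hunk is consistent with dropping `mydb`.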
