diff --git a/.github/ISSUE_TEMPLATE/documentation.md b/.github/ISSUE_TEMPLATE/documentation.md new file mode 100644 index 000000000..66ed2b960 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/documentation.md @@ -0,0 +1,14 @@ +--- +name: Documentation enhancement +about: Error in the documentation or something is missing +title: "[DOC]" +labels: documentation +assignees: '' + +--- + +**Description** +Concise description of the error or what is missing. + +**Proposal (optional)** +Any proposal or ideas to fix the problem. diff --git a/CHANGELOG.md b/CHANGELOG.md index 375ff422f..2bc12c4e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,13 @@ ## v1.4.3 - -- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value +- Fix various documentation errors/typos +- Fix ui.env not read when using Linux integration +- Fix check if BunkerNet is activated on default server +- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value +- Add DENY_HTTP_STATUS setting to choose standard 403 error (default) or to close connection (444) +- Add documentation about Docker in rootless mode and podman +- Migrate CI/CD to another provider ## v1.4.2 - 2022/06/28 diff --git a/confs/server-http/access-lua.conf b/confs/server-http/access-lua.conf index 5d2564976..cb0fcb417 100644 --- a/confs/server-http/access-lua.conf +++ b/confs/server-http/access-lua.conf @@ -3,6 +3,7 @@ access_by_lua_block { local logger = require "logger" local datastore = require "datastore" local plugins = require "plugins" +local utils = require "utils" -- Don't process internal requests if ngx.req.is_internal() then @@ -16,7 +17,7 @@ logger.log(ngx.INFO, "ACCESS", "Access phase started") local banned, err = datastore:get("bans_ip_" .. ngx.var.remote_addr) if banned then logger.log(ngx.WARN, "ACCESS", "IP " .. ngx.var.remote_addr .. " is banned with reason : " .. banned) - ngx.exit(ngx.HTTP_FORBIDDEN) + ngx.exit(utils.get_deny_status()) end -- List all plugins @@ -41,7 +42,7 @@ for i, plugin in ipairs(list) do end if ret then if type(value) == "number" then - if value == ngx.HTTP_FORBIDDEN then + if value == utils.get_deny_status() then logger.log(ngx.WARN, "ACCESS", "Denied access from " .. plugin.id .. " : " .. err) ngx.var.reason = plugin.id else diff --git a/core/antibot/antibot.lua b/core/antibot/antibot.lua index f3b3222a6..c17aae1e7 100644 --- a/core/antibot/antibot.lua +++ b/core/antibot/antibot.lua @@ -127,7 +127,7 @@ function _M:access() end -- Method is suspicious, let's deny the request - return true, "unsupported HTTP method for Antibot", true, ngx.HTTP_FORBIDDEN + return true, "unsupported HTTP method for Antibot", true, utils.get_deny_status() end diff --git a/core/blacklist/blacklist.lua b/core/blacklist/blacklist.lua index 37637adeb..a0f30a8a3 100644 --- a/core/blacklist/blacklist.lua +++ b/core/blacklist/blacklist.lua @@ -61,17 +61,17 @@ function _M:access() -- Check the cache local cached_ip, err = self:is_in_cache("ip" .. ngx.var.remote_addr) if cached_ip and cached_ip ~= "ok" then - return true, "IP is in blacklist cache (info = " .. cached_ip .. ")", true, ngx.HTTP_FORBIDDEN + return true, "IP is in blacklist cache (info = " .. cached_ip .. ")", true, utils.get_deny_status() end local cached_uri, err = self:is_in_cache("uri" .. ngx.var.uri) if cached_uri and cached_uri ~= "ok" then - return true, "URI is in blacklist cache (info = " .. cached_uri .. ")", true, ngx.HTTP_FORBIDDEN + return true, "URI is in blacklist cache (info = " .. cached_uri .. ")", true, utils.get_deny_status() end local cached_ua = true if ngx.var.http_user_agent then cached_ua, err = self:is_in_cache("ua" .. ngx.var.http_user_agent) if cached_ua and cached_ua ~= "ok" then - return true, "User-Agent is in blacklist cache (info = " .. cached_ua .. ")", true, ngx.HTTP_FORBIDDEN + return true, "User-Agent is in blacklist cache (info = " .. cached_ua .. ")", true, utils.get_deny_status() end end if cached_ip and cached_uri and cached_ua then @@ -106,7 +106,7 @@ function _M:access() else if ipm:match(ngx.var.remote_addr) then self:add_to_cache("ip" .. ngx.var.remote_addr, "ip/net") - return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist", true, ngx.HTTP_FORBIDDEN + return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist", true, utils.get_deny_status() end end end @@ -137,7 +137,7 @@ function _M:access() for i, suffix in ipairs(blacklists["RDNS"]) do if rdns:sub(-#suffix) == suffix then self:add_to_cache("ip" .. ngx.var.remote_addr, "rDNS " .. suffix) - return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist (info = rDNS " .. suffix .. ")", true, ngx.HTTP_FORBIDDEN + return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist (info = rDNS " .. suffix .. ")", true, utils.get_deny_status() end end end @@ -160,7 +160,7 @@ function _M:access() for i, asn_bl in ipairs(blacklists["ASN"]) do if tostring(asn) == asn_bl then self:add_to_cache("ip" .. ngx.var.remote_addr, "ASN " .. tostring(asn)) - return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist (kind = ASN " .. tostring(asn) .. ")", true, ngx.HTTP_FORBIDDEN + return ret, "client IP " .. ngx.var.remote_addr .. " is in blacklist (kind = ASN " .. tostring(asn) .. ")", true, utils.get_deny_status() end end end @@ -185,7 +185,7 @@ function _M:access() for i, ua_bl in ipairs(blacklists["USER_AGENT"]) do if ngx.var.http_user_agent:match(ua_bl) then self:add_to_cache("ua" .. ngx.var.http_user_agent, "UA " .. ua_bl) - return ret, "client User-Agent " .. ngx.var.http_user_agent .. " is in blacklist (matched " .. ua_bl .. ")", true, ngx.HTTP_FORBIDDEN + return ret, "client User-Agent " .. ngx.var.http_user_agent .. " is in blacklist (matched " .. ua_bl .. ")", true, utils.get_deny_status() end end -- UA is not blacklisted @@ -207,7 +207,7 @@ function _M:access() for i, uri_bl in ipairs(blacklists["URI"]) do if ngx.var.uri:match(uri_bl) then self:add_to_cache("uri" .. ngx.var.uri, "URI " .. uri_bl) - return ret, "client URI " .. ngx.var.uri .. " is in blacklist (matched " .. uri_bl .. ")", true, ngx.HTTP_FORBIDDEN + return ret, "client URI " .. ngx.var.uri .. " is in blacklist (matched " .. uri_bl .. ")", true, utils.get_deny_status() end end end diff --git a/core/bunkernet/bunkernet.lua b/core/bunkernet/bunkernet.lua index 36467d24b..a29fee54f 100644 --- a/core/bunkernet/bunkernet.lua +++ b/core/bunkernet/bunkernet.lua @@ -142,7 +142,7 @@ function _M:report(ip, reason, method, url, headers) end function _M:log(bypass_use_bunkernet) - if bypass_use_bunkernet then + if not bypass_use_bunkernet then -- Check if BunkerNet is activated local use_bunkernet = utils.get_variable("USE_BUNKERNET") if use_bunkernet ~= "yes" then @@ -232,7 +232,7 @@ function _M:access() local db = cjson.decode(data) for index, value in ipairs(db.ip) do if value == ngx.var.remote_addr then - return true, "ip is in database", true, ngx.exit(ngx.HTTP_FORBIDDEN) + return true, "ip is in database", true, utils.get_deny_status() end end return true, "ip is not in database", false, nil diff --git a/core/country/country.lua b/core/country/country.lua index 1f904cdcc..6d31fbfc3 100644 --- a/core/country/country.lua +++ b/core/country/country.lua @@ -33,7 +33,7 @@ function _M:access() if data.result == "ok" then return true, "client IP " .. ngx.var.remote_addr .. " is in country cache (not blacklisted, country = " .. data.country .. ")", nil, nil end - return true, "client IP " .. ngx.var.remote_addr .. " is in country cache (blacklisted, country = " .. data.country .. ")", true, ngx.HTTP_FORBIDDEN + return true, "client IP " .. ngx.var.remote_addr .. " is in country cache (blacklisted, country = " .. data.country .. ")", true, utils.get_deny_status() end -- Don't go further if IP is not global @@ -60,7 +60,7 @@ function _M:access() end end self:add_to_cache(ngx.var.remote_addr, country, "ko") - return true, "client IP " .. ngx.var.remote_addr .. " is not whitelisted (country = " .. country .. ")", true, ngx.HTTP_FORBIDDEN + return true, "client IP " .. ngx.var.remote_addr .. " is not whitelisted (country = " .. country .. ")", true, utils.get_deny_status() end -- And then blacklist @@ -68,7 +68,7 @@ function _M:access() for bl_country in blacklist:gmatch("%S+") do if bl_country == country then self:add_to_cache(ngx.var.remote_addr, country, "ko") - return true, "client IP " .. ngx.var.remote_addr .. " is blacklisted (country = " .. country .. ")", true, ngx.HTTP_FORBIDDEN + return true, "client IP " .. ngx.var.remote_addr .. " is blacklisted (country = " .. country .. ")", true, utils.get_deny_status() end end end diff --git a/core/dnsbl/dnsbl.lua b/core/dnsbl/dnsbl.lua index 5d947f83f..b449a87bf 100644 --- a/core/dnsbl/dnsbl.lua +++ b/core/dnsbl/dnsbl.lua @@ -56,7 +56,7 @@ function _M:access() if dnsbl == "ok" then return true, "client IP " .. ngx.var.remote_addr .. " is in DNSBL cache (not blacklisted)", nil, nil end - return true, "client IP " .. ngx.var.remote_addr .. " is in DNSBL cache (server = " .. dnsbl .. ")", true, ngx.HTTP_FORBIDDEN + return true, "client IP " .. ngx.var.remote_addr .. " is in DNSBL cache (server = " .. dnsbl .. ")", true, utils.get_deny_status() end -- Don't go further if IP is not global @@ -84,7 +84,7 @@ function _M:access() local result, err = self:is_in_dnsbl(dnsbl, ngx.var.remote_addr) if result then self:add_to_cache(ngx.var.remote_addr, dnsbl) - return ret, "client IP " .. ngx.var.remote_addr .. " is in DNSBL (server = " .. dnsbl .. ")", true, ngx.HTTP_FORBIDDEN + return ret, "client IP " .. ngx.var.remote_addr .. " is in DNSBL (server = " .. dnsbl .. ")", true, utils.get_deny_status() end end diff --git a/core/misc/confs/default-server-http/disable.conf b/core/misc/confs/default-server-http/disable.conf index 6868be9fc..53f113c6f 100644 --- a/core/misc/confs/default-server-http/disable.conf +++ b/core/misc/confs/default-server-http/disable.conf @@ -1,6 +1,6 @@ {% if DISABLE_DEFAULT_SERVER == "yes" +%} location / { set $reason "default"; - return 444; + return {{ DENY_HTTP_STATUS }}; } {% endif %} \ No newline at end of file diff --git a/core/misc/plugin.json b/core/misc/plugin.json index e8dd77eb2..483d97012 100644 --- a/core/misc/plugin.json +++ b/core/misc/plugin.json @@ -31,7 +31,7 @@ "label": "Auto redirect HTTP to HTTPS", "regex": ".*", "type": "text" - }, + }, "ALLOWED_METHODS": { "context": "multisite", "default": "GET|POST|HEAD", @@ -148,6 +148,19 @@ "label": "External plugin URLs", "regex": "^.*$", "type": "text" + }, + "DENY_HTTP_STATUS": { + "context": "global", + "default": "403", + "help": "HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection.", + "id": "deny-http-status", + "label": "Deny HTTP status", + "regex": "^(403|444)$", + "type": "select", + "select": [ + "403", + "444" + ] } } } diff --git a/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec b/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec index 951bfc42f..aa2ccffd9 100644 --- a/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec +++ b/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec @@ -105,6 +105,6 @@ include /etc/nginx/{{ SERVER_NAME.split(" ")[0] }}/modsec/*.conf # set REASON env var {% if USE_MODSECURITY_CRS == "yes" %} -SecRuleUpdateActionById 949110 "t:none,deny,status:403,setenv:REASON=modsecurity" -SecRuleUpdateActionById 959100 "t:none,deny,status:403,setenv:REASON=modsecurity" +SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity" +SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity" {% endif %} \ No newline at end of file diff --git a/lua/utils.lua b/lua/utils.lua index 2557127ae..d36586e28 100644 --- a/lua/utils.lua +++ b/lua/utils.lua @@ -248,7 +248,7 @@ utils.get_reason = function() if banned then return banned end - if ngx.status == ngx.HTTP_FORBIDDEN then + if ngx.status == utils.get_deny_status() then return "unknown" end return nil @@ -347,4 +347,13 @@ utils.rand = function(nb) return result end +utils.get_deny_status = function () + local status, err = datastore:get("variable_DENY_HTTP_STATUS") + if not status then + logger.log(ngx.ERR, "UTILS", "Can't get DENY_HTTP_STATUS variable " .. err) + return 403 + end + return tonumber(status) +end + return utils \ No newline at end of file