diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c84d3cb8..0527722b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@ - Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value - Add DENY_HTTP_STATUS setting to choose standard 403 error (default) or to close connection (444) when access is denied - Add documentation about Docker in rootless mode and podman -- Migrate CI/CD to another provider +- Migrate CI/CD infrastructure to another provider ## v1.4.2 - 2022/06/28
diff --git a/core/cors/confs/server-http/cors.conf b/core/cors/confs/server-http/cors.conf
new file mode 100644
index 000000000..96eb94916
--- /dev/null
+++ b/core/cors/confs/server-http/cors.conf
@@ -0,0 +1,13 @@
+{% if USE_CORS == "yes" +%}
+{% if CORS_ALLOW_ORIGIN != "" %}add_header Access-Control-Allow-Origin '{{ CORS_ALLOW_ORIGIN }}' always;{% endif %}
+{% if CORS_EXPOSE_HEADERS != "" %}add_header Access-Control-Expose-Headers '{{ CORS_EXPOSE_HEADERS }}' always;{% endif %}
+{% if CORS_ALLOW_CREDENTIALS != "no" %}add_header Access-Control-Allow-Credentials true always;{% endif %}
+if ($request_method == 'OPTIONS') {
+ {% if CORS_MAX_AGE != "no" %}add_header Access-Control-Max-Age '{{ CORS_MAX_AGE }}' always;{% endif %}
+ {% if CORS_ALLOW_METHODS != "no" %}add_header Access-Control-Allow-Methods '{{ CORS_ALLOW_METHODS }}' always;{% endif %}
+ {% if CORS_ALLOW_HEADERS != "no" %}add_header Access-Control-Allow-Headers '{{ CORS_ALLOW_Headers }}' always;{% endif %}
+ add_header Content-Type 'text/plain; charset=utf-8';
+ add_header Content-Length 0;
+ return 204;
+}
+{% endif %}
\ No newline at end of file
diff --git a/core/cors/plugin.json b/core/cors/plugin.json
new file mode 100644
index 000000000..df5611e95
--- /dev/null
+++ b/core/cors/plugin.json
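Review bot: The Allow-Headers line inside the OPTIONS block tests `CORS_ALLOW_HEADERS` but interpolates `{{ CORS_ALLOW_Headers }}`, a differently-cased name; with the `{% %}`/`{{ }}` syntax this looks like Jinja2, whose default Undefined renders as an empty string, so the preflight response would carry `Access-Control-Allow-Headers ''` instead of the configured list — it should read `add_header Access-Control-Allow-Headers '{{ CORS_ALLOW_HEADERS }}' always;`. The disable sentinels are also inconsistent within the same hunk: origin and expose-headers are skipped on `""`, while max-age, methods and headers are skipped on `"no"`, and the plugin.json hunk that follows constrains `CORS_MAX_AGE` to `^[0-9]+$`, so that branch can never be disabled and none of the help texts mention `no` as a switch-off value. Pick one sentinel (the empty string already used for origin) and apply it to the three OPTIONS-block checks, or document `no` in the corresponding plugin.json help strings.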
@@ -0,0 +1,72 @@
+{
+ "id": "cors",
+ "order": 999,
+ "name": "CORS",
+ "description": "Cross-Origin Resource Sharing.",
+ "version": "0.1",
+ "settings": {
+ "USE_CORS": {
+ "context": "multisite",
+ "default": "no",
+ "help": "Use CORS",
+ "id": "use-cors",
+ "label": "Use CORS",
+ "regex": "^(yes|no)$",
+ "type": "check"
+ },
+ "CORS_ALLOW_ORIGIN": {
+ "context": "multisite",
+ "default": "*",
+ "help": "Value of the Access-Control-Allow-Origin header.",
+ "id": "cors-allow-origin",
+ "label": "Access-Control-Allow-Origin value",
+ "regex": "^.*$",
+ "type": "text"
+ },
+ "CORS_EXPOSE_HEADERS": {
+ "context": "multisite",
+ "default": "Content-Length,Content-Range",
+ "help": "Value of the Access-Control-Expose-Headers header.",
+ "id": "cors-expose-headers",
+ "label": "Access-Control-Expose-Headers value",
+ "regex": "^.*$",
+ "type": "text"
+ },
+ "CORS_MAX_AGE": {
+ "context": "multisite",
+ "default": "86400",
+ "help": "Value of the Access-Control-Max-Age header.",
+ "id": "cors-max-age",
+ "label": "Access-Control-Max-Age value",
+ "regex": "^[0-9]+$",
+ "type": "text"
+ },
+ "CORS_ALLOW_CREDENTIALS": {
+ "context": "multisite",
+ "default": "no",
+ "help": "Send the Access-Control-Allow-Credentials header.",
+ "id": "cors-allow-credentials",
+ "label": "Send Access-Control-Allow-Credentials",
+ "regex": "^(yes|no)$",
+ "type": "check"
+ },
+ "CORS_ALLOW_METHODS": {
+ "context": "multisite",
+ "default": "GET, POST, OPTIONS",
+ "help": "Value of the Access-Control-Allow-Methods header.",
+ "id": "cors-allow-methods",
+ "label": "Access-Control-Allow-Methods value",
+ "regex": "^.*$",
+ "type": "text"
+ },
+ "CORS_ALLOW_HEADERS": {
+ "context": "multisite",
+ "default": "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range",
+ "help": "Value of the Access-Control-Allow-Headers header.",
+ "id": "cors-allow-headers",
+ "label": "Access-Control-Allow-Headers value",
+ "regex": "^.*$",
+ "type": "text"
+ }
+ }
+}
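Review bot: The four `"regex": "^.*$"` entries (CORS_ALLOW_ORIGIN, CORS_EXPOSE_HEADERS, CORS_ALLOW_METHODS, CORS_ALLOW_HEADERS) accept a single quote, yet cors.conf in the previous hunk drops each value unescaped into a single-quoted nginx argument, so a stray `'` in a setting terminates the argument and yields an invalid generated config; tightening the pattern to something like `"regex": "^[^']*$"` rejects that at validation time while still admitting the defaults and the `no` sentinel the template checks for. The help string of CORS_ALLOW_CREDENTIALS should also warn that browsers refuse credentialed responses when Access-Control-Allow-Origin is the wildcard, which is this plugin's default — e.g. `"help": "Send the Access-Control-Allow-Credentials header (requires an explicit CORS_ALLOW_ORIGIN, not *)."`. Minor: the CORS_ALLOW_ORIGIN help could state that `*` permits any origin, since that is the shipped default and the most consequential setting here.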
diff --git a/docs/integrations.md b/docs/integrations.md index dd059de87..d6adc27c4 100644 --- a/docs/integrations.md +++ b/docs/integrations.md @@ -828,7 +828,7 @@ Repositories of Linux packages for BunkerWeb are available on [PackageCloud](htt Once dependencies had been installed, you can now copy the BunkerWeb sources to the target `/opt/bunkerweb` folder : ```shell - for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/bunkerweb-ui.env linux/scripts ; do + for src in api cli confs core gen helpers job lua misc utils ui settings.json VERSION linux/variables.env linux/ui.env linux/scripts ; do cp -r /tmp/bunkerweb/${src} /opt/bunkerweb done cp /opt/bunkerweb/helpers/bwcli /usr/local/bin diff --git a/docs/security-tuning.md b/docs/security-tuning.md index 3bca79024..d5fc334b6 100644 --- a/docs/security-tuning.md +++ b/docs/security-tuning.md 
@@ -69,6 +69,20 @@ Various security headers are available and most of them can be set using BunkerW | `X-Content-Type-Options` | `X_CONTENT_TYPE_OPTIONS` | `nosniff` | | `X-XSS-Protection` | `X_XSS_PROTECTION` | `1; mode=block` | +#### CORS + +[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](https://docs.bunkerweb.io/1.4/security-tuning/#allowed-methods)). Here is the list of settings related to CORS : + +| Setting | Default | Context |Multiple| Description | +|------------------------|------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------| +|`USE_CORS` |`no` |multisite|no |Use CORS | +|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Value of the Access-Control-Allow-Origin header. | +|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header.| +|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. | +|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. | +|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. | +|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. | + ## HTTPS Besides the HTTPS configuration, the following settings related to HTTPS can be set : diff --git a/docs/settings.md b/docs/settings.md index e30f7a6cd..a3631698a 100644 --- a/docs/settings.md +++ b/docs/settings.md 
@@ -104,6 +104,18 @@ When settings are considered as "multiple", it means that you can have multiple |`USE_BUNKERNET` |`yes` |multisite|no |Activate BunkerNet feature. | |`BUNKERNET_SERVER`|`https://api.bunkerweb.io`|global |no |Address of the BunkerNet API.| +### CORS + +| Setting | Default | Context |Multiple| Description | +|------------------------|------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------| +|`USE_CORS` |`no` |multisite|no |Use CORS | +|`CORS_ALLOW_ORIGIN` |`*` |multisite|no |Value of the Access-Control-Allow-Origin header. | +|`CORS_EXPOSE_HEADERS` |`Content-Length,Content-Range` |multisite|no |Value of the Access-Control-Expose-Headers header.| +|`CORS_MAX_AGE` |`86400` |multisite|no |Value of the Access-Control-Max-Age header. | +|`CORS_ALLOW_CREDENTIALS`|`no` |multisite|no |Send the Access-Control-Allow-Credentials header. | +|`CORS_ALLOW_METHODS` |`GET, POST, OPTIONS` |multisite|no |Value of the Access-Control-Allow-Methods header. | +|`CORS_ALLOW_HEADERS` |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no |Value of the Access-Control-Allow-Headers header. | + ### Client cache | Setting | Default | Context |Multiple| Description | 
@@ -194,24 +206,25 @@ When settings are considered as "multiple", it means that you can have multiple ### Miscellaneous -| Setting | Default | Context |Multiple| Description | -|-----------------------------|-----------------------|---------|--------|---------------------------------------------------------------------------------------------------------------------| -|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. | -|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. | -|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. | -|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP methods to be sent by clients. | -|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). | -|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. | -|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/opt/bunkerweb/www/{server_name} if unset). | -|`HTTPS_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. | -|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. | -|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. 
| -|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature | -|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive | -|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors | -|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses | -|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time | -|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip file) to download and install (URLs are separated with space).| +| Setting | Default | Context |Multiple| Description | +|-----------------------------|-----------------------|---------|--------|----------------------------------------------------------------------------------------------------------------------| +|`DISABLE_DEFAULT_SERVER` |`no` |global |no |Close connection if the request vhost is unknown. | +|`REDIRECT_HTTP_TO_HTTPS` |`no` |multisite|no |Redirect all HTTP request to HTTPS. | +|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes` |multisite|no |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case. | +|`ALLOWED_METHODS` |`GET\|POST\|HEAD` |multisite|no |Allowed HTTP methods to be sent by clients. | +|`MAX_CLIENT_SIZE` |`10m` |multisite|no |Maximum body size (0 for infinite). | +|`SERVE_FILES` |`yes` |multisite|no |Serve files from the local folder. | +|`ROOT_FOLDER` | |multisite|no |Root folder containing files to serve (/opt/bunkerweb/www/{server_name} if unset). | +|`HTTPS_PROTOCOLS` |`TLSv1.2 TLSv1.3` |multisite|no |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons. | +|`HTTP2` |`yes` |multisite|no |Support HTTP2 protocol when HTTPS is enabled. | +|`LISTEN_HTTP` |`yes` |multisite|no |Respond to (insecure) HTTP requests. 
| +|`USE_OPEN_FILE_CACHE` |`no` |multisite|no |Enable open file cache feature | +|`OPEN_FILE_CACHE` |`max=1000 inactive=20s`|multisite|no |Open file cache directive | +|`OPEN_FILE_CACHE_ERRORS` |`yes` |multisite|no |Enable open file cache for errors | +|`OPEN_FILE_CACHE_MIN_USES` |`2` |multisite|no |Enable open file cache minimum uses | +|`OPEN_FILE_CACHE_VALID` |`30s` |multisite|no |Open file cache valid time | +|`EXTERNAL_PLUGIN_URLS` | |global |no |List of external plugins URLs (direct download to .zip file) to download and install (URLs are separated with space). | +|`DENY_HTTP_STATUS` |`403` |global |no |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection.| ### ModSecurity